marge@vu-vlsi.Villanova.EDU (Marge Luecke) (07/22/88)
THIS IS A PLEA FOR HELP!!!!! If anybody has ANY information on Computer Viruses, Immunizations, etc., please forward the information. I am working on a senior project on computer viruses. I would like to try to write an immunization program, however, I cannot obtain enough information from published literature to do so.

How do viruses work inside the computer? What are some present methods of detection? Are there any public domain immunization programs available? Where? Somebody wrote in one article that one could write a virus using the pc-dos appendices as reference... I looked this up and was not too successful... how do I do this?... What was meant by this? What are some infected programs which were available? What is the SCORES virus? How about VirusX?, etc...

Thank you,
Marge Luecke
Senior EE, Villanova University

P.S. I can be reached several ways:
1. This computer system.
2. FAX: (609) 723-8461 (USA)
3. Mail: Marge Luecke, 980 Wakeling Street, Philadelphia, PA 19124, USA
   or Dept. of EE, Tolentine Hall, Villanova University, Villanova, PA 19085, USA
4. PHONE: (215) 645-4970 Day, (215) 537-9633 Evening
rwallace@vax1.tcd.ie (01/26/89)
The old boot block viruses were easy enough to protect against but now we've got viruses that put themselves in program files, it's time to give some serious thought to virus protection. Some schemes have been suggested recently about getting programs to check themselves, which as was pointed out is no good because by the time the program code gets to run the virus has done its dirty work anyway. Having another program do the checking is more sensible but the problem is once the virus is in memory it can intercept any attempt to read a program file and make it look like the file is uninfected.

Two suggestions: First, is there any general way to check if a virus is in memory? Obviously any given virus can be detected but then your virus killer will be obsolete as soon as the next strain of virus comes out. The general idea might be to inspect ExecBase, DOSBase, trackdisk.device and the like for alterations but they're not guaranteed to be the same from machine to machine. How about storing a copy of the normal structures on disk and each boot up compare the current structure with the copy on disk?

Another suggestion: How about doing a patch to DoIO or trackdisk.device so that each time a sector is read in it can be checked for alteration? Perhaps with some sort of checksum so that the original version can be stored on disk and compared against the new version on each read? Also maybe check for a disk write immediately after a program load because that would probably be when the virus would recognize the file as a program and put itself into it. Or for a really far out idea, how about analyzing the startup code of each program that gets loaded to see if it looks like it's going to modify files and put copies of itself onto them.

Any suggestions welcome.

"To summarize the summary of the summary: people are a problem"
Russell Wallace, Trinity College, Dublin
rwallace@vax1.tcd.ie
dykimber@phoenix.Princeton.EDU (Daniel Yaron Kimberg) (01/29/89)
I hope people don't mind another go-around on virus protection. I think it's a good thing to keep talking about.

In article <31622@vax1.tcd.ie> rwallace@vax1.tcd.ie writes:
>Two suggestions: First, is there any general way to check if a virus is in
>memory? Obviously any given virus can be detected but then your virus killer
>will be obsolete as soon as the next strain of virus comes out. The general
>idea might be to inspect ExecBase, DOSBase, trackdisk.device and the like
>for alterations but they're not guaranteed to be the same from machine to
>machine.
...
>Or for a really far out idea, how about analyzing the startup code of each
>program that gets loaded to see if it looks like it's going to modify files
>and put copies of itself onto them.

These problems, unfortunately, are probably as complicated as the problem of artificial intelligence. If you want a program that won't be obsolete with each new virus, it would have to be able, essentially, to read code and browse system structures and tell what they're doing. In essence, a virus is just like any other program, which is to say that the only really reliable way to tell if something is a virus or not is to check to see what it does. The fact that there are more trivial ways to detect the current viruses (even without knowing the specific virus) is misleading in this respect - it can lead you to draw the conclusion that viruses can be detected by heuristics. Even if that were 99.9% true, it would be a very dangerous assumption.

Earlier in the message:
>The old boot block viruses were easy enough to protect against but now we've
>got viruses that put themselves in program files, it's time to give some
>serious thought to virus protection. Some schemes have been suggested recently
>about getting programs to check themselves, which as was pointed out is no
>good because by the time the program code gets to run the virus has done
>its dirty work anyway. Having another program do the checking is more sensible
>but the problem is once the virus is in memory it can intercept any attempt
>to read a program file and make it look like the file is uninfected.

As has been repeated frequently, the only really acceptable way to protect yourself from viruses is to take the responsibility yourself (insert analogies with AIDS here). Easier said than done. If you buy some software from a software house you never heard of, who knows what it does to your system? Probably the big ones aren't immune either. Another problem is that you really have to put a lot of trust into your front line defenses. Current viruses are detectable once they've entered your system, but future viruses may be better at making themselves invisible. Being able to detect viruses after they've infected your system is nice, but it's not something you'd want to count on.

I think the best approach would really be to have all virus protection under user control, but with help from software tools. For instance, it would be nice to be able to maintain a list of all the executables you've decided to allow on your system, along with their vital statistics. It would also be nice to have a set of analytic aids to do things like check out the status of your system, or try a range of clever heuristics on new programs. And frequent use of write-protect switches and tabs would be important. It isn't enough to just let viruses bounce around in your system, and hope your tools can detect them. Once you've run an unfamiliar executable, whether you got it from the net or in shrink-wrap from Electronic Arts, you've opened your system.

Anyway, the upshot of all this is that I think the best way to go about virus protection is to develop useful preventative tools not of the sort that sit in the background and do your checking for you whenever you decide to run an executable, but of the sort that you can use to decide what executables it's safe to run.

-Dan
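Both Russell's idea of storing a checksummed copy of the normal state on disk and comparing it at boot, and Dan's list of allowed executables with their vital statistics, amount to a keyed integrity baseline; the following is an added example (not code from either poster) of such a checker. It assumes a key that is kept on write-protected media and a constructed temporary directory as the tree being checked.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def scan(root):
    # Record each file's size and SHA-256: the "vital statistics" the posts suggest keeping.
    root = Path(root)
    return {p.relative_to(root).as_posix(): {"size": p.stat().st_size,
                                           "sha256": hashlib.sha256(p.read_bytes()).hexdigest()}
            for p in sorted(root.rglob("*")) if p.is_file()}

def seal(entries, key):
    # MAC the baseline with a key kept on write-protected media, so an attacker who
    # can rewrite the baseline file cannot also make a tampered copy verify.
    body = json.dumps(entries, sort_keys=True)
    return {"entries": body, "mac": hmac.new(key, body.encode(), "sha256").hexdigest()}

def verify(root, sealed, key):
    # Check the baseline's own integrity first, then diff the current tree against it.
    expected = hmac.new(key, sealed["entries"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("baseline itself has been altered")
    known, now = json.loads(sealed["entries"]), scan(root)
    return {"modified": sorted(p for p in known if p in now and now[p] != known[p]),
            "missing": sorted(p for p in known if p not in now),
            "new": sorted(p for p in now if p not in known)}

def demo():
    # Constructed scenario: seal a tree, then alter it as an infection might (append, drop, remove).
    key = b"constructed demo key"  # a real key lives on write-protected media
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "prog.exe").write_bytes(b"MZ orig")
        (root / "bin" / "ok.exe").write_bytes(b"MZ ok")
        (root / "old.txt").write_bytes(b"x")
        sealed = seal(scan(root), key)
        (root / "bin" / "prog.exe").write_bytes(b"MZ orig + appended")
        (root / "dropped.com").write_bytes(b"new")
        (root / "old.txt").unlink()
        report = verify(root, sealed, key)
        # Attacker rewrites the baseline to match the altered tree but lacks the key.
        forged = {"entries": json.dumps(scan(root), sort_keys=True), "mac": sealed["mac"]}
        try:
            verify(root, forged, key)
        except ValueError:
            return report, True
    return report, False
```

As the thread points out, a resident virus can falsify file reads, so the checker is only trustworthy when run after a clean boot from write-protected media.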