padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (04/02/91)
Archive-name: security/virus/six-bytes-padgett/1991-03-29
Archive: cert.sei.cmu.edu:/pub/virus-l/docs/six.bytes.padgett [128.237.253.5]
Original-posting-by: padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson)
Original-subject: "Six Bytes for Virus Detection" paper available (PC)
Reposted-by: emv@msen.com (Edward Vielmetti, MSEN)

[Ed. This is the beginning of Padgett Peterson's paper, "Six Bytes for Virus Detection in the MS-DOS Environment". The complete paper is available by anonymous FTP on cert.sei.cmu.edu in pub/virus-l/docs under the filename six.bytes.padgett.]

WARNING: The method depicted in this paper will not detect every conceivable virus; to do so would take far more than six bytes. What it will do is detect all currently "common" viruses for a knowledgeable user; however, CHKDSK can do the same thing if intelligently applied. A short .COM file following these principles will make a good "first check" before using a scanner to determine if something unknown might be resident. Some viruses revealed immediately include Brain, Yale, Datalock, Stoned, 4096, Fish-6, Flip, Whale, Joshi, MusicBug, and Azusa. TSR viruses such as the Jerusalem, Sunday, and 1701/1704 variants will also be revealed if the user is knowledgeable about the system.

Padgett Peterson, 3/29/91

Six Bytes for Virus Detection in the MS-DOS Environment

A. Padgett Peterson, P.E.
Orlando, Florida

Introduction

Measured against the size of the population (over fifty million MS-DOS platforms at last estimate), the 240+ known viruses represent, in the macro, a relatively small statistic. In the micro, however, they can be devastating. With the growth in size of fixed disks and applications, backups are often obsolete or incomplete where proper discipline has not been established. Unfortunately, this seems to include the majority of non-power users.
Since the number of known viruses appears to be doubling each year, the threat is not diminishing, yet the most accepted utilities, John McAfee's SCAN and CLEAN, rely on detection of known infections. While there are some products that actually perform integrity management of a system (Certus International CERTUS, Enigma-Logic VIRUS-SAFE and PC-SAFE, Fischer International PC-WATCHDOG, Dr. Panda BEARTRAP), most are oriented to file protection rather than system protection.

To adequately protect a machine that possesses no native integrity management requires a layered approach of user management, files/applications management, and systems management. We have a good handle on the first two, but systems integrity, something so pervasive in mainframes that it is taken for granted, does not currently exist for the PC.

Until recently, there was not a large enough population of viruses, unsuccessful as well as successful, to draw any inferences about what makes one viable in the general population. At the close of 1990, however, certain characteristics of "successful" viruses, those listed as "common" in Patricia Hoffman's Virus Summary, have become clear:

1: Become resident in memory following infection
2: Allocate memory to themselves
3: Redirect part of the operating system (not necessarily interrupts)

Each of these elements is easily detected, often in more than one way, yet few people or programs bother to look. Some years ago, this author wrote three simple assembly language programs, each about 1k bytes long. The first tests file integrity, the second tests disk integrity, and the third tests system integrity. Taken together these still detect every "common" virus, not because they "know" all viruses but because they "know" an uninfected system. There is nothing magical involved, merely a knowledge of how the architecture operates.
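As an added illustration, not code from Peterson's paper or his three programs, the C program below applies the "know the uninfected system" idea to the three characteristics just listed. It reads three fields from an image of PC low memory, the BIOS memory-size word at 0040:0013h (the value INT 12h reports) and the INT 13h and INT 21h vectors from the interrupt vector table, compares a current snapshot against a baseline taken on a clean boot, and flags a reduced memory count (characteristic 2), a moved vector (characteristic 3), and a vector that now points into the memory the reduction took away from DOS (characteristic 1). The choice of fields is mine and is not a claim about which six bytes the paper uses. The low-memory images, the baseline values (the IBM BIOS INT 13h entry F000:EC59 and an assumed DOS segment for INT 21h) and the "infected" values are all constructed for the example; a real check would read the live bytes with far pointers or DEBUG instead of an array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Peterson's code. Real-mode PC layout: the interrupt
 * vector table starts at 0000:0000h with four bytes (offset, then segment)
 * per vector; the BIOS data area word at 0040:0013h (linear 00413h) holds
 * the conventional memory size in KB, the value INT 12h returns. The code
 * works on a 0x500-byte image of that region instead of live memory. */
#define IMAGE_SIZE   0x500u
#define BDA_MEMSIZE  0x413u
#define IVT_ENTRY(n) ((n) * 4u)

enum {
    MEM_REDUCED      = 1,  /* INT 12h memory count fell below the baseline */
    INT13_MOVED      = 2,  /* disk-service vector differs from the baseline */
    INT21_MOVED      = 4,  /* DOS-service vector differs from the baseline */
    VECTOR_IN_STOLEN = 8   /* a vector points into the memory taken away */
};

typedef struct {
    uint16_t mem_kb;
    uint16_t int13_off, int13_seg;
    uint16_t int21_off, int21_seg;
} snapshot_t;

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static uint32_t linear(uint16_t seg, uint16_t off) { return ((uint32_t)seg << 4) + off; }

/* Collect the checked fields from an image of low memory. */
snapshot_t read_snapshot(const uint8_t *img)
{
    snapshot_t s;
    s.mem_kb    = get16(img + BDA_MEMSIZE);
    s.int13_off = get16(img + IVT_ENTRY(0x13));
    s.int13_seg = get16(img + IVT_ENTRY(0x13) + 2);
    s.int21_off = get16(img + IVT_ENTRY(0x21));
    s.int21_seg = get16(img + IVT_ENTRY(0x21) + 2);
    return s;
}

/* Compare the current snapshot against the clean-boot baseline.
 * Returns a bitmask of the flags above; 0 means nothing changed. */
int check_snapshot(const snapshot_t *base, const snapshot_t *cur)
{
    int flags = 0;
    uint32_t top_now  = (uint32_t)cur->mem_kb  * 1024u;
    uint32_t top_base = (uint32_t)base->mem_kb * 1024u;

    if (cur->mem_kb < base->mem_kb)
        flags |= MEM_REDUCED;
    if (cur->int13_seg != base->int13_seg || cur->int13_off != base->int13_off)
        flags |= INT13_MOVED;
    if (cur->int21_seg != base->int21_seg || cur->int21_off != base->int21_off)
        flags |= INT21_MOVED;

    /* A virus that lowers the BIOS memory count lives in the gap between
     * the new and the old top of memory; a vector landing there is the
     * resident code, whether or not any scanner knows its signature. */
    if (flags & MEM_REDUCED) {
        uint32_t v13 = linear(cur->int13_seg, cur->int13_off);
        uint32_t v21 = linear(cur->int21_seg, cur->int21_off);
        if ((v13 >= top_now && v13 < top_base) || (v21 >= top_now && v21 < top_base))
            flags |= VECTOR_IN_STOLEN;
    }
    return flags;
}

/* Build a constructed low-memory image; only the checked fields are set. */
static void build_image(uint8_t *img, uint16_t mem_kb, uint16_t i13_seg,
                        uint16_t i13_off, uint16_t i21_seg, uint16_t i21_off)
{
    memset(img, 0, IMAGE_SIZE);
    put16(img + BDA_MEMSIZE, mem_kb);
    put16(img + IVT_ENTRY(0x13), i13_off);
    put16(img + IVT_ENTRY(0x13) + 2, i13_seg);
    put16(img + IVT_ENTRY(0x21), i21_off);
    put16(img + IVT_ENTRY(0x21) + 2, i21_seg);
}

/* Constructed baseline: 640 KB, INT 13h at the IBM BIOS entry F000:EC59,
 * INT 21h at an assumed DOS segment (0116:109E is illustrative). */
static snapshot_t baseline(void)
{
    uint8_t img[IMAGE_SIZE];
    build_image(img, 640, 0xF000, 0xEC59, 0x0116, 0x109E);
    return read_snapshot(img);
}

/* Constructed boot-sector infection: memory count lowered by 2 KB and
 * INT 13h redirected into the hidden 2 KB (9F80:0000 = linear 9F800h = 638 KB). */
int demo_boot_sector_virus(void)
{
    uint8_t img[IMAGE_SIZE];
    snapshot_t base = baseline(), cur;
    build_image(img, 638, 0x9F80, 0x0000, 0x0116, 0x109E);
    cur = read_snapshot(img);
    return check_snapshot(&base, &cur);
}

/* Constructed TSR infection: memory allocated through DOS, so the BIOS
 * count is untouched; only INT 21h has moved (2A40:0105 is illustrative). */
int demo_tsr_virus(void)
{
    uint8_t img[IMAGE_SIZE];
    snapshot_t base = baseline(), cur;
    build_image(img, 640, 0xF000, 0xEC59, 0x2A40, 0x0105);
    cur = read_snapshot(img);
    return check_snapshot(&base, &cur);
}

int demo_clean(void) { snapshot_t b = baseline(); return check_snapshot(&b, &b); }

int main(void)
{
    printf("clean: %d  boot-sector: %d  TSR: %d\n",
           demo_clean(), demo_boot_sector_virus(), demo_tsr_virus());
    return 0;
}
```

The TSR case shows the caveat in the WARNING above: with the memory word unchanged, all the check can report is that INT 21h no longer points where it did on the clean boot, and deciding whether the new owner is a legitimate TSR or a virus still takes a user who knows what should be resident on that machine.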
This paper does not address viruses that attach themselves specifically to programs or files; rather, it considers those that attack elements of the operating system. That these infections may later attack programs or files is incidental. A description is provided of the third of these routines.