[comp.virus] virus detection by scanners ?

CHESS@YKTVMV.BITNET (David.M.Chess) (06/19/91)

>From:    hermann@uran.informatik.uni-bonn.de (Hermann Stamm)
>Date:    07 Jun 91 14:33:23 +0000

>I have a few questions concerning detection of virii in general and
>1701 in special.

The main thing you've discovered here is that scanners only reliably
detect the viruses that they know about.  If you create a new virus
(from scratch, or by modifying an old one), it's very likely that some
scanners will no longer detect it.  No big surprises there!

>First of all, I hope that only good guys are on this list, because the
>remarks made here would otherwise result in hundreds of newly virii.

Almost certainly a false hope; there's no reason to think that no
virus writers are reading this.  On the other hand, I think they
already understand the principle!  One could have wished you'd been a
little less explicitly helpful to them, but I don't think it'll hurt, at
least in the long run.

> - what other scanner should I try for these versions ?

Some scanners may be "lucky", and see your home-grown variants as
infected.  IBM's Virus Scanning Product, for instance, will recognize
the first of your monsters as a variant of the 1701.

> - is it true, that any scanner must try to look at the
>   semantics of such decoders, and not at the shape ?
>   (undecidable problem ?)

Yep, deciding whether or not a given program is a virus is definitely
undecidable.  Fred Cohen proved that a while back.  So if you take some
existing virus, and make some changes to it, the question of whether
or not the result is still a virus is not one that *any* program is
going to get right all the time.  Scanners reliably detect only
*exactly* the viruses they know about, not variants that you (probably
unwisely) choose to create.

> - which systems are good by looking at the length of
>   files and reporting differences ?

Any good modification-detection program will look at the *contents* of
files (not just the length), and tell you what's changed.  Of course,
if you want to be able to trust the result, you have to get the
machine into a known state first (cold-boot from a trusted floppy,
don't run anything from the suspect hard disk).

> - Is the following behaviour possible for a virus:
>
>   After getting resident, it forces to do a warm-start
>   with ctrl-alt-del, and then it copies itself to all
>   .com-files encountered during rebooting
>   (like command.com, ...).
>
>   I think, that this is the way most of my .com-files
>   were infected.

A virus could certainly do that, but the 1701 doesn't.  Most likely it
infected something in the autoexec, so that the next time you booted,
it got control early, and then infected everything else executed
thereafter (that's how the 1701 works; it infects every com executed
after you run the first infected one).

DC

P.S. Assume that anything you post in public will be read by
     a large number of virus authors.   Please *don't* post
     live virus code, or suggestions for improvements to
     existing viruses!   *8)
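As an added illustration of the point above about checking file *contents* rather than just length (example code written for this thread, not from any poster or from the products named here): a small integrity checker that records the size and SHA-256 of each file, compares a later snapshot against that baseline, and separately flags files whose contents changed without their size changing, which is exactly the case a length-only check misses. It assumes the baseline was taken on a machine in a known-clean state, as the post says.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Record (size, SHA-256 hex digest) of every regular file under root, keyed by relative path."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            state[os.path.relpath(path, root)] = (os.path.getsize(path), digest)
    return state

def compare(baseline, current):
    """Report added/removed/modified files; 'modified_same_length' is what a length check alone would miss."""
    report = {"added": [], "removed": [], "modified": [], "modified_same_length": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            old_size, old_hash = baseline[rel]
            new_size, new_hash = current[rel]
            if old_hash != new_hash:
                report["modified"].append(rel)
                if old_size == new_size:
                    report["modified_same_length"].append(rel)
    return report

def demo():
    """Constructed scenario: one file has bytes appended, another is overwritten in place (same size)."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"A.COM": b"\x90" * 64, "B.COM": b"\xcd\x20" * 32}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = snapshot(root)          # taken while the files are known-good
        with open(os.path.join(root, "A.COM"), "ab") as f:
            f.write(b"\xcc" * 16)          # appended: length grows, any checker sees it
        with open(os.path.join(root, "B.COM"), "r+b") as f:
            f.seek(8)
            f.write(b"\x90\x90")           # patched in place: length unchanged, only content differs
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```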

frisk@rhi.hi.is (Fridrik Skulason) (06/19/91)

hermann@uran.informatik.uni-bonn.de (Hermann Stamm) writes:
>  - what other scanner should I try for these versions ?

It does not matter - you will get practically the same results.  My
scanner may detect some of those SCAN missed or vice versa, but that
is not important.

What is important is that you cannot expect a scanner to detect a
modified virus. It may work, or it may not, but there is absolutely no
guarantee.  A scanner is designed to detect existing viruses, not new
ones or new variants of older viruses, although some scanners may
detect some new variants of some viruses.

>  - is it true, that any scanner must try to look at the
>    semantics of such decoders, and not at the shape ?

Well, if it looked at something else, it would not be a scanner.... :-)

Don't misunderstand me - there are programs which may look at the 1701
virus, or some of your modified variants, and report something like:

	This program seems to contain additional code at the end,
	which starts by performing decryption of itself. This is
	typical of a virus.

But, a program like this is not a scanner - it is a generic analysis
tool, unable to identify viruses - it just reports anything
"suspicious".

>  - which systems are good by looking at the length of
>    files and reporting differences ?

Differences between what ?

>  - Is the following behaviour possible for a virus:
>
>    After getting resident, it forces to do a warm-start
>    with ctrl-alt-del, and then it copies itself to all
>    .com-files encountered during rebooting
>    (like command.com, ...).

No - it is not possible.

a_rubin@dsg4.dse.beckman.com (Arthur Rubin) (06/19/91)

I'm somewhat suspicious of any code with the following instructions:

E80000            CALL   (next instruction)

(except that some linkers produce that for a near call to an
unsatisfied external, and it could be required for
ROM/position-independent code that needs to access data)

3134              XOR    [SI],SI

(except that that is ASCII '14')

There doesn't appear to be much else fixed in there except

B*8206            MOV   ??,0682

which could also be changed if you have a spare byte, which you can
get in your last try.  (Details omitted -- let's not make it TOO
easy.)

I hope some virus scanners have a signature for 1701 in the encrypted
portion.

- --
2165888@mcimail.com 70707.453@compuserve.com arthur@pnet01.cts.com (personal)
a_rubin@dsg4.dse.beckman.com (work)
My opinions are my own, and do not represent those of my employer.