[comp.virus] Question About Stealth Viruses

76476.337@CompuServe.COM (Robert McClenon) (05/24/91)

    I have a question, or probably a series of related questions.  Can
someone please explain exactly what "stealth" viruses are?  Is there a
standard definition of what characteristics make a virus a "stealth"
virus?  If not, what are the alternate definitions?  I have read that
they delete themselves from the hard disk and hide in memory when they
are active.  If so, can't they be disinfected by simply powering off
the workstation?  If not, exactly what are they doing and how?  I
apologize if I am wasting the time of some readers, but I assume that
there are others who also want to know this.

    Robert McClenon
    Neither my employer nor anyone else paid me to ask this.

padgett%tccslr.dnet@mmc.com (A. Padgett Peterson) (05/29/91)

>From:    "Robert McClenon" <76476.337@CompuServe.COM>

"STEALTH" is a buzzword used to denote any virus that attempts to hide itself
from observation by intercepting calls that might be used to detect the virus
and instead provides returns indicative of a clean system.

The first "stealth" virus was also the first PC virus, the Pakistani BRAIN.
On activation, it would go resident in memory, intercepting calls to the floppy
disk. If the boot sector of an infected floppy was requested, it would return
instead the real boot sector code that had been stored elsewhere on the disk.

As far as I know, the first time the word "stealth" was applied to a virus was
to the 4096, a file infector that, when resident, would intercept all calls
for infected files, strip the viral code off, and return the original
uninfected file to DOS so that signature scanners could be thwarted. Very
quickly scanner authors added memory checking mechanisms to reveal these
activities.

The vulnerability is that for a "stealth" virus to be active, it must become
resident and intercept calls that would reveal its presence. This residence
is detectable, usually with nothing more complex than CHKDSK, if the user
knows the meaning of the returns.

Memorize: "655360 total bytes memory".
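
The check Padgett describes, written out as an added example (this is not code from any poster, and the CHKDSK text it parses is a constructed sample laid out like DOS CHKDSK output, not a capture from a real machine). It reads the "total bytes memory" line, compares it with the 655360 bytes of a full 640 KB, and reports how much of conventional memory DOS is no longer counting:

```python
import re

# 640 KB = 655360 bytes: what CHKDSK reports when nothing resident has
# lowered the top of conventional memory (the figure from the post above).
EXPECTED_TOTAL = 655360

# Constructed sample in the shape of DOS CHKDSK output (not a real capture).
SAMPLE_CLEAN = """\
Volume SYSTEM      created 01-15-1991 10:22a

  33419264 bytes total disk space
     73728 bytes in 3 hidden files
   1024000 bytes in 25 directories
  29011968 bytes in 871 user files
   3309568 bytes available on disk

    655360 total bytes memory
    583456 bytes free
"""

# Same constructed report with 3 KB gone from the top of memory.
SAMPLE_SUSPECT = SAMPLE_CLEAN.replace("655360 total bytes memory",
                                      "652288 total bytes memory")

_TOTAL_RE = re.compile(r"^\s*(\d+)\s+total bytes memory\s*$", re.MULTILINE)


def total_memory(chkdsk_output):
    """Return the 'total bytes memory' figure from a CHKDSK report."""
    m = _TOTAL_RE.search(chkdsk_output)
    if not m:
        raise ValueError("no 'total bytes memory' line found")
    return int(m.group(1))


def memory_shortfall(chkdsk_output, expected=EXPECTED_TOTAL):
    """Bytes missing from the top of conventional memory (0 when none)."""
    return max(0, expected - total_memory(chkdsk_output))


def assess(chkdsk_output, expected=EXPECTED_TOTAL):
    """Plain-language verdict a user could act on after running CHKDSK."""
    missing = memory_shortfall(chkdsk_output, expected)
    if missing == 0:
        return "no shortfall: DOS still sees the full 640 KB"
    return ("%d bytes (%d KB) missing below 640 KB: something resident is "
            "hidden at the top of memory; identify it before trusting any "
            "disk read" % (missing, missing // 1024))


if __name__ == "__main__":
    print(assess(SAMPLE_CLEAN))
    print(assess(SAMPLE_SUSPECT))
```

A shortfall is a lead, not a verdict: a BIOS that reserves an extended BIOS data area reports 654336 (1 KB less) on a perfectly clean machine, so the useful comparison is against the figure the same machine gave when it was known to be clean, which is why the post says to memorize it.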

frisk@rhi.hi.is (Fridrik Skulason) (05/30/91)

76476.337@CompuServe.COM (Robert McClenon) writes:
>    I have a question, or probably a series of related questions.  Can
>someone please explain exactly what "stealth" viruses are?  Is there a
>standard definition of what characteristics make a virus a "stealth"
>virus?

To qualify as a "stealth" virus a virus must:

	A) Make any increase in file length disappear when a user checks
	   an infected file while the virus is active.  Viruses which
	   do not change infected files ("companion viruses") are not
	   included, nor are overwriting viruses.  The "Number of the
	   beast" virus is considered to be a stealth virus.

	B) Intercept any operation to read from an infected file or
	   an infected boot sector, and make the virus code "disappear"
	   by returning the original program.  Whether this is done by
	   actually disinfecting programs when they are opened for
	   reading, or just by modifying the read buffers is irrelevant.

According to this definition, "Brain" is a stealth virus, for example.

> I have read that they delete themselves from the hard disk and hide in
> memory when they are active.

Totally incorrect.  Some "stealth" viruses disinfect programs when
they are read, so it is possible to remove them by simply giving a
command like

			COPY *.* NUL:

in every directory containing executable files, but this is certainly
not a universal solution.

- -frisk

Fridrik Skulason                 Technical Editor of the Virus Bulletin (UK)
(author of F-PROT)               E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801

p1@arkham.wimsey.bc.ca (Rob Slade) (06/01/91)

76476.337@CompuServe.COM (Robert McClenon) writes:

> someone please explain exactly what "stealth" viruses are?  Is there a
> standard definition of what characteristics make a virus a "stealth"

There is *always* argument over terms in the computer virus field.

However, I think that most researchers would agree that "stealth" viri
are those which "trap" any reading of the disk, and hide themselves by
ensuring that the information given back to the screen (or calling
program) is only that of the original program, before infection.  This
means that stealth viri, while active, can avoid any kind of detection
mechanism that relies on reading the disk, such as file signature
checking, file size checking, checksum, CRC or other "image signature"
calculation and checking.

Generally, stealth viri can be detected by examination of system memory.
Exactly how, or the best way to do this, would be the subject of great
debate.  (Which I am not going to precipitate.)

=============
Vancouver          p1@arkham.wimsey.bc.ca   | "If you do buy a
Institute for      Robert_Slade@mtsg.sfu.ca |  computer, don't
Research into      (SUZY) INtegrity         |  turn it on."
User               Canada V7K 2G6           | Richards' 2nd Law
Security                                    | of Data Security
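
An added model of the two definitions above (frisk's criteria A and B, and Rob Slade's point that any check which reads through the trapped disk path is fooled), written for this thread rather than taken from any poster. Everything in it is constructed: the "programs" are byte strings, the appended marker stands in for the code that lengthens a file, and `InterceptedDos` is a toy stand-in for a resident interceptor on the file-service path. It shows that a size-plus-CRC integrity check run through the interceptor reports clean, that the same check against the raw disk (the view you get after a clean boot, which is what examining memory first buys you) reports the change, that comparing the two views flags the hidden file directly, and, for frisk's `COPY *.* NUL:` remark, that a disinfect-on-read interceptor leaves the raw disk clean after every file has been read once:

```python
import zlib

# Constructed toy programs (not real executables); names are illustrative.
ORIGINAL = {
    "EDIT.COM": bytes(range(64)) * 4,
    "CALC.COM": b"\x90" * 100 + b"\xcd\x20",
}
# Constructed marker standing in for appended code; its length is the
# increase that criterion A says must vanish from a length check.
APPENDED = b"<<simulated appended bytes>>"


class RawDisk:
    """Bytes as they sit on disk: what a sector read, or any read taken
    after a clean boot, returns."""
    def __init__(self, files):
        self.files = dict(files)

    def read(self, name):
        return self.files[name]

    def size(self, name):
        return len(self.files[name])


class InterceptedDos:
    """Toy model of criteria A and B: a resident interceptor answers length
    and read requests for affected files with the original content.  With
    disinfect_on_read=True it also writes the original back to disk on
    every read (the variant behind the COPY *.* NUL: remark)."""
    def __init__(self, disk, affected, disinfect_on_read=False):
        self.disk = disk
        self.affected = set(affected)
        self.disinfect_on_read = disinfect_on_read

    def read(self, name):
        data = self.disk.read(name)
        if name in self.affected and data.endswith(APPENDED):
            data = data[:-len(APPENDED)]
            if self.disinfect_on_read:
                self.disk.files[name] = data
        return data

    def size(self, name):
        return len(self.read(name))


def baseline(view, names):
    """Size and CRC-32 per file, as an integrity checker records them."""
    return {n: (view.size(n), zlib.crc32(view.read(n))) for n in names}


def integrity_check(view, names, expected):
    """Files whose size or CRC differ from the baseline, as seen via `view`."""
    return sorted(n for n in names
                  if (view.size(n), zlib.crc32(view.read(n))) != expected[n])


def cross_view_check(api_view, raw_view, names):
    """Files for which the service path and the raw path disagree."""
    return sorted(n for n in names if api_view.read(n) != raw_view.read(n))


def infected_disk():
    """Constructed disk where EDIT.COM has the marker appended."""
    files = dict(ORIGINAL)
    files["EDIT.COM"] = files["EDIT.COM"] + APPENDED
    return RawDisk(files)


def scenario():
    """Run the three checks while the interceptor is active."""
    names = sorted(ORIGINAL)
    clean = baseline(RawDisk(ORIGINAL), names)  # recorded on a clean system
    disk = infected_disk()
    hooked = InterceptedDos(disk, affected=["EDIT.COM"])
    return {
        "check_through_interceptor": integrity_check(hooked, names, clean),  # []
        "check_on_raw_disk": integrity_check(disk, names, clean),            # ['EDIT.COM']
        "cross_view": cross_view_check(hooked, disk, names),                 # ['EDIT.COM']
    }


def copy_to_nul_scenario():
    """Reading every file through a disinfect-on-read interceptor (what
    COPY *.* NUL: does) leaves the raw disk clean."""
    names = sorted(ORIGINAL)
    disk = infected_disk()
    hooked = InterceptedDos(disk, affected=["EDIT.COM"], disinfect_on_read=True)
    for n in names:
        hooked.read(n)
    return integrity_check(disk, names, baseline(RawDisk(ORIGINAL), names))  # []


if __name__ == "__main__":
    print(scenario())
    print(copy_to_nul_scenario())
```

The design point is the one both posts make from different directions: a baseline of sizes and CRCs is only as trustworthy as the path used to read the files, so the check has to be run from a view the interceptor cannot answer, either by taking it out of memory first or by comparing two views and treating any disagreement as the finding.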