frisk@rhi.hi.is (Fridrik Skulason) (04/04/91)
I know that many readers of comp.virus feel this discussion about the "six-byte method" is just a waste of time, and I apologize - but I still want to clarify a few issues. I don't mean this to be interpreted as a personal attack on Padgett Peterson, and I respect his work in the virus area in general, but I just happen to disagree with how he sometimes presents the "six-byte" check.

Padgett Peterson wrote:

> While the "stealth" seen so far will defeat a program integrity check, it will NOT defeat a system integrity check (the six bytes).

I replied:

> The six-byte check is no substitute for a full system integrity check.

Padgett Peterson then wrote:

> I did not think I ever said that it was. In fact in my New York paper specific mention was made that it did not detect the 512 (Number of the Beast). It will also not detect the Alabama, Icelandic, EDV, or any virus that does not go resident. What was said was that it will detect all currently "common" viruses.

I was just replying to your earlier posting - and while I agree that the currently existing "stealth" viruses should not be able to evade a full system integrity check, we have at least one "stealth" virus which is able to evade the "six-byte" check. And regarding the claim that it will detect all currently "common" resident viruses, I must disagree - the Vienna virus and its 30+ variants are quite common, even though they are not as common as Jerusalem or "Stoned".

However, basically we agree. Checking the memory allocation (the six-byte check) before and after running a program will in most cases tell you if that program was infected with a virus. My point is just that "in most cases" is not good enough.

Padgett Peterson wrote:

> An effective defense MUST start at the BIOS level, something that has nothing to do with the "six bytes". Such a program's major difficulty will be to handle every oddball O/S, partitioning scheme, and non-compliant application around.

I more-or-less agree - with the latest viruses managing to bypass all interrupt monitors, and accessing the ROM BIOS functions directly, it is clear that 100% defence needs to be at least partially implemented in the BIOS itself.

>> I cannot go into details, but I do have a working program which is
>> able to do this - more details next month.
>
> Is this why the "insulting" of the "six bytes"? I admit to being surprised that someone with your well-deserved reputation and many contributions would feel it necessary to harp on admitted flaws in something that is not a commercial product but merely a technique some people find useful.

No, certainly not - I respect your work in the virus area, but I disagree with your presentation of the technique, like: "it will NOT defeat a system integrity check (the six bytes)" and "What was said was that it will detect all currently "common" viruses."

As long as it is just presented as a simple check to detect if some program has allocated memory in a "standard" way, I have no objections to the "six-byte" check - primitive, but sometimes useful.

- -frisk
PHYS169@csc.canterbury.ac.nz (Mark Aitchison, U of Canty; Physics) (04/10/91)
A few thoughts...

(1) It would be best to check a few key interrupt vectors (via their low memory locations, not via DOS), as well as the memory size, since either a virus may be living in video RAM (and some key vector would point there), or in an unused area of the vector table (etc.); again the check would help spot a virus freshly resident.

(2) The mention of direct calls to BIOS by viruses... A friend of mine has a method (well, two really, one for diskettes and one for hard disks) that should prevent this, but we can't test it with many real viruses - any volunteers?

(3) Does any virus take interrupts by not changing the vector but by changing the first few bytes of the present routine to be a far jump to the virus? If so, my comments in (1) need the addition of checking the first few bytes.

(4) I really prefer blocking viruses before they get a chance to run, but spotting them very soon after they load is at least better than scanning disk every few days or weeks.

(5) I had hoped that the checksum in the header of .EXE files would help spot viruses, but few programs have a valid checksum. Can anyone tell me whether, if I go to the effort of correcting the checksum in all my programs, any virus will be smart enough to rewrite a corrected checksum?

Personally, I think that ultimately boot sector viruses will disappear, since the odds are in favour of the anti-virus people, assuming users do sensible things. That doesn't involve inconveniences to operations, or changes to DOS or BIOS (although the latter would be very nice). However, IMHO, non-boot sector viruses will probably eventually win over the best efforts of anti-virus software coupled with the present generation of BIOSes and DOS (even DRDOS), and that will hurt "serious" users of the PC, like businesses and universities. The answer is going to have to mean radical changes to BIOS, DOS and MSWINDOWS (which, for a new product, makes a lot of stupid mistakes, it seems).

In the short term, a slight change to BIOS, and not much more than DRDOS's password protection system, should suffice. By the way, I keep asking, has anyone found a virus that gets past DRDOS 5.0's password protection system yet? Has anyone else tried? (I haven't got a lot of viruses to test).

Mark Aitchison, University of Canterbury, New Zealand.
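A worked version of the before/after memory check frisk describes ("checking the memory allocation ... before and after running a program") together with Mark's points (1) and (3), added here as an example; it is not code from either poster, and the page does not say which bytes Padgett's "six bytes" are, so the check below simply records the BIOS memory-size word at 0040:0013 and every interrupt vector. The low 1 MiB of a PC is modelled as a byte array (on a real DOS machine the same values would be read straight from 0000:0000-0000:03FF and 0040:0013, not through DOS). After a constructed "infection" the comparison flags a vector that moved, that points above the reduced top of memory, into the vector table itself, into the video window, or whose handler entry now begins with a far jump (opcode 0xEA) even though the vector is unchanged. The clean-state addresses, the 2 KB memory theft and the three hooks are constructed values, not a dump of any real system or virus.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the low 1 MiB of a PC's address space. Only the interrupt
 * vector table (0x000-0x3FF), the BIOS data area word at 0040:0013 and a few
 * handler entry bytes are populated; everything else stays zero. */
#define MEM_SIZE  (1024u * 1024u)
#define BDA_MEMKB 0x413u            /* conventional memory size in KB (what INT 12h returns) */
#define VIDEO_LO  0xA0000u          /* video RAM window */
#define VIDEO_HI  0xC0000u

static uint8_t mem[MEM_SIZE];

static uint16_t rd16(uint32_t lin) { return (uint16_t)(mem[lin] | (mem[lin + 1] << 8)); }
static void     wr16(uint32_t lin, uint16_t v) { mem[lin] = (uint8_t)v; mem[lin + 1] = (uint8_t)(v >> 8); }
static uint32_t linear(uint16_t seg, uint16_t off) { return ((uint32_t)seg << 4) + off; }
static void set_vector(int n, uint16_t seg, uint16_t off) { wr16(4u * n, off); wr16(4u * n + 2, seg); }

/* What the check records before and after the program runs: the memory-size word and
 * every vector, resolved to a linear address. */
typedef struct { uint16_t mem_kb; uint32_t vec[256]; } snapshot_t;

static void take_snapshot(snapshot_t *s) {
    s->mem_kb = rd16(BDA_MEMKB);
    for (int n = 0; n < 256; n++) s->vec[n] = linear(rd16(4u * n + 2), rd16(4u * n));
}

/* Reasons a vector looks suspicious in the "after" snapshot. */
enum {
    SUSP_CHANGED   = 1,   /* vector no longer where it was */
    SUSP_ABOVE_TOM = 2,   /* points above the (reduced) top of memory: memory-stealing resident code */
    SUSP_IN_IVT    = 4,   /* points into the vector table itself (Mark's "unused area") */
    SUSP_IN_VIDEO  = 8,   /* points into the video RAM window */
    SUSP_FARJMP    = 16   /* handler entry now starts with JMP FAR (0xEA); vector itself unchanged */
};

static int classify(const snapshot_t *before, const snapshot_t *after, int n) {
    uint32_t was = before->vec[n], now = after->vec[n];
    int f = 0;
    if (now != was) f |= SUSP_CHANGED;
    if (now >= (uint32_t)after->mem_kb * 1024u && now < VIDEO_LO) f |= SUSP_ABOVE_TOM;
    if (now < 0x400u) f |= SUSP_IN_IVT;
    if (now >= VIDEO_LO && now < VIDEO_HI) f |= SUSP_IN_VIDEO;
    if (now < MEM_SIZE && mem[now] == 0xEA) f |= SUSP_FARJMP;
    return f;
}

typedef struct { int mem_shrank; int f13, f21, f1c; } report_t;

static report_t compare(const snapshot_t *before, const snapshot_t *after) {
    report_t r;
    r.mem_shrank = after->mem_kb < before->mem_kb;
    r.f13 = classify(before, after, 0x13);   /* BIOS disk services */
    r.f21 = classify(before, after, 0x21);   /* DOS services */
    r.f1c = classify(before, after, 0x1C);   /* timer tick hook */
    return r;
}

/* Constructed clean state: 640 KB, disk handler in ROM, DOS handler low, timer hook at a ROM IRET. */
static void setup_clean(void) {
    memset(mem, 0, sizeof mem);
    wr16(BDA_MEMKB, 640);
    set_vector(0x13, 0xF000, 0xEC59); mem[linear(0xF000, 0xEC59)] = 0xFA;   /* CLI at entry */
    set_vector(0x21, 0x0116, 0x109E); mem[linear(0x0116, 0x109E)] = 0xFA;
    set_vector(0x1C, 0xF000, 0xFF53); mem[linear(0xF000, 0xFF53)] = 0xCF;   /* IRET */
}

/* Constructed "infection": steal 2 KB off the top of memory and hook INT 21h there, patch the
 * INT 13h handler's first bytes with a far jump instead of touching its vector (Mark's point 3),
 * and park an INT 1Ch hook inside an unused part of the vector table (Mark's point 1). */
static void simulate_resident_virus(void) {
    wr16(BDA_MEMKB, 638);
    set_vector(0x21, 0x9F80, 0x0000);
    mem[linear(0xF000, 0xEC59)] = 0xEA;
    set_vector(0x1C, 0x0000, 0x0300);
}

report_t demo(void) {
    snapshot_t before, after;
    setup_clean();
    take_snapshot(&before);
    simulate_resident_virus();
    take_snapshot(&after);
    return compare(&before, &after);
}

int main(void) {
    report_t r = demo();
    printf("memory shrank: %d  INT13 flags: %#x  INT21 flags: %#x  INT1C flags: %#x\n",
           r.mem_shrank, r.f13, r.f21, r.f1c);
    return 0;
}
```

The INT 13h case is the one Mark asks about in (3): the vector is untouched, so a check that compares vectors alone says nothing, and only looking at the first byte of the handler catches the patch. The INT 21h case is the memory-allocation signal the six-byte idea relies on: the memory-size word dropped and a vector now points into memory DOS no longer considers present. As frisk says, a virus that does not go resident shows nothing here, and the thread notes at least one stealth virus that gets past the six-byte check.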
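Mark's point (5), as an added example (not code from the post): a portable C checker and fixer for the .EXE (MZ) header checksum. The convention assumed here is the documented one: all 16-bit words of the load image declared by the header (length from e_cp and e_cblp), summed with wraparound, must total 0xFFFF, and e_csum is set to make that true; bytes beyond the declared length are not summed. The 64-byte sample program and the 32-byte appended "virus body" are constructed. The demo walks through the scenario Mark describes: correct the checksum, let an appending infector enlarge the file without recomputing e_csum (detectable), then let it recompute e_csum (not detectable by this check). Whether any real virus of the time did the latter is the question the post asks; the code cannot answer it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MZ header offsets used here. */
#define E_CBLP 0x02   /* bytes used in the last 512-byte page (0 = whole page) */
#define E_CP   0x04   /* number of 512-byte pages in the load image */
#define E_CSUM 0x12   /* checksum word */
#define MZ_HDR 0x1C   /* size of the fixed header */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void     wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Image length declared by the header; anything past it (overlays) is not part of the checksum. */
static size_t mz_declared_size(const uint8_t *img) {
    uint16_t cblp = rd16(img + E_CBLP), cp = rd16(img + E_CP);
    if (cp == 0) return 0;
    return cblp ? (size_t)(cp - 1) * 512 + cblp : (size_t)cp * 512;
}

/* Wraparound sum of every 16-bit word in the first n bytes (odd tail padded with 0),
 * treating the e_csum field as csum_value rather than whatever is stored there. */
static uint16_t mz_word_sum(const uint8_t *img, size_t n, uint16_t csum_value) {
    uint32_t sum = 0;
    for (size_t off = 0; off < n; off += 2) {
        uint16_t w;
        if (off == E_CSUM)      w = csum_value;
        else if (off + 1 < n)   w = rd16(img + off);
        else                    w = img[off];
        sum = (sum + w) & 0xFFFFu;
    }
    return (uint16_t)sum;
}

/* 1 if e_csum is consistent with the image, 0 if not (or if the buffer is not a usable MZ file). */
int mz_checksum_valid(const uint8_t *img, size_t len) {
    if (len < MZ_HDR || img[0] != 'M' || img[1] != 'Z') return 0;
    size_t n = mz_declared_size(img);
    if (n < MZ_HDR || n > len) return 0;
    return mz_word_sum(img, n, rd16(img + E_CSUM)) == 0xFFFFu;
}

/* Rewrite e_csum so the declared image sums to 0xFFFF. Returns 0 if the header is unusable. */
int mz_fix_checksum(uint8_t *img, size_t len) {
    if (len < MZ_HDR || img[0] != 'M' || img[1] != 'Z') return 0;
    size_t n = mz_declared_size(img);
    if (n < MZ_HDR || n > len) return 0;
    wr16(img + E_CSUM, (uint16_t)(0xFFFFu - mz_word_sum(img, n, 0)));
    return 1;
}

/* Constructed 64-byte .EXE: a header followed by "MOV AH,4Ch / INT 21h" as the whole program. */
size_t build_sample(uint8_t *buf, size_t cap) {
    static const uint8_t code[] = { 0xB4, 0x4C, 0xCD, 0x21 };
    if (cap < 64) return 0;
    memset(buf, 0, 64);
    buf[0] = 'M'; buf[1] = 'Z';
    wr16(buf + E_CBLP, 64);
    wr16(buf + E_CP, 1);
    wr16(buf + 0x08, 2);       /* e_cparhdr: 32-byte header, code starts at offset 32 */
    wr16(buf + 0x10, 0x100);   /* e_sp */
    memcpy(buf + 32, code, sizeof code);
    return 64;
}

/* The scenario from the post. Bit 0: valid after correcting the checksum; bit 1: still valid after
 * an appending infector grows the file without recomputing e_csum; bit 2: valid after it recomputes. */
int demo(void) {
    uint8_t img[128];
    size_t len = build_sample(img, sizeof img);
    int result = 0;

    mz_fix_checksum(img, len);
    if (mz_checksum_valid(img, len)) result |= 1;

    memset(img + len, 0x90, 32);               /* constructed 32-byte "virus body" appended */
    len += 32;
    wr16(img + E_CBLP, (uint16_t)len);         /* the infector updates the size fields ... */
    if (mz_checksum_valid(img, len)) result |= 2;   /* ... but not e_csum: the change is visible */

    mz_fix_checksum(img, len);                 /* a smarter infector recomputes e_csum ... */
    if (mz_checksum_valid(img, len)) result |= 4;   /* ... and the header check no longer helps */
    return result;
}

int main(void) {
    printf("stages valid (bit0 corrected, bit1 naive append, bit2 recomputed): %#x\n", demo());
    return 0;
}
```

A practical consequence for Mark's plan: correcting e_csum on every program only pays off if the check is run against a copy of the value stored somewhere the infector cannot reach, or if the infector fails to recompute it; a checksum that lives in the file it protects is only as strong as the attacker's laziness, which is why frisk's side of the thread keeps pushing for a full system integrity check instead.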