padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (04/06/91)
>From: ejd@slate.mitre.org (eRic Donaldson)
>From: vancleef@iastate.edu (Van Cleef Henry H)
>My study begins with some assumptions, which I should state here.
>a. That MS-Dos viruses (is this an all-encompassing term for things
>that tamper with and destroy the OS and programs?) have conceptual
>parallels in the Unix o/s. i.e. the kernel is equivalent to
>COMMAND.COM, the file system superblock is equivalent to the FAT, etc.

Kind of: COMMAND.COM is more of an analogue of the shell, the kernel is
closer to the BIOS, while IO.SYS & MSDOS.SYS are more like a "run-time
library" - an imperfect conceptualization, but you get the idea. One reason
MS-DOS viruses flourish is that the O/S has zero integrity checking, while
most multi-user systems have some means of defending one user from the
"errors" of another, what we usually term "robustness".

>b. That all "security" to read and write as a superuser has already
>been breached and that this breach has gone undetected.

Given this, an intruder can do anything the system is capable of. Period.
However, a worm or spoof is much more likely than a virus simply because
it is easier to write (UNIX performs some integrity checking of a file
against its header and directory information - MS-DOS does not).

Similarly, users of Sun OSes will be reassured to know that the diversity
of Sun platforms (based on Intel, Motorola, and SPARC architectures) makes
it difficult for an outsider to plant a virus unless it is in the form of
source code that the intruder can compile and execute at your location.
Executable code that will run on a Sun386i is gibberish to the Sun-3
family. On the other hand, an insider or professional targeting a specific
organization can tailor the attack.

Given B, anything is possible. The only protection in this case is to make
B impossible (or difficult, or, at least, detectable). You have to decide
the risk/response for yourself. From your comments, it sounds like you have
a specific workstation and individual in mind.
My minimum suggestion would be to monitor at the network level (any number of devices can do this) every communication from this station.