p1@arkham.wimsey.bc.ca (Rob Slade) (02/01/91)
gt1546c@prism.gatech.edu (Gatliff, William A.) writes:

> To help combat this, what would be the possibility of 'deliberately'
> infecting ones boot-sector with a piece of code that would display
> some kind of 'ok' message if it hadn't been tampered with?

Not a bad idea, although it would have to be done carefully, and wouldn't be 100% certain anyway.

You see, boot viri generally remove the original boot sector to a safe location, and then install themselves in the original boot sector location. They are then run first. After that, they are perfectly content to let the normal OS take over ... under supervision, as it were.

I could see your scheme working with some current viri, if the original boot sector "pointed" to another program which checked the boot sector to see if it was intact, and only then called the OS. This would deal with a number of current viri, including Stoned. It would not, unfortunately, deal with "stealth" boot viri like Joshi, and I can see virus writers getting around it in other ways as well.

Still, it's a thought.

Vancouver Institute for Research into User Security
Canada V7K 2G6
p1@arkham.wimsey.bc.ca
Robert_Slade@mtsg.sfu.ca (SUZY) INtegrity
Radical Dude

"A ship in a harbour is safe, but that is not what ships are built for." - John Parks
70033.1271@CompuServe.COM (Steve Albrecht) (02/05/91)
> From: gt154c@prism.gatech.edu (Gatliff, William A.)
> To help combat this, what would be the possibility of deliberately
> infecting ones boot-sector with a piece of code that would display
> some kind of 'ok' message if it hadn't been tampered with?

While waiting for the same type of self-check in the boot sector, we have developed a small program (so far only intended to protect ourselves against reinfection by the Stoned virus) which does the following:

1. Reads the partition table sector (absolute sector 1).
2. Compares the sector with a previously saved copy of absolute sector 1 (in a DOS file).
3. Writes (using Int 13h) the saved copy to absolute sector 1 in the event of a discrepancy.
4. Immediately reboots the machine with a system reset (hard boot).

This program is placed in the AUTOEXEC.BAT file (this does lead to the possibility that the process can be disabled very easily). A separate initialization program is used to save the "clean" copy of absolute sector 1 (necessary for step 2 above). This file must be saved at a time when the sector is known to be clean. We have used McAfee's SCAN and direct examination of the sector with a low-level sector editor to verify that absolute sector 1 is "clean".

The immediate reboot (step 4) is necessary because the Stoned virus is still in memory at this point, and a reboot will prevent the virus from rewriting itself to the partition table.

This process monitors and corrects problems in absolute sector 1 only. If a virus changes additional sectors, this process will restore the original code in the partition table, and the system should boot normally, if no changes have been made to the boot sector (logical sector 1).

This process is not as complex as programming a self-check into the code contained in the partition table sector, and is perhaps not as effective as a deterrent to partition table viruses in general. However, it works very effectively against the Stoned virus.

We have not had a chance to test it against other partition table viruses. One caveat, though, is that this process will not work against a virus which somehow prevents the write operation in step 3 above. Luckily, the Stoned virus does not interfere.

One additional benefit we have realized is that in the case of accidental corruption of the partition table, the saved copy can be found with a low-level sector editor, and restored to absolute sector 1. We haven't had cause to use this benefit yet, but it is there if the need arises.

We will likely improve on this program (barring availability of a commercial alternative), but I share the idea for what it may be worth to any of you who have been plagued by pesty comments about legalisation.

Steve Albrecht
70033,1271@compuserve.com
padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (02/06/91)
>From: Steve Albrecht <70033.1271@CompuServe.COM>
>
>While waiting for the same type of self-check in the boot sector, we
>have developed a small program (so far only intended to protect
>ourselves against reinfection by the Stoned virus) which does the
>following:

(lengthy description follows)

This method will detect the Stoned; however, "stealth" type viruses (Brain, Joshi) will return the original boot sector (floppy-Brain) or partition table (hard disk-Joshi) when an Int 13 request is processed, since these viruses (as well as others) trap the Int 13 call.

A proven technique is to first perform an Int 12 call (returns # of k in hex to AX) and check for either 280h (640k) or 200h (512k). Successful BSI/PTI viruses (Brain, Stoned, Joshi) go resident at the TOM and change this value to some lower number.

Padgett
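The two checks discussed in this thread, Steve Albrecht's read-compare-restore of absolute sector 1 and Padgett Peterson's Int 12h memory-size test, can be shown side by side on a simulated machine. The C below is an added example written for this digest, not any poster's program: there is no real BIOS here, so `int13_read`, `int13_write`, `machine_t`, `simulate_infection` and the `scenario` bitmask are all constructed stand-ins, and the "infection" is just a moved sector plus a lowered memory count, with an optional stealth flag that answers reads with the original. It shows why the sector comparison alone is fooled by a stealth infector while the Int 12h value still gives it away.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512
#define INT12_640K  0x280   /* Int 12h result on a 640K machine */
#define INT12_512K  0x200   /* Int 12h result on a 512K machine */

/* Simulated PC state (constructed for this example, not a real BIOS). */
typedef struct {
    uint8_t sector1[SECTOR_SIZE];     /* what is physically on absolute sector 1 */
    uint8_t hidden_copy[SECTOR_SIZE]; /* where a boot infector parks the original */
    int resident;                     /* resident hook installed at top of memory */
    int stealth;                      /* hook answers Int 13h reads with the original */
    uint16_t int12_kb;                /* what Int 12h would return in AX */
} machine_t;

/* Build the known-clean partition table sector the checker saves to a DOS file. */
static void make_clean_sector(uint8_t *s) {
    for (int i = 0; i < SECTOR_SIZE; i++) s[i] = (uint8_t)(i * 7);
    s[510] = 0x55; s[511] = 0xAA;     /* boot signature */
}

static void machine_init(machine_t *m, const uint8_t *clean) {
    memset(m, 0, sizeof *m);
    memcpy(m->sector1, clean, SECTOR_SIZE);
    m->int12_kb = INT12_640K;
}

/* Stand-in for the infection Rob Slade describes: the original sector is
   parked elsewhere, sector 1 is overwritten, and the code goes resident at
   the top of memory. A stealth variant also traps Int 13h reads. */
static void simulate_infection(machine_t *m, int stealth) {
    memcpy(m->hidden_copy, m->sector1, SECTOR_SIZE);
    memset(m->sector1, 0xEE, SECTOR_SIZE);   /* constructed filler, not virus code */
    m->resident = 1;
    m->stealth = stealth;
    m->int12_kb = INT12_640K - 2;            /* resident code lowers the BIOS count */
}

/* Stand-in for an Int 13h read of absolute sector 1. */
static void int13_read(const machine_t *m, uint8_t *out) {
    const uint8_t *src = (m->resident && m->stealth) ? m->hidden_copy : m->sector1;
    memcpy(out, src, SECTOR_SIZE);
}

/* Stand-in for an Int 13h write of absolute sector 1. */
static void int13_write(machine_t *m, const uint8_t *in) {
    memcpy(m->sector1, in, SECTOR_SIZE);
}

/* Steps 1-3 of the AUTOEXEC.BAT checker: read, compare with the saved copy,
   write the saved copy back on a mismatch. Returns 1 when a discrepancy was
   found (the caller would then do step 4, an immediate hard reboot). */
static int check_sector1(machine_t *m, const uint8_t *saved) {
    uint8_t buf[SECTOR_SIZE];
    int13_read(m, buf);
    if (memcmp(buf, saved, SECTOR_SIZE) == 0) return 0;
    int13_write(m, saved);
    return 1;
}

/* Padgett Peterson's Int 12h test: anything but 280h or 200h is suspicious. */
static int memsize_suspicious(const machine_t *m) {
    return m->int12_kb != INT12_640K && m->int12_kb != INT12_512K;
}

/* Runs one scenario and packs the outcome into a bitmask:
   bit 0: sector check reported a discrepancy
   bit 1: physical sector 1 matches the clean copy after the check
   bit 2: Int 12h memory size looks wrong */
static int scenario(int infected, int stealth) {
    uint8_t clean[SECTOR_SIZE];
    machine_t m;
    make_clean_sector(clean);
    machine_init(&m, clean);
    if (infected) simulate_infection(&m, stealth);
    int result = 0;
    if (check_sector1(&m, clean)) result |= 1;
    if (memcmp(m.sector1, clean, SECTOR_SIZE) == 0) result |= 2;
    if (memsize_suspicious(&m)) result |= 4;
    return result;
}

int main(void) {
    printf("clean machine:      %d\n", scenario(0, 0));
    printf("Stoned-like infect: %d\n", scenario(1, 0));
    printf("stealth infect:     %d\n", scenario(1, 1));
    return 0;
}
```

On the clean machine nothing is flagged and the sector matches. On the non-stealth infection the comparison fires, the saved copy is written back and the memory count is off, which is exactly the Stoned case the checker was built for. On the stealth infection the read returns the parked original, so the comparison passes and sector 1 stays overwritten; only the Int 12h check notices anything, which is the point of running it before trusting any Int 13h read.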