[comp.virus] Too much on infection checkers

padgett%tccslr.dnet@uvs1.orl.mmc.com (A. Padgett Peterson) (02/04/91)

>From:    "Nick FitzGerald" <CCTR132@csc.canterbury.ac.nz>

>If a virus such as STONED infected a machine with a cherry "All is OK"
>message in the boot sector, you would continue to see this now
>terribly misleading message after the STONED code loaded and passed
>control to the original boot sector.

>If the "All is OK" boot sector did a check of the actual (physical)
>boot sector then it wouldn't give an erroneous message if the disk was
>infected with STONED or similar boot sector infectors, but it would
>still give a misleading report if a stealth boot sector infector
>struck, as the virus would intercept the attempt to read the boot
>sector and return the contents of the original from its hiding place.
>(This seems to be a lot of extra code to jam into a single sector...

Yes, it was, but the following capabilities were able to be placed into 512
bytes (with NONE left over, though the ASCII and some of the "nice" could be
reduced) - remember, this is in the partition table, not the boot sector:

1) Validity check of disk access through BIOS
2) Self-Check of own code (every byte)
3) Validity check absolute sector 1 (every byte)
4) Validity check of real partition table (every byte)
5) Password control of disk access - unlimited length
6) Print Logo
7) Print error messages
8) Lock system on error

Following Boot:

1) Prevent read or write to check code
2) Prevent write to partition table, hidden sectors, or first boot sector
3) Prevent low-level format to entire disk
   (if a second physical disk is present, all also apply to it)
4) Display error message if any of the above occur
5) Provide verifiable direct access to disk services even if "stealth"
   infection occurs.
6) Prevent DOS access to fixed disk(s) if booted from floppy.

This has been able to catch everything thrown at it so far (and my collection
is pretty good).

It seemed that every step of the way, other possibilities opened up (this
started out to be a simple password protection scheme) though I will admit
that lasagna code (spaghetti code is traceable) was necessary and it kind of
pulls itself up by its bootstraps. Just to make things sillier, the whole
thing was written using DEBUG since MASM or C did not provide enough control.
("What I did on my Christmas Vacation")
- --------------------------------------------------------------------------

>[J.] Christian Kohler Keele university, csw76%keele.ac.uk@nsfnet-relay.ac.uk
> Isn't it easy to build a
>self-checker into a program ( as suggested WP has done )? I could
>imagine that you just check the .exe when it is running, you could
>play around with some XOR's to create a check. You could even put the
>value in a separate file, as long as your checking algorithm is
>complex enough.

Problem is that with the "stealth" viruses, the original, uninfected file is
what is presented to the checker. Unless you KNOW you have a clean system,
such checkers can be defeated by viruses already known. (For fun, infect
a disk with the 4096 and then run McAfee's excellent SCAN with the /nomem
switch (you don't, do you? I use /m whenever in doubt, which is often) set.)

					Padgett

    (definitely my own views - no-one else knows what I'm talking about)
                (well, maybe Chip Hyde or Andy Hopkins)
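As an added illustration (not Padgett's code, which was written in DEBUG, and not anything from the quoted posters), here is a small Python model of the point made above: a sector checker that only compares contents is fooled when the read service has been redirected, so the access path itself has to be validated first. The 512-byte sector layout, the "vector must point into the ROM BIOS segment" rule and the hooked read are assumptions of the model, not details from the post.

```python
import hashlib

SECTOR_SIZE = 512
ROM_BIOS_SEGMENT = 0xF000   # assumed: an unhooked INT 13h service lives in ROM BIOS


def make_sector(payload: bytes) -> bytes:
    """Constructed 512-byte sector image: payload, zero padding, 0x55AA signature."""
    return payload.ljust(SECTOR_SIZE - 2, b"\x00") + b"\x55\xAA"


def digest(sector: bytes) -> str:
    return hashlib.sha256(sector).hexdigest()


class Disk:
    """Toy model of a PC disk: the sector actually on the platter, plus an
    INT 13h-style read service that can be redirected to serve other bytes."""
    def __init__(self, sector: bytes):
        self.physical = sector
        self.int13_segment = ROM_BIOS_SEGMENT   # where the read service points
        self.read_hook = None                   # None: reads really hit the disk

    def read_sector(self) -> bytes:
        if self.read_hook is not None:
            return self.read_hook()
        return self.physical


def check_sector(disk: Disk, baseline: str) -> dict:
    """Defender's check: validate the disk access path (vector still in ROM)
    before trusting the bytes it returns, then compare against the baseline."""
    path_ok = disk.int13_segment == ROM_BIOS_SEGMENT
    content_ok = digest(disk.read_sector()) == baseline
    return {"path_ok": path_ok, "content_ok": content_ok,
            "verdict": "OK" if path_ok and content_ok else "ALERT"}


def demo():
    original = make_sector(b"ALL IS OK")
    baseline = digest(original)           # recorded on a known-clean system
    clean = Disk(original)
    # Model of the stealth case described in the quoted text: the sector on
    # disk has changed, the read service now points into RAM and hands back
    # the saved original, so a content-only check sees nothing wrong.
    stealthy = Disk(make_sector(b"SOMETHING ELSE"))
    stealthy.int13_segment = 0x9FC0       # constructed RAM segment, not ROM
    stealthy.read_hook = lambda: original
    return check_sector(clean, baseline), check_sector(stealthy, baseline)
```

Running `demo()` shows the clean disk reporting OK while the stealthy one passes the content comparison yet fails the access-path check, which is the reason capability 1 in Padgett's list comes before the byte-for-byte checks.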