padgett@tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (01/31/91)
For some time I have been debating whether or not to mention a possibility concerning the spread of Partition Table/Boot Sector infections lest anyone get ideas. Watching the postings lately leads me to think that possibly it has already happened. In short, it would be trivial to write a trojan or virus that would place a P-Table or BSI on a machine. At the moment, I suspect that in the interest of speed, signature scanning routines only look for these infections in memory and in the partition table and boot sector and not inside executables. For this reason, I would suggest that people experiencing multiple unexplainable infections utilize Mr. McAfee's new extension to SCAN and check all executables for a random code sequence taken from such an infection.

As some of you know, I have been experimenting with anti-viral routines implanted in the partition table of the fixed disk and have become convinced that effective protection against malicious software MUST include such programs. So far the technique has proven equally effective against both "stealth" and non-"stealth" software. Used in conjunction with any number of authentication programs specific to the operating system (it is effective with MS-DOS, and should be equally effective on an OS/2 or Unix platform with an IBM-type BIOS), it can detect (only hardware can block) infections carried on the boot sector of a floppy immediately (before DOS loads), can block any later attempt at infection of the partition table or boot sector, and can provide an authenticatable path to the disk for other routines loaded later.

Interestingly, the technique started out as a password protection scheme to protect fixed disks from intrusion. The full capability just fell out in testing.

Padgett
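A host-side integrity check of the partition-table sector, added here as an illustration and not Padgett's partition-table-resident routine (which runs before DOS loads, where a script like this cannot). It assumes a baseline digest recorded while the disk was known clean; the sector images and all function names below are constructed for the example, not captured from a real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PT_OFFSET = 0x1BE        # partition table: four 16-byte entries
SIG_OFFSET = 0x1FE       # boot signature bytes 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def parse_partition_table(sector):
    # return the four entries as dicts; CHS fields are ignored here
    entries = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        entries.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return entries

def sector_digest(sector):
    # digest of the whole sector; re-record the baseline after a legitimate fdisk change
    return hashlib.sha256(sector).hexdigest()

def check_boot_sector(sector, baseline_digest):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["wrong sector length"]
    if sector[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        findings.append("missing 55AA boot signature")
    if sector_digest(sector) != baseline_digest:
        findings.append("sector differs from recorded baseline")
    entries = parse_partition_table(sector)
    active = [e for e in entries if e["status"] == 0x80]
    if len(active) != 1:
        findings.append("expected one active partition, found %d" % len(active))
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append("invalid status byte 0x%02x" % e["status"])
        if e["type"] != 0 and e["lba_start"] == 0:
            findings.append("partition entry points at sector 0 (the MBR itself)")
    return findings

def make_sample_mbr(code):
    # constructed sample MBR: given code bytes, one active partition, valid signature
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xff\xff", 63, 2000000)
    sector[PT_OFFSET:PT_OFFSET + 16] = entry
    sector[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(sector)
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed, not real boot code
BASELINE = sector_digest(CLEAN_MBR)
# constructed tampered copy: first bytes of the code area replaced, table and signature intact
TAMPERED_MBR = b"\xeb\x3c" + CLEAN_MBR[2:]
```

On a real system the 512 bytes would be read from the first sector of the fixed disk and the baseline kept somewhere the infector cannot reach, which is exactly the gap the partition-table-resident approach in the post is meant to close.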