[comp.virus] Lateral Thinking

RZOTTO@DKNKURZ1.BITNET (Otto.Stolz) (11/27/90)

Hello fellow,

two recent, seemingly unrelated, contributions to VIRUS-L deserve a
common response. My point in both cases is: When a virus is active, it
does not need to crack any anti-virus method, as it can circumvent
it. This holds for contemporary architectures of personal computers
(note the small "p": I'm referring to all brands) and many types of
hosts. Imagine a firm door, locked with seven secure locks: If you
forget to put an equally strong wall on both sides of it, nobody will
bother with the locks nor the door! (And if the wall is in place,
don't forget the floor and the ceiling; don't forget the people and
equipment that will have to go in and out; and so on...)

An amusing variation of this motif can be found in the chapter
introductions of Douglas Hofstadter's "Goedel, Escher, Bach: an Eternal
Golden Braid", where the Tortoise keeps producing records that cannot
be played on Achilles' more and more sophisticated hi-fi record
players.

On Thu, 15 Nov 90 17:35:00 -0400 Herbert Lin <HLIN at NAS> said:

> In a recent msg, someone said that a "stealth" virus could evade
> checksum and CRC checks.
..
> Wouldn't the author of the virus have to know the checksum/CRC
> technique being used in detail?

He/she (Aside: Ever thought of female virus authors? In my
imagination, virus authors are inevitably of the male sex and of age <
25 years, but I may be wrong...) can circumvent any algorithm (even a
bitwise compare to a backup-copy) by simply interfering with all
disk-read operations and presenting any programs reading an infected
file with a (faked!) image of the unaltered file. This is exactly what
"Stealth Viruses" do.

> I should be able to detect viruses ALL THE TIME (of course, if and
> only if I have a confirmed clean system to begin with).

That's exactly the point: To check for viruses, you have to start your
system without activating any virus. E.g. you can boot from a
confirmed clean system disk and avoid running any infected program.

> what am I missing?

Nothing.

On Tue, 20 Nov 90 14:11:00 +0100, Peter van der Landen <LANDEN at
HROEUR5> said:

> I have experimented quite a bit with Jerusalem-B but I have never seen
> it survive a warm boot.

Neither did I. Possibly the original contribution has confused it with
some other virus that indeed can survive a warm boot.

> Could anyone explain to me how it is possible for any virus to survive
> a warm boot by any method other than infecting something on the boot
> disk.

As you have noted yourself, a virus can intercept the Ctrl-Alt-Del
keystroke (we call it the "Monkey's Snatch"). Then it can do anything
the programmer can imagine. E.g. it could fake a warm-boot by reading
something from the A-disk (this would fool many users, perhaps even
experienced ones). Or it could perhaps use part of the Int-19-code,
keeping control during the whole process (or making sure that it will
re-gain control, afterwards). The latter scheme has been discussed in
VIRUS-L before, and I think we arrived at the conclusion that a virus
must be rather large and sophisticated to do this with any DOS
variant; however, a virus need not deal with any and all systems to
prosper.

> ... doing a reboot with int 19h, this would be difficult.

I think, no virus would be able to survive a genuine, complete re-boot
in memory AND re-gain control. (Take this as an educated guess, as
I'm no expert with system internals.)

Hence the motif reappears: Circumvent what cannot be cracked.

Best wishes
            Otto
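The following is an added example, not part of Otto's post or of any VIRUS-L contribution: a small in-memory model of the point he makes, that a checksum or CRC checker run while a stealth virus is resident reads through the virus's hook on the disk-read path and sees the unaltered image, whereas the same checker run after booting from a confirmed clean disk reads the real medium and catches the change. The "disk", the file images, the infection payload and the hook are all constructed stand-ins for the purpose of the demonstration.

```python
"""Toy model of why an integrity check must run from a clean boot.

Added example, not code from the VIRUS-L thread. The 'disk', the
'virus' and the 'checker' are constructed in-memory stand-ins: a dict
of file images, a filter on the read path, and a CRC-32 baseline.
"""
import zlib

# Constructed sample disk: program name -> bytes stored on the medium.
CLEAN_DISK = {
    "EDIT.COM": b"MZ edit program body",
    "CALC.EXE": b"MZ calculator body",
}


def make_disk(images):
    """Raw read path: returns what is actually stored on the medium."""
    return lambda name: images[name]


def snapshot(read):
    """Baseline taken on the confirmed-clean system: CRC-32 per file."""
    return {name: zlib.crc32(read(name)) for name in CLEAN_DISK}


def infect(images, name, payload):
    """Model an infection: the stored image grows by a payload, and the
    original image is kept so a stealth hook can present it later."""
    original = images[name]
    images[name] = original + payload
    return {name: original}


def stealth_hook(raw_read, hidden):
    """Model of a resident stealth virus interposed on the disk-read
    path: for files it infected it hands back the unaltered image, so
    any checker that goes through this path sees nothing wrong."""
    def read(name):
        if name in hidden:
            return hidden[name]
        return raw_read(name)
    return read


def check(baseline, read):
    """Integrity check: names whose CRC no longer matches the baseline."""
    return sorted(name for name, crc in baseline.items()
                  if zlib.crc32(read(name)) != crc)


def demo():
    images = dict(CLEAN_DISK)
    raw_read = make_disk(images)
    baseline = snapshot(raw_read)

    hidden = infect(images, "EDIT.COM", b"<constructed virus body>")
    hooked_read = stealth_hook(raw_read, hidden)

    # Virus resident: the checker reads through the hook and passes.
    while_active = check(baseline, hooked_read)
    # Booted from a clean system disk: the hook is not in memory, the
    # checker reads the real medium and reports the altered file.
    after_clean_boot = check(baseline, raw_read)
    return while_active, after_clean_boot


if __name__ == "__main__":
    active, clean = demo()
    print("changed files seen while virus is active:", active)
    print("changed files seen after clean boot:     ", clean)
```

Swapping `zlib.crc32` for a bytewise comparison against a backup copy changes nothing in the outcome: whatever the comparison, it is fed by `read`, and the hook decides what `read` returns. The only variable that matters is whether the checker's read path is the raw one.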

dave@sharkey.cc.umich.edu (11/29/90)

RZOTTO@DKNKURZ1.BITNET (Otto.Stolz) writes:
)
)An amusing variation of this motif can be found in the chapter
)introductions of Douglas Hofstadter's "Goedel, Escher, Bach: an Eternal
)Golden Braid", where the Tortoise keeps producing records that cannot
)be played on Achilles' more and more sophisticated hi-fi record
)players.

I think you'll find it was the Crab's hi-fi phonographs which were being
destroyed by the Tortoise's records.  The Tortoise was merely relating
the story to Achilles.

) To check for viruses, you have to start your
)system without activating any virus. E.g. you can boot from a
)confirmed clean system disk and avoid running any infected program.

Unfortunately, all my bootable disks are infected by a horrible, evil
program, perhaps the most insidious program that cruelly twisted minds
have ever devised.

It's called MS-DOS.  :-)
- --
David R. Conrad     | "If Douglas Hofstadter were dead he'd turn over in his
dave@tygra.ddmi.com | grave upon hearing such a crude self-referential
..!tygra!dave      | sentence as this one." -- The author of this quote.
- --
=  CAT-TALK Conferencing Network, Computer Conferencing and File Archive  =
- -  1-313-343-0800, 300/1200/2400/9600 baud, 8/N/1. New users use 'new'    -
=  as a login id.  AVAILABLE VIA PC-PURSUIT!!! (City code "MIDET")        =
   E-MAIL Address: dave@DDMI.COM

woody@chinacat.Unicom.COM (Woody Baker @ Eagle Signal) (12/01/90)

RZOTTO@DKNKURZ1.BITNET (Otto.Stolz) writes:
> Hello fellow,
>
> > disk.
>
> > ... doing a reboot with int 19h, this would be difficult.
>
> I think, no virus would be able to survive a genuine, complete re-boot
> in memory AND re-gain control. (Take this as an educated guess, as

A very good friend of mine, who sometimes watches this group, has
written a nifty gadget that he calls Acabus.  It survives everything
you do short of powering the machine off.  The routine when installed,
grabs a complete snapshot of the interrupt vector area of dos, and
stores it internally.  It then changes all the vectors to point to
its entry point.  Due to the segmented architecture of the PC, it
does this by manipulating the paragraph and offset values so that they
are all different, but point to the same physical spot.  When Acabus
gains control, it merely has to examine the address on the stack, to
determine which vector it was entered by.  It then vectors to the old
location for that vector.  Upon coming back from the vector, Acabus
again has control and runs a check of the interrupt vector area.  If
any of the vectors have changed, it copies them, chains them back into
the old vector and replaces the vector with what it wants to be there.
This is done very rapidly, and as a result, things operate like
normal.  As a matter of fact, it can gain such a secure hold on the
system that it can survive a boot of an ENTIRELY different operating
system.  It can handle a reboot to CPM or XENIX or DOS and still
maintain control.

Cheers
Woody

achilles@alphalpha.com (David Holland) (12/05/90)

 > A very good friend of mine, who sometimes watches this group, has
 > written a nifty gadget that he calls Acabus.

Seems to me you could make that into a pretty good security and
anti-virus program by popping up a permit/deny window every time it
detected something trying to change an interrupt vector. Only trouble
is that anybody using it would have to know his interrupts cold so he
can decide what to allow - if you deny everything most of your
programs won't run. Of course, one could always make a list of "legal"
interrupt changes and legal values to change them to based on offsets
from the code segment of a particular executing program.

Our lives would be much easier if MS-DOS had been designed with even the
slightest of concessions to security...

 ------
 David A. Holland

 Internet:  pro-angmar!achilles@alphalpha.com          | There is no great
            aeneas@blade.mind.org            (slower)  | talent without a
 Citadel:   blade!aeneas@{undermind, overmind}         | mixture of madness.
 Fidonet:   David Holland @ 1:322/337 (not preferred)  |       -Seneca
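As an added example, not part of David Holland's post or of the Acabus program described earlier in the thread, here is a small model of the monitor he sketches: compare the interrupt vector table against a snapshot, and for each changed vector consult an allowlist of the changes a particular program is permitted to make, expressed as offsets within that program's own code segment. The vector table, the program names, the code segment value and the allowlist entries are all constructed for the demonstration; a real DOS monitor would read the table at the bottom of memory and would have to learn the code segment of the program that just ran, which this model simply receives as an argument.

```python
"""Toy model of an interrupt-vector change monitor with an allowlist.

Added example, not code from the thread. The vector table, the
programs and the allowlist are constructed stand-ins.
"""

VECTORS = 256


def linear(seg, off):
    """Real-mode physical address. Distinct seg:off pairs that alias
    the same location (the trick described in the Acabus post) compare
    equal here, so the monitor judges where a vector points, not how
    the pair happens to be written."""
    return ((seg << 4) + off) & 0xFFFFF


def snapshot(ivt):
    """Baseline: physical target of every vector."""
    return [linear(seg, off) for seg, off in ivt]


def decide(vector, new_seg, new_off, program, code_seg, allowlist):
    """Permit the change only if the allowlist says this program may
    point this vector at that offset inside its own code segment."""
    legal_offsets = allowlist.get(program, {}).get(vector)
    if legal_offsets is None or new_seg != code_seg:
        return "deny"
    return "permit" if new_off in legal_offsets else "deny"


def audit(before, ivt, program, code_seg, allowlist):
    """Classify every vector whose target differs from the snapshot."""
    report = []
    for vector, (seg, off) in enumerate(ivt):
        if linear(seg, off) != before[vector]:
            verdict = decide(vector, seg, off, program, code_seg, allowlist)
            report.append((vector, verdict))
    return report


def demo():
    # Constructed baseline: every vector at a made-up ROM address.
    ivt = [(0xF000, 0x1000 + v) for v in range(VECTORS)]
    before = snapshot(ivt)

    # Constructed allowlist: a keyboard-macro program may hook INT 09h
    # at one known entry point in its own segment, and nothing else.
    allowlist = {"KBMACRO.COM": {0x09: {0x0100}}}
    code_seg = 0x2000

    ivt[0x09] = (code_seg, 0x0100)      # the expected hook: permit
    ivt[0x13] = (code_seg, 0x0200)      # disk-services hook: deny
    # Same physical target as the baseline, merely re-expressed as a
    # different seg:off pair: not a change, so nothing is reported.
    ivt[0x10] = (0xF000 - 0x10, 0x1010 + 0x100)

    return audit(before, ivt, "KBMACRO.COM", code_seg, allowlist)


if __name__ == "__main__":
    for vector, verdict in demo():
        print(f"INT {vector:02X}h changed: {verdict}")
```

Comparing on the physical address rather than the raw segment:offset pair is the caveat worth carrying over from Woody's description: a monitor that diffed the pairs as stored would either report a flood of "changes" that all point to the same place, or, if it only looked at one of the two halves, miss a real change. The allowlist, as Holland notes, is the hard part in practice: every legitimate resident program needs an entry, and "deny everything" stops most of them from running.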