[comp.virus] Anti-Virus Viruses

frisk@rhi.hi.is (Fridrik Skulason) (09/27/89)

I have been following the anti-virus-virus discussion with some
interest, but I have not yet seen anybody mention the fact that one
such virus already exists.

The virus is the "Den Zuk" (Translation: The Search) virus, which was
written to fight the Brain virus.

When this virus finds a Brain-infected diskette, it removes Brain and
puts a copy of itself in place.

It also looks for old versions of itself and "upgrades" them if
necessary.

The virus resides on track 40 on diskettes (normally 360K diskettes
only have tracks numbered 0-39), and thus takes up no usable space.

So far, so good.

However - this virus also demonstrates what can (and will) go wrong
with anti-virus-viruses.

The programmer did not anticipate 1.2M or 3.5" diskettes. When the
virus infects a disk of that type, it will destroy data.

Also, several "hacked" versions of this virus have been reported,
including one that will disable the SYS command and destroy all data
on drive C: on September 13, 1991. (One more of those "Friday the 13th
viruses. Why can't virus writers have a little more imagination :-) )

So - the conclusion is simple: "The only good virus is a dead one."

                            ---- frisk

drew@dave.nrl.navy.mil (Greg Drew) (08/17/90)

     In issue 143, Scott Erickson stated that "I don't see any
additional danger the average user is put into with the innovation of
antiviruses...."  I would agree that some of his points have merit,
but I would like to give one example of how a phony antivirus could
pose a greater danger than a "standard" virus.
     Many people using Macintoshes now employ some sort of resident
virus blocker such as Vaccine or Disinfectant.  These types of
utilities are designed to identify known viruses and to BLOCK
SUSPICIOUS ACTIVITY.  Many of these have an option to allow this kind
of activity to certain programs (compilers, etc).  If a virus writer
wanted an easy way to get around these programs, all he or she would
need to do is to have the virus identify itself as an antivirus, and
then ask the user to set his or her virus protection to allow the
virus in.  After a few days, weeks, or months, the seemingly helpful
antivirus would then reveal its true colors.
     It is certainly easier for a virus writer to put in some message
like the one above (perhaps one which only reveals itself if the virus
detects something like Disinfectant) than for the person to design a
virus to get around the protection.
                                          - GDD
 -------------------------------------------------------------------
 Greg Drew                         | drew@dave.nrl.navy.mil
                                   | (202) 767 - 6886
 -------------------------------------------------------------------
 My opinions in no way reflect those of the Naval Research Lab, the
 U.S. Navy, or any other organization.

padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (08/18/90)

	Frankly the idea is abhorrent to me. For one reason, such a
program must, by definition be constantly modifying files and would
make any effective configuration management impossible. Secondly,
there are a number of programs (VolksWriter comes to mind) using
overlays that cannot function properly with any extra appendages.

	We already have "hunter-killer" programs (the McAfee utilities
come to mind) that are initiated by the user and quit when told. Other
programs are available which become resident and keep watch on system
activities (e.g. Virus-Safe). Most are based on a stable environment
from which deviations can be detected.

	Mature detection routines are still mixed into two camps:
virus spotters that work by viral signature analysis, and exception
spotters that detect deviations from a known environment. While both
have their pros & cons, I suspect that the final product will either
be #2 or a synthesis of both. For obvious reasons any viral activity,
even of a benign nature, would make this impossible.

	While it is certainly possible that an adaptive expert system
might be developed that would be essentially virus-proof, it would
also be a troubleshooting nightmare. We must remember that a solution
must be appropriate for 50 million uneducated users who wish the PC to
be a tool, not for the "experts" who can pull apart a 160k .EXE and
determine its function.  Unfortunately, the users for whom a global
solution is necessary are unlikely to participate in this forum.
(personal opinion)

	One further opinion: some people have commented that the 4096
is not responsible for crosslinking files and that users cause the
problems when they use CHKDSK/F. Sounds like something a politician
would say.

						Padgett

FXJWK@ALASKA.BITNET (Jo Knox - UAF Academic Computing) (09/01/90)

Okay, okay: Saulk/Salk/Sabin---I agree with others who have stated
that the analogy is a stretch; in fact, I think we should drop this
particular line; the analogy is irrelevant.
  Maybe we should drop the entire discussion of anti-virus viruses;
as far as I can tell, some here tend to favor the idea, and some
think it reprehensible, and I don't think anyone has changed anyone
else's opinion...
  Before I drop the subject, though, I would like to rebut
WHMurray@DOCKMASTER.NCSC.MIL:

> > An anti-virus could be written to infect only certain types of
> > operating systems.
>
> No, I am sorry, it could not.  It could be written not to infect
> certain known operating systems, but it could not be written to
> "infect only certain" ones.  The susceptibility of unknown systems
> cannot be known.

You just about lost me, here; I was thinking in terms of "platforms",
rather than differing OS versions.  Still, I disagree: I haven't heard
of any virus which is infectious across platforms (IBM-Mac or anything
else), though I guess "Frankie" is getting close.  Every virus that I
know of is already platform-specific, and I don't see why it shouldn't
be easy to make a virus OS-specific:
  (pseudo code)
     if( os-version != "6.0.5" ) exit;
     infect_it();

Perhaps I'm contributing to this "beating the dead horse"; can we hear
from some of the fence-sitters out there?  Has anyone's mind been
changed during these discussions?

It may also be we're all just getting typing practice: we will see
viruses of this sort, and I think not too long from now. I hope
whoever releases such creates a well-behaved little demon...!

Peter_Urka@ub.cc.umich.edu (09/05/90)

	As Knox points out, some like the idea of AVV's, and some don't.
Unlike Knox, I do believe that this discussion has had merit and
people have changed their minds.  I have received e-mail indicating
this.  I just hope that more people don't like the idea now than before,
and that fewer people like the idea of AVV's now than before.
	Knox also points out that we may be seeing vaccines turning up.
I believe that we, society, morally and legally, should be prepared
to treat the authors of vaccines as authors of viruses are.  Admittedly
that is not too harsh, but perhaps that will change in the future.
Peter Urka@ub.cc.umich.edu

flaps@dgp.toronto.edu (Alan J Rosenthal) (09/09/90)

FXJWK@ALASKA.BITNET (Jo Knox - UAF Academic Computing) writes:
>Every virus that I know of is already platform-specific, and I don't see why
>it shouldn't be easy to make a virus OS-specific:
>  (pseudo code)
>     if( os-version != "6.0.5" ) exit;
>     infect_it();

Even if the WDEF virus for the mac contained such a test, it would
still probably be the case that "the virus causes the Mac IIci, the
IIfx, and the Portable to crash almost immediately after insertion of
an infected floppy."  (Disinfectant 2.1 help screen)

The issue is the same here.  The author of the wdef virus didn't have
any of these machines to test the virus on at the time (most of them
weren't released yet (I don't know the exact timing)).  But they are
all supported by system 6.0.5.

There's no way to write that test correctly.  Virus writers can't test
for machines they don't know about.

ajr

JS05STAF%MIAMIU.BITNET@OHSTVMA.IRCC.OHIO-STATE.EDU (Joe Simpson) (09/11/90)

I really don't care what the motivation of a virus writer is.  If I
could identify the writer of any virus introduced into my computer
system without my permission, I would attempt to see that person at
least publicly identified, and if practical prosecuted.

landman@hanami.Eng.Sun.COM (Howard A. Landman) (09/18/90)

I am not arguing in favor of AVVs, but have a few technical ideas to
throw out for discussion:

One method of limiting the risk of an AVV would be to make it spread
more rapidly where there are other viruses than where there are not.
For example, the virus could award itself "food points" every time it
"eats" a bad virus, and require a certain number of points before it
attempts to replicate.  The copy, of course, starts life with no food
points ...

This way, the AVV would be almost unable to spread among systems which
were apparently clean, but would spread rapidly in an obviously sick
environment.  This property could be quite useful in focusing the
concentration of the AVV to where it was needed the most.

Many variants of this scheme are possible.  For example, the virus
might split food points with its copy, but then lose a point every
time it runs and there's nothing to disinfect.  Eventually it could
"starve" and remove itself.  If the virus was on read-only media, and
hence unable to accumulate food points, it could replicate with a low
probability each time it ate something, giving much the same effect as
saving up points.

Another safety feature would be to publish all the information needed
to recognize and disinfect the virus, a few months before releasing
it.  That way no one would have to have it that didn't want to and
already had means for virus protection.

A polite AVV might ask before committing suicide, so the user had the
choice of some other software to do the job.

--
	Howard A. Landman
	landman@eng.sun.com -or- sun!landman
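To see whether the "food points" scheme really confines an AVV to sick populations, here is an added toy simulation of Landman's idea (not code from the thread or from any real program). It assumes one contact per host per round, a replication threshold of 3 points, starvation after 5 idle rounds, and Landman's variant in which a copy receives half its parent's points; hosts are just list entries, nothing touches a real system.

```python
"""Toy population model of the 'food points' idea: a hypothetical AVV agent
eats hostile infections, replicates only once fed, and starves when idle.
Pure simulation: hosts are list entries, nothing touches the real system."""
import random
from dataclasses import dataclass

CLEAN, BAD, AVV = "clean", "bad", "avv"

@dataclass
class Host:
    state: str = CLEAN
    food: int = 0          # points held by the resident AVV (unused otherwise)

def step(hosts, threshold, starve_limit, rng):
    """One round: every AVV host contacts one random other host."""
    for i, h in enumerate(hosts):
        if h.state != AVV:
            continue
        j = rng.randrange(len(hosts) - 1)
        if j >= i:
            j += 1                        # any host except itself
        target = hosts[j]
        if target.state == BAD:
            target.state = CLEAN          # "eat" the hostile virus, earn a point
            h.food += 1
        elif target.state == CLEAN and h.food >= threshold:
            target.state = AVV            # replicate, splitting the points
            target.food = h.food // 2
            h.food -= target.food
        else:
            h.food -= 1                   # nothing to disinfect: lose a point
            if h.food <= -starve_limit:
                h.state, h.food = CLEAN, 0   # starve and remove itself

def simulate(n_hosts, n_bad, threshold=3, starve_limit=5, rounds=100, seed=1):
    """Return (bad_counts, avv_counts) per round, seeded with one AVV holding no points."""
    rng = random.Random(seed)             # fixed seed: runs are reproducible
    hosts = [Host(BAD) for _ in range(n_bad)]
    hosts += [Host() for _ in range(n_hosts - n_bad - 1)]
    hosts.append(Host(AVV))               # the seed copy starts with no food points
    rng.shuffle(hosts)
    bad_counts, avv_counts = [], []
    for _ in range(rounds):
        step(hosts, threshold, starve_limit, rng)
        bad_counts.append(sum(h.state == BAD for h in hosts))
        avv_counts.append(sum(h.state == AVV for h in hosts))
    return bad_counts, avv_counts

if __name__ == "__main__":
    for n_bad in (0, 20, 59):             # clean, partly sick, almost all sick
        bad, avv = simulate(60, n_bad)
        print(f"{n_bad:2d} infected at start: peak AVV copies {max(avv)}, "
              f"final AVV {avv[-1]}, final infected {bad[-1]}")
```

In a clean population the seed copy never replicates and starves within five rounds, while in a heavily infected one it multiplies; the same starvation rule, though, can also remove the copies before the last infections are found.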

ROBERTS@apple.com (I'm working on it...) (09/18/90)

Howard A. Landman writes about potential anti-virus viruses (AVV's)
>Another safety feature would be to publish all the information needed
>to recognize and disinfect the virus, a few months before releasing
>it.

A good idea, and you would want to publish anonymously.

>A polite AVV might ask before committing suicide, so the user had the
>choice of some other software to do the job.

I don't think a "polite" AVV would spread.  No one would say "yes".  A
"considerate" AVV would kill itself if it detected any form of anti-viral
software known to be able to detect the virus(es) that the AVV is hunting.

I think Howard's idea of food points is clever and would not significantly
reduce the AVV's effectiveness.

another note:  Is it true that the destructive viruses are less
contagious because they are more likely to be noticed?

-George Roberts
..decwrl.dec.com!teda!ratvax.dnet!roberts

ROBERTS@decwrl.dec.com (I'm working on it...) (09/24/90)

Brian Yamauchi writes:
>The problem with "food points", and other self-limiting strategies in
>general, is that from an evolutionary perspective these limitations
>are *flaws*, and the evolutionary pressure will be to remove these.

This is true, but viruses don't mutate often enough to matter over the
course of the expected life time of the currently used personal
computers.

Viruses make clones of themselves and (I hear) sometimes have code to
PREVENT themselves from mutating (hamming function).

- George Roberts
..decwrl.dec.com!teda!ratvax.dnet!roberts