padgett%tccslr.dnet@uvs1.orl.mmc (Padgett Peterson) (07/30/90)
On the Netserver issue: it would seem that we are missing one important distinction: is the server itself becoming infected or is it files stored on the server? I have seen files on a server become infected (Sunday) but not the server itself (of course, being a VAX it would have been very difficult). We need a more explicit description of the experiment to be able to determine risk, particularly having seen several instances where privileged operation resulted in an infection that could not have been spread by other means. Generally, write permission is something that is either granted or not, and while spoofing & hole exploitation are means of getting around this, I have not yet seen a PC virus that attempts it.

On CheckSumming: in order to know the algorithm in place (assuming it is more than a trivial summation), the detection/authentication package in use must be determined. Given knowledge of the package, it is far easier to subvert the package itself (always pass) than to try to match its checksums. This is the same reason that mainframe viruses are rare: it is easier to accomplish the same ends using a worm rather than a virus. ANY protection package can be subverted given enough knowledge and effort. Luckily a virus must operate under certain constraints as to size and complexity. The most devious MS-DOS virus currently requires a 4k addition to files to operate and becomes evident through its size, though it is often lost in hard disk quantum space. Even so, it still attempts to hide from detection packages rather than to subvert them.

The key is that many detection packages still rely on mutable MS-DOS interrupts for operation, while the current crop of viruses have progressed to spoofing BIOS interrupts and using DMA & direct I/O to bypass/subvert MS-DOS entirely. An effective detection package must use, or at least be able to detect changes in, these to be effective.
For the last few years, the relatively easily detected viruses have been handleable by equally simple responses (my statement that ALL of the common viruses, with the possible exception of the 4096, can be detected by examining just three bytes still goes). Now we are reaching the point where more sophisticated schemes are going to be necessary. Developments such as shadow ROM, multi-tasking software, and CMOS setups provide vulnerabilities that are not currently being covered. Enough philosophy.

Concerning the STONED virus, a full low level repartitioning and reformat of a hard disk is not really necessary for recovery. Since the virus stores the original partition table (I believe it is in physical sector 7), someone who knows what they are doing can recover through restoration of sector 0. With only slightly more difficulty, if the original partition sizes and bad block table are known, a good technician can restore the partition table from scratch. The code is not particularly complex and the table itself is well documented. While it is not something I would choose for a Saturday afternoon, it can be done. Of course, if a full backup is available, re-partitioning/re-formatting/reloading is a mindless exercise. My point is just that if irreplaceable data is on the disk, it may be recovered.

As an exercise for the student, it should take not more than an hour using DEBUG to write a routine that will save the partition table, boot sector, both FATs, and the root directory to a floppy and allow selective restoration of any part thereof.
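The "exercise for the student" at the end of the post, and the sector 0 recovery it describes for a boot-sector infector, amount to a backup-and-selective-restore tool for the structures a FAT disk cannot boot or be read without: the partition table in sector 0, the volume boot sector with its BIOS Parameter Block, both FAT copies, and the root directory. The following Python is an added example written for this page, not code from the original post or from DEBUG; it works on a disk image file (or an in-memory copy of one) rather than on physical sectors, parses the MBR partition entries and the FAT12/16 BPB to locate each structure, saves them, reports which ones no longer match the saved copies, and restores only the parts you name. It assumes a 512-byte sector, one primary partition of interest, and a FAT12/16 layout (a FAT32 volume keeps its root directory in the cluster chain, which this does not handle); the sample image it builds is constructed inline for the demonstration.

```python
"""Save and selectively restore the MBR partition table, FAT boot sector,
both FATs and the root directory of a FAT12/16 disk image.

Added example for this page (not the original post's code).  Assumptions:
512-byte sectors, the first non-empty primary partition entry, FAT12/16.
"""
import struct

SECTOR = 512


def parse_partition_table(mbr: bytes):
    """Return (bootable, type, start_lba, sector_count) for each used entry
    of the four 16-byte slots at offset 0x1BE, after checking the 55AA mark."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("sector 0 does not carry a valid boot signature")
    entries = []
    for i in range(4):
        e = mbr[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        start_lba, count = struct.unpack_from("<II", e, 8)
        if e[4] != 0:                       # type 0 means an unused slot
            entries.append((e[0] == 0x80, e[4], start_lba, count))
    return entries


def parse_bpb(boot: bytes):
    """Fields of the FAT12/16 BIOS Parameter Block at offset 11 of the boot
    sector: bytes/sector, sectors/cluster, reserved sectors, FAT count,
    root entries, total sectors, media byte, sectors per FAT."""
    return struct.unpack_from("<HBHBHHBH", boot, 11)


def compute_layout(mbr: bytes, boot: bytes):
    """Map each critical structure to (byte offset, length) in the image,
    derived only from the saved sector 0 and boot sector."""
    part = parse_partition_table(mbr)[0]
    start = part[2] * SECTOR
    bps, _spc, reserved, nfats, root_entries, _tot, _media, spf = parse_bpb(boot)
    if bps != SECTOR:
        raise ValueError("example assumes 512-byte logical sectors")
    fat_len = spf * bps
    fat1 = start + reserved * bps
    return {
        "mbr":  (0, SECTOR),
        "boot": (start, SECTOR),
        "fat1": (fat1, fat_len),
        "fat2": (fat1 + fat_len, fat_len),
        "root": (fat1 + nfats * fat_len, root_entries * 32),
    }


def backup(image: bytes) -> dict:
    """Copy every critical structure out of a healthy image (the 'floppy')."""
    mbr = image[:SECTOR]
    start = parse_partition_table(mbr)[0][2] * SECTOR
    boot = image[start:start + SECTOR]
    layout = compute_layout(mbr, boot)
    return {name: image[off:off + ln] for name, (off, ln) in layout.items()}


def verify(image: bytes, saved: dict) -> list:
    """Names of structures that differ from the saved copies.  The layout is
    taken from the backup, so this works even when sector 0 is now garbage."""
    layout = compute_layout(saved["mbr"], saved["boot"])
    return [n for n, (off, ln) in layout.items() if image[off:off + ln] != saved[n]]


def restore(image: bytes, saved: dict, names) -> bytes:
    """Write back only the named structures; everything else is untouched."""
    out = bytearray(image)
    layout = compute_layout(saved["mbr"], saved["boot"])
    for n in names:
        off, ln = layout[n]
        out[off:off + ln] = saved[n]
    return bytes(out)


def build_image() -> bytes:
    """Constructed sample: a 64-sector FAT12 partition starting at LBA 1,
    one reserved sector, two one-sector FATs and a 16-entry root directory."""
    n_sectors = 64
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", mbr, 0x1BE, 0x80, 0x01, 1, n_sectors)
    mbr[510:512] = b"\x55\xAA"
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"                 # jump over the BPB
    boot[3:11] = b"MSDOS5.0"                    # OEM name
    struct.pack_into("<HBHBHHBH", boot, 11, 512, 1, 1, 2, 16, n_sectors, 0xF8, 1)
    boot[510:512] = b"\x55\xAA"
    fat = bytearray(SECTOR)
    fat[0:3] = b"\xF8\xFF\xFF"                  # FAT12 media/reserved entries
    root = bytearray(SECTOR)
    root[0:11] = b"README  TXT"                 # one 8.3 directory entry
    root[11] = 0x20                             # archive attribute
    data = bytes(SECTOR * (n_sectors - 4))      # 64 - boot - 2 FATs - root
    return bytes(mbr + boot + fat + fat + root + data)


if __name__ == "__main__":
    img = build_image()
    saved = backup(img)
    wrecked = bytearray(img)
    wrecked[0:SECTOR] = b"\x00" * SECTOR        # simulate a trashed sector 0
    print("damaged:", verify(bytes(wrecked), saved))
    print("after restore:", verify(restore(bytes(wrecked), saved, ["mbr"]), saved))
```

Because `verify` and `restore` derive the on-disk layout from the saved copies rather than from the possibly damaged image, a lost or overwritten sector 0 does not stop you from locating and checking the FATs and root directory; and because restoration is by name, a clean FAT copy can be put back without disturbing a boot sector you have already repaired by hand.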