mweiner@bene.at.eu.net (Michael Weiner) (07/23/90)
Otto Stolz writes:

> Luckily, the dis-infector will find the information to restore the
> original content of the changed locations somewhere in the viral code,

The method you mention (scanning for a bit pattern at a certain position,
taking bytes from a certain offset within the viral code and copying them
to the beginning of the program) in my opinion is extremely dangerous and
should not be used. We will experience a LOT of viruses that will carry
identical signatures and will store the original code at a different
offset within their code to fool anti-virus programs like McAfee's into
destroying programs they are trying to recover.

> Now, if the dis-infector hits on a hitherto unknown variant of the
> virus, it may take the wrong bytes from the viral code, put them in
> place of the said JMP- or CALL-instruction, and in due course it will
> destroy the program instead of repairing it.

Perfect agreement with that - but it could even get worse: Imagine virus
derivates deliberately placing JMPs to killer code within their body at
the location where a recovery program expects the original start of the
program. Consequences would be disastrous because viruses could be
'tailor-made' to certain anti-virus programs.

> I conjecture that the Vienna variant of the 1704 is unknown to McAfee
> and his team, and hence this sort of thing happened.
>
> Martin Zejma: I think it would be a good idea to send a copy of the
> virus you experienced to McAfee Associates (and also to Frisk).

Now how could they be supposed to know about all these viruses if the
only thing any virus writer has to do is change 1 (one) byte at the right
location of the virus to make virtually ALL removal programs destroy data.
We will have to find a way to describe viruses in a way that will enable
us to recognize and to react to some derivates.
> some kind soul will send a new 1704-variant (or whatever-variant)
> on its way that will fool the dis-infectors again :-(

To wrap it up, removal of a virus should ONLY be performed by a program
if it has found a virus and identified ALL its code (not just some short
part of the code). If a single byte of the code found differs from the
'known' virus, the removal program should not attempt to mess around with
it.

A combination of signature scanning and checksumming comes to my mind
when I think about the dilemma again: First check if the (known) virus
CAN be in the program assumed to be infected, by using a signature the
way we use it today, and then use a range definition file to define the
location of static fields within the virus code and calculate checksums
over that code area. If these checksums match, we can safely remove the
virus from the file. Of course other algorithmic methods have to be used
for 4096 and the like.

There is hope after all :-)

Hoping for comments,

Michael Weiner

+------------------------------------------------------------+
I UUCP:     mweiner@bene.at.eu.net                           I
I Internet: mweiner@f23.z2.FIDONET.ORG  Voice ++43 1 8232400 I
I Michael Weiner -- Ghelengasse 4 -- A-1130 Wien -- Austria  I
+------------------------------------------------------------+
frisk@rhi.hi.is (Fridrik Skulason) (07/25/90)
Some of my thoughts on the subject...

mweiner@bene.at.eu.net (Michael Weiner) writes:

>The method you mention (scanning for a bit pattern at a certain
>position, taking bytes from a certain offset within the viral code and
>copying them to the beginning of the program in my opinion is
>extremely dangerous and should not be used.

Well, how are we then supposed to disinfect files? Just replacing
infected programs with originals may be preferable, and even necessary
in three or four cases, where the virus destroys the original program,
but the originals are not always available.

The disinfector program can do various things to ensure that the bytes
written back to the file are in fact the bytes the virus would copy, for
example checking the presence of the "restore old program" code within
the virus.

Example: Suppose that a virus just overwrites the first 3 bytes of a
.COM file with a JMP to the virus code and restores the original code
with the following sequence of instructions.

        MOV     BX,100H         ; beginning of program
        MOV     AX,[SI+357]     ; location of original data
        MOV     [BX],AX         ; restore first two bytes
        MOV     AL,[SI+359]     ; get third byte
        MOV     [BX+2],AL       ; and restore it

A disinfection program may check if this code fragment is indeed present
at a specific location, and if so, the original 3 bytes can safely be
written back to the beginning of the file.

>We will experience a LOT of viruses that will carry identical signatures

Just what do you mean by "identical signatures"? Even if a part of the
code is identical, another part may be different, so another set of
signatures may not match. A scanning program should not use just a
single signature for any virus.

>Perfect agreement with that - but it could even get worse: Imagine
>virus derivates deliberately placing JMPs to killer code within their
>body at the location where a recovery program expects the original
>start of the program.
As soon as this happened, the virus would probably be sent to the author
of the anti-virus program, who could then update his program to deal
with the new virus. After all, new versions of anti-virus programs get
distributed a lot faster than new virus variants.

>Consequences would be disastrous because viruses could be 'tailor-made'
>to certain anti-virus programs.

Anti-virus programs are always changing, and as long as we have several
popular programs, it is impractical to attack them all in this way. It
has been attempted of course: one virus attacks the programs by Vesselin
Bontchev, and another one attacks Flushot+ and Bombsquad.

>To wrap it up, removal of a virus should ONLY be performed by a
>program if it has found a virus and identified ALL its code (not just
>some short part of the code).

This is becoming more and more difficult, as the number of
self-modifying, encrypting viruses increases. It seems this group now
includes four viruses: Stealth (1260), V-101, Suomi (1008) and Flip. I
was not even able to produce a 16-byte identification string for the
Virus Bulletin in those cases, without using "don't care" characters.

-frisk

--
Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)      | Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801      |
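The two proposals in this thread, Weiner's "signature first, then checksums over the static fields of the virus body, and no removal unless everything matches" and Frisk's "check that the restore routine is actually present before writing the saved bytes back", can be combined in one small disinfector. The following Python is an added example written for this editorial pass; it is not code from either poster or from any anti-virus product of the time. Everything in it is constructed: the host program is made up, the appended "body" is a block of placeholder bytes laid out like a simple appending .COM infector (signature at the start, the three overwritten host bytes at a fixed offset, a filler region standing in for the restore routine), and the signature `XMPL`, the offsets and the `VirusRecord` fields are all assumptions. The checksums are taken from a reference sample at record-build time, which is how an analyst would fill in Weiner's "range definition file"; the host-specific saved-bytes field is deliberately left out of the static ranges, so a variant that merely moves those bytes, the case Weiner worries about, is refused instead of "cleaned".

```python
"""Added example (not from the thread): signature check + checksums over the
static ranges of a virus body before any bytes are written back.
All fixtures are constructed placeholders, not real viral code."""
import zlib
from dataclasses import dataclass

JMP_NEAR = 0xE9          # E9 rel16: the entry JMP such a virus plants at offset 0

# ---- constructed fixture (assumed layout) ---------------------------------
HOST = bytes([0xB4, 0x09, 0xBA, 0x0E, 0x01, 0xCD, 0x21, 0xC3]) + b"hello, world$"
BODY_LEN = 64
SIG_OFFSET, SAVED_OFFSET, FRAG_OFFSET = 0x00, 0x10, 0x20   # assumed body layout
SIGNATURE = b"XMPL"      # constructed 4-byte pattern standing in for a scan string

def _fixture_body(saved3: bytes) -> bytes:
    """Placeholder body: signature, the three saved host bytes, and a
    constructed 'restore routine' region (the part Frisk's check would look at)."""
    body = bytearray(BODY_LEN)
    body[SIG_OFFSET:SIG_OFFSET + 4] = SIGNATURE
    body[SAVED_OFFSET:SAVED_OFFSET + 3] = saved3
    body[FRAG_OFFSET:FRAG_OFFSET + 0x20] = bytes(range(0x20, 0x40))
    return bytes(body)

REFERENCE_BODY = _fixture_body(HOST[:3])
# JMP rel16 = body_start - 3 = 21 - 3 = 18 = 0x0012; host bytes 3.. stay untouched
INFECTED = bytes([JMP_NEAR, 0x12, 0x00]) + HOST[3:] + REFERENCE_BODY

# ---- virus record = signature + range definition + checksums --------------
@dataclass(frozen=True)
class VirusRecord:
    name: str
    signature: bytes
    sig_offset: int
    body_len: int
    saved_offset: int
    static_ranges: tuple      # (lo, hi) slices of the body that never vary
    checksums: tuple          # CRC32 of each static range in the reference sample

def make_record(name, reference_body, sig, sig_offset, saved_offset, static_ranges):
    """Build the record from an analysed reference sample.  The saved-bytes
    field is host-specific, so it is excluded from the static ranges."""
    crcs = tuple(zlib.crc32(reference_body[lo:hi]) for lo, hi in static_ranges)
    return VirusRecord(name, sig, sig_offset, len(reference_body), saved_offset,
                       tuple(static_ranges), crcs)

REC = make_record("example-appender", REFERENCE_BODY, SIGNATURE, SIG_OFFSET,
                  SAVED_OFFSET, [(0x00, SAVED_OFFSET), (SAVED_OFFSET + 3, BODY_LEN)])

# ---- identification and removal -------------------------------------------
def locate_body(image: bytes, rec: VirusRecord):
    """File offset of the appended body, or None.  .COM files load at 0100h,
    so (0100h + 3 + rel) - 0100h == 3 + rel and the load address cancels out."""
    if len(image) < 3 + rec.body_len or image[0] != JMP_NEAR:
        return None
    rel = int.from_bytes(image[1:3], "little", signed=True)
    start = 3 + rel
    if start < 3 or start + rec.body_len != len(image):
        return None
    return start

def identify(image: bytes, rec: VirusRecord) -> str:
    """'no-body' / 'no-signature' / 'variant' / 'match'.  Only 'match' means
    every byte the record calls static is identical to the reference sample."""
    start = locate_body(image, rec)
    if start is None:
        return "no-body"
    body = image[start:]
    if body[rec.sig_offset:rec.sig_offset + len(rec.signature)] != rec.signature:
        return "no-signature"
    for (lo, hi), expected in zip(rec.static_ranges, rec.checksums):
        if zlib.crc32(body[lo:hi]) != expected:
            return "variant"      # signature hit but the body differs: leave it alone
    return "match"

def disinfect(image: bytes, rec: VirusRecord):
    """Return (verdict, image).  The image is rewritten only on 'match':
    the saved bytes go back to offset 0 and the appended body is cut off."""
    verdict = identify(image, rec)
    if verdict != "match":
        return verdict, image
    start = locate_body(image, rec)
    saved = image[start + rec.saved_offset:start + rec.saved_offset + 3]
    return verdict, saved + image[3:start]

if __name__ == "__main__":
    print(disinfect(INFECTED, REC))
```

Running it restores the constructed host byte for byte. Flip any byte inside a static range (a single-byte derivate, or one that keeps the saved bytes at another offset) and `identify` answers `variant` while `disinfect` hands the file back untouched, which is exactly the "do not mess around with it" behaviour asked for above; Frisk's restore-fragment check is just one of the static ranges.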