[comp.virus] Posting scan signatures.

JHSangster@DOCKMASTER.NCSC.MIL (02/27/90)

Possibly a useful approach to posting virus scan patterns would be for
virologists to extract one or more segments of the virus code of, say,
1K bytes (that's a fairly reasonable 12 lines at 80 bytes per line).
From that posted segment or segments, the user community could
arbitrarily select a substring or substrings to use for recognition of
the virus.  Presumably no two users would select the same substrings, so
virus writers would have to alter the entire posted segment to escape
detection.  Yet the segment would not be executable (with luck!)  so
posting it would not run the risk of spreading a "live" virus.

This leaves the question of how many bytes the user should include in
the scan pattern to avoid false alarms.  Possibly the person posting the
segment could provide guidance on this, or a general guideline could be
used based on the size of the storage device to be scanned.  (Anybody
know offhand the entropy per byte of virus code?)

Of course, viruses can be constructed which alter themselves at each
replication, making any search with a fixed string futile, or at best,
"challenging" to design.

-John Sangster / JHSangster at dockmaster.ncsc.mil / (617) 235-8800 -
 SPHINX Technologies, Inc. / Post Office Box 81287, Wellesley Hills, MA 02181
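The signature-length question the post raises (how many bytes a user should take from a posted segment to avoid false alarms, given the entropy per byte and the size of the store being scanned), worked through as an added example; this is not code from the original post. The "posted segment" is a constructed byte string, the 40 MB disk size is an assumed figure, and the 2^(-nH) matching model is a simplifying assumption.

```python
import math
from collections import Counter

# Constructed stand-in for a posted 1K "virus code segment": not real code,
# just a byte mix confined to 0x00-0x7F so its entropy is below 8 bits/byte.
SEGMENT = bytes((i * 37 + (i * i) % 11) % 128 for i in range(1024))

def entropy_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def min_signature_length(scan_bytes: int, bits_per_byte: float,
                         max_expected_false: float = 0.01) -> int:
    """Smallest n with scan_bytes * 2**(-n*H) <= max_expected_false.
    Assumed model: a random n-byte window matches a fixed pattern with
    probability about 2**(-n*H), H being the entropy per byte of the data."""
    return math.ceil(math.log2(scan_bytes / max_expected_false) / bits_per_byte)

def choose_signature(segment: bytes, start: int, length: int) -> bytes:
    """One user's arbitrary pick of a substring from the posted segment."""
    if start < 0 or start + length > len(segment):
        raise ValueError("signature window falls outside the posted segment")
    return segment[start:start + length]

def scan(data: bytes, signatures) -> list:
    """Return (offset, signature) for every signature occurrence in data."""
    hits = []
    for sig in signatures:
        pos = data.find(sig)
        while pos != -1:
            hits.append((pos, sig))
            pos = data.find(sig, pos + 1)
    return hits

if __name__ == "__main__":
    h = entropy_bits_per_byte(SEGMENT)
    n = min_signature_length(40 * 2**20, h)        # assumed 40 MB disk
    print(f"entropy {h:.2f} bits/byte -> use at least {n}-byte signatures")
    sigs = [choose_signature(SEGMENT, s, n) for s in (0, 300, 700)]  # three users
    clean = bytes(0x80 + (i % 128) for i in range(65536))  # disjoint byte range
    print("clean hits:", scan(clean, sigs))
    # A variant that patches only the first 256 bytes still trips the
    # other users' picks, which is the point of letting users choose.
    variant = bytes(0x7F - b for b in SEGMENT[:256]) + SEGMENT[256:]
    print("variant hits:", [s.hex() for _, s in scan(variant, sigs)])
```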