dmg%lid.mitre.org@vma.cc.cmu.edu (David Gursky) (11/18/89)
In VIRUS-L Digest V2 #243, David Hoyt (dhoyt@vx.acs.umn.edu) speculates about patching an internal CRC check for authentication to always return "True". I would like to counter that a virus designed to defeat an internal consistency check in this manner would not be a very good infector. It would have to rely upon either (1) always knowing where to find the consistency check or (2) always being able to *find* the consistency check. In the former case, the files the virus would be able to infect would be limited to the number of files it knows about, and the more files it knew about, the larger and larger the virus would be. The larger the file, the more likely the virus will be detected by a simple size check. In the latter case, the virus would be unnecessarily cumbersome because of the needed search code to find the consistency check, again increasing the likelihood of detection because of the size of the code needed to do the search and any delay caused by the virus performing the search. Also, the virus would be limited to attacking files with the targeted consistency check. If the check is subtly varied from one file to the next, the search would have to be even more complicated. None of this says such an infector is not possible, just that it would be a poor infector.