TMPLee@DOCKMASTER.ARPA (10/28/89)
For various reasons I have been behind in my reading of Virus-L, and so I found myself skimming something like the last dozen issues of the digest all at once. I was struck by something: are we lucky and there are no competent, sophisticated writers of viruses out there, or are we just fooling ourselves? Although the details of most of the virus prevention programs (e.g., Gatekeeper for the Mac) haven't been discussed at all or recently enough that I remember them, it seems to me that any virus writer willing to get his hands dirty and write code that directly uses the I/O hardware (rather than rely on the operating system) should be able to write a virus that could not be detected by any of the preventative defenses that are supposed to be watching for suspicious writes and that would only be detected after-the-fact by reactive defenses that did a lot of robust integrity checksumming. (Looking for file modification dates would be useless since the virus would of course not be polite enough to update any directories; scanning programs would be useless on the assumption that the virus remains undetected until it goes off so no-one would have included a signature to scan for.) Suppose some suitably motivated person wrote such a virus and set the trigger for a year or two away (provided the virus had been executed and/or propagated some number of times) -- how far within the IBM-PC or Mac community would it likely spread before the trigger fired? How do we know one or more such beasts isn't already out there, just biding its time?
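An added example (not part of the original post or of any 1989 tool) that illustrates the post's point about detection: a modification-date check misses a writer that leaves the directory entry alone, while a content checksum still catches the change. The file, its contents and the in-place edit are all constructed for the demonstration.

```python
"""Minimal baseline/verify pass of the 'robust integrity checksumming' kind.
Records both the mtime and a SHA-256 of each file, then reports which of
the two checks fires after the file has been altered with its timestamp
restored (mimicking an infector that does not update the directory)."""
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 over the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record mtime (nanoseconds) and content hash for every file."""
    return {p: {"mtime": os.stat(p).st_mtime_ns, "sha256": file_digest(p)}
            for p in paths}


def verify(baseline):
    """Per file: did the mtime check fire, and did the hash check fire?"""
    report = {}
    for p, rec in baseline.items():
        st = os.stat(p)
        report[p] = {
            "mtime_changed": st.st_mtime_ns != rec["mtime"],
            "hash_changed": file_digest(p) != rec["sha256"],
        }
    return report


def demo():
    """Constructed scenario: alter a file in place, then put its access and
    modification times back exactly as they were before the write."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "program.com")
    with open(target, "wb") as f:
        f.write(b"\x90" * 64)              # constructed stand-in for a program
    base = build_baseline([target])
    before = os.stat(target)
    with open(target, "r+b") as f:
        f.seek(8)
        f.write(b"!!")                      # constructed two-byte change
    os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
    return verify(base)[target]             # {'mtime_changed': False, 'hash_changed': True}
```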
christer@cs.umu.se (Christer Ericson) (11/08/89)
In article <0002.8911062045.AA11747@ge.sei.cmu.edu> ctycal!ingoldsb@cpsc.ucalgary.ca writes:
>There are probably two reasons why the viruses you suggest do not
>exist:
> 1) If the system code is bypassed, then it must be rewritten.
> Most hackers are not at that level. Those that are that
> proficient are busy making money.
> 2) Code to do all the stuff needed would be quite large, and
> therefore noticeable. If you add 20 K to somebody's
> programs they will likely notice.

I don't agree with you on any of these points, Terry. Say, on the Macintosh all calls to ROM are done through trap vectors in RAM. These trap vectors are patched by the system file (to fix bugs), by some programs and by all anti-virus tools. However, it doesn't take a genius to figure out that one could restore the trap vector to its original value and thereby bypass the "safe" system. (Alright, we don't have the bug fixes installed, but it's easy to mimic what is done by the system file, for instance by simply calling the very same routine.) A patch like this wouldn't occupy much space and is quite simple to write. I'd guess I could write a virus using the above technique in a day or two, which would be undetectable by all existing anti-virus tools, and along with me so could lots of other people. However, some of us are busy making money, as you said, and we who are just working (:-)) probably have some sense of morals, stopping us from bringing total chaos to the computer society.

> Terry Ingoldsby

/Christer

Christer Ericson  Internet: christer@cs.umu.se
Department of Computer Science, University of Umea, S-90187 UMEA, Sweden
>>>>> "I bully sheep. I claim God doesn't exist..." <<<<<
madd@world.std.com (jim frost) (11/12/89)
frisk@rhi.hi.is (Fridrik Skulason) writes:
>jim frost writes:
>>Given the limited resources of PC environments, it's
>>unlikely that you'll get a very sophisticated virus.
>I must disagree. In the PC environment it is not a question of limited
>resources, but rather the fact that any user process has full access to
>ALL resources and can even directly manipulate the hardware if required.
>So, my opinion is that it is even easier to write a sophisticated virus on
>the PC than in most other environments.

No, it's harder. Most of the items which I consider sophisticated require fairly fancy programming which requires code space, data space, and CPU time, each of which is at a premium in most PCs. A really sophisticated virus, one targeted for UNIX, for instance, could easily approach or exceed a megabyte in size. You just can't do that on most PCs, and users would notice even if you could.

On the other hand you don't need to. MS-DOS systems are so trivial that it's difficult to build a good virus detector and there are no inherent security systems. Viruses don't need to be sophisticated.

>Finally, I want to add one "feature" to the description of a sophisticated
>virus:
>"Bypass protection programs and jump directly to the hardware, DOS or
>BIOS routines."

I didn't add that because that's not usually one of the "survival" traits, but rather is used in propagation and/or infection. I have a fairly lengthy document on the kinds of things a real sophisticated virus might do in each stage (what I showed before was a subset of this document). I consider the document sensitive so I am wary of posting it.

jim frost
madd@std.com