[comp.virus] VIRUSCAN/VIRSCAN Issues

Alan_J_Roberts@Sun.COM (10/25/89)

The following is a forwarded message from John McAfee:

=============================================================================

    A number of people have commented on the "closed" architecture of
VIRUSCAN and the encryption of the individual search strings used for
virus identification.  Some users feel that this is done in order to
maintain a "monopoly" in the scanning industry and to keep competitors
from using the same strings.  I would like to put that concern to
rest, if possible.  First, as many users will have noticed, the
earlier versions of SCAN had all strings available for anyone who
cared to look at them.  The users who wished merely to scan for
viruses merely noticed them, shrugged (really - what value is it to
the average user?), and went on.  The folks who seemed to take notice
of the strings were those few crackers who used the strings to change
the virus segments referenced by the strings.  This has happened seven
times in three months, the most recent being the New Jerusalem virus
discovered by Jan Terpstra and Ernst Baedecker in the Netherlands.
The virus is identical to the Jerusalem-B, with the exception of the
string changes that SCAN originally referenced.  What this does is
invalidate all of the work done to date on identification of the
Jerusalem-B.  To make it more difficult for crackers to get around the
scanning process, I've done two things: 1. encrypt the strings (I know
that this merely slows down the determined cracker, but it does deter
the casual cracker - of which there are many), and 2. I use multiple
strings for the more mutable viruses.  In addition, I have taken to
randomly changing strings for different versions of scan.  None of
this was done to deter competition.  In fact, as Art Gilbert and Bill
Vance at IBM should agree, I co-operate fully with competitors in
providing virus samples, infection trends, market information and
(possibly unwelcome) suggestions for improvements and points to watch
out for in the more troublesome viruses.  I even provide my string
lists to any legitimate competitor who asks for them.  I just don't
provide them to the public, and I'm not sure the public really would
be served by knowing the binary string sequences I use to identify a
given virus.
    In response to the comments that IBM's open string list will make
it easier for users to update the files themselves - I absolutely
agree.  There's a lot to be said for the flexibility and control that
such an approach brings.  But, ignoring the problem crackers for the
moment, we will have to ask - who is going to update the string files?
Is it each user?  If so then chaos will ensue.  I can categorically
say that the average user is incapable of taking a live virus sample
and creating a valid search string for that virus.  The problems are
immense.  First, many viruses are written in C, PASCAL or other higher
level language.  Unless you are familiar with the actual code
generated by the compiler runtime library and the canned compiler
output sequences, you will have difficulty separating the original virus
code from the same code that you will find in hundreds or maybe
thousands of other similarly compiled programs.  Second, the string
segments must have a unique "style" that will avoid false alarms with
similar styled programs.  For example, choosing a long string of
register saves as an identifier will guarantee false alarms with other
programs.  The user will also have to know something about the
infective characteristics of the virus as well.  Does it only infect
the partition record, or the boot sector?  Does it infect overlay
files?  Which ones? etc.  All in all it is a task that most users
shouldn't have to face.  So we can agree, I think, that the strings
will have to be done by competent programmers with a fair amount of
virus experience if it is to work.  The question then is - which
programmers?  Who will set the standard?  If there is no standard,
then again, chaos results and which version of the strings should we
use?  My feeling is that the IBM approach works well for researchers,
but that the general public should use only the strings that IBM
produces (or someone that IBM should designate).  So much for my
soap-box for the day.
    We survived the earthquake out here.  We were 6 miles from the
epicenter, but we must have been on a standing wave since we suffered
only moderate damage.  My cat slept through the entire event (though,
admittedly, he only normally wakes for 15 minutes at breakfast and 20
minutes at dinnertime).
    Have a good day.

John McAfee
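The post above describes three working parts of a string scanner: search strings kept encrypted in the scanner image, more than one string per virus so that a patch to one referenced segment does not invalidate detection, and strings chosen from virus-specific code rather than from a run of register saves that any program might share. The following is an added example, not VIRUSCAN's code or anything John McAfee posted; the "virus" body, the benign program, the search strings, the virus name and the repeating-XOR obfuscation (the post says "encrypt" without saying how) are all assumptions constructed for illustration.

```python
# Added example (not VIRUSCAN code): a string scanner that keeps its
# search strings obfuscated in the scanner image and carries several
# strings per virus. It shows (1) why a one-byte patch to the segment
# one string references beats a single-string scanner but not a
# multi-string one, and (2) why a run of register saves is a bad
# string. Every byte sequence below is constructed for the example.

# Assumption: a repeating-XOR key is enough to keep the plain strings
# out of a hex dump of the scanner. It only deters casual inspection.
OBFUSCATION_KEY = b"\x5a\xa5\x3c\xc3"


def xor_bytes(data, key=OBFUSCATION_KEY):
    """Repeating-key XOR; applying it twice gives back the original."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed "virus body": valid 8086 encodings chosen only for their
# byte patterns; the fragment is not a working virus.
SAMPLE_VIRUS = bytes.fromhex(
    "50 53 51 52 56 57 55 "     # push ax,bx,cx,dx,si,di,bp (ordinary prologue)
    "b4 2a cd 21 "              # mov ah,2Ah / int 21h
    "3c 0d 75 0f "              # cmp al,0Dh / jne +0Fh
    "b8 00 35 cd 21 "           # mov ax,3500h / int 21h
    "e8 12 00 "                 # call +12h
    "5d 5f 5e 5a 59 5b 58 "     # pop bp,di,si,dx,cx,bx,ax
    "cb"                        # retf
)

# Constructed benign program sharing the same prologue and epilogue.
BENIGN_PROGRAM = bytes.fromhex(
    "50 53 51 52 56 57 55 "     # same register saves as above
    "b4 09 cd 21 "              # mov ah,09h / int 21h
    "5d 5f 5e 5a 59 5b 58 "     # matching pops
    "c3"                        # ret
)

# Two search strings for the sample virus, taken from its body rather
# than from the shared prologue, plus one deliberately bad string.
SIG_A = bytes.fromhex("b4 2a cd 21 3c 0d 75 0f")
SIG_B = bytes.fromhex("b8 00 35 cd 21 e8 12 00")
BAD_SIG = bytes.fromhex("50 53 51 52 56 57 55")   # register saves only

# The kind of patch the post describes: one byte changed inside the
# segment SIG_A references (0Dh -> 0Eh); the rest of the body is intact.
PATCHED_VIRUS = SAMPLE_VIRUS.replace(SIG_A, SIG_A.replace(b"\x3c\x0d", b"\x3c\x0e"))


def build_signature_table(plain_signatures):
    """Obfuscate every search string. A shipped scanner would carry only
    the obfuscated bytes; they are derived here so the example checks itself."""
    return {name: [xor_bytes(s) for s in sigs]
            for name, sigs in plain_signatures.items()}


def scan(data, table):
    """Return {virus name: [indexes of the strings that matched]} for every
    entry with at least one hit. Strings are deobfuscated one at a time."""
    hits = {}
    for name, obfuscated_sigs in table.items():
        matched = [i for i, enc in enumerate(obfuscated_sigs) if xor_bytes(enc) in data]
        if matched:
            hits[name] = matched
    return hits


def plain_strings_exposed(table):
    """True if any plaintext search string is visible in the stored table."""
    stored = b"".join(b"".join(sigs) for sigs in table.values())
    return any(xor_bytes(enc) in stored for sigs in table.values() for enc in sigs)


MULTI_STRING_TABLE = build_signature_table({"SampleVirus": [SIG_A, SIG_B]})
SINGLE_STRING_TABLE = build_signature_table({"SampleVirus": [SIG_A]})
BAD_STRING_TABLE = build_signature_table({"SampleVirus": [BAD_SIG]})


if __name__ == "__main__":
    print("original, multi-string :", scan(SAMPLE_VIRUS, MULTI_STRING_TABLE))
    print("patched,  multi-string :", scan(PATCHED_VIRUS, MULTI_STRING_TABLE))
    print("patched,  single-string:", scan(PATCHED_VIRUS, SINGLE_STRING_TABLE))
    print("benign,   multi-string :", scan(BENIGN_PROGRAM, MULTI_STRING_TABLE))
    print("benign,   bad string   :", scan(BENIGN_PROGRAM, BAD_STRING_TABLE))
    print("plain strings exposed  :", plain_strings_exposed(MULTI_STRING_TABLE))
```

Run as a script, the patched body is still reported by the multi-string table (the second string survives the patch) but not by the single-string table, the benign program is clean against the real strings and is falsely flagged by the register-save string, and a dump of the stored table contains none of the plain strings. The XOR step is not a defence against anyone who reads the scanner's code; as the post says, it only stops the casual reader from lifting the strings out of a hex dump.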

davidsen@crdos1.crd.ge.com (10/27/89)

  You have a good point about encrypting strings, and I am as guilty
as anyone else of not saying thanks often or publicly enough. Due to
the recent flap about viruses, I gave a talk about protection at a
local user group meeting, and distributed about 40 copies of viruscan,
including putting a copy on my BBS.

  I am happy to say that I am not a user of the program, since I run
UNIX, but I have tried it, am impressed, and do provide it to any PC
user who wishes it. Well done, for what it's worth!
- ---
bill davidsen	(davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen)
"The world is filled with fools. They blindly follow their so-called
'reason' in the face of the church and common sense. Any fool can see
that the world is flat!" - anon