Alan_J_Roberts@Sun.COM (10/25/89)
The following is a forwarded message from John McAfee:
=============================================================================
A number of people have commented on the "closed" architecture of VIRUSCAN and the encryption of the individual search strings used for virus identification. Some users feel that this is done in order to maintain a "monopoly" in the scanning industry and to keep competitors from using the same strings. I would like to put that concern to rest, if possible.

First, as many users will have noticed, the earlier versions of SCAN had all strings available for anyone who cared to look at them. The users who wished merely to scan for viruses noticed them, shrugged (really - what value is it to the average user?), and went on. The folks who seemed to take notice of the strings were those few crackers who used the strings to change the virus segments referenced by the strings. This has happened seven times in three months, the most recent being the New Jerusalem virus discovered by Jan Terpstra and Ernst Baedecker in the Netherlands. The virus is identical to the Jerusalem-B, with the exception of the string changes that SCAN originally referenced. What this does is invalidate all of the work done to date on identification of the Jerusalem-B.

To make it more difficult for crackers to get around the scanning process, I've done two things:

1. Encrypt the strings (I know that this merely slows down the determined cracker, but it does deter the casual cracker - of which there are many).

2. Use multiple strings for the more mutable viruses.

In addition, I have taken to randomly changing strings for different versions of SCAN. None of this was done to deter competition.

In fact, as Art Gilbert and Bill Vance at IBM should agree, I co-operate fully with competitors in providing virus samples, infection trends, market information and (possibly unwelcome) suggestions for improvements and points to watch out for in the more troublesome viruses. I even provide my string lists to any legitimate competitor who asks for them. I just don't provide them to the public, and I'm not sure the public really would be served by knowing the binary string sequences I use to identify a given virus.

In response to the comments that IBM's open string list will make it easier for users to update the files themselves - I absolutely agree. There's a lot to be said for the flexibility and control that such an approach brings. But, ignoring the problem of crackers for the moment, we will have to ask - who is going to update the string files? Is it each user? If so then chaos will ensue. I can categorically say that the average user is incapable of taking a live virus sample and creating a valid search string for that virus. The problems are immense. First, many viruses are written in C, Pascal or other higher level languages. Unless you are familiar with the actual code generated by the compiler runtime library and the canned compiler output sequences, you will have difficulty separating the original virus code from the same code that you will find in hundreds or maybe thousands of other similarly compiled programs. Second, the string segments must have a unique "style" that will avoid false alarms with similarly styled programs. For example, choosing a long string of register saves as an identifier will guarantee false alarms with other programs. The user will also have to know something about the infective characteristics of the virus as well. Does it only infect the partition record, or the boot sector? Does it infect overlay files? Which ones? etc. All in all it is a task that most users shouldn't have to face.

So we can agree, I think, that the strings will have to be done by competent programmers with a fair amount of virus experience if this is to work. The question then is - which programmers? Who will set the standard? If there is no standard, then again chaos results, and which version of the strings should we use? My feeling is that the IBM approach works well for researchers, but that the general public should use only the strings that IBM produces (or someone that IBM should designate).

So much for my soap-box for the day. We survived the earthquake out here. We were 6 miles from the epicenter, but we must have been on a standing wave since we suffered only moderate damage. My cat slept through the entire event (though, admittedly, he only normally wakes for 15 minutes at breakfast and 20 minutes at dinnertime). Have a good day.

John McAfee
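Editor's added example, not part of McAfee's message and not VIRUSCAN code: a toy string scanner showing the three points made above. The search strings are kept obfuscated (here a single-byte XOR, an assumption chosen for readability; the real product's scheme is not described), each virus has more than one string so that a one-byte patch in the region one string covers (the "New Jerusalem" trick) still leaves a detection, and a string built from a run of register saves fires on an ordinary compiled program. The virus name "DEMO-A", the key, and every byte pattern are constructed for the example and correspond to no real virus.

```python
"""Toy signature scanner: obfuscated strings, several strings per virus,
and a deliberately bad string made of common prologue bytes.
All byte patterns and names below are constructed for this example."""
from typing import Dict, List

OBFUSCATION_KEY = 0x5A  # hypothetical; only keeps plaintext strings out of the binary


def obfuscate(sig: bytes) -> bytes:
    """XOR every byte with the key so the search string is not readable on disk."""
    return bytes(b ^ OBFUSCATION_KEY for b in sig)


def deobfuscate(blob: bytes) -> bytes:
    """XOR is its own inverse; the scanner recovers the string only at scan time."""
    return obfuscate(blob)


# Plaintext strings shown here only so the reader can see them; the scanner
# itself ships and consults only the obfuscated form in SIG_DB.
_PLAINTEXT_SIGS: Dict[str, List[bytes]] = {
    "DEMO-A": [
        # invented: mov ax,3521h / int 21h / mov [0100h],bx  (hook-the-vector style code)
        bytes.fromhex("b8 21 35 cd 21 89 1e 00 01"),
        # invented: mov [0102h],es / mov ax,2521h / mov dx,0210h
        bytes.fromhex("8c 06 02 01 b8 21 25 ba 10 02"),
    ],
}
SIG_DB: Dict[str, List[bytes]] = {
    name: [obfuscate(s) for s in sigs] for name, sigs in _PLAINTEXT_SIGS.items()
}

# push ax / bx / cx / dx / si / di: a register-save run found in countless
# compiled programs, i.e. exactly the kind of string that guarantees false alarms.
BAD_SIG = bytes.fromhex("50 53 51 52 56 57")

# Constructed sample files.  BENIGN is an innocent program prologue (push bp /
# mov bp,sp, register saves, padding); INFECTED appends the two virus regions.
BENIGN = bytes.fromhex("55 8b ec") + BAD_SIG + bytes(32)
INFECTED = (
    BENIGN
    + bytes.fromhex("90 90")
    + _PLAINTEXT_SIGS["DEMO-A"][0]
    + bytes(16)
    + _PLAINTEXT_SIGS["DEMO-A"][1]
)


def scan(data: bytes, db: Dict[str, List[bytes]]) -> Dict[str, int]:
    """Return {virus_name: number_of_strings_matched} for viruses with >= 1 hit."""
    hits: Dict[str, int] = {}
    for name, blobs in db.items():
        matched = sum(1 for blob in blobs if deobfuscate(blob) in data)
        if matched:
            hits[name] = matched
    return hits


def patch_first_string(data: bytes) -> bytes:
    """Simulate a cracker flipping one byte inside the region the first string covers."""
    sig = _PLAINTEXT_SIGS["DEMO-A"][0]
    idx = data.find(sig)
    if idx < 0:
        raise ValueError("first DEMO-A string not present in sample")
    mutated = bytearray(data)
    mutated[idx + 2] ^= 0x01  # 3521h becomes 3421h; string 1 no longer matches
    return bytes(mutated)


def demo() -> Dict[str, object]:
    """Run the three scenarios and return the results for inspection."""
    return {
        "benign": scan(BENIGN, SIG_DB),                        # {}
        "infected": scan(INFECTED, SIG_DB),                    # {"DEMO-A": 2}
        "patched": scan(patch_first_string(INFECTED), SIG_DB), # {"DEMO-A": 1}
        "bad_string_on_benign": BAD_SIG in BENIGN,             # True: false alarm
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:22s} {result}")
```

The single-string case is the one the post describes: after the one-byte patch the first string is gone, and a scanner carrying only that string would report the file clean, while the second string still identifies it. The XOR obfuscation, as the post says, only raises the effort for a casual reader of the scanner binary; anyone who can run the scanner under a debugger recovers the strings at the comparison point.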
davidsen@crdos1.crd.ge.com (10/27/89)
You have a good point about encrypting strings, and I am as guilty as anyone else of not saying thanks often or publicly enough. Due to the recent flap about viruses, I gave a talk about protection at a local user group meeting, and distributed about 40 copies of viruscan, including putting a copy on my BBS. I am happy to say that I am not a user of the program, since I run UNIX, but I have tried it, am impressed, and do provide it to any PC user who wishes it. Well done, for what it's worth!

---
bill davidsen (davidsen@crdos1.crd.GE.COM -or- uunet!crdgw1!crdos1!davidsen)
"The world is filled with fools. They blindly follow their so-called 'reason' in the face of the church and common sense. Any fool can see that the world is flat!" - anon