Charles_M_Preston@Sun.COM (08/13/89)
For the past couple weeks I have been testing the latest
versions of John McAfee's virus scanning program, Viruscan,
downloaded as SCANV29.ARC, SCANV33.ARC, etc., and very briefly
the resident version archived as SCANRES4.ARC.
While I have not completed the testing protocol with each
virus, perhaps an interim report will be of interest.
The testing protocol is:
1. Scan a disk containing a copy of a virus in some form;
2. Have the virus infect at least one other program (for
.COM and .EXE infectors) or disk (for boot infectors)
so Viruscan must locate the virus signature as it would
normally be found in an infected machine;
3. Modify the virus in the most common ways people change
them (cosmetic changes to ASCII text messages or small
modifications to the code and try Viruscan again.
Step 2 arises from testing another PC anti-virus product
which was supposed to scan for viruses. When I found that it
would not detect a particular boot virus on an infected floppy,
I asked the software vendor about it. I was told that it would
detect a .COM program which would produce an infected disk - not
useful to most people with infected disks, the common way this
virus is seen Even though the viruses tested are not technically
self-mutating, my intent is to test Viruscan against later
generation infections, as they would be found in a normal
computing environment.
Naturally, there is a problem knowing which virus is actually
being found, since they go under different names and are
frequently modified. The viruses are currently identified by
their length, method of infection, symptoms of activity or
trigger, and any imbedded text strings, based on virus
descriptions from a variety of sources. These include Computers &
Security journal, and articles which have been on Virus-L, such
as Jim Goodwin's descriptions modified by Dave Ferbrache, and
reports by Joe Hirst from the British Computer Virus Research
Centre.
There is a proposal for checksumming of viruses in the June
Computers & Security, which would allow confirmation that a found
virus is the identical one already disassembled and described by
someone. In the meantime, identification has been made as
mentioned.
So far, Viruscan has detected the following viruses:
Boot infectors - Brain, Alameda/Yale, Ping-Pong, Den Zuk,
Stoned, Israeli virus that causes characters to fall down
the screen;
.COM or .EXE infectors - Jerusalem -several versions
including sURIV variants, 1701-1704-several versions,
Lehigh, 1168, 1280, DOS62-Vienna, Saratoga, Icelandic,
Icelandic 2, April First, and Fu Manchu.
SCANV33 has a byte string to check for the 405.com virus, but
does not detect it. SCANV34 has been modified to allow proper
detection.
SCANRES 0.7V34, the resident version of Viruscan, correctly
detects the 405 virus when an infected program is run.
I have not had any false positives on other commercial or
shareware programs that have been scanned. Viruscan appears to
check for viruses only in reasonable locations for those
particular strains. If there is a virus that infects only .COM
files, and an infected file has a .VOM or other extension, it
will not be reported. Of course, it is not immediately
executable, either.
On the other side of the coin, if a disk has been infected by
a boot infector, and still has a modified boot record, it will be
reported by Viruscan. This is true even if the rest of the virus
code normally hidden in other sectors has been destroyed, thus
making the disk non-bootable and non infectious. This is a
desirable warning, however, since the boot record is not
original, and since other disks may be still infected.
Disclaimer: I am a computer security consultant and have been
working with PC and Macintosh microcomputer viruses and anti-
virus products for about 18 months. I have no obligation to John
McAfee except to report the outcome of the tests. I am a member
of the Computer Virus Industry Association, which is operated by
John McAfee.
Charles M. Preston 907-344-5164
Information Integrity MCI Mail 214-1369
Box 240027 BIX cpreston
Anchorage, AK 99524 cpreston@cup.portal.comcpreston@Sun.COM (10/24/89)
These results apply to versions through V38. The current version at
this time is V45. Changes are made at least once per week, it seems,
to keep up with new viruses, and I finished the work about the time
this digest went off for a couple weeks.
VIRUSCAN, for the IBM PC, from McAfee Associates, was tested using 23
actual viruses or strains of virus. These included boot or partition
viruses such as Stoned, Ping Pong, and Brain, and .COM or .EXE viruses
such as Datacrime (1168, 1280, Datacrime II) Jerusalem, Icelandic
(several varieties) and Fu Manchu.
In each case, with two exceptions (noted below) VIRUSCAN correctly
identified the viruses after they had infected programs or disks, and
located all instances of infection in all subdirectories of the hard
disks.
One version of the program, before V35, failed to detect the 405
virus, but this was corrected in later versions. Suriv 300, a
Jerusalem variant, was not detected in an .EXE file, but was caught in
a .COM file.
Based on the testing I did, VIRUSCAN appears to be a well-written and
effective program for locating specific known viruses, and is a very
useful part of an anti-virus program.
Next question: How good are scanning programs?
There seems to be a perception, at least as written in several sources, that
scanning for known viruses is the weakest method of detecting viruses. This
is probably based partly on the assumption that the slightest change in a
virus will defeat the effort to detect it using byte strings. Experience
shows that minor changes are frequently made to microcomputer viruses.
Perhaps the most freqent change is to imbedded, non-encrypted, text strings.
Changes are also made to the infection trigger or activation conditions or
dates.
Obviously, changes can be made to any virus to defeat any particular scan
string. This has already occurred in the Macintosh world, but most changes
made so far have been on the same level of difficulty as changing ASCII
strings.
Inspection of a search string in VIRUSCAN and/or its location in the virus
code can show that a particular search string is not based on imbedded text,
and that changing the text will not interfere with detection. A number of
viruses were checked for this.
Also, it is easy to determine that text added to a boot sector in the
Yale/Alameda virus, for example, to make it look more like a normal boot
sector would not interfere with its detection. If the search string used in
the scanning program is at a different location than the added text, it
won't interfere.
On other changes, I found that with a partial disassembly, or one that was
perhaps incorrectly interpreted by me, changes to what appeared to be an
infection trigger did not replicate with the virus, or did not cause the
anticipated change in virus behavior.
For this reason, it seemed more efficient, and probably more accurate, just to
make a common type of change to a virus, and test VIRUSCAN again.
Each virus was modified by patching it, making minor changes in the
executable code on the disk. Each modified virus was allowed to infect at
least one other program to produce a second generation virus. The final
infected program was inspected and run to ascertain that the modification
was correctly transmitted with the virus. This established that there was
a viable new strain of virus. VIRUSCAN was run to see if it still found the
modified virus.
- --------
Viruses modified and detected by VIRUSCAN version 0.5V34 or later versions
through V38.
-Virus name- -Type of modification-
Ping Pong boot Virus (Italian) Activation window time was
increased
Jerusalem Virus - Version D Activation date changed
1280 Virus (Datacrime) Activation (destruction)
date changed
1168 Virus (Datacrime) Activation (destruction)
date changed
Vienna (DOS 62) Virus - Version A Manipulation task to move
5 bytes to corrupt
infected program was
changed.
405 virus Changed to seek and infect
hidden files
- -------------
Conclusion:
A well-chosen search string for a virus can survive at least some of the
common changes to viruses that are made as they pass through different
hands. A good scanning program can provide better protection than it might
appear at first glance.
VIRUSCAN is available from BIX, CompuServe, and other sources, including the
Homebase BBS, at 408-988-4004. On Homebase, the latest version is
SCANV45.ZIP.
Disclaimer: I am a computer security consultant and have been
working with PC and Macintosh microcomputer viruses and anti-
virus products for about 18 months. I have no obligation to John
McAfee except to report the outcome of the tests. Information Integrity is
a member of the Computer Virus Industry Association, which is operated by
John McAfee.
Charles M. Preston 907-344-5164
Information Integrity MCI Mail 214-1369
Box 240027 BIX cpreston
Anchorage, AK 99524 cpreston@cup.portal.comdmg@lid.mitre.org (David Gursky) (10/25/89)
In VIRUS-L Digest V2 #221, Charles Preston wrote a rather long message about virus scanners vs. more automated virus detection applications. I would like to point out to him that although there are some excellent scanning applications on the market, for Macs, PCs, etc., I prefer recommending that users do not rely on scanners simply because you must remember to periodically scan the disk. My experience has been that users simple do not remember to do this, hence a strategy that relied solely on a scanner application would not be a strong defense against electronic vandalism. David Gursky Member of the Technical Staff Special Projects Department, W-143 The MITRE Corporation