tkopp@uunet.UU.NET (Tom Kopp) (10/02/89)
I had a thought earlier about a possible future Anti-viral system. It would be software based, therefore subject to its own corruption, however it seems to me to be a mix of the work of Anti-Viral gurus McAfee and Greenberg.

It works something like this: A version/variant of ViruScan would run, searching not for viral-identifying code, but rather for the interrupt calls that write to a disk (a la Flu_Shot techniques). When it finds one, it looks in a table to see if that code is allowed. This table could consist of the following format: filename;offset of interrupt;filesize CRC; with the possible inclusion of just WHICH interrupt was attempting to be invoked. The user of the software could either add to the table for software that he/she has written, or wait for updated database listings from whoever wrote/maintained such a program. Also in the vein of Flu_Shot, a list could be maintained of files to 'ignore'.

I do see a problem in that setting up the original database to cover the countless programs existing is a truly arduous task, however for a purpose such as this, I would think reputable software companies would provide as much assistance as possible, which could be a lot if the code was written in assembler.

Is there some other fundamental element I'm missing, or is this a plausible idea?

tkopp@carroll1.cc.edu or uunet!marque!carroll1!tkopp
Thomas J. Kopp @ Carroll College 3B2 - Waukesha, WI
David.M..Chess.CHESS@YKTVMV (10/02/89)
Unfortunately, it's just about impossible to scan for new viruses by examining the on-disk image of programs, and looking for things like INTs. Three (at least) of the families of PC viruses out in the world today store themselves on disk in "garbled" form, with only a little "degarbler" stored in clear. That degarbler doesn't contain any INTs or other suspicious instructions, and the garbled part of the virus appears to be random data. The nasty instructions don't appear until the virus executes, and the degarbler converts the garbled stuff to code. So it's really only possible to catch these things at runtime (as Flushot+ and similar programs try to do), not on disk...

DC
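The table lookup Tom proposes, and the limitation Dave describes, as an added illustration that is not code from either poster: a static scan of a DOS program image for INT 13h/INT 21h opcodes, checked against a (filename; offset; file CRC; interrupt) allow table. The program image, the filename SAVE.COM and the allow table are constructed for the example, and a CRC-32 of the whole file stands in for the "filesize CRC" field.

```python
import zlib

# x86 "INT imm8" encodes as 0xCD followed by the interrupt number.
# INT 13h (BIOS disk) and INT 21h (DOS services) are the calls that reach the disk.
DISK_INTS = {0x13, 0x21}


def find_disk_ints(image: bytes):
    """Return (offset, interrupt) for every INT 13h/21h opcode in an on-disk image."""
    return [(off, image[off + 1]) for off in range(len(image) - 1)
            if image[off] == 0xCD and image[off + 1] in DISK_INTS]


def check_program(name: str, image: bytes, allow_table):
    """Classify each INT hit as 'allowed' or 'unknown' against the allow table.

    allow_table rows are (filename, offset, crc32_of_file, interrupt), i.e. the
    record layout proposed above.  A row only applies when the file's CRC matches,
    so a modified copy of an allowed program gets no benefit from the table.
    """
    crc = zlib.crc32(image) & 0xFFFFFFFF
    allowed = {(off, intr) for fn, off, fcrc, intr in allow_table
               if fn == name and fcrc == crc}
    return [(off, intr, "allowed" if (off, intr) in allowed else "unknown")
            for off, intr in find_disk_ints(image)]


# Constructed sample image: mov ah,40h / int 21h (DOS write) ;
# mov ah,03h / int 13h (BIOS write sectors) ; ret
SAMPLE = b"\xB4\x40\xCD\x21\xB4\x03\xCD\x13\xC3"
SAMPLE_CRC = zlib.crc32(SAMPLE) & 0xFFFFFFFF

# Hypothetical database entry: only the DOS write at offset 2 is vouched for.
ALLOW = [("SAVE.COM", 2, SAMPLE_CRC, 0x21)]

# A copy with one byte changed (ret -> nop): same INTs, but the CRC no longer
# matches, so the table entry no longer applies.
TAMPERED = SAMPLE[:-1] + b"\x90"

# Dave's point: if the body is stored garbled (here a constant XOR) and only a
# small degarbler is in clear, the 0xCD bytes are not in the image to be found.
GARBLED = bytes(b ^ 0x5A for b in SAMPLE)

if __name__ == "__main__":
    print(check_program("SAVE.COM", SAMPLE, ALLOW))
    print(check_program("SAVE.COM", TAMPERED, ALLOW))
    print(find_disk_ints(GARBLED))
```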
jwright@atanasoff.cs.iastate.edu (Jim Wright) (10/03/89)
In article <0014.8910021145.AA27888@ge.sei.cmu.edu> carroll1!tkopp@uunet.UU.NET (Tom Kopp) writes:
| A version/variant of ViruScan would run, searching not for
| viral-identifying code, but rather for the interrupt calls that write
| to a disk (a la Flu_Shot techniques). When it finds one, it looks in
| a table to see if that code is allowed.

There is a program to do this already. CHK4BOMB will scan a program and report on anything "suspicious" it finds. This was originally meant to find Trojan Horses, but could work against some viruses as well if used in conjunction with other programs. One thing it cannot find is code which is self-modifying, thus hiding the actual low-level access to the disk controller.

--
Jim Wright
jwright@atanasoff.cs.iastate.edu