RY15@DKAUNI11.BITNET (Christoph Fischer) (07/29/89)
In our computer virus lab we have been working on the problem of mutants of several viruses. Initially we intended to make antivirus packages more secure, since a single byte added to or removed from the virus code will cause most antivirus packages to make erroneous repair attempts, which might result in even bigger harm than the virus itself will do. Furthermore, watertight identification leads to a better 'epidemiology' of the different virus strains. Thanks to the kind help of fellow virus researchers all over the world we were able to obtain and try out quite a few viruses and their mutants.

PROPOSAL: VIRUS IDENTIFICATION ALGORITHM

PURPOSE: Positive and secure identification of *known* viruses, to prevent repair attempts on files infected by unknown mutants of a virus.

REPLACES: Identification by a unique string of code (which might still be unaltered at the same offset in the code of a new variant of the virus).

METHOD:
  1. Identification of the *known* virus strain by a unique string or other feature (sUMsDos, (C)Brain, or the 1Fh in the seconds of the file time).
  2. Relocation to segment offset 0 and possible decryption of the virus code. (This might be necessary for multiple parts of the virus.)
  3. Writing zeros over sections that contain variant parts, like garbage from the last infection attempt or a time-bomb counter.
  4. Finally a CRC sum is generated (maybe using more than one polynomial). If this signature matches the one calculated on the virus code for which the removal algorithm was designed, it is safe to apply this antivirus program.

IMPLEMENTATION: We have done a test implementation in C for 2 virus strains (6 viruses yet). Our goal is to prepare a toolset for quick addition of new variants to the set of identifiable viruses.

ADVANTAGE: Antivirus tools can identify exactly a specific virus without incorporating full or partial virus code in the antivirus program. (This would be a security risk if done in commercial or PD software.)

Any comments or suggestions welcome; respond to VIRUS-L or directly, we will summarize to the list!

Currently we are also working on virus behavior in networks. For this we have set up a 4-machine Novell network (PS2/80, PS2/60, Atari386, and a good old PC-XT). Here also any suggestions and help are welcome!

*******************************************************************
* Christoph Fischer and Torsten Boerstler                         *
* Micro-BIT Virus Center / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067     *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET      *
*******************************************************************
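The four METHOD steps of the proposal, worked through as an added example that is not part of the original post: a marker check for the known strain, zeroing of the variable counter field, and a two-polynomial CRC signature compared against the reference variant the repair routine was written for. The strain record, all offsets and all bytes are constructed for the example (no real virus code), and step 2 (relocation to offset 0 and decryption) is assumed to have been done already.

```python
import zlib
from typing import Optional

def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Second, independent polynomial (CRC-16/CCITT) next to zlib's CRC-32."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

# Hypothetical strain record; every value is constructed for this example.
STRAIN = {
    "marker": b"DEMOVIR",            # step 1: string that flags the known strain
    "marker_offset": 0,
    "variant_ranges": [(16, 20)],    # step 3: e.g. a 4-byte time-bomb counter
    "signature": None,               # step 4: filled in from the reference image
}

def normalize(image: bytes, strain: dict) -> Optional[bytes]:
    """Steps 1-3: check the marker, then blank the fields that may legitimately differ.
    The image is assumed already relocated to offset 0 and decrypted (step 2)."""
    off = strain["marker_offset"]
    if image[off:off + len(strain["marker"])] != strain["marker"]:
        return None                  # not even the known strain: nothing to repair
    code = bytearray(image)
    for lo, hi in strain["variant_ranges"]:
        code[lo:hi] = bytes(hi - lo)
    return bytes(code)

def signature(code: bytes) -> tuple:
    """Step 4: two CRCs over different polynomials; both must match."""
    return zlib.crc32(code) & 0xFFFFFFFF, crc16_ccitt(code)

def safe_to_repair(image: bytes, strain: dict) -> bool:
    """True only for the exact variant the removal routine was written for."""
    code = normalize(image, strain)
    return code is not None and signature(code) == strain["signature"]

# Constructed 48-byte reference image (not real virus code) with the counter at 16..19.
REFERENCE = b"DEMOVIR\x00" + bytes(range(8, 16)) + b"\x07\x00\x00\x00" + bytes(range(20, 48))
STRAIN["signature"] = signature(normalize(REFERENCE, STRAIN))

# Same strain, new counter value: still the known variant, repair is safe.
NEW_COUNTER = REFERENCE[:16] + b"\x2a\x00\x00\x00" + REFERENCE[20:]
# One code byte patched: a mutant, so the repair routine must not be applied.
MUTANT = REFERENCE[:30] + bytes([REFERENCE[30] ^ 0xFF]) + REFERENCE[31:]
```

A plain string search would still match MUTANT (the marker is untouched), which is exactly the case the CRC step is meant to catch.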