olender@sor.CS.ColoState.Edu (Kurt Olender) (03/16/90)
Not being an expert either on DOS or OS/2, but having recently installed OS/2 v1.2 on my home machine (also recently installed), I'm concerned about the potential for virus infection, trojan horse invasion, and all the other plagues that have struck the PC world. There seem to be enough similarities that it might be possible for a PC/DOS virus to infect an OS/2 system. So I have some questions.

1. Does anyone know of, or have experience with, these problems under OS/2? Have there been any reports of OS/2-specific viruses?
2. Is an OS/2 system susceptible to a virus designed for DOS?
3. Does running HPFS make any difference? Do routines that convert FAT file requests from the DOS box to HPFS requests filter out the kind of direct disk operations that a virus might require to infect a file?
4. Do the virus detectors available for DOS work under OS/2?
5. Any recommendations for precautions apart from proper backups and downloading software only from reasonably trustworthy sources?

P.S. Obviously, there is always the potential, so caution is the word of the day, but I'd like some hard information on which to base my precautions if there is any about. I'll summarize to the net if I get sufficient e-mail response.
alistair@microsoft.UUCP (Alistair BANKS) (03/19/90)
I would say that OS/2 has + & - compared with DOS regarding viruses.

For the time being, the biggest plus is that OS/2 is less known about and less installed, so there are likely to be fewer virus creators around to gain the reduced 'reward'.

More technically, without giving listening virus creators any ideas, OS/2 uses the same basic boot mechanism as DOS and so is susceptible: BUT, when it has loaded its device drivers and switched to protect mode, no clock-activated or other interrupt-activated code gets a look in. This is a major plus.

Under OS/2 1.X the DOS box is not active while you are NOT looking at it, therefore a DOS virus won't be active while you are using OS/2.

HPFS is new, powerful, and complicated - viruses that use BIOS interrupts to attack FAT-based file systems won't work.

- (with rider): OS/2 does have neat and reliable multi-tasking, so a rogue virus process can do its work in the background, but OS/2 has a real process model which the virus would have to be using, and a real process list command for you to see that virus at work - this would, of course, be for an OS/2 virus. Seeing it should allow you to track it down and kill it, but remember it may have an assumed pseudonym!

Generally, OS/2 virus opportunities are more complex and are too new to have been created. I don't know of any (yet), but of course, Microsoft would like to hear of any - even in the making, so that we can help avoid or eradicate them.

Alistair Banks
OS/2 Group
Microsoft
mdhardin@watserv1.waterloo.edu (Matthew D. Harding) (03/19/90)
In article <53617@microsoft.UUCP> alistair@microsoft.UUCP (Alistair BANKS) writes:
>I would say that OS/2 has + & - compared with DOS regarding viruses.

Well, yes and no - see rest of comments.

>For the time being, the biggest plus, is that OS/2 is less known about
>and less installed so there are likely to be fewer virus creators around
>to gain the reduced 'reward'.

Yes, this much is true. Unfortunately, for how long can we continue to feel safe? I don't know of any viruses for OS/2 right now, but you just know some depraved individual is working on one right now.

>More technically, without giving listening virus creators any ideas, OS/2
>uses the same basic boot mechanism as DOS and so is susceptible: BUT,
>when it has loaded its device drivers and switched to protect mode, no
>clock activated or other interrupt activated code gets a look in.

Trust me, anyone that can read (and understand!) one of the many programming-in-assembler books for the PC can write a virus. And, as you are undoubtedly aware, there exist similar books for OS/2 (hell, you guys write most of them!). Unfortunately, the base operating system is not different enough to discourage most virus writers. Now, writing a virus which runs under HPFS, that would be a challenge...

>Under OS/2 1.X the DOS box is not active while you are NOT looking at it,
>therefore a DOS virus won't be active while you are using OS/2.

Yes, but if you run a virus under the DOS box, it still can spread the virus to any executables in the same session. And if that executable happens to be a family API program (i.e. runs under DOS and OS/2), then the first time you run it under OS/2, bingo.

>HPFS is new, powerful, and complicated - viruses that use BIOS
>interrupts to attack FAT-based file systems won't work.

Yes to all three, but if you think that is going to stop a dedicated virus writer, you are sadly mistaken.

As mentioned above, a FAT-based virus could only affect OS/2 if it ran a family mode program, and if OS/2 FAT was running. None of the known viruses can run in HPFS, but again, anything you guys can write a virus hacker can beat, given an amount of time (in this case probably only a few weeks/months).

>- (with rider): OS/2 does have neat and reliable multi-tasking, so a rogue
>virus process can do its work in the background, but OS/2 has a real
>process model which the virus would have to be using, and a real
>process list command for you to see that virus at work - this would, of
>course be for an OS/2 virus. Seeing it should allow you to track it down
>and kill it, but remember it may have an assumed pseudonym!

Well, yes and no. A virus would have to be redesigned from its present ways of attack (i.e. intercept all int 13s, all absolute disk read/writes, etc.), but that doesn't take too much work. And as far as protection goes, it is still no hard thing to write a process that is hidden from a casual inspection by any process control program I know of (I have several programs I'm sure a run-of-the-mill virus can't escape detection by, but these are not available to the average user unfortunately).

>Generally, OS/2 virus opportunities are more complex and are too new to have been created.

Yes, but since when has complexity deterred a virus writer? (It takes skill and a lot of complexity to create a virus that can intercept interrupts, have a built-in critical error handler, encrypt its routines so debug can't follow it, check for reinfection and for .exe and .com files, and still fit in under 1000 bytes of code.)

>I don't know of any (yet), but of course, Microsoft would like to hear
>of any - even in the making, so that we can help avoid or eradicate
>them.

Well, good luck. I appreciate your efforts, and believe me, HPFS is a step in the right direction. But anything you can write, someone else can bring down. And quickly and efficiently.

Still, some good ideas and it's nice to talk these things over with dedicated, smart people.

Matt.
ballard@cheddar.cc.ubc.ca (Alan Ballard) (03/20/90)
In article <53617@microsoft.UUCP> alistair@microsoft.UUCP (Alistair BANKS) writes:
>I would say that OS/2 has + & - compared with DOS regarding viruses.

A big plus for OS/2 *ought* to be that it runs in protected mode, which could provide a lot of security. Unfortunately, all kinds of software suppliers, including Microsoft, are busy advising users to put IOPL=YES in the config.sys file, which throws away much of the potential benefit (by allowing programs to directly access I/O devices etc.). Using the IOPL=list form isn't much better, since it is seriously flawed from a security perspective.

Alan Ballard                    | Internet: Alan_Ballard@mtsg.ubc.ca
University Computing Services   | Bitnet: USERAB1@UBCMTSG
University of British Columbia  | Phone: 604-228-3074
Vancouver B.C. Canada V6R 1W5   | Fax: 604-228-5116
madd@world.std.com (jim frost) (03/20/90)
alistair@microsoft.UUCP (Alistair BANKS) writes:
>More technically, without giving listening virus creators any ideas, OS/2
>uses the same basic boot mechanism as DOS and so is susceptible: BUT,
>when it has loaded its device drivers and switched to protect mode, no
>clock activated or other interrupt activated code gets a look in.

It's harder to write a virus for a protected-mode operating system, but not much, especially since OS/2 wasn't designed with any security in mind. Even if it weren't fairly easy to infect a running OS/2, a would-be virus can still modify the on-disk version of the operating system and become active at the next boot.

>OS/2 does have neat and reliable multi-tasking, so a rogue
>virus process can do its work in the background, but OS/2 has a real
>process model which the virus would have to be using, and a real
>process list command for you to see that virus at work - this would, of
>course be for an OS/2 virus. Seeing it should allow you to track it down
>and kill it, but remember it may have an assumed pseudonym!

If the virus has taken over the operating system, it's a trivial task for it to lie about what's running, no? I agree that it's more difficult to write such a beast than it is under a monitor such as MS-DOS, but it's substantially less difficult than it is under an OS with security (such as UNIX, VMS, etc.), and there have been viruses on many of those.

Food for thought,

jim frost
saber software
jimf@saber.com
scott@ubvax.UB.Com (Scott Scheiman) (03/23/90)
In article <53617@microsoft.UUCP> alistair@microsoft.UUCP (Alistair BANKS) writes:
>- (with rider): OS/2 does have neat and reliable multi-tasking, so a rogue
>virus process can do its work in the background, but OS/2 has a real
>process model which the virus would have to be using, and a real
>process list command for you to see that virus at work - this would, of
>course be for an OS/2 virus. Seeing it should allow you to track it down
>and kill it, but remember it may have an assumed pseudonym!

Um, what is that "list command"? If you are talking about an API entry, then it isn't useful to anybody unless some application is built around it.

If you are talking about the Task Manager--well, things can hide from it (all of Lan Manager does, for example).

I'd appreciate being enlightened what "list command" this is. Thanks.
jack@csccat.UUCP (Jack Hudler) (03/24/90)
In article <28153@ubvax.UB.Com> scott@ubvax.ub.com.UUCP (Scott Scheiman) writes:
>In article <53617@microsoft.UUCP> alistair@microsoft.UUCP (Alistair BANKS) writes:
>>- (with rider): OS/2 does have neat and reliable multi-tasking, so a rogue
>>virus process can do its work in the background, but OS/2 has a real
>>process model which the virus would have to be using, and a real
>>process list command for you to see that virus at work - this would, of
>>course be for an OS/2 virus. Seeing it should allow you to track it down
>>and kill it, but remember it may have an assumed pseudonym!
>
>Um, what is that "list command"? If you are talking about an API entry,
>then it isn't useful to anybody unless some application is built around
>it.
>
>If you are talking about the Task Manager--well, things can hide from it
>(all of Lan Manager does, for example).
>
>I'd appreciate being enlightened what "list command" this is. Thanks.

Alistair is talking about the Process List, or Proc Table for you *nix fans. ALL processes must have an entry here in order to run.. check out the sample ps.exe.

--
Jack Hudler
Computer Support Corporation, Dallas, Texas
UUCP: {texsun,texbell}!csccat!jack
lowey@herald.usask.ca (Kevin Lowey) (03/24/90)
From article <28153@ubvax.UB.Com>, by scott@ubvax.UB.Com (Scott Scheiman):
>>virus process can do its work in the background, but OS/2 has a real
>>process model which the virus would have to be using, and a real
>>process list command for you to see that virus at work - this would, of
>
> Um, what is that "list command"? If you are talking about an API entry,
> then it isn't useful to anybody unless some application is built around
> it.

I'm not sure if this is what he means, but OS/2 1.2 has a command called PSTAT which shows the current status of all the processes, threads, etc. running in the system.

--
Kevin Lowey