BULL-215.TXT, 1994-11-04
F-PROT Professional 2.15 Update Bulletin
========================================
Data Fellows Ltd, Päiväntaite 8, FIN-02210 ESPOO, Finland
Tel. +358-0-478 444, Fax +358-0-478 44 599, E-mail: f-prot@datafellows.fi
This text may be freely used as long as the source is mentioned.
F-PROT Professional 2.15 Update Bulletin; Copyright (c) 1994 Data Fellows Ltd.
-------------------------------------------------------------------------------
Contents 5/94
=============
Data Fellows' Experts Abroad
The Global Virus Situation
Die_Hard
LZR
One_Half
Bye
3APA3A
The Virus Bulletin Conference '94
Retroviruses - how viruses fight back
Common Questions and Answers
Changes in version 2.15
Data Fellows' Experts Abroad
----------------------------
Virus Bulletin Conference, the grand event in the anti-virus
field, was held this September on the isle of Jersey,
between England and France. In the tradition of these
conferences, the event was very successful. The audience
could enjoy the several top-quality treatises presented by
anti-virus experts, and explore the latest anti-virus
products exhibited in the convention.
Three specialists who participate in F-PROT's development
had been invited to speak in the conference. Mikko Hyppönen
spoke about retroviruses, and Jeremy Gumbley told the
audience about BBS systems whose purpose is to spread
viruses and virus know-how. Fridrik Skulason chaired the
conference's technical stream.
The conference is more closely described further on in this
bulletin.
We are unifying the F-PROT Professional version numbering.
From this update onward, the new versions of F-PROT
Professional for DOS, Windows and OS/2 shall all be numbered
2.11, 2.12, 2.13 etc. This will make it easier to recognize
the version upgrades of products designed for different
environments.
The Global Virus Situation
--------------------------
Die_Hard
--------
Die_Hard is a memory-resident file virus which uses fast
infector techniques. The virus infects COM and EXE files.
Die_Hard is known to be in the wild at least in Singapore
and India, where it was discovered in September 1994.
The virus loads itself into memory, where it decreases the
amount of available DOS memory by 9232 bytes. Die_Hard
infects all executed or opened COM and EXE files, increasing
their size by exactly 4000 bytes.
Die_Hard has several layers of encryption. The following
text can be found beneath the encryption:
SW DIE HARD 2
The virus doesn't use polymorphic encryption, so it is quite
easy to find. The full features of the virus are not yet
known.
F-PROT can detect the Die_Hard virus.
LZR
---
LZR is a destructive virus which has quickly become common
all over the world. The latest occurrence happened on
October the 10th in Helsinki, Finland, when a large batch
of preformatted diskettes, some of them infected, was
imported into the country. Since only about ten percent of
the diskettes were infected, the virus slipped through the
importer's virus checks. A number of diskettes were sold
before the virus was noticed.
LZR infects the boot sectors of diskettes and the main boot
records of hard disks. The virus crosses to the hard disk if
a computer is booted while an infected diskette is in drive
A. The virus does not infect computers during every boot-up,
however, but only randomly. This makes it quite slow to
spread. Once the virus has infected the hard disk, it
infects practically all non-write protected diskettes used
in the computer.
When LZR is resident in memory, it decreases the amount of
available DOS memory by 8 kilobytes. LZR damages 3.5" HD
diskettes when it tries to infect them. It does not identify
this diskette type correctly, and copies the second sector
of its own code, together with the original boot sector,
straight to the middle of the diskette. The virus intends
to copy them to the end of the diskette instead. The
overwritten area is cylinder 39, sectors 8 and 9. If this
one-kilobyte area contains data, it is lost.
LZR contains two separate activation routines. Every time a
disk operation is made, the virus has a 1/65536 chance of
activating. If this happens, the virus overwrites all data
on the computer's first hard disk.
The second activation mechanism is connected to disk writes.
Every time the hard disk is written to, the virus has a
1/256 chance of activating. When this activation routine is
executed, the virus corrupts one byte in the computer's
write buffer. This way, it steadily corrupts the data on the
hard disk. Damaged files cannot be located afterwards - and
in most cases, the corrupted files have already made it to
the backup copies.
There is no sure way to find out how long the virus has been
corrupting the system. The LZR virus is therefore very
dangerous.
F-PROT Professional can detect and remove the LZR virus.
One_Half
--------
One_Half, which is also known as Slovak Bomber, Freelove or
Explosion-II, was first discovered in May 1994. The virus
has been found both in USA and Europe. One_Half is a
destructive virus: its removal may cause files to be damaged
to the extent that they are completely unintelligible.
One_Half is a multipartite virus. It infects hard disk MBRs
and COM and EXE files. Infected files grow by 3544 bytes.
The virus is also polymorphic, so its appearance changes
between every infection.
Besides the aforementioned features, One_Half employs
stealth virus techniques. When the MBR of an infected hard
disk is examined, the virus shows the original contents of
the MBR. It makes the other sectors on the zero track seem
empty, although in truth they contain a part of the virus
code and the original MBR.
The following unencrypted texts can be found inside the
virus's code:
Dis is one half.
Press any key to continue ...
Did you leave the room ?
The virus also contains the names of many anti-virus
products:
SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV
One_Half is a destructive virus. Every time an infected
computer is booted, the virus encrypts the last two
unencrypted cylinders on the first disk partition. This way,
the encrypted area slowly creeps toward the disk's
beginning. When information is retrieved from the encrypted
area, the virus decrypts it on the way, so the user doesn't
notice anything out of the ordinary.
The encrypted information stays encrypted while the virus is
not resident, so the true nature of things is revealed only
after the computer is booted from a diskette or after the
virus is removed. If One_Half is removed from a hard disk's
MBR without first making a backup copy of the computer's
data, it is almost impossible to restore the encrypted
information on the hard disk; the virus stores both the
encryption key and information about the location and extent
of the encrypted area inside its own code in the MBR.
F-PROT can detect the One_Half virus.
Bye
---
Bye is a typical boot sector virus which infects the boot
sectors of diskettes and the main boot records of hard
disks. The virus is capable of infecting all common diskette
types (360, 720, 1200 and 1440 kilobytes). Bye was
discovered in Italy, at the end of September 1994.
The virus infects the hard disk when the computer is booted
from an infected diskette. Once the hard disk is infected
and the virus has loaded itself into memory, it shall infect
all non-write protected diskettes used in the computer.
The virus's code contains the encrypted text: "Bye by
C&CL".
The virus uses stealth virus techniques, so its code cannot
be seen on the hard disk's MBR while it is resident in
memory.
The virus stores the original main boot record on the last
sector of the hard disk's active partition. On diskettes,
the virus stores the boot sector on the diskette's last
sector.
The virus changes only 40 bytes in the boot sector - the
rest of the virus's code is stored elsewhere. Bye does this
to avoid being detected by heuristic scanners.
F-PROT can detect and remove the Bye virus.
3APA3A
------
Analysis by Igor G. Muttik MIG@lt.phys.msu.su
A new and unique boot sector virus has appeared in Russia.
The virus was named "3APA3A" (in Russian slang, it means
"INFECTION"). The virus was found in the wild in Moscow,
between 12th and 14th of October 1994.
The virus uses a complex infection method which also appears
to be completely new. Like other boot sector viruses,
3APA3A infects the boot sectors of diskettes. However, on
hard disks the virus infects the DOS core file IO.SYS. The
diskette boot sector infection mechanism is like that of
many other boot-sector viruses, but the hard disk infection
method is unique. Because of this, the virus is deemed to
belong to a new virus class, known as "kernel infectors".
The virus's size is 1024 bytes (i.e., 2 sectors). On a
diskette, the first half of the virus's code is stored in
the boot sector. The original diskette boot sector and the
second half of the virus's code are stored at the very end
of the diskette's root directory. This means that when the
virus infects a diskette, it also overwrites the last two
sectors in the root directory.
When a computer is booted from an infected diskette, the
virus tries to infect the first file in the root directory
of the active DOS partition (this file being usually
IO.SYS). The virus begins by making a copy of the IO.SYS
file, after which it infects the original file. After the
infection, the root directory contains two IO.SYS entries.
The first is not shown in a directory listing, however,
because the virus sets its volume-label bit. The directory
entries point to the two IO.SYS files. The first, infected
IO.SYS is located in its customary place at the beginning of
the root directory. It contains the virus's code, 1024
bytes, in its beginning, but is not otherwise changed. The
second IO.SYS directory entry points to the copy of the
original IO.SYS file, which is located at the end of the
partition. The copy is not infected.
When DOS is started during the computer's next boot-up, the
infected IO.SYS is executed and the virus loads itself into
memory like any other boot sector virus. It will then infect
all non-write protected diskettes that are used in the
computer.
Infected hard disks carry the label "IO SYS". The label can
be seen with the DIR and LABEL commands. This label cannot
be changed even with the LABEL command.
Since the 3APA3A virus is located in the IO.SYS file, it
cannot be removed with the command FDISK/MBR. FDISK/MBR
replaces the MBR and DOS boot sectors, so it can be used for
removing a great many boot sector viruses. With 3APA3A it is
quite ineffective, however. The command SYS C: isn't very
useful, either. It only modifies/removes the uninfected copy
of IO.SYS the virus has placed at the end of the active DOS
partition.
The 3APA3A virus is mildly polymorphic - the boot sectors of
infected diskettes vary slightly. Only the string 'MSDOS
5.0' is visible at the beginning and, obviously, the 55AA
marker is present at the very end of the boot sector.
The virus contains the message "B BOOT CEKTOPE 3APA3A!"
(which means "IN BOOT SECTOR - INFECTION!") The message
string is encrypted, and cannot be seen even in memory. In
August, the virus displays its message during every computer
boot-up.
The 3APA3A virus does not contain destructive routines.
Because of a bug, the virus frequently hangs 386/486
computers. 3APA3A can only infect hard disks whose active
DOS partition is bigger than 10.6 MB.
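As an added illustration that is not part of the original bulletin: the following Python parses a FAT12/16 root directory image and flags the on-disk traces of a 3APA3A-style infection described above (two IO.SYS entries, the first carrying the volume-label attribute and 1024 bytes larger than the clean copy). The directory images, cluster numbers and file sizes are constructed for the example, not taken from a real disk.

```python
"""Constructed root-directory parser that looks for the traces a
3APA3A-style IO.SYS infection leaves in a FAT12/16 root directory.
All directory images below are built in code (constructed sample data)."""
import struct

ENTRY_SIZE = 32
ATTR_READ_ONLY = 0x01
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_VOLUME_ID = 0x08      # the "volume-label bit" the virus sets on IO.SYS
ATTR_ARCHIVE = 0x20
SYS_ATTRS = ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM
VIRUS_SIZE = 1024          # size of the virus code prepended to IO.SYS


def make_entry(name, ext, attr, first_cluster, size):
    """Build one 32-byte FAT directory entry (timestamps left zeroed)."""
    return struct.pack("<8s3sB10sHHHI",
                       name.ljust(8).encode("ascii"),
                       ext.ljust(3).encode("ascii"),
                       attr, b"\x00" * 10, 0, 0, first_cluster, size)


def parse_root_dir(raw):
    """Decode the in-use entries of a root directory image into dicts."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == 0x00:          # first byte 0x00: no more entries follow
            break
        if e[0] == 0xE5:          # 0xE5 marks a deleted entry
            continue
        entries.append({
            "name": e[0:8].decode("ascii", "replace").rstrip(),
            "ext": e[8:11].decode("ascii", "replace").rstrip(),
            "attr": e[11],
            "first_cluster": struct.unpack_from("<H", e, 26)[0],
            "size": struct.unpack_from("<I", e, 28)[0],
        })
    return entries


def check_for_3apa3a(entries):
    """Return a list of indicator strings; an empty list means nothing found."""
    io_sys = [e for e in entries if e["name"] == "IO" and e["ext"] == "SYS"]
    findings = []
    if len(io_sys) >= 2:
        findings.append("%d IO.SYS entries in root directory" % len(io_sys))
    if io_sys and io_sys[0]["attr"] & ATTR_VOLUME_ID:
        # DIR hides this entry and shows it as the volume label "IO SYS"
        findings.append("first IO.SYS entry carries the volume-label attribute")
    if len(io_sys) >= 2 and io_sys[0]["size"] - io_sys[1]["size"] == VIRUS_SIZE:
        findings.append("first IO.SYS is exactly %d bytes larger than the copy"
                        % VIRUS_SIZE)
    return findings


def clean_root_dir():
    """Constructed root directory of an uninfected DOS system disk."""
    return b"".join([
        make_entry("IO", "SYS", SYS_ATTRS, 2, 40470),
        make_entry("MSDOS", "SYS", SYS_ATTRS, 22, 38138),
        make_entry("COMMAND", "COM", ATTR_ARCHIVE, 41, 54619),
    ]) + b"\x00" * ENTRY_SIZE


def infected_root_dir():
    """Constructed root directory after a 3APA3A-style infection: the
    original IO.SYS entry now has the volume-label bit set and 1024 extra
    bytes, and a second IO.SYS entry points at the clean copy the virus
    placed near the end of the partition (cluster number is illustrative)."""
    return b"".join([
        make_entry("IO", "SYS", SYS_ATTRS | ATTR_VOLUME_ID, 2, 40470 + VIRUS_SIZE),
        make_entry("MSDOS", "SYS", SYS_ATTRS, 22, 38138),
        make_entry("COMMAND", "COM", ATTR_ARCHIVE, 41, 54619),
        make_entry("IO", "SYS", SYS_ATTRS, 10000, 40470),
    ]) + b"\x00" * ENTRY_SIZE


if __name__ == "__main__":
    for label, image in (("clean", clean_root_dir()),
                         ("infected", infected_root_dir())):
        print(label, check_for_3apa3a(parse_root_dir(image)) or ["no indicators"])
```

To run it against a real volume, replace the constructed images with the raw bytes of the root directory region read from a disk image.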
The Virus Bulletin Conference '94
---------------------------------
The Virus Bulletin Conference is an annual conference held
by the English Virus Bulletin magazine. From year to year,
it gathers together virtually all noteworthy anti-virus
experts, anti-virus product manufacturers and a great number
of interested companies. This year's conference was held on
the isle of Jersey, with over 200 participants.
The conference lasted two days, in which time anti-virus
experts presented 23 different treatises on various
subjects. For most of the time, the convention was divided
into two auditoriums, one reserved for technical treatises
and the other for more general subjects. The conference
audience was provided with a booklet which contained and
expanded upon the things heard on stage, so it was possible
to familiarize oneself with all the treatises by reading the
material. For the first time, the conference also included a
product exhibition. In keeping with the general nature of
the conference, the exhibition was attended by all important
anti-virus products and manufacturers.
The Bottom Line
---------------
Computers do not spread viruses, people do. Since there are
no practical means to actually stop viruses from being
written, it is best to condemn the practice together and in
public. Even toddlers should be told that it is harmful to
spread viruses. The harmfulness of viruses should be pointed
out in schools' computer classes. In addition to this,
everybody, especially companies and anti-virus
manufacturers, should publicly condemn the spreading of
viruses - viruses are a hindrance to business and may cause
great financial losses. Virus writers should be made to
understand that when they spread the viruses they have
written, they are acting harmfully and even against the law.
Technical Treatises
-------------------
The conference's technical treatises addressed various
subjects, such as viruses in the future, new ways to combat
viruses, virus BBSs, virus writers, viruses behind the ex-
Iron Curtain, viruses in the wild, retroviruses and the
certification of virus tests, to name a few.
Paul Ducklin from South Africa addressed the virus problem
from an educational viewpoint. In his opinion, anti-virus
practices should be taught to all users, not just to
administrators and computer support personnel. Even though
the number of computer viruses has grown to the magical
5000, only very few of these viruses have been found in the
wild. Viruses found in the wild are usually old, and in most
cases also simple to detect and remove. Virus education
would abolish ignorance, hysteria and superstition about
viruses.
Jeremy Gumbley, F-PROT's distributor in Italy, demonstrated
how easy it is to gain access to a virus BBS. Before the
audience, Jeremy called a virus BBS he had never visited
before. He proved once and for all that such BBSs do exist,
and at the same time showed the audience a nasty example of
their contents.
Vesselin Bontchev from Germany spoke about the future of
computer viruses. He addressed the various techniques and
possibilities virus writers may come to employ in the
future, and gave suggestions on how to prepare for them.
Vesselin made it clear that the matter should be taken
seriously, and recommended that everybody prepare for the
worst but hope for the best.
Glenn Coates from England presented a new virus description
language he had created with David Leigh. The language opens
up new ways to search for and detect viruses. The language
is as yet unfinished, and the makers of current anti-virus
products present in the audience had many comments about its
continuing development.
Mikko Hyppönen from Data Fellows Ltd. spoke of retroviruses.
Mikko's treatise is included in this and the next bulletin
in its entirety.
Sara Gordon from USA spoke of virus writers. She had been
doing research on them, and had come to the conclusion that
there is no such thing as a typical virus writer. It is
interesting to note that, according to research made on the
subject, there are no female virus writers. Sara had
interviewed many virus writers, and expressed the opinion
that forceful methods and stern laws against virus writing
and virus writers themselves were not going to do much good.
Instead, the harmfulness of viruses should be taught to
everyone from children to adults, and viruses should be
publicly condemned. Virus writers are much more affected by
the condemnation of society in general and friends in
particular than by rigorous laws and criminalization.
Pavel Baudis from the Czech Republic discussed viruses
behind the ex-Iron Curtain, with emphasis on viruses found
inside the boundaries of previous Czechoslovakia.
Chris Baxter from England told of the ITSEC certificate.
ITSEC (IT Security Evaluation Criteria) defines the way in
which anti-virus products are tested, and aims to become a
producer of valid and unbiased anti-virus tests. A product
which passes such a test receives the ITSEC certificate.
Joe Wells from USA has compiled a virus list which contains
all the viruses found in the wild of which he has received a
report. This list can be used as a tool by, among others,
anti-virus product manufacturers, indicating the viruses
which should be given priority when detection and removal
mechanisms are being added to anti-virus products. The list
also helps in the unification of virus naming conventions,
since in many cases viruses' names must be invented or
picked up from inside the virus code. In addition to this,
the list aids anti-virus software developers in designing
tests, for it is much more important for a product to find
viruses which actually exist in the wild, than some 4000
viruses which may only be found in some obscure collection.
Jeff Kephart from USA discussed methods for automating the
selection of search strings used in identifying viruses.
With schemas, Jeff demonstrated how an automated system can
find the most effective search strings very quickly. This
naturally saves time when the recognition of new viruses is
being added to an anti-virus program.
General Treatises
-----------------
The emphasis of general treatises was on information
security, which was discussed from many points of view,
including network management, the security of NetWare, LAN
Server and OS/2, information security in general, diskette
protection and electronic evidence. There were also
treatises on virus writers and anti-virus methods, and the
audience was treated to a wild vision of computer
terrorists.
Jan Hruska and Steve White from USA started a little ahead
of schedule, on the night before the conference officially
opened. They spoke of viruses in general, bringing the
audience up to date on the global virus situation.
Richard Ford from England held the conference's opening
speech, reminding the audience that viruses are still going
strong, and that the situation is in no way improved by
virus BBSs and the virus CD-ROMs sold on open market. During
this year, viruses have become even more cunning than
before, and the situation is not likely to change for the
better in 1995.
Alan Solomon from England described a virus writers' group
whose career he had had the chance to follow. Alan was one
of the speakers who thought that re-education would be a
more efficient way to combat viruses than the
criminalization of virus writing and spreading.
Edward Wilding from England spoke of electronic evidence.
Edward told the audience how computers can be used for
gathering evidence of criminal activities. He pointed out
the things one should pay attention to when examining a
computer's contents, and described the difficulties in the
procedures, tools and techniques used in gathering evidence
from computers. He also told the audience about the "gray
area", or how computer evidence can be used. Edward
suggested that global guidelines on the legal use of
electronic evidence should be established.
Winn Schwartau from USA painted a disturbing picture of
computer terrorists. He pointed out that USA and NATO devise
their defence according to their enemies' capabilities, not
their intentions. Why should an industrialized society act
differently? In his treatise, Winn described the facts of
information security and insecurity, and listed various
things which can be used in terrorism. It is realistic to
expect that if a party - an individual or a group - wishes
to acquire information, stop it from being used or destroy
it, it will find it possible and in some cases even easy to
do so. These problems and their solutions have been known
for a long time, now it is time to do something about them.
Martin Smith from England spoke about information security.
Since computers are currently related to almost everything
in some way, it is very important that the data in them is
safe, always available and never damaged. This is the
purpose of information security products. Information
security is people's problem - not computers'.
Mike Jones from England discussed information security
guidelines. An English standard of such guidelines is
currently being established, and it is hoped that it will
some day become also an international one.
Linda Saxton from England spoke about the basics of
information security, concentrating on viruses and how they
can be detected. In Linda's opinion, all companies should
understand the importance of information security, have an
information security policy, and take the necessary steps to
enforce it.
David Ferbrache from England concentrated on viruses found
in other than PC computer environments, pointing out that
each system has its own characteristic features, users and
viruses. Many methods used in PC systems can be applied to
other environments, and this, in David's opinion, is what
should be done.
Scott Lenharth from USA discussed the security of LAN Server
and OS/2, while Stephen Cobb from England concentrated on
NetWare's security considerations. Stephen expressed
satisfaction in NetWare's security. He said that if
companies take advantage of NetWare's security features, the
information security problems in NetWare environments will
remain very small.
Joe Norman from France spoke also of network security, but
from users' point of view. He mentioned several things which
should be added to network operating systems in order to
improve their security. Many of these things have, in fact,
been incorporated to network operating systems, either in
already existing versions or in upgrades which are due to
appear soon. However, some of the improvements Joe suggested
will not be seen for some time yet.
Steve Bailey from England described various anti-virus
strategies, and mentioned diskette authorization as a new
way to combat viruses. Such authorization will efficiently
stop viruses from spreading through diskettes.
Summary
-------
The Virus Bulletin Conference '94 was in many ways a very
satisfying experience. During the conference, the audience
heard treatises discussing virus-related topics from many
points of view, together with treatises addressing
information security in general. In addition to this, the
reading material provided in the conference made it possible
to familiarize oneself with all the subjects discussed
there, even if time did not allow participation in all the
events. The opportunity to contact anti-virus experts
personally added to the conference's atmosphere, as did the
chance to explore the latest anti-virus and information
security products in the separate exhibition hall.
The Virus Bulletin '94 Conference proceedings can be ordered
for £50 + postage £7 in UK, £17 in Europe and £25 in other
parts of the world. The orders can be sent to Virus
Bulletin, Victoria Lammer, phone +44 (0) 1865 843691,
fax +44 (0) 1865 843971.
Retroviruses - how viruses fight back
-------------------------------------
Mikko Hyppönen, who works in Data Fellows Ltd's F-PROT
support, presented the following treatise at the Virus
Bulletin '94 conference. The treatise is published in two
parts. The second part will appear in the next update
bulletin which will come out in December.
"The GoldBug virus has extensive anti-anti-virus routines.
It can install itself while several resident anti-virus
monitors are running. It will prohibit most popular anti-
virus programs from running, and will also by-pass several
integrity checking programs" - from the original source
code of the GoldBug virus
Abstract
--------
This paper will discuss the methods viruses use or might use
in the future to attack anti-virus programs. Attacks of this
kind are becoming more common, as virus writers seem to be
constantly looking for ways to make their viruses more
efficient and vigorous. This paper also suggests how to make
anti-virus products more resistant to such attacks. The
scope of this paper is limited to PC-compatible machines.
Introduction
------------
There is a constant battle going on between computer virus
authors and virus fighters. Virus writers are looking for
ways to create more complicated, more difficult-to-analyse
and more inconspicuous viruses. At the same time, anti-virus
people are building methods to address these threats.
It's not surprising that virus authors have realised that
anti-virus tools are one of their creations' worst enemies.
The logical step for them has been to make their viruses
fight back, either directly or indirectly.
Several viruses explicitly target anti-virus programs. The
attack routines may be generic or targeted against a
specific program. Many virus authors obviously consider an
attack to be the best defence, when the objective is to keep
the virus alive in order to spread it as widely as possible.
There is a battle going on in computer systems world-wide -
it's survival of the fittest, one might say. Hopefully, this
paper will provide some ideas how to make anti-virus
applications fitter than viruses.
A virus that fights back
------------------------
For the purposes of this paper, a retrovirus is defined as
follows:
A retrovirus is a computer virus that specifically tries to
by-pass or hinder the operation of an anti-virus program or
programs. The attack may be specific to a known product or a
generic one.
Retroviruses are sometimes known as anti-anti-viruses. Anti-
anti-viruses should not be confused with anti-virus-viruses,
which are viruses that will disable or disinfect other
viruses. To avoid confusion, the term retrovirus will be
used here.
The creation of a virus which incorporates retro-routines is
not necessarily a difficult task. In most cases, virus
writers have access to the anti-virus programs they want to
by-pass. All they need to do is experiment by trial and
error until they find a way to attack the anti-virus program
in a way the anti-virus developer has not foreseen.
[Siilasmaa]
Some virus authors have gone all the way and disassembled
the offending anti-virus programs in order to find the most
effective way to attack them. They often look for methods to
attack a product in a way that would be most difficult to
circumvent in future versions of the product.
As the virus authors are pretty efficiently connected to
each other via different types of electronic networks,
information on how to attack specific products spreads
quickly.
It should be noted that virus writers typically have access
to only those anti-virus products that are available as
freeware or shareware. Some virus exchange BBS systems are
known to make pirated copies of commercial products
available, but the shareware products seem to be targeted
most often [Fellows].
It can be expected that more retroviruses, using more
advanced retro-routines, will be seen in the future.
Rules of the game
-----------------
Viruses using retro-routines started to show up during late
1980's - before that, there was no point in creating
retroviruses, as anti-virus products weren't widely used. As
the popularity of anti-virus programs has grown, so has the
number of viruses that attempt to subvert them in some way.
Several approaches are possible, including:
- modifying the code of an anti-virus program file or the
image in memory
- detecting when an anti-virus program is activating, and
either hiding itself, stopping the execution of the
program or triggering a destructive routine
- altering the computing environment in a way that affects
the operation of an anti-virus program
- using methods in the virus code that cause problems for
anti-virus programs
- exploiting a specific weakness or a backdoor in an anti-
virus program
- using generic methods that generally make it difficult or
potentially dangerous to detect, identify or disinfect the
virus
The basic principle is that the virus must somehow hinder
the operation of an anti-virus program in such a way that
the virus itself benefits from it.
Methods like encryption, stealth, polymorphic routines, code
armouring, anti-debugging tricks and confusion code can also
be considered attacks against anti-virus programs. However,
they are often generic in type and therefore outside the
scope of this paper.
Attacks against non-resident scanners
-------------------------------------
Non-resident scanners are probably the most commonly used
anti-viral products. They are also the favourite target of
real-world retroviruses.
There are several different ways to attack a scanner.
Deletion and replacement
A virus can locate the anti-virus program and delete it. A
more sophisticated attack would be a modification or a patch
that would alter the operation of the scanner in a way that
would be beneficial to the virus. A virus could locate the
search strings used by the scanner and overwrite them,
making the scanner unable to find any virus, but still
appear to be functional.
A virus can replace the scanner program with a Trojan horse
which could trigger a damage routine when run or just simply
display an error message and abort. Such an error message
would also make the scanning product look bad in the eyes of
the users, especially if the error message were
something like 'only 620kB of free DOS memory, unable to
run' or 'BRUN30 GW-Basic run-time library not found,
aborting'.
If the virus stays resident in memory, it can do similar
attacks when it sees that an anti-virus program is executed.
It can also by-pass a self-check routine of an anti-virus
program by patching it only after the application has
finished the check on its own code.
Modification of parameters
There is at least one known case of a virus that modifies
the command-line parameters when it sees a specific anti-
virus program to be started (see below). This technique
allows the virus to modify the operation of the scanner to
its advantage without patching the actual program code.
A similar attack in which the virus modifies the
configuration file of an anti-virus program might also be
possible - these files are often left unencrypted and are
not checked for such modifications.
Altering the output
If the visual interface of the anti-virus program isn't
complex (i.e. command-line driven), it might be feasible for
a retro-virus to mimic the operation of the program. This
way, the user might not notice anything strange.
A variation of the theme would be that the virus would patch
the texts displayed by the product. If the text string
'Virus found!' were to be changed to 'All clear!', a typical
user wouldn't probably doubt anything.
In many installations, anti-virus programs are run
automatically and the alarms are set off depending on the
exit codes (errorlevels) returned by a program. A successful
attack on such a system might consist of a retrovirus that
would always set the return-code of an anti-virus program to
zero.
False false alarms
Scanners are prone to false alarms, i.e. detecting a virus in
a clean file. Viruses can use this as one way to attack. If
a virus incorporates code sections from popular
applications, it is quite possible that an anti-virus vendor
without a proper false-positive testing routine might
include a search string that would cause a large amount of
false positives.
One way to implement this kind of an attack would be to
include an encryption routine to a virus, but borrow the
decryption code from some known application - the encryption
would limit the traditional search strings to only strings
that would cause false positives, and this in itself would
cause problems for some scanning products.
Problems with packed files
Several scanners are able to scan inside compressed
executables that have been packed with some of the most
popular EXE-packers. Some scanners do not scan packed files
at all, but only flag them as packed so the user is aware of
them. This provides one way a virus could cause problems for
a scanner. If a virus used a section of fake code that would
make an infected program look like it had been packed, it
could by-pass the scanning by such a product completely. The
virus could also replicate in packed form, making it even
more difficult for some scanners to detect.
A similar attack might be possible against products that
actually unpack the programs and scan underneath the
packing. In order to uncompress the program, the scanner
fetches program info from the unpacking code. If this code
contained irrational values, it could cause some scanners to
crash or run out of memory.
One man's data is another man's code
Almost all scanners default to scanning only the executable
files instead of all files. File type is usually determined
by the extension (ie. COM, EXE, SYS).
Since a virus can control the system in any way it wants,
one way to by-pass a scanner would be to change the file
extensions of all infected files to non-executable ones, for
example from EXE to XEX. While the virus is resident in
memory, it can use stealth techniques to hide this change -
but it will also make sure that all executables copied to
floppies have the valid extension, to ensure that the virus
gets a chance to spread. The advantage of such a method is
that even if the machine is booted up from a clean diskette
and all executables are scanned with a scanner that can
detect the virus, it will only be found in the initial
carrier file.
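The two attacks just described - a header that declares irrational
sizes to an unpacking scanner, and an infected EXE renamed so that an
extension-driven scanner never opens it - are both answered by looking
at file content instead of the file name, and by bounding every size
taken from a header by the real size of the file. The following is an
added example written for this bulletin, not F-PROT code: the MZ header
layout is the documented one, but the extension list, the table of
typical COM first bytes, COM_MAX and the sample files are assumptions
and constructed data.

```python
"""Added example, not F-PROT code: identify DOS executables by their content
rather than by their extension, and bound every size derived from an MZ
header by the real file size before it could be fed to an unpacker.
Extension list, COM first-byte table and COM_MAX are assumptions."""
import os
import struct

# The 28-byte MZ header, little-endian: e_magic then thirteen 16-bit fields.
MZ = struct.Struct("<2s13H")
MZ_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
             "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
             "e_lfarlc", "e_ovno")
EXEC_EXTS = {".COM", ".EXE", ".SYS", ".OVL"}        # what an extension-driven scanner opens
# Opcodes many COM programs start with: jmp near/short, mov ax/dx/bx, push cs/ds,
# cli, cld, xor, segment override, mov from segment register.  Heuristic only.
COM_FIRST_BYTES = {0xE9, 0xEB, 0xB8, 0xBA, 0xBB, 0x0E, 0x1E, 0xFA, 0xFC, 0x33, 0x2E, 0x8C}
COM_MAX = 65280                                      # largest image that fits a COM segment

def parse_mz(data):
    """Return the MZ header fields as a dict, or None if data is not an MZ image."""
    if len(data) < MZ.size or data[:2] not in (b"MZ", b"ZM"):
        return None
    return dict(zip(MZ_FIELDS, MZ.unpack_from(data, 0)))

def check_mz(data):
    """Return the list of inconsistencies in an MZ header; an empty list means
    the sizes it declares are consistent with the file that carries it."""
    h = parse_mz(data)
    if h is None:
        return ["not an MZ image"]
    problems = []
    if h["e_cp"] == 0:
        problems.append("e_cp is zero")
    if h["e_cblp"] >= 512:
        problems.append("e_cblp >= 512")
    # Load image = e_cp pages of 512 bytes, the last one partial if e_cblp != 0.
    image = h["e_cp"] * 512 - ((512 - h["e_cblp"]) if h["e_cblp"] else 0)
    header = h["e_cparhdr"] * 16
    if image > len(data):
        problems.append("image size %d exceeds file size %d" % (image, len(data)))
    if header < MZ.size or header > image:
        problems.append("header size %d outside [28, image size]" % header)
    if h["e_lfarlc"] + 4 * h["e_crlc"] > header:
        problems.append("relocation table does not fit in the header")
    entry = header + h["e_cs"] * 16 + h["e_ip"]    # e_cs treated as unsigned (assumption)
    if entry >= image:
        problems.append("entry point 0x%X lies beyond the load image" % entry)
    return problems

def classify(data):
    """Classify by content: 'exe', 'exe-bad-header', 'com?' (heuristic) or 'data'."""
    if parse_mz(data) is not None:
        return "exe" if not check_mz(data) else "exe-bad-header"
    if 0 < len(data) <= COM_MAX and data[0] in COM_FIRST_BYTES:
        return "com?"
    return "data"

def find_hidden_executables(files):
    """files: {name: bytes}.  Return names whose content looks executable even
    though the extension would keep an extension-driven scanner from opening them."""
    hidden = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].upper()
        if ext not in EXEC_EXTS and classify(data) != "data":
            hidden.append(name)
    return sorted(hidden)

def read_tree(root):
    """Read every file below root into the mapping find_hidden_executables expects."""
    files = {}
    for d, _, names in os.walk(root):
        for n in names:
            p = os.path.join(d, n)
            with open(p, "rb") as f:
                files[p] = f.read()
    return files

def build_mz(body, e_cp, e_cblp, e_cs=0, e_ip=0):
    """Build a constructed MZ image: 32-byte header (2 paragraphs) + body."""
    hdr = MZ.pack(b"MZ", e_cblp, e_cp, 0, 2, 0, 0xFFFF, 0, 0x100, 0, e_ip, e_cs, 28, 0)
    return hdr + bytes(4) + body

# Constructed samples, not real programs.
BODY = b"\xB8\x00\x4C\xCD\x21" + bytes(11)           # mov ax,4C00h / int 21h, padded
GOOD_EXE = build_mz(BODY, e_cp=1, e_cblp=48)        # 48-byte file, header says 48 bytes
BAD_EXE = build_mz(BODY, e_cp=0x7FFF, e_cblp=0)     # header claims a 16 MB load image
COM_IMAGE = b"\xE9\x10\x00" + bytes(13)             # starts with jmp near, like many COMs
SAMPLE_TREE = {
    "C:\\DOS\\EDIT.COM": COM_IMAGE,
    "C:\\GAMES\\ZORK.XEX": GOOD_EXE,                 # an EXE renamed as in the attack above
    "C:\\DOCS\\README.TXT": b"Hello world\r\n",
    "C:\\TOOLS\\PACK.EXE": BAD_EXE,
}

if __name__ == "__main__":
    for name, data in SAMPLE_TREE.items():
        print(name, classify(data), check_mz(data) if parse_mz(data) else "")
    print("hidden executables:", find_hidden_executables(SAMPLE_TREE))
```

On the constructed tree the renamed ZORK.XEX is reported as a hidden
executable, and PACK.EXE is classified 'exe-bad-header' because its
header promises a 16 MB image inside a 48-byte file - the value an
unpacking scanner must reject before it allocates memory for it. Such
a scan has to be run from a clean boot, as the bulletin notes, since a
resident stealth virus can otherwise hide the renamed files.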
Exploitation of technical limits
A virus writer could analyse in detail how a scanner
actually does the scanning and develop infection methods
that cause detection problems for a specific scanner. The
virus doesn't have to be difficult to find - it is enough
that it is very slow to search for.
The Command Bomber virus is an example of this: it inserts
its code in the middle of the host file and builds a
complicated series of branching commands to transfer the
flow of the program code to the actual virus code. The
detection of such a virus would force some scanners to scan
the whole file from the beginning to the end - which would
be enough to make them unusably slow.
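The choice the Command Bomber technique forces on a scanner is between
following the chain of branches to find where control really arrives
and scanning every byte of the file. The following is an added example
written for this bulletin, not F-PROT's scanner: it resolves a chain of
x86 jmp instructions from a COM program's entry point, searches for a
signature only in a window around the resolved entry, and refuses chains
that loop, leave the image or exceed a hop budget. The sample image, the
toy signature and the window size are constructed for the example.

```python
"""Added example, not F-PROT's scanner: resolve a chain of x86 jmp instructions
from a COM program's entry point so a signature can be searched near where
control actually arrives, and refuse chains that loop or leave the image.
The sample image, the toy signature and the window size are constructed."""

def follow_jumps(image, start=0, max_hops=64):
    """Follow jmp short (EB rel8) and jmp near (E9 rel16) from file offset
    `start` and return the offset of the first non-jump instruction.
    Returns None for a loop, a jump outside the image, or more than max_hops
    hops; a scanner should treat None as 'fall back to a full scan'."""
    seen = set()
    pos = start
    for _ in range(max_hops):
        if pos < 0 or pos >= len(image) or pos in seen:
            return None
        seen.add(pos)
        op = image[pos]
        if op == 0xEB and pos + 2 <= len(image):
            pos += 2 + int.from_bytes(image[pos + 1:pos + 2], "little", signed=True)
        elif op == 0xE9 and pos + 3 <= len(image):
            pos += 3 + int.from_bytes(image[pos + 1:pos + 3], "little", signed=True)
        else:
            return pos
    return None

def scan_window(image, signature, entry, window=256):
    """Look for signature within `window` bytes of entry.  Returns
    (found, bytes_examined) so the cost can be compared with a full scan."""
    lo = max(0, entry - window)
    hi = min(len(image), entry + window + len(signature))
    return image.find(signature, lo, hi) != -1, hi - lo

def scan_full(image, signature):
    """The fallback: look at every byte of the file."""
    return image.find(signature) != -1, len(image)

def jmp_to(frm, to):
    """Encode a jump from offset `frm` to offset `to`, short if it fits."""
    rel = to - (frm + 2)
    if -128 <= rel <= 127:
        return b"\xEB" + (rel & 0xFF).to_bytes(1, "little")
    rel = to - (frm + 3)
    return b"\xE9" + (rel & 0xFFFF).to_bytes(2, "little")

# Constructed 'virus body' and signature; the bytes merely look like DOS code.
VIRUS_BODY = b"\xB4\x4E\xBA\x00\x01\xCD\x21\x72\x10\xB4\x4F"  # mov ah,4Eh / mov dx,100h / int 21h ...
SIGNATURE = VIRUS_BODY[:9]

def build_sample(size=4096, hops=(0x800, 0x820, 0x780, 0xF00)):
    """A 4 KB COM image whose entry jumps through several host-area
    trampolines before reaching the body placed at the last hop."""
    img = bytearray(size)
    chain = (0,) + tuple(hops)
    for frm, to in zip(chain, chain[1:]):
        ins = jmp_to(frm, to)
        img[frm:frm + len(ins)] = ins
    img[hops[-1]:hops[-1] + len(VIRUS_BODY)] = VIRUS_BODY
    return bytes(img)

def build_loop(size=64):
    """A degenerate chain: offset 0 jumps to 0x10, which jumps back to 0."""
    img = bytearray(size)
    img[0:2] = jmp_to(0, 0x10)
    img[0x10:0x12] = jmp_to(0x10, 0)
    return bytes(img)

SAMPLE = build_sample()

if __name__ == "__main__":
    entry = follow_jumps(SAMPLE)
    print("naive window at offset 0:", scan_window(SAMPLE, SIGNATURE, 0))
    print("resolved entry 0x%X:" % entry, scan_window(SAMPLE, SIGNATURE, entry))
    print("full scan:", scan_full(SAMPLE, SIGNATURE))
    print("looping chain:", follow_jumps(build_loop()))
```

A window search at the static entry point misses the body; following
the chain reaches it at offset F00h after examining 512 bytes instead
of all 4096. A chain longer than the hop budget, or one that loops,
makes follow_jumps return None, and the scanner is back to the full
scan - which is exactly the cost the technique is designed to impose.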
Attacks against resident scanners and behaviour blockers
--------------------------------------------------------
Resident anti-virus programs are vulnerable to special
attacks. Since DOS does not provide any kind of memory
protection, a program can modify the memory space of another
program. This makes it possible for a virus to locate and
patch or disable a resident scanner or a behaviour blocker.
Unloading the protection
Some anti-virus TSRs can be unloaded from memory (in fact, a
product has to be unloadable in order to be Novell-
certified). If such a mechanism exists, it can also be
called by a virus. Viruses use this method quite
successfully against some products for which it is known to
work.
Through the back door
Practically every TSR scanner has a back door, which is used
by the non-resident scanner of the same package. This back
door either turns off the checking done by the TSR or
provides an alternative access method to the file system. If
such a back door did not exist, the TSR part would clash
with the normal scanner, as the TSR would notice an
infection when the non-resident part would open an infected
file for scanning.
A virus can use such back doors for its own benefit, either
to disable the resident part or to use the clean path to the
file system provided by the TSR.
Yet another way for a virus to attack a resident scanner is
to observe the display routines, and trap the alarm messages
displayed by the TSR. If the user never sees the alarm
messages of the TSR, the protection is not doing its job.
* To be continued in the next update bulletin in December *
F-PROT-Support Informs: Common Questions and Answers
----------------------------------------------------
If you have questions about information security or virus
prevention, contact your local F-PROT distributor. You can
also contact Data Fellows directly at the number +358-0-478
444.
Written questions can be mailed to:
Data Fellows Ltd, F-PROT Support, Päiväntaite 8, 02210
ESPOO, Finland.
Questions can also be sent by electronic mail to:
Internet: f-prot@datafellows.fi;
X.400: S=FPROT, OU1=DF, O=elma, P=inet, A=mailnet C=fi.
I want to run a virus check on our computers every time they
are booted. Also, if viruses are found, I want to prevent
the computers from being used. Is there a simpler way to do
this than by checking the ERRORLEVEL values returned by F-PROT.EXE?
F-PROT's DOS version supports the parameters /FREEZE and
/FREEZE2.
When started with the parameter /FREEZE, F-PROT stops the
computer if it finds a virus in the computer's memory. With
the parameter /FREEZE2, F-PROT stops the computer if it
finds a virus in a file or a boot sector. By using these
parameters, you can easily configure the kind of scan you
want.
Insert the command F-PROT /HARD /FREEZE /FREEZE2 in the
AUTOEXEC file. The program will scan the computer's memory
and hard disk and freeze the computer automatically if it
finds a virus.
If it takes too long to scan the whole hard disk, you can
use the command F-PROT C:\ /NOSUB /FREEZE /FREEZE2 in daily
scans. The program will scan the computer's memory and the
files in the root directory of disk C. This should, in
itself, protect the computer quite well. However, if you opt
for this solution, you should arrange for the whole hard
disk to be scanned regularly. The scans can be easily
scheduled by using F-AUTO. For example, if you use the
command F-AUTO 7 F-PROT /HARD /FREEZE /FREEZE2, the program
will scan the whole hard disk once every week.
I have started using the newest version of the QEMM memory
management program, v7.5. After I installed the program, my
computer has constantly tried to boot from drive A, although
I have defined the hard disk to be the boot disk in the BIOS
Setup. What's the matter?
The QuickBoot feature of QEMM 7.5 uses drive A as the
default boot drive. If you add the parameter BF:N
(BootFloppy=No) to QEMM386's command line, your computer
will resume booting directly from the hard disk. In addition
to this, you will avoid the risk of accidentally
contaminating your computer with a boot sector virus.
For some reason, my computer won't execute the programs
TERMINAT.EXE and MAX.EXE. If I change the names of these
files to something else, they will execute just fine. In
addition to this, my BIOS Setup information keeps
disappearing every once in a while. Is my computer infected?
Yes. Your description fits the GoldBug virus. It prevents
the execution of EXE programs whose names have the letter
'A' as their second-to-last character and a letter between
'N' and 'Z' as their last character. GoldBug does this in
order to detect a number of anti-virus programs and to
prevent them from being executed. The method is effective
against, for example, the programs SCAN, CLEAN, NETSCAN,
CPAV, NAV and TBAV.
Besides detecting anti-virus programs and preventing them
from being executed, GoldBug also deletes the computer's
CMOS information every time the user tries to run an anti-
virus program.
Changes in version 2.15
-----------------------
Changes in F-PROT Professional for Windows
- Both English and Finnish are now available as language
options.
- The updating of buttons on the screen has been speeded up.
- Boot sector viruses can now be removed directly from
  Windows.
- After you have checked a diskette, F-PROT for Windows asks
whether you want to continue checking other diskettes.
This feature is the same as in F-PROT for DOS.
- Network communication features have been partly
  reprogrammed to improve reliability in unreliable network
  environments.
- Idle scanning tasks are not run if the program in the
  foreground is a DOS window. Since Windows cannot see what
  happens in a DOS window, idle scanning tasks were
  previously sometimes run even though the computer was not,
  in fact, idle.
- When a scheduled task starts, F-PROT is no longer brought
to the foreground. Instead, the scan is executed
unnoticeably in the background. However, if a virus is
found during the scan, F-PROT is brought to the foreground
immediately.
- The administrator's F-Agent keeps watch for new messages
and reports sent by the users. When new messages come in,
the administrator is asked whether F-PROT should be
started.
- The status bar of the administrator's F-PROT announces all
new messages and reports.
- The administrator can now limit access rights much more
  comprehensively than before.
- The error situation which came up when F-PROT was updated
as a Remote Installation through SETUP has now been
corrected.
Changes in F-PROT for DOS
- VIRSTOP used to come into conflict with a protection
program called HARDLOCK. When this happened, VIRSTOP would
halt the machine, thinking that the computer had been
infected with a boot sector virus. The situation could
previously be solved by running VIRSTOP with the /NOMEM
switch, but this is no longer necessary. VIRSTOP now
recognizes HARDLOCK and continues operating normally.
Changes Common to F-PROT Professional for DOS, Windows and OS/2
The false alarm on the file l2d.exe has been
corrected.
New Viruses Detected by F-PROT 2.15
The following 41 viruses are now identified, but can not be
removed as they overwrite or corrupt infected files. Some
of them were detected by earlier versions of F-PROT, but
only reported as "New or modified variant of...".
Burger.560.AU
Copyprot
Crazy_Lord
ExeError
HLLO.4505.B
HLLO.4742
HLLO.7392
HLLO.RUW
Human_Greed
KI
Ku
Marked-X.355
Rythem.1818
Rythem.47857
Trivial.22
Trivial.26.C
Trivial.29.E
Trivial.30.H
Trivial.34
Trivial.40.G
Trivial.85
Trivial.90
Trivial.97.A
Trivial.97.B
Trivial.146
Trivial.Banana.B
Trivial.Banana.C
Trivial.Banana.D
Trivial.Banana.E
Trivial.Banana.F
Trivial.Banana.G
Trivial.Banana.H
Trivial.Banana.I
Trivial.Banana.J
Trivial.Banana.K
Trivial.Banana.L
Trivial.LSD
Trivial.Vsafe
VCL.663
VCL.Mindless.423.C
VCL.Viral_Messiah.703
The following 202 new viruses can now be detected and
removed. Many of these viruses were detected by earlier
versions, but are now identified accurately.
_200
_361
_386
_503
_310
_351
_554
_797
_908
Abal
Acid
AEP
Anti-Pascal_II.407
Arianna.3375
Ash.743.B
Ash.743.C
Ash.743.D
Ash.743.E
Ash.743.F
Ash.743.G
Ash.743.H
Ash.743.I
Ash.743.J
Ash.743.K
Atomic_comp
Bootexe.207
BW.373
Cait
Cascade.1704.V
Cascade.1704.X
Casino.D
Cetenary
Chaos.1241
Clogg
Clonewar.547
Coke
Dark_Apocalypse.1016
Dementia.609
Dinky.122
Dry_Dream
Enculator
ESP
Fax_Free.1024.I
Grog.566
H_Andromeda.800
H_Andromeda.1024.B
H_Andromeda.1024.C
HDZZ
Hehehe
Hello.400
Hello.600
Hellspawn
HLLC.Tree2
Howard
Hwang
Hymn.Sverdlov.B
Intruder.1331
Inv_Evil
IVP.Becky
IVP.Darlene
IVP.Roseanne
IVP.Sonic
JD.158.B
JD.158.C
JD.158.D
JD.158.E
JD.158.F
JD.158.G
JD.158.H
JD.158.I
JD.158.J
JD.158.K
JD.158.L
JD.158.M
JD.158.N
JD.158.O
JD.158.P
Jerusalem.Anticad.4096.J
Jerusalem.Sunday.N
Kato
King.1424
King.2175
Klot
Kohn_6.633
Koko
Komp
Lemming.2146
Lockjaw.507
Lockjaw.573
Lockjaw.887
LordZero
Mange_Tout.1091
Marzia.N
Mohova
Murphy.Migram.1221.B
Murphy.Migram.1221.C
Murphy.Migram.1221.D
Murphy.Migram.1221.E
Murphy.Migram.1221.F
Murphy.Migram.1221.G
Murphy.Migram.1221.H
Murphy.Migram.1221.I
Murphy.Migram.1221.J
Murphy.Migram.1221.K
Murphy.Migram.1221.L
Natas.4988
NeverOne
November_17th.768.D
Npox.963.C
Npox.963.D
Npox.963.E
Npox.963.F
Npox.963.G
Npox.963.H
Npox.963.I
Npox.963.J
Npox.963.K
Npox.963.L
Offspring.711
One_Half.3544
One_Half.3577
Pollution
Proto-T.1052
Protovirus
PS-MPC.569.D
PS-MPC.803
PS-MPC.Anarchist
PS-MPC.Guten_Tag
PS-MPC.Joana.1075
PS-MPC.Skeleton.601
PS-MPC.Toys.763
Pure.A
Pure.B
PVW
Raptor.C
School_Sucks
Semtex.515
Semtex.686
Shake.C
Shark.1661
Shutdown.644
Shutdown.698
SIC
Slam
Slimline2
Small_Comp.88
Small_Comp.92
Small_Comp.100
Small_Comp.1001.A
Small_Comp.101.B
SRC
SRP
Sterculius.240
Sterculius.266
Sterculius.273
Sterculius.428
STSV.C
STSV.D
STSV.E
STSV.F
STSV.G
Sundevil.762
Suomi.B
Tadinho
Timid.300
Tiny_Family.137
Tony.203
Traceback.3066.B
VCL.337
VCL.389
VCL.405
VCL.535
VCL.2805
VCL.Code_Zero.654
VCL.Dial.600
VCL.Dominator
VCL.Donatello.831
VCL.Earthday.799
VCL.Genocide
VCL.Kinison.809
VCL.Nomemn
VCL.Olympic.1442
VCL.Pearl_Harbour.931
VCL.Taboo
VCL.Timothy
Vienna.Ambalama
Vienna.BNB.B
Vienna.BNB.C
Vienna.BNB.D
Vienna.BNB.E
Vienna.BNB.F
Vienna.BNB.G
Vienna.BNB.H
Vienna.BNB.I
Vienna.BNB.J
Vienna.Black_Ice
Voronezh.600.B
Voronezh.1600.B
XPH.1032
YB.425
ZP
The following 32 new viruses are now detected but can not
yet be removed.
_1492
Am
Australian_Parasite.369.B
Australian_Parasite.424
Beer.643
Boot-446
Butt
Cacophony.944
Cacophony.1050
Catholic
Crazyboot
Daddy.1093
Daddy.1117
Dark_Avenger.1000
Democracy.3806
EndOne
Froll
Geldwasch
Grog.1200
Grog.1349
Hello.402
Lisa
Manic
Moonlite.465
Neuroquila
Newbug
Oracle
Raver
Taz.1087
Verify
Vienna.Variable.906
Virogen
The following 4 viruses which were detected by earlier
versions can now be removed.
_189
Honey
Techo_Rat
W-Boot
The following viruses have been renamed.
_638 ->> Kohn_6.638
_1099 ->> Mange_Tout.1099
Mayberry.* ->> BW.Mayberry.*
Trickster ->> Shark.1661