home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.22
< prev
next >
Wrap
Text File
|
1995-01-03
|
2KB
|
55 lines
VIRUS-L Digest Monday, 23 Jan 1989 Volume 2 : Issue 22
Today's Topics:
re: PC Viruses
---------------------------------------------------------------------------
Date: 23 January 1989, 09:20:53 EST
From: David M. Chess <CHESS@YKTVMV.BITNET>
Subject: re: PC Viruses
In VIRUS-L v2n20, Otto Stolz <RZOTTO@DKNKURZ1.BITNET> writes
a number of things, including:
> First Main Proposition of Virus Hunting: Every program designed to
> catch viruses can be circumvented by virus-writers who know its
> principles of operation.
> ...
> The best option you have: To detect
> COM- and EXE-viruses, write your own program to compute some signature
> value from all bytes in a file and compare it with a value obtained
> earlier in the same way. Lock away the source of your program and
> every hints on its algorithm in a safe place, and apply it regularly
> to every program file you use (including itself).
While I agree with pretty much everything -else- Otto writes, I think
these statements are perhaps a bit too strong. Consider, for instance,
a modification-detection program that works using a nice long CRC
(at least 30 bits), and that uses a "user-selectable" polynomial
(for instance, the program might prompt the user for a long string
when it's first run, and use that to find an irreducible polynomial).
If the program and the database are kept on external media (in a floppy
in a locked desk drawer, for instance), and the polynomial key is
also external (in the user's head, or on that locked floppy), AND
the program is run only after cold-booting the maching from a trusted
IPL floppy (perhaps the same one again), so that the checking program,
key, and database are never in the machine at the same time as a virus,
I think I would claim that knowing all about the checking program,
including having the commented source code, would do the virus-writer
NO GOOD AT ALL in trying to defeat it (as long as the user's secret
key isn't known, of course). That's just because it's not possible
to make a probably-undetected change to a dataset if you don't know
the polynomial used for detection (and if the CRC uses enough bits).
Objections?
DC
Watson Research
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253