home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker 2
/
HACKER2.mdf
/
virus
/
virusl2
/
virusl2.46
< prev
next >
Wrap
Text File
|
1995-01-03
|
4KB
|
89 lines
VIRUS-L Digest Tuesday, 14 Feb 1989 Volume 2 : Issue 46
Today's Topics:
re: Virus detection
re: "Valentine's Day Trojan Horse" (VAX/VMS)
---------------------------------------------------------------------------
Date: 13 February 1989, 10:02:09 EST
From: David M. Chess <CHESS@YKTVMV.BITNET>
Subject: re: Virus detection
> currently we seem to be fighting a
> losing battle against virus detection
Are we? In practice, the existing viruses are all very
unsophisticated, and easily detected by things that watch for
suspicious activity in the environment (executables changing length,
modifications to system files, new resources appearing, and so on).
It's not hard to write a program that will detect every known virus,
*and* every other virus in the general families that we've seen. In
theory, of course, viruses >could< be a lot nastier, and I'm not
advocating ignoring the threat. But I don't think we're losing the
battle at the moment...
> Maybe the quarantine approach is better.
No better than the modification-detection approach, I don't think.
They might be used together to some advantage, but I think trying to
reply entirely on "quarantine" would be a serious mistake. Unless you
try very very hard, it's going to be trivial for the virus to notice
that the machine it's running on is not "normal" in any sense ("hmm,
thirty-five programs have been run without a single keystroke on the
physical keyboard; rather suspicious!"). A virus could be designed
not to do any infecting unless the environment looked normal (physical
keystrokes occurring now and then, a certain amount of idle time,
etc). For every step you can take to make the quarantine environment
look more normal, a new virus can come out that is one step cleverer.
Same sort of escalation that could occur in the area of non-quarantine
methods of detection!
> The system clock runs 1000 times
> faster than normal to check for delayed-action viruses.
If you speed up the CPU by a factor of 1000 as well, it will burn out
(if you're using a normal machine), or be very very expensive (if
you've found someone who can make a CPU that'll run 1000 times faster
than today's, I think lots of computer companies would be
interested!). If you don't speed up the CPU, but only the time-of-day
clock, the fact will be very obvious to any virus testing to see if
it's running in quarantine.
> Comments, anyone?
You asked for it! *8)
DC
------------------------------
Date: 13 Feb 89 20:23
From: minow%thundr.DEC@decwrl.dec.com (Repent! Godot is coming soon! Repent!)
Subject: re: "Valentine's Day Trojan Horse" (VAX/VMS)
In Virus-List 2.43, Gary Ansok asks whether a program on a host
computer can change the VT100/VT200 answerback message or echo screen
contents back to the host.
Neither is possible in VT100 or VT200 series terminals. Also, the VMS
mail display program filters out all escape sequences and non-standard
control codes.
Thus, a Trojan Horse program distributed via VMS Mail would have to
tell the user to save the file and execute it.
In a postscript, Gary notes that he'll "be looking over [his] incoming
mail extra carefully for a few weeks." This is always good advice.
Martin Minow
minow%thundr.dec@decwrl.dec.com
The above does not represent the position of Digital Equipment
Corporation.
------------------------------
End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253