- Path: sparky!uunet!spool.mu.edu!uwm.edu!zaphod.mps.ohio-state.edu!cis.ohio-state.edu!news.sei.cmu.edu!cert!netnews.upenn.edu!netnews.cc.lehigh.edu!news
- From: RADAI@vms.huji.ac.il (Y. Radai)
- Newsgroups: comp.virus
- Subject: Re: Good use of (possible bad) viruses
- Message-ID: <0004.9301121242.AA22066@barnabas.cert.org>
- Date: 7 Jan 93 15:37:53 GMT
- Sender: virus-l@lehigh.edu
- Lines: 65
- Approved: news@netnews.cc.lehigh.edu
-
-
- Suzana S.-C. [sorry, I can't cope with such a long name] writes:
-
- > Just one of those days...Two examples of good use of (possible bad)
- > viruses come to my mind :
- >
- > 1. Viruses written to improve an A-V product
- >
- > The logic is simple. It is better that I write virus which can do this
- > or that and have prepared solution to implement in my A-V product than
- > wait that such virus arises in wild and then react. That means if I
- > know that today exist viruses which could be stealthy, tunneling or
- > polymorphic why shouldn't I write virus which is all that and design my
- > A-V product to recognize such virus before it really appears in wild.
- > (Well, maybe it is not commercial, I don't know). If such virus *by
- > accident* escape from my lab I already have a response and there is no
- > ethical problem at all.
-
- You definitely should try to anticipate new types of viruses. But
- why do you have to *write a virus* to do this? It's certainly
- pointless in the case of scanners, and in the case of other types of
- AV software, it's usually sufficient to *think* of what a new type of
- virus might do, and to modify your AV product accordingly, without
- actually writing such a virus. (And if your virus does escape by
- accident, it would suggest irresponsibility on your part, so I think
- you *would* have an ethical problem.)
-
- (Btw, although this evidently was not what you were referring to,
- it reminds me of a few cases I have heard of in which the authors of
- a known-virus scanner have written a new virus and inserted a
- corresponding pattern into their scanner, so that the virus is detectable
- by their scanner but not by their competitors' scanners. They then
- adduce this as "proof" that their product is better than those of
- their competitors. Needless to say, this would be highly unethical
- in the opinion of most people.)
-
- > 2. Viruses built in an A-V product (it's just an idea, don't blame me if it
- > is not applicable in reality)
- >
- > Suppose that we have an A-V product which in regular intervals or
- > randomly send a virus in system. Virus (fast infector) infects only
- > programs which checksum doesn't correspond to previously calculated
- > values. If no such program is found virus deletes itself or removes
- > from memory. If changed program found virus activates scanner to check
- > if there is any known virus. If known virus is found message is sent
- > to the user. If program is changed and no known virus is found the
- > message is sent to the user to make decision. If decision is to leave
- > program as is, virus cuts itself from the program. The whole process
- > (except messages) takes place in background. There is no need for all
- > A-V program (which is combination of I-checker and scanner) to be TSR,
- > only virus is occasionally TSR. There is slight similarity in this
- > idea with reaction of human immunity system. Anyone has ethical
- > problem with her/his own immunity system ?
-
- I'm afraid I don't understand this one at all. What's the advantage
- of infecting files? Just so that the I-checker and scanner don't have
- to be resident? There are lots of I-checkers and scanners which are
- *non-resident*. Not only does that save memory, but it's also a more
- secure way of doing things. The advantage of your proposal seems to
- me completely outweighed by the risks involved.
-
- Y. Radai
- Hebrew Univ. of Jerusalem, Israel
- RADAI@HUJIVMS.BITNET
- RADAI@VMS.HUJI.AC.IL
-