home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hackers Underworld 2: Forbidden Knowledge
/
Hackers Underworld 2: Forbidden Knowledge.iso
/
VIRUS
/
CRCREVUE
< prev
next >
Wrap
Text File
|
1990-12-18
|
56KB
|
1,575 lines
Comparison: Products to Detect Changes to Programs
Prepared by David J. Stang, Ph.D.
and (c) 1990, 1991 by
the National Computer Security Association
Suite 309, 4401-A Connecticut Ave NW
Washington DC 20008
Voice: 202-364-8252
BBS: 202-364-1304
This document may be freely distributed, but may not be altered
in any way.
This is a review of some of those checksum or CRC comparison
programs. In it, I make an effort to concisely describe the
merits of this class of products, and then to help
you in selecting a product from their ranks.
There is a difference between checksum algorithms and CRC --
cyclic redundancy check -- algorithms. The latter usually uses a
table, and is usually a bit slower than the former. Despite the
differences, many authors seem to use the words
interchangeably, and we will continue the sloppy practice in this
chapter.
Each file has a unique fingerprint in the form of a checksum
or CRC. Changes in any character within the file likely change
the checksum or CRC. If a file's original CRC is known --
perhaps recorded in a file elsewhere -- and its current CRC is
known, the two values can be compared. Any difference indicates
that the file has been changed, and offers reason to investigate
further. For example, DELOUSE allows you to build a list of
critical system files that are normally subject to attack, and
check them periodically for changes.
If a program's size is changed, it must be concluded that some
modification has occured to the file. If the size has not changed,
some modification is still possible. A file that contains the simple
message Hi Mom! could be modified so that it contained the
message Hi Dad!, and it would not show any change in size.
A much tougher test of whether a file has been modified is to
compute the checksum or CRC cyclic redundancy check. At
this writing, there are no viruses able to modify a file without
modifying the file's CRC. Thus any checksum checker will work
just fine in catching viruses, providing that you use it to
establish checksums before a virus has modified your files.
How is the checksum computed? Simply adding the values of all
the characters in the file is not enough, as a file containing just
"AE" would produce the same result as a file with just "EA".
Rather, the first byte of a file is read, and an algorithm applied
to it. This algorithm does something to the value of the byte,
such as rotating the bits a certain number of times, and logically
ANDING or ORING the bits to something else. The result of
that algorithm is then applied to the next byte of the file. The
process is repeated until the final byte is reached, and the
remainder is recorded. During this process, different algorithms
might be used for different portions of the code being processed.
With most procedures, a small file produces a checksum value of
the same size as a large file.
Is there such as thing as "the" CRC value? No. The algorithm
used defines the result. There are two popular algorithms in use:
a standard CCITT CRC and a popular XMODEM CRC. Consider
COMMAND.COM for DOS 3.3 dated 2/2/88 and taking 25308
bytes. Here are some of the checksums produced for this file by
various programs. SSCRC and Validate (method 1) use the
CCITT standard. All others in the list use some other approach.
o BSearch, 16-bit CRC - 13369 (3439 h)
o BSearch, CRCTT - 10994 (2AC0 h)
o CHKSUM - 20011 (4E2B h)
o CRCDOS - 59676 (E91C h)
o Delouse, method 1 - 1073916 (1062FC h)
o Delouse, method 2 - 1067428 (1049A4 h)
o Delouse, method 3 - 1048666 (10005A h)
o The Detective, CRC 1 - 26939 (693B h)
o The Detective, CRC 2 - 54914 (D682 h)
o Module Integrity Check - 24922 (615A)
o SSCRC - 52167 (CBC7 h)
o Validate, method 1 - 52167 (CBC7 h)
o Validate, method 2 - 4024 (0FB8 h)
o VCheck - 2141344 (0020ACA0 h)
WHY DETECT CHANGES?
There are several good reasons.
o Viruses have great difficulty infecting your machine
without making some change in it. To detect a change
is to begin the process of detecting a virus. Although
some are concerned that a change-detecting program
cannot prove there isn't already a virus in your
computer, the fact is that you needn't worry about this.
If you infect your computer with a dozen viruses, then
measure its state, one of these viruses will change that
state in the next hour or so; a remeasurement
establishes that something is afoot.
o Occasionally things go wrong with computer hardware
and software. You run CHKDSK and discover a
number of lost clusters in a number of lost chains. You
scrap these clusters, but wonder what files you've lost.
A proper change-detection program will give you a list
of files deleted since your last run. You can then
restore them from your backups.
o In many organizations, we only want to permit the use
of "authorized software." Using a proper
change-detection program, you can establish what
software was added to the machine since your last run.
Any "extra" software will quickly come to your
attention.
CAN A VIRUS BEAT THE SYSTEM?
The answer may be yes. You need to know how, so it doesn't
happen to you. The defeat can come at the hands of a
CRC-aware virus (none exists yet) or at the hands of a stealth
virus (there are several now).
CRC-AWARE VIRUSES
In theory, a virus could be written that would compute a file's
CRC, add itself to the file, then replace additional characters
from the file until the new CRC was the same as the old one.
Such a virus would escape the attention of many checksum
checkers.
Programs could catch such a virus by using an incremental
cyclic redundancy check approach. In this approach, files are
dissected into randomly-sized blocks of data, using dynamic
block size allocations that allow files as small as one byte to be
accurately checked. CHECKUP uses this approach. It scans and
compares every byte of the target files on a block-by-block basis.
If the recorded file sizes, any of the block CRC comparisons, or
the CRC totals do not match, CHECKUP alerts users that the
target files have been altered.
Another approach to the problem is to compute the check in two
different ways. For example, if both a checksum and a file size
were to be calculated and recorded for later comparison, it is
unlikely that a virus could be modified without mismatching on
one of the comparisons. Or if checksums were to be calculated
using two different algorithms, the virus would again likely fail
to fool both techniques.
Thus if some future virus were to compute checksums prior to
infections, pad their viral code with characters that maintain
checksum integrity and then infect, CHECKUP could catch it.
STEALTH VIRUSES
A stealth virus is able to defeat a checksum program if it loads
into memory before the checksum program runs. The stealth
virus can then detect the checksum program as it attempts to
read each program on the disk, and before letting the checksum
program see the file it is trying to read, extracting the virus
from it. After the checksum program is satisfied that there is no
virus in the file, the virus in memory can re-insert it into the
file just checked.
Such a problem can be easily avoided: simply boot the system
from an uninfected floppy, then run your checksum program
from it.
In the tables presented here, space has been provided for you to
rate an additional product.
PRODUCT COMPARISONS
EASE OF USE
Conducting these evaluations was not easy. In the table below, I
record my joy or frustration in trying to master the program.
Alert