Text File | 1989-04-26 | 19KB | 319 lines
Portal-Rmail-To: garyt@cup.portal.com
Received: by portal.com (3.2/Portal 8)
id AA13166; Wed, 26 Apr 89 01:38:31 PDT
Received: from Sun.COM (arpa-dev) by sun.Sun.COM (4.0/SMI-4.0)
id AA18573; Tue, 25 Apr 89 23:08:58 PDT
Received: from sun by Sun.COM (4.1/SMI-4.0)
id AB12617; Tue, 25 Apr 89 23:08:11 PDT
Message-Id: <8904260608.AB12617@Sun.COM>
Received: from LEHIIBM1.BITNET by IBM1.CC.Lehigh.Edu (IBM VM SMTP R1.2) with BSMTP id 5946; Wed, 26 Apr 89 02:02:49 EDT
Received: by LEHIIBM1 (Mailer R2.03A) id 5722; Wed, 26 Apr 89 02:02:45 EDT
Date: Wed, 26 Apr 89 02:02:44 EDT
From: Revised List Processor (1.5o) <LISTSERV@IBM1.CC.Lehigh.Edu>
Subject: File: "V101 3" being sent to you
To: "Gary F. Tom" <sun!portal!cup.portal.com!garyt>
Subject: Virus 101: Chapter 3
From: woodside@ttidca.TTI.COM (George Woodside)
Newsgroups: comp.sys.atari.st,comp.sys.apple,comp.sys.mac,comp.sys.ibm.pc
Date: 13 Mar 89 14:24:23 GMT
Reply-To: woodside@ttidca.tti.com (George Woodside)
Organization: Citicorp/TTI, Santa Monica
First, the mail:
Addressing a controversial topic is sure to generate some strong responses,
and this one is no exception. Mail of the "Thank You" flavor outweighs the
"You Idiot" flavor by about 4-1, so I'll be pressing on. The majority of the
"You Idiot" mail is from senders who either admit, or display, limited
programming ability. For the benefit of those individuals: I appreciate your
concern. I am not attempting to aid in the spread of viruses, but in your
own understanding of them, and ability to defend yourself. People with the
ability to create a working virus will have found little or nothing they
didn't already know in the preceding postings. There is certainly nothing
in them that isn't already available in the most fundamental books about
personal computers. The preceding postings are also written at a
superficial level, and are missing quite a few specific things necessary to
make a real working virus. Those missing items would add nothing to the
layman's understanding of how a virus spreads or works, so are not included.
You need not take my word for this; contact anyone you know who is
knowledgeable in the system software field, and they will confirm it.
Sin of omission:
Part of a message received from Forrest Gehrke (feg@clyde.att.com):
...One method for a virus finding enough space to hide itself, that I have
seen, you have not mentioned. I have noticed that the so-called Pakistani
virus uses non-standard sectoring at tracks 37 and 38 for IBM PC
diskettes...
Mr. Gehrke is quite right. I did forget to mention this technique. While I
had heard rumors of it being in use, I hadn't seen it in any of the virus
code I've captured (again, I'm in the Atari ST world).
I have responded to all mail I have received (if it requested a response)
including mailing out copies of missed chapters. Several responses have been
returned by various mailers. If you requested something, and haven't heard
from me, either your request or my response failed.
Now, Chapter 3:
Once a virus has installed itself, and replicated as frequently as it has
found the opportunity, it will eventually launch whatever form of attack it
was originally designed to do. That attack is the real purpose of the
existence of the virus. Everything up to this point has been for the sake of
getting to this stage.
What will it do? Almost anything. The limits are imagination and code space.
The most benign virus I've seen claims to be an anti-virus. It blinks the
screen on boot-up. The idea is that if you see the screen blink, you know
that the benign virus is on the disk, rather than a more malicious one. It
does, however, spread itself just like any other virus. From there, things
proceed through the prank levels, time-triggered, messages, ones which try
to simulate hardware failures, to ones which destroy files and disks. The
actions vary from virus to virus. And, of course, there is a whole different
library of viruses for each machine type. Attempting to detect a virus by
describing or recognizing the symptoms is not only a task of limitless
proportions, it is too little too late. When the symptoms appear, the damage
has already been done.
Several viruses attempt to simulate hardware problems. (Conversely, I've had
several pleas for help with a virus that proved to be other types of
failures.) Frequently these viruses use timers to delay their actions until
the system has been running for some time, and to spread out their
activities to make the problem appear intermittent. Such virus-induced
glitches include occasionally faking successful disk I/O, while actually not
performing the read or write, altering the data being read or written, and
(more commonly) screen display glitches. It is very difficult for anyone to
determine whether such incidents are the results of a virus, or a real
hardware problem. When such incidents start to occur on your system, start
executing whatever virus detection software you have available, before
lugging your system off to a service firm.
Previously, I mentioned the use of write protected disks as a step in the
right direction to protect yourself. A large percentage of personal computer
systems now use hard disk systems. Floppy disks are more often a backup
medium, or offline storage of files not needed on the hard disk for day to
day use. Backing up requires the disks to be writeable, as does archiving
off the infrequently used files. It is good practice to write protect the
archived disks as soon as the files are copied to them. Run whatever virus
checking software you have on the archive disks, write protect them, and
then file them away.
(When reading the following suggestions about protecting your system from
attacks, keep in mind that not all techniques can be applied to all systems
or all software. Read the documentation accompanying the software before
your first attempt to use it. Be familiar with what it is expected to do
before you run it, and you'll be more able to recognize unexpected activity.)
The next step is to apply write protection to whatever disks you receive
software distributed on, before ever inserting them into a computer. Be they
Public Domain, User Group Libraries, Commercial Software, or whatever, write
protect them before you first read them. Then, make a backup copy if
possible. Finally, when first executing the new software, have only write
protected disks in your system. You should be well aware of any legitimate
attempt to write to a disk by the software before it happens, and have
adequate opportunity to insert a writeable disk when the proper time comes.
This will not only give you a clue to the presence of a virus in the new
software, but also protect the new software from a virus already resident in
your system.
If your system supports the use of a RAM disk, copy new software into the
RAMdisk before executing it the first time. Put write protected disks in
the drives, then execute the software from the RAMdisk. If the software has
no reason to access other disks, especially when starting itself up, be
very suspicious of any disk activity. The most common time for a virus or
trojan horse program to do its dirty work is at startup, when it is
impossible to tell whether disk access is part of program loading, or some
clandestine operation. By having the software loaded into and executing
from memory, you will be able to detect any disk I/O which occurs.
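The two practices above (write-protect an archive disk as soon as it is filed away, and run new software from a RAM disk with only write-protected disks in the drives so that any disk write stands out) share one underlying check: know what is on the disk before, and compare afterwards. The following Python script is an added example and is not part of George Woodside's posting; it stands in for that check on a modern system by hashing every file in a directory that represents the disk, running a program against it, and reporting any file the program created, changed or deleted. The directory layout, file names and the two sample "programs" are constructed for the demonstration.

```python
"""
Added example: a "write-protected test run" and an archive integrity check.
A directory stands in for the disk; a manifest (relative path -> SHA-256)
is taken before a program runs and compared with one taken afterwards.
All paths and sample programs below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[str(path.relative_to(root))] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return manifest


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify the differences between two manifests."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def run_under_watch(disk: Path, program) -> dict:
    """Run program(disk) and report every write it made to disk.
    This is the software-only stand-in for executing from a RAM disk while
    the real disks are write-protected: the writes are not blocked here,
    but they are all noticed."""
    before = snapshot(disk)
    program(disk)
    return diff_snapshots(before, snapshot(disk))


def verify_archive(disk: Path, manifest: dict) -> list:
    """Compare an archived disk with the manifest taken when it was filed
    away; an empty list means nothing on it has changed since."""
    changes = diff_snapshots(manifest, snapshot(disk))
    return sorted(changes["created"] + changes["deleted"] + changes["modified"])


# --- constructed demonstration ---------------------------------------------

def well_behaved(disk: Path) -> None:
    """Sample program that only reads what is on the disk."""
    for p in disk.rglob("*"):
        if p.is_file():
            p.read_bytes()


def misbehaving(disk: Path) -> None:
    """Sample program that writes to the disk although it has no reason to:
    it overwrites the first file it finds and adds a new one (constructed)."""
    files = sorted(p for p in disk.rglob("*") if p.is_file())
    files[0].write_bytes(b"altered")
    (disk / "hidden.bin").write_bytes(b"\x00" * 16)


def demo() -> dict:
    """Build a scratch 'disk', run both sample programs under watch, then
    check the disk against the manifest taken when it was 'archived'."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = Path(tmp)
        (disk / "PROGRAM.PRG").write_bytes(b"constructed program image")
        (disk / "DATA").mkdir()
        (disk / "DATA" / "NOTES.TXT").write_bytes(b"constructed data file")
        archived = snapshot(disk)  # manifest taken before the disk is filed away
        clean = run_under_watch(disk, well_behaved)
        dirty = run_under_watch(disk, misbehaving)
        tampered = verify_archive(disk, archived)
    return {"clean": clean, "dirty": dirty, "tampered": tampered}


if __name__ == "__main__":
    for name, report in demo().items():
        print(f"{name}: {report}")
```

The well-behaved run produces an empty report; the misbehaving one lists the overwritten file under "modified" and hidden.bin under "created", and the archive check afterwards flags both. Taking the manifest before the first execution, as the text advises for write protection, is what makes the comparison meaningful: a manifest taken after the program has already run cannot tell legitimate files from ones it planted.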
Finally, backup everything. Hard disks, floppy disks, tapes, whatever. Make
backup copies, write protect them, and store them in a safe place off-line.
If you are attacked by a destructive virus, your first problem is to rid your
system of the virus. Do not go to your off-line backups until you have
determined if your problem came from a virus, and if so, that you have
removed it from the system. A backup is useless if you give a virus a chance
to attack it as well as your working copy.
A significant portion of these three chapters has been related to boot
sector viruses. While the most common t