Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!usc!sdsu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: TMPLee@DOCKMASTER.ARPA
Newsgroups: comp.virus
Subject: Where are the Sophisticated Viruses?
Message-ID: <0005.8910301224.AA05511@ge.sei.cmu.edu>
Date: 28 Oct 89 05:46:00 GMT
Sender: Virus Discussion List
Lines: 23
Approved: krvw@sei.cmu.edu

For various reasons I have been behind in my reading of Virus-L, and so I found myself skimming something like the last dozen issues of the digest all at once. I was struck by something: are we lucky and there are no competent, sophisticated writers of viruses out there, or are we just fooling ourselves?

Although the details of most of the virus prevention programs (e.g., Gatekeeper for the Mac) haven't been discussed at all or recently enough that I remember them, it seems to me that any virus writer willing to get his hands dirty and write code that directly uses the I/O hardware (rather than rely on the operating system) should be able to write a virus that could not be detected by any of the preventative defenses that are supposed to be watching for suspicious writes and that would only be detected after-the-fact by reactive defenses that did a lot of robust integrity checksumming. (Looking for file modification dates would be useless since the virus would of course not be polite enough to update any directories; scanning programs would be useless on the assumption that the virus remains undetected until it goes off, so no-one would have included a signature to scan for.)

Suppose some suitably motivated person wrote such a virus and set the trigger for a year or two away (provided the virus had been executed and/or propagated some number of times) -- how far within the IBM-PC or Mac community would it likely spread before the trigger fired? How do we know one or more such beasts aren't already out there, just biding their time?
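The post's point that directory timestamps are useless and only integrity checksumming catches a write made behind the operating system's back can be shown with a small baseline-and-verify tool. This is an added example, not part of the original post; the file names and the scenario (a file rewritten in place with its original size and mtime restored) are constructed to model the effect the post describes.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root: Path) -> dict:
    """Record digest, size and mtime for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_file(p), "size": st.st_size, "mtime_ns": st.st_mtime_ns}
    return baseline

def check_integrity(root: Path, baseline: dict) -> dict:
    """Return {relpath: reason}. 'content' means the digest changed while size
    and mtime still match, i.e. exactly the change a timestamp check misses."""
    findings = {}
    for rel, rec in baseline.items():
        p = root / rel
        if not p.exists():
            findings[rel] = "missing"
            continue
        if sha256_file(p) == rec["sha256"]:
            continue
        st = p.stat()
        same_meta = st.st_mtime_ns == rec["mtime_ns"] and st.st_size == rec["size"]
        findings[rel] = "content" if same_meta else "modified"
    return findings

def demo() -> dict:
    """Constructed scenario: one file is rewritten in place with its original
    size and mtime restored, so only the checksum reveals the change."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        target = root / "PROG.EXE"          # constructed sample file
        target.write_bytes(b"MZ" + b"\x90" * 14)
        (root / "README.TXT").write_text("unchanged\n")
        baseline = build_baseline(root)
        st = target.stat()
        target.write_bytes(b"MZ" + b"\xcc" * 14)  # same length, different bytes
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the timestamp back
        return check_integrity(root, baseline)
```

The baseline itself must be stored where the monitored system cannot rewrite it (read-only media or another host), otherwise the same silent write that defeats the timestamps defeats the checksums.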