Path: utzoo!utgpu!utstat!jarvis.csri.toronto.edu!rutgers!cs.utexas.edu!swrinde!gem.mps.ohio-state.edu!uakari.primate.wisc.edu!unmvax!ncar!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: krvw@SEI.CMU.EDU (Kenneth R. van Wyk)
Newsgroups: comp.virus
Subject: Re: Sophisticated Viruses
Message-ID: <0002.8911101233.AA16030@ge.sei.cmu.edu>
Date: 9 Nov 89 15:37:36 GMT
Sender: Virus Discussion List
Lines: 33
Approved: krvw@sei.cmu.edu

WHMurray@DOCKMASTER.ARPA writes:

>> We have not seen any viruses that were determined to conceal their
>> existence...

In theory anyway, what proof do we have of their non-existence? If they're determined to conceal themselves, then why would we expect to notice them in the first place?

In Cliff Stoll's book, "The Cuckoo's Egg", Dr. Stoll points out that for every forty (approximately) computers that the hacker invaded, only one or two system administrators ever noticed. The connections were relatively overt in that they left behind audit trails ('lastlog' entries), yet very few people noticed. (In my personal opinion, by the way, "The Cuckoo's Egg" should be considered required reading by anyone who runs, or is interested in, computers - *highly* recommended.)

>> ...in part because writing a virus that no one notices is not any
>> fun. If no one notices, then it is not possible to know about
>> propagation or survival. What fun is that?

There's an important distinction to be made here - detection during propagation vs. detection after (presumably) successful propagation. A virus could well attempt to conceal its existence while propagating, and then do quite the opposite (!) during a destructive phase. No one would notice until it would be too late.

I'm not trying to sound like the voice of gloom and doom, really. I don't believe that the sky is falling. The purpose of this posting isn't to sound sensationalistic - merely to raise some questions.

Ken van Wyk