Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!tut.cis.ohio-state.edu!cica!iuvax!ux1.cso.uiuc.edu!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: christer@cs.umu.se (Christer Ericson)
Newsgroups: comp.virus
Subject: Re: Sophisticated Viruses (Mac)
Message-ID: <0008.8911201547.AA05782@ge.sei.cmu.edu>
Date: 20 Nov 89 15:37:18 GMT
Sender: Virus Discussion List
Lines: 37
Approved: krvw@sei.cmu.edu

levin@BBN.COM (Joel B. Levin) writes:
>>I don't agree with you on any of these points, Terry. Say, on the
>>Macintosh all calls to ROM are done through trap vectors in RAM. These
>>trap vectors are patched by the system file (to fix bugs), by some
>>programs and by all anti-virus tools. However, it doesn't take a
>>genius to figure out that one could restore the trap vector to its
>>original value and thereby bypass the "safe" system. . . .
>> . . . A patch like this wouldn't occupy much space and is quite
>>simple to write.
>
>Except that when system patches or INIT patches or program patches to
>the traps were removed by the virus (and how would the virus decide what
>value to restore them to?--this is different for each ROM and system
>release version) the user would certainly be likely to notice the
>resultant changed program behavior -- or system crashes.
>
>        /JBL

First, restoring the traps to their original values isn't that difficult. These are initialized by the ROM, so there must be a table from which all initial values are fetched, right? As I haven't been writing any viruses lately, I'm not sure whether this table moves around from ROM version to ROM version, but obtaining the start address of this table for each and every ROM version isn't too difficult. Also, the virus would of course restore the trap vector after it's done, so why would there be crashes?

Actually, it wouldn't even have to change the trap vectors; it could call the ROM directly, but I left that to your imagination to figure out (a fruitless attempt, obviously) since I didn't want to give away freebies to aspirant virus writers. Some things they'll have to figure out themselves.

/Christer

| Christer Ericson                             Internet: christer@cs.umu.se |
| Department of Computer Science, University of Umea, S-90187 UMEA, Sweden  |
|         >>>>> "I bully sheep. I claim God doesn't exist..." <<<<<         |