Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!uwm.edu!ux1.cso.uiuc.edu!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: christer@cs.umu.se
Newsgroups: comp.virus
Subject: Re: Sophisticated Viruses (Mac)
Message-ID: <0001.8911281214.AA07608@ge.sei.cmu.edu>
Date: 26 Nov 89 16:03:22 GMT
Sender: Virus Discussion List
Lines: 63
Approved: krvw@sei.cmu.edu

chrisj@cs.utexas.edu (Chris Johnson) writes:

>There would be crashes because it's very common for software that
>patches traps to have interdependencies between its patches, i.e. one
>patch depends on data discovered and stored for later use by another
>patch. Removing only a portion of such patches will be likely to kill
>the machine sooner or later.
> . . .
>Further, restoring traps to their original values is going to remove
>all of the patches put in place by the System itself - the patches
>that keep that machine running in spite of bugs in the ROMs, etc.
>Also, whole portions of the OS and Toolbox will be removed by
>restoring traps to their initial values (as taken from the ROM) - this
>will kill the machine for sure.
> . . .

So what if I remove system patches? You seem to think that I need to
call every little routine in ROM to do my dirty stuff. What I need is,
say, ChangedResource, WriteResource and perhaps AddResource. What do
these traps have to do with OS traps? How many system patches are there
for these traps? Do you *really* think that the ROM is truly and utterly
worthless without the system patches? Do you think they wrote routines
that didn't work at all and then patched them into working? Why would I
care if there is some small and obscure bug in the ROM that could make
my virus crash with prob. .000001%? After all, that is probably the
whole idea with the virus after all!! I don't claim that the ROM is bug
free, but your indirect claim that every trap is buggy is pretty heavy.
(I got that from the "fact" that everything will kill the machine "for
sure", in case you wonder).

> . . .
>Writing well behaved patches is a black art on the best of days -
>writing the sort of un-patching patches discussed here would make that
>"black art" look like a carefree romp in the sunlit countryside. I
>don't think such patches could be implemented safely, and I don't
>think anyone clever enough to do so would be wasting his time working
>on viruses in the first place.

This proves you've missed the point entirely. We're not talking about
well behaved viruses here. And just because you think no one would write
one isn't exactly proof that no one will...

>All in all, I don't think the techniques dealt with in this discussion
>are significant simply because there are too many reliability and
>compatibility problems intrinsically linked to them.

I do think they are significant though. The whole point of my post in
the first place was to make people realize that a virus could bypass the
protective fences of all anti-viral programs (including Gatekeeper)
pretty easily (theoretically anyway). What if a virus changed the
resource map directly without going through the ROM at all? We can't
just rely on the trivial and obvious protection that Gatekeeper et al.
provide. What we need is sophisticated protection schemes, and unless
there's no discussion of potential viruses we might never come up with
these schemes in time.

>- ----Chris (Johnson)

/Christer

| Christer Ericson                               Internet: christer@cs.umu.se |
| Department of Computer Science, University of Umea, S-90187 UMEA, Sweden    |
| "Track 0 sector 0 must *always* load into page 8!" -Krakowicz' first law    |