Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!asuvax!ncar!tank!cps3xx!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: ut-emx!chrisj@cs.utexas.edu (Chris Johnson)
Newsgroups: comp.virus
Subject: Re: Sophisticated Viruses (Mac)
Message-ID: <0004.8912011616.AA11845@ge.sei.cmu.edu>
Date: 28 Nov 89 21:43:05 GMT
Sender: Virus Discussion List
Lines: 148
Approved: krvw@sei.cmu.edu

christer@cs.umu.se writes:

>chrisj@cs.utexas.edu (Chris Johnson) writes:
>>There would be crashes because it's very common for software that
>>patches traps to have interdependencies between its patches, i.e. one
>>patch depends on data discovered and stored for later use by another
>>patch. Removing only a portion of such patches will be likely to kill
>>the machine sooner or later.
>> . . .
>>Further, restoring traps to their original values is going to remove
>>all of the patches put in place by the System itself - the patches
>>that keep that machine running in spite of bugs in the ROMs, etc.
>>Also, whole portions of the OS and Toolbox will be removed by
>>restoring traps to their initial values (as taken from the ROM) - this
>>will kill the machine for sure.
>
>So what if I remove system patches? You seem to think that I need to
>call every little routine in ROM to do my dirty stuff. What I need is
>say, ChangedResource, WriteResource and perhaps AddResource. What do
>these traps have to do with OS traps? How many system patches are
>there for these traps? Do you *really* think that the ROM is truly
>and utterly worthless without the system patches? Do you think they
>wrote routines that didn't work at all and then patched them into
>working? Why would I care if there is some small and obscure bug in
>the ROM that could make my virus crash with prob. .000001%, after all
>that is probably the whole idea with the virus after all!!

The point is that you can't know the interdependencies of traps. Maybe you can get away with some of what you discuss, but it'll be a matter of luck more than anything else. And *no* I don't think that the ROM is utterly worthless and bug ridden, but most ROMs were created to operate in the context of much earlier system software and may not be (without the patches that would normally be in place) ready to cope with the modern Macintosh. Beyond that, and perhaps more significantly, Apple's fixes to the ROMs are often made not to the routine that has the bug, but to routines invoked *by* that routine which are likely to be, in and of themselves, unrelated to the actual bug. See the ongoing discussion of tail patching in comp.sys.mac.programmer for a full treatment of this subject.

So I think the probability is actually a bit greater than ".000001%" that your virus will crash the machine *before* it can replicate itself. At which point it's just not a virus anymore.

>I don't claim that the ROM is bug free, but your indirect claim that
>every trap is buggy is pretty heavy. (I got that from the "fact" that
>everything will kill the machine "for sure", in case you wonder).

See above - I certainly didn't mean to claim that everything is buggy. Also, if I can't be sure something will work, when I program, I look at it as a guarantee that sooner or later I'm going to crash somebody's machine. I still make a good number of mistakes (like most folks), but I think this kind of paranoia is a good idea and steers me clear of a lot of other problems. I like to think that all Mac programmers will exercise similar care in their approach to programming issues, but, of course, you're right, virus authors may not bother.

>>Writing well behaved patches is a black art on the best of days -
>>writing the sort of un-patching patches discussed here would make that
>>"black art" look like a carefree romp in the sunlit countryside. I
>>don't think such patches could be implemented safely, and I don't
>>think anyone clever enough to do so would be wasting his time working
>>on viruses in the first place.
>
>This proves you've missed the point entirely. We're not talking about well
>behaved viruses here. And just because you think no one would write one isn't
>exactly proof that no one will...

I didn't miss any point completely. The first of my points which you quote above deals with the issue of reliability and practicality - I stand by that statement. The second of those points was a psychological one; it was *not* offered as *proof* of anything, just a statement of what I believe to be a reasonable opinion. If you have a different opinion - that's fine. I hope you and your opinion are very happy together. :-)

>>All in all, I don't think the techniques dealt with in this discussion
>>are significant simply because there are too many reliability and
>>compatibility problems intrinsically linked to them.
>
>I do think they are significant though. The whole point with my post in the
>first place was to make people realize that a virus could bypass the
>protective fences of all anti-viral programs (including Gatekeeper) pretty
>easily (theoretically anyway). What if a virus changed the resource map
>directly without going through the ROM at all? We can't just rely on the
>trivial and obvious protection that Gatekeeper et al. provides.

For the reasons I stated above, I still don't think the techniques dealt with in this discussion are significant. This is not to say that there aren't ways around the various virus protection schemes currently available - there is not now, nor do I believe that there is ever likely to be, an infallible anti-virus system for the Macintosh. Nonetheless, I don't think that these particular techniques will be of service to anyone in trying to get around anti-virus systems. Since the failed attempts to create such a virus could, however, cause a few victims a lot of damage, I thought it was important to comment on the practicality of these techniques. Techniques that would safely create more sophisticated viruses are techniques that I refuse to comment on in any public forum. (In general I also refuse to comment on the techniques that won't work, but I made a rare exception in this case.)

As an aside, Gatekeeper is more sophisticated than Vaccine, and SAM is more sophisticated than Gatekeeper (although in ways that aren't yet important, I'm relieved to say). Gatekeeper is improving and will continue to do so - I will not be advertising these improvements because I do not care to notify would-be virus authors of what Gatekeeper can and cannot do. The more they're left guessing, the better off the rest of us will be.

Further, Gatekeeper, at least, can only be extended so fast because my resources (free time, money, etc.) are very limited. To the extent that this discussion promotes the creation of newer, more sophisticated viruses we are all done a disservice - I can only extend my tools so fast; if you deprive me of time by accelerating the development of new viruses, you are *not* promoting the creation of more sophisticated anti-virus tools, instead you're hindering such efforts.

If you find the protections offered by Vaccine, Gatekeeper and SAM trivial, I would encourage you to write a better tool. I imagine that a lot of people would be very pleased to see another good tool made available.

>What we need
>is sophisticated protection schemes, and unless there's no discussion of
>potential viruses we might never come up with these schemes in time.

More to the point, I believe, would be the following statement: "unless we keep up open discussions of this kind the virus authors may never come up with the ways to bypass the existing protection mechanisms." Sharing of information is great, but offering would-be virus authors important information isn't. It'll be a dark victory indeed if we get the more sophisticated anti-virus tools you desire (quite appropriately) IN RESPONSE TO the appearance of more sophisticated viruses made possible by these discussions.

I am sympathetic with the desire for more sophisticated tools (although I think you underestimate SAM), but I don't believe that this is the way to make them a reality.

If you'd like to pursue these issues privately, I'd welcome an email discussion with you. Seriously.

Best wishes,

- ----Chris (Johnson)
- ----Author of Gatekeeper
- ----chrisj@emx.utexas.edu