Path: utzoo!attcan!uunet!cs.utexas.edu!news-server.csri.toronto.edu!utgpu!watserv1!mdhardin
From: mdhardin@watserv1.waterloo.edu (Matthew D. Harding)
Newsgroups: comp.os.os2
Subject: Re: Security concerns for OS/2?
Message-ID: <1521@watserv1.waterloo.edu>
Date: 19 Mar 90 15:31:57 GMT
Organization: University of Waterloo
Lines: 77

In article <53617@microsoft.UUCP> alistair@microsoft.UUCP (Alistair BANKS) writes:

>I would say that os/2 has + & - compared with DOS regarding viruses.

Well, yes and no - see rest of comments.

>For the time being, the biggest plus, is that OS/2 is less known about
>and less installed so there are likely to be fewer virus creators around
>to gain the reduced 'reward'.

Yes, this much is true. Unfortunately, for how long can we continue to feel safe? I don't know of any viruses for OS/2 right now, but you just know some depraved individual is working on one right now.

>More technically, without giving listening virus creators any ideas, os/2
>uses the same basic boot mechanism as dos and so is susceptible: BUT,
>when it has loaded its device drivers and switched to protect mode, no
>clock activated or other interrupt activated code gets a look in.

Trust me, anyone who can read (and understand!) one of the many programming-in-assembler books for the PC can write a virus. And, as you are undoubtedly aware, there exist similar books for OS/2 (hell, you guys write most of them!). Unfortunately, the base operating system is not different enough to discourage most virus writers. Now, writing a virus which runs under HPFS, that would be a challenge...

>Under os/2 1.X the dos box is not active while you are NOT looking at it,
>therefore a DOS virus won't be active while you are using OS/2.

Yes, but if you run a virus under the DOS box, it can still spread to any executables in the same session. And if that executable happens to be a family API program (i.e. runs under DOS and OS/2), then the first time you run it under OS/2, bingo.

>HPFS is new, powerful, and complicated - viruses that use bios
>interrupts to attack FAT based file systems won't work.

Yes to all three, but if you think that is going to stop a dedicated virus writer, you are sadly mistaken. As mentioned above, a FAT based virus could only affect OS/2 if it ran a family mode program, and if OS/2 FAT was running. None of the known viruses can run in HPFS, but again, anything you guys can write a virus hacker can beat, given an amount of time (in this case probably only a few weeks/months).

>- (with rider): OS/2 does have neat and reliable multi-tasking, so a rogue
>virus process can do its work in the background, but os/2 has a real
>process model which the virus would have to be using, and a real
>process list command for you to see that virus at work - this would, of
>course be for an os/2 virus. Seeing it should allow you to track it down
>and kill it, but remember it may have an assumed pseudonym!

Well, yes and no. A virus would have to be redesigned from its present ways of attack (i.e. intercept all int 13s, all absolute disk read/writes, etc.), but that doesn't take too much work. And as far as protection goes, it is still no hard thing to write a process that is hidden from a casual inspection by any process control program I know of (I have several programs I'm sure a run-of-the-mill virus can't escape detection by, but these are not available to the average user, unfortunately).

>Generally, os/2 virus opportunities are more complex and are too new to
>have been created.

Yes, but since when has complexity deterred a virus writer? (It takes skill and a lot of complexity to create a virus that can intercept interrupts, have a built-in critical error handler, encrypt its routines so debug can't follow it, check for reinfection and for .exe and .com files, and still fit in under 1000 bytes of code.)

>I don't know of any (yet), but of course, Microsoft would like to hear
>of any - even in the making, so that we can help avoid or eradicate
>them.

Well, good luck. I appreciate your efforts, and believe me, HPFS is a step in the right direction. But anything you can write, someone else can bring down. And quickly and efficiently. Still, some good ideas and it's nice to talk these things over with dedicated, smart people.

Matt.
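Added example (editor's note, not part of Matt's or Alistair's posts): the propagation path discussed above, a virus running in the DOS box infecting executables that are later run under OS/2, is something the operating system does not catch, but a file-integrity check does. The Python below keeps a SHA-256 baseline of .exe/.com files taken while they are known clean, reports any executable whose contents changed, and, as a secondary heuristic, parses the MZ header of .exe files and flags data lying beyond the declared load image, which is where an appending infector that does not fix up the header ends up. All file names, contents and the "infected" copy are constructed inline for the demonstration; nothing here is taken from a real virus.

```python
"""Integrity check for DOS/OS/2 executables (.exe and .com).

Added example, not from the original post. Assumes a baseline of SHA-256
hashes taken while the executables are known-clean; all file names and
contents below are constructed for the demonstration.
"""
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

EXE_SUFFIXES = (".exe", ".com")


def parse_mz_header(data: bytes) -> Optional[dict]:
    """Return the load-image size declared by an MZ header, or None for
    files without one (.com images are raw code and have no header)."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        return None
    # e_cblp: bytes used on the last 512-byte page; e_cp: number of pages.
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)
    declared = e_cp * 512 if e_cblp == 0 else (e_cp - 1) * 512 + e_cblp
    return {"declared_size": declared}


def hash_file(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every executable; run this while the files are known-clean."""
    return {name: hash_file(data) for name, data in files.items()
            if name.lower().endswith(EXE_SUFFIXES)}


def check_files(files: Dict[str, bytes],
                baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare the current files against the baseline and report anomalies."""
    findings = []
    for name, data in files.items():
        if not name.lower().endswith(EXE_SUFFIXES):
            continue
        if name not in baseline:
            findings.append((name, "new executable not in baseline"))
            continue
        if hash_file(data) != baseline[name]:
            findings.append((name, "contents changed since baseline"))
        hdr = parse_mz_header(data)
        if hdr is not None and hdr["declared_size"] < len(data):
            extra = len(data) - hdr["declared_size"]
            findings.append((name, f"{extra} bytes beyond declared MZ image "
                                   "(overlay or appended code)"))
    for name in baseline:
        if name not in files:
            findings.append((name, "executable missing"))
    return findings


def make_mz_image(code: bytes) -> bytes:
    """Build a minimal, self-consistent MZ file (32-byte header + code)."""
    total = 32 + len(code)
    e_cp = (total + 511) // 512
    e_cblp = total % 512
    # e_cblp, e_cp, e_crlc, e_cparhdr (2 paragraphs = 32 bytes), e_minalloc,
    # e_maxalloc, e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
    header = b"MZ" + struct.pack("<13H", e_cblp, e_cp, 0, 2, 0, 0xFFFF,
                                 0, 0x100, 0, 0, 0, 0x1C, 0)
    return header + b"\0\0\0\0" + code


# Constructed sample "disk": a tiny .exe, a tiny .com and a non-executable.
CLEAN_FILES = {
    "HELLO.EXE": make_mz_image(b"\xb4\x4c\xcd\x21" + b"\x90" * 60),  # mov ah,4Ch; int 21h
    "TINY.COM": b"\xb4\x4c\xcd\x21",
    "README.TXT": b"not an executable",
}

# The same disk after a (constructed) appending infector has run in a DOS
# box: 32 bytes tacked onto HELLO.EXE, MZ header left untouched.
INFECTED_FILES = dict(CLEAN_FILES)
INFECTED_FILES["HELLO.EXE"] = CLEAN_FILES["HELLO.EXE"] + b"\xeb\xfe" + b"\0" * 30

if __name__ == "__main__":
    base = build_baseline(CLEAN_FILES)
    print("clean disk:", check_files(CLEAN_FILES, base))
    for name, msg in check_files(INFECTED_FILES, base):
        print(f"{name}: {msg}")
```

The hash comparison is the reliable part; the MZ-size heuristic also fires on legitimate executables that carry an overlay, so treat it as a pointer to look closer rather than a verdict. Either check is only worth anything when run from a clean environment (booted from a known-good diskette, for example), since a resident virus that hooks the disk interrupts, as the post describes, can hand the checker the original bytes.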