Path: utzoo!attcan!uunet!jarthur!usc!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson)
Newsgroups: comp.virus
Subject: V&S
Message-ID: <0003.9009191742.AA13188@ubu.cert.sei.cmu.edu>
Date: 20 Sep 90 14:19:00 GMT
Sender: Virus Discussion List
Lines: 74
Approved: krvw@sei.cmu.edu

>The protection of "protected mode" could cut both ways, however.
>Although it would be harder for a virus to gain access to a system, it
>would also be harder to detect and kill. You can't scan memory for a
>virus if you get nailed by a segment violation whenever you look
>outside your own data.

Must disagree on this one. I "own" my PC. As on mainframes, most of the time my processes are denied access to "privileges" - this does not mean that privilege is not available when requested, just that 99% of the time it is unnecessary, and, for many years I have had the habit of only taking on those privileges I need - that way programs requiring privileges not available to most users are identified early.

Point is that just because you choose to protect the O/S from your "accidents", this does not mean that you are permanently locked out, nor that a virus is either. Already, in some cases, booting from a protected floppy is the only recourse for recovery (though EVERY virus I have seen so far, including 4096 and Joshi, is easily detectable in memory).

----------------------------------------------------------------------------

> Our informal survey showed
>that only 25-30% of the campus bothered to check their disks for the
>virus. Part of that was the fact that users a) don't understand
>viruses -- they don't WANT to understand them and b) they're so
>amazingly apathetic.

I have found that a small dose of education plus an easy, effective means of screening software does wonders.
For too many years we just pointed people at a PC and expected them to use it like a typewriter or calculator. If users of systems in our care do not understand viruses or are apathetic about precautions, that is our fault, not theirs.

------------------------------------------------------------------------------

(excerpt from FidoNet posting provided by Frisk)

> when we discovered the motherfish, the
> decision was made to disavow its existence and any
> public comment on it was prohibited...the file was
> never made available through normal distribution based
> on two findings 1. the virus can not be detected by
> present methods 2. the virus is modularly constructed
> to allow it to "learn" the methods used to detect it,
> and then integrate this coded thought into its arsenal
> of defense mechanisms

This is pure B.S. and sounds like a politician. I know I am going out on a limb again since I have not seen the "mother fish"/"whale"/"Gordius" as yet, but am relying on the fact that by definition a virus must change things and ANY change is detectable. If the change is hidden then the mechanism used to hide the change is detectable, etc.

1st, any virus is detectable if not resident since it cannot hide itself from observation. If it is resident, then it must be resident somewhere. This is not to say that there are not some very tricky possibilities for residency, but even these are detectable. In the last few months my old three-byte test has grown to six bytes (Joshi is easier to find when resident than when dormant unless you look specifically for the 1fh signature, and I do not like signature tests - not that they are not effective, but that they require constant updates).

Of course, my job is made much easier in that I do not have to identify infections; John McAfee and Morton and Frisk do an excellent job. All I need to know is that SOMETHING has happened & then reel out the arsenal.
Similarly, this should be the attitude of users / generic detection software: determine that something has happened & call for help. This can be done with virtually no impact. To provide this environment is our responsibility.

Padgett
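The "something has changed, call for help" style of generic detection that the post argues for, as an added example that is not Padgett's code and not any of the tools he names: a baseline of file fingerprints (size plus SHA-256) taken while the system is known clean, compared later to flag modified, added and removed files without knowing any signature. The "disk" is a constructed in-memory dict of filename -> bytes standing in for DOS executables; the file names, contents and the three infection scenarios are all assumptions made up for the illustration, not real samples.

```python
"""Generic change detection: fingerprint a clean baseline, compare later.

Added example, not code from the original post. The "disk" below is a
constructed in-memory dict of filename -> bytes standing in for DOS
executables; nothing here is a real virus or a real file.
"""
import hashlib


def fingerprint(data: bytes) -> dict:
    """Record size and a SHA-256 digest for one file's contents."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_baseline(files: dict) -> dict:
    """Snapshot every file while the system is known clean."""
    return {name: fingerprint(data) for name, data in files.items()}


def compare(baseline: dict, files: dict) -> dict:
    """Report what differs from the baseline, without knowing any signatures.

    Returns {"modified": {name: "size-changed" | "same-size"},
             "added": [...], "removed": [...]}.
    A same-size change is flagged separately because a virus that patches
    a file in place leaves the directory entry looking unchanged.
    """
    current = build_baseline(files)
    modified = {}
    for name, fp in current.items():
        old = baseline.get(name)
        if old is None or old == fp:
            continue
        modified[name] = "size-changed" if old["size"] != fp["size"] else "same-size"
    return {
        "modified": modified,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


# --- constructed sample data (hypothetical files, not real programs) ------
CLEAN_DISK = {
    "COMMAND.COM": b"MZ" + bytes(range(256)) * 4,
    "EDIT.EXE": b"MZ" + b"\x90" * 300,
    "README.TXT": b"nothing to see here\r\n",
}

# Scenario 1: appending infector, file grows.
# Scenario 2: in-place patch of the first bytes, file size unchanged.
# Scenario 3: a dropped file that was not in the baseline.
INFECTED_DISK = dict(CLEAN_DISK)
INFECTED_DISK["COMMAND.COM"] = CLEAN_DISK["COMMAND.COM"] + b"\xe9\x00\x00" + b"X" * 64
INFECTED_DISK["EDIT.EXE"] = b"MZ\xeb\x10" + CLEAN_DISK["EDIT.EXE"][4:]
INFECTED_DISK["DROPPER.COM"] = b"\xcd\x20"


def demo() -> dict:
    """Baseline the clean disk, then check the infected one."""
    baseline = build_baseline(CLEAN_DISK)
    assert compare(baseline, CLEAN_DISK)["modified"] == {}  # clean disk stays quiet
    return compare(baseline, INFECTED_DISK)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

Two caveats a practitioner would add. The checker only reports that something changed; identifying what it is remains the scanner's job, which is exactly the division of labour the post describes. And a resident stealth virus that intercepts file reads can hand the checker clean bytes, so the comparison is only trustworthy when run after a clean boot (the write-protected floppy the post mentions), and the baseline itself must be stored where the infected system cannot rewrite it.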