Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: vail@tegra.com (Johnathan Vail)
Newsgroups: comp.virus
Subject: Re: stealth viruses..
Message-ID: <0004.9011261543.AA06200@ubu.cert.sei.cmu.edu>
Date: 20 Nov 90 16:55:40 GMT
Sender: Virus Discussion List
Lines: 43
Approved: krvw@sei.cmu.edu

HLIN@NAS.BITNET (Herbert Lin) writes:

> In a recent msg, someone said that a "stealth" virus could evade
> checksum and CRC checks. Can anyone tell me how this is done?
> Wouldn't the author of the virus have to know the checksum/CRC
> technique being used in detail? Without specific knowledge of the
> polynomial being used, what could the virus author do?

Checksums are easy to beat. CRCs are more difficult. The combination
of both is unbeatable except by "stealth" techniques. As I understand
it, the stealth-type programs take over DOS or BIOS, and if the
infected files or sectors, or the directory info about them, are read,
then a "fixed" version is actually returned. The fixed version makes
it appear that the program or disk is uninfected.

> I can imagine that certain values wouldn't contribute to the
> checksum, but if you make the original size of the file part of the
> check, then adding those special values will change the file size,
> and render it detectable.

Yes, the way to add code without changing the checksum, or without
recalculating it from the entire file, is to make the checksum of the
additions be zero. Any addition would add to the file size.

> In short, it seems that if I am willing to give up the detection of
> virus propagation in real-time, I should be able to detect viruses
> ALL THE TIME (of course, if and only if I have a confirmed clean
> system to begin with). What am I missing?

The stealth concept. That is why it is called stealth...

Your detector would have to do all its disk I/O by itself, or somehow
guarantee that the BIOS and DOS routines have not been compromised.
And direct hardware I/O may not be completely safe on a 386 without
checking the MMU, which again may not be guaranteed safe.

"Like a clock, they sent, through, a washing machine: come around,
make it soon, so alone." -- Syd Barrett

 _____
|     | Johnathan Vail | n1dxg@tegra.com
|Tegra| (508) 663-7435 | N1DXG@448.625-(WorldNet)
 ----- jv@n1dxg.ampr.org {...sun!sunne ..uunet}!tegra!vail
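The two mechanisms the exchange above describes, as an added example that is not part of the original post and not code from anyone in the thread: first, appending a body whose own additive checksum is zero, so the whole-file checksum is unchanged while the file size is not; second, a "stealth" read hook that hands a checker the clean bytes while the real image stays infected, so only a detector doing its own I/O sees the change. The host program, payload and disk image are constructed sample data (stand-ins for a .COM file and a virus body), and every name here (`checksum8`, `infect_preserving_checksum`, `StealthedDisk`, `integrity_check`, `demo`) is an assumption of this example rather than anything from the post.

```python
"""Constructed demonstration of (1) the zero-sum checksum trick and
(2) a stealth read hook, as discussed in the comp.virus thread.
HOST, PAYLOAD and the disk model are constructed sample data."""

# Constructed stand-ins for a host program and a virus body.
HOST = b"host program: " + bytes(range(0x40))
PAYLOAD = b"VIRUS BODY " + bytes(range(0x10))


def checksum8(data: bytes) -> int:
    """Plain additive checksum mod 256: the kind the post calls easy to beat."""
    return sum(data) & 0xFF


def infect_preserving_checksum(host: bytes, payload: bytes) -> bytes:
    """Append the payload plus one fixup byte chosen so that the addition
    sums to zero mod 256. The whole-file checksum is therefore unchanged,
    but the file grows by len(payload) + 1 bytes."""
    fixup = (-checksum8(payload)) & 0xFF
    return host + payload + bytes([fixup])


class StealthedDisk:
    """Model of a DOS/BIOS read routine that a stealth virus has hooked.
    read() is the hooked path a normal program goes through; raw_read()
    stands for a detector doing its own I/O straight to the hardware."""

    def __init__(self, clean_image: bytes, infected_image: bytes):
        self._clean = clean_image        # what the hook pretends is on disk
        self._image = infected_image     # what is really on disk
        self.hook_installed = True

    def read(self) -> bytes:
        # Hooked path: hand back the "fixed" clean image, old size included.
        if self.hook_installed:
            return self._clean
        return self._image

    def raw_read(self) -> bytes:
        # Detector's own I/O, bypassing DOS and BIOS entirely.
        return self._image


def integrity_check(read_fn, baseline_sum: int, baseline_len: int) -> dict:
    """Checker that records both the checksum and the size, as Lin suggests."""
    data = read_fn()
    return {
        "checksum_ok": checksum8(data) == baseline_sum,
        "size_ok": len(data) == baseline_len,
    }


def demo() -> dict:
    """Infect the constructed host and compare the two ways of reading it back."""
    infected = infect_preserving_checksum(HOST, PAYLOAD)
    disk = StealthedDisk(HOST, infected)
    base_sum, base_len = checksum8(HOST), len(HOST)
    return {
        "checksum_unchanged": checksum8(infected) == base_sum,
        "size_changed": len(infected) != base_len,
        "via_hooked_read": integrity_check(disk.read, base_sum, base_len),
        "via_own_io": integrity_check(disk.raw_read, base_sum, base_len),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as-is, the hooked read passes both the checksum and the size test, which is the stealth effect: the checker never sees the real bytes. The detector's own I/O passes the checksum (the zero-sum padding works) but fails the size test, which is exactly the catch Lin proposes. Note that the additive checksum here is the weak case; a CRC, whose polynomial is known, can also be forced to a chosen value with a few appended bytes, so neither is a cryptographic integrity check. Only a detector whose I/O path is trusted, as Vail says, gets to see the bytes it is checking.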