Path: utzoo!utgpu!watserv1!watmath!att!att!linac!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: RZOTTO@DKNKURZ1.BITNET (Otto.Stolz)
Newsgroups: comp.virus
Subject: Lateral Thinking
Message-ID: <0007.9011281444.AA08768@ubu.cert.sei.cmu.edu>
Date: 26 Nov 90 17:08:04 GMT
Sender: Virus Discussion List
Lines: 81
Approved: krvw@sei.cmu.edu

Hello fellow,

two recent, seemingly unrelated, contributions to VIRUS-L deserve a common
response. My point in both cases is: When a virus is active, it does not
need to crack any anti-virus method, as it can circumvent it. This holds
for contemporary architectures of personal computers (note the small "p":
I'm referring to all brands) and many types of hosts.

Imagine a firm door, locked with seven secure locks: If you forget to put
an equally strong wall on both sides of it, nobody will bother with the
locks nor the door! (And if the wall is in place, don't forget the floor
and the ceiling; don't forget the people and equipment that will have to
go in and out; and so on...)

An amusing variation of this motif can be found in the chapter
introductions of Douglas Hofstadter's "Goedel, Escher, Bach: an Eternal
Golden Braid", where the Tortoise keeps producing records that cannot be
played on Achilles' more and more sophisticated hi-fi record players.

On Thu, 15 Nov 90 17:35:00 -0400 Herbert Lin said:
> In a recent msg, someone said that a "stealth" virus could evade
> checksum and CRC checks. ..
> Wouldn't the author of the virus have to know the checksum/CRC
> technique being used in detail?

He/she (Aside: Ever thought of female virus authors? In my imagination,
virus authors are inevitably of the male sex and of age < 25 years, but I
may be wrong...) can circumvent any algorithm (even a bitwise compare to a
backup copy) by simply interfering with all disk-read operations and
presenting any programs reading an infected file with a (faked!) image of
the unaltered file. This is exactly what "Stealth Viruses" do.

> I should be able to detect viruses ALL THE TIME (of course, if and
> only if I have a confirmed clean system to begin with).

That's exactly the point: To check for viruses, you have to start your
system without activating any virus. E.g. you can boot from a confirmed
clean system disk and avoid running any infected program.

> what am I missing?

Nothing.

On Tue, 20 Nov 90 14:11:00 +0100, Peter van der Landen said:
> I have experimented quite a bit with Jerusalem-B but I have never seen
> it survive a warm boot.

Neither did I. Possibly the original contribution has confused it with
some other virus that indeed can survive a warm boot.

> Could anyone explain to me how it is possible for any virus to survive
> a warm boot by any method other than infecting something on the boot
> disk.

As you have noted yourself, a virus can intercept the Ctrl-Alt-Del
keystroke (we call it the "Monkey's Snatch"). Then it can do anything the
programmer can imagine. E.g. it could fake a warm boot by reading something
from the A-disk (this would fool many users, perhaps even experienced
ones). Or it could perhaps use part of the Int-19 code, keeping control
during the whole process (or making sure that it will regain control
afterwards). The latter scheme has been discussed in VIRUS-L before, and I
think we arrived at the conclusion that a virus must be rather large and
sophisticated to do this with any DOS variant; however, a virus need not
deal with any and all systems to prosper.

> ... doing a reboot with int 19h, this would be difficult.

I think no virus would be able to survive a genuine, complete re-boot in
memory AND regain control. (Take this as an educated guess, as I'm no
expert with system internals.)

Hence the motif reappears: Circumvent what cannot be cracked.

Best wishes
Otto
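A small model of the point Otto makes about stealth and clean boots (an added example, not part of the original post): an integrity check that reads files through the same read service a resident virus has hooked will see the faked, unaltered image, while the same check after booting from a clean disk sees the real bytes. The file name PROG.EXE, the images and the class names are constructed for the illustration.

```python
import hashlib

# Constructed sample images: the program as it was, and as it is after infection.
CLEAN_IMAGE = b"MZ\x90\x00 original program bytes"
INFECTED_IMAGE = CLEAN_IMAGE + b" <appended viral code>"


class Disk:
    """The bytes actually stored on the medium."""
    def __init__(self, files):
        self.files = dict(files)

    def read_raw(self, name):
        return self.files[name]


class ReadPath:
    """Models the OS read service that every program, including an
    integrity checker, goes through, and that resident code can hook."""
    def __init__(self, disk):
        self.disk = disk
        self.hooks = []  # hooks run ahead of the real handler

    def read(self, name):
        data = self.disk.read_raw(name)
        for hook in self.hooks:
            data = hook(name, data)
        return data


def stealth_hook(clean_images):
    """What the post describes: on a read of an infected file, hand the
    caller the pre-infection image instead of what is on disk."""
    return lambda name, data: clean_images.get(name, data)


def checksum(data):
    return hashlib.sha256(data).hexdigest()


def integrity_ok(read_path, name, baseline):
    """Checksum verification as a program would perform it: via the read path."""
    return checksum(read_path.read(name)) == baseline


def demo():
    baseline = checksum(CLEAN_IMAGE)          # recorded on a known-clean system
    disk = Disk({"PROG.EXE": INFECTED_IMAGE})
    active_virus = ReadPath(disk)             # system booted with the virus resident
    active_virus.hooks.append(stealth_hook({"PROG.EXE": CLEAN_IMAGE}))
    clean_boot = ReadPath(disk)               # booted from a clean disk: no hooks
    return {
        "passes_under_active_virus": integrity_ok(active_virus, "PROG.EXE", baseline),
        "passes_after_clean_boot": integrity_ok(clean_boot, "PROG.EXE", baseline),
    }
```

No choice of checksum algorithm changes the outcome: the checker never sees the infected bytes, which is why the check must run from a system started without the virus.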