Path: utzoo!attcan!uunet!jarthur!usc!wuarchive!udel!rochester!uhura.cc.rochester.edu!ub!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: lhamey@vision.mqcc.mq.oz.au (Len Hamey)
Newsgroups: comp.virus
Subject: Defeating Virus Scanner Trojans
Message-ID: <0010.9012111924.AA23660@ubu.cert.sei.cmu.edu>
Date: 11 Dec 90 18:18:44 GMT
Sender: Virus Discussion List <VIRUS-L@LEHIIBM1>
Lines: 27
Approved: krvw@sei.cmu.edu

The rash of trojan "new" releases of virus scanners is worrying.  I
wonder whether it might not be possible for virus scanner developers
to employ public-key encryption to provide unforgeable proof of the
validity of new releases of their product.

The scanner developer would checksum his program using a (preferably
complex) check-summing algorithm.  The check-sum and the file size
would then be encrypted via public-key encryption and released with
the program itself.  The person attempting to subvert such a program
would be faced with the task of making their subverted program the
same size with the same checksum.  They could not simply compute a new
checksum and install it because they would not know the scanner
developers private key.

A PD program could be provided for computing the checksum and checking
it against the file.  This program could be provided in source code
form.  The scanner programs could also include the ability to check
new releases, so that a user once certain of the validity of a release
could then readily check new releases.

I would be interested in comments on this idea, especially from the
virus scanner developers.

			Len Hamey
			Lecturer in Computing
			Macquarie University
			len@mqcomp.mqcs.mq.oz.au