Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!sdd.hp.com!mips!pacbell.com!iggy.GW.Vitalink.COM!widener!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: My final comments on the six-byte method (PC)
Message-ID: <0011.9104091351.AA04984@ubu.cert.sei.cmu.edu>
Date: 3 Apr 91 21:00:54 GMT
Sender: Virus Discussion List
Lines: 70
Approved: krvw@sei.cmu.edu

I know that many readers of comp.virus feel this discussion about the
"six-byte method" is just a waste of time, and I apologize - but I still
want to clarify a few issues. I don't mean this to be interpreted as a
personal attack on Padgett Peterson, and I respect his work in the virus
area in general, but I just happen to disagree with how he sometimes
presents the "six-byte" check.

Padgett Peterson wrote:

> While the "stealth" seen so far will defeat a program integrity check,
> it will NOT defeat a system integrity check (the six bytes).

I replied:

> The six-byte check is no substitute for a full system integrity check.

Padgett Peterson then wrote:

> I did not think I ever said that it was. In fact in my New York paper
> specific mention was made that it did not detect the 512 (Number of the
> Beast). It will also not detect the Alabama, Icelandic, EDV, or any
> virus that does not go resident. What was said was that it will detect
> all currently "common" viruses.

I was just replying to your earlier posting - and while I agree that the
currently existing "stealth" viruses should not be able to evade a full
system integrity check, we have at least one "stealth" virus which is able
to evade the "six-byte" check. And regarding the claim that it will detect
all currently "common" resident viruses, I must disagree - the Vienna virus
and its 30+ variants are quite common, even though they are not as common
as Jerusalem or "Stoned". However, basically we agree.

Checking the memory allocation (the six-byte check) before and after
running a program will in most cases tell you if that program was infected
with a virus. My point is just that "in most cases" is not good enough.

Padgett Peterson wrote:

> An effective defense MUST start at the BIOS level, something that has
> nothing to do with the "six bytes". Such a program's major difficulty
> will be to handle every oddball O/S, partitioning scheme, and
> non-compliant application around.

I more-or-less agree - with the latest viruses managing to bypass all
interrupt monitors, and accessing the ROM BIOS functions directly, it is
clear that 100% defence needs to be at least partially implemented in the
BIOS itself.

>> I cannot go into details, but I do have a working program which is
>> able to do this - more details next month.
>
> Is this why the "insulting" of the "six bytes"? I admit to being
> surprised that someone with your well-deserved reputation and many
> contributions would feel it necessary to harp on admitted flaws in
> something that is not a commercial product but merely a technique some
> people find useful.

No, certainly not - I respect your work in the virus area, but I disagree
with your presentation of the technique, like: "it will NOT defeat a
system integrity check (the six bytes)" and "What was said was that it
will detect all currently "common" viruses." As long as it is just
presented as a simple check to detect if some program has allocated memory
in a "standard" way, I have no objections to the "six-byte" check -
primitive, but sometimes useful.

- -frisk
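The post describes the six-byte check only as "checking the memory allocation before and after running a program". The following is an added illustration of that before/after principle, not code from frisk's post and not Padgett Peterson's actual check: it models DOS conventional memory as a chain of memory control blocks, runs a simulated program, and reports whether the allocation picture changed afterwards, which is what a program that stays resident leaves behind. The block layout, the program names, the two summary figures compared (allocated paragraphs and largest free block) and the 640 KB scenario are assumptions chosen for the demonstration; the real "six bytes" are not specified on this page. It also makes the post's caveat concrete: a virus that does not go resident (the post names Vienna) leaves this picture unchanged and is not detected.

```python
# Added illustration, not code from frisk's post or from Padgett Peterson's
# six-byte check: a toy model of the "compare memory allocation before and
# after running a program" idea the post discusses.  DOS tracked
# conventional memory as a chain of memory control blocks (MCBs); a program
# that goes resident leaves an owned block behind after it returns to the
# shell.  The block layout, program names and the two summary figures
# compared here are assumptions for the demonstration, not the real six bytes.

from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Block:
    owner: str       # "free" or the name of the program owning the block
    paragraphs: int  # size in 16-byte paragraphs, as DOS counted memory


class MemoryChain:
    """A minimal first-fit allocator standing in for the DOS MCB chain."""

    def __init__(self, total_paragraphs: int) -> None:
        self.blocks: List[Block] = [Block("free", total_paragraphs)]

    def allocate(self, owner: str, paragraphs: int) -> None:
        """Carve `paragraphs` out of the first free block large enough."""
        for i, b in enumerate(self.blocks):
            if b.owner == "free" and b.paragraphs >= paragraphs:
                remainder = b.paragraphs - paragraphs
                self.blocks[i] = Block(owner, paragraphs)
                if remainder:
                    self.blocks.insert(i + 1, Block("free", remainder))
                return
        raise MemoryError(f"no free block of {paragraphs} paragraphs")

    def release(self, owner: str) -> None:
        """Free every block owned by `owner` and merge adjacent free blocks."""
        for b in self.blocks:
            if b.owner == owner:
                b.owner = "free"
        merged: List[Block] = []
        for b in self.blocks:
            if merged and merged[-1].owner == "free" and b.owner == "free":
                merged[-1].paragraphs += b.paragraphs
            else:
                merged.append(Block(b.owner, b.paragraphs))
        self.blocks = merged

    def snapshot(self) -> Tuple[int, int]:
        """The two figures a simple allocation check might record:
        total allocated paragraphs and the largest free block."""
        allocated = sum(b.paragraphs for b in self.blocks if b.owner != "free")
        largest_free = max(
            (b.paragraphs for b in self.blocks if b.owner == "free"), default=0
        )
        return allocated, largest_free


def run_program(chain: MemoryChain, name: str, size: int,
                resident_paragraphs: int = 0) -> None:
    """Simulate loading a program, optionally leaving a resident block behind."""
    chain.allocate(name, size)
    if resident_paragraphs:
        # A TSR, or a resident virus riding on the host, keeps this block
        # after the host program itself has terminated.
        chain.allocate(name + "+resident", resident_paragraphs)
    chain.release(name)


def allocation_changed(chain: MemoryChain, name: str, size: int,
                       resident_paragraphs: int = 0) -> bool:
    """The before/after check: True if running the program changed the
    allocation picture, which is the only signal this style of check has."""
    before = chain.snapshot()
    run_program(chain, name, size, resident_paragraphs)
    return chain.snapshot() != before


if __name__ == "__main__":
    # Constructed scenario: 640 KB = 40960 paragraphs, with a 200-paragraph
    # command shell already resident before the check starts.
    chain = MemoryChain(40960)
    chain.allocate("COMMAND", 200)
    print("clean program changed allocation:",
          allocation_changed(chain, "CLEAN", 2000))
    print("resident program changed allocation:",
          allocation_changed(chain, "INFECTED", 2000, resident_paragraphs=100))
```

The clean run frees everything it took and the two figures return to their starting values, so nothing is reported; the run that leaves 100 paragraphs resident shifts both figures and is flagged. A program whose infection never stays in memory would behave exactly like the clean case here, which is the limitation the post is arguing about.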