Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: Eric_Florack.Wbst311@xerox.com
Newsgroups: comp.virus
Subject: doom2:reply (PC)
Message-ID: <0008.9106251509.AA25956@ubu.cert.sei.cmu.edu>
Date: 24 Jun 91 15:26:53 GMT
Sender: Virus Discussion List
Lines: 64
Approved: krvw@sei.cmu.edu

Ross says:
=-=-=-=
>It would appear to me that VIRx 1.4 isn't cleaning up after itself.
>You guys just ran across different bits of code because of different
>areas of RAM being used to store the search strings.

(Will I ever live this down? One mistake and *bingo!* all over the place. Sigh.)
=-=-=-=-=

Ha. You mean I wasn't the first? :*>

You say:
=-=-=-=
Actually, the strings are trivially "encrypted" to prevent the image out on disk from triggering who-knows-how-many other scanners out there.
=-=-=-

On /DISK/, yes. But consider the number of scanners, including McAfee's, that look at RAM as well. False trip city, as we have seen.

You say:
=-=-=-
The answer is simple: whatever for? The bad guys can certainly break whatever coding scheme I use, thereby using the string list just as if it were not encoded at all.
=-=-=

This misses the point altogether. My point was simply that without encryption of one sort or another, even in RAM, another package will false trip. If you think that people are going to depend on your package alone for protection, this might not cause a problem. But a reality check (facilitated by a quick peek at the postings in here) will prove that doesn't happen.

You say:
=-=-=-
The signature a scanner uses is of no use to a bad guy unless he or she already has the subject virus on hand, in any case.
=-=-=-

Of course not. My point in this case was that the person doing the altering to route around your code was the original author. Moreover, we have seen several varieties of a particular virus around, indicating more than one person altered one person's code. This is commonplace. (Can you say 'Stoned'? Sure. I knew you could.) Obviously, virus code is being passed around, by writers of such code, like a wine bottle at a garbage can fire. Getting the original code is therefore no problem.

You say:
=-=-=-=
>Encrypting the search strings in your code, therefore is always a good
>idea, as is cleaning up the mess your program makes in RAM. VIRx,
>apparently doesn't address these two points.

Wrong on both counts. It is interesting, though, that about 20 beta testers did not find that problem at all....
=-=-=

First point: How on earth is cleaning up RAM you've allocated with your program before the program closes to be considered a BAD idea? Ditto string encryption? As for your beta testers not finding the problem, I suggest to you that perhaps they missed a major problem. Without being judgemental here, finding this problem after beta was complete would seem to call into question the validity of certain of your test results.

Regards to you.
E

(Normal employer isolation disclaimers apply here... IE: They may or may not agree with my thoughts in this matter)
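The two practices argued over in this thread, keeping the search strings encoded while the scanner is running (not only in the disk image) and wiping the scanner's own scratch memory before it exits, shown as an added C example. This is not code from the post, from VIRx, or from any product mentioned here; the XOR key, the signature patterns (made-up strings, not real virus signatures), the function names and the sample inputs are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed XOR key. As the thread notes, this is trivially reversible;
 * the aim is only to keep the plaintext pattern out of the program image on
 * disk and out of its data segment in RAM, so that a memory-scanning product
 * running alongside does not false-trip on this scanner's signature table. */
#define SIG_KEY 0x5A

typedef struct {
    const char    *name;  /* label reported on a hit (deliberately not the pattern) */
    const uint8_t *enc;   /* signature bytes, each XORed with SIG_KEY */
    size_t         len;
} encoded_sig_t;

/* Constructed, made-up patterns "FAKE-SIG-ONE" and "FAKE-SIG-TWO", stored
 * only in encoded form; the plaintext appears nowhere in the table. */
static const uint8_t ENC_ONE[] = {0x1C,0x1B,0x11,0x1F,0x77,0x09,0x13,0x1D,0x77,0x15,0x14,0x1F};
static const uint8_t ENC_TWO[] = {0x1C,0x1B,0x11,0x1F,0x77,0x09,0x13,0x1D,0x77,0x0E,0x0D,0x15};

static const encoded_sig_t SIGS[] = {
    {"sample-one", ENC_ONE, sizeof ENC_ONE},
    {"sample-two", ENC_TWO, sizeof ENC_TWO},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Decode one signature byte at a time into a register and compare it; the
 * full plaintext signature never exists as a contiguous string in RAM. */
static int sig_matches_at(const encoded_sig_t *sig, const uint8_t *p, size_t avail)
{
    if (avail < sig->len) return 0;
    for (size_t i = 0; i < sig->len; i++)
        if ((uint8_t)(sig->enc[i] ^ SIG_KEY) != p[i]) return 0;
    return 1;
}

/* Return the name of the first signature found in buf, or NULL if none. */
const char *scan_buffer(const uint8_t *buf, size_t len)
{
    for (size_t off = 0; off < len; off++)
        for (size_t s = 0; s < NSIGS; s++)
            if (sig_matches_at(&SIGS[s], buf + off, len - off))
                return SIGS[s].name;
    return NULL;
}

/* Zeroing through a volatile pointer so the compiler cannot drop the wipe
 * as a dead store. */
static void secure_wipe(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Scratch area standing in for the scanner's file-chunk buffer. It is wiped
 * after every scan, so bytes of an infected file (which do hold the pattern
 * in plaintext) are not left lying around for another product's RAM scan. */
#define SCRATCH_LEN 512
static uint8_t scratch[SCRATCH_LEN];

const char *scan_chunk(const uint8_t *chunk, size_t len)
{
    if (len > SCRATCH_LEN) len = SCRATCH_LEN;
    memcpy(scratch, chunk, len);
    const char *hit = scan_buffer(scratch, len);
    secure_wipe(scratch, SCRATCH_LEN);
    return hit;
}

int scratch_is_clean(void)
{
    for (size_t i = 0; i < SCRATCH_LEN; i++)
        if (scratch[i]) return 0;
    return 1;
}

/* Self-check a build could run: does a byte string occur verbatim inside the
 * stored signature table? For the plaintext patterns it must not. */
static int contains(const uint8_t *hay, size_t hlen, const uint8_t *needle, size_t nlen)
{
    if (nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

int table_exposes(const uint8_t *bytes, size_t n)
{
    for (size_t s = 0; s < NSIGS; s++)
        if (contains(SIGS[s].enc, SIGS[s].len, bytes, n)) return 1;
    return 0;
}

/* Constructed sample inputs standing in for file contents. In a real scanner
 * these bytes come from the file being read, not from the program image. */
const uint8_t SAMPLE_CLEAN[]    = "just an ordinary data file";
const uint8_t SAMPLE_INFECTED[] = "header..FAKE-SIG-TWO..trailer";

int main(void)
{
    printf("clean   : %s\n", scan_chunk(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN - 1) ? "hit" : "no hit");
    printf("infected: %s\n", scan_chunk(SAMPLE_INFECTED, sizeof SAMPLE_INFECTED - 1));
    printf("scratch wiped after scan: %d\n", scratch_is_clean());
    printf("plaintext pattern present in table: %d\n", table_exposes(SAMPLE_INFECTED + 8, 12));
    return 0;
}
```

The byte-at-a-time compare is the part that addresses the "in RAM" objection: a table that is decoded into a buffer before matching would put every plaintext string back into memory for the duration of the scan, which is exactly what trips another product's memory check. The wipe addresses the other half of the complaint; which bytes are left behind after a scan (here, the contents of the last chunk examined) is something a tester can verify directly, as `scratch_is_clean` does, rather than leaving to chance which region of RAM a beta tester happens to look at.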