Path: utzoo!utgpu!water!watmath!clyde!rutgers!mit-eddie!uw-beaver!cornell!rochester!bbn!uwmcsd1!marque!gryphon!crash!pnet01!haitex
From: haitex@pnet01.cts.com (Wade Bickel)
Newsgroups: comp.sys.amiga
Subject: Re: Virus via PD programs
Message-ID: <2310@crash.cts.com>
Date: 8 Jan 88 22:16:08 GMT
Sender: news@crash.cts.com
Organization: People-Net [pnet01], El Cajon CA
Lines: 57

rouaix@inria.UUCP (Francois Rouaix) writes:
>Some guys here suggest that the viruses may come from some PD program and
>not from a bootable disk.
>Let's think about it:
> In every FISH disk I have, there is a file README.listnumber.
>In this file I can find the description of the programs and the NAME OF THE
>AUTHOR !!!. Most of them (including me) are sending regularly programs
>on the net or to Fred Fish.
>Same for programs in comp.binaries.amiga. You know their origin. (We suppose
>here the net is quite safe, since the moderators send Acknowledge message, so
>the origin address may not be counterfeited).
>
>Do you really believe that the people who wrote dangerous Viruses would
>give their name and take the risk of being spotted ?
>I'd rather believe that PD writers are honest programmers !
>--

Sure, if you get your PD stuff directly from a reliable source, you might be
safe from such a thing. But the nature of PD stuff is that it gets spread
around. Suppose the virus writer were to alter the original author's binary,
and set it up so that a generation count were maintained and no hostile action
were taken in the first few generations. By the time it starts to strike it
would be nearly impossible to track it (it would be if done correctly, but I'm
not going to elaborate!).

Suggested solution: a monitoring program, let's call it Vcheck3.0, might
maintain a list of programs and relative checksums. This program would confirm
the checksum of a program before running it and ALERT when spores are found.
Of course this assumes the list is correct, but would protect the user from
spores.

If a "VInstall" program were written, users could add any program they wished
to the executable list. If an infectious program were added, its spores would
be noticed in their first generation, and the dangerous code would (hopefully)
be identifiable.

If the Vcheck program installed itself into the user's startup sequence, using
one of a number of possible methods (actually utilize different methods to add
confusion for a virus), using a randomly generated name (to help hide from
virii), and (of course) is relocatable code (so an address cannot give it
away), it would be relatively safe from infection. [Sorry for the long run-on
sentence ;-) ]

Of course a virus could still be snuck in, but it would be much more difficult
with this kind of protection. There are a number of additional things which
could be done to improve this system, and not disclosing exactly what it does
would give additional protection.

Have I goofed, or would this work? Would the overhead be excessive?

Thanks,
	Wade.

UUCP: {cbosgd, hplabs!hp-sdd, sdcsvax, nosc}!crash!pnet01!haitex
ARPA: crash!pnet01!haitex@nosc.mil
INET: haitex@pnet01.CTS.COM
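The Vcheck/VInstall scheme sketched in the post, as an added example that is not part of the original post or of any real Amiga tool: a small Python integrity monitor that keeps a manifest of program digests, verifies a program before launching it, and alerts when the digest no longer matches. Everything here is an assumption of the example, not the post's design: the JSON manifest format, the `Vcheck` and `install`/`verify`/`run` names, SHA-256 in place of the post's "checksums" (a simple checksum can be matched by a modified binary, a cryptographic hash cannot in practice), and an HMAC over the manifest so that an edit to the list itself is detected, which is the "assumes the list is correct" caveat the post raises. The demo scenario at the bottom is constructed.

```python
"""Minimal "Vcheck"-style integrity monitor (added example, hypothetical names)."""
import hashlib
import hmac
import json
import os
import subprocess
import sys
import tempfile
from pathlib import Path

CHUNK = 65536


def file_digest(path):
    """SHA-256 of a file, streamed so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _mac(key, entries):
    # Canonical JSON so the MAC does not depend on dict ordering or whitespace.
    blob = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


class ManifestTampered(Exception):
    """The manifest on disk does not verify under the monitor's key."""


class Vcheck:
    """Keeps {absolute path: digest}; the key lives with the monitor, not the list."""

    def __init__(self, manifest_path, key):
        self.manifest_path = Path(manifest_path)
        self.key = key
        self.entries = {}
        if self.manifest_path.exists():
            self._load()

    def _load(self):
        doc = json.loads(self.manifest_path.read_text())
        if not hmac.compare_digest(_mac(self.key, doc["entries"]), doc["mac"]):
            raise ManifestTampered(str(self.manifest_path))
        self.entries = doc["entries"]

    def _save(self):
        doc = {"entries": self.entries, "mac": _mac(self.key, self.entries)}
        self.manifest_path.write_text(json.dumps(doc, sort_keys=True))

    def install(self, path):
        """The post's "VInstall": record the program's current digest."""
        p = str(Path(path).resolve())
        self.entries[p] = file_digest(p)
        self._save()

    def verify(self, path):
        """Return "ok", "modified", "missing" or "unknown" (not in the list)."""
        p = str(Path(path).resolve())
        expected = self.entries.get(p)
        if expected is None:
            return "unknown"
        if not os.path.exists(p):
            return "missing"
        return "ok" if hmac.compare_digest(file_digest(p), expected) else "modified"

    def run(self, path, launcher=None):
        """Verify, then launch; return the exit code, or None if refused."""
        status = self.verify(path)
        if status != "ok":
            print(f"ALERT: {path} is {status}; refusing to run", file=sys.stderr)
            return None
        argv = ([launcher] if launcher else []) + [str(path)]
        return subprocess.run(argv).returncode


def demo():
    """Constructed scenario: install a script, modify it, then tamper the manifest."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        key = os.urandom(32)                      # monitor's secret, kept out of the list
        script = Path(d) / "tool.py"
        script.write_text("print('hello from tool')\n")
        manifest = Path(d) / "vcheck.json"

        vc = Vcheck(manifest, key)
        vc.install(script)
        results["fresh"] = vc.verify(script)                         # "ok"
        results["run_rc"] = vc.run(script, launcher=sys.executable)  # 0
        results["unknown"] = vc.verify(Path(d) / "other.py")         # "unknown"

        # A dormant "spore" is still a byte change: the digest no longer matches.
        script.write_text("print('hello from tool')\nGENERATION = 1  # constructed\n")
        results["modified"] = vc.verify(script)                      # "modified"
        results["blocked"] = vc.run(script, launcher=sys.executable) # None

        # Rewriting the list without the key leaves a stale MAC, caught on load.
        doc = json.loads(manifest.read_text())
        doc["entries"][str(script.resolve())] = file_digest(script)
        manifest.write_text(json.dumps(doc))
        try:
            Vcheck(manifest, key)
            results["tamper_detected"] = False
        except ManifestTampered:
            results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the demo makes about the post's questions: the generation-count trick does not help the virus against this check, because a dormant payload is still a change to the file and is flagged on the very next launch; and the overhead is one hash of the binary per launch, which is cheap compared with loading it. What the scheme does not cover is a program installed after it was already infected, or a monitor whose own binary is not in the list, which is why the post's concern about protecting Vcheck itself matters.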