Path: utzoo!attcan!uunet!portal!cup.portal.com!dan-hankins
From: dan-hankins@cup.portal.com
Newsgroups: comp.sys.amiga
Subject: Re: The ultimate fix!!!
Message-ID: <9680@cup.portal.com>
Date: 3 Oct 88 06:57:57 GMT
References: <681@zehntel.UUCP> <3084@hermes.ai.mit.edu> <4197@thorin.cs.unc
Organization: The Portal System (TM)
Lines: 47
XPortal-User-Id: 1.1001.5361

In article <2720@sugar.uu.net>, peter@sugar.uu.net (Peter da Silva) writes:

>I think you need to add "and has the ability to infect other systems it
>comes in contact with".

I thought I had implied that; I didn't specify that the replication was
limited to a single system. I said, "replicates by usurping the function
of the host's code". I should think this would include inter-system
replication.

>(1) On a non-protected system it would take *0* time to infect the system.
>I think the best thing to do would be to have the virus hide itself in a
>public bin directory with a name that's a common typo of one of the standard
>commands. Then it prints the usual error message and starts seeing what new
>privileges it has. This will go on until root executes it. In a well managed
>UNIX system, with root privileges only used for root commands, this could take
>quite a while.

What you just described is known in some circles as a bacterium. It has
different characteristics from a virus. Like a virus, it draws on the
resources of the host system for survival and replication. Unlike a
virus, it does not attempt to alter the genetic code of host cells (read:
alter the executable code of legitimate programs) for reproduction and
camouflage. It is more difficult for a bacterium to reproduce unnoticed,
partly because it introduces a file that was not present previously, and
partly because it cannot spread to a system with a different CPU.

>(2) It's harder for a virus to infect UNIX, also, because it's unlikely that
>68020 code from a Sun would do much to a Microvax or even a 68010 machine
>like a 3b1.

A binary standard is a two-edged sword. This provides no impedance
whatsoever to a virus. An executable-program virus is one that attaches
itself to programs in the user's account. The user then does the virus'
work for it whenever he sends an executable program to someone else. Why
would the user send a 68020 executable to a person with a 68000 machine?
He wouldn't. The virus is assured of being copied to environments where
it will execute with no problems.

Plus, there are interpreted languages that are at least somewhat
system-independent. Shell scripts and Rexx programs are as good if not
better vectors for a virus than raw executables.

By the way, Fred Cohen's original research was done on a Unix machine, as
noted in an earlier posting.

Dan Hankins
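The post draws a line between two things a defender can look for in a shared bin directory: a bacterium shows up as a file that was not there before (often under a name one typo away from a real command), while an executable-program virus shows up as a change to a file that was already there. The following is an added example, not code from this thread or from any project it mentions, of a baseline audit that catches both: it records a name-to-hash manifest of the directory, then reports new files (ranking those whose names are a single edit or adjacent-character swap away from a known command), modified files, and missing files. The directory name, file contents and hashes are all constructed for the example.

```python
"""Baseline audit of a shared bin directory: flag new, typo-named and
modified entries. Added example; all data below is constructed."""
from __future__ import annotations
import hashlib


def digest(data: bytes) -> str:
    """SHA-256 of a file's bytes, used as the manifest value."""
    return hashlib.sha256(data).hexdigest()


# Constructed baseline for a hypothetical /usr/local/bin at the last audit.
BASELINE = {
    "ls":   digest(b"constructed-content-ls"),
    "more": digest(b"constructed-content-more"),
    "grep": digest(b"constructed-content-grep"),
    "make": digest(b"constructed-content-make"),
}

# Constructed current state: 'grep' has changed (virus-style attachment to an
# existing program), 'mroe' and 'sl' are new files with typo names (the
# bacterium the post describes), 'report' is new but near no command name.
CURRENT = {
    "ls":     BASELINE["ls"],
    "more":   BASELINE["more"],
    "grep":   digest(b"constructed-content-grep-with-extra-bytes"),
    "make":   BASELINE["make"],
    "mroe":   digest(b"constructed-content-mroe"),
    "sl":     digest(b"constructed-content-sl"),
    "report": digest(b"constructed-content-report"),
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete or substitute one character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_transposition(a: str, b: str) -> bool:
    """True when a and b differ only by swapping two adjacent characters
    ('mroe' vs 'more'); Levenshtein scores that common typo as 2."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def typo_of(name: str, commands: set[str]) -> str | None:
    """Return the known command that `name` is one typo away from, else None."""
    for cmd in sorted(commands):
        if cmd != name and (edit_distance(name, cmd) == 1
                            or is_transposition(name, cmd)):
            return cmd
    return None


def audit(baseline: dict[str, str], current: dict[str, str]) -> dict[str, str]:
    """Compare a current name->hash listing against the baseline manifest."""
    findings: dict[str, str] = {}
    for name in sorted(current):
        if name not in baseline:
            near = typo_of(name, set(baseline))
            findings[name] = f"new file, typo of '{near}'" if near else "new file"
        elif current[name] != baseline[name]:
            findings[name] = "modified"
    for name in sorted(set(baseline) - set(current)):
        findings[name] = "missing"
    return findings


if __name__ == "__main__":
    for fname, finding in audit(BASELINE, CURRENT).items():
        print(f"{fname:8s} {finding}")
```

Against a real directory the manifest would be built from `os.scandir` and the files' bytes, and the transposition check matters because plain Levenshtein misses the swapped-letter typos that are the most common kind; the audit is only as good as the baseline, so the manifest has to be taken on a known-clean system and stored where the unprivileged users of the shared directory cannot rewrite it.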