Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!apple!bionet!agate!ucbvax!decwrl!sun!imagen!atari!portal!cup.portal.com!dan-hankins
From: dan-hankins@cup.portal.com
Newsgroups: comp.sys.amiga
Subject: Re: The ultimate fix!!!
Message-ID: <9764@cup.portal.com>
Date: 5 Oct 88 23:05:26 GMT
References: <681@zehntel.UUCP> <3084@hermes.ai.mit.edu> <4197@thorin.cs.unc
Organization: The Portal System (TM)
Lines: 66
XPortal-User-Id: 1.1001.5361

In article <2747@sugar.uu.net> peter@sugar.uu.net (Peter da Silva) writes:
>In article <9680@cup.portal.com>, dan-hankins@cup.portal.com writes:
>>>UNIX system, with root privileges only used for root commands, this could take
>>>quite a while.
>>
>> Unlike a virus,
>> it does not attempt to alter the genetic code of host cells (read: alter
>> the executable code of legitimate programs) for reproduction and
>> camouflage.
>
>Ick. Now *this* is a tough job. I would think that a "virus" would have to
>remain a "bacterium" at least until a superuser executed it. Something a
>non-protected virus doesn't have to worry about.

It's not tough at all. The virus prepends itself to an executable file.
Whenever someone executes the infected file, the virus gets control first.
It does its dirty work, then moves the real executable back to where it is
supposed to be in memory, then transfers control to the real executable.
If the virus is worried about being caught by checksums or file size
changes, it compresses the source and adds some bytes to spoof the checksum.

>> Why would the user send a 68020 executable to a
>> person with a 68000 machine? He wouldn't. The virus is assured of being
>> copied to environments where it will execute with no problems.
>
>Why would someone send an executable from one machine to another in the first
>place? I have only ever seen one non-commercial program distributed in this
>way, and I *certainly* didn't run it. Given the near-universal availability
>of 'C', this is an awfully minor problem.

... more comments about people not copying programs ...

People copy executables all the time. Here are some scenarios:

1. Piracy
2. PD/Shareware that comes without source, particularly shareware.
3. Commercial OCO (object-code-only) distribution

How often do people demonstrate programs for each other? A friend comes
over and sticks his disk in your machine to show you a neat program. You
run it, and bingo! you're infected. This was precisely how the Jerusalem
Virus propagated.

Or a consultant comes over to do some work for you (business scenario).
He sticks his disk in your machine to help you, runs an infected utility
program, and bingo! you're infected.

How often do you really read the source code or recompile the program to
make sure it's not infected? What if it's in Modula-2 and you don't have a
Modula-2 compiler? I suppose you'll never run any of my programs; I don't
write in C.

>I'm not really worried about a shell-script virus. You could probably hide one
>in a sharchive, but since it's human readable it'd become real obvious real
>quick who's responsible.

But Rexx is another story. Rexx programs can be quite large and complex,
and people simply do not have the time to read every Rexx program that
comes their way. And there are plenty of other interpreted languages:
Forth, BASIC, Prolog, and so on. Each is a potential cross-architecture
virus environment. Everywhere the infected program will run, so will the
virus.

Dan Hankins
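An added example, not part of the original post or thread: a defender's integrity baseline in Python that records size and SHA-256 for a trusted set of executables and reports any file whose content changed, including the prepended-code case the post describes. A cryptographic hash, unlike file size or an additive checksum, cannot be preserved by compressing the original and padding with spoof bytes. File names and contents below are constructed.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """Return (size, sha256 hex) for one file, read in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return size, h.hexdigest()


def build_baseline(paths):
    """Record size and SHA-256 for every executable in the trusted set."""
    return {p: file_digest(p) for p in paths}


def verify_baseline(baseline):
    """Return {path: reason} for every file that no longer matches the baseline."""
    findings = {}
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        cur_size, cur_digest = file_digest(path)
        if cur_digest != digest:
            findings[path] = "content changed (size %d -> %d)" % (size, cur_size)
    return findings


def demo():
    """Constructed scenario: two fake executables; one gets bytes prepended."""
    d = tempfile.mkdtemp()
    clean = os.path.join(d, "sort")
    victim = os.path.join(d, "ls")
    for p in (clean, victim):
        with open(p, "wb") as f:
            f.write(b"\x00\x00\x03\xf3" + b"REAL PROGRAM CODE" * 40)  # constructed stub
    baseline = build_baseline([clean, victim])
    # Model the change the post describes: original bytes intact, shifted behind a new header.
    with open(victim, "rb") as f:
        original = f.read()
    with open(victim, "wb") as f:
        f.write(b"PREPENDED STUB" + original)
    return verify_baseline(baseline), clean, victim
```

Run the baseline from trusted media before any foreign disk is inserted; the verify step then flags the modified file regardless of whether its size or a simple checksum still match.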