Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!bellcore!texbell!tness1!sugar!ficc!peter
From: peter@ficc.uu.net (Peter da Silva)
Newsgroups: comp.misc
Subject: Re: The Usenet Virus: a case history.
Keywords: Orson Welles
Message-ID: <1989@ficc.uu.net>
Date: 24 Oct 88 22:25:48 GMT
References: <2836@sugar.uu.net> <890@dlhpedg.co.uk>
Organization: SCADA
Lines: 47

In article <890@dlhpedg.co.uk>, cl@datlog.co.uk (Charles Lambert) writes:
> I have a question about Pete's "speedhack" fiction. Why would using the
> guise of a standard C library routine, such as malloc() or perror(), make
> the virus any more or less insidious?

I'm using the tight definition of a virus, which requires that it be able to
infect other code. This means that the virus needs to be able to patch
itself into source. The two obvious ways of doing this are (1) to add a call
to an existing routine, or (2) to modify a library routine to make the call
and then go on. For the first case you can (1a) modify the mainline, or you
can (1b) modify other routines.

1a. People tend to inspect the mainline when trying to debug a foreign
program, since that's where control flow starts. This would tend to make
the virus easier to find.

1b. In any random program, other routines might be called very infrequently
or not at all in any given invocation.

2. A library routine is likely fairly complex and has hidden connections to
other parts of the system. Rewriting it has all sorts of complications.

I chose route 2, using malloc, because I suspect that many 'C' libraries
simply copy the malloc code from K&R because they're derived from it or
because it's perfectly valid code stealing. Perror would also be a good
choice, though the infectivity would be lower (the virus would only trigger
if you made a mistake). Modifying the mainline might be even better, if you
could think of ways to hide it. An even better compromise might be to modify
the first non-library routine called by main.

Hey, it was a judgement call...

> In Pete's scenario, the active code of the virus is scattered under
> innocuous names throughout the source. Is the well-known name a necessary
> hook?

No, just a convenient one. You need to get a hook from somewhere...

> I wonder, too, whether a good static tracer like CSCOPE would help to reveal
> such a virus.

I'll leave this to someone familiar with CSCOPE.
-- 
Peter da Silva  `-_-'  Ferranti International Controls Corporation
"Have you hugged  U  your wolf today?"  uunet.uu.net!ficc!peter
Disclaimer: My typos are my own damn business.  peter@ficc.uu.net
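The check Charles Lambert's last question is reaching for, as an added example that is not part of the original post and is not CSCOPE: a Python scanner that flags C source files which define names a program should normally get from the C library (the post's route 2 hiding place), and that counts call sites per name, which is the post's infectivity argument (malloc is called by nearly every program, perror only on the error path). The watch list LIBC_NAMES, the file names and the three sample sources are constructed for the example; the patterns recognise ordinary ANSI and K&R definitions only, so a definition assembled with macros would need a real parser.

```python
"""Flag C source files that redefine standard library routines.

Added example for the thread above: a source-level virus hiding in a
rewritten malloc()/perror() shows up as a *definition* of a name that
should only ever be *called*. The watch list and sample sources below
are constructed for the example, not taken from the post.
"""
import re
from collections import Counter

# Assumed watch list (not exhaustive): names to import from libc, never define.
LIBC_NAMES = ("malloc", "calloc", "realloc", "free", "perror", "strerror")

# Comments and string/character literals are blanked first, so text such as
# "char *malloc(n) {" inside a comment can neither trigger nor mask a finding.
_STRIP_RE = re.compile(
    r"//[^\n]*"                     # line comment
    r"|/\*.*?\*/"                   # block comment
    r'|"(?:\\.|[^"\\\n])*"'         # string literal
    r"|'(?:\\.|[^'\\\n])*'",        # character constant
    re.DOTALL,
)

# A definition: optional return type (or line start, for implicit int), the
# name, a parameter list without nested parens, an optional K&R declaration
# list ("unsigned nbytes;"), then the '{' of the body. A call is followed by
# ';' or ')' instead, so it does not match.
_DEF_RE = re.compile(
    r"(?:^[ \t]*|\b[A-Za-z_]\w*[ \t*]+)"
    r"(?P<name>" + "|".join(LIBC_NAMES) + r")[ \t]*\("
    r"(?P<params>[^;{}()]*)\)"
    r"(?P<krdecls>(?:\s*[\w\s*,\[\]]+;)*)"
    r"\s*\{",
    re.MULTILINE,
)
_CALL_RE = re.compile(r"\b(?P<name>" + "|".join(LIBC_NAMES) + r")[ \t]*\(")


def strip_comments_and_strings(src):
    """Blank comments and literals, keeping newlines so line numbers hold."""
    return _STRIP_RE.sub(lambda m: "\n" * m.group().count("\n"), src)


def find_definitions(sources):
    """Return [{'file','line','name','style'}] for every libc name that some
    file in `sources` (a {filename: text} mapping) defines itself."""
    findings = []
    for fname, text in sources.items():
        cleaned = strip_comments_and_strings(text)
        for m in _DEF_RE.finditer(cleaned):
            findings.append({
                "file": fname,
                "line": cleaned.count("\n", 0, m.start("name")) + 1,
                "name": m.group("name"),
                "style": "K&R" if m.group("krdecls").strip() else "ANSI",
            })
    return findings


def count_call_sites(sources):
    """Call sites per libc name across the tree, definitions excluded.
    A hook in a routine with many call sites fires on more program runs."""
    calls = Counter({name: 0 for name in LIBC_NAMES})
    for text in sources.values():
        for m in _CALL_RE.finditer(strip_comments_and_strings(text)):
            calls[m.group("name")] += 1
    for d in find_definitions(sources):
        calls[d["name"]] -= 1          # the definition itself is not a call
    return calls


# Constructed sample tree: a normal program plus two files that replace
# library routines, one in K&R style and one in ANSI style.
SAMPLE_SOURCES = {
    "main.c": r'''#include <stdio.h>
#include <stdlib.h>
/* comment mentioning char *malloc(n) { must not count as a definition */
static char *buf;
int main(int argc, char **argv)
{
    buf = malloc(100);
    if (buf == NULL) {
        perror("malloc");
        return 1;
    }
    printf("%s\n", "char *malloc(n) { inside a string literal is ignored too");
    free(buf);
    return 0;
}
''',
    "alloc.c": r'''/* K&R-style replacement for the library allocator */
char *malloc(nbytes)
unsigned nbytes;
{
    extern char *sbrk();
    return sbrk(nbytes);
}
''',
    "errs.c": r'''#include <stdio.h>
void perror(const char *s) {
    fputs(s, stderr);
}
''',
}

if __name__ == "__main__":
    for d in find_definitions(SAMPLE_SOURCES):
        print("%s:%d: defines %s() (%s style)"
              % (d["file"], d["line"], d["name"], d["style"]))
    for name, n in sorted(count_call_sites(SAMPLE_SOURCES).items()):
        print("%-8s called at %d site(s)" % (name, n))
```

Run against the sample tree it reports alloc.c:2 (malloc, K&R) and errs.c:2 (perror, ANSI) and shows malloc, perror and free each called once; in a real tree the call counts are the thing to compare, since the routine with the most call sites is the one whose replacement runs most often. A hit is not proof of anything: a project may ship its own allocator on purpose, so each flagged definition still has to be read.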