Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!husc6!bbn!rochester!ritcv!jjv3345
From: jjv3345@ritcv.UUCP (Jeff Van Epps)
Newsgroups: comp.sys.amiga
Subject: Re: Viruses (was: Re: The ultimate fix!!!)
Message-ID: <934@ritcv.UUCP>
Date: 14 Oct 88 00:30:37 GMT
References: <8810062045.AA04638@cory.Berkeley.EDU> <12643@oberon.USC.EDU> <814@super.ORG> <1109@lakesys.UUCP>
Reply-To: jjv3345@ritcv.UUCP (Jeff Van Epps)
Organization: Rochester Institute of Technology, Rochester, NY
Lines: 57

[Is the line-eater a virus?]

Thoughts:

1. We DO NOT have virus-detection programs. We have a few pretty trivial special-case programs (i.e. only looking at the boot block or only recognizing one strain of virus) and we have a few programs which yell if a file is a different size than it used to be.

2. Deciding whether or not a given program is a virus: You would have to search the entire execution tree, taking all possible branches, using all possible values for external input. You would also have to deal with a mutating tree (self-modifying code).

3. Since doing (2) fully is equivalent to running every possible execution of the program, ever, it is unlikely to be accomplished in a reasonable amount of time. Something that looks more possible is to examine the program for external interactions (disk, output port, screen, keyboard, even memory). Unfortunately, any useful program will have many of these. Then trace backwards and figure out what conditions must be true to get you to this point in the program, and what values the data involved may have. You can eliminate some of the interaction categories if your system has certain characteristics. If you have memory protection, ignore memory interactions. If your keyboard has no keys that can be reprogrammed, and can't be made to produce input that you didn't type, ignore keyboard interactions. Etc.

4. Even (3) looks far too hard to work on anything except possibly one of the languages developed to be useful in terms of program verification.

5. Statements claiming UNIX is not susceptible to a virus are false. Manifestly so, since it has happened. Statements claiming it has better virus protection than, for example, MS-DOS, are true but misleading. Certainly it's better to have a newspaper to shield yourself from the rain than nothing at all, but it only stops the laziest of raindrops. You still get awfully wet.

6. My Amiga has remained virus-free so far, but then I've never even been near a user's group or other gang of disk-swappers. I have run all sorts of binaries from the net (don't have a compiler yet) without incident.

7. Programs are not the only means of propagation available to a virus. This very message might contain some sequence of control characters that could reprogram your function keys. The key you thought held your signature might now contain the same sequence of control characters, plus perhaps a command to format your disk. Who knows?

8. Danger lurks everywhere.

9. That article in Time Magazine was ridiculous. They actually made a cartoon out of someone getting infected by a virus.

Enough gloom for one night. (Geez, how would I feel if I *had* been infected already?).
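
An added example, not part of the original post: point 1 mentions programs that only "yell if a file is a different size than it used to be". The sketch below keeps a baseline of size plus SHA-256 digest and classifies each file, so the case a size-only check misses shows up as its own status. The file names and byte contents are constructed samples, and all function names are hypothetical.

```python
import hashlib, os, tempfile

def build_manifest(root):
    """Map relative path -> (size, sha256 hex) for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            rel = os.path.relpath(full, root)
            manifest[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest

def compare(baseline, current):
    """Classify each path; 'same-size-modified' is what a size-only check misses."""
    report = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            report[path] = "removed"
        elif path not in baseline:
            report[path] = "added"
        elif baseline[path][0] != current[path][0]:
            report[path] = "size-changed"
        elif baseline[path][1] != current[path][1]:
            report[path] = "same-size-modified"
        else:
            report[path] = "unchanged"
    return report

def demo():
    """Run the comparison over constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        # Constructed stand-ins for binaries: padding followed by a marker.
        write("editor", b"\x00" * 64 + b"EDIT")
        write("copy", b"\x00" * 64 + b"COPY")
        write("list", b"\x00" * 64 + b"LIST")
        baseline = build_manifest(root)
        write("editor", b"\x00" * 64 + b"EDIT" + b"\xff" * 16)  # file grows
        write("copy", b"\xff" * 16 + b"\x00" * 48 + b"COPY")    # same length
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{path}: {status}")
```

A digest baseline only reports that bytes changed since the snapshot; it says nothing about whether the snapshot itself was clean, which is the harder problem points 2 to 4 describe.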