Path: utzoo!attcan!uunet!mcvax!ukc!cs.tcd.ie!vax1!rwallace
From: rwallace@vax1.tcd.ie
Newsgroups: comp.sys.amiga.tech
Subject: Viruses
Message-ID: <31622@vax1.tcd.ie>
Date: 26 Jan 89 13:20:54 GMT
Organization: Computer Laboratory, Trinity College Dublin
Lines: 34

The old boot block viruses were easy enough to protect against but now we've
got viruses that put themselves in program files, it's time to give some
serious thought to virus protection. Some schemes have been suggested recently
about getting programs to check themselves, which as was pointed out is no good
because by the time the program code gets to run the virus has done its dirty
work anyway. Having another program do the checking is more sensible but the
problem is once the virus is in memory it can intercept any attempt to read a
program file and make it look like the file is uninfected.

Two suggestions: First, is there any general way to check if a virus is in
memory? Obviously any given virus can be detected but then your virus killer
will be obsolete as soon as the next strain of virus comes out. The general
idea might be to inspect ExecBase, DOSBase, trackdisk.device and the like for
alterations but they're not guaranteed to be the same from machine to machine.
How about storing a copy of the normal structures on disk and each boot up
compare the current structure with the copy on disk?

Another suggestion: How about doing a patch to DoIO or trackdisk.device so that
each time a sector is read in it can be checked for alteration? Perhaps with
some sort of checksum so that the original version can be stored on disk and
compared against the new version on each read? Also maybe check for a disk
write immediately after a program load because that would probably be when the
virus would recognize the file as a program and put itself into it.

Or for a really far out idea, how about analyzing the startup code of each
program that gets loaded to see if it looks like it's going to modify files and
put copies of itself onto them.

Any suggestions welcome.

"To summarize the summary of the summary: people are a problem"
Russell Wallace, Trinity College, Dublin
rwallace@vax1.tcd.ie
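
The first suggestion in the post (save a copy of the normal structures, then compare on each boot) sketched as an added example in portable C; it is not code from the post or from any Amiga tool. The vector labels and every address are constructed sample data, and the two arrays stand in for the baseline saved on a known-clean boot and the table read at the current boot.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One saved entry: a label and the address the vector pointed at. */
struct vec { const char *name; uint32_t target; };

#define NVEC 4

/* Constructed baseline: stands in for the copy saved to disk on a clean boot. */
static const struct vec baseline[NVEC] = {
    {"exec DoIO", 0x00FC1A40u}, {"exec SendIO", 0x00FC1A9Cu},
    {"dos Open",  0x00FF4210u}, {"dos LoadSeg", 0x00FF4C58u},
};
/* Constructed current state: one vector now points somewhere else. */
static const struct vec current[NVEC] = {
    {"exec DoIO", 0x00FC1A40u}, {"exec SendIO", 0x00FC1A9Cu},
    {"dos Open",  0x0007E2D0u}, {"dos LoadSeg", 0x00FF4C58u},
};

/* Rotate-and-add checksum, for when only a checksum is stored instead of a
 * full copy. A mismatch proves a change; a match does not prove there is none. */
uint32_t table_sum(const struct vec *t, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++) {
        s = (s << 1) | (s >> 31);   /* rotate so entry order affects the sum */
        s += t[i].target;
    }
    return s;
}

/* Index of the first entry that differs from the baseline, or -1 if none. */
int first_changed(const struct vec *base, const struct vec *cur, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (base[i].target != cur[i].target) return (int)i;
    return -1;
}

/* Full entry-by-entry compare: prints each altered vector, returns the count. */
size_t report_changes(const struct vec *base, const struct vec *cur, size_t n) {
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (base[i].target != cur[i].target) {
            printf("CHANGED %-12s %08lX -> %08lX\n", base[i].name,
                   (unsigned long)base[i].target, (unsigned long)cur[i].target);
            count++;
        }
    return count;
}

int main(void) {
    return report_changes(baseline, current, NVEC) ? 1 : 0;
}
```

Because the baseline is taken per machine, the comparison does not depend on the structures being the same from one machine to the next.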