Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!osupyr.mast.ohio-state.edu!zf
From: zf@osupyr.mast.ohio-state.edu (Zbigniew Fiedorowicz)
Newsgroups: comp.sys.mac
Subject: Antivirus proposal
Message-ID: <1206@osupyr.mast.ohio-state.edu>
Date: 27 Jan 89 22:32:21 GMT
Reply-To: zf@osupyr.mast.ohio-state.edu.UUCP (Zbigniew Fiedorowicz)
Distribution: na
Organization: Mathematical Sciences Computer Lab, Columbus, OH
Lines: 46

Here is a proposal for detecting/repairing applications damaged by
virus infections.

It seems to me that all current Macintosh viruses (and any conceivable
future Mac virus) designed to infect a broad range of applications do
their dirty work by

  (a) adding new viral code segment(s) to the application (or perhaps
      concatenating them with existing segments), and

  (b) changing the first entry (program entry point) in the jump table
      to point to the added viral code.

Unless the virus was targeted against a specific application, it could
not reliably mess with the existing application code or modify the
other jump table entries without a high risk of crashing the
application on the first go.

In view of this, the following seems to be a reasonable way of dealing
with such viral effects:

  (1) Collect a database of program entry points & code segment numbers
      and sizes for all major Macintosh applications (and for each
      version).

  (2) Archive this database at major archive sites & commercial
      information services (e.g. sumex, Compuserve, ...). This would
      enable sophisticated Mac users to fix an infected application by
      restoring the correct entry point & removing the added viral code
      segments using ResEdit. (Actually restoring the entry point
      suffices to disable the virus.) Also make provisions for
      regularly updating this database.

  (3) Write an application which would use this database to detect
      infected applications and automatically repair them.

Present virus detection/repair programs (e.g. KillScores, AntiPan, ...)
are based on intimate knowledge of the code segment numbering algorithm
of a particular virus and where it squirrels away the original entry
point for a given application. This makes them useless against new
viruses or even trivial modifications of old viruses.

I of course realize that the above proposal does not deal with all
viral effects (e.g. inits, modifications to the system file, etc.), but
I believe it would still be a very useful addition to the antivirus
arsenal.

Perhaps there are some difficulties in this scheme which I have
overlooked. If so I would like to hear from you. Otherwise I call for a
discussion on how to set this up. I for one am willing to volunteer my
services with points (1) and (2) of the program. Of course it would be
nice if Apple took charge of such a project.

Zbigniew Fiedorowicz
zf@osupyr.mast.ohio-state.edu
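The following is an added example, not part of the original post, sketching what steps (1) and (3) of the proposal would look like in code: a database record per application version holding the program entry point and the CODE segment numbers and sizes, a check that compares an application's CODE resources against that record, and a repair that restores the first jump table entry and drops segments the record does not list. It assumes the classic 68k CODE 0 layout (a 16-byte header of above-A5 size, below-A5 size, jump table size and jump table offset, followed by 8-byte unloaded jump table entries: routine offset, `MOVE.W #seg,-(SP)` = 0x3F3C, segment number, `_LoadSeg` = 0xA9F0). The record format, the function names and all sample resources are constructed for this illustration; the "infected" sample only mimics the pattern the post describes (an added CODE 3 with the entry redirected into it) and its segment bytes are zero-filled placeholders.

```python
import struct

# Constructed CODE 0 layout (assumed classic 68k format, see lead-in).
JT_HEADER = struct.Struct(">IIII")   # above A5, below A5, jump table size, jump table offset
JT_ENTRY = struct.Struct(">HHHH")    # routine offset, MOVE.W #seg,-(SP), segment, _LoadSeg
MOVE_W_IMM = 0x3F3C
LOADSEG_TRAP = 0xA9F0


def parse_jump_table(code0: bytes) -> list[tuple[int, int]]:
    """Decode the unloaded jump table of a CODE 0 resource into (segment, offset) pairs."""
    _above, _below, jt_size, _jt_offset = JT_HEADER.unpack_from(code0, 0)
    entries = []
    for pos in range(JT_HEADER.size, JT_HEADER.size + jt_size, JT_ENTRY.size):
        offset, push, seg, trap = JT_ENTRY.unpack_from(code0, pos)
        if push != MOVE_W_IMM or trap != LOADSEG_TRAP:
            raise ValueError(f"malformed jump table entry at byte {pos}")
        entries.append((seg, offset))
    return entries


def build_code0(entries, above_a5=0x100, below_a5=0x2000, jt_offset=32) -> bytes:
    """Inverse of parse_jump_table; used to construct samples and to write repairs."""
    body = b"".join(JT_ENTRY.pack(off, MOVE_W_IMM, seg, LOADSEG_TRAP) for seg, off in entries)
    return JT_HEADER.pack(above_a5, below_a5, len(body), jt_offset) + body


def fingerprint(resources: dict[int, bytes]) -> dict:
    """The per-version database record of step (1): entry point plus segment numbers and sizes."""
    entries = parse_jump_table(resources[0])
    return {
        "entry": entries[0],  # first jump table entry is the program entry point
        "segments": {rid: len(data) for rid, data in resources.items() if rid != 0},
    }


def check(resources: dict[int, bytes], baseline: dict) -> list[str]:
    """Step (3), detection: compare an application's CODE resources against its record."""
    seen = fingerprint(resources)
    findings = []
    if seen["entry"] != baseline["entry"]:
        findings.append(f"entry point {seen['entry']} differs from baseline {baseline['entry']}")
    for rid in sorted(set(seen["segments"]) - set(baseline["segments"])):
        findings.append(f"CODE {rid} is not in the baseline (added segment)")
    for rid in sorted(set(baseline["segments"]) - set(seen["segments"])):
        findings.append(f"CODE {rid} is missing")
    for rid, size in baseline["segments"].items():
        if rid in seen["segments"] and seen["segments"][rid] != size:
            findings.append(f"CODE {rid} size {seen['segments'][rid]} differs from baseline {size}")
    return findings


def repair(resources: dict[int, bytes], baseline: dict) -> dict[int, bytes]:
    """Step (3), repair: restore the entry point and drop segments the record does not list."""
    entries = parse_jump_table(resources[0])
    entries[0] = baseline["entry"]
    above, below, _size, jt_offset = JT_HEADER.unpack_from(resources[0], 0)
    fixed = {0: build_code0(entries, above, below, jt_offset)}
    for rid, data in resources.items():
        if rid in baseline["segments"]:
            fixed[rid] = data
    return fixed


# Constructed sample: a two-segment application whose entry point is CODE 1, offset 0.
CLEAN_APP = {
    0: build_code0([(1, 0), (1, 0x40), (2, 0)]),
    1: bytes(0x200),
    2: bytes(0x180),
}
BASELINE = fingerprint(CLEAN_APP)

# Constructed sample of the pattern the post describes: a CODE 3 is added and the
# first jump table entry is redirected into it.  Segment bytes are placeholders.
INFECTED_APP = dict(CLEAN_APP)
INFECTED_APP[3] = bytes(0x300)
INFECTED_APP[0] = build_code0([(3, 0), (1, 0x40), (2, 0)])

if __name__ == "__main__":
    for line in check(INFECTED_APP, BASELINE):
        print("finding:", line)
    print("repaired matches clean:", repair(INFECTED_APP, BASELINE) == CLEAN_APP)
```

Note that, as the post says, restoring the first entry alone is enough to stop the added code from running; dropping the unlisted segment is the ResEdit cleanup step automated. A real tool would also have to match the application's version before picking a record, since the same name with a different version legitimately has a different entry point and segment list.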