Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!UIAMVS.BITNET!AWCTTYPA
From: AWCTTYPA@UIAMVS.BITNET ("David A. Lyons")
Newsgroups: comp.sys.apple
Subject: viruses and checksums
Message-ID: <8903031624.aa07673@SMOKE.BRL.MIL>
Date: 3 Mar 89 22:21:12 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 49
X-Unparsable-Date: Friday 03 Mar 89 3:07 PM CT

>Date: Fri, 3 Mar 89 11:46:00 -0800
>From: Ryan Lanctot
>Subject: viruses
>
>As anyone knows, a checksum is only effective if the person who wrote
>the virus doesn't have the smarts to make the checksum add up after
>the virus has inserted itself. Some really smart cookie would
>probably have the virus checksum the program itself before insertion,
>then rebalance the checksum... Or they could corrupt the checksum
>program itself to produce the same result every time, no matter how
>the program looked.
>
> Ryan Lanctot
>

No! It isn't anywhere near that simple. A virus could make the checksum
come out the same if and _only_ if it knew what method of checksumming
was being done on the file!

Simple single-byte additive checksums would indeed be very easy to
bypass: just make sure the bytes added to the file add up to 0 (mod 256).

The number of possible checksumming schemes is immense. (Start by
considering adding groups of N bytes rather than single bytes, and
rotating the checksum-in-progress by M bits after each N-byte group was
added in.)

Individuals can certainly bypass checksum protection on particular pieces
of software, but this is a very different thing from having a virus do
it. Analysis of programs by other programs (for example, a virus trying
to determine what algorithm is being used in a newly-encountered program)
is something that is, in general, not possible even in theory, and
certainly not in practice.
By the way, a simpler and probably just as effective method for software
to detect that it has been altered (possibly infected by a virus) is to
check its own length on disk and compare it against the correct length.
(ProDOS 8 programs can do an OPEN, GET_EOF, and CLOSE on the pathname
stored at $280 immediately after they start. Be sure to deal with errors
on the OPEN appropriately so that you don't get false virus-detector
triggers when someone launches your program from the rare program
launcher that does not correctly put your program's complete or partial
pathname at $280.)

--David A. Lyons              bitnet: awcttypa@uiamvs
  DAL Systems                 CompuServe: 72177,3233
  P.O. Box 287                GEnie mail: D.LYONS2
  North Liberty, IA 52317     AppleLinkPE: Dave Lyons
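Added example, not from David Lyons's post or from any Apple II code: the single-byte additive checksum beside the "add N-byte groups, rotate the checksum-in-progress by M bits" scheme sketched above, both run over a constructed 8-byte program image and a constructed 4-byte tail whose bytes add up to 0 (mod 256). The parameters N=4 and M=5, the function names, and the sample bytes are assumptions.

```python
from typing import Callable

def additive_checksum(data: bytes) -> int:
    """Single-byte additive checksum: sum every byte, keep the low 8 bits."""
    return sum(data) & 0xFF

def rotating_checksum(data: bytes, n: int = 4, m: int = 5) -> int:
    """Add the data in N-byte groups (as big-endian words) and rotate the
    running (8*N)-bit checksum left by M bits after each group is added in.
    N=4 and M=5 are assumed parameters, not values given in the post."""
    width = 8 * n
    mask = (1 << width) - 1
    acc = 0
    for i in range(0, len(data), n):
        group = data[i:i + n].ljust(n, b"\0")  # zero-pad a short final group
        acc = (acc + int.from_bytes(group, "big")) & mask
        acc = ((acc << m) | (acc >> (width - m))) & mask  # rotate left by M bits
    return acc

def tamper_detected(reference: int, data: bytes,
                    checksum: Callable[[bytes], int]) -> bool:
    """True when the stored reference checksum no longer matches the data."""
    return checksum(data) != reference

# Constructed sample "program" image (8 bytes) and a constructed 4-byte tail
# whose bytes add up to 0x100, i.e. 0 (mod 256): invisible to the additive sum.
ORIGINAL = bytes([1, 2, 3, 4, 5, 6, 7, 8])
TAIL = bytes([0x40, 0x40, 0x40, 0x40])

def demo() -> tuple:
    """Returns (additive scheme detects the tail, rotating scheme detects it)."""
    modified = ORIGINAL + TAIL
    add_ref = additive_checksum(ORIGINAL)   # 36, and still 36 with the tail appended
    rot_ref = rotating_checksum(ORIGINAL)   # 0xA8CCF104; with the tail it becomes 0x21A6289D
    return (tamper_detected(add_ref, modified, additive_checksum),
            tamper_detected(rot_ref, modified, rotating_checksum))

if __name__ == "__main__":
    print(demo())  # (False, True)
```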