Xref: utzoo comp.sys.mac:28155 comp.sys.mac.programmer:4951
Path: utzoo!utgpu!utstat!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!decwrl!sun!pitstop!sundc!seismo!uunet!mcvax!ukc!etive!lfcs!nick
From: nick@lfcs.ed.ac.uk (Nick Rothwell)
Newsgroups: comp.sys.mac,comp.sys.mac.programmer
Subject: Mac Viruses: How long before...?
Keywords: Mac, virus technology.
Message-ID: <1551@etive.ed.ac.uk>
Date: 9 Mar 89 13:35:10 GMT
Sender: news@etive.ed.ac.uk
Reply-To: nick@lfcs.ed.ac.uk (Nick Rothwell)
Organization: LFCS Mornington Crescent Society
Lines: 67

I'd like to air some general comments and concerns about Mac viruses, based on the way that existing viruses (SCORES, nVIR, ...) work, and more importantly, how they *don't* work. I hope that such discussion doesn't incite anybody to build one as a result of these discussions; but I don't know how I would do this, and it may not be possible, and I believe that there are enough saints on the Net to make this posting worthwhile. Any villain who understands these ideas would have had them anyway.

I'm basing this on my knowledge of the Mac - I've had one for about 9 months, I have Lightspeed C, vols I and II of Inside Mac, and Usenet access, of course. I don't know a great deal about the OS apart from what I've needed to write simple Mac applications.

Earlier this week, we were hit by nVIR strain B. I spotted it on a public machine, using Jeff Shulman's VirusDetective. It took me a couple of hours to isolate it and rebuild the system, and the rest of the day to pick up more recent virus tools, configure them, and check other volumes and machines. Finding this virus was simplicity itself - nVIR resources in applications and systems. As far as I know, all other Mac viruses use dedicated resource types. I removed it by doing a complete rebuild, but could probably have rendered it safe in existing applications, if this was necessary. I now believe I have the Macs safe from all viruses using this kind of technology.
So, how long before the next level of technology? nVIR and so on seem pretty simple, even to a novice Mac programmer like myself. Patch a few resource manager calls, write a few special resources, patch the entry code of a few applications, and that's it. The resource manager provides all the necessary tools on a plate. So, I think we're at a stage where Mac viruses are easy to write and easy to defeat.

Presumably, the next stage is viruses which work in the same way, but make themselves invisible to detection. If a virus can patch the toolbox calls which search for resources, then it becomes invisible. If a virus can detect patches on PutResource and so on, and find the original entry points, then it can propagate under the nose of resource watchers like Vaccine.

I don't know how well the Mac is documented when you delve below the Resource Manager level. Could a virus propagate itself by interpreting the resource forks of files by itself? Could I create an INIT 32 in a system file by myself? Is it possible to write a Mac virus which works in the same way as the horrible low-level ones found on (Acht! Ptui!) PCs? I don't know how Macs boot from system volumes - I just assume it's magic. But, presumably the boot operation is open to attack, even if parts of the boot are directed from the Toolbox ROM. At this level, we would be talking about absolute disk addresses, absolute RAM locations, and so on, way below the safety of the OS. One property of abstraction is that the underlying representation can be quite volatile; because of the abstraction of the Memory Manager, perhaps attempts by viruses to use absolute RAM addresses would be doomed to failure as things come along and trample over them.

What about the system patches found in the data forks of system files? Does anybody outside Apple know the format of these? Would it be easy to interpret and alter the data fork, bypassing the resource mechanisms altogether?
These are all pretty simple questions, and have probably been thought of before, by cowboys with both black hats and white. Perhaps the nature of the Mac OS means that there's nothing reliable below the OS, so you can't build a virus there (you can't set fire to a ship if you're treading water...).

Anybody have any comments? Words of reassurance?

Nick.
--
Nick Rothwell, Laboratory for Foundations of Computer Science, Edinburgh.
nick@lfcs.ed.ac.uk !mcvax!ukc!lfcs!nick
~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~
...while the builders of the cages sleep with bullets, bars and stone,
they do not see your road to freedom that you build with flesh and bone.
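Editor's added example (not part of the post above, and not any of the tools it names): the post's two practical points are that the current viruses announce themselves with a dedicated resource type ('nVIR' in applications and System files), and that a cleverer virus could patch the Resource Manager calls a detector relies on. A detector that answers both is one that reads the resource fork bytes off disk and walks the resource map itself, rather than calling GetResource. The script below does that: it parses the documented fork layout (16-byte header, data section of length-prefixed blobs, map with type list and 12-byte reference entries), lists every resource, and flags 'nVIR' resources plus any type outside an optional allowlist. The two forks it scans are constructed in-memory fixtures built by the same script (a toy application and the same application with two 'nVIR' resources added); the resource contents, the KNOWN_VIRUS_TYPES set and the function names are this example's own assumptions, not anything from the post.

```python
"""Scan a classic Mac resource fork for virus marker resources.

Constructed example: it builds its own tiny resource forks rather than
reading real files, and parses them straight from the bytes instead of
going through the Resource Manager, so a patched GetResource cannot hide
anything from it.  The fork layout follows Inside Macintosh (resource
header, data section, resource map with type list and reference lists).
"""
import struct

# Resource types that mark an infection.  nVIR keeps its code in 'nVIR'
# resources (per the post); this set is an assumption to extend as needed.
KNOWN_VIRUS_TYPES = {b"nVIR"}

HEADER_LEN = 256      # 16-byte header plus reserved area; data normally starts here
MAP_HEADER_LEN = 28   # header copy(16) + next handle(4) + refnum(2) + attrs(2) + 2 offsets


def build_resource_fork(resources):
    """Assemble a minimal resource fork from (type, id, data) triples (test fixture)."""
    by_type = {}
    for rtype, rid, data in resources:
        by_type.setdefault(rtype, []).append((rid, data))
    data_section, data_offsets = bytearray(), {}
    for rtype, items in by_type.items():
        for rid, data in items:
            data_offsets[(rtype, rid)] = len(data_section)
            data_section += struct.pack(">I", len(data)) + data   # 4-byte length, then bytes
    ntypes = len(by_type)
    ref_lists_start = 2 + 8 * ntypes                  # from type list start to first ref list
    type_list = bytearray(struct.pack(">H", (ntypes - 1) & 0xFFFF))   # count stored minus one
    ref_lists = bytearray()
    for rtype, items in by_type.items():
        type_list += struct.pack(">4sHH", rtype, len(items) - 1, ref_lists_start + len(ref_lists))
        for rid, data in items:
            # id, name offset (0xFFFF = unnamed), attrs byte + 24-bit data offset, reserved handle
            ref_lists += struct.pack(">hHI", rid, 0xFFFF, data_offsets[(rtype, rid)]) + b"\0\0\0\0"
    map_body = bytes(type_list + ref_lists)           # name list is empty, so nothing follows
    map_off = HEADER_LEN + len(data_section)
    map_len = MAP_HEADER_LEN + len(map_body)
    header = struct.pack(">IIII", HEADER_LEN, map_off, len(data_section), map_len)
    map_header = header + struct.pack(">IHHHH", 0, 0, 0, MAP_HEADER_LEN, map_len)
    return header.ljust(HEADER_LEN, b"\0") + bytes(data_section) + map_header + map_body


def list_resources(fork):
    """Walk the resource map directly and return (type, id, attrs, payload) per resource."""
    data_off, map_off, _data_len, _map_len = struct.unpack(">IIII", fork[:16])
    type_list_off, _name_list_off = struct.unpack(">HH", fork[map_off + 24:map_off + 28])
    tl = map_off + type_list_off
    (ntypes_m1,) = struct.unpack(">H", fork[tl:tl + 2])
    ntypes = 0 if ntypes_m1 == 0xFFFF else ntypes_m1 + 1     # an empty map stores -1
    found = []
    for i in range(ntypes):
        rtype, count_m1, ref_off = struct.unpack(">4sHH", fork[tl + 2 + 8 * i:tl + 10 + 8 * i])
        for j in range(count_m1 + 1):
            ref = tl + ref_off + 12 * j
            rid, _name_off, attr_off = struct.unpack(">hHI", fork[ref:ref + 8])
            attrs, doff = attr_off >> 24, attr_off & 0xFFFFFF   # high byte attrs, low 24 bits offset
            (length,) = struct.unpack(">I", fork[data_off + doff:data_off + doff + 4])
            found.append((rtype, rid, attrs, fork[data_off + doff + 4:data_off + doff + 4 + length]))
    return found


def scan_fork(fork, expected_types=None):
    """Report virus marker resources and, when an allowlist is given, unexpected types."""
    findings = []
    for rtype, rid, _attrs, _payload in list_resources(fork):
        if rtype in KNOWN_VIRUS_TYPES:
            findings.append(("virus-resource", rtype, rid))
        elif expected_types is not None and rtype not in expected_types:
            findings.append(("unexpected-type", rtype, rid))
    return findings


# Constructed fixtures: a toy application, and the same one carrying nVIR resources.
_APP = [
    (b"CODE", 0, b"\x00\x00\x00\x20\x00\x00\x00\x28\x00\x00\x00\x08"),  # jump-table stand-in
    (b"CODE", 1, b"\x4e\x75"),                                           # RTS
    (b"SIZE", -1, b"\x58\x00\x00\x08\x00\x00\x00\x08\x00\x00"),
]
CLEAN_APP = build_resource_fork(_APP)
INFECTED_APP = build_resource_fork(_APP + [(b"nVIR", 0, b"\x00\x00\x00\x01"), (b"nVIR", 1, b"\x4e\x75")])

if __name__ == "__main__":
    for name, fork in (("clean", CLEAN_APP), ("infected", INFECTED_APP)):
        for kind, rtype, rid in scan_fork(fork, expected_types={b"CODE", b"SIZE"}):
            print(f"{name}: {kind} {rtype.decode('mac-roman')} id={rid}")
```

On a real machine this would be pointed at the resource fork read as a plain byte stream; the point of the design is that nothing in it calls the Resource Manager, so the only way a virus could lie to it is to intercept the file-level read itself, which is exactly the "next level" the post asks about.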