Xref: utzoo comp.sys.mac:28193 comp.sys.mac.programmer:4969
Path: utzoo!attcan!uunet!ncrlnk!ncrcae!hubcap!gatech!rutgers!rochester!cornell!biar!trebor
From: trebor@biar.UUCP (Robert J Woodhead)
Newsgroups: comp.sys.mac,comp.sys.mac.programmer
Subject: Re: Mac Viruses: How long before...?
Keywords: Mac, virus technology.
Message-ID: <211@biar.UUCP>
Date: 11 Mar 89 06:47:45 GMT
References: <1551@etive.ed.ac.uk>
Reply-To: trebor@biar.UUCP (Robert J Woodhead)
Followup-To: comp.sys.mac
Organization: Biar Games, Inc.
Lines: 30

In article <1551@etive.ed.ac.uk> nick@lfcs.ed.ac.uk (Nick Rothwell) writes:
> Is it possible to write a Mac virus which works in the same way as
>the horrible low-level ones found on (Acht! Ptui!) PCs? I don't know
>how Macs boot from system volumes - I just assume it's magic. But,
>presumably the boot operation is open to attack, even if parts of the
>boot are directed from the Toolbox ROM. At this level, we would be
>talking about absolute disk addresses, absolute RAM locations, and so on,
>way below the safety of the OS. One property of abstraction is that the
>underlying representation can be quite volatile; because of the
>abstraction of the Memory Manager, perhaps attempts by viruses to use
>absolute RAM addresses would be doomed to failure as things come along
>and trample over them.

Anything is possible. However, this note of reassurance. A virus cannot
become active until its code is executed (during boot, INIT load, or
application launch). Until that happens, it's bits on a disk.

So let's say the latest nefarious "below the trap level" virus has infected
your hard disk. Quick as a flash, you power down your Mac, pull out your
locked floppy disk containing your favorite virus scan program (one that
scans the files looking for nefarious code), insert it and boot your Mac.
The system and finder on the floppy load; the virus code never executes.
You now run the scanning program which finds the viruses and removes them.
You are cured.

--
* Robert J Woodhead * The true meaning of life is cunningly encrypted and *
* uunet!biar!trebor * hidden somewhere in this signature...               *
* Biar Games, Inc.  * ...no, go back and look again                       *