Path: utzoo!utgpu!jarvis.csri.toronto.edu!clyde.concordia.ca!uunet!tut.cis.ohio-state.edu!cica!iuvax!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: dmg@retina.mitre.org (David Gursky)
Newsgroups: comp.virus
Subject: Re: Virus trends
Message-ID: <0001.8912221839.AA24578@ge.sei.cmu.edu>
Date: 22 Dec 89 14:37:04 GMT
Sender: Virus Discussion List
Lines: 48
Approved: krvw@sei.cmu.edu

I wish to take issue with Gene Spafford's Theorem 4:

"Theorem #4) Within the next few years, there will be at least one major problem where some purported anti-viral/security software will be made available, and it will contain a logic bomb or trojan horse in it that causes more damage than what it is supposed to fix. (Minor thesis: the likely author of such software will be someone marketing commercial security software, and the logic bomb version will be a public-domain package not traceable to the author. The purpose -- to discredit public domain anti-virus software.)"

This assumes the unavailability of high-quality PD/Shareware/Freeware anti-electronic vandalism software, or rather, that at a certain point in time, such software will not be available (i.e. the existing software will be outmoded, as say Interferon is). It also assumes the author is able to completely cover his or her steps, as Spaf does correctly point out, but I would counter that this is harder than it seems.

Consider the current situation. Of the PD/SW/FW tools in use today (FluShot Plus, Gatekeeper, Disinfectant, et al.), their authors are well known, and it is well known when they release new copies of their software. Any Trojan Horse masquerading as a tool against electronic vandalism would therefore have to be as good as these tools, and would probably have to be much better. Otherwise, people will simply keep using what they are using (look at how many people still use Interferon!).
If people are not going to easily switch from one PD/SW/FW to another, there is an inherited limiting factor on the "effectiveness" of a Trojan Horse implanted in anti-electronic vandalism tools. Furthermore, the code hiding the logic bomb will have to persist in a large number of unknown user configurations. Look at the new WDEF virus on the Mac. It is simply incompatible with the new Mac IIci, and it doesn't like the IIcx or any Mac with 8M of RAM that much either.

I would worry much more about the following:

"Theorem 6": As the trend towards open systems continues, where a given programming environment can exist over several platforms (Examples: Smalltalk/V under the Mac OS and Presentation Manager, X-Windows, etc.), instances of machine-dependent vandalism will decrease, and environment-dependent vandalism (example: The Dukakis Hypercard Virus) will increase. The power of the specific machine's operating system will be easier to access through these programming environments, opening up these systems to a larger number of people, and consequently to a larger number of vandals.