VIRUS-L Digest Tuesday, 14 Feb 1989 Volume 2 : Issue 46 Today's Topics: re: Virus detection re: "Valentine's Day Trojan Horse" (VAX/VMS) --------------------------------------------------------------------------- Date: 13 February 1989, 10:02:09 EST From: David M. Chess Subject: re: Virus detection > currently we seem to be fighting a > losing battle against virus detection Are we? In practice, the existing viruses are all very unsophisticated, and easily detected by things that watch for suspicious activity in the environment (executables changing length, modifications to system files, new resources appearing, and so on). It's not hard to write a program that will detect every known virus, *and* every other virus in the general families that we've seen. In theory, of course, viruses >could< be a lot nastier, and I'm not advocating ignoring the threat. But I don't think we're losing the battle at the moment... > Maybe the quarantine approach is better. No better than the modification-detection approach, I don't think. They might be used together to some advantage, but I think trying to reply entirely on "quarantine" would be a serious mistake. Unless you try very very hard, it's going to be trivial for the virus to notice that the machine it's running on is not "normal" in any sense ("hmm, thirty-five programs have been run without a single keystroke on the physical keyboard; rather suspicious!"). A virus could be designed not to do any infecting unless the environment looked normal (physical keystrokes occurring now and then, a certain amount of idle time, etc). For every step you can take to make the quarantine environment look more normal, a new virus can come out that is one step cleverer. Same sort of escalation that could occur in the area of non-quarantine methods of detection! > The system clock runs 1000 times > faster than normal to check for delayed-action viruses. If you speed up the CPU by a factor of 1000 as well, it will burn out (if you're using a normal machine), or be very very expensive (if you've found someone who can make a CPU that'll run 1000 times faster than today's, I think lots of computer companies would be interested!). If you don't speed up the CPU, but only the time-of-day clock, the fact will be very obvious to any virus testing to see if it's running in quarantine. > Comments, anyone? You asked for it! *8) DC ------------------------------ Date: 13 Feb 89 20:23 From: minow%thundr.DEC@decwrl.dec.com (Repent! Godot is coming soon! Repent!) Subject: re: "Valentine's Day Trojan Horse" (VAX/VMS) In Virus-List 2.43, Gary Ansok asks whether a program on a host computer can change the VT100/VT200 answerback message or echo screen contents back to the host. Neither is possible in VT100 or VT200 series terminals. Also, the VMS mail display program filters out all escape sequences and non-standard control codes. Thus, a Trojan Horse program distributed via VMS Mail would have to tell the user to save the file and execute it. In a postscript, Gary notes that he'll "be looking over [his] incoming mail extra carefully for a few weeks." This is always good advice. Martin Minow minow%thundr.dec@decwrl.dec.com The above does not represent the position of Digital Equipment Corporation. ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253