VIRUS-L Digest              Monday, 23 Jan 1989         Volume 2 : Issue 22

Today's Topics:
re: PC Viruses

---------------------------------------------------------------------------

Date:        23 January 1989, 09:20:53 EST
From:        David M. Chess  <[email protected]>
Subject:     re: PC Viruses

In VIRUS-L v2n20, Otto Stolz <[email protected]> writes
a number of things, including:

> First Main Proposition of Virus Hunting: Every program designed to
> catch viruses can be circumvented by virus-writers who know its
> principles of operation.
>                           ...
>                                 The best option you have: To detect
> COM- and EXE-viruses, write your own program to compute some signature
> value from all bytes in a file and compare it with a value obtained
> earlier in the same way.  Lock away the source of your program and
> every hints on its algorithm in a safe place, and apply it regularly
> to every program file you use (including itself).

While I agree with pretty much everything -else- Otto writes, I think
these statements are perhaps a bit too strong.  Consider, for instance,
a modification-detection program that works using a nice long CRC
(at least 30 bits), and that uses a "user-selectable" polynomial
(for instance, the program might prompt the user for a long string
when it's first run, and use that to find an irreducible polynomial).
If the program and the database are kept on external media (in a floppy
in a locked desk drawer, for instance), and the polynomial key is
also external (in the user's head, or on that locked floppy), AND
the program is run only after cold-booting the maching from a trusted
IPL floppy (perhaps the same one again), so that the checking program,
key, and database are never in the machine at the same time as a virus,
I think I would claim that knowing all about the checking program,
including having the commented source code, would do the virus-writer
NO GOOD AT ALL in trying to defeat it (as long as the user's secret
key isn't known, of course).  That's just because it's not possible
to make a probably-undetected change to a dataset if you don't know
the polynomial used for detection (and if the CRC uses enough bits).

Objections?

DC
Watson Research

------------------------------

End of VIRUS-L Digest
*********************
Downloaded From P-80 International Information Systems 304-744-2253

You are viewing proxied material from infinitelyremote.com. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.