Path: utzoo!attcan!uunet!super!udel!gatech!mcnc!thorin!unc!bell
From: bell@unc.cs.unc.edu (Andrew Bell)
Newsgroups: comp.sys.amiga
Subject: Re: The ultimate fix!!!
Message-ID: <4320@thorin.cs.unc.edu>
Date: 22 Sep 88 00:52:43 GMT
References: <681@zehntel.UUCP> <3084@hermes.ai.mit.edu> <4197@thorin.cs.unc <9318@cup.portal.com>
Sender: news@thorin.cs.unc.edu
Reply-To: bell@unc.UUCP (Andrew Bell)
Organization: University Of North Carolina, Chapel Hill
Lines: 54

In article <9318@cup.portal.com> dan-hankins@cup.portal.com writes:
>
>     In article "Re: The Ultimate fix!!!" of 9/19/88 15:45 bell@unc.cs.unc.edu
>(Andrew Bell) writes:
>>If there are multiple bbc's out there,  it would be hard for a virus to
>>determine which one is on a given disk and modify it so it doesn't check
>>its location.

>     So when a new boot block comes out, the virus writer simply writes a new
>version of his virus that checks for the new code, the same way that Marauder
>comes out with a new Brain File that checks for more copy protections.  The
>virus program doesn't have to have a copy of a boot block in order to
>recognize it; a four or eight byte CRC will do the job admirably.

It can recognize it,  but how much code will it take to change it?  If there
are *multiple* bbcs around,  the virus will have to account for many of them
to spread reliably, and differently ordered (object file) versions of the
same boot block code will need to be treated differently.  How quickly can
that virus author get his "brain files" out there,  anyway?  People have enough
trouble getting upgrades to programs they *want*...

[I realise that the virus can link to code outside the boot block,  so the
1k limit for the initial virus code isn't that big a limiting factor,  it's
just more work for the virus author...]

And if dozens of boot blocks aren't enough,  how about an infinite number?
There would have to be some sort of boot block writer program.  Allow the
user to add his/her own name (or a name for their Amiga) in the code, and
perhaps a random seed to move data and code areas around (kinda tricky, I
realize).

You could then have a little program on your most commonly booted-with (but
write-protected) disk that checks each newly inserted disk for the presence
of your or your Amiga's name in the boot block,  and lets you know if it's
not a custom boot block.  Then when you forget to wear your write-protect
tab,  your "partners" are less likely to infect you...

What is in the boot block normally,  anyway?

>     Besides, an infection that only hits one out of eight machines is still
>destructive.  It will still spread.

A lot slower,  though.  It gives the anti-virus writers more of a chance to
catch up.  With people's consciousness level raised about viruses,  it should
nip the virus in the bud.  And if seven people out of eight a virus author
tries to infect can catch him/her in the act,  I suspect he'd/she'd be 
rather reticent about creating one.

>Dan Hankins

   -Andrew Bell
The Schizophrenic Grad Student
bell@cs.unc.edu
acb@cs.duke.edu
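The checker Bell sketches above (a small program on a write-protected boot disk that inspects each newly inserted floppy's boot block for the owner's name) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the post, from Dan Hankins, or from any Amiga boot-block writer of the period. It assumes the standard AmigaDOS boot block layout: 1024 bytes (two 512-byte sectors) beginning with "DOS" plus a flags byte, a big-endian checksum at offset 4 (sum of all 256 longwords with end-around carry, checksum field counted as zero, then complemented), the root block number at offset 8, and boot code from offset 12. `OWNER_TAG`, the `make_boot_block` helper, the NOP filler used as "code", and the SHA-256 fingerprint of the owner's own custom block are all constructed for the example. The checker does a little more than the post asks: besides the name, it validates the checksum and compares the whole block against the fingerprint recorded when the custom block was written, so a block that kept the name but had its code altered is also reported.

```python
import hashlib
import struct

BOOT_BLOCK_SIZE = 1024          # two 512-byte sectors
ROOT_BLOCK_DD = 880             # root block of a double-density 3.5" floppy
OWNER_TAG = b"Andrew's Amiga"   # hypothetical owner name embedded in the custom block


def boot_checksum(block: bytes) -> int:
    """Assumed Amiga boot block checksum: add all 256 big-endian longwords
    with end-around carry, treat the checksum field itself as zero, then
    complement the result."""
    total = 0
    for offset in range(0, BOOT_BLOCK_SIZE, 4):
        if offset == 4:
            continue                      # checksum field counts as zero
        (word,) = struct.unpack_from(">I", block, offset)
        total += word
        if total > 0xFFFFFFFF:            # end-around carry
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def make_boot_block(code: bytes, owner_tag: bytes = b"") -> bytes:
    """Construct a boot block image for the example (sample data, not a
    real disk): signature, root block pointer, optional owner tag, code,
    and a correct checksum."""
    body = owner_tag + code
    if len(body) > BOOT_BLOCK_SIZE - 12:
        raise ValueError("boot code does not fit in 1 KB")
    block = bytearray(BOOT_BLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    struct.pack_into(">I", block, 8, ROOT_BLOCK_DD)
    block[12:12 + len(body)] = body
    struct.pack_into(">I", block, 4, boot_checksum(block))
    return bytes(block)


def fingerprint(block: bytes) -> str:
    """Digest recorded once, when the owner writes the custom boot block."""
    return hashlib.sha256(block).hexdigest()


def check_boot_block(block: bytes, owner_tag: bytes, known_good: str) -> str:
    """Classify the boot block of a just-inserted disk."""
    if len(block) != BOOT_BLOCK_SIZE:
        return "bad size"
    if block[0:3] != b"DOS":
        return "not a DOS boot block"
    (stored,) = struct.unpack_from(">I", block, 4)
    if stored != boot_checksum(block):
        return "checksum invalid"
    if owner_tag not in block[12:]:
        return "standard or foreign boot block"
    if fingerprint(block) != known_good:
        return "custom block altered"
    return "custom boot block ok"


def demo() -> dict:
    """Run the checker over constructed boot blocks and return the verdicts."""
    code = b"\x4e\x71" * 8          # constructed filler (68000 NOPs), not real boot code
    custom = make_boot_block(code, OWNER_TAG)
    known_good = fingerprint(custom)

    standard = make_boot_block(code)          # same code, no owner tag
    tampered = bytearray(custom)
    tampered[100] ^= 0xFF                     # one byte patched, checksum not refreshed
    repacked = bytearray(custom)
    repacked[100] ^= 0xFF                     # same patch, checksum refreshed
    struct.pack_into(">I", repacked, 4, boot_checksum(repacked))

    return {
        "custom": check_boot_block(custom, OWNER_TAG, known_good),
        "standard": check_boot_block(standard, OWNER_TAG, known_good),
        "tampered": check_boot_block(bytes(tampered), OWNER_TAG, known_good),
        "repacked": check_boot_block(bytes(repacked), OWNER_TAG, known_good),
        "garbage": check_boot_block(b"\x00" * BOOT_BLOCK_SIZE, OWNER_TAG, known_good),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

On a real machine the 1024 bytes would come from reading sectors 0 and 1 of the inserted floppy; the name check alone is what the post proposes, and the fingerprint comparison is the extra step that catches a block which still carries the owner's name but no longer matches what the owner wrote.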