Thursday, June 30, 2011

Detection avoidance

Viral programs have almost no defence at all against
disinfection.  99% of viri are almost trivially simple to get
rid of, simply by replacing the "infected" file (or boot sector)
with an original copy.  (Some more recent boot sector and system
viri require slightly more knowledge in order to perform
effective disinfection: none require drastic measures.)  Far
from their image as the predators of the computer world, viral
programs behave much more like prey.  Their survival is
dependent upon two primary factors: reproductive ability and
avoidance of detection.

Using the standard system calls to modify a file leaves very
definite traces.  The change in a file "creation" or "last
modified" date is probably more noticeable than a growth in file
size.  File size is rather meaningless, whereas dates and times
do have significance for users.  Changing the date back to its
original value, however, is not a significant programming
challenge.

Adding code while avoiding a change in file size is more
difficult, but not impossible.  Overwriting existing code and
adding code to "unused" portions of the file or disk are some
possible means.  (The fictional rogue program P1, in Thomas
Ryan's "The Adolescence of P1", avoided problems of detection by
analyzing and rewriting existing code in such a manner that the
programs were more compact and ran more efficiently.  Such
activity has not yet, alas, been discovered in any existing
virus.)

Some viral programs, or rather, virus authors, rely on
psychological factors.  There are a number of examples of viri
which will not infect program files under a certain minimum
size, knowing that an additional 2K is much more noticeable on a
5K utility than on a 300K spreadsheet.

In a sense these are all "stealth" technologies, but this term
is most often used for programs which attempt to avoid detection
by trapping calls to read the disk and "lying" to the
interrogating program.  By so doing, they avoid any kind of
detection which relies upon perusal of the disk.  The disk gives
back only that information regarding file dates, sizes and
makeup which were appropriate to the original situation.  (This
also relies upon the virus being "active" at the time of
checking.)  Although this method avoids any kind of "disk"
detection, including checksumming and signature scanning, it
leaves traces in the computer's memory which can be detected.
(Some viral programs also try to "cover their tracks" by
watching for any analysis of the area they occupy in memory and
crashing the system, but this tends to be noticeable behavior
... )
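
An added example, not part of the original article: because dates can be
put back and code can be added without growing the file, an integrity
check has to compare file content against a stored baseline rather than
trust size or timestamps.  The Python below records size, modification
time and SHA-256 for each file and flags the case where content changed
while both size and date still match.  File names and sample bytes are
constructed, and, as the stealth paragraph notes, a disk check like this
is only trustworthy when run from a known-clean boot.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    size: int
    mtime_ns: int
    sha256: str


def snapshot(path):
    """Record size, last-modified time and SHA-256 of one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return Record(st.st_size, st.st_mtime_ns, digest.hexdigest())


def baseline(paths):
    """Build the reference table; store it somewhere the checked system cannot write."""
    return {p: snapshot(p) for p in paths}


def compare(base):
    """Classify every baselined file by what changed since the baseline."""
    findings = {}
    for path, old in base.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        new = snapshot(path)
        if new.sha256 == old.sha256:
            # Content identical; a date change alone is only informational.
            findings[path] = "ok" if new.mtime_ns == old.mtime_ns else "touched"
        elif new.size == old.size and new.mtime_ns == old.mtime_ns:
            # The case the article describes: size and date look original.
            findings[path] = "content-changed-metadata-preserved"
        else:
            findings[path] = "content-changed"
    return findings


def demo():
    """Run the checker over three constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("clean.bin", "padded.bin", "grown.bin")]
        for p in paths:
            with open(p, "wb") as f:
                # Constructed sample: 256 bytes of "code" plus 64 bytes of slack.
                f.write(b"CODE" * 64 + b"\x00" * 64)
        base = baseline(paths)

        # Test case 1: same-size overwrite of the slack, original dates restored.
        st = os.stat(paths[1])
        with open(paths[1], "r+b") as f:
            f.seek(256)
            f.write(b"\xaa" * 32)
        os.utime(paths[1], ns=(st.st_atime_ns, st.st_mtime_ns))

        # Test case 2: plain append, so the size grows.
        with open(paths[2], "ab") as f:
            f.write(b"EXTRA" * 10)

        return {os.path.basename(p): v for p, v in compare(base).items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```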

Computer operations and viral operations

Having defined what viral programs are, let's look at what
computers are, and do, briefly.  The functions that we ask of
computers tend to fall into a few general categories.

Computers are great at copying.  This makes them useful for
storing and communicating data, and for much of the "information
processing" that we ask them to do, such as word processing.
Computers are also great for the automation of repetitive tasks.
Programming allows computers to perform the same tasks, in the
same way, with only one initiating call.  Indeed, we can, on
occasion, eliminate the need for the call, as programs can be
designed to make "decisions" on the basis of data available.
Finally, computer processors need not be specially built for
each task assigned to them: computers are multi-purpose tools
which can do as many jobs as the programs available to them.

All computer operations and programs are composed of these
three components: copying, automatic operation, and "decision"
making; in various combinations, these can fulfill many
functions.  It is no coincidence that it is these same functions
which allow computer viral programs to operate.

The first function of a viral program is to reproduce.  In other
words, to copy.  This copying operation must be automatic, since
the operator is not an actively informed party to the function.
In most cases, a viral program must come to some decision about
when and whether to infect a program or disk, or when to deliver
a "payload".  All of these operations must be performed
regardless of the purpose for which the specific computer is
intended.

It should thus be clear that computer viral programs use the
most basic of computer functions and operations.  It should also
be clear that no additional functions are necessary for the
operation of viral programs.  Taking these two facts together,
none should be surprised at the conclusion reached a number of
years ago that not only is it extremely difficult to
differentiate computer viral programs from valid programs, but
that there can be no single identifying feature that can be used
for such distinction.  Without running the program, or
simulating its operation, there is no way to say that this
program is viral and that one is valid.

The fact that computer viral operations are, in fact, the most
basic of computer operations means that it is very difficult to
defend against intrusion by viral programs.  In terms of
"guaranteed protection" we are left with Jeff Richards' Laws of
Data Security:
         1)   Don't buy a computer.
         2)   If you do buy a computer, don't turn it on.

HOW TO WRITE A VIRUS PROGRAM

     For people who have nothing else to do but cause unprecedented havoc
     on other people's systems, this is something you should read.  To begin
     with, I'd like to explain briefly to the ignorant readers of this, what
     exactly a virus program is.  A virus program is in the genre of tapeworm,
     leech, and other such nasty programs.  I will show clearly, one possible
     application of it, on an Apple system, and I will demonstrate how easily
     this little pest could lead to wiping out most of someone's important
     disks.  Here we go!

        One day, while I had little else to do, I was reading a computing
     article in some obscure science magazine.  As it happened, the article
     discussed a growing problem in the computer community about the danger
     of virus programs.  Someone quoted in the article said that they wrote
     a very simple virus program and put it on the university computer as
     a test.  All the program did was look through the computer's memory,
     and devices (tape drives, hard drives, etc...) for stored programs, and
     when it found one, it would search through the program for itself.  If
     it didn't find anything, it would find an empty spot in the program, and
     implant itself.  This may not sound too exciting, but this little program
     was actually part of another program (maybe a word processor, or
     spreadsheet, or maybe even zaxxon) and whenever someone ran that program, and
     executed the little virus stuck inside it, the virus would stop program
     execution (for a time period that even us humans wouldn't notice) and do
     its little job of infecting other programs with itself.   This example
     of a virus was harmless, but even so, after only 4 hours the whole system
     had to be shutdown and the whole memory core dumped because the virus had
     begun to fill up too much space and it was using up all the mainframe's
     time.  I don't think it would have been so easy if this professor had
     just done this experiment on his own and had not got permission or told
     anyone about it.  Think of the havoc!!
         Well, that has taken up too much time discussing already, so I'll
     add only one more thing before we get down to business, that REAL
     viruses are extremely BAD.  They usually are designed as time bombs that
     start erasing disks, memory, and maybe even backups or the operating
     system after they have been run so many times, or after a certain date
     is reached.  Someone did this to a bank one time (and by the way he was
     never caught!)  He was given the task of designing their operating system
     and security, and he decided he wasn't getting paid enough, so he devised
     his own method of compensation.  Every so often, the computer would steal
     a certain amount of money from the bank (by just CREATING it
     electronically) and would put it in an account that didn't exist as far as the bank
     or the IRS or anybody knew, and whenever this guy wanted, he went to
     the bank and withdrew some money.  They aren't sure how he did it, but
     he probably visited the electronic teller as often as possible.  As I
     said, the authorities still haven't found him, but after several years
     of his leech program being in service, it "expired."  They assume that
     he set it up to destroy itself after so long, and when this little
     program was gone, the bank suddenly was missing several million dollars.
     Now, I wouldn't recommend doing this sort of thing, but then again, who
     said crime doesn't pay?
          Now to discuss the application of this to a Personal Computer is
     very simple.  When I decided to do this, I figured it would be easiest
     to stick my program in the DOS, so that I would always know where to put
     another copy of my virus while it was reproducing itself, and that it
     would be easier to explain why the disk drive is running when it starts
     to initialize your disks.  For those who have a copy of Beneath Apple DOS
     it would be easy to find the space to put in the program.  If you don't,
     I'll tell you a few places that are not used (or where you can put it and
     it won't be noticed) but I'd recommend getting the book anyways - it's
     an excellent tool for doing these sort of things, and useful even if you
     don't.  As suggestions for where to put it (if you choose to infect DOS),
     you could use BCDF-BCFF which is still unused, or BFD9-BFFF, which WAS
     unused, but has since been used in updates of DOS.  Likewise, I would
     also suggest using space taken up by junk like LOCK or UNLOCK commands.
     Who the hell ever uses them?  Think about it, when was the last time you
     used the lock command?  Get real.  If you don't like that, how about
     MAXFILES.  I've only used that in a program once in my entire life.  I
     know people who couldn't even tell you what it does.  That would make me
     feel safe about sticking a virus there.
           But now comes the part that will be harder for the inexperienced,
     but easier as long as you know what you're doing.  By the way, you've
     been TOTALLY wasting your time reading this if you don't understand
     assembly, because you HAVE TO in order to accomplish a task such as this.
     But, don't fret, you could insert a little BASIC code into some dumb
     utility (like a program whose only function is to initialize disks) that
     would put itself on the disk, as it initializes it (probably as the hello
     program) and would work from that aspect.  Of course, it would be easier
     for a less experienced person to detect, but who really cares!
           As I was saying, however, you now have to write the code.  If you
     work in an area where you are limited memory wise (like I did) it can get
     tough at times.  The only way I got through it was by referring to
     documented listings of all of DOS that I got somewhere, and using bits
     and pieces of routines from other things as much as I could.  When I
     was done, I had a copy of DOS that when it was booted into the computer,
     would work completely properly (except for maybe some bizarre
     circumstances that I didn't bother testing for), but when someone CATALOGed a
     disk, it did a few different things.  It would first load up the VTOC as
     usual, but then it would jump to MY routine.  In this instance, it was
     very easy to use the VTOC which contains many unused bytes to house my
     counter.  I would increment it, check if it was time to destroy the disk,
     and then execute an INIT, or just save the VTOC.  Then it would save
     three more sectors to the disk.  One was the place where DOS branched to
     my routines, the others were my actual routine.  And thus was born a
     virus.  I guarantee that if anyone has experienced a problem with their
     disks, it was not my fault because I have not yet implemented the virus.
     No one has pissed me off enough to warrant its use.  Even worse is the
     fact that it could backfire (after being distributed across the country,
     I don't doubt I'd end up with it also) because not only was it very well
     planned, but you don't even notice any sort of a pause.  The virus
     executes itself so fast that there is little more than a microsecond of
     a pause while the catalog is going on.  I tried comparing it to a normal
     catalog, and found I couldn't tell the difference.  The only way this
     thing wouldn't work is if the disk it was cataloging wasn't DOS 3.3, and
     if that happened, it would probably screw the disk anyways.  I know
     there are people who will abuse this knowledge, so you may wonder why I
     even bothered writing it.  The fact is that it isn't important to shield
     people from this knowledge, what is important is for people to know that
     it can be done, and perhaps find a way to prevent it.  Just consider what
     would happen if someone started putting a virus in a DDD ][.2.  First of
     all, everyone would get a copy of it and use it.  Only a few would be
     that interested to check what these new updates to it were.  And perhaps
     within a month, whenever you tried to unpack a program, it would instead
     initialize the disk with your file on it.  So, like I said, beware of
     those that would jeopardize themselves and would do such a thing.  Of
     course, I wouldn't hesitate to drop my "bomb" on a few leech friends of
     mine who don't have modems, but that's a different story.  I don't have
     to worry too much about getting the "cold" back from them.  They'll be
     too screwed up to worry about trading disks.  Well, I've said too much
     already.  Please keep my name on this file if you put it on your BBS,
     etc..., but I don't really care if you want to put your local AE line
     number, or whatever up at the beginning too, just give me credit where
     I'm due.  Thank-you, and good luck, and, as I said before, be careful
     out there!!

AGING AND ALCOHOL ABUSE


Alcohol abuse among older men and women is a more                             
serious problem than people generally realize.  Until recently                
older problem drinkers tended to be ignored by both health                    
professionals and the general public.  The neglect occurred                   
for several reasons: our elderly population was small and                     
few were identified as alcoholics; chronic problem drinkers
(those who abused alcohol off and on for most of their                        
lives) often died before old age; and, because they are                       
often retired or have fewer social contacts, older people                     
have often been able to hide drinking problems.                               
                                                                              
Some families may unknowingly "encourage" drinking in                         
older family members if they have the attitude that drinking                  
should be tolerated because older people have only a                          
limited time left and therefore should be allowed to "enjoy"                  
themselves.                                                                   
                                                                              
As more people learn that alcohol problems can be                             
successfully treated at any age, more are willing to seek                     
help to stop drinking.                                                        
                                                                              
Physical Effects of Alcohol
                                                                              
Alcohol slows down brain activity.  It impairs mental                         
alertness, judgment, physical coordination, and reaction                      
time -- increasing the risk of falls and accidents.                           
                                                                              
Over time, heavy drinking can cause permanent damage to                       
the brain and central nervous system, as well as to the                       
liver, heart, kidneys, and stomach.
                                                                              
Alcohol can affect the body in unusual ways, making                           
certain medical problems difficult to diagnose.  For                          
example, the effects of alcohol on the cardiovascular                         
system (the heart and blood vessels) can mask pain, which                     
may otherwise serve as a warning sign of heart attack.                        
Alcoholism can also produce symptoms similar to those of                      
dementia -- forgetfulness, reduced attention, confusion.  If                  
incorrectly identified, such symptoms may lead to                             
unnecessary institutionalization.                                             
                                                                              
Alcohol, itself a drug, mixes unfavorably with many other                     
drugs, including those sold by prescription and those                         
bought over-the-counter.  In addition, use of prescription                    
drugs may intensify the older person's reaction to alcohol,                   
leading to more rapid intoxication.  Alcohol can dangerously                  
slow down performance skills (driving, walking, etc.),                        
impair judgment, and reduce alertness when taken with                         
drugs such as:                                                                
                                                                              
*   "Minor" tranquilizers: Valium (diazepam), Librium                         
    (chlordiazepoxide), Miltown (meprobamate), and                            
    others.                                                                   
                                                                              
*   "Major" tranquilizers: Thorazine (chlorpromazine),                        
    Mellaril (thioridazine), and others.                                      
                                                                              
*   Barbiturates: Luminal (phenobarbital) and others.                         
                                                                              
*   Pain killers: Darvon (propoxyphene), Demerol                              
    (meperidine), and others.                                                 
                                                                              
*   Antihistamines: both prescription and over-the-                           
    counter forms found in cold remedies.                                     
                                                                              
Use of alcohol can cause other drugs to be metabolized                        
more rapidly, producing exaggerated responses.  Such                          
drugs include: anticonvulsants (Dilantin), anticoagulants                     
(Coumadin), and antidiabetes drugs (Orinase).                                 
                                                                              
In some people, aspirin can cause bleeding in the stomach                     
and intestines.  Alcohol also irritates the stomach and can                   
aggravate this bleeding.  The combination of alcohol and                      
diuretics can reduce blood pressure in some individuals,                      
producing dizziness.                                                          
                                                                              
Anyone who drinks -- even moderately -- should check with                     
a doctor or pharmacist about possible drug interactions.                      
                                                                              
Who Becomes a Problem Drinker?                                                
                                                                              
In old age, problem drinkers seem to be one of two types.                     
The first are chronic abusers, those who have used alcohol                    
heavily throughout life.  Although most chronic abusers die                   
by middle age, some survive into old age.  Approximately                      
two-thirds of older alcoholics are in this group.                             
                                                                              
The second type begins excessive drinking late in life, often                 
in response to "situational" factors -- retirement, lowered                   
income, declining health, and the deaths of friends and                       
loved ones.  In these cases, alcohol is first used for                        
temporary relief but later becomes a problem.                                 
                                                                              
Detecting Drinking Problems                                                   
                                                                              
Not everyone who drinks regularly or heavily is an alcohol                    
abuser, but the following symptoms frequently indicate a                      
problem:                                                                      
                                                                              
*   Drinking to calm nerves, forget worries, or reduce                        
    depression.                                                               
                                                                              
*   Loss of interest in food.                                                 
                                                                              
*   Gulping drinks and drinking too fast.                                     
                                                                              
*   Lying about drinking habits.                                              
                                                                              
*   Drinking alone with increasing frequency.                                 
                                                                              
*   Injuring oneself, or someone else, while intoxicated.                     
                                                                              
*   Getting drunk often (more than three or four times in                     
    the past year).                                                           
                                                                              
*   Needing to drink increasing amounts of alcohol to                         
    get the desired effect.                                                   
                                                                              
*   Frequently acting irritable, resentful, or unreasonable                   
    during nondrinking periods.                                               
                                                                              
*   Experiencing medical, social, or financial problems                       
    that are caused by drinking.                                              
                                                                              
Getting Help                                                                  
                                                                              
Older problem drinkers and alcoholics have an unusually                       
good chance for recovery because they tend to stay with                       
treatment programs for the duration.                                          
                                                                              
Getting help can begin with a family doctor or member of                      
the clergy; through a local health department or social                       
services agency; or with one of the following organizations:                  
                                                                              
Alcoholics Anonymous (AA) is a voluntary fellowship of                        
alcoholics whose purpose is to help themselves and each                       
other get -- and stay -- sober.  For information about their                  
programs call your local chapter or write to the national                     
office at P.O. Box 459, Grand Central Station, New York,                      
NY 10163.  They can also send you a free pamphlet on                          
alcoholism and older people entitled "Time to Start Living."                  
                                                                              
National Clearinghouse for Alcohol Information is a Federal                   
information service that answers public inquiries, distributes                
written materials, and conducts literature searches.  For                     
information, write to P.O. Box 2345, Rockville, MD 20852.                     
                                                                              
National Council on Alcoholism distributes literature and                     
can refer you to treatment services in your area.  Call your                  
local office (if listed in the telephone book) or write to the                
national headquarters at 12 West 21st Street, New York,                       
NY 10010.                                                                     
                                                                              
The previous materials are a summary of information                           
published by the National Institute on Aging.  These
materials are meant as a general guideline.  You should                       
always consult with your own physician prior to taking                        
action.