Basic HTML version of Foils prepared August 4 1997

Foil 25 Naïve way Viruses Spread themselves

From Remarks on Java and Internet Security Web Certificate CPS616 Enhancement -- Summer 1997, by Geoffrey C. Fox


Take any good program (for which the virus has write privileges) and take the instruction at location L1.
Replace this by a jump to L2.
Insert the dreadful code at location L2, followed by the original code from location L1. Worry about saving and restoring registers while doing this.
Insert a jump to location L1+1 at the end of the bad code.
The net result is a program that does all the old program did plus whatever else bad is inserted.
This naïve approach can be detected by the presence of the distinctive byte codes formed by the code at L2 or, more precisely, by checking whether a particular program has an unexpected length or modification time.
The hacker who entered NPAC installed a trapdoor into the UNIX command ps in a way that left the length of ps unchanged!
The hacker first entered NPAC by "sniffing" somebody's password and using UNIX bugs to get root permissions.
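The length and modification-time check described above, next to a content hash, as an added example that is not part of the original foils. It shows why the `ps` case matters to a defender: a same-length change with the timestamp put back passes the first two checks and is caught only by the hash. The file name `tool.bin` and its contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Record the attributes a baseline would store for one file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}


def compare(baseline, current):
    """Return the names of the attributes that differ from the baseline."""
    return [k for k in ("size", "mtime_ns", "sha256") if baseline[k] != current[k]]


def demo():
    """Constructed stand-in file: same-length change, timestamp restored."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool.bin")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"\x90" * 64 + b"original bytes of the program")
        baseline = fingerprint(path)

        # Overwrite one byte in place, so the length does not change.
        with open(path, "r+b") as f:
            f.seek(10)
            f.write(b"\x00")
        # Put the recorded timestamp back, as happened in effect with ps.
        ts = baseline["mtime_ns"]
        os.utime(path, ns=(ts, ts))

        # Only the content hash still disagrees with the baseline.
        return compare(baseline, fingerprint(path))


if __name__ == "__main__":
    print(demo())
```

The baseline itself has to be stored where an intruder with root permissions on the monitored host cannot rewrite it, otherwise the comparison proves nothing.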



© Northeast Parallel Architectures Center, Syracuse University, npac@npac.syr.edu


Page produced by wwwfoil on Wed Apr 1 1998