Re: And You Thought You Were Paranoid...


Winston B Edmond (bbn.com!wbe@bbn.com)
8 Nov 88 16:33:01 GMT


In article <7080011@eecs.nwu.edu> naim@eecs.nwu.edu (Naim Abdullah) writes:
>In such a situation, you would have no inkling that there was anything
>wrong. The only way to get out of such a situation would be to physically
>replace disk packs. And you would only do that if you got suspicious. But
>why would you get suspicious, since all the commands are giving you a rosy
>picture... ? (probably high disk usage would be one clue, but then the bad
>guy was probably smart enough to have tampered with du and df so you wouldn't
>see the high disk usage; your partitions would just get full and you would
>either blame it on the BSD file system hogging that 10% free space :-) or
>those huge incremental backups that you keep on disk; or to give you some
>free space, the worm could silently truncate files that hadn't been touched
>for three months or so).

Even easier -- use the 10% free space area to hold the virus's files,
then adjust the used-block count. The penalty is somewhat worse disk
performance, and the possibility of detection when the disk is fsck'd,
but how many people worry about reports that the free block count has
been adjusted when there are no reports of broken files?

I agree, though, that the next stage of development for virus and worm
programs is to augment offensive techniques (replication methods) with
improved defensive techniques: evading detection by attacking the tool
programs like ps, and limiting execution of the offensive code so that
runtime and disk usage look normal and negligible.
 -WBE
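The detection Edmond alludes to (an fsck-style recount exposing a doctored used-block count) as an added example, not code from the original post. It models a partition with a hypothetical `ToyFilesystem` class and constructed sample data: the superblock summary is what df-style tools report, but the block bitmap and the inodes' block lists are the authoritative records, so recounting them catches a counter that was adjusted to hide data in the reserved area.

```python
# Added example; not part of the original post. A toy fsck-style recount.
from dataclasses import dataclass


@dataclass
class ToyFilesystem:  # hypothetical, simplified model of one partition
    total_blocks: int
    reserved_blocks: int        # the "10% free space" held back from users
    used_blocks_summary: int    # summary counter kept in the superblock
    bitmap: list                # bitmap[i] is True when block i is allocated
    inode_blocks: set           # every block referenced by some inode


def recount_used(fs):
    """Count allocated blocks from the bitmap instead of trusting the summary."""
    return sum(1 for bit in fs.bitmap if bit)


def check_consistency(fs):
    """Return a list of findings; an empty list means the records agree."""
    findings = []
    actual = recount_used(fs)
    if actual != fs.used_blocks_summary:
        findings.append(f"summary reports {fs.used_blocks_summary} used blocks, "
                        f"bitmap has {actual}")
    # Allocated but owned by no inode: fsck's "unreferenced" blocks. A few
    # appear after a crash; a steady population of them sitting in the
    # reserved region is worth a closer look.
    orphans = [i for i, bit in enumerate(fs.bitmap) if bit and i not in fs.inode_blocks]
    if orphans:
        first_reserved = fs.total_blocks - fs.reserved_blocks
        in_reserved = [i for i in orphans if i >= first_reserved]
        findings.append(f"{len(orphans)} allocated blocks referenced by no inode "
                        f"({len(in_reserved)} inside the reserved area)")
    return findings


def sample_filesystems():
    """Constructed sample data: an honest partition and a doctored copy."""
    total, reserved = 100, 10
    owned = set(range(60))  # blocks 0-59 belong to real files
    honest = ToyFilesystem(total, reserved, 60,
                           [i in owned for i in range(total)], owned)
    # Doctored copy: blocks 90-99 (the reserved area) are marked allocated,
    # no inode claims them, and the summary counter still says 60.
    doctored_bitmap = list(honest.bitmap)
    for i in range(90, 100):
        doctored_bitmap[i] = True
    doctored = ToyFilesystem(total, reserved, 60, doctored_bitmap, owned)
    return honest, doctored
```

On a real ext-family filesystem the same comparison is what e2fsck's free-block count pass performs; the point of the recount is that it never consults the summary it is checking.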



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:29 GMT