DEFGENC.CVP 930908

Tunnelling

Somewhat related to stealth technology is the concept of "tunnelling". Again, this is a technology, not a virus per se, and one that is used in both viral and antiviral programs.

To examine the concept of tunnelling, let me go back a bit in computer history. Before there were viri, there were trojans. Anti-trojan software was generally of the activity monitoring and operation restricting variety, similar to a number of antiviral programs today. Activity monitors do not really monitor activity. They place traps and interrupts at certain points in the operating system. Certain system calls are either potentially dangerous themselves (such as the function that formats a disk) or are precursors to dangerous activities. Therefore, when a program calls one of these functions, the activity monitor is triggered. Again, this relies upon the fact that operating system functions *must* be made available in a known location so that valid programs can use them.

Activity monitors, as we have said, place traps at the location of potentially dangerous system calls. These traps are generally pieces of code which run the activity monitor program, rather than the original operating system code. The activity monitor can then alert the user, and the user can choose to stop the action, or to allow the action, in which case the original operating system code is run. This means that the activity monitor has performed a very virus-like action. It has made a change to the original state of the system.

Since the state of the system is generally well known, a virus can be written to examine these system entry points. The virus can "tunnel" or trace back along the programming associated with the system call. If an activity monitoring program is found (and this generally means anything other than the original operating system code) the trap can be reset to point to the original system call.
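The chain of traps described above, and the tracing back along it that both viral and antiviral programs perform, can be modelled without touching a real interrupt table. The following is an added example, written for this edition and not part of Slade's column: it builds a constructed vector table whose original handlers live in a made-up OS code region, installs hooks in front of one vector the way a resident activity monitor does, and then "tunnels" down the chain until it reaches code inside that region. The audit view is the antiviral use of the technique: compare each vector against a baseline snapshot, count the foreign handlers in front of the original code, and restore the vector if the chain is not trusted. All addresses, handler names and interrupt numbers are constructed.

```python
"""Constructed model of interrupt-vector hooking and tunnelling (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed address range standing in for the original OS/BIOS code.
OS_CODE_START = 0xF0000000
OS_CODE_END = 0xF000FFFF


@dataclass
class Handler:
    name: str
    address: int
    chain_to: Optional["Handler"] = None  # where a hook jumps after its own work

    def in_os_code(self) -> bool:
        """True if this handler lies in the (constructed) original OS region."""
        return OS_CODE_START <= self.address <= OS_CODE_END


class VectorTable:
    def __init__(self, originals: Dict[int, Handler]):
        self.table: Dict[int, Handler] = dict(originals)
        # Baseline snapshot: what each vector held before any resident program loaded.
        self.baseline = {n: h.address for n, h in originals.items()}

    def install_hook(self, intno: int, hook: Handler) -> None:
        """Put a trap in front of whatever currently services this interrupt."""
        hook.chain_to = self.table[intno]
        self.table[intno] = hook

    def tunnel(self, intno: int) -> List[Handler]:
        """Follow the hook chain from the vector until code in the OS region is reached."""
        path: List[Handler] = []
        h: Optional[Handler] = self.table[intno]
        while h is not None:
            path.append(h)
            if h.in_os_code():
                break
            h = h.chain_to
        return path

    def audit(self, intno: int) -> dict:
        """Defender view: has the vector moved, and what sits between it and the OS?"""
        path = self.tunnel(intno)
        foreign = [h.name for h in path if not h.in_os_code()]
        return {
            "vector_changed": self.table[intno].address != self.baseline[intno],
            "hook_depth": len(foreign),
            "foreign_handlers": foreign,
            "reaches_os_code": bool(path) and path[-1].in_os_code(),
        }

    def restore_original(self, intno: int) -> Handler:
        """Reset the vector to the original OS code found at the end of the chain."""
        path = self.tunnel(intno)
        if path and path[-1].in_os_code():
            self.table[intno] = path[-1]
        return self.table[intno]


def build_sample() -> VectorTable:
    """Constructed table: two original vectors, one of them hooked twice."""
    originals = {
        0x13: Handler("bios_disk_io", 0xF0001234),
        0x21: Handler("dos_services", 0xF0005678),
    }
    vt = VectorTable(originals)
    vt.install_hook(0x21, Handler("activity_monitor", 0x00020000))
    vt.install_hook(0x21, Handler("unknown_resident", 0x00030000))
    return vt


if __name__ == "__main__":
    vt = build_sample()
    for intno in (0x13, 0x21):
        print(hex(intno), vt.audit(intno))
    vt.restore_original(0x21)
    print("after restore", vt.audit(0x21))
```

Running the script shows INT 13h unchanged (depth 0) and INT 21h with two foreign handlers in front of the original DOS code; `restore_original` is exactly the "reset the trap to point to the original system call" step from the text, which is why an activity monitor that relies only on owning the vector cannot tell whether it is still in the chain. A resident monitor that wants to notice this has to re-read its own vector periodically and compare it against what it installed.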
The activity monitoring program is now bypassed, and will *not* trigger--at least not for that particular function.

This same type of activity can be used against viral programs. Viri often trap certain system calls in order to trigger infection activities and so forth. Antiviral software can tunnel along the various interrupts, looking for changes. Viral programs can thus be disarmed.

Tunnelling may seem like a lot of work to go to in order for a virus to defend itself. Indeed it is. One particularly well known, and widely marketed, antiviral has a resident component. Only seven bytes of code are required to disable it. Not to tunnel around it, but to disable it completely. (Viral programs are also becoming more aggressive. One has been found which takes action to disable or cripple no less than fourteen antiviral systems ... )

copyright Robert M. Slade, 1993

=============
Vancouver Institute for Research into User Security, Canada V7K 2G6
ROBERTS@decus.ca | Robert_Slade@sfu.ca | rslade@cue.bc.ca | p1@CyberStore.ca
"The client interface is the boundary of trustworthiness." - Tony Buckland, UBC