DEFGENC.CVP   930908
 
                            Tunnelling
 
Somewhat related to stealth technology is the concept of
"tunnelling".  Again, this is a technology, not a virus per se, and
one that is used in both viral and antiviral programs.
 
To examine the concept of tunnelling, let me go back a bit in
computer history.  Before there were viri, there were trojans. 
Anti-trojan software was generally of the activity monitoring and
operation restricting variety, similar to a number of antiviral
programs today.  Activity monitors do not really monitor activity. 
They place traps and interrupts at certain points in the operating
system.  Certain system calls are either potentially dangerous
themselves (such as the function that formats a disk) or are
precursors to dangerous activities.  Therefore, when a program calls
one of these functions, the activity monitor is triggered.  Again,
this relies upon the fact that operating system functions *must* be
made available in a known location so that valid programs can use
them.
 
Activity monitors, as we have said, place traps at the location of
potentially dangerous system calls.  These traps are generally
pieces of code which run the activity monitor program, rather than
the original operating system code.  The activity monitor can then
alert the user, and the user can choose to stop the action, or to
allow the action, in which case the original operating system code
is run.
 
This means that the activity monitor has performed a very virus-like
action.  It has made a change to the original state of the
system.  Since the state of the system is generally well known, a
virus can be written to examine these system entry points.  The
virus can "tunnel" or trace back along the programming associated
with the system call.  If an activity monitoring program is found
(and this generally means anything other than the original operating
system code) the trap can be reset to point to the original system
call.  The activity monitoring program is now bypassed, and will
*not* trigger--at least not for that particular function.
 
This same type of activity can be used against viral programs.  Viri
often trap certain system calls in order to trigger infection
activities and so forth.  Antiviral software can tunnel along the
various interrupts, looking for changes.  Viral programs can thus be
disarmed.
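The mechanism in the three paragraphs above (a trap installed in front of an operating system entry point, and a tunnelling check that traces the chain back to the original code and relinks around anything foreign) is easier to see in a small model.  The C below is an added example, not code from Slade's column and not real DOS code: the interrupt vector, the handler chain and the owner labels are all constructed in memory, and a handler is recognised as "original operating system code" by an explicit tag rather than, as a real tunneller would have to, by where its address lies.  It is written from the antiviral side described in the last paragraph: audit the chain, count the hooks that belong to nobody known, and unlink them so the trusted monitor and the OS handler are what remain.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of one interrupt vector and the chain of handlers
   hooked in front of it.  In real DOS the vector is a far pointer at a
   known low-memory address; here it is an index into handlers[]. */

#define MAX_HANDLERS 8
#define NO_HANDLER   (-1)

enum owner { OWNER_OS, OWNER_MONITOR, OWNER_UNKNOWN };

struct handler {
    const char *name;   /* label for the report */
    enum owner  owner;  /* who installed this code (assumed knowable) */
    int         next;   /* saved vector this hook chains to, or NO_HANDLER */
    int         calls;  /* how often it has run */
};

static struct handler handlers[MAX_HANDLERS];
static int handler_count = 0;
static int vector = NO_HANDLER;   /* what runs when the interrupt fires */

static void reset_table(void) {
    memset(handlers, 0, sizeof handlers);
    handler_count = 0;
    vector = NO_HANDLER;
}

static int current_vector(void) { return vector; }

/* Installing a trap: save the current vector, point the vector at
   yourself.  The OS handler is installed first with nothing behind it. */
static int install_handler(const char *name, enum owner owner) {
    if (handler_count >= MAX_HANDLERS) return NO_HANDLER;
    int id = handler_count++;
    handlers[id].name  = name;
    handlers[id].owner = owner;
    handlers[id].next  = vector;
    handlers[id].calls = 0;
    vector = id;
    return id;
}

/* Raising the interrupt: every hook runs, then passes control on.
   Returns the number of handlers that ran.  The step limit guards
   against a chain that has been made to loop back on itself. */
static int raise_interrupt(void) {
    int depth = 0;
    for (int h = vector; h != NO_HANDLER && depth < MAX_HANDLERS;
         h = handlers[h].next) {
        handlers[h].calls++;
        depth++;
    }
    return depth;
}

/* Tunnelling as an audit: follow the chain from the live vector back to
   the original OS code, counting hooks that are neither the OS nor the
   trusted monitor.  *root_out receives the OS handler found (or
   NO_HANDLER if the chain never reaches it, itself a warning sign). */
static int tunnel_audit(int *root_out) {
    int foreign = 0, root = NO_HANDLER, steps = 0;
    for (int h = vector; h != NO_HANDLER && steps < MAX_HANDLERS;
         h = handlers[h].next, steps++) {
        if (handlers[h].owner == OWNER_OS)           root = h;
        else if (handlers[h].owner == OWNER_UNKNOWN) foreign++;
    }
    if (root_out) *root_out = root;
    return foreign;
}

/* Disarming: relink each foreign hook out of the chain by pointing
   its predecessor (or the vector itself) at the address the hook had
   saved.  Trusted hooks stay in place.  Returns the number removed. */
static int unhook_foreign(void) {
    int removed = 0, prev = NO_HANDLER, steps = 0;
    for (int h = vector; h != NO_HANDLER && steps < MAX_HANDLERS; steps++) {
        int next = handlers[h].next;
        if (handlers[h].owner == OWNER_UNKNOWN) {
            if (prev == NO_HANDLER) vector = next;
            else handlers[prev].next = next;
            removed++;
        } else {
            prev = h;
        }
        h = next;
    }
    return removed;
}

int main(void) {
    reset_table();
    install_handler("os: disk/file service", OWNER_OS);
    install_handler("activity monitor",      OWNER_MONITOR);
    install_handler("unknown resident code", OWNER_UNKNOWN);  /* constructed */

    int root;
    printf("handlers run per call: %d\n", raise_interrupt());
    printf("foreign hooks found:   %d\n", tunnel_audit(&root));
    printf("chain reaches OS code: %s\n", root == NO_HANDLER ? "no" : "yes");
    printf("hooks removed:         %d\n", unhook_foreign());
    printf("vector now points at:  %s\n", handlers[current_vector()].name);
    return 0;
}
```

The order of installation is the whole point: whoever hooks last is first in line, so the audit has to walk the entire chain rather than inspect only the vector, and the repair has to preserve the links of the handlers it keeps.  A real tunneller has no owner tags and must instead decide, from the address of each handler, whether it lies inside the operating system's own code; that judgement is where the technique is fragile, which is why the column calls it a lot of work.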
 
Tunnelling may seem like a lot of work to go to in order for a virus
to defend itself.  Indeed it is.  One particularly well known, and
widely marketed, antiviral has a resident component.  Only seven
bytes of code are required to disable it.  Not to tunnel around it,
but to disable it completely.  (Viral programs are also becoming
more aggressive.  One has been found which takes action to disable
or cripple no less than fourteen antiviral systems ... )
 
copyright Robert M. Slade, 1993   DEFGENC.CVP   930908
 
============= 
Vancouver      ROBERTS@decus.ca         | "The client interface
Institute for  Robert_Slade@sfu.ca      |  is the boundary of
Research into  rslade@cue.bc.ca         |  trustworthiness."
User           p1@CyberStore.ca         |    - Tony Buckland, UBC
Security       Canada V7K 2G6           |