1994-02-24 - Re: STEALTH OCEAN

Header Data

From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
To: Brian D Williams <talon57@well.sf.ca.us>
Message Hash: 9970c8803025343385caef1dc6da5d0e05f6195c371a2e508ad0777bbe0e7103
Message ID: <Pine.3.89.9402241251.A4692-0100000@delbruck.pharm.sunysb.edu>
Reply To: <199402241623.IAA08236@well.sf.ca.us>
UTC Datetime: 1994-02-24 18:01:19 UTC
Raw Date: Thu, 24 Feb 94 10:01:19 PST

Raw message

From: Sergey Goldgaber <sergey@delbruck.pharm.sunysb.edu>
Date: Thu, 24 Feb 94 10:01:19 PST
To: Brian D Williams <talon57@well.sf.ca.us>
Subject: Re: STEALTH OCEAN
In-Reply-To: <199402241623.IAA08236@well.sf.ca.us>
Message-ID: <Pine.3.89.9402241251.A4692-0100000@delbruck.pharm.sunysb.edu>
MIME-Version: 1.0
Content-Type: text/plain

On Thu, 24 Feb 1994, Brian D Williams wrote:
 
>  Why not "Parasitize" your program onto Command.com like many
> viruses do? The "Stealth" viruses also employ code that will not
> reveal the change in size to either MEM or CHKDSK; such code can
> also restore the timestamp.

This is a possibility, but one would have to make sure that the resulting
file is indistinguishable from a normal file if one hopes to elude any 
but the most casual observers.  Having a noise block at the beginning of the 
program is definitely a telltale sign that something is amiss.  A simple 
disassembly of the program is all it would take to be sure that the strange
looking noise block doesn't belong.  And, if the method you've suggested 
becomes popular, a standard scan of .COM or .EXE files could be implemented
by your opponent(s).

However, this solution might be effected provided that one somehow makes 
the "noise" block look like a legitimate part of the program it has 
parasitized.  It must also pass the disassembly test.

Another idea might be to make one's "noise" file look like a legitimate
Clipper encrypted file.  Imagine the frustration that would be felt by 
your opponent when even the seemingly appropriate escrow key that he has 
spent months acquiring is of no avail in decrypting the file!  Of course, 
your efforts are going to be for naught when he realizes that your Clipper 
file is nothing of the sort.  :(  Back to square 1.

> 
> 
> Brian Williams
> Extropian
> Cypherpatriot
> 
> "Cryptocosmology: Sufficiently advanced communication is
>                   indistinguishable from noise." --Steve Witham
>  


Sergey
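Sergey's point that "a standard scan of .COM or .EXE files could be implemented by your opponent" is the detection side of this exchange, and it is worth seeing concretely. The following is an added example, not code from the thread or from either poster: a sliding-window Shannon entropy scan of the kind a defender would run over executables. Ordinary 16-bit code draws on a restricted byte alphabet, while an encrypted or random "noise" block uses all 256 values almost uniformly, so its entropy stands out against the program it was appended to. The sample .COM body and the noise block are constructed in-line (a repeating instruction-like pattern and a fixed-seed PRNG stand in for real code and real ciphertext); the window size, stride and 6.5 bits/byte threshold are assumptions chosen for this demonstration.

```python
"""Sliding-window entropy scan for an appended high-entropy ("noise") block.

Added example, not code from the original thread.  It demonstrates the
"standard scan of .COM or .EXE files" mentioned above: a parasitized
program body followed by an encrypted block shows a sharp entropy step
at the point where the foreign bytes begin.  Every byte string below is
constructed in-line; no real binary is read.
"""
import math
import random
from collections import Counter

WINDOW = 256        # bytes per window (assumed value)
STEP = 64           # window stride (assumed value)
THRESHOLD = 6.5     # bits/byte; typical x86 code sits well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_windows(data, window=WINDOW, step=STEP, threshold=THRESHOLD):
    """Return [(offset, entropy)] for every window whose entropy exceeds threshold."""
    flagged = []
    for start in range(0, len(data) - window + 1, step):
        h = shannon_entropy(data[start:start + window])
        if h > threshold:
            flagged.append((start, h))
    return flagged


def find_noise_regions(data, window=WINDOW, step=STEP, threshold=THRESHOLD):
    """Merge overlapping flagged windows into [start, end) byte regions."""
    regions = []
    for start, _ in scan_windows(data, window, step, threshold):
        end = start + window
        if regions and start <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)   # overlaps previous region: extend it
        else:
            regions.append((start, end))
    return regions


# Constructed stand-in for a DOS .COM program body: 64 distinct byte values
# padded with NOP (0x90) sleds, repeated.  Real code is more varied, but the
# point is its restricted alphabet (entropy around 5.5 bits/byte).
CODE_SECTION = (bytes(range(0x40)) + b"\x90" * 16) * 32      # 2560 bytes

# Constructed "noise" block: a fixed-seed PRNG stands in for the encrypted
# payload, which by design looks like uniformly random bytes.
_rng = random.Random(1994)
NOISE_BLOCK = bytes(_rng.getrandbits(8) for _ in range(1024))

# The parasitized file: program body followed by the appended noise block.
SAMPLE_COM = CODE_SECTION + NOISE_BLOCK


if __name__ == "__main__":
    print(f"code section entropy : {shannon_entropy(CODE_SECTION):.2f} bits/byte")
    print(f"noise block entropy  : {shannon_entropy(NOISE_BLOCK):.2f} bits/byte")
    for start, end in find_noise_regions(SAMPLE_COM):
        print(f"suspicious region at 0x{start:04x}-0x{end:04x} "
              f"(code ends at 0x{len(CODE_SECTION):04x})")
```

The scan flags the windows that lie inside the appended block and reports one merged region beginning within one window of the true code/noise boundary, which is exactly the "strange looking noise block" a disassembler would also reveal. The stride matters: a window much larger than the hidden block dilutes its entropy below the threshold, and a block padded out with low-entropy filler (the camouflage Sergey's second paragraph calls for) is precisely what defeats this single-feature check, so in practice entropy is one signal among several rather than a verdict on its own.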
