Viruses

John M. Morris jmorris at dtx.net
Sun Apr 19 14:51:04 EDT 1998


On Sat, 18 Apr 1998, Jim Richards wrote:

> When this first happened, I too was sceptical since it went against 
> everything I knew about viruses and how they work.  All of our 
> stations' hard drives were completely marked as read-only. (except for 
> files that HAD to be written to) Yet, I still found a virus on 3 out 
> of 25 machines.  It was the exact same virus on each machine, sorry, 
> I don't remember the name of it...

Your problem there was you expected a virus to actually honor the read
only bit.  It is only a recommendation, not a prohibition since all
Messy-DOS apps run with full (i.e. root) access.  Heck, all it even means
to File Manager is an extra OK to click.  :) 

All it takes is for someone to get a Blue Screen 'O Death(tm) and punch
Reset with a floppy in the drive and whammo, you are infested regardless
of how many read only bits or third party utils you have installed. 
Unless you are one of the minority who actually go into CMOS and set the
boot order to C,A or just C.   But even that won't provide a 100% fix to
users running unsafe code.  If you throw enough money at the problem you
can almost secure a Windows box.

Which is why, when I was given the task of setting up six patron machines
I took a different approach.  First off I realized I could spend a LOT of
time and a LOT of money on the problem, but since I was doing it on a
contract basis that didn't sound very appealing.  So I decided the best
way to secure a DOS box is NOT to secure it. Or at least not from DOS. 

So the contract specified a hard drive of at least 500MB (this was almost
two years ago... my how times change) so I upped that to 1GB and stuck
Linux on half of all the drives and put Windows on the other half.  The
only concessions to security were setting the flags in progman.ini to
forbid users from deleting icons, exiting windows or accessing the Run
command and installing McAfee to prevent infected floppies from spreading
between patrons. CyberPatrol was also included on the three children's
machines.

Now for the interesting part.  I set the machines so that Linux would come
up by default on boot, and since LILO was in the boot sector any boot
sector virus would either try to modify it and go BOOM or erase LILO,
which would be as obvious as sending up a flare.  I made a gzipped copy of
each machine's DOS side and stored it away on the protected Linux side.
Every night, the staff go by each machine and hit reset so Linux will run
overnight.  Late at night it restores the DOS side and forces a reboot
back into Windows so that in the morning the machine is pristine.  Typing
'restore' at the LILO prompt forces a restore during the day (only takes a
few minutes) and an onscreen boot message informs users that if they are
rebooting from a crash to type 'dos' and windows will come back up
normally without the delay of a restore.

There are other features of this scheme, such as the ability to restore
from another machine's image (modifying the hostname and IP on the fly) to
make it easy to upgrade software.  I put the newest Netscape on one Adult
and one Children's machine and let the others restore over the network.

All of the described software is freely available, Open Source software
and I'd be happy to share it with anyone else who would like to give it a
try.  This system has been in use for going on two years and I have yet to
have to waste any time sorting out crashed machines.

John M.      http://www.dtx.net/~jmorris         This post is 100% M$ Free!
Geek code 3.0:GCS C+++ UL++++$ P++ L+++ W+ N++ w--- Y+ 5+++ R tv- b++ e* r%
===========================================================================
The views expressed certainly don't reflect those of CCC Internet Services.
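Added example (not the poster's own scripts, which were not attached to this message): a small shell sketch of the nightly "put the DOS side back from a gzipped image" step and the LILO label handling the post describes. It assumes the Windows partition is a block device such as /dev/hda1, that the image lives on the Linux side at a path like /var/lib/dosimage/hda1.img.gz, that LILO passes the chosen label to the kernel as BOOT_IMAGE=<label>, and that `lilo -R dos` is used to make the 'dos' entry the default for the next boot only. The function and file names are hypothetical, and the demo at the bottom uses plain files standing in for the partition so it can be run without touching a real disk.

```shell
#!/bin/sh
# Restore-a-patron-machine sketch (added example, not from the original post).
# Assumed layout: image + checksum on the protected Linux side, Windows on
# /dev/hda1.  Both are plain files in the demo below.

# Make a compressed image of SRC at IMG and record a checksum beside it, so a
# corrupted image is detected before it is ever written over the partition.
make_image() {
    src="$1"; img="$2"
    gzip -c "$src" > "$img" || return 1
    cksum "$img" | cut -d' ' -f1,2 > "$img.cksum"
}

# Verify IMG against its recorded checksum, then stream it onto DST with dd.
# Returns non-zero and writes nothing when the checksum does not match.
restore_image() {
    img="$1"; dst="$2"
    expected=$(cat "$img.cksum") || return 1
    actual=$(cksum "$img" | cut -d' ' -f1,2)
    if [ "$expected" != "$actual" ]; then
        echo "image checksum mismatch, refusing to restore" >&2
        return 1
    fi
    gzip -dc "$img" | dd of="$dst" bs=64k 2>/dev/null
}

# Decide what Linux should do from the kernel command line it was booted with.
# 'restore' is the label a staffer types at the LILO prompt for an immediate
# restore; the plain default label just runs Linux overnight until cron does
# the restore.  The 'dos' label never reaches Linux at all: LILO chainloads
# Windows directly, which is why a post-crash 'dos' boot skips the restore.
boot_action() {
    cmdline="$1"
    case " $cmdline " in
        *" BOOT_IMAGE=restore "*) echo restore ;;
        *)                        echo nightly ;;
    esac
}

# After a restore, hand the machine back to Windows.  lilo -R makes 'dos' the
# default for the next boot only, so the following reset lands in Linux again.
# DRY_RUN=1 (the default here) only prints the commands.
reboot_to_windows() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "lilo -R dos && reboot"
    else
        lilo -R dos && reboot
    fi
}

# Demo with constructed files standing in for /dev/hda1 and the stored image.
tmp=$(mktemp -d)
printf 'pristine windows side\n' > "$tmp/hda1"
make_image "$tmp/hda1" "$tmp/hda1.img.gz"
printf 'trashed by a patron\n' > "$tmp/hda1"        # simulate a day of use
restore_image "$tmp/hda1.img.gz" "$tmp/hda1" && cat "$tmp/hda1"
boot_action "ro root=/dev/hda2 BOOT_IMAGE=restore"
reboot_to_windows
rm -rf "$tmp"
```

On a real machine the cron entry would call restore_image with the device path, then reboot_to_windows with DRY_RUN=0; the checksum step is the one addition worth keeping even in a quick-and-dirty setup, since a silently truncated image would otherwise be written back every night.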