System for Detecting Undesired Alteration of Software

IP.com Disclosure Number: IPCOM000100333D
Original Publication Date: 1990-Apr-01
Included in the Prior Art Database: 2005-Mar-15
Document File: 3 page(s) / 136K

Publishing Venue

IBM

Related People

Arnold, WC: AUTHOR [+2]

Abstract

Various forms of malicious software (including "computer viruses" and other "Trojan Horses") operate by surreptitiously altering software objects in the attacked system. This invention is a novel system for detecting such alterations, especially alterations made in such a way as to avoid detection by traditional methods.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 45% of the total text.

System for Detecting Undesired Alteration of Software

Various forms of malicious software (including "computer viruses" and other "Trojan Horses") operate by surreptitiously altering software objects in the attacked system. This invention is a novel system for detecting such alterations, especially alterations made in such a way as to avoid detection by traditional methods.

A typical "virus" in an executable (program) file operates by altering other executable files to contain the virus (1). Other possible attacks include the modification of programs to produce subtly incorrect results and the modification of data files to introduce errors.

The traditional approach to detecting such undesirable changes involves computing and then storing a digital signature for each object to be protected, and periodically recomputing the signature and comparing it to the expected value. Objects for which the signature has changed are judged to have been altered, and the user is alerted to the fact. Signatures vary from a bit-for-bit copy of the object to be protected (large, but very reliable) to a shorter binary string computed from the contents of the input object (these strings may be computed, for instance, by standard Cyclic Redundancy Check techniques, or by more sophisticated methods). Several commercial packages now available provide this sort of protection to certain objects on certain computers.

These traditional modification-detection methods have certain weaknesses that may be exploited by authors of malicious software who are familiar with them. The primary weakness of these methods is that they only tell the user which files have changed, and the user must judge whether or not the change was legitimate. A sophisticated piece of malicious software could escape detection by only modifying objects which have recently been modified legitimately. Traditional detection methods will report that the object has been changed, but since a legitimate change was made as well, the user will not interpret this report as a sign of anything amiss. A malicious program can also make undetected changes by altering only objects which have been created recently, and which are therefore not yet recorded in the signature database. In this case, traditional methods will inform the user only that the file is new, and the surreptitious changes will go undetected.
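The following is an added illustration, not code from the IBM disclosure: a minimal traditional signature-based detector of the kind described above, using CRC-32 as the signature. Run over a constructed set of objects (hypothetical names and contents), it shows the blind spot the text describes: a legitimately updated object and a newly created object receive the verdicts "changed" and "new" whether or not a further, unexpected modification was made to them.

```python
import zlib

# Added example (not the disclosure's own code): a traditional
# signature-based modification detector with a CRC-32 signature,
# one of the signature methods the text names.

def signature(data: bytes) -> int:
    """Signature of a protected object's contents (CRC-32)."""
    return zlib.crc32(data) & 0xFFFFFFFF

def record_baseline(objects: dict[str, bytes]) -> dict[str, int]:
    """Compute and store a signature for every object present at baseline time."""
    return {name: signature(data) for name, data in objects.items()}

def check(baseline: dict[str, int], objects: dict[str, bytes]) -> dict[str, str]:
    """Recompute each signature and compare it with the stored value.
    The verdict says only whether an object is unchanged, changed, new or
    missing; it cannot say whether a change was legitimate."""
    verdicts = {}
    for name, data in objects.items():
        if name not in baseline:
            verdicts[name] = "new"          # created after the baseline
        elif signature(data) != baseline[name]:
            verdicts[name] = "changed"
        else:
            verdicts[name] = "unchanged"
    for name in baseline.keys() - objects.keys():
        verdicts[name] = "missing"
    return verdicts

# Constructed scenario with hypothetical file names and contents.
BASELINE_OBJECTS = {
    "editor.exe": b"EDITOR v1",
    "payroll.exe": b"PAYROLL v1",
}

def run_scenario(extra_modification: bool) -> dict[str, str]:
    """Objects as seen at check time. editor.exe has received a legitimate
    update and report.exe has been created since the baseline; with
    extra_modification=True both also carry an additional unexpected change."""
    extra = b"<unexpected modification>" if extra_modification else b""
    later = {
        "editor.exe": b"EDITOR v2" + extra,
        "payroll.exe": b"PAYROLL v1",
        "report.exe": b"REPORT v1" + extra,
    }
    return check(record_baseline(BASELINE_OBJECTS), later)

if __name__ == "__main__":
    # The two reports are identical, which is the weakness the text describes.
    print(run_scenario(False) == run_scenario(True))  # True
```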

This invention is a system (which may be used alone, or in conjunction with a traditional signature-check of the protected objects) which provides a further set of checks designed to detect modifications that are made with the traditional checks in mind. A typical implementation of the system will consist of two parts:
   a traditional signature-based modification-detector; possible signature algorithms include, but are not limited to:
        -  exact copies of the protected objects,
        -  Standard CRC checks of th...