- Path: sparky!uunet!ukma!cs.widener.edu!dsinc!netnews.upenn.edu!netnews.cc.lehigh.edu!news
- From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
- Newsgroups: comp.virus
- Subject: Re: Kuo's infection theory (PC)
- Message-ID: <0007.9211171913.AA17490@barnabas.cert.org>
- Date: 16 Nov 92 15:02:19 GMT
- Sender: virus-l@lehigh.edu
- Lines: 29
- Approved: news@netnews.cc.lehigh.edu
-
- tyetiser@umbc3.umbc.edu (Mr. Tarkan Yetiser) writes:
-
- > Dr. Cohen's coverage of the material is fairly broad yet concise.
- > Curious individuals are recommended to take a look at it. You might
- > learn something. Here is one: "... for small files, deriving CRC
- > coefficients is trivial; and for "empty" files, CRC codes may show the
- > CRC coefficients directly."
-
- This is one point where I (and Yisrael Radai, I believe, will support
- me) disagree with Dr. Cohen. Deriving the CRC coefficients is
- "trivial" only if you have enough file-checksum pairs. If you are
- really smart and don't care about the file size, "enough" can be
- reduced to "one". However, most self-respecting checksummers also
- record the file size, so this is just a theoretical speculation.
-
- Otherwise, i.e., if the checksum database is kept off-line and out of
- the reach of the virus, there is no way to derive the CRC
- coefficients, without knowing the polynomial used for the CRC. And, if
- the virus -does- have access to the signature database, then all bets
- are off, since it could go stealth instead, modify the database, and
- lots of other nasty tricks.
-
- Regards,
- Vesselin
- - --
- Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
- Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
- < PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
- e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
-
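Added example, not part of the original post: a plain CRC-16 (zero initial value, no reflection, no final XOR) with a constructed "secret" polynomial, counting how many candidate polynomials stay consistent with the file-checksum pairs that are visible. SECRET_POLY, the sample files and all function names are assumptions made for this illustration, not any real checksummer's parameters.

```python
# Added illustration; SECRET_POLY and the sample "files" are constructed values.
from typing import Iterable, List, Tuple

WIDTH = 16
MASK = (1 << WIDTH) - 1
TOP = 1 << (WIDTH - 1)
SECRET_POLY = 0xA3C5  # constructed stand-in for a checksummer's private polynomial


def crc(data: bytes, poly: int) -> int:
    """Plain MSB-first CRC: zero initial value, no reflection, no final XOR."""
    reg = 0
    for byte in data:
        reg ^= byte << (WIDTH - 8)
        for _ in range(8):
            carry = reg & TOP
            reg = (reg << 1) & MASK
            if carry:
                reg ^= poly
    return reg


def consistent_polys(pairs: Iterable[Tuple[bytes, int]]) -> List[int]:
    """Every 16-bit polynomial that reproduces all observed (file, checksum) pairs."""
    pairs = list(pairs)
    return [p for p in range(1 << WIDTH)
            if all(crc(data, p) == check for data, check in pairs)]


def exposure_report() -> dict:
    tiny = b"\x01"              # constructed one-byte file
    larger = b"MZ\x90\x00\x03"  # constructed five-byte file
    return {
        # Database kept off-line: no pairs are visible, so nothing is narrowed down.
        "no_pairs": len(consistent_polys([])),
        # One pair from this tiny file: the stored checksum is the polynomial itself.
        "tiny_checksum": crc(tiny, SECRET_POLY),
        "tiny_pair": consistent_polys([(tiny, crc(tiny, SECRET_POLY))]),
        # One pair from a longer file may leave more than one candidate.
        "larger_pair": consistent_polys([(larger, crc(larger, SECRET_POLY))]),
    }


if __name__ == "__main__":
    for key, value in exposure_report().items():
        shown = [hex(v) for v in value] if isinstance(value, list) else value
        print(key, shown)
```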