This was an interesting story this week: http://www.theregister.co.uk/2007/09/17/vista_hit_by_stoned_angelina/
It made me think, have antivirus products gotten any smarter?
I remember in the early days of computer viruses (early 90s) when antivirus products had signature recognition and/or CRC checks against files. (Gees…have things changed or do we have less now?) Remember the “heuristic detection” claims?
A product called Victor Charlie emerged that should have been a disruptive technology but for some reason, never made it. (Read: VHS vs Beta etc etc….same old story). We actually deployed it countrywide at the company I worked for at the time (in combination with the usual signature-based scanning just to be sure…as you did at the time).
The product was smart…far smarter in terms of approach/forward thinking than anything else we were seeing emerge from the main anti-virus vendors.
Now keep in mind, this is early 90s. This product would reside in memory and “bait” viruses – intercepting calls to interrupts 13H and 21C (gees, correct me if I got that wrong, it has been a while)…the calls that needed to be made to either infect the boot sector or files directly.
Skipping ahead….it would then capture a string of the virus code, alert the user/admin and then store that string, enabling the admin to use the captured string within the scanning component of the package to scan for other potential instances in the environment….all on the fly.
Now the latter part, i.e., capturing a string of code to use on the fly in a new scan, was not perfect but gees, that ability to detect an unknown virus by way of the “baiting” technique at the time was brilliant.
It just never took off. Far ahead of its time and the dudes that developed it, I have no idea whatever happened to them; Bangkok Security Associates. Had these guys succeeded, I wonder if things may have progressed differently. (Yeah, I know the number of bits we work with now has increased but maybe the intelligence of the guys working on the protection side of things may have also!)
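
The bait-then-scan idea described above, as an added sketch (not Victor Charlie's code, and not from the original post): it assumes a decoy file checked by CRC instead of a memory-resident interrupt hook, and all names and sample bytes are constructed. It also shows why the captured string "was not perfect": a string that is too short also matches a clean file.

```python
import zlib

# Constructed, inert sample data: the "foreign" bytes are a plain text marker.
MARKER = b"COPYRIGHT-SAMPLE-MARKER-0001"
BAIT = bytes(i % 251 for i in range(256))   # decoy content nothing legitimate modifies
FILES = {
    "A.COM": b"\x01\x02" + MARKER + b"\x03",    # carries the same foreign bytes
    "B.COM": b"clean program COPYRIGHT 1991",   # clean, but shares a common word
    "C.COM": b"clean program",
}

def bait_changed(original, current):
    """Integrity check on the bait: length plus CRC32."""
    return len(original) != len(current) or zlib.crc32(original) != zlib.crc32(current)

def capture_string(original, current, length=16):
    """Return up to `length` foreign bytes from a modified bait, None if untouched."""
    if not bait_changed(original, current):
        return None
    if current.startswith(original):            # content appended after the bait
        foreign = current[len(original):]
    else:                                       # prepended or overwritten
        start = next((i for i, (a, b) in enumerate(zip(original, current)) if a != b),
                     min(len(original), len(current)))
        foreign = current[start:]
    return foreign[:length]

def scan(files, signature):
    """Names of files containing the captured string (empty signature matches nothing)."""
    if not signature:
        return []
    return sorted(name for name, data in files.items() if signature in data)

def demo():
    touched = BAIT + MARKER                     # the bait after something wrote to it
    short = capture_string(BAIT, touched, length=9)
    longer = capture_string(BAIT, touched, length=16)
    return scan(FILES, short), scan(FILES, longer)

if __name__ == "__main__":
    print(demo())
```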

Like most good security stories.. I don’t know whether to laugh or cry
Dec:
How about laugh at the people crying or cry at the people laughing?
Ah I get confused too
Nice….so neither of you pulled me up on the interrupts.