File Corruption Detection (DETEKT)
This program was created at the request of AIG Corporation. It was used by agents to assure the safety of client information.
File Corruption Detection (DETEKT)
Version 1.0
All Rights Reserved
FOR SINGLE USER COMPUTERS CONNECTED OR NOT
Our reason for the development of this program is to provide the typical, non-technical
computer user early warning against a virus attack or defective software that might
corrupt his/her computer system. FCD(DETEKT) limits the problem, allowing
your computer security contingency plan to be enforced prior to execution of a corrupt
program. Should you not have a computer security contingency plan, consider the orderly
process suggested following the completion of the FCD(DETEKT) operational instructions.
With FCD(DETEKT) as part of your daily start up routine and re-executed after the entry
of any software or data on to your system from an outside source, including trusted
computer software, you should be safeguarded from the unknowns which are basic to less
than reasonable security. You may use FCD(DETEKT) as the cornerstone of your
software quality program and reduce the potential for major problems. FCD(DETEKT)
ALERTS YOU TO THE PROBLEM WHILE MINIMIZING THE POSSIBILITY FOR
SUCCESSFUL CORRUPTION.
Introducing FCD(DETEKT) to your Computer System
Insert the FCD(DETEKT) floppy disk into your A: drive. Be sure the drive door is
secured. As an initial precaution type DIR/W at the drive A: prompt. You will see that four
files are on the disk:
DETEKT.EXE
SAFEZONE.EXE
NEWZONE.EXE
MANUAL1
The disk you have inserted into your A: drive has been DETEKT processed to assure
integrity. Type DETEKT at the A: prompt. When the introductory screen appears press the
RETURN key. The next screen will consist of two windows. In the lower window you will
see printed the three .EXE programs. Across the top-most window you will see three boxed
words, FILE, CHECK and QUIT. Press the right arrow key once so as to highlight CHECK.
Press the RETURN key. A new window will open. You will be positioned at the line
SPECIAL FILES. Press the RETURN key. As you watch, DETEKT will open a third
window and validate that no changes have been made to this original disk. When the
process ends (it takes about 8 seconds) use the right arrow key to move to QUIT. Press
the RETURN key. Read the final message; it is worth remembering. Press the RETURN
key again. You have just completed a task which should be the basis for safe computing.
YOU have validated the integrity of your disk. Now let's install DETEKT system wide.
Type the command line COPY A:DETEKT.EXE C: and press the return key. The
FCD(DETEKT) basic program will now be resident upon the root directory of drive C:. Next
type the command line DETEKT and press the return key.
The introductory screen tells you that the program File Corruption Detection has begun.
Press the return key again.
You will now see three choices displayed across the top of the screen. They are FILE,
CHECK and QUIT. Under the FILE choice three options are listed (DRIVE SELECTION,
ADD FILES and DELETE FILE).
DRIVE SELECTION allows you to choose drives A: through I: if the drive physically
exists and is configured into the computer system. In the case of floppy disk drives the
drive door must be properly closed with a formatted disk mounted in the drive. If you utilize
a hard drive choose drive C:.
Using the arrow keys drop down one level to ADD FILES. Press the return key. Notice
that the upper window now shows the directories and files in the root directory. The
cursor box now bounds the first item (leftmost, topmost). To choose this item,
simply press the return key. In less than a second the chosen file name will appear in the
lower window. FCD(DETEKT) has opened a hidden directory, calculated both a
checksum and CRC, and identified the date stamp, time stamp and file attributes. That
information is added to the control file within the hidden directory. The cursor is back in
its original position. Use the arrows to move to the next file you wish protected. For your
protection, the cursor always returns to its home position and creates a unique detectable
path. In this way path deviations which substitute a duplicate named program will not be
allowed to distort your original intent.
Should you choose a directory, the FCD(DETEKT) will display the programs in that
directory. FCD(DETEKT) can drop down to the lowest sub-sub-sub-subdirectory on your
drive. Again choose the file to be protected by moving the arrow keys to your selection.
Press return to invoke FCD(DETEKT).
NOTE: In order to assure that the proper path is chosen and encoded in the FCD(DETEKT)
bounding scheme you must begin from the root directory each time. While we realize that this
method is a bit more time consuming, it provides your system with the maximum unique protection available. Short cut logic creates windows of vulnerability. The ADD FILES logic is a balance between user friendliness and encryption effectiveness.
When you are satisfied that all the files normally in daily use are protected press the
ESCape key to return to the choices.
The DELETE FILE option helps those who make mistakes to remove them. As before
during the file to be protected selection use the arrow keys to locate the file to be
unprotected. Press the return key and the file will be removed from the lower window. The
ESCape key will return you to the option choices.
At this point you have created a set of controls for the most active and/or vulnerable
files. Those files are bounded so that if corruption, willful or negligent, occurs you will be notified
at the next DETEKT execution. The control file is in the hidden subdirectory in encrypted
form. It is backed up in a hidden moving file somewhere on drive C:.
Moving on to the CHECK command, move the right arrow one position. The
options available are SPECIAL FILES, DISK FILES, ALL FILES, UPDATE DISK and
UPDATE ALL. Move the bounded cursor down to SPECIAL FILES and press the return
key. A window opens in the center of your screen as all the files you chose during the
setup are verified and validated. This is probably the most used command in the schema.
FCD(DETEKT) is designed to afford full disk protection. Move the bounded cursor to
the middle line, UPDATE DISK. This command causes FCD(DETEKT) to establish a disk
control file. First DETEKT verifies itself then it proceeds to establish controls for every file
on the drive currently specified. The command UPDATE ALL will create a control for every
file on every installed and active (loaded and on-line) drive from A: through I:. As a point
of reference the initial processing of a fully loaded 32MB drive takes approximately 25
minutes while a 362k floppy requires approximately one minute.
The command DISK FILES performs a verification of the full current disk against the
control file created by the ALL FILES process. Verification requires about 5 minutes for the
32MB drive described above. We recommend that the DISK FILES be processed
immediately after any software is added. The UPDATE ALL examines all disks installed
and active (loaded and on-line) from A: through I:
The ESCape key returns you to the highest command level.
The use of the right arrow will put you into QUIT mode so that when completed you may
exit FCD(DETEKT).
Closing corruption loopholes FCD(SAFEZONE)
In order to assure total coverage, we have developed the SAFEZONE. Corruption
which enters your system in data files can be executed when that file, i.e., a spreadsheet
or word processor file or text, is called. This corruption is limited to two specific parts of
your system, the BOOT track (track 0) and the FILE ALLOCATION TABLE (FAT).
SAFEZONE allows you to back up both areas on a clean, formatted floppy disk. Should you
experience a disk problem you need only shut down the system, wait thirty seconds (30)
and reboot using your original DOS boot disk. When the reboot is complete mount the
SAFEZONE FLOPPY DISK in drive A: and type the command NEWZONE. The damaged
track and FAT will be replaced. Your system is as it was prior to the attack. Attacks cannot
be stopped but they can be contained and neutralized.
Be sure to copy the offending file to a floppy disk prior to deleting the file from your
computer system. In this way a computer security professional can analyze the culprit.
Upon deleting the corrupt file process DETEKT using the Command CHECK and the sub-
command ALL FILES. This will assure that the corruption has not attempted to hide itself
so that it might reoccur at a later time.
Processing SAFEZONE
SAFEZONE backups should be generated at the end of each work period prior to
shutdown. SAFEZONE Backups should be generated prior to any on-line down loading
of files. To create a SAFEZONE FLOPPY DISK:
1. Mount a clean formatted floppy disk in drive A:. Be sure the door is properly closed
and locked.
2. Type the command SAFEZONE and press the return key
3. COPY NEWZONE.EXE to the floppy disk you just updated.
Processing NEWZONE
1. Reboot the computer using the original DOS boot disk placed in drive A:.
2. Place the SAFEZONE FLOPPY DISK in drive A:. Be sure the drive door is securely
closed and locked.
3. Type the command NEWZONE and press the return key
4. Copy the corrupted file to a floppy
5. Delete the corrupt file from your disk
6. Use DETEKT to validate the entire disk
7. Return to your normal routine
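The SAFEZONE/NEWZONE procedure above, as an added Python example (not the SAFEZONE or NEWZONE programs' own code): it reads the BIOS Parameter Block in a FAT12 boot sector to size the boot-sector-plus-FAT region, copies that region out, and writes it back after the region has been overwritten. The disk image, its layout values and the user payload are constructed for the demonstration.

```python
"""Boot-sector and FAT backup and restore modelled on SAFEZONE/NEWZONE.

Added example, not the SAFEZONE or NEWZONE programs' own code.  The BIOS
Parameter Block (BPB) in the boot sector says how many reserved sectors
precede the FAT copies, how many copies there are and how long each is, so
the zone to save is the first reserved + num_fats * sectors_per_fat sectors.
"""
import struct

SECTOR = 512


def safezone_extent(image):
    """Parse the BPB and return the byte length of boot sector(s) plus FATs.
    Raises ValueError when the boot sector no longer holds a sane BPB."""
    bytes_per_sector, = struct.unpack_from("<H", image, 11)
    reserved_sectors, = struct.unpack_from("<H", image, 14)
    num_fats = image[16]
    sectors_per_fat, = struct.unpack_from("<H", image, 22)
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        raise ValueError("bad bytes-per-sector in BPB")
    if reserved_sectors == 0 or num_fats == 0 or sectors_per_fat == 0:
        raise ValueError("bad sector counts in BPB")
    if image[510:512] != b"\x55\xaa":
        raise ValueError("boot sector signature missing")
    return (reserved_sectors + num_fats * sectors_per_fat) * bytes_per_sector


def safezone(image):
    """SAFEZONE: copy the boot track and FAT copies out of the image."""
    return bytes(image[:safezone_extent(image)])


def newzone(image, backup):
    """NEWZONE: write the saved zone back over the damaged image.  The
    backup is validated against its own BPB first so a truncated or
    corrupt backup is refused rather than written."""
    if len(backup) != safezone_extent(backup):
        raise ValueError("backup length does not match its BPB")
    restored = bytearray(image)
    restored[:len(backup)] = backup
    return bytes(restored)


def make_image():
    """Constructed 360K-style FAT12 floppy: 512-byte sectors, 1 reserved
    sector, 2 FATs of 2 sectors each, 720 sectors in all."""
    img = bytearray(720 * SECTOR)
    img[0:3] = b"\xeb\x3c\x90"          # jump over the BPB
    img[3:11] = b"CONSTRCT"             # OEM name
    struct.pack_into("<HBHBHHBHHHII", img, 11,
                     512,   # bytes per sector
                     2,     # sectors per cluster
                     1,     # reserved sectors (the boot sector itself)
                     2,     # number of FAT copies
                     112,   # root directory entries
                     720,   # total sectors
                     0xFD,  # media descriptor for a 360K floppy
                     2,     # sectors per FAT
                     9, 2,  # sectors per track, heads
                     0, 0)  # hidden sectors, large sector count
    img[510:512] = b"\x55\xaa"          # boot signature
    for fat in (1 * SECTOR, 3 * SECTOR):    # both FAT copies
        img[fat:fat + 3] = b"\xfd\xff\xff"  # media byte and end-of-chain
    return img


def demo():
    """Constructed run: back up the zone, wipe it, confirm the BPB is gone,
    restore it, and check user data in the data area was never touched."""
    img = make_image()
    payload = b"constructed user data file"
    img[8192:8192 + len(payload)] = payload     # inside the data area
    backup = safezone(img)                      # end-of-day SAFEZONE backup
    damaged = bytearray(img)
    damaged[:5 * SECTOR] = b"\xa5" * (5 * SECTOR)   # boot track and FATs wiped
    try:
        safezone_extent(damaged)
        bpb_readable = True
    except ValueError:
        bpb_readable = False
    restored = newzone(damaged, backup)
    return {"zone_bytes": len(backup),
            "bpb_readable_after_damage": bpb_readable,
            "restored_matches": restored == bytes(img),
            "data_survived": restored[8192:8192 + len(payload)] == payload}
```

On a real diskette the same sizing applies to the raw device image; the point of the demo is that once the BPB is gone the zone cannot be re-derived, which is why the backup has to be taken while the disk is still clean.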
DETEKT PRODUCT SPECIFICATION
DETEKT -- is composed of three sub-areas, each containing options which support the
execution of the change detection feature. Detection of change in every
possible condition, attribute or combination thereof is the only positive mechanism to
identify differences which might constitute a threat to the computing environment.
DETEKT change detection goes beyond that typical of virus checkers. It develops a
dual CRC/Checksum based upon the file size, file name, directory, path from
root to the file, date stamp, time stamp, all attributes, header length and location upon the
disk. Any change is logged and alerts DETEKT.
1. FILES -- this sub-area contains six (6) options:
DRIVE - allows the choice of drive A: through and including M: as the source
of the code to be defined for monitoring.
WHY: the security baseline for each drive is maintained uniquely in hidden files
ADD - enforces a rigorous mechanism by which the administrator chooses
a specific program or data set to be monitored. The stringent procedure assures that the
monitor mechanism verifies the validity of path from root, directory, file size, date stamp, time
stamp, all attributes, header length and location on the disk currently in force. This option
allows the monitoring of frequently executed application code and data without having to
conduct a full disk monitoring process
WHY: the mechanism assures that a substitution follows the procedures in
force in the OS computing environment. Any deviation is specified as suspect.
DELETE - removes a program or data from the monitoring process.
WHY: allows adjustment of the state of security to the realities of the
operating environment.
PRINT AUDIT - permits the administrator to generate a hard copy history of change activity at his discretion.
CHANGE HEADER - permits the customization of the audit report title.
ERASE - writes a random series of ones and zeros over the chosen
program or data file five times.
WHY: There are routines which recover the file pointers in the FAT. DETEKT
assures that the erased file cannot be illegally resurrected.
2. CHECK -- this area contains seven (7) options
SPECIAL - verifies that those files used daily chosen using the ADD option have not been altered.
WHY: reduces the time to verify files used daily with no effect upon security.
THIS DISK - verifies that all files upon the disk chosen in the DRIVE option of FILE
have not been altered.
ALL DISKS - verifies all files and all data on every active drive in the computing system.
NOTE: DETEKT will pass through unguarded gateways and cross LAN bridges if they exist. In tests
we used DETEKT to locate gateways open during program integration and later forgotten.
UPDATE DISK - recalculates the values created previously for all programs and data
files upon the drive chosen in the FILE option.
UPDATE ALL - recalculates the values created previously for all programs and data file on all active drives.
CURRENT RESULTS - hard copy of the current audit.
COMPLETE HISTORY - a listing from latest to oldest of all audits retained for analysis
purposes.
3. QUIT -- the exit method from the DETEKT process.
WHY: as the DETEKT process is organized the user may establish an audit procedure
which differs from that suggested in the option menu. The program requires notification of the
completion of the monitoring process for this reason.
How to run FCD(DETEKT) during normal operations
FCD(DETEKT) is normally placed in the root directory and executed from the
AUTOEXEC.BAT system path so that it is accessible at system startup. We recommend
that FCD(DETEKT) be called as the first task line of the AUTOEXEC.BAT. It might appear
C:\ DETEKT. Once this is done all that is needed to start the program is to POWER UP
the computer. If you choose not to utilize the AUTOEXEC.BAT then type DETEKT at the
command prompt, press the return key and the program will self start from the root
directory. You will notice that you can use DETEKT to check for changes in itself. This
protection mechanism assures prevention and secure bounding of the base corruption
prevention mechanisms.
Once invoked, two work windows will appear, an upper one and a lower one. The upper
window is the selection or pick window where those files you wish FCD(DETEKT) to
validate will appear and/or you can select additional files for review. The lower window will
always contain the selected files.
At the top of these two windows are your menu controls, which are as follows: FILE,
CHECK, or QUIT.
FILE SELECTIONS ARE:
Drive Select
Allows you to select between drives A - I if they are available for use. A floppy disk
drive will not be selected if the drive door is open or if a disk is missing from the drive.
Add File
Allows you to select any file from the drive or sub-directory selected. Once the desired
drive and directory has been selected the up/down arrows are used to move the
highlight bar to select the file then press return and the file will appear in the lower
window to indicate that the file has been accepted.
Delete File
Allows you to delete selected files from the drive or sub-directory selected. To use
this function the up/down arrows on your keyboard can be used to move the highlight bar
to the file you wish to delete. Once the file has been highlighted press the return key to select
the file. When using this function files that are selected will have an asterisk (*) to the right
of the file name. Then press the escape key to complete the
operation.
CHECK SELECTIONS ARE:
Special Files
Using this selection only allows selected files to be checked. Should you happen to
delete a file which appears in the TO BE CHECKED lower window and not remove it, i.e.,
not practice proper maintenance of your files, you will be told NO LONGER EXISTS next
to the file name. You must press the ENTER key to continue the CHECKing process.
Disk Files
Using this selection only allows files on the selected drive with .COM, .EXE, .SYS, .OBJ, and
.BAT extensions to be checked. The message NO FILES HAVE BEEN CHANGED SINCE
LAST UPDATE appears if the disk matches the hidden control file for that drive.
All Files
Using this selection causes all files on every drive in use to be verified
Update Disk
Using this selection only allows the update of the control file which was created during
the setup exercise explained in detail above.
Update All
Using this selection causes all files on every drive in use to be updated.
QUIT (exiting the program)
Allows the user to exit from the program. Upon leaving the program <RETURN> you will
receive a final warning:
REMEMBER TO PERFORM DAILY BACKUP ROUTINE
FOR OPTIMUM DATA AND FILE INTEGRITY
Press the return key to get back into the OS system. BUT, please take the message
most seriously.
THE WARNING MESSAGES WHICH YOU MAY SEE ARE:
POSSIBLE INFECTION !!
This warning message will appear during file checking if any one of the following is true.
File size has been altered.
File date/time has been altered.
File checksum has been altered.
File CRC has been altered
New unvalidated file has been added
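The dual CRC/checksum control record described in the product specification, and the five alert conditions listed above, as an added Python example (not DETEKT's own code): it baselines a directory tree from its root, then re-verifies the tree and reports each condition in the manual's wording. The tree, file names and contents are constructed for the demonstration; Unix permission bits stand in for DOS attributes.

```python
"""Baseline-and-verify integrity check modelled on DETEKT's control file.

Added example, not the DETEKT program's own code.  Each record holds the
path from the root, size, modification time, permission bits (standing in
for DOS attributes), a 16-bit additive checksum and a CRC-32.
"""
import os
import shutil
import stat
import tempfile
import zlib

def file_record(root, rel):
    """Control record for one file.  Both digests are kept because an
    additive checksum misses byte reordering that a CRC catches."""
    full = os.path.join(root, rel)
    st = os.stat(full)
    crc, total = 0, 0
    with open(full, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            total = (total + sum(chunk)) & 0xFFFF
    return {"size": st.st_size, "mtime": int(st.st_mtime),
            "mode": stat.S_IMODE(st.st_mode), "checksum": total, "crc": crc}

def build_control(root):
    """UPDATE DISK: walk from the root and record every file, keyed by its
    full path from the root so a same-named file elsewhere cannot match."""
    control = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            control[rel.replace(os.sep, "/")] = file_record(root, rel)
    return control

def verify(root, control):
    """DISK FILES: compare the live tree with the control.  Returns
    {path: [reasons]} in the manual's wording; empty means no change."""
    current = build_control(root)
    findings = {}
    for rel, old in control.items():
        new = current.get(rel)
        if new is None:
            findings[rel] = ["NO LONGER EXISTS"]
            continue
        reasons = []
        if new["size"] != old["size"]:
            reasons.append("File size has been altered")
        if new["mtime"] != old["mtime"] or new["mode"] != old["mode"]:
            reasons.append("File date/time or attributes have been altered")
        if new["checksum"] != old["checksum"]:
            reasons.append("File checksum has been altered")
        if new["crc"] != old["crc"]:
            reasons.append("File CRC has been altered")
        if reasons:
            findings[rel] = reasons
    for rel in sorted(current.keys() - control.keys()):
        findings[rel] = ["New unvalidated file has been added"]
    return findings

def demo():
    """Constructed run: baseline a small tree, make four kinds of change
    and return verify()'s findings."""
    root = tempfile.mkdtemp()

    def put(rel, data, mode="wb"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, mode) as fh:
            fh.write(data)

    try:
        put("COMMAND.COM", b"constructed sample: command interpreter")
        put("DOS/CHKDSK.EXE", b"constructed sample: disk checker")
        put("WP/LETTER.TXT", b"constructed sample: a letter")
        control = build_control(root)
        # 1. Swap two bytes and put the timestamp back: size and additive
        #    checksum are unchanged, so only the CRC reveals the edit.
        p = os.path.join(root, "COMMAND.COM")
        st = os.stat(p)
        put("COMMAND.COM", b"ocnstructed sample: command interpreter")
        os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns))
        # 2. Append to a program: size, checksum and CRC all change.
        put("DOS/CHKDSK.EXE", b"\x90\x90", mode="ab")
        # 3. Delete a protected file.  4. Add an unvalidated one.
        os.remove(os.path.join(root, "WP/LETTER.TXT"))
        put("DOS/NEW.COM", b"constructed sample: unknown program")
        return verify(root, control)
    finally:
        shutil.rmtree(root)
```

The first change is the reason the manual insists on a dual digest: a preserved date/time, size and additive checksum still leave the CRC to expose the edit.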
WARNING THE ABOVE FILE HAS BEEN ALTERED!!
DO YOU WISH TO UPDATE CONTROL FILE?
This message will follow the possible infection warning, asking the user if this file is
ok to update or whether some other course of action should be taken. Answering YES (i.e.,
typing "Y") to this question will update the control file to the current status of the file that
has been identified as changed. Answering NO (i.e., typing "N") to this question leaves
the control settings for that file just the way they were before the user was alerted to the
possible infection. When this message is encountered some action must be taken by
the user to avoid possible problems.
LOGGING DETEKTED DIFFERENCES (SOFT AND HARD COPY)
We have conceived a method which allows the user to see all detected differences
at one time in one place. Should differences be found they will not only be displayed to the
screen for your review, they will be written to a file named OSERROR.TXT in the \root of
the disk being evaluated. Some users copy this file to a security sub-directory with the
name changed to dif<mmddy>.doc. In this way they can combine results to determine if
trends and/or patterns exist which require further investigation. Should you not wish to keep
disk files simply Type the command PRINT OSERROR.TXT and produce hardcopy for
review, analysis and historical purposes.
CONCLUSION
In closing, this program IDENTIFIES A DIFFERENCE in the software residing on your
disk drives since the last time it was analyzed. It LOCATES THE DIFFERENCE, and
provides a warning of a possible infection or software glitch. FCD(DETEKT) should
be used along with a well planned backup routine to be fully effective. Use SAFEZONE as
suggested to keep your risk level at minimum. Once in operation, FCD(DETEKT) creates
a wall bounding the amount of risk you are exposed to by being a typical computer user.
RULES FOR SAFE COMPUTER USAGE
Let us begin by defining some terms. There are two computer program elements that
need definition if you are to accept the need for a micro-computer based system of backup
and recovery.
First is a Trojan Horse program. This sort of program, like its historical namesake,
has two functions. On the "outside" it does something to encourage the user to run it.
Typically, Trojan Horse programs may be games, small support programs, such as
directory listers, or even, in one case already on record, commercial software packages.
On the "inside" however, the program does something unfriendly to the computer on which it
runs. Some Trojan Horse programs delete files, some reset clocks, some mark disk
areas as unusable and some change the operating system of the computer. The most
destructive of them cause other programs to change their nature, usually by adding
instructions to those programs that make them Trojan Horse programs as well. These
added instructions are often called computer viruses.
A computer virus is a portion of a program that does not run alone, but requires
another program to support it. In this sense it is like a biological virus, requiring a cell for
a host in order to allow it to work. Since it does not run alone, it does not appear in any
directory and is never directly executed. It moves from program to program by
making each program to which it is attached (infected so to speak) a Trojan Horse
program for further software infection. A virus may be programmed to appear to do
nothing for a long time (remain dormant), and then, when some trigger event occurs, do
whatever it is programmed to do. The movement of a virus program element from machine
to machine occurs when a Trojan Horse program is run on that machine.
If a corrupt program element infects your machine, then not only will the company's
in house computers be affected, but the home computers that many staff members
now have will also have their files affected by the very same corruption, and at the same
time. If you are preparing a paper for publication, writing or working on a spreadsheet, or
preparing some important correspondence, you may well find that your machine readable
copies of that material will become unusable both at home and at the office.
This security plan discusses some evasive action that you can take to prepare for the
return of your machine to working order. What we recommend is no more than good
housekeeping and is a practice that each of us should do anyhow, with or without the
threat of some mysterious computer virus. We know that FCD(DETEKT) will do its job
BUT !! if your drives are not maintained, electricity spikes freely, and/or your safe software
habits were not in place prior to adding DETEKT to your way of doing business, worry.
That which we explain in the next few paragraphs applies to users who have machines
with either a floppy disk drive and one or more hard disk drives on their computers. If you
cannot verify and validate your software consider beginning again as follows:
Step one: Locate the original source disks for the operating system you are now using
on your computer. This may no longer be the system delivered with your machine, you
may well have had an upgrade. DO NOT PUT THESE DISKS INTO YOUR FLOPPY
DRIVE YET. Secure a few dozen write-lock tabs and put one on each of the delivery
system disks. (When you hold a disk upright the right side of the disk has a 1/4" square
notch cut into the black paper jacket. The write-lock tabs are black or aluminum colored
gummed paper tags about 3/4" X 1/2" that can be stuck over the edge of the disk
covering the front and back of this notch. When that tab is in place it is not possible for
the computer to write information onto a floppy disk.)
Only after you have write-locked these disks should you put the disk into the computer
and compare the system on that disk with the system you are using. STOP AND READ
THE NEXT SENTENCE! The simple act of executing the DIR command on an unlocked
disk is enough to infect that disk with a virus if your system is already infected and if the
disk is not write-locked. There is a very small probability that your system is already
infected. We recommend that you compare the date and size of the file
COMMAND.COM on your original source disks and on your working disk or disks to see
that they are the same. USE FCD(DETEKT) with your original disks to assure a clean
control audit trail. The results should look like this:
------------------------------------
C> dir a:\command.com
Volume in drive A is MS330PP01
Directory of A:\
COMMAND COM 25276 8-31-89 12:00a
1 File(s) 5120 bytes free
C> dir c:\command.com
Volume in drive C has no label
Directory of C:\
COMMAND COM 25276 8-31-89 12:00a
139 File(s) 4556512 bytes free
------------------------------------
Note that both copies of COMMAND.COM have the same date and time of creation
(midnight on August 31st 1989) and both are the same size (25,276 bytes). The numbers
for your machine may well differ from the example depending upon your DOS version, but
both should be the same. When those disks have been found, put them away in a safe
place. We recommend that they be put in a secure storage box not too near your
computer.
Step two: There are a small number of software packages that you would be lost
without. In my case they include a word processor, a DBMS system, Modem software,
DOS utilities, and a data compression system among hundreds which are commercially
available and could be in your possession. These packages may well be purchased
commercial software, shareware, and freeware. In each case you should have an original
source delivery disk for each of these packages. Find those disks, WRITE LOCK THEM,
and use FCD(DETEKT) to compare them with the copies you are now using. Put them
in the same secure storage box in a safe place.
Step three: Using the backup procedure of your choice, perform a backup of the
system files on your computer. If we were using a computer with a floppy and a hard disk,
we would use backup-restore, or Fastback or some other package to back up the
directories C:\WP, C:\DIA, C:\UTIL, C:\COMM and C:\DOS. (Of course these directories
have different names on your system.) Write lock these backup disks. Label them with
today's date. Using the FCD(DETEKT) compare the disks you have just backed up with
the disks you are using to ensure that the backup "took". Put the backup disks in the safe
secure box. This will tie up a few dozen disks, but with disks now costing pennies each,
you will probably find the minimal investment worth while.
Step four: (This applies to those users who use hard disk based computers.)
Prepare a backup procedure that will permit incremental backups. This will entail
backing up the entire system once, and then periodically backing up those files that have
changed since the last backup.
Perform such incremental backups regularly. After several such incremental
backups, the size of the backup set will become quite large. At that time, put the backup
set away in a safe place and begin with another set of disks for a full system backup
followed by several increments. When the second set is full, put them away and return
to the first set. This will afford a very secure set of backup files. We suggest that 50
disks makes a good backup set. Thus 100 disks would be used for the double backup
group. We believe that most users would need to do a full backup monthly, requiring
about 1/2 hour of manipulation and should do incremental backups about twice per
week, requiring less than 5 minutes.
(It is a very good idea to periodically test the backup system with a FCD(DETEKT)
verification of what you have backed up.)
Step five: Go back to your useful work.
Recovery from the loss of one or a few files:
Sooner or later you will lose some files. They will disappear without apparent cause
and you will blame the problem on a virus. It is our experience that in cases like this no
virus is involved, the loss of files will be due to an operator error. If you have been doing
incremental backups, then the simplest corrective action is to use the recover feature
of the backup system that you are using and simply restore the latest copy of the lost
file(s) to the hard disk. If you have been conscientious in your backup practice, then
the loss of work will entail just a few minutes or, at most, a few hours of rework.
Recovery from the loss of the entire system:
It may happen that the entire hard disk seems to be lost. This is serious but, in most
cases, is likely not the result of a virus. Most failures of the hard disk are due to
hardware problems caused by a combination of abuse, overuse and poor maintenance
habits. The best solution is to repair the hardware if the technical people judge that that
is the problem, and then, after reformatting the hard disk, restore the system from your
latest backup. Almost without fail, this will result in a complete return to a normal system.
Really bad news, the restore does not work: This may well be the point of FCD(DETEKT).
If a virus has been planted in your system and has been set to trigger on some event,
then, if you are not using FCD(DETEKT) the only way to recover is to rebuild the system
from scratch using the write locked set of disks located in that safe secure box. If these
disks are not write locked, and if you mount them onto an infected system, then the disks
will be infected in turn and you may well be unable to restore from a clean, uninfected
source without returning to the system vendor for a fresh copy of each of your executable
programs. This means you ignored the warning FCD(DETEKT) provides. On the
assumption that you first build your system again from scratch, you may
restore all of the data files from your backup set. Non-executable files should not be
able to carry a virus either between systems or over the backup process.
Final thoughts:
There is no reason to ever boot the system from a foreign disk whose history you are
not prepared to trust. (For example, booting from a copy protected version of Lotus 1-2-3
is as secure as the Lotus corporation can make it but booting a downloaded disk called
SURPRISE!! can kill your operation.)
There is no reason why a disk used to transport data between machines should
have a copy of the files io.sys, msdos.sys, ibmio.sys, ibmdos.sys or command.com on
it. Check your transport disks and delete those files which are unnecessary prior to copying
any file into your hard drive. Use the DOS ATTRIB command to remove all attribute
modifications to assure that an attack is not hidden from view.
No executable file on a micro system, to date, has been infected by the transport of data
files to the system. Only executable files (including device drivers and the operating
system itself) can be used as Trojan Horse programs. Beware, systems have been
corrupted by BOOT sector VIRUS and FAT scramblers executed from data called by word
processor and spreadsheets. We strongly urge the use of the programs
SAFEZONE.EXE and NEWZONE.EXE to minimize the effects of this problem for
FCD(DETEKT) users.
We hope that you enjoy your future computing adventures safe in the knowledge that
your equipment will be corruption free as long as you follow these instructions. The team
of you and FCD(DETEKT) will work every time.
(c) Thomas V. Sobczak, Consultants 1988,1989, 1990, 2007