Tracker INIT For MacOS 9, version 1.1.1


The Tracker INIT is a generic antivirus suspicious-behavior blocker, something like a "lite" Gatekeeper or SAM Intercept. It is not as sophisticated as either of those, but it gets the job done, quickly and easily. (Version 1.1 adds three more suspicious resource types, 'boot', 'ptch' and 'lodr', which no ordinary program should have a reason to alter.)

System needs:

Tracker needs a 68020 processor or greater; it will not run on old 68000 Macintoshes. It runs fine on any PowerPC machine. It also needs at least System 7.0.0.

Installing Tracker:

To install Tracker, drag the two files (both of them) "Tracker" and "Tracker Exceptions" into your Extensions Folder and then Restart.

Operations:

Tracker continuously monitors the System for suspicious calls. In particular, any AddResource or ChangedResource call against one of the following executable-code resource types will be blocked:

CODE, INIT, CDEF, MDEF, WDEF, cdev, FKEY, LDEF, MBDF, XCMD, XFCN, scod, DRVR, proc, PTCH, DSAT, PACK, PATC, boot, ptch, lodr and cfrg.

If you don't know what all of these are, don't worry. They are resources that hold executable code, and old or new viruses can use them to infect your system. When Tracker identifies an alteration attempt against any of these resource types, it blocks it and in addition issues a notification dialog telling you WHO tried to make the change and against WHOM. Most regular programs have no need to alter such resources. Unfortunately, these calls can also appear legitimately in some programs. In general, the programs that legitimately issue such calls are installers, compilers and resource editors (like ResEdit). There are always exceptions though, so one can never be sure. For example, the Global Village Fax software issues MDEF, WDEF and CDEF calls against the System, and ~ATM issues DRVR calls against itself.

If you become a bit more familiar with the way these calls work, you can almost always tell whether there is a problem. For example, most of your programs should NOT issue many of these calls unless you are a programmer or developer. If you are a regular user and you suddenly get bombarded with dialogs from Tracker, something is probably wrong. Pay particular attention to such calls issued against the System file.

Operational Details:

The job of most viruses is usually to infect the System file first. If you run a program and Tracker presents you with a notification alert for such a suspicious call, a virus is probably attacking your System. See whether the same program issues a similar call when you run it again, and observe how it behaves after the unsuccessful attempt to modify your System file. If you see an application issuing such a call against ANOTHER application that is totally unrelated to the running one, that is reason for concern. If you see a repeated attack against one particular file (application, System or control panel), there is something very suspicious about it. The net result of this blocking is that Tracker does not allow the virus to enter your system or spread to other files, so it is quite an effective tool for stopping further infection. Some viruses, though, also deliver a malicious payload besides spreading; they can, for example, attempt to erase your default drive. Tracker ONLY GUARDS AGAINST FURTHER SPREADING (and possible side damage FROM the infection). If you want protection from payloads that try to delete files, install DelProtect, which blocks calls to the "Delete" functions and so stops unauthorized deletes by viruses.

Most known Mac OS viruses issue AddResource and ChangedResource calls at one time or another. There is no way a virus can enter your system and avoid these calls at the same time, with the exception of the AutoStart worm. (AutoStart does not issue such calls because it is technically a "worm", not a virus: it simply replicates through File Manager routines and does NOT attach itself to other files. Viruses, technically, need a host file to which they attach themselves, and they usually accomplish this by issuing the two calls above.)

I have tested Tracker with the following viruses:

The Tracker INIT is successful in blocking further spreading and prevented side damage to applications, but it is not designed to stop an already infected application from attempting to erase a drive when its trigger date is reached. DelProtect, though, does prevent viruses from delivering Delete payloads; if you want protection from such payloads, install DelProtect as well.

SevenDust E, the "Graphics Accelerator" virus, tries to modify the menus of applications destructively. As a result, when it attacks an application it also attempts to damage the file's menus, besides spreading into that application. You may notice garbled menus when your application is attacked, but the file will be protected and Tracker will tell you that somebody attempted alterations on your menus. If a file does become damaged, either because you did not have Tracker or DelProtect installed or because of some other failure, replace such applications from originals, use a professional antivirus, or use John Dalgliesh's program "Agax", which repairs them. For more information on John's program, see the credits.

SevenDust D will also attempt to damage window resources. Technically, these two strains (D/E) are "symbiots": they damage the host so that the user is not able to remove the virus.

Some later variants had been discovered as of this writing (2-3-99), notably what Symantec calls F and what John Dalgliesh calls G. For those variants, Tracker protects successfully against System infection, directory infection, and MENU and WIND resource damage. If these later variants attack your System, you will notice increased activity and alerts from Tracker, and some application menus may appear garbled. This is to be expected, since Tracker denies the virus permission to modify an application's menus. In fact, Tracker will protect you from ALL the existing SevenDust variants, and perhaps new ones, as long as SevenDust continues using similar code and infection techniques.

Tracker will not prevent infections from the AutoStart worm. If you are a programmer, you can modify the source to block AutoStart, but you had better know what you are doing. For example, you could patch some File Manager routines, such as PBSetFInfo.

Tracker is effective against most of the older viruses, including the ones described in Disinfectant's manual. I have not tested Tracker against all the older viruses (only T4, MBDF, MDEF, CDEF and nVIR), but most of them issue calls against the resource types above. Besides, only a handful of them actually operate on Mac OS 8.x-9.x without major problems.

You may prefer to use a commercial intercept extension, such as SAM Intercept, which is part of SAM (now NAM). In fact, I encourage you to do so. But if you can't afford NAM or SAM or don't want to buy them, Tracker will do quite a good job. Gatekeeper and SAM Intercept were a lot more sophisticated than Tracker, but their power came with the disadvantage that they were difficult to configure and produced lots of unneeded alerts. Unfortunately Gatekeeper has been discontinued, so the only other viable alternatives are a professional behavior blocker like the one in the commercial Norton AntiVirus for Macintosh package, or the checksum checker in Virex.

Creating Exceptions:

If you see a program that issues many calls against resource types like the ones above and you are sure it is not a virus (like the ~ATM Extension), you can configure Tracker to ignore it in a very simple way (see the section Notes on Exceptions for more explanation). Edit the included SimpleText TEXT file and put in it the names of the programs you want to ignore. Write the names exactly as they appear in the Finder (or, where possible, copy the names from the Finder and paste them into the SimpleText file), one name per line, separated by a single return. Then save the file; its name has to be EXACTLY "Tracker Exceptions". A sample file is included in the download. Close the file and drag a copy of it into your Extensions Folder, then Restart.

At load time, Tracker reads this file and ignores applications or programs whose names are listed in it when they issue such calls. If there is no such file in the Extensions Folder, Tracker informs you with a notification that no exceptions will be made and that all programs issuing suspicious calls will be intercepted. You can add as many program names as you like to the SimpleText file, as long as the file does not exceed 1024 bytes. Needless to say, if you use ANY installer for new software, you need to disable Tracker and DelProtect with the Extensions Manager first. Also, don't forget to add the names of your antiviral programs, such as NAM or Virex 5.8.1. Other than that, you will have no problems.

Tracker is, as you can see, easily configurable, and it is hard to tamper with: changes to the exception file only take effect after the machine is restarted. Note that exceptions match on the program name alone, so anything that carries a listed name is exempted; keep the list short. If you run Tracker in a networking environment, you can also make the exception file invisible with ResEdit so that people cannot tamper with the list of programs that Tracker allows to call the above routines. Removing the Extensions Manager as well makes the setup much harder to disable.

Programmer Notes:

If you have THINK C 7.x.x, you can recompile the project and add more resource types for protection. Set the header macro PROTECT_MORE_TYPES to 1 and recompile to protect 'xxxx' resources, where 'xxxx' is the type you want to guard (see the source file); the recompiled INIT will guard those types as well. I have added protection for WIND and MENU resources to guard against damage from 'WIND' and 'MENU' symbiots, such as the SevenDust D and E (Graphics Accelerator) strains. As a result, Tracker is successful in protecting against the Graphics Accelerator virus.

Tracker simply patches the two traps _AddResource and _ChangedResource. If the resource type being modified is not one of the listed types, Tracker does not interfere and calls the original routine normally; if it is listed, Tracker blocks the alteration. Please add the name of your development environment to the exception file. If you use MPW, you will have to add the corresponding tool along with the MPW Shell, because MPW transfers control to a separate tool, "Link" for example, to do the actual linking.
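As an added illustration of the policy described in this paragraph and in the Creating Exceptions section, the portable C below models Tracker's decision: the protected-type table (with WIND and MENU under PROTECT_MORE_TYPES), the return-separated exception file with its 1024-byte limit, and the block-or-pass-through choice made in the trap patch. This is NOT the original THINK C INIT source and does not reproduce the 68K trap patch itself; the sample exception file, the program names, and the 64-entry and 64-character caps are constructed for the example.

```c
/* Added model of Tracker's filtering policy in portable C. This is NOT the
 * original THINK C INIT source; it reproduces the decision the README
 * describes so it can be read and run on a modern machine. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ResType;         /* classic Mac OS four-character type code */

#define PROTECT_MORE_TYPES 1      /* as in the README: also guard WIND and MENU */
#define MAX_EXCEPTIONS_BYTES 1024 /* file size limit the README gives */
#define MAX_EXCEPTIONS 64         /* entry cap chosen for this example only */
#define MAX_NAME 64               /* name length cap chosen for this example only */

/* Pack four characters into a ResType. Type codes are raw bytes, so
 * 'PTCH' and 'ptch' are different types and both must be listed. */
ResType res_type(const char s[4]) {
    return ((ResType)(unsigned char)s[0] << 24) |
           ((ResType)(unsigned char)s[1] << 16) |
           ((ResType)(unsigned char)s[2] << 8)  |
            (ResType)(unsigned char)s[3];
}

/* Executable-code resource types from the Operations section. */
static const char *const protected_types[] = {
    "CODE", "INIT", "CDEF", "MDEF", "WDEF", "cdev", "FKEY", "LDEF", "MBDF",
    "XCMD", "XFCN", "scod", "DRVR", "proc", "PTCH", "DSAT", "PACK", "PATC",
    "boot", "ptch", "lodr", "cfrg",
#if PROTECT_MORE_TYPES
    "WIND", "MENU",               /* symbiot damage targets (SevenDust D/E) */
#endif
};

int is_protected_type(ResType t) {
    size_t n = sizeof protected_types / sizeof protected_types[0];
    for (size_t i = 0; i < n; i++)
        if (res_type(protected_types[i]) == t) return 1;
    return 0;
}

typedef struct {
    char names[MAX_EXCEPTIONS][MAX_NAME];
    size_t count;
} ExceptionList;

/* Parse the "Tracker Exceptions" file: one program name per line, separated
 * by a classic Mac return (CR). Files over 1024 bytes are rejected, as the
 * README says Tracker does. Returns the number of names loaded, or -1. */
int load_exceptions(const char *buf, size_t len, ExceptionList *out) {
    out->count = 0;
    if (len > MAX_EXCEPTIONS_BYTES) return -1;
    size_t start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || buf[i] == '\r' || buf[i] == '\n') {
            size_t n = i - start;
            if (n > 0 && n < MAX_NAME && out->count < MAX_EXCEPTIONS) {
                memcpy(out->names[out->count], buf + start, n);
                out->names[out->count][n] = '\0';
                out->count++;
            }
            start = i + 1;
        }
    }
    return (int)out->count;
}

/* The decision the _AddResource / _ChangedResource patch makes:
 * 1 = block and notify, 0 = pass through to the original trap. */
int should_block(const ExceptionList *ex, const char *caller, ResType t) {
    if (!is_protected_type(t)) return 0;                  /* not code: let it through */
    for (size_t i = 0; i < ex->count; i++)
        if (strcmp(ex->names[i], caller) == 0) return 0;  /* exempted by name alone */
    return 1;
}

int main(void) {
    /* Constructed sample exception file, as a user would type it in SimpleText. */
    static const char sample[] = "ResEdit\r~ATM\rVirex 5.8.1";
    ExceptionList ex;
    load_exceptions(sample, sizeof sample - 1, &ex);

    static const struct { const char *who, *type; } calls[] = {
        {"Untrusted App", "INIT"}, {"Untrusted App", "TEXT"},
        {"ResEdit", "CODE"},       {"~ATM", "DRVR"},
        {"Untrusted App", "MENU"}, {"Untrusted App", "Ptch"},
    };
    for (size_t i = 0; i < sizeof calls / sizeof calls[0]; i++)
        printf("%-14s %s -> %s\n", calls[i].who, calls[i].type,
               should_block(&ex, calls[i].who, res_type(calls[i].type))
                   ? "BLOCKED" : "allowed");
    return 0;
}
```

Two things the model makes visible that the prose only implies: type codes are compared byte for byte, so 'Ptch' passes while 'PTCH' and 'ptch' are both blocked only because both are listed; and an exception is keyed on the caller's name alone, so any program carrying a listed name inherits the exemption.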

The reason Tracker needs at least a 68020 is simple. When the THINK C compiler sees a pascal void MySubroutine(type1 arg1, type2 arg2, ...) and the total size of the arguments exceeds 4 bytes, it generates:

MOVEA.L (SP)+,A0 ;get return address
LEA $x(SP),SP ;pop arguments
JMP (A0) ;return to caller

This trashes the A0 register, and we don't want that, because A0 must be preserved inside the trap dispatcher. So we check "Generate 68020 code" in the THINK C environment, and the compiler instead generates an RTD instruction to return to the caller, which leaves A0 untouched. (RTD exists from the 68010 onward, but THINK C only emits it under the 68020 option, hence the requirement.) Thanks to Anton Rang for this bit.

Tracker could easily be augmented to deal with the AutoStart worm: add a patch to a File Manager routine such as FSpCreate to prevent unauthorized creation of suspicious files, and AutoStart would never be able to install itself. There are also a couple of other neat programming tricks in the source, such as unlimited notification storage. If the Graphics Accelerator virus tries to attack your system it will fail: even though its file will be created, the 'INIT' resource will never make it into the file, so the file ends up empty. Tracker is effective against the spreading of most known viruses, as long as it loads first. If another extension loads first, it CAN bypass Tracker, so be careful. Feel free to experiment with it. I basically created Tracker to protect myself from the Graphics Accelerator virus.

There is a very slight speed penalty when using the INIT, because Mixed Mode context switches are required to pass from the 68K patch to the original AddResource and ChangedResource routines, which are native PowerPC code. Sooner or later I will port the INIT to native PowerPC code to boost speed. If anybody has experience doing so with Symantec Project Manager, I'd appreciate the help, and your name will show up in the credits.

Download Tracker (with source) here.