TweetFollow Us on Twitter

Virus Detection
Volume Number:8
Issue Number:2
Column Tag:Cover Story

Related Info: Resource Manager File Manager

Generic Virus Detection

Virus Detection - the state of the art solutions

By William Hsu, Millersville, Maryland

Note: Source code files accompanying article are located on MacTech CD-ROM or source code disks.

About the author

William Hsu is a third-year undergradutate majoring in Computer Science at the Johns Hopkins University. The following article was based on a paper for an independent programming workshop under Dr. Steven Salzberg. His Internet address is His research interests include recent advances in computer virus theory and treatment, program synthesis, and randomized and approximation algorithms.

Recently, computer viruses have attracted a high volume of public, media, and scientific attention. This is no surprise considering the explosion in the development rate of computer virus code. Combine this with the fact that current methods for detection of viruses have had limited success. A new approach to the detection of such code is needed. We're going to look at two variations on algorithms originally developed for string matching. Both modifications allow an increased tolerance for variant “strains” of known viruses, especially for the so-called evolutionary class which mutate themselves at predetermined intervals.

First, a randomization scheme can be applied to an established fast substring matching procedure (such as the Boyer-Moore algorithm). This randomization allows mutation-resistant searching. Second, an approximate pattern matching algorithm for a maximum number of differences can be used. The algorithm is modified by weighting the edit distance metric to make it robust to character padding and removal. Both functions are combined to create a generalized detector capable of finding viral clones, whether produced by human authors or by automatic variations.

This article was produced as part of an undergraduate computer science workshop at Johns Hopkins University. First and foremost, I would like to thank Dr. Steven Salzberg, my project advisor, for his guidance, insight, and instruction. Many thanks to the faculty and staff of the JHU Computer Science Department, and to John Norstad, Brian Seborg, Ephraim Vishniac, and Jan Christian van Winkel for their help and comments.

Virus Detection: Classification, Methods, and History

There has been a great deal of interest in the detection of active “viral” code on both Macs and mainframes, especially as members of an interconnected network. Definitions of the set of programs called viruses have been put forth in many recent articles, most notably in the work by Cohen.1 In this work, detection of the virus is simply considered a pattern string to be searched for in a larger text (a possibly infected program).

Current viral detection procedures are classified according to a system put forth by the Computer Virus Industry Association.2 The association divides anti-viral products into three categories: Class 1 antiviruses (“Infection Prevention Products”) halt the virus replication and prevent the initial infection from occurring - an example of such a program for the Macintosh operating system is the cdev (Control Panel Device) Vaccine. Class 2 programs (“Infection Detection Products”) detect infection soon after it has occurred and mark specific components of system segments that have become infected - they do so by periodically inspecting executable files, and may or may not attempt repair of an infected file. An example of a Class 2 program on the Macintosh is the INIT package GateKeeper and GateKeeper Aid. Finally, Class 3 antiviruses (“Infection Identification Products”) identify specific viral strains (see below for more information about this topic) on systems that are already infected and may remove the virus, returning the system to its state prior to infection. This category is most common, although its effectiveness is dependent on the frequency of user invocation. McAfee's MS-DOS program SCAN and the Macintosh Disinfectant series are Class 3 products.

At present, three approaches to viral code detection have been prevalent. The first, viral signature matching, requires information about the virus. Specifically, a signature-based detector requires the virus’ code length and the location of its “contagious” segment (which is essential to its replication and transfer among storage media, computer memory, and networks). Code enumeration, a second technique, involves examining known programs periodically to test whether any unknown segments of code have been added to the original file. It is most effective when applied before each execution of the program. Finally, checksum methods compare the current size of a file and the summed value of its bytes to the same attributes of a known uninfected version - an infection will often change these values. None of the above methods require the use of the code of the virus itself in its entirety, and all three require user action upon discovery of a virus. Usually, the computer user is urged to restore an earlier copy of the infected file or files from backup. In specific cases, disinfection is possible.

Most software developers claim that the absence of the actual viral code from a detection program prevents its reuse by other virus authors. These authors could conceivably design a virus based on the stolen code and thwart the original detection program. For this reason, developers choose against using a whole (deactivated) virus in detectors. An opposing viewpoint suggests that the only defense against viral code that will not inevitably fail is one which does not depend on the secrecy of its internal mechanisms. A conflict has arisen between these two opinions as each side handles sensitive information very differently. The former advocates secrecy regarding: breaches of security, weaknesses in system defenses, and vulnerabilities of protective software (which will be discussed later in this article), while the latter believes revealing such details will attract support from developers of anti-viral programs and prevent unexpected attacks.

MacDTS has argued that attempting to support anti-viral measures is a futile struggle. This viewpoint fails to factor in the practical results approximate methods have had with problems which were once considered intractable. On the other hand, algorithmic detection of all viruses, including those for which no specimens exist, has been established as an intractable problem. It has been shown that to determine whether any given program is infected is undecidable.3 However, examination of the sample code of a virus, once it has been discovered, allows a signature detection schema to be implemented. Extending the use of this necessary information to both increase the range of the detectable viral set and decrease the amount of data required to do so is a logical goal. It stilll makes sense to include established algorithms suited for such detection as part of the process. By tracking down new viruses quickly, their damage can be lessened further than by distributing cures long after the spread is under way.

Viral Variant Detection an Algorithmic Approach

Choosing an appropriate class of algorithms depends on the treatment of the subject data; in this case, it is beneficial to consider viral and program code as text. For this problem, it is reasonable to use string matching procedures, which are specifically oriented toward character sequences with a pre-defined alphabet (such as the ASCII alphabet). In this context, viruses are searched for by two methods similar to the “Find” and spelling check commands in most word processors. The unique aspect of visrus detection, however, requires the search to be repeated many times (for hundreds of small pieces of the virus). The other search, similar to the “Suggest Word” command in a spelling checker, looks for approximate matches rather than exact ones. Virus detection gives character deletions more importance over inserted characters.

We have developed algorithms that will detect known viruses and unknown clones and mutants of those viruses. For our purposes a viral clone is defined as a known virus which has been modified prior to its release without changing its viral properties in any appreciable way. For instance, its replication and infection techniques and “detonation” effect (damage done when its preset trigger goes off) should remain identical. An example of a clone is the Hpat virus, a first-generation modified version of the nVIR A Macintosh virus. A viral mutant is defined as a known virus to which self-modification parameters have been added which cause it to create successive clones of itself at intervals or upon a trigger event - mutation may occur after release and may or may not be limited to a finite number of iterations. No Macintosh viral mutants currently exist. The term strain is often applied interchangeably to groups of clones, mutants, and even unrelated viruses (developed separately) which share any common feature. Due to this ambiguity, the expression is not used except in reference to sets of viruses previously designated as “strains”, such as nVIR A and B. The word variant is applied to mean an altered virus which may or may not be known and whose function may or may not have been changed during modification of its code; a variant is not necessarily a clone, but all viral clones and generations of mutants are variants of their ancestor viruses. Note that viruses of a single strain are not necessarily variants of each other under this definition; an example is the WDEF strain (Macintosh), with substrains A and B - they are so designated merely because they share the same code label.

A primary method of creating clones and mutants is character padding, the addition of code sequences or characters which do not affect the operation of the virus. Safeguards against this technique are presented in the algorithm discussions. A more difficult strategy is the removal of segments from a known virus - of course, this cannot be carried out indefinitely or even for a large portion of the virus. Finally, a virus may be designed to relocate itself once appended onto or inserted into a host program; auto-propagation is formally considered a feature of worms, but shifting code segments is another way of avoiding detection.

To implement variation-tolerant matching, one of several approaches may be selected. First, approximate string matching for a text of length n, a pattern of length m, and an integer k is among the most common of these. k is the maximum number of differences allowed between a pattern string and the text which is being searched. Algorithms exist which can compute an edit distance, based on the number and type of differences. The “edit” operations are character deletion, insertion, and “twiddle” (transformation of one character to any other). This distance metric can be computed by dynamic programming, a method which breaks down problems which would otherwise require recursion and solves it by computing a table. A straightforward implementation requires O(mn) time; a more complex version solves the problem in O(kn) time4 with some overhead. Parallelization of the procedure allows the values to be computed in O(k) complexity.

The second approach uses a fast substring matching function for small segments of the viral code which is being searched for. The length of each segment is proportional to the expected frequency of variation in the text by addition and deletion of characters. Since the base algorithms and user interface used in this project have been developed elsewhere, our work focuses on general methods for virus detection, rather than implementation issues.

Experimental Input

This code was developed on a UNIX machine before porting to the Mac. Input data at all stages of program development consisted of ASCII and binary data treated as ASCII text (the smallest alphabetic unit was one byte). The “text” used in mainframe testing comprises alphanumeric text, compiled binaries (executable and object files), and ASCII script files. An application was developed for use on the Mac, for which known viruses and their variants exist.5 All text used in the microcomputer development stage consisted of resource data because two primary requirements of viral code - the abilities to replicate and gain control of the operating system - require the execution of the infectious resources.

During the experimental stage, our pattern and text strings were obtained by extracting CODE resource from files found on the average Macintosh hard disk; the segments that were used are listed below. All input data was processed with ASCII character-handling functions. Simple character arrays were used to store both strings. Space requirements were relatively small for the string matching algorithms used. Internal data structures included: a matrix of O(2m) size in the first algorithm - the array requires O(mn) space, but the dynamic programming method only needs two columns at a time - and two arrays for internal computation by the Boyer-Moore algorithm.

The Boyer-Moore Algorithm

The string-matching algorithm developed by Boyer and Moore6 for substring matching has proven significantly faster, in practice, than both straightforward scanning and the finite-state automaton technique implemented by Knuth, Morris, and Pratt. This advantage applies even to binary strings, and becomes increasingly evident as the size of the alphabet increases. Thus, the number of character comparisons per text character scanned is even lower for executables than for alphanumeric text. The Boyer-Moore algorithm employs right-to-left scanning of the pattern string while attempting to find a match within the text body. The main savings are achieved by computing two failure functions which store, for each character in the pattern and the alphabet, respectively, the number of positions to be skipped when a mismatch occurs. Boyer and Moore suggest that entries from both arrays be compared and the larger skip selected. The Boyer-Moore string search requires m+n comparisons in the worst case, and can reliably use n/m steps for large alphabets and short pattern strings.

Our modification of the Boyer-Moore algorithm involved the introduction of a randomized system of string selection. An integer l was chosen to be sufficiently large that an accidental match of a substring of length l was extremely unlikely. We determined this likelihood experimentally (see the discussion below). The pattern source was an original (unmodified) sample of a known virus. Strings of length l were chosen randomly by generating an index between 0 and m-l and designating the next l characters (including the indexed one) of the source string as the pattern P. It was postulated that this probabilistic factor would establish tolerance for simple changes made to viral code by a potential author in possession of existing code. These changes include:

• Disassembling the viral code and changing variable identifiers.

• Padding null characters or sequences to calibrate the virus checksum.

• Removing small, superfluous amounts of code from the original virus.

• Automatic padding within a viral mutant.

• Pasting viral code segments under new labels or merging segments.

• Reversal of code order using logical jumps.

The probability of a match is experimentally shown (through the tests described below) to be extremely small when a virus is not present - it is clearly possible to discriminate with high precision between infected and uninfected files. An exact match is a very difficult event to duplicate coincidentally; the likelihood of such a match between random strings is infinitesimal even in practice. False positives are relatively rare, though more common than false negatives. Thus, use of a randomized algorithm appears to be a feasible approach to generalized (“inter-clone”) viral detection.

Manual “mutation” of code is already becoming commonplace, as is evidenced by the multiple clones of the nVIR strain which already exist on the Apple Macintosh. Simple self-modification has been accomplished in the Core Wars class of programs, and it is not at all unfeasible for a simple virus to be programmed to pad itself with null or checksum-neutral character sequences in an effort to evade detection. Such changes would appear trivial under human inspection. The straightforward searching techniques used in current commercial products, by contrast, are unable to handle even trivial changes. Early efforts to deal with the emergence of viral clones involve omission of parts of the viral signature or selectively summing or enumerating only specified portions of the suspected code.7 This approach lacks generality, however; it is not guaranteed to be proof against even a single revision of a known virus, and is certain to fail against an evolutionary version.8

Important advantages of randomization include the fact that the instructions of viruses need not be physically oriented in their order of execution, but may instead be scrambled by jump instructions (see Figure 1). A second consideration is that preselection of a single segment of code (i.e., the “signature”), as the search pattern, renders the anti-viral system susceptible to circumvention. Once the identity of the target code is discovered, the procedure may be fooled in one of several ways: by specifically changing or deleting the targeted string; by shifting its physical position; or by disguising it using character padding. Note that none of the above techniques requires real knowledge of how the virus works! A slightly more sophisticated author may easily disassemble the executable code and change certain variable identifiers to thoroughly mask the virus. These variations, in addition to changes made to hide the virus without any detector in mind, may be virtually bypassed when the search string is different for each scan run.

Figure 1

A major concern in refining the probabilistic extension of the Boyer-Moore search is the selection of a string length l. This choice is affected by at least three factors, the most important of which is the chance of a false positive result. Since a false alarm is highly improbable when the pattern and text are unrelated (as is experimentally demonstrated and documented in the tables below), its likelihood is low because the vast majority of legitimate code lacks viral aspects and is dissimilar to the virus search pattern.

Moreover, false alarms are easily avoided by making l as high as possible. On the other hand, l must be made shorter to make the modified Boyer-Moore procedure less sensitive to padding. Figure 2 illustrates a padded clone below an original virus. Each padding sequence insures that at most l - 1 out of m - l strings will fail to be matched, but paddings within l -1 bytes of each other will overlap and “mask” fewer strings. An important feature of drawing random strings from the original virus is that the length of padding sequences is irrelevant; only their frequency must be considered.

Figure 2

The second factor in determining l is the instruction length of the viral host machine; the unused space in each segment of a binary executable is filled with null (neutral) characters, and a selection of sampled pattern strings containing a high proportion of such characters is likely to contain an excessive number of strings which match with an uninfected text file. One minor weakness will be present regardless of the string length chosen: the virus author will always be able to defeat the randomized filter by increasing padding frequency (although this cannot be done indefinitely). This is one example of the “strength in secrecy” argument in anti-virus programming. On the other hand, the dynamic programming method is reasonably tolerant to padding.

A Dynamic Programming Approach

While randomized string-search algorithms present a viable next step in developing countermeasures to computer virus proliferation, they are only a refinement of the simple straightforward technique. An exact match is required for each string, regardless of how short it may be or how many others are selected and compared. Therefore, it is subject to failure under two conditions, the latter of which results in a false alert.

First, if the length of the randomly selected strings consistently exceeds the distance between padded or removed characters, the algorithm will fail to achieve any matches. Second, the program will erroneously report viruses when the text contains code which is sufficiently similar to the sample virus data to effect more matches than the allowable limit. A heuristic is needed which will deterministically verify or refute the presence of the virus and yield consistent results on every run. Since we are specifically dealing with variants of known viruses, an approximate matching procedure is required.

Fast string matching has traditionally been applied to many text search problems. Where a partial match is available, dynamic programming offers an efficient solution. The algorithm used in our experiments is a straightforward dynamic implementation which relies on a matrix whose components are computed based on previous entries. The scan function is designed to return the boolean true upon encountering any instance of a k-approximate match between pattern P = p1p2 pm and text T = t1t2 tn for a positive integer k. Assume that n is large relative to m. The following rules are used.9

1. Let Dmxn be a matrix of integers for which D[i,j] equals the minimum number of differences between p1 pi and a segment of T ending at tj.

2. A k-approximate match is detected at any j for which D[m,j] ¾ k.

3. The rules for computing D[i,j] consider each of the possible differences that may occur at pi and tj, and the instance for which the two characters match. D[i,j] is assigned the minimum of the following three values:

a) If pi = tj then D[i-1,j-1] else D[i-1,j-1]+a.

b) D[i-1,j]+b (the case where pi is missing from T (deletions)).

c) D[i,j-1]+c (the case where tj is missing from P (insertions)).

a, b, and c are the integer values added whenever a mismatch occurs, and are the central parameters in our modification. Each entry is updated by inspection of the entries above it, to its left, and to its upper left.

Figure 3

The computation may be done in O(2m) space since only the current and previous columns need to be stored. The work requires O(mn) complexity in the straightforward implementation, but can be achieved in O(kn) time using the improved serial technique by Landau and Vishkin.10 The standard application of string matching by dynamic programming uses a constant value for a, b, and c (for instance, 1). Our method boosts tolerance for padded characters by increasing the ratio between the parameters b and c.

Let r be this ratio, a positive integer; if c is assigned a unit value i, then the matching function may be made tolerant to cases for which the characters in the text are missing from the pattern (i.e., the text has been padded) by setting a and b equal to r •c, making the effective “price” for padded characters lower. A final consideration is the selection of the “threshold” k. It may be determined based on the expected frequency of padding, as is the string length in our randomized Boyer-Moore component. Since r has already been defined relative to i and m, it is a fairly simple task to assign k a value. Typically, it should be close to r (actually, slightly lower to ensure against false alerts) and may be computed using the ratio m/n or simply set to a large fraction of r. Our padding-tolerant implementation uses 1 for i and c, 100 for r, a, and b, and 50 for k. A false match is possible whenever the ratio r is greater than i. However, this only holds in the absolutely worst cases in which an extremely small pattern is matched against a text string of very high length. The probability of this event is equal to that of the consecutive occurrence of all m characters in P within k+m positions of each other. Again, this is experimentally shown to be a statistically rare occurrence, which can reliably be ignored as long as the viral segment length m is not much smaller than r. Generally, a value for r that is higher than the threshold k can be expected to yield few false alarms and will rarely miss a variant created by padding. Conversely, tolerance for missing characters may be effected by increasing the ratio between c and b; in both cases, a is assigned the larger of the two values.

Future applications (and viral threats)

The code below introduces two effective methods of computer virus detection, using newly developed modifications of proven algorithmic techniques. Though previously used in many other applications of computation, these systems are applied here for the first time to the problem of viral code identification. Despite the previously established results on the intractability of universal detection put forth by Cohen, a new class of post-infection scanning methods seems entirely feasible. Further investigation into the circumvention of virus concealment techniques produced experimental results which have supported our assumptions concerning the probabilities of detection and false positives, and support the main premise of both of the algorithms used: that a standard string matching program may be adapted for tolerance toward modification of the text to be scanned. Two significant questions remain concerning general virus detection: First, can clone and mutation detection be extended under a strictly algorithmic foundation to include a broader range of detectable code - especially groups of viruses which have not yet been developed? Second, what optimizations may be performed on the programs to increase speed without sacrificing probabilistic safety? One possible solution is offered through the accompanying program.

Work in string matching, like work in virus detection, is by no means complete. Modern algorithms make use of parallel hardware and improved data structures, such as suffix trees (which may be respectively applied to randomized matching and dynamic programming). Mutating viruses are by no means prevalent yet and have (fortunately) not appeared in the Macintosh operating system. All recent research in “compuvirology”, however, suggests that such programs are feasible and may debut soon - if not on the Mac, then possibly on a larger-scale machine. The viral “visibility” threshold (i.e., the typical size of a virus compared to the average executable size and the machine's general capacity) would even be lower. As an illustration, consider that current viruses approach an order of 10 kilobytes in length and would be considered gigantic if they appeared on machines of 20 years ago. As machine size increases, utilities for virus detection may possess the same precision, but this is not sufficient - they must also match the increasingly sophisticated products of virus authors. Using advances in fast string matching and parallel computing, the software industry can stay not one but many steps ahead of viral attackers.

Code resources used in Randomized

Boyer-Moore Experiments

The randomized Boyer-Moore program was tested on many files to illustrate that on an average Macintosh system, the likelihood of false positives is low. To draw this conclusion, resources from several common Macintosh programs were extracted and searched for variants of nVIR.

Below is a listing of the origin of each code segment used for the generation of Table 2, detailing the size of the file and the application name and resource type (required for Macintosh operating system classification) from which it was extracted.

Segment Length

Group Number Source File (bytes)

B 1 MS Word, CODE 1 1474

B 2 Disinfectant 2.0, CODE 7 1116

B 3 Red Ryder 9.4, CODE 37 2164

B 4 SuperPaint 2.0, CODE 42 2480

C 1 WordPerfect, CODE 31 5002

C 2 Font/DA Mover, CODE 1 4670

C 3 WordPerfect File, CODE 1 4542

C 4 ZTerm 0.85, CODE 5 4378

D 1 HyperCard, CODE "HyperTools 2" 26078

D 2 Disinfectant 2.0, CODE 5 18720

D 3 THINK C Debugger, CODE 2 21960

D 4 SuperPaint 2.0, CODE 20 19754


[Baase 88] Baase, Sara. Computer Algorithms: Introduction to Design and Analysis. Addison-Wesley, Reading, MA, 1988.

[Boyer 77] Boyer, R.S., Moore, J.S. A Fast String Searching Algorithm. "In Communications of the ACM", pages 762-772.

October, 1977.

[Cohen 86] Cohen, Fred B. Computer Viruses. Phd thesis, Electrical Engineering Department, University of Southern California, December, 1986.

[Landau 86] Landau, Gad M., Vishkin, Uzi. Introducing Efficient Parallelism Into Approximate String Matching and a New Serial Algorithm. "In Proceedings of the 18th Annual ACM Symposium on Theory of Computing", pages 220-230. 1986.

[McAfee 88] McAfee, John. Implementing Anti-Viral Programs: Special Report for the Computer Virus Industry Association. Public Information Packet. InterPath Corporation, Santa Clara, CA, 1988.

[McAfee 89] McAfee, John. Computer Viruses, Worms, Data Diddlers, Killer Programs, and Other Threats to Your System: What They Are, How They Work, and How to Defend Your PC, Mac, or Mainframe. St. Martin's Press, New York, 1989.

Listing 1: Dynamic.c
/* Dynamic.c - Functions for dynamic k-approximate virus infection detection.
 Copyright © 1992 by William H. Hsu.
 Thanks to John Norstad and Ephraim Vishniac for help and comments.  
Portions of this code are based on [Morton 90], which appears in the 
May 1990 issue of MacTutor.  Reused with permission.  You may copy, alter, 
use, and distribute all code listed here if you leave the file unchanged 
up to this line.
 Think C version.

•  A main advantage of this code, as explained in the “Methods and History” 
section, is that its effectiveness is not diminished by its availability. 
 No matter how many potential virus authors read it, the algorithm will 
remain equally effective against circumvention.
•  To use this code in your programs: 
1. It will be necessary to obtain non-functional but significant (larger 
than 300 bytes) resource segments from the virus you are trying to detect.
2. Using a resource editor, insert the viral data under an unused type, 
such as 'VDAT', used in the code below -- this will render the virus 
code inactive and most likely invisible to conventional (Class 2 and 
3) detection programs. As an added security measure, you may wish to 
include only code segments above 300 bytes (or a similar threshold length) 
to ensure that the virus is crippled.
3. Both the C routines and the Boyer-Moore routines require an expanded 
512K Mac or later (specifically, System 3.2 or later); they have been 
fully tested on the SE, II, and IIcx.
4. This function should be run upon first launching your application, 
or, if it is an operating system utility, during a “dormant” or idle 
5. The code below assumes that the VDAT resource contains all 5 segments 
of nVIR A; change this accordingly by adding additional virus types (under 
a name other than the original infected type) */

#include "dec.h"

FILE *my_file;
void dynamic()
  char m[MAXSIZE];
  int pattern_length, index;
  MATRIX table;
  register Handle rsrc;
  short resCount;
  resCount = Count1Resources ('VDAT'); 
 /* how many of this type are there? */
  open_file (&my_file, WRITE_MODE);
#ifdef _REPORT /* developer debug flag */
  printf("Searching for <<virus name>>:\n\n");
  fprintf(my_file, "Searching for <<virus name>>:\n\n");
  while (resCount) /* loop down to 1 */
 if (resCount == 3)
     printf("\nSearching for <<virus name>>:\n\n");
     fprintf(my_file, "\nSearching for <<virus name>>:\n\n");
   rsrc = Get1IndResource ('VDAT', resCount);    
 /* get the resource's handle, but don't load                  it */
 index = SizeResource (rsrc);
 HLock (rsrc);
 /* load next virus segment */
 pattern_length = copy_array (*rsrc, m,                  &index);
#ifdef _REPORT
  printf("Next virus segment loaded (length %d).  Resources left to scan: 
%d\n",  pattern_length, resCount);
 fprintf(my_file, "Next virus segment loaded (length %d).  Resources 
left to scan:    %d\n", pattern_length, resCount);
 HUnlock (rsrc);
 initialize(&table, pattern_length+1);
 vResCheck('nVRB', m, pattern_length, table, NO_REPORT);
#ifdef _REPORT
 fprintf(my_file, "\n");
 vResCheck('nVRA', m, pattern_length, table, NO_REPORT);
#ifdef _REPORT
 fprintf(my_file, "\n\n");

void initialize(table, length)
MATRIX *table;
int length;
  allocate_table(table, length);
  clear_table(*table, length);

void allocate_table(table, size)
MATRIX *table;
int size;
  int i;
  *table = (MATRIX)calloc(size, (size_t)sizeof(long *));
  for (i = 0; i < size; i++)
    (*table)[i] = (long *)calloc(2,(size_t)sizeof(long));

void clear_table(table, length)
MATRIX table;
int length;
  int i;
  for (i = 0; i <= length; i++)
    table[i][0] = (long)UNIT*i;

/* vResCheck - Perform dynamic string search on all resources of a specified 
type in the current application. */
void vResCheck (type, m, pattern_length, table, report)
 register ResType type; /* INPUT: type of resource to sum */
 char m[MAXSIZE];
 int pattern_length;
 MATRIX table;
 register short report;
/* INPUT: >0 => report errors with debugger */
 register short resCount; 
 /* number of resources of this type */
 register Handle rsrc;  /* resource to check */
 register short oldResFile;
 /* for preserving current resource file */
 register Boolean oldResLoad;
 /* for preserving "ResLoad" flag */
 Boolean found;
 char n[MAXSIZE];
 int text_length, local_count = 1;
 int index;
 /* Switch to the application's resource file.  Note that all resource 
calls from here on are the "one deep" calls from Inside Mac, Volume
IV. */
 oldResFile = CurResFile();
 /* remember initial resource file */
 oldResLoad = ResLoad;  /* remember "ResLoad" state */
 resCount = Count1Resources (type);
 /* how many of this type are there? */
  if (report)
 fprintf(my_file, "Text string ");
 printf("Text string ");
 while (resCount)/* loop down to 1 */
 { /* get the resource's handle, but don't load it */
 rsrc = Get1IndResource (type, resCount);
 /* see if it's already in memory */
 if (!rsrc) /* not available? */
 if (report > 0) /* debugging flag */
 DebugStr ("\pResource not available!");
 goto EXIT;
 index = SizeResource (rsrc);
 HLock (rsrc);
 found = FALSE;
 while ((text_length = copy_array(*rsrc, n, &index)) && (!found))
 fprintf (my_file, "%d  ", local_count);
 printf ("%d  ", local_count);
 clear_table (table, pattern_length);
 if (pattern_length <= text_length)
 if (compare (m, n, pattern_length, 
 text_length, table))
   found = TRUE;
 HUnlock (rsrc);
 --resCount;/* get next index number */
 } /* end of loop through resources */
 EXIT: /* goto here on tampering or error */
 UseResFile (oldResFile); /* restore original resource file */
 SetResLoad (oldResLoad); /* restore original loading state */
 } /* end of vResCheck() */

/* compare: the actual dynamic programming algorithm, modified to a level 
of padding tolerance defined by THRESHOLD */
char compare(p, t, pattern_length, text_length, table)
char p[], t[];
int pattern_length, text_length;
MATRIX table;
  long value1, value2, value3;
  int i, j, flip, beep;
  flip = TRUE;
  for (j = 1; j <= text_length; j++)
    table[0][flip] = 0;
    for (i = 1; i <= pattern_length; i++)
 if (p[i-1] == t[j-1]) /* initialize */
        value1 = table[i-1][!flip];
        value1 = (table[i-1][!flip])+UNIT;
      value2 = (table[i-1][flip])+UNIT;
 /* UNIT: the orginal algorithm uses this 
 weight for all variations in the text */
      value3 = (table[i][!flip])+EPSILON;
 /* EPSILON: small weighted "distance" --    
 as opposed to the single unit */
      table[i][flip] = MIN3(value1, value2, value3);
 /* see discussion of dynamic */
    if (table[pattern_length][flip] <= THRESHOLD)
 if (report)
      printf("%ld-approximate match found.\n",     table[pattern_length][flip]);
      fprintf(my_file, "%ld-approximate match found.\n", table[pattern_length][flip]);
 return (TRUE);
    flip = !(flip);/* only an O(2m)-sized array is needed to simulate 
a "matrix", because only 2 columns are used */
  return (FALSE);

/* data.c: data structure operations (static allocation) for dynamic 
AND Boyer-Moore algs */

int read_array(fp, array)
FILE *fp;
char array[];
  char c;
  int n;
  n = 0;
  while(((c = fgetc(fp)) != EOF) && (n <     MAXSIZE)) /* Read one element 
    array[n] = c;
  if (c != EOF)
    ungetc(c, fp);

/* fileops.c : file operations for dynamic */

#include "dec.h"
#include "errors.h"

char open_file(fp, operation)
FILE **fp;
char *operation;
  SFReply reply;
  char filename[BUFSIZ];
  strcpy(filename, (char *)reply.fName);
  *fp = fopen(filename, operation);
  if (!(reply.good)) {
    fprintf(stderr, CANNOT_OPEN_FILE, filename);
    exit_cleanly(NO_ERROR, EXIT_FAILURE); 
  else return(TRUE);

/* The following routines deal with the filea. This is all using the 
Macintosh HFS. */
/* GetfileName: read a file name usign the HFS */
SFReply *reply;
 Point  dlgPoint;
 Str255 defName = "\pDynamic Output";
 int  numTypes = 1;
 dlgPoint.h = 100; /* position of the 'open' dialog box */
 dlgPoint.v = 100;
 SFPutFile (dlgPoint, "\pSave output file as ", defName, NIL_POINTER, 

 PtoCstr ((char *) (*reply).fName);
 /* convert from PASCAL to 'C' string */
}/* GetfileName */

/* dec.h - dynamic definitions and declarations */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <math.h>
#define FALSE    0
#define TRUE1
#define NO_REPORT-1

#define K 1024
#define MAXSIZE  8*K
/* All of the tweaking is done here */
#define UNIT1
#define EPSILON  1
#define READ_MODE"r"
#define WRITE_MODE "w"
#define APPEND_MODE"a"

#define MIN2(a, b) (((a) < (b)) ? (a) : (b))
#define MIN3(a, b, c)((MIN2((a), (b)) < (c)) ? MIN2((a), (b)) : (c))
#define MAX2(a, b) (((a) > (b)) ? (a) : (b))

#define NIL_STRING "\p"
#define VDAT_RES_ID0

typedef long **MATRIX;
void initialize(), clear_table(), vResCheck(), allocate_table(), error_message(), 
exit_cleanly(), main();
char open_file(), compare();
int read_array();

int copy_array(array1, array2, bytes_left)
char array1[], array2[];
int *bytes_left;
  int bytes_gotten = 0;
  if (!(*bytes_left))
    return (FALSE);
  if (*bytes_left < MAXSIZE)
    memmove ((void *)array2, (void *)array1,       (size_t)(*bytes_left));
    bytes_gotten = *bytes_left;
    *bytes_left = 0;
    memmove ((void *)array2, (void *)array1, (size_t)MAXSIZE);
    bytes_gotten = MAXSIZE;
    *bytes_left -= MAXSIZE;
  return (bytes_gotten);
Listing 2:  BoyerMoore.c

/* BoyerMoore.c - Functions for fast, variable- randomized virus infection 
 Copyright © 1992 by William H. Hsu.
 Think C version.

 • As explained in the dynamic algorithm code, these routines are tolerant 
toward a wide variety of variations, including padded and mutating viral 

/* byrmoore.c: main searching file */

#include "dec.h"
void boyer_moore()
  FILE *my_file;
  char n[MAXSIZE], *sub_string, **pattern_array;
  int text_length, i, j, sum, match_count, size, divisor, total_match, 
index, index2, vdat_count,  refNum, files_to_scan = 5, total_virus_length;
  int *pattern_length_array, *pattern_index_array; /* virus segment lengths 
and delimiters */
  long file_size, total_file_size;
  register Handle rsrc, rsrc2;
/* Note: the code which scans files in the same way that Disinfectant 
does is far too long to include in this article.  The array used below 
is for the purpose of example only.  John Norstad has made the enumeration 
part of his program publicly available (by FTP at */
  Str255 ResFileArray[5] = {"\pOne*", "\pTwo*",          "\pThree", "\pFour", 
  Str255 DescriptionArray[5] = {"File 1\t", "File 2\t",        "File 
3\t", "File 4\t", "File 5\t"};
  ResType typeName;
  short resCount, typeCount, resCount2;
  open_file (&my_file, WRITE_MODE);
  csettabs (TABS, stdout);
#ifdef _REPORT
  printf("File description\t\t\tScore\tFile size\tAlgorithm's Decision\n");
  fprintf(my_file, "File description\t\t\tScore\tFile size\tAlgorithm's 
  fprintf(my_file, "================\t\t\t=====\t=========\t====================\n\n");
  sub_string = (char *)calloc(SIZE, sizeof(char));
  resCount = Count1Resources ('VDAT');
  vdat_count = resCount;
  pattern_length_array = (int *)calloc(resCount, sizeof(int));
  pattern_index_array = (int *)calloc(resCount, sizeof(int));
  pattern_array = (char **)calloc(resCount, 
 sizeof(char *));
  while (resCount) /* loop resCount down to 1 */
  {/* get handle, but don't load it */
    rsrc = Get1IndResource ('VDAT', resCount);
    index = SizeResource (rsrc);
    HLock (rsrc);
    pattern_array[resCount-1] = (char *)           calloc(index, sizeof(char));
    pattern_length_array[resCount-1] = copy_array (*rsrc, pattern_array[resCount-1], 
    pattern_index_array[resCount-1] = ((resCount < vdat_count) ? (pattern_length_array[resCount-
 1] + pattern_index_array[resCount]) : pattern_length_array[resCount-1]);
    HUnlock (rsrc);
  total_virus_length = pattern_index_array[0];

  SetResLoad (true);
  for (i = 0; i < files_to_scan; i++)
    refNum = OpenResFile (ResFileArray[i]);
    match_count = 0;
    divisor = 0;
    for (j = 0; j < ITERATIONS; j++)
      total_file_size = 0;
      sum = 0;
      while (!random_string(pattern_array, sub_string, pattern_index_array, 
 total_virus_length, SIZE, vdat_count));
      typeCount = Count1Types ();
      while (typeCount)
        Get1IndType (&typeName, typeCount);
        resCount2 = Count1Resources (typeName);
        while (resCount2)
          rsrc2 = Get1IndResource (typeName, resCount2);
          index2 = SizeResource (rsrc2);
          file_size = 0;
          HLock (rsrc2);
 while (text_length = copy_array (*rsrc2, &index2))
            compare(sub_string, n, SIZE,text_length, &sum);
            file_size += text_length;
          HUnlock (rsrc2);
          total_file_size += file_size;
      if (sum)
#  ifdef _REPORT
    printf("%s\t\t", DescriptionArray[i]);
    fprintf(my_file, "%s\t\t", DescriptionArray[i]);
    printf("%d\t\t%ld\t", match_count, total_file_size);
    fprintf(my_file, "%d\t\t%ld\t", match_count, total_file_size);
    if (match_count >= (divisor/LIMIT))
#ifdef _REPORT
      printf("\t%s\n", INFECTED_STRING);
      fprintf(my_file, "\t%s\n", INFECTED_STRING);
#ifdef _REPORT
      printf("\t%s\n", CLEAN_STRING);
      fprintf(my_file, "\t%s\n", CLEAN_STRING);
  printf("\nScore represents matches out of %d, with %d needed to diagnose 
infection.\n",   divisor, divisor/LIMIT);
  fprintf(my_file, "\nScore represents matches out of %d, with %d needed 
to diagnose infection.\n", divisor, divisor/LIMIT);

char random_string(string_array, sub_string, index_array, length, substring_length, 
char **string_array, sub_string[];
int index_array[], length, substring_length, vdat_count;
  int location, segment, i, zero_count = 0;
  Boolean legal = false, In_The_Right_Segment = false;   /* length and 
segments okay? */
  segment = vdat_count-1;
  while (!legal)
    location = (int)((rand()/(double)MAXINT)* (length - substring_length));
    In_The_Right_Segment = false;
    while (!In_The_Right_Segment)
      if (location <= index_array[segment])
        In_The_Right_Segment = true;
        if (location <= (index_array[segment] - substring_length + 1))
          legal = true;
          legal = false;
  if (segment < vdat_count-1)
    location -= index_array[segment+1];
  for (i = location; i < location + substring_length; i++)
    sub_string[i-location] =  (string_array[segment])[i];
    if (!string_array[segment][i])
  if (zero_count < substring_length/2) 

/* compare: the heart of the Boyer-Moore heurstic, similar to Knuth-Morris-Pratt's 
matching engine */
void compare(p, t, pattern_length, text_length, sum)
char *p, *t;
int pattern_length, text_length, *sum;
  ALPHABET_ARRAY char_jump;
  int *match_jumps, print;
  allocate_array(&match_jumps, pattern_length);
  compute_jumps(p, char_jump, pattern_length-1);
  compute_match_jumps(p, &match_jumps, pattern_length);
  if (bm_match(p, t, char_jump, match_jumps, pattern_length, text_length))

void allocate_array(array, size)
int size;
  *array = (int *)calloc(size, sizeof(int));

/* the bad-character failure function
NOTE: if the ASCII alphabet, which has size 256, is
used, this function is not worth computing for resource text strings 
of length ¾ 256 */
void compute_jumps(p, char_jump, length)
char *p;
int length;
  int c, k;
  for (c = 0; c < CHARS; c++)
    char_jump[c] = length;
  for (k = 0; k < length; k++)
    char_jump[POSITIVE(p[k])] = length-k-1;

/* implementation of pseudocode from [Baase 88] 
   - uses the good-suffix failure function */
void compute_match_jumps(p, match_jump, pattern_length)
char *p;
INDEX_ARRAY match_jump;
int pattern_length;
  int m, k, q, qq;
  int *back;
  allocate_array(&back, pattern_length+1);
  m = pattern_length;
  for (k = 0; k < m; k++)
    (*match_jump)[k] = 2*m-k-1;
  q = m;
  for (k = m-1; k >= 0; k--)
    back[k] = q;
    while ((q < m) && (p[k] != p[q]))
      (*match_jump)[q] = MIN2((*match_jump)[q], m-k-1);
      q = back[q];
  for (k = 0; k < q; k++)
    (*match_jump)[k] = MIN2((*match_jump)[k], m+q-k-1);
  qq = back[q];
  while (q < m)
    while (q < qq)
      (*match_jump)[q] = MIN2((*match_jump)[q], qq-q+m-1);
    qq = back[qq];

int bm_match(p, t, char_jump, match_jump, pattern_length, text_length)
char *p, *t;
int *match_jump, pattern_length, text_length;
  int j, k; /* j indexes text characters; k indexes            
 the pattern */
  j = pattern_length - 1;
  k = j;
  while (j < text_length)
    if (k == -1)
    if (t[j] == p[k])
      j += MAX2(char_jump[POSITIVE(t[j])], match_jump[k]);
      k = pattern_length - 1;

/* dec.h - definitions and declarations for bm */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <console.h>

#define TABS4

#define K 1024
#define MAXSIZE  8*K
#define MAXINT   32767
#define MINSUB   8
#define MAXSUB   12
#define STEP4
#define ITERATIONS 1000

#define FALSE    0
#define TRUE1

#define READ_MODE"r"
#define WRITE_MODE "w"
#define APPEND_MODE"a"

#define MIN2(a, b) (((a) < (b)) ? (a) : (b))
#define MIN3(a, b, c)((MIN2((a), (b)) < (c)) ? MIN2((a), (b)) : (c))
#define MAX2(a, b) (((a) > (b)) ? (a) : (b))

#define POSITIVE(a)((abs(a) == (a)) ? (a) : abs(a)+127)

#define CHARS    256

#define NIL_STRING "\p"
#define VDAT_RES_ID0

typedef int **INDEX_ARRAY;
typedef ResType **ResTypeHandle;

void compare(), allocate_array(), compute_jumps(), compute_match_jumps(), 
error_message(), exit_cleanly(), main();
char open_file(), random_string();
int read_array();


1. [Cohen 86] is the most complete and formal of these publications. He gives a full definition of the term virus and technical discussion of worm propagation and viral spread.

2. An inter-corporation group comprised of personal computer industry professionals (generally hardware and software developers) which is devoted to the distribution of anti-viral information (e.g., training seminars and publications) and tracking of new viruses. It was founded and is coordinated by John McAfee, the president of InterPath Corporation in Santa Clara, CA. The full text of his classification schema may be found in [McAfee 88].

3. This proof is available in its original form in [Cohen 86]; the doctoral thesis is exclusively published by the micrographics department of the University of Southern California. [Burger 88], [van Winkel 88], and many other works contain versions of this reduction of new virus detection to the halting problem [Turing 36].

4. A brief definition of O-notation, from [Baase 88]:

f(n) = O(g(n)) (f is “order of” g) if and only if there exist c > 0, N > 0, such that f(n) ¾ cg(n) for every n N.

Thus an O(mn)-time implementation requires time proportional to the product of the lengths of the pattern and text strings, in the long run. An O(kn) version requires time proportional to the product of the maximum acceptable number of differences and the length of the pattern.

Our implementation of the dynamic programming algorithm was coded in C, using Pascal-type pseudocode from [Baase 88] (Chapter 6) as a guide. The O(kn) version can be found in [Landau 86], in the 18th annual ACM STOC Proceedings, with more general pseudocode.

5. Among the Macintosh viruses with known variants (both strains and clones) are the following: WDEF, with strains A and B, and nVIR, with very prolific strains A and B, each with multiple clones found under Hpat, MEV#, AIDS, and other resource titles. An explicit definition of the terms “strain”, “clone”, and “viral mutant” as they are used in this article is given in the introduction.

6. The original presentation of the algorithm is given in [Boyer 77], a paper in the October 1977 CACM; again, pseudocode from [Baase 88] (Chapter 5) was used as a guide in our implementation.

7. This is the pivotal concept in [Morton 90], a recent article in MacTutor. The evident weaknesses in this technique are stressed by the author, who recommends user modification of the anti-viral source code as a means of circumventing viral tampering. This comment forebodes the use of expert systems techniques in viral code design; the use of artificial intelligence intermeshed with viral programs has been predicted in [Cohen 86], and is expected to appear as the availability of compiler tools increases and the viral visibility threshold decreases.

8. The evolutionary virus is a largely theoretical program, first proposed in [Cohen 86]; however, mildly evolutionary code (viral and otherwise) already exists in abundance. User modification of an antivirus is nearly certain to leave it “blind” to successive generations of an automatically self-modifying virus.

9. The table computation rules (with the exception of the distance metric modification - a, b, and c replace 1 in each rule) are quoted verbatim from [Baase 88], Section 6.3.

10.The article is [Landau 86], in the Proceedings of the 18th Annual ACM STOC.


Community Search:
MacTech Search:

Software Updates via MacUpdate

Geekbench 4.4.0 - Measure processor and...
Geekbench provides a comprehensive set of benchmarks engineered to quickly and accurately measure processor and memory performance. Designed to make benchmarks easy to run and easy to understand,... Read more
CleanMyMac X 4.4.4 - Delete files that w...
CleanMyMac makes space for the things you love. Sporting a range of ingenious new features, CleanMyMac lets you safely and intelligently scan and clean your entire system, delete large, unused files... Read more
TeamViewer 14.4.2669 - Establish remote...
TeamViewer gives you remote control of any computer or Mac over the Internet within seconds or can be used for online meetings. Find out why more than 200 million users trust TeamViewer! Free for non... Read more
Paperless 3.0.6 - $69.95
Paperless is a digital documents manager. Remember when everyone talked about how we would soon be a paperless society? Now it seems like we use paper more than ever. Let's face it - we need and we... Read more
BetterTouchTool 3.141 - Customize multi-...
BetterTouchTool adds many new, fully customizable gestures to the Magic Mouse, Multi-Touch MacBook trackpad, and Magic Trackpad. These gestures are customizable: Magic Mouse: Pinch in / out (zoom)... Read more
TextMate 2.0.rc.29 - Code/markup editor...
TextMate is a versatile plain text editor with a unique and innovative feature set which caused it to win an Apple Design Award for Best Mac OS X Developer Tool in August 2006 A rapidly growing... Read more
Little Snitch 4.4.1 - Alerts you about o...
Little Snitch gives you control over your private outgoing data. Track background activity As soon as your computer connects to the Internet, applications often have permission to send any... Read more
Little Snitch 4.4 - Alerts you about out...
Little Snitch gives you control over your private outgoing data. Track background activity As soon as your computer connects to the Internet, applications often have permission to send any... Read more
MPlayer OSX Extended 16 - Multimedia pla...
MPlayer OSX Extended is the future of MPlayer OSX. Leveraging the power of the MPlayer and FFmpeg open source projects, MPlayer OSX Extended aims to deliver a powerful, functional and no frills video... Read more
Google Chrome 75.0.3770.142 - Modern and...
Google Chrome is a Web browser by Google, created to be a modern platform for Web pages and applications. It utilizes very fast loading of Web pages and has a V8 engine, which is a custom built... Read more

Latest Forum Discussions

See All

TEPPEN guide - Tips and tricks for new p...
TEPPEN is a wild game that nobody asked for, but I’m sure glad it exists. Who would’ve thought that a CCG featuring Capcom characters could be so cool and weird? In case you’re not completely sure what TEPPEN is, make sure to check out our review... | Read more »
Dr. Mario World guide - Other games that...
We now live in a post-Dr. Mario World world, and I gotta say, things don’t feel too different. Nintendo continues to squirt out bad games on phones, causing all but the most stalwart fans of mobile games to question why they even bother... | Read more »
Strategy RPG Brown Dust introduces its b...
Epic turn-based RPG Brown Dust is set to turn 500 days old next week, and to celebrate, Neowiz has just unveiled its biggest and most exciting update yet, offering a host of new rewards, increased gacha rates, and a brand new feature that will... | Read more »
Dr. Mario World is yet another disappoin...
As soon as I booted up Dr. Mario World, I knew I wasn’t going to have fun with it. Nintendo’s record on phones thus far has been pretty spotty, with things trending downward as of late. [Read more] | Read more »
Retro Space Shooter P.3 is now available...
Shoot-em-ups tend to be a dime a dozen on the App Store, but every so often you come across one gem that aims to shake up the genre in a unique way. Developer Devjgame’s P.3 is the latest game seeking to do so this, working as a love letter to the... | Read more »
Void Tyrant guide - Guildins guide
I’ve still been putting a lot of time into Void Tyrant since it officially released last week, and it’s surprising how much stuff there is to uncover in such a simple-looking game. Just toray, I finished spending my Guildins on all available... | Read more »
Tactical RPG Brown Dust celebrates the s...
Neowiz is set to celebrate the summer by launching a 2-month long festival in its smash-hit RPG Brown Dust. The event kicks off today, and it’s divided into 4 parts, each of which will last two weeks. Brown Dust is all about collecting, upgrading,... | Read more »
Flappy Royale is an incredibly clever ta...
I spent the better part of my weekend playing Flappy Royale. I didn’t necessarily want to. I just felt like I had to. It’s a hypnotic experience that’s way too easy to just keep playing. | Read more »
Void Tyrant guide - General tips and tri...
Void Tyrant is a card-based dungeon-crawler that doesn’t fit in the mold of other games in the genre. Between the Blackjack-style combat and strange gear system alone, you’re left to your own devices to figure out how best to use everything to your... | Read more »
Webzen’s latest RPG First Hero is offici...
You might be busy sending your hulking Dark Knight into the midst of battle in Webzen’s other recent release: the long-anticipated MU Origin 2. But for something a little different, the South Korean publisher has launched First Hero. Released today... | Read more »

Price Scanner via

Amazon drops prices, now offers clearance 13″...
Amazon has new dropped prices on clearance 13″ 2.3GHz Dual-Core non-Touch Bar MacBook Pros by $200 off Apple’s original MSRP, with prices now available starting at $1099. Shipping is free. Be sure to... Read more
2018 15″ MacBook Pros now on sale for $500 of...
Amazon has dropped prices on select clearance 2018 15″ 6-Core MacBook Pros to $500 off Apple’s original MSRP. Prices now start at $1899 shipped: – 2018 15″ 2.2GHz Touch Bar MacBook Pro Silver: $1899.... Read more
Price drop! Clearance 12″ 1.2GHz Silver MacBo...
Amazon has dropped their price on the recently-discontinued 12″ 1.2GHz Silver MacBook to $849.99 shipped. That’s $450 off Apple’s original MSRP for this model, and it’s the cheapest price available... Read more
Apple’s 21″ 3.0GHz 4K iMac drops to only $936...
Abt Electronics has dropped their price on clearance, previous-generation 21″ 3.0GHz 4K iMacs to only $936 shipped. That’s $363 off Apple’s original MSRP, and it’s the cheapest price we’ve seen so... Read more
Amazon’s Prime Day savings on Apple 11″ iPad...
Amazon has new 2018 Apple 11″ iPad Pros in stock today and on sale for up to $250 off Apple’s MSRP as part of their Prime Day sale (but Prime membership is NOT required for these savings). These are... Read more
Prime Day Apple iPhone deal: $100 off all iPh...
Boost Mobile is offering Apple’s new 2018 iPhone Xr, iPhone Xs, and Xs Max for $100 off MSRP. Their discount reduces the cost of an Xs to $899 for the 64GB models and $999 for the 64GB Xs Max. Price... Read more
Clearance 13″ 2.3GHz Dual-Core MacBook Pros a...
Focus Camera has clearance 2017 13″ 2.3GHz/128GB non-Touch Bar Dual-Core MacBook Pros on sale for $169 off Apple’s original MSRP. Shipping is free. Focus charges sales tax for NY & NJ residents... Read more
Amazon Prime Day deal: 9.7″ Apple iPads for $...
Amazon is offering new 9.7″ WiFi iPads with Apple Pencil support for $80-$100 off MSRP as part of their Prime Day sale, starting at only $249. These are the same iPads found in Apple’s retail and... Read more
Amazon Prime Day deal: 10% (up to $20) off Ap...
Amazon is offering discounts on new 2019 Apple AirPods ranging up to $20 (10%) off MSRP as part of their Prime Day sales. Shipping is free: – AirPods with Charging Case: $144.99 $15 off MSRP –... Read more
Amazon Prime Day deal: $50-$80 off Apple Watc...
Amazon has Apple Watch Series 4 and Series 3 models on sale for $50-$80 off Apple’s MSRP as part of their Prime Day deals with prices starting at only $199. Choose Amazon as the seller rather than a... Read more

Jobs Board

*Apple* Systems Architect/Engineer, Vice Pre...
…its vision to be the world's most trusted financial group. **Summary:** Apple Systems Architect/Engineer with strong knowledge of products and services related to Read more
*Apple* Graders/Inspectors (Seasonal/Hourly/...
…requirements. #COVAentryleveljobs ## Minimum Qualifications Some knowledge of agricultural and/or the apple industry is helpful as well as the ability to comprehend, Read more
Best Buy *Apple* Computing Master - Best Bu...
**710003BR** **Job Title:** Best Buy Apple Computing Master **Job Category:** Store Associates **Location Number:** 000171-Winchester Road-Store **Job Description:** Read more
Best Buy *Apple* Computing Master - Best Bu...
**709786BR** **Job Title:** Best Buy Apple Computing Master **Job Category:** Sales **Location Number:** 000430-Orange Park-Store **Job Description:** **What does a Read more
Geek Squad *Apple* Master Consultation Agen...
**709918BR** **Job Title:** Geek Squad Apple Master Consultation Agent **Job Category:** Services/Installation/Repair **Location Number:** 000106-Palmdale-Store Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.