The Attack and Defense of Computers - PowerPoint PPT Presentation

1 / 121
About This Presentation
Title:

The Attack and Defense of Computers

Description:

... the partition table on the hard disk to understand the disk's ... chips accompany most hardware add-ons, such as hard drives, video boards, and so ... – PowerPoint PPT presentation

Number of Views:75
Avg rating:3.0/5.0
Slides: 122
Provided by: yanl
Category:

less

Transcript and Presenter's Notes

Title: The Attack and Defense of Computers


1
  • ???????
  • The Attack and Defense of Computers
  • Dr. ? ? ?

2
  • Virus Internet Security Professional Reference

3
Virus
  • A sequence of code that is inserted into other
    programs.
  • A virus can create a copy of itself to inserted
    in one or more other programs.
  • Virus cannot run on their own, and need to have
    some host program.
  • e.g. Melissa virus, ILOVEYOU virus.

4
Virus
  • Boot sector viruses
  • Master boot record viruses
  • File infector viruses
  • Multi-partite viruses
  • Macro viruses (infect data files)

5
  • Floppy Disks Hard Disks

6
Disk Structures
  • Units used in Floppy Disks and Hard Disks
  • Sectors
  • E.g. A 3 ½ inch high-density disk
  • 512 bytes/sector
  • 18 sectors/track
  • 40 tracks/side
  • Cluster
  • Disk space allocation unit
  • Each cluster contains one or more sectors.
  • Tracks
  • Heads
  • Cylinder (for HDs)

7
Floppy Disk Structure
8
Disk Sectors
Magnetic Disk
Sector
9
Hard Disk Structure
10
Areas of a Disk
  • Under DOS, A disk is divided into the following
    four areas
  • The boot record.
  • The file allocation table (FAT).
  • The root directory.
  • The data area.
  • A hard drive has a fifth area
  • The partition table.

11
Boot Record
  • Boot Record
  • Location
  • sector 1, track 0, head 0.
  • Contents
  • the bootstrap routine (a machine language program
    designed to load the operating system from other
    part of the disk.)
  • the BIOS Parameter Block (BPB), which identifies
    the floppy disks operating parameters, including
    the number of bytes per sector, sectors per
    cluster and track, and tracks per disk.
  • The BPB allows an operating system to understand
    the format of a disk.

12
The Bootstrap Program
  • In a PC, when a machine is turned on, a routine
    called The Power-On Self Test (POST) verifies
    all hardware components are working properly.
  • After everything is confirmed working well, POST
    loads up the boot record from the disk and checks
    for two signature bytes inside it.
  • If the boot record signature is present, the
    execution control is transferred to the bootstrap
    program inside the boot record.
  • Under DOS, the bootstrap program in turn loads
    the OS into the RAM from the disk and eventually
    transfers control to COMMAND.COM, the command
    interpreter.

On board
On disk
13
Boot Sequence from Uninfected Floppy Diskette
14
Hard Disk Partition and Master Boot Record
  • A single physical hard drive can be divided into
    several different partitions.
  • The user can specify one of the partitions as the
    active partition (the one from which the user
    wants to boot.)
  • The Master Boot Record (MBR) is a structure
    stored on the first track, sector and head of the
    hard drive.
  • The MBR contains a partition table, which denotes
    the allocation of all sectors and their
    respective partitions.
  • Programs require the partition table on the hard
    disk to understand the disks characteristics.

15
Boot Sequence from Uninfected Hard Drive -- (1)
Stop
16
Boot Sequence from Uninfected Hard Drive -- (2)
17
  • 8086/8088 INTERRUPTS, BIOS, and DOS

18
Interrupt Gerhard Roehrl
  • The 8086/88 microprocessors allow normal program
    execution to be interrupted by external events or
    by special instructions embedded in the program
    code.
  • When the microprocessor is interrupted, it stops
    executing the current program and calls a
    procedure which services the interrupt.
  • At the end of the interrupt service routine, the
    code execution sequence is returned to the
    original, interrupted program.

19
Interrupt Sources
  • An interrupt can be generated by one of three
    sources
  • Internal interrupts
  • Hardware interrupt
  • Software interrupt

20
Internal Interrupts
  • An interrupt can be generated as a result of a
    processor state violation, called an exception.
  • An example would be a divide-by-zero interrupt
    produced when the div instruction is interpreted
    to have a zero divisor.
  • Program execution is automatically interrupted
    and control transferred to an interrupt handler.
  • Conditional interrupts such as this are referred
    to as internal interrupts.

21
Hardware Interrupt
  • An interrupt can also be generated by an external
    device requesting service. This happens when a
    device signals its request on either the
    non-maskable interrupt (NMI) or on the INTR
    interrupt input lines of the processor.
  • The NMI interrupt is generally used to signal the
    occurrence of a catastrophic event, such as the
    immanent loss of power.
  • The INTR interrupt is used by all other devices.
  • An interrupt caused by a signal applied to either
    the NMI or INTR input pin of a CPU is referred to
    as a hardware interrupt.

22
Software Interrupt
  • Interrupts may be generated as a result of
    executing the int instruction. This is referred
    to as a software interrupt.

23
Interrupt Vectoring
  • Two 16 bit data words are used to specify the
    location of a interrupt service routine.
  • One word is used to load the CS register and
    points to the base address of the code segment
    containing the service routine.
  • The second word is used to load the IP with the
    offset value for the desired routine within the
    specified code segment.
  • The base and offset words for all interrupt types
    are grouped together in an interrupt vector
    table.

24
BIOS wikipedia
  • BIOS, in computing, stands for Basic Input/Output
    System or Basic Integrated Operating System.
  • BIOS refers to the software code run by a
    computer when first powered on. The primary
    function of BIOS is to prepare the machine so
    other software programs stored on various media
    (such as hard drives, floppies, and CDs) can
    load, execute, and assume control of the
    computer. This process is known as booting up.
  • BIOS can also be said to be a coded program
    embedded on a chip that recognizes and controls
    various devices that make up the computer. The
    term BIOS is specific to personal computer
    vendors. Among other classes of computers, the
    generic terms boot monitor, boot loader or boot
    ROM are commonly used.

25
BIOS Procedures in ROM Chips
  • ROM chips accompany most hardware add-ons, such
    as hard drives, video boards, and so forth. These
    chips contain machine language programs
    (routines) that handle most of the common
    requests that operating systems and applications
    make.
  • ROM-based software adheres to a well-known,
    published standard.
  • If a program wants to write data to the hard
    drive, for example, it can call upon the routines
    on the hard drive ROM chips to perform the
    operation. Although the circuitry in each brand
    of hard drive might differ, this well-defined
    software interface allows programs to efficiently
    request services from hard drives and other
    peripherals without having to understand their
    internals.
  • ROM-based software is referred to as a BIOS
    procedures. If a program needs to request a
    service from a peripheral, such as reading data
    from the hard drive, it can call upon the BIOS
    procedure in the ROM chip to communicate with the
    specific device and service the request.

similar to a device driver in Unix
26
Physical Memory Layout of a PC
640K
1M
27
DOS calls
  • The DOS operating system also offers system
    services to its applications. DOS installs its
    own service provider software in memory to
    service common requests, such as opening a file
    or writing data to a file. This DOS software
    works on top of the various BIOS Procedures and
    simplifies certain basic operations.
  • The application requests a system service, such
    as opening a file. The application makes this
    request with a simple DOS call. DOS may make one
    or more low-level requests to the ROM service
    provider. Finally, the ROM service provider may
    interact with the hardware to service some
    requests. Because the typical program doesnt
    care about how data actually is stored on the
    hard drive, as long as it can access it, DOS
    abstracts this for the program and offers a
    simple way to open files.

Similar to a system call in Unix
28
System Layering
29
An Example of System Layering Raymond Wisman
  • C program  cout ltlt "Hello world"
  • Machine     Call DOS video function 9 to
    output
  • Code string "Hello world"     
      
  • DOS            Call BIOS video function by
  • int 10h   
  •                        
  • BIOS           "Hello world" placed in
  • hardware video
    memory                 
  • Video hardware "Hello world" display from
  • video memory

30
Invoking a BIOS Procedure or DOS Call
  • Both BIOS procedures or DOS calls are invoked
    through the int instruction,
  • e.g.
  • int 20h
  • int 10h

31
Hook TSRs into DOS System Services
  • Memory-resident programs, called TSRs, can hook
    into the system service provider software already
    resident in the computers memory and augment the
    services offered by the original service
    provider.
  • The hooking program can service all requests on
    its own or pass on some or all requests to the
    original service provider. It also can opt to
    modify information before passing it to a
    subservient service provider (one installed
    before the current service provider).

32
How Resident File Viruses Hook into the Operating
System
  • Most programs that hook into DOS or ROM services
    do so for legitimate reasons. Unfortunately,
    memory-resident viruses also can hook into these
    system services to damage data or spread to
    floppy disks and files.

33
  • File Formats

34
The Most Common Executable File Formats under
Windows
  • The portable executable file format (PE) is the
    format of the binary programs (exe, dll, sys,
    scr) for MS windows NT, windows 95 and win32s.

35
PE File Structure
36
The Most Common Executable File Formats under DOS
  • The most common executable file formats used
    under DOS are COM, EXE, and SYS.
  • COM and EXE files are used for standard DOS
    programs, and SYS files are used for system
    device drivers.
  • Although viruses have targeted each of these file
    formats, to date, reports of SYS file infections
    have been rare.

37
Entry Points of DOS Program Files
  • A program file consists of data and machine
    language instructions interpreted directly by the
    computers CPU.
  • DOS program files contain one or two entry
    points, which are the locations in the program of
    the first instruction for the CPU to execute.
  • You might compare a program to a notepad that
    contains a list of tasks. The entry point, then,
    would be the first task on the list.
  • All COM and EXE files have a single entry point,
    while SYS files have two entry points.
  • The CPUs interpretation of a programs
    instruction must always start with the
    instruction at the entry point. This makes the
    entry point an area that viruses can modify and
    thereby gain control of the computer. After the
    virus completes its dirty work, it can then
    transfer control to the original program.

38
COM Files
  • The COM executable file has the simplest DOS
    program file format. The COM files simplicity
    makes it a major target for file infecting
    viruses.
  • The contents of the COM file are loaded directly
    into memory and executed without modification.
    The operating system transfers control to the
    first instruction in the memory image of the
    file. This first instruction is the COM files
    single entry point.
  • COM files have an upper size limit of
    approximately 64 KB

39
How a COM File Is Loaded into RAM and Executed
40
EXE Files Component Sections
  • The EXE executable file format is somewhat more
    complex than the COM file format.
  • The EXE file consists of two primary sections.
  • The first section is a header that tells DOS how
    to load the program.
  • The second section of the EXE file, known as the
    program load image, contains the actual memory
    image of the program and its data.

41
EXE Files the Header Section
  • The header includes two fields that identify the
    location of the EXE files single entry point in
    the program
  • the Code Segment (CS) and
  • the Instruction Pointer (IP).
  • The header also includes two size fields that
    specify the actual size of the executable
    program.
  • When a virus infects an EXE file, it must
    increase the value in the size fields to equal
    the total of the executable program file size and
    the virus program size.
  • For instance, when a virus that is 2 KB in size
    appends itself to a 10 KB file, it increases the
    value in these fields to 12 KB.

42
How an EXE File Is Loaded into RAM and Executed
overlay data
43
SYS Files
  • The SYS executable file format differs from both
    the COM and EXE file formats in that SYS files
    have two entry points.
  • SYS format files are used primarily for device
    drivers.
  • Like COM files, all SYS files must be 64 KB or
    less in size.
  • The SYS file is composed of three major sections.
  • The first portion of the SYS file contains the
    device header. Like the header of an EXE file,
    the device header contains entry point
    information and other fields.
  • The second and third sections of the SYS file
    contain the two device driver modules, which
    contain all the machine language code in the
    program.

44
How a SYS File Is Loaded into RAM
45
Program Files and Viruses
  • Program files are often targeted by viruses for
    two primary reasons.
  • Because each of the executable file types has a
    simple format, file viruses can piggyback
    themselves to program files with relative ease.
  • Executable file types also are common targets for
    infection because of the frequency of their use.
    If a virus can infect an executable file, its
    capability to infect other programs increases.

46
  • Macro Facilities

47
Macro Facilities
  • Macro facilities enable a user to record a
    sequence of operations within the application.
  • The user then uses a key combination to associate
    these operations.
  • Later, pressing this key combination repeats the
    recorded steps.
  • A given macro activated using a key combination,
    for example, might open a file, renumber the
    items within it, then close the file.

48
Global Pool of Macros
  • Macro systems have evolved greatly over the
    years.
  • Most old programs that supported macros had a
    global pool of macros that always were
    available for use, regardless of what file the
    user happened to be editing.
  • Individual document or spreadsheet files could
    not contain their own, local, macros.

49
New Properties of Modern Macro System
  • Modern macro systems differ from their
    predecessors in several key ways.
  • First, users now can write entire complex
    programs in a macro language. These programs have
    access to all the host applications features, as
    well as many of the operating systems features.
  • Microsoft products, for example, enable users to
    write macros in a language that resembles Visual
    Basic.
  • These macros can perform various tasks for the
    user, including popping up dialog boxes, altering
    files on the system, or inserting the date and
    time in a document. They can also be used to
    write viruses!
  • Second, the user can tote specific macros around
    in a document or spreadsheet data file. A user
    can create a macro for a specific spreadsheet,
    for example, and attach it directly to the
    spreadsheet file. Any time the file is used on a
    new machine, the accompanying macro is available
    for use.

50
Security Concerns of Modern Macro System
  • An inherent threat exists with modern macro
    system just as normal macros can be attached and
    carried along with a given document or data file,
    so can macro viruses!

51
Cross-platform Compatibility
  • Modern macro languages, such as Word for Windows
    WordBasic, are interpreted by the host
    application and often are compatible across
    different operating systems.
  • A Word for Windows 6.0 document that contains
    macros created on a PC, for instance, can be
    edited in Word for Macintosh. Because Word for
    Macintosh provides the same macro facilities as
    its DOS counterpart, the documents macros also
    function on the Macintosh platform.
  • This cross-platform compatibility means that a
    macro virus can spread from computer to computer,
    as long as the destination computer supports a
    macro-capable, compatible version of the host
    application.

52
  • Microsoft Word Shauna Kelly Better Solutions
    Limited

53
What is a Template ?
  • A template is a sample document that is used for
    the basis for a new document.
  • A template determines the basic structure for a
    document and contains document specific settings
    such as fonts, styles, page layout, macros etc.
  • When you create a document the file that is
    created initially is just a copy of its template.
  • A word template has the file extension (.dot) and
    every document is based on a template.
  • When you save a document as a Word template the
    three-letter extension of .dot is added to the
    end of the name instead of .doc.

54
What Is the Normal.dot Template ?
  • The Normal.dot template is the basis for any new
    blank documents you create.
  • If you start with a new document and make changes
    you will not be able to save it as your
    Normal.dot template.
  • Normal.dot is a special global template created
    and used by Word and should be in the User
    Templates folder.
  • Always open the original file using (File gt Open)
  • Whenever you create a new document by clicking
    (File gt New) a copy of the file called Normal.dot
    is created and is presented as a new document.
  • Normal.dot is the one file that is always open
    when Word is running.
  • If you change something in the Normal.dot then
    all new documents will reflect those changes.
  • If Word is unable to find your Normal.dot file or
    it is damaged then a new one will be created
    using the default settings.

55
What Happens When a Document Is Born?
  • When a document is created, it inherits three
    things from its parent template
  • styles In Word, a style is a collection of
    formatting instructions. You use styles to format
    the paragraphs in your document.
  • So you would use the "Title" style for your
    title, "Body Text" style for body text, "Caption"
    style for the picture captions, and "Heading 1"
    for the major headings.
  • content (e.g. text, pictures, a fax header, a
    form to fill in, the outline of your monthly
    management report, any content in headers and
    footers)
  • page settings (e.g. margins, paper size, paper
    orientation, settings for headers and footers).

56
When a New Word Document Is Created
  • The moment a document is created, it loses its
    connection with its parent with respect to
    styles, content and page settings.

57
Changing a Document Won't Change the Template
It's Attached to
  • You can change the margins in a document and the
    change won't affect the template.
  • You can add, delete or modify styles in a
    document, and it won't affect the template.

58
Changing the Template Won't Change Documents
Attached to the Template
  • You can change the margin in a template, and it
    will affect documents you create from this
    template in the future. But it won't affect
    existing documents attached to that template.
  • You can add, delete or modify styles in a
    template, and the change will affect documents
    you create from this template in the future. But
    it won't affect existing documents.

59
What Happens after a Document Is Born, While It
Is Being Edited?
  • Once a document has been created, the template to
    which it is attached takes on quite a different
    role.
  • When a document is being edited, its template
    sits in the background and makes four things
    available to a document
  • two kinds of functionality
  • macros
  • AutoTexts
  • two ways to access the functionality
  • toolbars
  • keyboard shortcuts (that is, a keyboard way and
    a mouse way).

60
Templates and Existing Word Documents
61
What are Global Templates ?
  • These are templates whose styles and other
    settings are available to all the open documents.
  • These templates are available every time Word is
    open.
  • Global templates are useful if you want to
    distribute any customisations.
  • Global templates are not loaded automatically
    when Word is opened.
  • The Normal.dot is an example of a global template
    and is the only global template that is loaded
    automatically when Word opens.
  • They are normally not "attached" to any document
    and normally do not contribute text or styles to
    any document. They are excellent vehicles for
    holding and sharing Autotext, Macros and
    Toolbars.

62
What Is a Macro ?
  • A macro is just the name given to a series of
    keystrokes that can be recorded and then played
    back in order to automate a task.
  • These keystrokes are then transferred into a
    series of commands which can then be rerun at any
    time.
  • Macros are simple computer programs where the
    code is often generated for you.
  • These macros run completely within an application
    like Word and require no additional software.
  • Macros can be used to play back your actions and
    can prevent you from having to perform tedious or
    repetitive tasks.

63
Where to Store Your Macro? Better Solutions
Limited
  • There are two possible workbooks where you can
    store your macros
  • Normal.dot - Storing your macros here will mean
    that they are available every time Word is open
    and are not reliant on any one particular
    document.
  • Document - This is the default location and is
    often the best place if you are relatively new to
    macros. A macro that has been saved into a
    specific document is only available when that
    particular document is open. The currently active
    document is also referred to as the current
    document or active document.

64
Macros Shauna Kelly
  • You can copy macros to and from documents and
    templates using Tools gt Templates and Add-ins gt
    Organizer.

65
Properties of Microsoft Word Macro
  • Microsoft Words macro system actually offers a
    global pool macro area, as well as
    document-specific macros.
  • Users can establish a set of global macros
    available for use regardless of the document
    being edited.
  • They also can use the local macros that accompany
    a specific document during editing of that
    document.
  • In the Microsoft scheme, macros can copy
    themselves to and from the global and local
    pools.
  • The global pool provides the macros with the
    capability to migrate from one document to
    another.
  • Upon execution, a macro can copy itself from a
    local pool to the global pool. Later, executing
    the same macro lets it copy itself from the
    global pool to a new documenta nice feature, as
    long as the user initiates the actions and knows
    of the results. Viruses can target this facility.

66
How Macros can Migrate from File to File
Microsoft Word uses a template to create, edit,
or assemble a document. The default template is
called NORMAL.DOT. This global template contains
information that gets pulled into your current
document, such as default settings, shortcut
keys, toolbars, custom menu settings, AutoText
entries, and macros.
67
Auto-execution Facility
  • The Word for Windows macro system also includes
    an auto-execution facility that makes it
    attractive to viruses.
  • Word for Windows has an AutoExec macro that
    launches (if it is present in the global pool)
    when a user starts the Word processor.
  • This facility can serve to execute other macros
    and set up the users work environmentor a virus
    can exploit it to ensure that the virus macro
    executes upon Word for Windows startup.
  • In addition to the AutoExec macro, Word for
    Windows contains numerous other macros that
    activate during a normal editing session without
    directly being activated by the user.
  • Any time the user opens a new document file, for
    example, a macro known as AutoOpen executes from
    the documents local macro pool (if present). A
    virus could easily use this macro to copy itself
    to the global pool as soon as a user opens the
    document.

68
Key Factors for the Emergence of Macro Viruses
  • First of all, many popular applications, such as
    desktop publishing, Word processing, and
    spreadsheet programs, include macro capabilities.
    Such widespread usage is attractive to a macro
    virus from the standpoint that chances for
    continued self-replication are high.
  • Secondly, it is far easier to write macro
    language programs than assemble language
    programs. The art of virus writing is no longer
    limited to the technically astute.
  • Finally, executable program viruses rely upon a
    systems CPU to directly execute its
    instructions, whereas macro viruses dont.
    Because of this, macros are platform independent.
  • The same macro that runs in a Windows-based Word
    processing program, for example, can also
    function in its Macintosh and Unix counterparts.

69
Macro Viruses
  • Infect data files.
  • Most common viruses nowadays.
  • Macro viruses infect Microsoft Office Word,
    Excel, PowerPoint and Access files.
  • Examples
  • Melissa,
  • WM.NicdDay,
  • W97M.Groov.

70
  • Boot Sector Viruses

71
Boot Sector Viruses
  • If a disk has a boot record virus, the virus
    activates when the PC attempts to boot from the
    floppy disk or hard disk.
  • Even if the PC cant start up from an infected
    disk (such as when the floppy disk does not
    contain the proper DOS system files), it attempts
    to run the bootstrap routine, which is all a
    virus needs to activate.
  • Like a terminate-and-stay-resident program, most
    boot record viruses install themselves in the
    host computers memory and hook into the various
    system services provided by the computers BIOS
    and operating system.
  • They remain active in RAM while a workstation
    remains on. As long as they stay in memory, they
    can continue to spread by infecting the floppy
    disks that a computer accesses.

72
  • Floppy Boot Record Viruses

73
Floppy Boot Record Viruses
  • Most floppy boot record viruses can infect the
    hard drive MBR or the active partition boot
    record, in addition to the floppy disk boot
    record.
  • The floppy disk serves as a carrier for the
    virus, allowing it to spread from one hard drive
    to another.
  • After the virus places itself on the hard drive,
    it can then infect other floppy disks that
    inevitably make their way to other machines.

74
When and How Floppy Boot Record Viruses Get
Control?
  • Floppy boot record (FBR) viruses seize control of
    the computer during system reset.
  • During the bootup sequence, the BIOS on most PCs
    determines whether a floppy disk is present in
    the floppy drive from which the computer is
    configured to boot.
  • If the BIOS finds a disk in the drive, it assumes
    that the user wants to boot from this disk. After
    it locates the disk, the BIOS loads the floppy
    boot record into the computers memory and
    executes its bootstrap program.

75
The Boot Sequence from an Infected Floppy Diskette
Virus reserves memory. Virus copies itself to
this memory Virus alters IVT to become proxy
service provider Virus attempts to infect hard
drive MBR or PBR.
Virus activities
Virus loads original non-viral and executes the
bootstrap routine
No SYS files
Display Message
Bootstrap routine checks for DOS system files
Bootstrap routine loads DOS system files and
execute them
stop
A prompt
76
BIOS Data Area
  • All PCs contain a reserved region of memory known
    as the BIOS Data Area (BDA).
  • During the initial stages of the computers
    bootup sequence (before control transfers to the
    bootstrap routine) the BIOS bootup program
    updates the BDA with information about the
    configuration and the initial state of the
    computer.
  • DOS relies on the information stored in the BDA
    of memory to properly use the peripherals and
    memory attached to the computer. Almost all FBR
    viruses exploit DOSs dependence on the BDA and
    update its contents to install themselves into
    memory.

77
Viruses Reserve Memory Stage 1
78
Viruses Reserve Memory Stage 2
79
Virus Copies Itself to Reserved Memory
  • After the virus reserves memory for itself by
    updating the BDA, it moves itself into the newly
    reserved memory and attempts to hook into the
    direct disk system services.

80
Interrupt Vector Table
  • The PC contains a memory structure, known as the
    Interrupt Vector Table (IVT), which is like a
    phone book that contains addresses for each of
    the services that the computer might need as it
    operates.
  • The IVT contains the addresses of ROM BIOS
    service programs in the computers memory. When
    the operating system needs to request a service,
    it can look up the address of the corresponding
    service provider in the IVT phone book and
    determine where to send its request.

81
IVT Entry Example
  • The computers ROM BIOS contains disk service
    routines that DOS calls upon to directly read
    from and write to floppy disks and hard drives.
  • One of the IVT phone book entries contains the
    address of the ROM BIOS disk service routines.

82
Hook into the IVT Entry for Disk Service Provider
  • The FBR virus hooks into the system services by
    changing the contents of this entry and informing
    the computer and any subsequent operating system
    that it now is a proxy for the ROM BIOS disk
    service provider. All requests to read and write
    to disks on the computer then are sent to the
    virus rather than to the original ROM BIOS disk
    services.
  • Later, when the operating system makes a system
    service request, the IVT is consulted and the
    virus has the request sent to it. The virus can
    then examine the request and, if it desires,
    infect the floppy disk being accessed.
  • After the virus performs its mischief, it can
    then redirect the request to the original ROM
    BIOS driver so that it can be properly serviced.

83
The Fully-installed Boot Virus
84
Hook as a System Service
  • Most FBR viruses attempt to install themselves as
    a memory-resident driver at this point in the
    bootup sequence.
  • In this way, the virus can monitor all disk
    service requests during the operation of the
    computer and infect additional floppy disks at
    will .

85
Conceptual Hierarchy of Service Providers after
the System is Infected
Conceptual hierarchy of service providers after
memory installation by the boot record virus
Application
Virus Resident Service Provider
86
The Original FBR
  • To complete its work, the FBR virus must retrieve
    the original FBR on the floppy disk and initiate
    the original bootup sequence as if the virus were
    not present. This is important because a virus
    must be unobtrusive to remain viable.
  • If the FBR virus installed itself in memory,
    infected the hard drive, and caused bootup on the
    floppy disk to fail, it might quickly be detected
    and removed.
  • Most viruses maintain a copy of the original FBR
    in one of the sectors at the end of the floppy
    disk. After the virus installs itself in memory,
    it loads the original FBR into memory and
    executes the original bootstrap routine. The
    bootstrap routine then proceeds normally,
    completely oblivious to the presence of the virus.

87
Infect Non-bootable Disk
  • Most floppy disks contain data and dont carry
    the DOS operating system files thus, after the
    virus transfers control to the original bootstrap
    routine, it displays a message such as
    Non-system disk. At this point, the average
    user realizes that he or she accidentally booted
    from a data disk, removes the disk from the drive
    and reboots.
  • This is why most FBR viruses infect the MBR or
    active Partition Boot Record of the hard drive
    during bootup. This infection guarantees that
    even if the floppy disk doesnt contain the
    proper operating system files, the virus can
    still spread to the hard drive and eventually to
    other disks.

88
When and How the FBR Virus Infects New Items?
  • Most FBR viruses attempt to infect disks whenever
    they get a chance (although some viruses are more
    discriminating than others).
  • If an infected floppy disk is in drive A, the
    first opportunity presented to the FBR virus is
    during a system reset.
  • Almost all FBR viruses also attempt to infect the
    hard drives MBR or active Partition Boot Record
    during the floppy boot process.
  • The FBR virus also has an opportunity to infect
    after it installs itself in memory and designates
    itself as the proxy disk service provider. Any
    time thereafter when DOS or its programs attempt
    to access a floppy disk (or the hard drive), the
    operating system calls upon the virus.

89
Detect Infected Disk
  • Before a virus attempts to infect the floppy
    disk, it must determine whether the disk has
    already been infected. Most often, the virus does
    so by loading the target FBR into memory and
    comparing it to its own contents.
  • If the FBR virus ascertains that the target
    floppy disk isnt yet infected, it proceeds with
    the infection process.

90
Examples
  • Form.
  • Disk Killer.
  • Michelangelo.
  • Stoned.

91
  • Master Boot Record Viruses

92
Master Boot Record Viruses
  • The MBR contains a bootstrap program which
    according to the MBRs partition table determines
    which partition is the active partition, and then
    load and transfer control to the active
    partitions Partition Boot Record (PBR) to finish
    the loading of the DOS into memory.
  • Examples
  • NYB,
  • AntiExe,
  • Unashamed.

93
  • Program File Viruses

94
Program File Viruses
  • Program file viruses (hereafter called just file
    viruses ) use executable files as their medium
    for propagation. They target one or more of the
    three most common executable file formats used in
    DOS COM files, EXE files, and SYS files.
  • The basic file virus replicates by attaching a
    copy of itself to an uninfected executable
    program. The virus then modifies the new host
    program so that when the program executes, the
    virus executes first.

95
Examples
  • Jerusalem
  • Cascade.

96
Infection
  • The file-infecting virus can only gain control of
    the computer if the user or the operating system
    executes a file infected with this virus.
  • In other words, infected files are harmless as
    long as they are not executed they can be
    copied, viewed, or deleted without incident.

97
Execution of a COM Program
  • COM programs have the simplest format of any of
    the DOS executable file formats.
  • They also have the simplest loading sequence
  • DOS reads the program directly into memory,
  • then jumps to the first instruction (at the first
    byte) of the program image.
  • When this action occurs, the program has complete
    control of the computer, until it relinquishes
    control back to DOS upon termination.

98
COM Infections
  • File viruses infect COM files by modifying the
    machine-language program at the start of the
    executable image. A virus can ensure that it
    gains control in at least four different ways,
    because execution in a COM file must begin at the
    first byte in the executable image.
  • Prepending COM Viruses
  • Appending COM Viruses
  • Overwriting COM Viruses
  • Improved Overwriting COM Viruses

99
Prepending COM Viruses
  • A virus can insert itself at the top of the COM
    file, moving the original program down after the
    viral code.
  • The entire virus is then located at the top of
    the executable image, and is the first to execute
    when the program is loaded.
  • This method of infection is known as prepending,
    because the virus affixes itself to the beginning
    of the host COM program

100
Prepending COM Virus Infection
101
Appending COM Viruses Inject the Virus
  • A virus can modify the machine-language program
    at the top of the executable image of the COM
    file to transfer control to the virus, which can
    be located elsewhere in the executable file.
  • The virus often attaches itself to the end of the
    infected program and changes the first few
    instructions at the top of the executable image
    so that they transfer control to the viral code.

102
Appending COM Viruses Handle the Original Code
  • Before the virus changes the first few program
    instructions, it must record what the host
    programs original entry instructions were so
    that it can repair the host program after it has
    completed.
  • Without preserving these instructions, when the
    virus transfers control to the host program, the
    PC would most likely crash or work incorrectly,
    foiling the virus attempts to remain
    undiscovered.
  • This above method of infection is known as
    appending, because the virus affixes its bulk to
    the end of the host program

103
Appending COM Virus Infection
104
Overwriting COM Viruses
  • The third technique used to infect COM files is
    known as overwriting. Viruses that use this
    technique often are crudely written. They infect
    COM programs by entirely overwriting the start of
    the host program with the viral code.

105
Repair Files Infected by Overwriting COM Viruses
  • Overwriting COM Viruses dont attempt to save a
    copy of the hosts bytes that have been
    overwritten. As a result, the original program
    cant work after the virus executes. If a
    computer becomes infected with a virus of this
    type, the only way to repair the infected files
    is to restore them from backups created before
    the infection.

106
Tricks Used by Overwriting COM Viruses to Avoid
Being Detected
  • After overwriting viruses infect program files,
    they either crash or display a bogus error
    message such as Not enough memory to execute
    program. Such error messages appear in an attempt
    to convince the user that the PC has a memory
    management problem rather than a virus.

107
Overwriting COM Virus Infection
Overwriting virus
108
Improved Overwriting COM Viruses
  • The last method used to infect COM programs is
    known as improved overwriting.
  • Assuming the virus is V bytes long, the virus
    first reads the first V bytes of the host program
    and then appends this information to the end of
    the host program. The virus then overwrites the
    top of the COM program using the V bytes of viral
    code.

109
Original Information of Infected Files
  • The host program can be repaired and executed
    normally after the virus completes its dirty
    work, because the information from the uninfected
    host program has been stored.

110
Improved Overwriting COM Virus
Improved Overwriting Virus V bytes long
111
EXE Infections
  • Although numerous methods are used to infect COM
    files, viruses use primarily one method to infect
    EXE format files.
  • EXE files have a variable entry point specified
    by the Code Segment (CS) and Instruction Pointer
    (IP) fields of the file header. In the most
    common form of EXE infection, the virus performs
    the following sequence of actions
  • Records the hosts original entry point in
    itself, so it can later execute the host program
    normally.
  • Appends a copy of itself to the end of the host
    program.
  • Changes the entry point (using CS and IP fields)
    in the EXE header to point to the virus code.
  • Changes other fields in the header, including the
    programs load-image size fields to reflect the
    presence of the virus.

112
EXE File before and after Infection
113
How and When the File-Infecting Virus Gets
Control?
  • Simply stated, a file-infecting virus gains
    control of the computer when the user or
    operating system executes an infected program.
  • When a user executes an infected program, DOS
    loads the entire program into memory, virus and
    all, and begins executing the program at its
    entry point.
  • In infected files, the virus modifies the
    location of the entry point or the machine-code
    at the entry point so that the virus executes
    first.

114
Proliferation of File-Infecting Viruses
  • After the virus machine code begins executing, it
    can immediately seek out and infect other
    executable programs on the computer, or it can
    establish itself as a memory-resident service
    provider in the operating system.
  • As a service provider, the virus can then infect
    subsequent executable files as the operating
    system or other programs execute or access them
    for any reason.

115
Categories of File-infecting Viruses
  • File-infecting viruses are categorized as being
    either direct action or memory-resident file
    infectors.
  • The direct-action file infector
  • The memory-resident file infector

116
The Direct-Action File Infector
  • The direct-action file infector infects other
    program files located somewhere on the path, or
    on the hard drive, as soon as an infected program
    executes.

117
The Memory-Resident File Infector
  • The memory-resident file infector loads itself
    into the computers memory using a method similar
    to that used by the boot infecting viruses.
  • However, the virus must check to see whether it
    has already inserted itself in memory as a system
    service provider.
  • The user may have many infected programs, each
    which represents a different opportunity for the
    virus to load itself in memory during a computing
    session. (Boot record viruses dont concern
    themselves with this issue, as they only install
    themselves once during system bootup. The virus
    cannot inadvertently insert itself in memory as a
    service provider more than once.)

118
Multi-Partite Viruses
  • Multi-partite viruses (a.k.a. polypartite )
    infect both boot records and program files.
  • Examples
  • One_Half,
  • Emperor,
  • Anthrax,
  • Tequilla.

119
Methods to Avoid Detection
  • Avoiding bait files and other undesirable hosts.
  • Anti-virus programs
  • Bait files (small programs or programs containing
    garbage instructions).
  • Stealth
  • Virus intercept anti-viruses request to read
    infected file.
  • Self-modification
  • Encryption with a variable key
  • Polymorphic code.

120
Virus Sources
  • VX Heavens source codes and viruses database.
  • The Virus Source Code Database Virus source code
  • 29A Labs source codes and articles
  • Virus Database List of all computer virus.

121
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com