Virus Infection Strategies - PowerPoint PPT Presentation

About This Presentation
Title:

Virus Infection Strategies

Description:

MBR contains processor-specific code to locate the active boot partition from ... The MBR, on the other hand, has general-purpose code not specific to any OS. ... – PowerPoint PPT presentation

Slides: 23
Provided by: drhildas

Transcript and Presenter's Notes


1
Virus Infection Strategies
2
Boot Sector Viruses
  • The first successful viruses were boot sector
    viruses such as the Brain virus on the IBM PC.
  • Typically, PCs boot (load the operating system)
    from the hard drive. Earlier machines booted
    from a diskette (floppy disk), which allowed a
    virus on the diskette to load before the OS.

3
  • The ROM BIOS reads the first sector of the
    selected boot device into memory and then
    executes the loaded code.
  • On hard disks the medium is addressed by
    cylinder (track), head, and sector (CHS).
  • The Master Boot Record (MBR) is located at
    cylinder 0, head 0, sector 1: the first sector
    on the hard disk (LBA 0).

4
  • The MBR contains processor-specific code that
    locates the active boot partition from the
    partition table (PT) entries.
  • The PT is stored in the data area of the MBR:
    four 16-byte entries at offset 0x1BE, followed
    by the 0x55AA boot signature in the last two
    bytes of the sector.

5
  • Each PT entry describes a single partition:
  • A flag indicating whether the partition is
    bootable (active)
  • A type byte identifying the file system or use
  • CHS addresses of the first and last sectors of
    the partition
  • Offset of the first sector of the partition from
    the beginning of the disk, in sectors (the LBA
    start)
  • The size of the partition in sectors
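The partition table layout described above, parsed by a small Python routine. This is an added example, not code from the presentation: the MBR it parses is a constructed sample (placeholder boot code and two made-up partition entries), and the offsets it relies on (entries at 0x1BE, 16 bytes each, 0x55AA at 0x1FE) are the standard MBR layout. `active_partition` performs the bootstrap loader's check that exactly one entry carries the 0x80 flag.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 0x1BE            # partition table: 4 x 16-byte entries in the MBR data area
PT_ENTRY_SIZE = 16
PT_ENTRIES = 4
MBR_SIGNATURE = b"\x55\xAA"  # last two bytes of the sector


def decode_chs(raw):
    """Decode the packed 3-byte CHS field of a partition entry.

    byte 0: head; byte 1: bits 0-5 sector, bits 6-7 high bits of the
    cylinder; byte 2: low 8 bits of the cylinder.
    """
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_partition_table(mbr):
    """Return the used partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[SECTOR_SIZE - 2:] != MBR_SIGNATURE:
        raise ValueError("0x55AA boot signature missing")
    entries = []
    for slot in range(PT_ENTRIES):
        off = PT_OFFSET + slot * PT_ENTRY_SIZE
        raw = mbr[off:off + PT_ENTRY_SIZE]
        boot_flag = raw[0]
        ptype = raw[4]
        lba_start, size = struct.unpack_from("<II", raw, 8)
        if ptype == 0x00:
            continue                          # empty slot
        if boot_flag not in (0x00, 0x80):
            raise ValueError(f"slot {slot}: invalid boot flag 0x{boot_flag:02x}")
        entries.append({
            "slot": slot,
            "bootable": boot_flag == 0x80,
            "type": ptype,
            "chs_start": decode_chs(raw[1:4]),
            "chs_end": decode_chs(raw[5:8]),
            "lba_start": lba_start,
            "size_sectors": size,
        })
    return entries


def active_partition(entries):
    """The bootstrap loader's job: exactly one entry must carry the 0x80 flag."""
    active = [e for e in entries if e["bootable"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def _entry(boot_flag, chs_start, ptype, chs_end, lba_start, size):
    return (bytes([boot_flag]) + chs_start + bytes([ptype]) + chs_end
            + struct.pack("<II", lba_start, size))


def build_sample_mbr():
    """Constructed sample MBR (not a dump of a real disk): placeholder boot
    code, an active type-0x07 partition starting at LBA 63 and a second,
    non-bootable type-0x83 partition. FE FF FF is the conventional
    'beyond CHS range' marker (cylinder 1023, head 254, sector 63)."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xEB\xFE\x90"   # jmp $ ; nop -- stands in for real boot code
    mbr[PT_OFFSET:PT_OFFSET + 2 * PT_ENTRY_SIZE] = (
        _entry(0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2_097_152)
        + _entry(0x00, b"\xFE\xFF\xFF", 0x83, b"\xFE\xFF\xFF", 2_097_215, 4_194_304)
    )
    mbr[SECTOR_SIZE - 2:] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    table = parse_partition_table(build_sample_mbr())
    for entry in table:
        print(entry)
    print("boot from:", active_partition(table))
```

Note that the parser only trusts the fields it has to: a type byte of zero marks an unused slot, and any boot flag other than 0x00 or 0x80 is rejected rather than silently treated as "not active".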

6
  • The loader, a very small piece of code called the
    bootstrap loader, locates the active partition
    and loads its first logical sector as the boot
    sector.
  • The boot sector contains code specific to the
    operating system. The MBR, on the other hand,
    holds general-purpose code not specific to any OS.

7
  • This means the IBM PC architecture can support
    more than one partition with different kinds of
    file systems and operating systems. It also
    makes the job of a computer virus easier.
  • The MBR code can easily be replaced with virus
    code that stays resident in memory and then
    loads the original MBR after itself, so the
    system still boots normally.

8
  • In first-generation PCs, the boot process was
    designed to check for a diskette in the drive
    and, if one was found, to boot from it. Boot
    viruses spread on diskettes and took advantage
    of this design vulnerability.

9
  • Boot sector viruses are not so much of a problem
    anymore, but...
  • A malware report for the first quarter of 2008
    made a surprising prediction: we may see a rise
    in boot sector viruses. Boot sector viruses
    loaded with rootkits are poised to make a
    comeback. These viruses have a simple method of
    operation.

10
  • Continued
  • The virus copies itself into the Master Boot
    Record (MBR) of the hard drive and writes the
    original MBR contents to a different sector of
    the drive, from which it loads them after it has
    installed itself.

11
  • The problem for boot viruses is that their attack
    vector is fairly well guarded. Almost any
    anti-virus program will detect a suspicious
    attempt to modify the MBR and will raise an alert.
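The infection pattern from slides 7 and 10 (virus code in sector 0, original MBR stashed in another sector, partition table left intact) and the anti-virus check from slide 11, simulated on a byte-array disk image. This is an added example, not part of the presentation: the 64-sector image, the placeholder "virus" and "clean" boot code bytes, and the choice of sector 62 (in the unpartitioned gap before a first partition at LBA 63) as the stash location are all constructed for the demonstration. Detection compares only the code area against a baseline hash taken while the machine was clean; the recovery heuristic then looks for a sector that carries the same partition table but different boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE = slice(0x000, 0x1BE)   # bootstrap code area (what a boot virus replaces)
TABLE = slice(0x1BE, 0x200)  # partition table + 0x55AA (what it has to keep intact)


def mbr_regions_differ(current, baseline):
    """Which parts of the first sector changed relative to a known-good copy."""
    return {
        "boot_code": bytes(current[CODE]) != bytes(baseline[CODE]),
        "partition_table": bytes(current[TABLE]) != bytes(baseline[TABLE]),
    }


def boot_code_digest(mbr):
    """Baseline taken at install time: hash only the code area, so a
    legitimate repartitioning does not raise an alarm but replaced boot
    code does."""
    return hashlib.sha256(bytes(mbr[CODE])).hexdigest()


def find_relocated_mbr(image):
    """Heuristic: look for a sector that carries the same partition table
    and signature as sector 0 but different, non-empty boot code, i.e. a
    plausible copy of the original MBR that a boot virus stashed elsewhere.
    Returns the sector number or None."""
    mbr0 = image[0:SECTOR_SIZE]
    for n in range(1, len(image) // SECTOR_SIZE):
        sec = image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]
        if bytes(sec[0x1FE:0x200]) != b"\x55\xAA":
            continue
        if bytes(sec[TABLE]) != bytes(mbr0[TABLE]):
            continue
        if bytes(sec[CODE]) == bytes(mbr0[CODE]):
            continue                   # identical copy, nothing to recover from it
        if not any(sec[CODE]):
            continue                   # empty code area: a bare table, not a boot sector
        return n
    return None


def restore_mbr(image, sector):
    """Return a copy of the image with sector 0 replaced by the given sector."""
    fixed = bytearray(image)
    fixed[0:SECTOR_SIZE] = image[sector * SECTOR_SIZE:(sector + 1) * SECTOR_SIZE]
    return fixed


def build_sample_images():
    """Constructed 64-sector disk image (not a real dump). Sector 0 holds
    stand-in 'virus' boot code; the original MBR was copied to sector 62,
    in the gap before the first partition at LBA 63. Returns the image and
    the clean MBR a baseline would have been taken from."""
    table = (bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
             + struct.pack("<II", 63, 2_097_152) + bytes(48) + b"\x55\xAA")
    clean_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (0x1BE - 7)  # placeholder
    virus_code = b"\xFA\xEB\xFE" + b"\xCC" * (0x1BE - 3)                  # placeholder
    clean_mbr = clean_code + table
    image = bytearray(64 * SECTOR_SIZE)
    image[0:SECTOR_SIZE] = virus_code + table
    image[62 * SECTOR_SIZE:63 * SECTOR_SIZE] = clean_mbr
    return image, clean_mbr


if __name__ == "__main__":
    image, clean_mbr = build_sample_images()
    baseline = boot_code_digest(clean_mbr)
    print("changed regions:", mbr_regions_differ(image[:SECTOR_SIZE], clean_mbr))
    print("baseline match:", boot_code_digest(image[:SECTOR_SIZE]) == baseline)
    print("relocated original at sector:", find_relocated_mbr(image))
```

The heuristic on its own is only a hint: a legitimate backup copy of the MBR written by a disk tool matches it just as well, so the decision to restore should be driven by the baseline mismatch, and the candidate sector checked (for example, against the baseline digest) before it is written back to sector 0.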

12
  • What is Windows Vista doing about this?
  • It recommends that you run as a standard user,
    even though the OS doesn't require it.
  • Even when running as an administrator, a virus
    can't get away with this type of modification
    unnoticed: UAC would pick up and flag any attempt
    to overwrite the MBR, since the raw disk write
    needs elevation.
  • Even if none of these barriers existed, the
    BIOS boot sector write protection (where the BIOS
    offers it and it is enabled) exists precisely to
    prevent this type of attack.

13
File Infection Techniques
  • A. Overwriting viruses
  • The virus locates another file on the disk and
    overwrites it with a copy of itself.
  • The end result may be, and usually is, of a
    different size than the original file.
  • Overwriting viruses cannot be disinfected: the
    original contents are gone. Infected files must
    be deleted from the disk and restored from backup.
  • Not very successful threats, because their side
    effects (the host program no longer works) are
    easy to notice.

14
  • The technique has better potential when combined
    with network-based propagation. The
    VBS/LoveLetter.A@mm virus mass-mails itself to
    other systems. When executed, it overwrites any
    local files with the extensions .vbs, .vbe, .js,
    .jse, .css, .wsh, .sct, .hta, .jpg, .jpeg, .wav,
    .txt, .mp2
  • In the early 1990s, a contest among virus
    authors challenged them to write the smallest
    virus. The results became known as the Trivial
    family of related viruses.

15
  • The algorithm was basically this:
  • Search for any (.) new host file in the
    current directory
  • Open the file for writing
  • Write the virus code over the top of the host
    program

16
  • Some of the viruses in this family are as small
    as 22 bytes.
  • Designing to minimize the size of the virus makes
    it less able to adjust to a variety of
    environments.
  • Because of this, viruses in this family
    frequently cause fatal errors when the code is
    executed on the wrong platform, which may not
    have registers initialized the way the virus
    expected and required (Blue Screen of Death).

17
  • B. Random overwriting viruses
  • A rare variation of the overwriting method in
    which the virus does not change the code at the
    top of the host file. Instead, it selects a
    random location in the host program and
    overwrites that part with itself.
  • There are consequences: the host program's
    execution may never reach the virus code (if it
    was placed in a rarely executed part of the
    host), and the host program may crash before the
    virus can do its damage.

18
  • An example of this type of virus is the Russian
    virus Omud.
  • Modern antivirus scanners are optimized to look
    for viruses at a few well-known locations in the
    files they infect, which reduces disk I/O. Random
    overwriting viruses, whose code can sit anywhere
    in the file, are therefore harder for such
    scanners to find.

19
  • Appending viruses
  • The virus is appended to the end of the host
    file.
  • A jmp instruction is inserted at the front of the
    file. The target of the jmp is the end of the
    original host, where the virus body now sits.
  • When the infected program is executed, the
    virus is loaded into memory along with the
    infected host.
  • The jmp instruction directs control to the virus
    body. The virus replicates by locating a new host
    on the disk. Finally, the virus repairs the
    program image in memory by copying the bytes it
    overwrote (saved in the virus body) back to their
    original location, and the original program runs.

20
  • Prepending viruses
  • The virus code is inserted at the front of the
    host program.
  • Often written in C or another high-level
    language.
  • A generic approach creates a new temporary file
    on the disk to hold the original program, which
    the virus then executes.

21
  • Classic parasitic viruses
  • These viruses overwrite the top of the host with
    their own code and save the original top of the
    host program (usually a virus-sized chunk) at the
    very end of the file.
  • Problem when an infected file is repaired:
  • The repair copies N bytes to the front of the
    file, calculating backward from the end of the
    infected program, and then truncates the file.
    The problem occurs when the file has been
    infected multiple times: the chunk at the end is
    then the previous infection's virus body rather
    than the original code, so a single repair pass
    leaves the file infected.
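The repair problem from the bullets above, worked through on bytes in memory. This is an added example, not from the presentation: `VIRUS` is a constructed stand-in for the virus body (only its length matters), and `infect_classic_parasitic` is a simulation on byte strings, not an infector. `repair_once` is the naive repair the text describes; `repair` repeats it until the signature is gone, which is what a disinfector needs for multiply-infected files. The same restore-the-overwritten-bytes idea applies to the appending viruses described earlier.

```python
VIRUS = b"VIRUS-BODY-"   # constructed stand-in for the virus code
V = len(VIRUS)


def infect_classic_parasitic(host):
    """Simulated infection: the top V bytes of the host are moved to the
    very end of the file and the virus body is written over the top."""
    if len(host) < V:
        raise ValueError("host smaller than the virus body")
    return VIRUS + host[V:] + host[:V]


def repair_once(data):
    """The naive repair from the text: copy the last V bytes to the front
    of the file, then truncate the file by V bytes."""
    if len(data) < 2 * V:
        raise ValueError("file too short to be a parasitic infection")
    return data[-V:] + data[V:-V]


def repair(data, max_passes=16):
    """Repair until the file no longer starts with the virus signature.
    A file infected k times needs k passes; a single pass only peels off
    the newest layer and leaves the previous infection in place.
    Returns (repaired bytes, number of passes)."""
    passes = 0
    while data.startswith(VIRUS):
        if passes == max_passes:
            raise RuntimeError("giving up: too many nested infections or a corrupt file")
        data = repair_once(data)
        passes += 1
    return data, passes


if __name__ == "__main__":
    host = b"MZ" + bytes(range(64))          # constructed stand-in for a program
    twice = infect_classic_parasitic(infect_classic_parasitic(host))
    print("one naive pass restores the host:", repair_once(twice) == host)
    fixed, passes = repair(twice)
    print("full repair restores the host:", fixed == host, "after", passes, "passes")
```

The loop is bounded on purpose: a file that genuinely starts with the signature bytes but was never infected this way would otherwise be trimmed forever, and in practice the disinfector should also check that the recovered front matches what the file format expects before it writes anything back.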

22
  • Cavity viruses
  • Cavity infectors typically overwrite areas of
    binary files that contain only zeros or spaces,
    space the host doesn't use (alignment padding,
    for example). This eliminates having to store and
    restore the original host code, and the file size
    does not change.
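The cavities a cavity infector looks for, and the matching check a scanner can make, as an added example in Python (not from the presentation). The "binary" is a constructed stand-in with 512-byte section alignment (an assumption made for the sample), not a real PE or ELF file; `find_cavities` lists runs of NUL or space bytes at least as long as a given virus body, and `cavities_overwritten` reports baseline padding that no longer contains only its fill byte.

```python
SECTION_ALIGN = 512   # assumed alignment for the sample: sections padded to 512 bytes


def find_cavities(data, min_size, fill_bytes=(0x00, 0x20)):
    """Return (offset, length, fill_byte) for every run of a single fill
    byte (NUL or space) of at least min_size bytes: the space a cavity
    infector of that size could use without growing the file."""
    cavities = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b in fill_bytes:
            j = i
            while j < n and data[j] == b:
                j += 1
            if j - i >= min_size:
                cavities.append((i, j - i, b))
            i = j
        else:
            i += 1
    return cavities


def cavities_overwritten(data, baseline_cavities):
    """Detection side: report baseline cavities that no longer hold only
    their fill byte, i.e. padding where something has been written."""
    return [c for c in baseline_cavities
            if bytes(data[c[0]:c[0] + c[1]]) != bytes([c[2]]) * c[1]]


def _padded(section):
    pad = (-len(section)) % SECTION_ALIGN
    return section + bytes(pad)


def build_sample_binary():
    """Constructed stand-in for a small executable (not a real PE/ELF):
    three 512-byte-aligned sections, so alignment padding and a
    space-padded string create the cavities."""
    code = b"\x55\x8B\xEC" + bytes(range(1, 200))    # 202 bytes -> 310 NUL bytes of padding
    data = bytes(range(1, 256)) * 2                   # 510 bytes -> only 2 bytes of padding
    strings = b"Copyright" + b" " * 100 + b"\x01"      # 110 bytes -> 402 NUL bytes of padding
    return _padded(code) + _padded(data) + _padded(strings)


if __name__ == "__main__":
    sample = build_sample_binary()
    baseline = find_cavities(sample, 64)     # 64 = assumed size of the virus body
    print("cavities large enough for a 64-byte body:", baseline)
    tampered = bytearray(sample)
    tampered[250:262] = b"\xCC" * 12          # something written into the first cavity
    print("padding that changed:", cavities_overwritten(tampered, baseline))
```

Treat `min_size` as the size of the body you are worried about: the list shrinks quickly as it grows, which is the practical limit of the technique and the reason cavity infectors stay small.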