1.79k likes | 1.8k Views
The Attack and Defense of Computers Dr. 許 富 皓. Virus [ Internet Security Professional Reference ]. Virus Tutorial Computer Virus Resources Introduction of Famous Malware Virus descriptions of viruses in the wild. Virus. A sequence of code that is inserted into other programs .
E N D
The Attack and Defense of Computers Dr.許 富 皓
Virus Tutorial • Computer Virus Resources • Introduction of Famous Malware • Virus descriptions of viruses in the wild
Virus • A sequence of code that is inserted into other programs. • A virus can create a copy of itself to inserted in one or more other programs. • Virus cannot run on their own, and need to have some host program. • e.g. Melissa virus, ILOVEYOU virus.
Virus • Boot sector viruses • Master boot record viruses • File infector viruses • Multi-partite viruses • Macro viruses (infect data files)
Disk Structures • Units used in Floppy Disks and Hard Disks: • Cylinder (for HDs) • Heads • Tracks • Sectors • E.g. A 3 ½ inch high-density disk • 512 bytes/sector • 18 sectors/track • 40 tracks/side • Cluster • Disk space allocation unit • Each cluster contains one or more sectors.
Disk Sectors Magnetic Disk Sector
Boot Record of a Floppy Disk [Sedory] • The first sector of any diskette normally contains the Boot Record for some OS.
Boot Record • Boot Record: • Location: • sector 1, track 0, head 0. • Contents: • the bootstrap routine(a machine language program designed to load the operating system from other part of the disk.) • the BIOS Parameter Block (BPB), which identifies the floppy disk’s operating parameters, including the number of bytes per sector, sectors per cluster and track, and tracks per disk. • The BPB allows an operating system to understand the format of a disk.
Content of a Floppy Boot Record [Sedory] • The bytes between the two dark blue bands are called the BPB (or BIOS Parameter Block). • Most of the Boot Record is executable code; from offsets 03Eh through 19Dh. • The code is followed by one long error message and the two system filenames: IO.SYS and MSDOS.SYS. • Finally, the sector ends with the Word-sizedsignature ID (or Magic number) of AA55 hex (remember hex Words for Intel x86 CPUs are stored in memory with the Lowest-byte first and the Highest-byte last to make processing quicker).
Hard Disk Partition and Master Boot Record • A single physical hard drive can be divided into several differentpartitions. • The user can specify one of the partitions as the active partition (the one from which the user wants to boot.) • TheMaster Boot Record (MBR) is a structure stored on the first track, sector and head of the hard drive. • The MBR contains a partition table, which denotes the allocation of all sectors and their respective partitions. • Programs require the partition table on the hard disk to understand the disk’s characteristics.
Functionality of a MBR • Holding a disk's primary partition table. • Bootstrapping operating systems, after the computer's BIOS passes execution to machine code instructions contained within the MBR. • Uniquely identifying individual disk media, with a 32-bit disk signature.
Master Boot Code [DEW] • The master boot record is the small bit of computer code that the BIOS loads and executes to start the boot process. • This code, when fully executed, transfers control to the boot program stored on the boot (active) partition to load the operating system.
Load Boot Sector [Wikepedia] • On a IBMPC compatible machine the BIOS selects a boot device, then it copies the first sector from the device (which may be an MBR or any executable code), to address location 0x7C00.
Boot Sector Viruses • If a disk has a boot record virus, the virus activates when the PC attempts to boot from the floppy disk or hard disk. • Even if the PC can’t start up from an infected disk (such as when the floppy disk does not contain the proper DOS system files), it attempts to run the bootstrap routine, which is all a virus needs to activate.
Parasitical Place of Boot Sector Viruses • Most boot record viruses • install themselves in the host computer’s memory and • hook into the various system services provided by the computer’s BIOS and operating system. • They remain active in RAM while a workstation remains on. • As long as they stay in memory, they can continue to spread by infecting the floppy disks that a computer accesses.
Floppy Boot Record Viruses • Most floppy boot record viruses can infect • the hard driveMBR • the active partition boot record • the floppy disk boot record • The floppy disk serves as a carrier for the virus, allowing it to spread from one hard drive to another. • After the virus places itself on the hard drive, it can then infect other floppy disks that inevitably make their way to other machines.
When and How Floppy Boot Record Viruses Get Control? • Floppy boot record (FBR) viruses seize control of the computer during system reset. • During the bootup sequence, the BIOS on most PCs determines whether a floppy disk is present in the floppy drive from which the computer is configured to boot. • If the BIOS finds a disk in the drive, it assumes that the user wants to boot from this disk. • After it locates the disk, the BIOS • loads the floppy boot record into the computer’s memory and • executes its bootstrap program.
The Boot Sequence from an Infected Floppy Diskette Virus reserves memory. Virus copies itself to this memory Virus alters IVT to become proxy service provider Virus attempts to infect hard drive MBR or PBR. Virus activities Virus loads original non-viral and executes the bootstrap routine No SYS files Display Message Bootstrap routine checks for DOS system files Bootstrap routine loads DOS system files and execute them stop A: prompt
BIOS Data Area • All PCs contain a reserved region of memory known as the BIOS Data Area (BDA). • During the initial stages of the computer’s bootup sequence (before control transfers to the bootstrap routine) the BIOSbootup program updates the BDA with information about • the configuration and • the initial state of the computer. • DOS relies on the information stored in the BDA of memory to properly use the • peripherals and • memory attached to the computer. • Almost all FBR viruses exploit DOS’s dependence on the BDA and update its contents to install themselves into memory.
Virus Copies Itself to Reserved Memory • After the virus reserves memory for itself by updating the BDA, it moves itself into the newly reserved memory and attempts to hook into the direct disk system services.
Interrupt Vector Table • The PC contains a memory structure, known as the Interrupt Vector Table (IVT), which is like a phone book that contains addresses for each of the services that the computer might need as it operates. • The IVT contains the addresses of ROM BIOSservice programs in the computer’s memory. • When the operating system needs to request a service, it can look up the address of the corresponding service provider in the IVT phone book and determine where to send its request.
IVT Entry Example • The computer’s ROM BIOS contains disk service routines that DOS calls upon to directly read from and write to floppy disks and hard drives. • One of the IVT phone book entries contains the address of the ROMBIOSdisk service routines.
Hook into the IVT Entry for Disk Service Provider • The FBRvirus hooks into the system services by • changing the contents of this entry and • informing the computer and any subsequent operating system that it now is a proxy for the ROM BIOSdisk service provider. • All requests to read and write to disks on the computer then are sent to the virus rather than to the original ROM BIOS disk services.
After the Hook • Later, when the operating system makes a system service request, the IVT is consulted and the virus has the request sent to it. • The virus can then examine the request and, if it desires, infect the floppy disk being accessed. • After the virus performs its mischief, it can then redirect the request to the original ROM BIOS driver so that it can be properly serviced.
IVT BDA Stage 4 Top of RAM The Fully-installed Boot Virus
Hook as a System Service • Most FBRviruses attempt to install themselves as a memory-resident driver at this point in the bootup sequence. • In this way, the virus can monitor all disk service requests during the operation of the computer and infect additional floppy disks at will .
Conceptual Hierarchy of Service Providers after the System is Infected Conceptual hierarchy of service providers after memory installation by the boot record virus Application Virus Resident Service Provider
The Original FBR • To complete its work, the FBR virus must • retrieve the original FBR on the floppy disk and • initiate the original bootup sequence as if the virus were not present. • If the FBRvirus installed itself in memory, infected the hard drive, and caused bootup on the floppy disk to fail, it might quickly be detected and removed. • Most viruses maintain a copy of the original FBR in one of the sectors at the end of the floppy disk. • After the virus installs itself in memory, it loads the original FBR into memory and executes the original bootstrap routine. • The bootstrap routine then proceeds normally, completely oblivious to the presence of the virus.
Infect Non-bootable Disk • Most floppy disks contain data and don’t carry the DOS operating system files; thus, after the virus transfers control to the original bootstrap routine, it displays a message such as “Non-system disk.” At this point, the average user realizes that he or she accidentally booted from a data disk, removes the disk from the drive and reboots. • This is why most FBR viruses infect the MBR or active Partition Boot Record of the hard drive during bootup. This infection guarantees that even if the floppy disk doesn’t contain the proper operating system files, the virus can still spread to the hard drive and eventually to other disks.
When and How the FBR Virus Infects New Items? • Most FBR viruses attempt to infect disks whenever they get a chance (although some viruses are more discriminating than others). • If an infected floppy disk is in drive A:, the first opportunity presented to the FBR virus is during a system reset. • Almost all FBR viruses also attempt to infect the hard drive’s MBR or active Partition Boot Record during the floppy boot process. • The FBR virus also has an opportunity to infect after it installs itself in memory and designates itself as the proxy disk service provider. Any time thereafter when DOS or its programs attempt to access a floppy disk (or the hard drive), the operating system calls upon the virus.
Detect Infected Disk • Before a virus attempts to infect the floppy disk, it must determine whether the disk has already been infected. Most often, the virus does so by loading the target FBR into memory and comparing it to its own contents. • If the FBR virus ascertains that the target floppy disk isn’t yet infected, it proceeds with the infection process.
The Most Common Executable File Formats under Windows • The portable executable file format(PE) is the format of the binary programs (exe, dll, sys, scr) for • MSWindowsNT • Windows 95 • Win32s
Struct IMAGE_FILE_HEADER typedef struct _IMAGE_FILE_HEADER {WORD Machine;WORD NumberOfSections;DWORD TimeDateStamp;DWORD PointerToSymbolTable;DWORD NumberOfSymbols;WORD SizeOfOptionalHeader;WORD Characteristics; } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
An Example of Structure IMAGE_FILE_HEADER [Danehkar] 24 bytes 24=18h
Struct IMAGE_OPTIONAL_HEADER Struct IMAGE_OPTIONAL_HEADER {WORD Magic;BYTE MajorLinkerVersion;BYTE MinorLinkerVersion;DWORD SizeOfCode;DWORD SizeOfInitializedData;DWORD SizeOfUninitializedData;DWORD AddressOfEntryPoint;DWORD BaseOfCode;DWORD BaseOfData;DWORD ImageBase;DWORD SectionAlignment;DWORD FileAlignment;WORD MajorOperatingSystemVersion;WORD MinorOperatingSystemVersion;WORD MajorImageVersion;WORD MinorImageVersion;WORD MajorSubsystemVersion;WORD MinorSubsystemVersion;DWORD Win32VersionValue;DWORD SizeOfImage;DWORD SizeOfHeaders;DWORD CheckSum;WORD Subsystem;WORD DllCharacteristics;DWORD SizeOfStackReserve;DWORD SizeOfStackCommit;DWORD SizeOfHeapReserve;DWORD SizeOfHeapCommit;DWORD LoaderFlags;DWORD NumberOfRvaAndSizes;IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; };
Some Fields of Struct IMAGE_OPTIONAL_HEADER (1) • AddressOfEntryPoint • A pointer to the entry point function, relative to the image base address. • For executable files, this is the starting address. • For device drivers, this is the address of the initialization function. • The entry point function is optional for DLLs. When no entry point is present, this member is zero. • ImageBase • The preferred address of the first byte of the image when it is loaded in memory. • This value is a multiple of 64K bytes. • The default value for DLLs is 0x10000000. • The default value for applications is 0x00400000, except on Windows CE where it is 0x00010000.
Some Fields of Struct IMAGE_OPTIONAL_HEADER(2) • SectionAlignment • The alignment of sections loaded in memory, in bytes. • This value must be greater than or equal to the FileAlignment member. • The default value is the page size for the system. • FileAlignment • The alignment of the raw data of sections in the image file, in bytes. • The value should be a power of 2 between 512 and 64K (inclusive). • The default is 512. • If the SectionAlignment member is less than the system page size, this member must be the same as SectionAlignment. • SizeOfImage • The size of the image, in bytes, including all headers. Must be a multiple of SectionAlignment.