Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Virus [Internet Security Professional Reference ]Internet Security Professional Reference.

Similar presentations

Presentation on theme: "1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Virus [Internet Security Professional Reference ]Internet Security Professional Reference."— Presentation transcript:

1 1 The Attack and Defense of Computers Dr. 許 富 皓

2 2 Virus [Internet Security Professional Reference ]Internet Security Professional Reference

3 3 Virus Tutorial Computer Virus Resources Introduction of Famous Malware Virus descriptions of viruses in the wild

4 4 Virus A sequence of code that is inserted into other programs. A virus can create a copy of itself to inserted in one or more other programs. Virus cannot run on their own, and need to have some host program. e.g. Melissa virus, ILOVEYOU virus.

5 5 Virus Boot sector viruses Master boot record viruses File infector viruses Multi-partite viruses Macro viruses (infect data files)

6 6 Floppy Disks & Hard Disks

7 7 Disk Structures Units used in Floppy Disks and Hard Disks:  Cylinder (for HDs)  Heads  Tracks  Sectors E.g. A 3 ½ inch high-density disk  512 bytes/sector  18 sectors/track  40 tracks/side  Cluster Disk space allocation unit Each cluster contains one or more sectors.

8 8 Floppy Disk Structure

9 9 Disk Sectors Sector Magnetic Disk

10 10 Hard Disk Structure

11 11 Boot Record of a Floppy Disk [Sedory]Sedory The first sector of any diskette normally contains the Boot Record for some OS.

12 12 Boot Record Boot Record:  Location: sector 1, track 0, head 0.  Contents: the bootstrap routine (a machine language program designed to load the operating system from other part of the disk.) the BIOS Parameter Block (BPB), which identifies the floppy disk’s operating parameters, including the number of bytes per sector, sectors per cluster and track, and tracks per disk.  The BPB allows an operating system to understand the format of a disk.

13 13 Content of a Floppy Boot Record [Sedory]Sedory The bytes between the two dark blue bands are called the BPB (or BIOS Parameter Block). Most of the Boot Record is executable code; from offsets 03Eh through 19Dh. The code is followed by one long error message and the two system filenames: IO.SYS and MSDOS.SYS. Finally, the sector ends with the Word-sized signature ID (or Magic number) of AA55 hex (remember hex Words for Intel x86 CPUs are stored in memory with the Lowest-byte first and the Highest-byte last to make processing quicker).

14 14 Hard Disk Partition and Master Boot Record A single physical hard drive can be divided into several different partitions. The user can specify one of the partitions as the active partition (the one from which the user wants to boot.) The Master Boot Record (MBR) is a structure stored on the first track, sector and head of the hard drive. The MBR contains a partition table, which denotes the allocation of all sectors and their respective partitions. Programs require the partition table on the hard disk to understand the disk’s characteristics.

15 15 Structure of a Master Boot Record [Wikipedia]Wikipedia

16 16 Functionality of a MBR Holding a disk's primary partition table. Bootstrapping operating systems, after the computer's BIOS passes execution to machine code instructions contained within the MBR. Uniquely identifying individual disk media, with a 32-bit disk signature.

17 17 Master Boot Code [DEW]DEW The master boot record is the small bit of computer code that the BIOS loads and executes to start the boot process. This code, when fully executed, transfers control to the boot program stored on the boot (active) partition to load the operating system.

18 18 Load Boot Sector [Wikepedia]Wikepedia On a IBM PC compatible machine the BIOS selects a boot device, then it copies the first sector from the device (which may be an MBR or any executable code), to address location 0x7C00.

19 19 Boot Sector Viruses

20 20 Boot Sector Viruses If a disk has a boot record virus, the virus activates when the PC attempts to boot from the floppy disk or hard disk.  Even if the PC can’t start up from an infected disk (such as when the floppy disk does not contain the proper DOS system files), it attempts to run the bootstrap routine, which is all a virus needs to activate.

21 21 Parasitical Place of Boot Sector Viruses Most boot record viruses  install themselves in the host computer’s memory and  hook into the various system services provided by the computer’s BIOS and operating system. They remain active in RAM while a workstation remains on. As long as they stay in memory, they can continue to spread by infecting the floppy disks that a computer accesses.

22 22 Floppy Boot Record Viruses

23 23 Floppy Boot Record Viruses Most floppy boot record viruses can infect  the hard drive MBR  the active partition boot record  the floppy disk boot record The floppy disk serves as a carrier for the virus, allowing it to spread from one hard drive to another. After the virus places itself on the hard drive, it can then infect other floppy disks that inevitably make their way to other machines.

24 24 When and How Floppy Boot Record Viruses Get Control? Floppy boot record (FBR) viruses seize control of the computer during system reset. During the bootup sequence, the BIOS on most PCs determines whether a floppy disk is present in the floppy drive from which the computer is configured to boot.  If the BIOS finds a disk in the drive, it assumes that the user wants to boot from this disk.  After it locates the disk, the BIOS loads the floppy boot record into the computer’s memory and executes its bootstrap program.

25 25 The Boot Sequence from an Infected Floppy Diskette Virus reserves memory. Virus copies itself to this memory Virus alters IVT to become proxy service provider Virus attempts to infect hard drive MBR or PBR. Virus loads original non-viral and executes the bootstrap routine Bootstrap routine checks for DOS system files Display Message stop No SYS files Bootstrap routine loads DOS system files and execute them A: prompt Virus activities

26 26 BIOS Data Area All PCs contain a reserved region of memory known as the BIOS Data Area (BDA). During the initial stages of the computer’s bootup sequence (before control transfers to the bootstrap routine ) the BIOS bootup program updates the BDA with information about  the configuration and  the initial state of the computer. DOS relies on the information stored in the BDA of memory to properly use the  peripherals and  memory attached to the computer. Almost all FBR viruses exploit DOS’s dependence on the BDA and update its contents to install themselves into memory.

27 27 Viruses Reserve Memory – Stage 1

28 28 Viruses Reserve Memory – Stage 2

29 29 Virus Copies Itself to Reserved Memory After the virus reserves memory for itself by updating the BDA, it moves itself into the newly reserved memory and attempts to hook into the direct disk system services.

30 30 Interrupt Vector Table The PC contains a memory structure, known as the Interrupt Vector Table (IVT), which is like a phone book that contains addresses for each of the services that the computer might need as it operates.  The IVT contains the addresses of ROM BIOS service programs in the computer’s memory.  When the operating system needs to request a service, it can look up the address of the corresponding service provider in the IVT phone book and determine where to send its request.

31 31 IVT Entry Example The computer’s ROM BIOS contains disk service routines that DOS calls upon to directly read from and write to floppy disks and hard drives. One of the IVT phone book entries contains the address of the ROM BIOS disk service routines.

32 32 Hook into the IVT Entry for Disk Service Provider The FBR virus hooks into the system services by  changing the contents of this entry and  informing the computer and any subsequent operating system that it now is a proxy for the ROM BIOS disk service provider. All requests to read and write to disks on the computer then are sent to the virus rather than to the original ROM BIOS disk services.

33 33 After the Hook Later, when the operating system makes a system service request, the IVT is consulted and the virus has the request sent to it. The virus can then examine the request and, if it desires, infect the floppy disk being accessed. After the virus performs its mischief, it can then redirect the request to the original ROM BIOS driver so that it can be properly serviced.

34 34 The Fully-installed Boot Virus Top of RAM IVT BDA Stage 4

35 35 Hook as a System Service Most FBR viruses attempt to install themselves as a memory-resident driver at this point in the bootup sequence. In this way, the virus can monitor all disk service requests during the operation of the computer and infect additional floppy disks at will.

36 36 Conceptual Hierarchy of Service Providers after the System is Infected Virus Resident Service Provider Conceptual hierarchy of service providers after memory installation by the boot record virus Application

37 37 The Original FBR To complete its work, the FBR virus must  retrieve the original FBR on the floppy disk and  initiate the original bootup sequence as if the virus were not present. If the FBR virus installed itself in memory, infected the hard drive, and caused bootup on the floppy disk to fail, it might quickly be detected and removed. Most viruses maintain a copy of the original FBR in one of the sectors at the end of the floppy disk. After the virus installs itself in memory, it loads the original FBR into memory and executes the original bootstrap routine. The bootstrap routine then proceeds normally, completely oblivious to the presence of the virus.

38 38 Infect Non-bootable Disk Most floppy disks contain data and don’t carry the DOS operating system files; thus, after the virus transfers control to the original bootstrap routine, it displays a message such as “Non-system disk.” At this point, the average user realizes that he or she accidentally booted from a data disk, removes the disk from the drive and reboots. This is why most FBR viruses infect the MBR or active Partition Boot Record of the hard drive during bootup. This infection guarantees that even if the floppy disk doesn’t contain the proper operating system files, the virus can still spread to the hard drive and eventually to other disks.

39 39 When and How the FBR Virus Infects New Items? Most FBR viruses attempt to infect disks whenever they get a chance (although some viruses are more discriminating than others).  If an infected floppy disk is in drive A:, the first opportunity presented to the FBR virus is during a system reset. Almost all FBR viruses also attempt to infect the hard drive’s MBR or active Partition Boot Record during the floppy boot process. The FBR virus also has an opportunity to infect after it installs itself in memory and designates itself as the proxy disk service provider. Any time thereafter when DOS or its programs attempt to access a floppy disk (or the hard drive), the operating system calls upon the virus.

40 40 Detect Infected Disk Before a virus attempts to infect the floppy disk, it must determine whether the disk has already been infected. Most often, the virus does so by loading the target FBR into memory and comparing it to its own contents.  If the FBR virus ascertains that the target floppy disk isn’t yet infected, it proceeds with the infection process.

41 41 WIN32 PE Infection [Qozah][Rozinov]QozahRozinov

42 42 The Most Common Executable File Formats under Windows The portable executable file format (PE) is the format of the binary programs ( exe, dll, sys, scr ) for  MS Windows NT  Windows 95  Win32s

43 43 Components of a PE File

44 44 PE File Format for Executable Files [MSDN]MSDN

45 45 PE File Format [uglyhunK ]uglyhunK

46 46 Struct IMAGE_FILE_HEADERIMAGE_FILE_HEADER typedef struct _IMAGE_FILE_HEADER { WORD Machine; WORD NumberOfSections; DWORD TimeDateStamp; DWORD PointerToSymbolTable; DWORD NumberOfSymbols; WORD SizeOfOptionalHeader; WORD Characteristics; } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

47 47 An Example of Structure IMAGE_FILE_HEADER [Danehkar]Danehkar 24 bytes 24=18h

48 48 Struct IMAGE_OPTIONAL_HEADER IMAGE_OPTIONAL_HEADER Struct IMAGE_OPTIONAL_HEADER { WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; DWORD ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; DWORD SizeOfStackReserve; DWORD SizeOfStackCommit; DWORD SizeOfHeapReserve; DWORD SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; };

49 49 Some Fields of Struct IMAGE_OPTIONAL_HEADER (1) AddressOfEntryPoint  A pointer to the entry point function, relative to the image base address. For executable files, this is the starting address. For device drivers, this is the address of the initialization function. The entry point function is optional for DLLs. When no entry point is present, this member is zero. ImageBase  The preferred address of the first byte of the image when it is loaded in memory.  This value is a multiple of 64K bytes.  The default value for DLLs is 0x10000000.  The default value for applications is 0x00400000, except on Windows CE where it is 0x00010000.

50 50 SectionAlignment  The alignment of sections loaded in memory, in bytes.  This value must be greater than or equal to the FileAlignment member.  The default value is the page size for the system. FileAlignment  The alignment of the raw data of sections in the image file, in bytes.  The value should be a power of 2 between 512 and 64K (inclusive).  The default is 512.  If the SectionAlignment member is less than the system page size, this member must be the same as SectionAlignment. SizeOfImage  The size of the image, in bytes, including all headers. Must be a multiple of SectionAlignment. Some Fields of Struct IMAGE_OPTIONAL_HEADER (2)

51 51 An Example of Structure IMAGE_OPTIONAL_HEADER [Danehkar]Danehkar 16 bytes 16=10h

52 52 struct IMAGE_SECTION_HEADER IMAGE_SECTION_HEADER typedef struct _IMAGE_SECTION_HEADER { BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { DWORD PhysicalAddress; DWORD VirtualSize; } Misc; DWORD VirtualAddress; DWORD SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations; DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD NumberOfLinenumbers; DWORD Characteristics; } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

53 53 Some Fields of struct IMAGE_SECTION_HEADER (1) VirtualSize  The total size of the section when loaded into memory, in bytes.  If this value is greater than the SizeOfRawData member, the section is filled with zeroes.  This field is valid only for executable images and should be set to 0 for object files. VirtualAddress  The address of the first byte of the section when loaded into memory, relative to the image base.  For object files, this is the address of the first byte before relocation is applied. SizeOfRawData  The size of the initialized data on disk, in bytes.  This value must be a multiple of the FileAlignment member of the IMAGE_OPTIONAL_HEADER structure.  If this value is less than the VirtualSize member, the remainder of the section is filled with zeroes.  If the section contains only uninitialized data, the member is zero.

54 54 Some Fields of struct IMAGE_SECTION_HEADER (2) PointerToRawData  A file pointer to the first page within the COFF file.  This value must be a multiple of the FileAlignment member of the IMAGE_OPTIONAL_HEADER structure.  If a section contains only uninitialized data, this member is zero. Characteristics  The characteristics of the image. IMAGE_SCN_CNT_CODE 0x00000020 The section contains executable code. IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 The section contains initialized data. IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 The section contains uninitialized data.

55 55 Example [Matt Pietrek]Matt Pietrek The following code shows a snippet of PEDUMP output for the.text section of the Windows XP KERNEL32.DLL. Section Table 01.text VirtSize: 00074658 VirtAddr: 00001000 raw data offs: 00000400 raw data size: 00074800 VirtSize: 000028CA VirtAddr: 00076000 raw data offs: 00074C00 raw data size: 00002400 The.text section is at offset 0x400 in the PE file and will be 0x1000 bytes above the load address of KERNEL32 in memory. Likewise, section is at file offset 0x74C00 and will be 0x76000 bytes above KERNEL32 's load address in memory.

56 56 An Example of Structure IMAGE_SECTION_HEADER [Danehkar]Danehkar

57 57 Inject Virus

58 58 Change Size-Related Fields Step 1: Find section header i which has the largest PointerToRawData value among all the section headers. In other words, its corresponding section is the last section in this file. 40 bytes 40=28h Step 2: Added to the size of the virus. Step 3: according to the value of FileAlignment in structure IMAGE_OPTIONAL_HEADER, round VirtualSize. Then save the result to this field.

59 59 Set the Entry Point Value and the New File Size 40 bytes 40=28h 16 bytes 16=10h Step 4: VirtualAddress + old value of VirtualSize. Then save the result to AddressOfEntryPoint Step 5: Add (new SizeOfRawData – old SizeOfRawData )

60 60 Set the New Access Right 40 bytes 40=28h Step 6: make it executable, code and writable, so we have to OR it with 0x00000020 (code), 0x20000000 ( executable ) and 0x80000000 ( writable ). Step 7: append the virus to this file.

61 61 COM, EXE, and SYS Infection

62 62 The Most Common Executable File Formats under DOS The most common executable file formats used under DOS are COM, EXE, and SYS. COM and EXE files are used for standard DOS programs. SYS files are used for system device drivers. Although viruses have targeted each of these file formats, to date, reports of SYS file infections have been rare.

63 63 Entry Points of DOS Program Files A program file consists of  data and  machine language instructions interpreted directly by the computer’s CPU. DOS program files contain one or two entry points, which are the locations in the program of the first instruction for the CPU to execute. All COM and EXE files have a single entry point. SYS files have two entry points.

64 64 Entry Points of DOS Program Files The CPU’s interpretation of a program’s instruction must always start with the instruction at the entry point. This makes the entry point an area that viruses can modify and thereby gain control of the computer. After the virus completes its dirty work, it can then transfer control to the original program.

65 65 COM Files The COM executable file has the simplest DOS program file format. The COM file’s simplicity makes it a major target for file infecting viruses. The contents of the COM file are loaded directly into memory and executed without modification. The operating system transfers control to the first instruction in the memory image of the file. This first instruction is the COM file’s single entry point. COM files have an upper size limit of approximately 64 KB

66 66 How a COM File Is Loaded into RAM and Executed

67 67 EXE Files – Component Sections The EXE executable file format is somewhat more complex than the COM file format. The EXE file consists of two primary sections.  The first section is a header that tells DOS how to load the program.  The second section of the EXE file, known as the program load image, contains the actual memory image of the program and its data.

68 68 EXE Files – the Header Section The header includes two fields that identify the location of the EXE file’s single entry point in the program:  the Code Segment (CS) and  the Instruction Pointer (IP). The header also includes two size fields that specify the actual size of the executable program. When a virus infects an EXE file, it must increase the value in the size fields to equal the total of the executable program file size and the virus program size.  For instance, when a virus that is 2 KB in size appends itself to a 10 KB file, it increases the value in these fields to 12 KB.

69 69 How an EXE File Is Loaded into RAM and Executed overlay data

70 70 SYS Files The SYS executable file format differs from both the COM and EXE file formats in that SYS files have two entry points. SYS format files are used primarily for device drivers. Like COM files, all SYS files must be 64 KB or less in size. The SYS file is composed of three major sections.  The first portion of the SYS file contains the device header. Like the header of an EXE file, the device header contains entry point information and other fields.  The second and third sections of the SYS file contain the two device driver modules, which contain all the machine language code in the program.

71 71 How a SYS File Is Loaded into RAM

72 72 Program Files and Viruses Program files are often targeted by viruses for two primary reasons.  Because each of the executable file types has a simple format, file viruses can piggyback themselves to program files with relative ease.  Executable file types also are common targets for infection because of the frequency of their use. If a virus can infect an executable file, its capability to infect other programs increases.

73 73 Macro Facilities

74 74 Macro Facilities Macro facilities enable a user to record a sequence of operations within the application. The user then uses a key combination to associate these operations. Later, pressing this key combination repeats the recorded steps.  A given macro activated using a key combination, for example, might open a file renumber the items within it then close the file.

75 75 Global Pool of Macros Macro systems have evolved greatly over the years. Most old programs that supported macros had a “global pool” of macros that always were available for use, regardless of what file the user happened to be editing. Individual document or spreadsheet files could NOT contain their own, local, macros.

76 76 New Properties of Modern Macro Systems (1) Modern macro systems differ from their predecessors in several key ways.  First, users now can write entire complex programs in a macro language. These programs have access to  all the host application’s features and  many of the operating system’s features. For example,  Microsoft products enable users to write macros in a language that resembles Visual Basic.  These macros can perform various tasks for the user, including popping up dialog boxes, altering files on the system, or inserting the date and time in a document.  They can also be used to write viruses!

77 77 New Properties of Modern Macro Systems (2)  Second, the user can tote specific macros around in a document or spreadsheet data file. For example,  A user can create a macro for a specific spreadsheet and attach it directly to the spreadsheet file.  Any time the file is used on a new machine, the accompanying macro is available for use.

78 78 Security Concerns of Modern Macro Systems An inherent threat exists with modern macro system: just as normal macros can be attached and carried along with a given document or data file, so can macro viruses!

79 79 Cross-platform Compatibility Modern macro languages, such as Word for Windows’ WordBasic,  are interpreted by the host application and  often are compatible across different operating systems.

80 80 Cross-platform Compatibility Example A Word for Windows 6.0 document that contains macros created on a PC, for instance, can be edited in Word for Macintosh. Because Word for Macintosh provides the same macro facilities as its DOS counterpart, the document’s macros also function on the Macintosh platform.

81 81 Cross-platform Macro Viruses This cross-platform compatibility means that a macro virus can spread from computer to computer, as long as the destination computer supports a macro-capable, compatible version of the host application.

82 82 Microsoft Word [Shauna Kelly] [Better Solutions][ucsb]Shauna KellyBetter Solutionsucsb

83 83 Template A template is a sample document that is used for the basis for a new document. Every Microsoft Word document is based on a template, whether you choose a template explicitly or not. A template determines  the basic structure for a document and  contains document specific settings such as fonts styles page layout macros etc.

84 84 Relationship between a Word File and Its Template When you create a document, the file that is created initially is just a copy of its template.  This means that subsequent changes to the template will not automatically be reflected in the document.  Some changes made to the document, however, can be saved to the template.

85 85 Naming Rule of a Template File A Word template has the file extension (.dot ) and every document is based on a template. When you save a document as a Word template the three-letter extension is added to the end of the name instead of.doc.

86 86 Template The template is the basis for any new blank documents you create. is a special global template created and used by Word. Whenever you create a new document by clicking (File > New) a copy of the file called is created and is presented as a new document. If you change something in the then all new documents will reflect those changes. If Word is unable to find your file or it is damaged then a new one will be created using the default settings.

87 87 What Happens When a Document Is Born? When a document is created, it inherits three things from its parent template:  styles: In Word, a style is a collection of formatting instructions. You use styles to format the paragraphs in your document. styles So you would use the "Title" style for your title, "Body Text" style for body text, "Caption" style for the picture captions, and "Heading 1" for the major headings.  content (e.g. text, pictures, a fax header, a form to fill in, the outline of your monthly management report, any content in headers and footers)  page settings (e.g. margins, paper size, paper orientation, settings for headers and footers).

88 88 When a New Word Document Is Created … The moment a document is created, it loses its connection with its parent with respect to styles, content and page settings.

89 89 Changing a Document Won't Change the Template It's Attached to You can change the margins in a document and the change won't affect the template. You can add, delete or modify styles in a document, and it won't affect the template.

90 90 Changing the Template Won't Change Documents Attached to the Template You can change the margin in a template, and it will affect documents you create from this template in the future. But it won't affect existing documents attached to that template. You can add, delete or modify styles in a template, and the change will affect documents you create from this template in the future. But it won't affect existing documents.

91 91 What Happens after a Document Is Born, While It Is Being Edited? Once a document has been created, the template to which it is attached takes on quite a different role. When a document is being edited, its template sits in the background and makes four things available to a document:  two kinds of functionality: macros AutoTexts  two ways to access the functionality: toolbars keyboard shortcuts (that is, a keyboard way and a mouse way).

92 92 Templates and Existing Word Documents

93 93 Change Template [Kelly]Kelly You can  attach a new template to a Word document or  change the template a Word document is associated with. But nothing happens after you execute the operations, because:  A document inherited styles, content and page settings from its parent template when it was first created.  You're not creating a new document, so the styles, content and page settings in the newly-attached template will not affect the document at all.  The newly-attached template will sit in the background, and make available the four things that templates make available to documents: Macros AutoTexts Toolbars keyboard shortcuts

94 94 Global Template [ucsb]ucsb A global template is a template whose customizations will be available to all documents, no matter what template they're attached to. Word allows a user to make a template “global”. That means that its macros etc. will be available to all templates. is a global template.

95 95 Word Macro (1) A macro is just the name given to a series of keystrokes that can be recorded and then played back in order to automate a task. These keystrokes are then transferred into a series of commands which can then be rerun at any time.

96 96 Word Macro (2) Macros are simple computer programs where the code is often generated for you. These macros run completely within an application like Word and require no additional software. Macros  can be used to play back your actions and  can prevent you from having to perform tedious or repetitive tasks.

97 97 Where to Store Your Macro? [Better Solutions Limited]Better Solutions Limited There are two possible workbooks where you can store your macros:  - Storing your macros here will mean that they are available every time Word is open and are not reliant on any one particular document.  Document - This is the default location and is often the best place if you are relatively new to macros. A macro that has been saved into a specific document is only available when that particular document is open. The currently active document is also referred to as the current document or active document.

98 98 Macros [Shauna Kelly]Shauna Kelly You can copy macros to and from documents and templates using Tools > Templates and Add-ins > Organizer.

99 99 Properties of Microsoft Word Macro Microsoft Word’s macro system actually offers a global pool macro area, as well as document-specific macros.  Users can establish a set of global macros available for use regardless of the document being edited.  They also can use the local macros that accompany a specific document during editing of that document.  In the Microsoft scheme, macros can copy themselves to and from the global and local pools.  The global pool provides the macros with the capability to migrate from one document to another.  Upon execution, a macro can copy itself from a local pool to the global pool. Later, executing the same macro lets it copy itself from the global pool to a new document—a nice feature, as long as the user initiates the actions and knows of the results.  Viruses can target the above facility.

100 100 How Macros can Migrate from File to File Microsoft Word uses a template to create, edit, or assemble a document. The default template is called NORMAL.DOT. This global template contains information that gets pulled into your current document, such as default settings, shortcut keys, toolbars, custom menu settings, AutoText entries, and macros.

101 101 Auto-execution Facility (1) The Word for Windows macro system also includes an auto-execution facility that makes it attractive to viruses. Word for Windows has an AutoExec macro that launches (if it is present in the global pool) when a user starts the Word processor.  This facility can serve to execute other macros and set up the user’s work environment—or a virus can exploit it to ensure that the virus macro executes upon Word for Windows startup.

102 102 Auto-execution Facility (2) In addition to the AutoExec macro, Word for Windows contains numerous other macros that activate during a normal editing session without directly being activated by the user.  Any time the user opens a new document file, for example, a macro known as AutoOpen executes from the document’s local macro pool (if present). A virus could easily use this macro to copy itself to the global pool as soon as a user opens the document.

103 103 Key Factors for the Emergence of Macro Viruses (1) First of all, many popular applications, such as desktop publishing, Word processing, and spreadsheet programs, include macro capabilities.  Such widespread usage is attractive to a macro virus from the standpoint that chances for continued self-replication are high. Secondly, it is far easier to write macro language programs than assemble language programs. The art of virus writing is no longer limited to the technically astute.

104 104 Key Factors for the Emergence of Macro Viruses (2) Finally, executable program viruses rely upon a system’s CPU to directly execute its instructions, whereas macro viruses don’t. Because of this, macros are platform independent.  For example, the same macro that runs in a Windows-based Word processing program can also function in its Macintosh and Unix counterparts.

105 105 Macro Viruses Infect data files. Common viruses nowadays. Macro viruses infect Microsoft Office Word, Excel, PowerPoint and Access files. Examples:  Melissa,  WM.NicdDay,  W97M.Groov.

106 106 The Evolution of Media Used by Viruses to Spread Themselves In the 1980's, floppy disks where the primary vector for spreading computer viruses because that is how most people shared data. In the late 80's and early 90's, Bulletin Board Systems (BBS) became the primary source for infections. After 1995, almost all new viruses were being spread via e-mail, or by sharing files over the web.  Network administrators have been able to respond to this threat by installing antivirus software on their e-mail servers and restricting internet sites on their firewalls.

107 107 USB Flash Drives [labMice]labMice USB Flash drives are pocket sized ultra portable storage devices (about the size of a highlighter pen) that hold up to tens of GBs of data that can be instantly accessed from any PC with a USB port.

108 108 Security Concerns about Flash Drives The use of USB Flash Drives can bypass  the safeguards against e-mail viruses and  firewalls. Users can either  bring in infected documents from home or  take home a business document to an infected PC, update it, and return it to a corporate file server.

109 109 Bootable USB Flash Drive [TechRepublic] [Shaher]TechRepublicShaher It is actually possible to install a bootable copy of Windows XP onto a flash drive and then boot a PC off of the flash drive.

110 110 Methods to Avoid Detection Avoiding bait files and other undesirable hosts.  Anti-virus programs  Bait files (small programs or programs containing garbage instructions). Stealth  Virus intercept anti-viruses’ request to read infected file. Self-modification Encryption with a variable key Polymorphic code.

111 111 Virus Sources VX Heavens source codes and viruses database. VX Heavens The Virus Source Code Database Virus source code The Virus Source Code Database 29A Labs source codes and articles 29A Labs Virus Database List of all computer virus. Virus Database

112 112 Complementary Material

113 113 Areas of a Disk [1][2]12 Under DOS, A disk is divided into the following four areas:  The boot record.  The file allocation table (FAT).  The root directory.  The data area. A hard drive has a fifth area:  The partition table.

114 114 Boot Record Boot Record:  Location: sector 1, track 0, head 0.  Contents: the bootstrap routine (a machine language program designed to load the operating system from other part of the disk.) the BIOS Parameter Block (BPB), which identifies the floppy disk’s operating parameters, including the number of bytes per sector, sectors per cluster and track, and tracks per disk.  The BPB allows an operating system to understand the format of a disk.

115 115 The Bootstrap Program In a PC, when a machine is turned on, a routine called “The Power-On Self Test (POST)” verifies all hardware components are working properly. After everything is confirmed working well, POST loads up the boot record from the disk and checks for two signature bytes inside it. If the boot record signature is present, the execution control is transferred to the bootstrap program inside the boot record. Under DOS, the bootstrap program in turn loads the OS into the RAM from the disk and eventually transfers control to COMMAND.COM, the command interpreter. On board On disk

116 116 Boot Sequence from Uninfected Floppy Diskette

117 117 Hard Disk Partition and Master Boot Record A single physical hard drive can be divided into several different partitions. The user can specify one of the partitions as the active partition (the one from which the user wants to boot.) The Master Boot Record (MBR) is a structure stored on the first track, sector and head of the hard drive. The MBR contains a partition table, which denotes the allocation of all sectors and their respective partitions. Programs require the partition table on the hard disk to understand the disk’s characteristics.

118 118 Boot Sequence from Uninfected Hard Drive -- (1) Stop Floppy boot Process BBP print error message

119 119 Boot Sequence from Uninfected Hard Drive -- (2)

120 120 8086/8088 INTERRUPTS, BIOS, and DOS

121 121 Interrupt [Gerhard Roehrl]Gerhard Roehrl The 8086/88 microprocessors allow normal program execution to be interrupted by external events or by special instructions embedded in the program code. When the microprocessor is interrupted, it stops executing the current program and calls a procedure which services the interrupt. At the end of the interrupt service routine, the code execution sequence is returned to the original, interrupted program.

122 122 Interrupt Sources An interrupt can be generated by one of three sources:  Internal interrupts  Hardware interrupt  Software interrupt

123 123 Internal Interrupts An interrupt can be generated as a result of a processor state violation, called an exception.  An example would be a divide-by-zero interrupt produced when the div instruction is interpreted to have a zero divisor. Program execution is automatically interrupted and control transferred to an interrupt handler. Conditional interrupts such as this are referred to as internal interrupts.

124 124 Hardware Interrupt An interrupt can also be generated by an external device requesting service. This happens when a device signals its request on either the non-maskable interrupt (NMI) or on the INTR interrupt input lines of the processor.  The NMI interrupt is generally used to signal the occurrence of a catastrophic event, such as the immanent loss of power.  The INTR interrupt is used by all other devices. An interrupt caused by a signal applied to either the NMI or INTR input pin of a CPU is referred to as a hardware interrupt.

125 125 Software Interrupt Interrupts may be generated as a result of executing the int instruction. This is referred to as a software interrupt.

126 126 Functions of Software Interrupts (Only Apply to Real Mode) Software interrupts produced by the INT assembler instruction have many uses. For example,  test various interrupt service routines You could use an INT 2 instruction to start the execution of an NMI interrupt service procedure. This would allow you to test the NMI procedure without needing to apply an external signal to the processors NMI input line.  call commonly used procedures from many different programs The Basic Input/Output System (BIOS) procedures of an IBM computer or compatible are a good example of this use of the INT instruction.

127 127 BIOS Procedures One part of the BIOS is actually a collection of procedures which provides the fundamental I/O services that are needed for the operation of the computer.  Each procedure performs a specific function such as reading a character from the keyboard writing characters to the screen reading information from disk.

128 128 Using BIOS Procedures System I/O procedures are called with the INT instruction. There are 12 BIOS procedures in all, falling into 5 groups.  For example with INT 10h you can access the video display services. This interrupt includes 20 subroutines. Obviously, one of the INT 10h parameters is a data value indicating which one of the twenty subroutines is required.  the AH Register is loaded with the number of the subroutine.  the AL, BX, CX, and DX registers are used to provide the parameters for this subroutines.

129 129 The 12 BIOS Service Routines Supported by the IBM PC (and Compatibles) Dec Hex Use Peripheral Devices Services 16 10 Video-display services 19 13 Diskette services 20 14 Communications services 21 15 Cassette-tape services 22 16 Standard keyboard services 23 17 Printer services Equipment Status Services 17 11 Equipment-list service 18 12 Memory-size service Time/Date Service 26 1A Time and date services Print-Screen Service 5 5 Print-screen service Special Services 24 18 Activate ROM-BASIC language 25 19 Activate bootstrap start-up routine

130 130 Files Constituting DOS When you turn on your PC there are several jobs to do. One is to load the operating system from the system disk. If you use MS-DOS (MicroSoft - Disk Operating System), three system files are loaded;  IBMBIO.COM  COMMAND.COM  IBMDOS.COM

131 131 Comparing DOS and BIOS Services The file IBMDOS.COM contains DOS service routines. The DOS services, like the BIOS services, can be called by programs through a set of interrupts whose vectors are placed in the interrupt vector table.  The ROM-BIOS routines can be thought of as the lowest-level system software available, performing the most fundamental and primitive input and output operations.  The DOS service routines provide more sophisticated and efficient control over the I/O operations than the BIOS routines do, particularly for disk file operations.

132 132 Using DOS Interrupts (a.k.a. DOS Calls) There are nine DOS interrupt services.  Five of them, interrupts 20h, 25h, 26h, 27h, and 2Fh are "true" DOS interrupt services, each one having a specifically-defined task associated with it.  22h, 23h, and 24h : these three interrupts are used to hold segmented addresses.  INT 21h provides under one "umbrella" a set of universal functions we can use in our programs. All of the DOS function calls are invoked by INT 21h.  Individual functions are selected in the same way as BIOS functions, placing the function number in the AH -Register.

133 133 The Nine DOS Interrupts Dec Hex Description 32 20 Program terminate: come to normal ending 33 21 Function-call umbrella interrupt 34 22 Terminate address 35 23 Break address 36 24 Critical error-handler address 37 25 Absolute disk read 38 26 Absolute disk write 39 27 Terminate-but-stay-resident 47 2F Print spool control (DOS-3 versions only)

134 134 Interrupt Vectoring Two 16 bit data words are used to specify the location of a interrupt service routine.  One word is used to load the CS register and points to the base address of the code segment containing the service routine.  The second word is used to load the IP with the offset value for the desired routine within the specified code segment. The base and offset words for all interrupt types are grouped together in an interrupt vector table.

135 135 BIOS (1) [wikipedia]wikipedia BIOS, in computing, stands for Basic Input/Output System or Basic Integrated Operating System. BIOS refers to the firmware code run by an IBM compatible PC when first powered on.  The primary function of the BIOS is to prepare the machine so other software programs stored on various media (such as hard drives, floppies, and CDs) can load to the PC execute on the PC and assume control of the PC.  This process is known as booting up. Boot is short for bootstrapping.

136 136 BIOS (2) BIOS can also be said to be a coded program embedded on a chip that recognizes and controls various devices that make up the PC.

137 137 BIOS Firmware Chips A computer system can contain several BIOS firmware chips. The motherboard BIOS typically contains code to access fundamental hardware components such as  the keyboard  floppy drives  ATA (IDE) hard disk controllers  USB human interface devices  storage devices. Plug-in adapter cards such as SCSI, RAID, Network interface cards, and video boards often include their own BIOS, complementing or replacing the system BIOS code for the given component.

138 138 BIOS Procedures in ROM Chips (1) ROM chips accompany most hardware add-ons, such as hard drives, video boards, and so forth.  These chips contain machine language programs (routines) that handle most of the common requests that operating systems and applications make.

139 139 BIOS Procedures in ROM Chips (2) ROM-based software adheres to a well-known, published standard.  If a program wants to write data to the hard drive, for example, it can call upon the routines on the hard drive ROM chips to perform the operation.  Although the circuitry in each brand of hard drive might differ, this well-defined software interface allows programs to efficiently request services from hard drives and other peripherals without having to understand their internals.

140 140 BIOS Procedures in ROM Chips (3) ROM-based software is referred to as a BIOS procedures. If a program needs to request a service from a peripheral, such as reading data from the hard drive, it can call upon the BIOS procedure in the ROM chip to  communicate with the specific device and  service the request. similar to a device driver in Unix

141 141 An Example Physical Memory Layout of a PC linear address range real-mode address range memory type use 0- 3FF0000:0000-0000:03FF RAM real-mode interrupt vector table (IVT) 400- 4FF0040:0000-0040:00FFBIOS data area (BDA) 500- 9FBFF0050:0000-9000:FBFFfree conventional memory (below 1 M) 9FC00- 9FFFF 9000:FC00- 9000:FFFF extended BIOS data area (EBDA) A0000- BFFFF A000:0000- B000:FFFF video RAM VGA frame buffers C0000- C7FFF C000:0000- C000:7FFF ROMvideo BIOS (32K is typical size) C8000- EFFFF C800:0000- E000:FFFF NOTHING F0000- FFFFFF000:0000-F000:FFFFROMmotherboard BIOS (64K is typical size) 100000- FEBFFFFFRAMfree extended memory (1M and above) FEC00000- FFFFFFFF various motherboard BIOS, PnP NVRAM, ACPI, etc. 1M 640K

142 142 DOS Calls The DOS operating system also offers system services to its applications.  DOS installs its own system service provider software in memory to service common requests, such as opening a file or writing data to a file.  The above DOS software works on top of the various BIOS Procedures and simplifies certain basic operations.

143 143 DOS Call Example Assume an application requests a system service, such as opening a file.  The application makes this request with a simple DOS call.  DOS may make one or more low-level requests to the ROM service provider.  Finally, the ROM service provider may interact with the hardware to service some requests. Because the typical program doesn’t care about how data actually is stored on the hard drive, as long as it can access it, DOS abstracts this for the program and offers a simple way to open files. Similar to a system call in Unix

144 144 System Layering

145 145 An Example of System Layering [Raymond Wisman]Raymond Wisman C++ program: cout << "Hello world"; Machine : Call DOS video function 9 to output Code string "Hello world" DOS: Call BIOS video function by int 10h BIOS: "Hello world" placed in hardware video memory Video hardware: "Hello world" display from video memory

146 146 Invoking a BIOS Procedure or DOS Call Both BIOS procedures or DOS calls are invoked through the int instruction,  e.g. int 20h int 10h

147 147 The Rise and Fall of the BIOS Older operating systems such as DOS relied on the BIOS to carry out most input-output tasks within the PC. A variety of technical reasons eventually made it inefficient—especially for more recent operating systems written for the Intel 80386 such as Linux and Microsoft Windows—to invoke the BIOS directly.  Such operating systems instead used their own better- performing native drivers and were also much easier to extend to support new hardware. As such, the BIOS was mostly relegated to bootstrapping to the point where the operating system's own drivers could take control of the hardware.

148 148 Hook TSRs into DOS System Services Memory-resident programs, called TSRs, can hook into the system service provider software (DOS calls) already resident in the computer’s memory and augment the services offered by the original system service provider software. The “hooking” program can  service all requests on its own or  pass on some or all requests to the original service provider. It also can opt to modify information before passing it to a subservient service provider (one installed before the current service provider).

149 149 How Resident File Viruses Hook into the Operating System Most programs that hook into DOS or ROM services do so for legitimate reasons. Unfortunately, memory-resident viruses also can hook into these system services to damage data or spread to floppy disks and files.

150 150 Examples Form. Disk Killer. Michelangelo. Stoned.

151 151 Master Boot Record Viruses

152 152 Master Boot Record Viruses The MBR contains a bootstrap program which according to the MBR’s partition table determines which partition is the active partition, and then load and transfer control to the active partition’s Partition Boot Record (PBR) to finish the loading of the DOS into memory. Examples:  NYB,  AntiExe,  Unashamed.

153 153 Program File Viruses

154 154 Program File Viruses Program file viruses (hereafter called just file viruses ) use executable files as their medium for propagation. They target one or more of the three most common executable file formats used in DOS: COM files, EXE files, and SYS files. The basic file virus replicates by attaching a copy of itself to an uninfected executable program. The virus then modifies the new host program so that when the program executes, the virus executes first.

155 155 Examples Jerusalem Cascade.

156 156 Infection The file-infecting virus can only gain control of the computer if the user or the operating system executes a file infected with this virus. In other words, infected files are harmless as long as they are not executed; they can be copied, viewed, or deleted without incident.

157 157 Execution of a COM Program COM programs have the simplest format of any of the DOS executable file formats. They also have the simplest loading sequence:  DOS reads the program directly into memory,  then jumps to the first instruction (at the first byte) of the program image.  When this action occurs, the program has complete control of the computer, until it relinquishes control back to DOS upon termination.

158 158 COM Infections File viruses infect COM files by modifying the machine-language program at the start of the executable image. A virus can ensure that it gains control in at least four different ways, because execution in a COM file must begin at the first byte in the executable image.  Prepending COM Viruses  Appending COM Viruses  Overwriting COM Viruses  Improved Overwriting COM Viruses

159 159 Prepending COM Viruses A virus can insert itself at the top of the COM file, moving the original program down after the viral code. The entire virus is then located at the top of the executable image, and is the first to execute when the program is loaded. This method of infection is known as prepending, because the virus affixes itself to the beginning of the host COM program

160 160 Prepending COM Virus Infection

161 161 Appending COM Viruses – Inject the Virus A virus can modify the machine-language program at the top of the executable image of the COM file to transfer control to the virus, which can be located elsewhere in the executable file. The virus often attaches itself to the end of the infected program and changes the first few instructions at the top of the executable image so that they transfer control to the viral code.

162 162 Appending COM Viruses – Handle the Original Code Before the virus changes the first few program instructions, it must record what the host program’s original entry instructions were so that it can repair the host program after it has completed. Without preserving these instructions, when the virus transfers control to the host program, the PC would most likely crash or work incorrectly, foiling the virus’ attempts to remain undiscovered. This above method of infection is known as appending, because the virus affixes its bulk to the end of the host program

163 163 Appending COM Virus Infection

164 164 Overwriting COM Viruses The third technique used to infect COM files is known as overwriting. Viruses that use this technique often are crudely written. They infect COM programs by entirely overwriting the start of the host program with the viral code.

165 165 Repair Files Infected by Overwriting COM Viruses Overwriting COM Viruses don’t attempt to save a copy of the host’s bytes that have been overwritten. As a result, the original program can’t work after the virus executes. If a computer becomes infected with a virus of this type, the only way to repair the infected files is to restore them from backups created before the infection.

166 166 Tricks Used by Overwriting COM Viruses to Avoid Being Detected After overwriting viruses infect program files, they either crash or display a bogus error message such as Not enough memory to execute program. Such error messages appear in an attempt to convince the user that the PC has a memory management problem rather than a virus.

167 167 Overwriting COM Virus Infection

168 168 Improved Overwriting COM Viruses The last method used to infect COM programs is known as improved overwriting. Assuming the virus is V bytes long, the virus first reads the first V bytes of the host program and then appends this information to the end of the host program. The virus then overwrites the top of the COM program using the V bytes of viral code.

169 169 Original Information of Infected Files The host program can be repaired and executed normally after the virus completes its dirty work, because the information from the uninfected host program has been stored.

170 170 Improved Overwriting COM Virus

171 171 EXE Infections Although numerous methods are used to infect COM files, viruses use primarily one method to infect EXE format files. EXE files have a variable entry point specified by the Code Segment (CS) and Instruction Pointer (IP) fields of the file header. In the most common form of EXE infection, the virus performs the following sequence of actions:  Records the host’s original entry point in itself, so it can later execute the host program normally.  Appends a copy of itself to the end of the host program.  Changes the entry point (using CS and IP fields) in the EXE header to point to the virus code.  Changes other fields in the header, including the program’s load- image size fields to reflect the presence of the virus.

172 172 EXE File before and after Infection

173 173 How and When the File-Infecting Virus Gets Control? Simply stated, a file-infecting virus gains control of the computer when the user or operating system executes an infected program. When a user executes an infected program, DOS loads the entire program into memory, virus and all, and begins executing the program at its entry point. In infected files, the virus modifies the location of the entry point or the machine-code at the entry point so that the virus executes first.

174 174 Proliferation of File-Infecting Viruses After the virus machine code begins executing, it can immediately seek out and infect other executable programs on the computer, or it can establish itself as a memory-resident service provider in the operating system.  As a service provider, the virus can then infect subsequent executable files as the operating system or other programs execute or access them for any reason.

175 175 Categories of File-infecting Viruses File-infecting viruses are categorized as being either direct action or memory- resident file infectors.  The direct-action file infector  The memory-resident file infector

176 176 The Direct-Action File Infector The direct-action file infector infects other program files located somewhere on the path, or on the hard drive, as soon as an infected program executes.

177 177 The Memory-Resident File Infector The memory-resident file infector loads itself into the computer’s memory using a method similar to that used by the boot infecting viruses.  However, the virus must check to see whether it has already inserted itself in memory as a system service provider.  The user may have many infected programs, each which represents a different opportunity for the virus to load itself in memory during a computing session. (Boot record viruses don’t concern themselves with this issue, as they only install themselves once during system bootup. The virus cannot inadvertently insert itself in memory as a service provider more than once.)

178 178 Multi-Partite Viruses: Multi-partite viruses (a.k.a. polypartite ) infect both boot records and program files. Examples:  One_Half,  Emperor,  Anthrax,  Tequilla.

Download ppt "1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Virus [Internet Security Professional Reference ]Internet Security Professional Reference."

Similar presentations

Ads by Google