Title: The Attack and Defense of Computers
The Attack and Defense of Computers
- Dr. ? ? ?
Virus (Internet Security Professional Reference)
Virus Tutorial
- Computer Virus Resources
- Introduction of Famous Malware
- Virus descriptions of viruses in the wild
Virus
- A sequence of code that is inserted into other programs.
- A virus can create a copy of itself to insert into one or more other programs.
- Viruses cannot run on their own; they need a host program.
- E.g. the Melissa virus, the ILOVEYOU virus.
Virus
- Boot sector viruses
- Master boot record viruses
- File infector viruses
- Multi-partite viruses
- Macro viruses (infect data files)
Disk Structures
- Units used in floppy disks and hard disks
  - Cylinder (for HDs)
  - Heads
  - Tracks
  - Sectors
- E.g. a 3 ½ inch high-density disk
  - 512 bytes/sector
  - 18 sectors/track
  - 40 tracks/side
- Cluster
  - Disk space allocation unit
  - Each cluster contains one or more sectors.
Floppy Disk Structure
[Figure: floppy disk structure]
Disk Sectors
[Figure: magnetic disk, sector]
Hard Disk Structure
[Figure: hard disk structure]
Boot Record of a Floppy Disk (Sedory)
- The first sector of any diskette normally contains the boot record for some OS.
Boot Record
- Location: sector 1, track 0, head 0.
- Contents
  - the bootstrap routine (a machine language program designed to load the operating system from another part of the disk)
  - the BIOS Parameter Block (BPB), which identifies the floppy disk's operating parameters, including the number of bytes per sector, sectors per cluster and track, and tracks per disk.
- The BPB allows an operating system to understand the format of a disk.
Content of a Floppy Boot Record (Sedory)
- The bytes between the two dark blue bands are called the BPB (or BIOS Parameter Block).
- Most of the boot record is executable code, from offsets 03Eh through 19Dh.
- The code is followed by one long error message and the two system filenames IO.SYS and MSDOS.SYS.
- Finally, the sector ends with the word-sized signature ID (or magic number) AA55 hex (remember that words on Intel x86 CPUs are stored in memory with the lowest byte first and the highest byte last, to make processing quicker).
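The boot record layout above can be checked mechanically. The following Python is an added example, not code from the slides or from the Sedory page they cite: it decodes the BPB fields the slide names from a constructed 512-byte boot record, reads the AA55h signature as a little-endian word, and reports the inconsistencies a defender would want flagged before trusting a diskette's boot sector.

```python
import struct

# Layout of a DOS (FAT12) floppy boot record, offsets in bytes:
#   0x00 JMP to the bootstrap code (3 bytes), 0x03 OEM name (8 bytes)
#   0x0B BIOS Parameter Block: bytes/sector, sectors/cluster, reserved sectors,
#        number of FATs, root entries, total sectors, media byte, sectors/FAT,
#        sectors/track, heads
#   0x3E bootstrap code, 0x1FE signature bytes 55h AAh (the word AA55h, little-endian)
SECTOR_SIZE = 512
BPB_OFFSET = 0x0B
BPB_FMT = "<HBHBHHBHHH"
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_count", "root_entries", "total_sectors", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads")
SIGNATURE_OFFSET = 0x1FE


def parse_boot_record(sector: bytes) -> dict:
    """Decode the OEM name, the BPB and the signature word of one boot record."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a boot record is exactly one 512-byte sector")
    info = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, sector, BPB_OFFSET)))
    info["oem_name"] = sector[3:11].decode("ascii", "replace").rstrip()
    # "<H" reads the two bytes lowest-byte-first, so 55h AAh on disk becomes AA55h.
    info["signature"] = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)[0]
    return info


def check_boot_record(sector: bytes) -> list:
    """Return the list of inconsistencies found (an empty list means the BPB is sane)."""
    info = parse_boot_record(sector)
    problems = []
    if info["signature"] != 0xAA55:
        problems.append("missing AA55h signature")
    if sector[0] not in (0xEB, 0xE9):
        problems.append("first byte is not a JMP to the bootstrap code")
    if info["bytes_per_sector"] != SECTOR_SIZE:
        problems.append("bytes per sector is not 512")
    spc = info["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        problems.append("sectors per cluster is not a power of two")
    if info["fat_count"] == 0 or info["reserved_sectors"] == 0:
        problems.append("no FAT or no reserved (boot) sector declared")
    per_cylinder = info["sectors_per_track"] * info["heads"]
    if per_cylinder == 0 or info["total_sectors"] % per_cylinder:
        problems.append("total sectors is not a whole number of cylinders")
    return problems


def make_sample_boot_record() -> bytes:
    """Constructed 1.44 MB FAT12 boot record (not read from a real disk): 18 sectors/track
    as on the slide, 2 heads; the code bytes are a stand-in, not a real bootstrap routine."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x3C\x90"                      # JMP SHORT 3Eh ; NOP
    sec[3:11] = b"MSDOS5.0"
    struct.pack_into(BPB_FMT, sec, BPB_OFFSET,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    sec[0x3E:0x42] = b"\xFA\x33\xC0\x8E"            # stand-in for the bootstrap routine
    sec[SIGNATURE_OFFSET:] = b"\x55\xAA"            # stored low byte first
    return bytes(sec)
```

Swapping the two signature bytes makes the word read 55AAh instead of AA55h, which is exactly the byte-order point the slide makes.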
Hard Disk Partition and Master Boot Record
- A single physical hard drive can be divided into several different partitions.
- The user can specify one of the partitions as the active partition (the one from which the user wants to boot).
- The Master Boot Record (MBR) is a structure stored on the first track, sector and head of the hard drive.
- The MBR contains a partition table, which denotes the allocation of all sectors to their respective partitions.
- Programs require the partition table on the hard disk to understand the disk's characteristics.
Structure of a Master Boot Record (Wikipedia)
[Figure: MBR layout]
Functionality of an MBR
- Holding a disk's primary partition table.
- Bootstrapping operating systems, after the computer's BIOS passes execution to machine code instructions contained within the MBR.
- Uniquely identifying individual disk media, with a 32-bit disk signature.
Master Boot Code (DEW)
- The master boot record is the small bit of computer code that the BIOS loads and executes to start the boot process.
- This code, when fully executed, transfers control to the boot program stored on the boot (active) partition to load the operating system.
Load Boot Sector (Wikipedia)
- On an IBM PC compatible machine the BIOS selects a boot device, then copies the first sector from the device (which may be an MBR or any executable code) to memory address 0x7C00.
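The MBR fields described on these slides (master boot code, 32-bit disk signature, partition table with its active flag, AA55h signature) can be parsed and sanity-checked the same way. The Python below is an added example, not code from the slides or their sources; the MBR it parses is constructed in memory, and the partition entries and disk signature are made-up values.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 0x1B8        # master boot code occupies bytes 0..0x1B7
DISK_SIG_OFF = 0x1B8         # 32-bit disk signature
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries
SIGNATURE_OFF = 0x1FE        # 55h AAh (the word AA55h, little-endian)
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split one MBR sector into boot code, disk signature, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
        "signature": struct.unpack_from("<H", sector, SIGNATURE_OFF)[0],
    }


def check_mbr(sector: bytes) -> list:
    """Return the partition-table inconsistencies found; an empty list means the table is sane."""
    mbr = parse_mbr(sector)
    problems = []
    if mbr["signature"] != 0xAA55:
        problems.append("missing AA55h signature")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):          # only "inactive" and "active" are valid
            problems.append(f"entry {i}: invalid status byte {p['status']:02X}")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    active = [p for p in used if p["status"] == 0x80]
    if len(active) != 1:
        problems.append(f"{len(active)} active partitions (expected exactly one)")
    for p in used:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            problems.append("used entry with zero start or zero length")
    used.sort(key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append("partition entries overlap")
    return problems


def mbr_code_changed(sector: bytes, known_good: bytes) -> bool:
    """True when the master boot code differs from a trusted copy; the partition table
    and disk signature are deliberately left out of the comparison."""
    return parse_mbr(sector)["boot_code"] != parse_mbr(known_good)["boot_code"]


def make_sample_mbr() -> bytes:
    """Constructed MBR: one active FAT16 partition, one NTFS partition, made-up signature."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:8] = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB"        # stand-in for master boot code
    struct.pack_into("<I", sec, DISK_SIG_OFF, 0x12345678)  # constructed disk signature
    struct.pack_into(ENTRY_FMT, sec, PART_TABLE_OFF,
                     0x80, b"\x01\x01\x00", 0x06, b"\xFE\xFF\xFF", 63, 204800)
    struct.pack_into(ENTRY_FMT, sec, PART_TABLE_OFF + 16,
                     0x00, b"\xFE\xFF\xFF", 0x07, b"\xFE\xFF\xFF", 204863, 100000)
    sec[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(sec)
```

Comparing the boot code region against a copy captured from a known-clean installation catches replaced master boot code even when the partition table is untouched and the machine still boots normally.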
Boot Sector Viruses
- If a disk has a boot record virus, the virus activates when the PC attempts to boot from the floppy disk or hard disk.
- Even if the PC can't start up from an infected disk (such as when the floppy disk does not contain the proper DOS system files), it attempts to run the bootstrap routine, which is all a virus needs to activate.
Parasitical Place of Boot Sector Viruses
- Most boot record viruses
  - install themselves in the host computer's memory, and
  - hook into the various system services provided by the computer's BIOS and operating system.
- They remain active in RAM while a workstation remains on.
- As long as they stay in memory, they can continue to spread by infecting the floppy disks that a computer accesses.
Floppy Boot Record Viruses
- Most floppy boot record viruses can infect
  - the hard drive MBR
  - the active partition boot record
  - the floppy disk boot record
- The floppy disk serves as a carrier for the virus, allowing it to spread from one hard drive to another.
- After the virus places itself on the hard drive, it can then infect other floppy disks that inevitably make their way to other machines.
When and How Do Floppy Boot Record Viruses Get Control?
- Floppy boot record (FBR) viruses seize control of the computer during system reset.
- During the bootup sequence, the BIOS on most PCs determines whether a floppy disk is present in the floppy drive from which the computer is configured to boot.
- If the BIOS finds a disk in the drive, it assumes that the user wants to boot from this disk.
- After it locates the disk, the BIOS
  - loads the floppy boot record into the computer's memory, and
  - executes its bootstrap program.
The Boot Sequence from an Infected Floppy Diskette
[Flowchart; its steps in order:]
- Virus activities
  - Virus reserves memory.
  - Virus copies itself to this memory.
  - Virus alters the IVT to become the proxy service provider.
  - Virus attempts to infect the hard drive MBR or PBR.
  - Virus loads the original, non-viral boot record and executes the bootstrap routine.
- Bootstrap routine checks for DOS system files.
  - No SYS files: display message, stop.
  - Otherwise: bootstrap routine loads the DOS system files and executes them; a prompt appears.
BIOS Data Area
- All PCs contain a reserved region of memory known as the BIOS Data Area (BDA).
- During the initial stages of the computer's bootup sequence (before control transfers to the bootstrap routine), the BIOS bootup program updates the BDA with information about
  - the configuration, and
  - the initial state of the computer.
- DOS relies on the information stored in the BDA to properly use the
  - peripherals, and
  - memory attached to the computer.
- Almost all FBR viruses exploit DOS's dependence on the BDA and update its contents to install themselves into memory.
Viruses Reserve Memory (Stage 1)
[Figure]
Viruses Reserve Memory (Stage 2)
[Figure]
Virus Copies Itself to Reserved Memory
- After the virus reserves memory for itself by updating the BDA, it moves itself into the newly reserved memory and attempts to hook into the direct disk system services.
Interrupt Vector Table
- The PC contains a memory structure, known as the Interrupt Vector Table (IVT), which is like a phone book that contains addresses for each of the services that the computer might need as it operates.
- The IVT contains the addresses of ROM BIOS service programs in the computer's memory.
- When the operating system needs to request a service, it can look up the address of the corresponding service provider in the IVT phone book and determine where to send its request.
IVT Entry Example
- The computer's ROM BIOS contains disk service routines that DOS calls upon to directly read from and write to floppy disks and hard drives.
- One of the IVT phone book entries contains the address of the ROM BIOS disk service routines.
Hook into the IVT Entry for the Disk Service Provider
- The FBR virus hooks into the system services by
  - changing the contents of this entry, and
  - informing the computer and any subsequent operating system that it now is a proxy for the ROM BIOS disk service provider.
- All requests to read and write to disks on the computer are then sent to the virus rather than to the original ROM BIOS disk services.
After the Hook
- Later, when the operating system makes a system service request, the IVT is consulted and the request is sent to the virus.
- The virus can then examine the request and, if it desires, infect the floppy disk being accessed.
- After the virus performs its mischief, it can then redirect the request to the original ROM BIOS driver so that it can be properly serviced.
The Fully-installed Boot Virus
[Figure]
Hook as a System Service
- Most FBR viruses attempt to install themselves as a memory-resident driver at this point in the bootup sequence.
- In this way, the virus can monitor all disk service requests during the operation of the computer and infect additional floppy disks at will.
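A resident boot virus of the kind described on the slides above leaves two traces in memory: the BDA reports less base memory than the machine has, and the IVT entry for the disk service (INT 13h) points into RAM instead of ROM. The Python below is an added example, not from the slides; it applies those two checks to constructed IVT and BDA images, and the locations it reads (the INT 13h vector at entry 13h of the IVT, the base-memory word at BDA offset 13h) are assumed from the standard PC memory map, not stated on the slides.

```python
import struct

# Standard PC locations (assumed from the PC memory map, not stated on the slides):
# the IVT occupies physical 0000:0000 to 0000:03FF, one (offset, segment) pair per interrupt;
# the BDA starts at 0040:0000 and its word at offset 13h holds the base memory size in KB.
INT_DISK = 0x13                # ROM BIOS disk service interrupt
BDA_BASE_MEMORY_OFF = 0x13     # word: base (conventional) memory size in KB
CONVENTIONAL_TOP_SEG = 0xA000  # segments below this are conventional RAM, not ROM or adapter space


def read_vector(ivt: bytes, intno: int) -> tuple:
    """Return (segment, offset) of the handler registered for interrupt intno."""
    offset, segment = struct.unpack_from("<HH", ivt, intno * 4)
    return segment, offset


def base_memory_kb(bda: bytes) -> int:
    """Base memory size the BIOS recorded in the BDA (DOS trusts this value)."""
    return struct.unpack_from("<H", bda, BDA_BASE_MEMORY_OFF)[0]


def check_disk_service(ivt: bytes, bda: bytes, expected_kb: int = 640) -> list:
    """Report signs that a resident program reserved memory via the BDA and took over INT 13h."""
    findings = []
    seg, off = read_vector(ivt, INT_DISK)
    kb = base_memory_kb(bda)
    if kb < expected_kb:
        findings.append(f"BDA reports {kb} KB base memory, {expected_kb - kb} KB less than installed")
    if seg < CONVENTIONAL_TOP_SEG:
        findings.append(f"INT 13h vector {seg:04X}:{off:04X} points into conventional RAM, not ROM")
        # The handler sits in the block hidden from DOS: the classic resident-virus layout.
        if seg * 16 + off >= kb * 1024:
            findings.append("INT 13h handler lives above the BDA memory limit, in the reserved block")
    return findings


def make_sample(hooked: bool) -> tuple:
    """Constructed IVT (1 KB) and BDA (256 bytes) images; all addresses are made up."""
    ivt, bda = bytearray(1024), bytearray(256)
    struct.pack_into("<HH", ivt, INT_DISK * 4, 0xE3FE, 0xF000)   # handler in the ROM BIOS segment
    struct.pack_into("<H", bda, BDA_BASE_MEMORY_OFF, 640)
    if hooked:
        struct.pack_into("<H", bda, BDA_BASE_MEMORY_OFF, 639)    # 1 KB reserved by updating the BDA
        # 639 KB * 1024 / 16 = 9FC0h: the reserved block sits right below the 640 KB mark
        struct.pack_into("<HH", ivt, INT_DISK * 4, 0x0000, 0x9FC0)
    return bytes(ivt), bytes(bda)
```

Legitimate resident drivers and disk caches hook INT 13h as well, so a hit is a lead to compare against a known-clean baseline of the same machine, not a verdict on its own.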
Conceptual Hierarchy of Service Providers after the System Is Infected
[Figure: conceptual hierarchy of service providers after memory installation by the boot record virus: Application, then Virus Resident Service Provider]
The Original FBR
- To complete its work, the FBR virus must
  - retrieve the original FBR on the floppy disk, and
  - initiate the original bootup sequence as if the virus were not present.
- If the FBR virus installed itself in memory, infected the hard drive, and caused bootup from the floppy disk to fail, it might quickly be detected and removed.
- Most viruses maintain a copy of the original FBR in one of the sectors at the end of the floppy disk.
- After the virus installs itself in memory, it loads the original FBR into memory and executes the original bootstrap routine.
- The bootstrap routine then proceeds normally, completely oblivious to the presence of the virus.
Infect Non-bootable Disk
- Most floppy disks contain data and don't carry the DOS operating system files; thus, after the virus transfers control to the original bootstrap routine, it displays a message such as "Non-system disk". At this point, the average user realizes that he or she accidentally booted from a data disk, removes the disk from the drive and reboots.
- This is why most FBR viruses infect the MBR or active Partition Boot Record of the hard drive during bootup. This infection guarantees that even if the floppy disk doesn't contain the proper operating system files, the virus can still spread to the hard drive and eventually to other disks.
When and How Does the FBR Virus Infect New Items?
- Most FBR viruses attempt to infect disks whenever they get a chance (although some viruses are more discriminating than others).
- If an infected floppy disk is in drive A, the first opportunity presented to the FBR virus is during a system reset.
- Almost all FBR viruses also attempt to infect the hard drive's MBR or active Partition Boot Record during the floppy boot process.
- The FBR virus also has an opportunity to infect after it installs itself in memory and designates itself as the proxy disk service provider. Any time thereafter when DOS or its programs attempt to access a floppy disk (or the hard drive), the operating system calls upon the virus.
Detect an Infected Disk
- Before a virus attempts to infect a floppy disk, it must determine whether the disk has already been infected. Most often, the virus does so by loading the target FBR into memory and comparing it to its own contents.
- If the FBR virus ascertains that the target floppy disk isn't yet infected, it proceeds with the infection process.
WIN32 PE Infection (Qozah, Rozinov)
The Most Common Executable File Formats under Windows
- The portable executable file format (PE) is the format of the binary programs (exe, dll, sys, scr) for
  - MS Windows NT
  - Windows 95
  - Win32s
Components of a PE File
[Figure: PE file layout]
Struct IMAGE_FILE_HEADER

    typedef struct _IMAGE_FILE_HEADER {
        WORD  Machine;
        WORD  NumberOfSections;
        DWORD TimeDateStamp;
        DWORD PointerToSymbolTable;
        DWORD NumberOfSymbols;
        WORD  SizeOfOptionalHeader;
        WORD  Characteristics;
    } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
An Example of Structure IMAGE_FILE_HEADER (Danehkar)
[Figure: hex dump of an IMAGE_FILE_HEADER]
Struct IMAGE_OPTIONAL_HEADER

    typedef struct _IMAGE_OPTIONAL_HEADER {
        WORD  Magic;
        BYTE  MajorLinkerVersion;
        BYTE  MinorLinkerVersion;
        DWORD SizeOfCode;
        DWORD SizeOfInitializedData;
        DWORD SizeOfUninitializedData;
        DWORD AddressOfEntryPoint;
        DWORD BaseOfCode;
        DWORD BaseOfData;
        DWORD ImageBase;
        DWORD SectionAlignment;
        DWORD FileAlignment;
        WORD  MajorOperatingSystemVersion;
        WORD  MinorOperatingSystemVersion;
        WORD  MajorImageVersion;
        WORD  MinorImageVersion;
        WORD  MajorSubsystemVersion;
        WORD  MinorSubsystemVersion;
        DWORD Win32VersionValue;
        DWORD SizeOfImage;
        DWORD SizeOfHeaders;
        DWORD CheckSum;
        WORD  Subsystem;
        WORD  DllCharacteristics;
        DWORD SizeOfStackReserve;
        DWORD SizeOfStackCommit;
        DWORD SizeOfHeapReserve;
        DWORD SizeOfHeapCommit;
        DWORD LoaderFlags;
        DWORD NumberOfRvaAndSizes;
        IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
    } IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
Some Fields of Struct IMAGE_OPTIONAL_HEADER (1)
- AddressOfEntryPoint
  - A pointer to the entry point function, relative to the image base address.
  - For executable files, this is the starting address.
  - For device drivers, this is the address of the initialization function.
  - The entry point function is optional for DLLs. When no entry point is present, this member is zero.
- ImageBase
  - The preferred address of the first byte of the image when it is loaded in memory.
  - This value is a multiple of 64K bytes.
  - The default value for DLLs is 0x10000000.
  - The default value for applications is 0x00400000, except on Windows CE where it is 0x00010000.
Some Fields of Struct IMAGE_OPTIONAL_HEADER (2)
- SectionAlignment
  - The alignment of sections loaded in memory, in bytes.
  - This value must be greater than or equal to the FileAlignment member.
  - The default value is the page size for the system.
- FileAlignment
  - The alignment of the raw data of sections in the image file, in bytes.
  - The value should be a power of 2 between 512 and 64K (inclusive).
  - The default is 512.
  - If the SectionAlignment member is less than the system page size, this member must be the same as SectionAlignment.
- SizeOfImage
  - The size of the image, in bytes, including all headers. Must be a multiple of SectionAlignment.
An Example of Structure IMAGE_OPTIONAL_HEADER (Danehkar)
[Figure: hex dump of an IMAGE_OPTIONAL_HEADER]
struct IMAGE_SECTION_HEADER

    typedef struct _IMAGE_SECTION_HEADER {
        BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
        union {
            DWORD PhysicalAddress;
            DWORD VirtualSize;
        } Misc;
        DWORD VirtualAddress;
        DWORD SizeOfRawData;
        DWORD PointerToRawData;
        DWORD PointerToRelocations;
        DWORD PointerToLinenumbers;
        WORD  NumberOfRelocations;
        WORD  NumberOfLinenumbers;
        DWORD Characteristics;
    } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
Some Fields of struct IMAGE_SECTION_HEADER (1)
- VirtualSize
  - The total size of the section when loaded into memory, in bytes.
  - If this value is greater than the SizeOfRawData member, the remainder of the section is filled with zeroes.
  - This field is valid only for executable images and should be set to 0 for object files.
- VirtualAddress
  - The address of the first byte of the section when loaded into memory, relative to the image base.
  - For object files, this is the address of the first byte before relocation is applied.
- SizeOfRawData
  - The size of the initialized data on disk, in bytes.
  - This value must be a multiple of the FileAlignment member of the IMAGE_OPTIONAL_HEADER structure.
  - If this value is less than the VirtualSize member, the remainder of the section is filled with zeroes.
  - If the section contains only uninitialized data, the member is zero.
Some Fields of struct IMAGE_SECTION_HEADER (2)
- PointerToRawData
  - A file pointer to the first page of the section within the COFF file.
  - This value must be a multiple of the FileAlignment member of the IMAGE_OPTIONAL_HEADER structure.
  - If a section contains only uninitialized data, this member is zero.
- Characteristics
  - The characteristics of the image.
An Example of Structure IMAGE_SECTION_HEADER (Danehkar)
[Figure: hex dump of an IMAGE_SECTION_HEADER]
Change Size-Related Fields
Step 1: Find the section header i which has the largest PointerToRawData value among all the section headers. In other words, its corresponding section is the last section in this file.
Step 2: Added to the size of the virus.
Step 3: According to the value of FileAlignment in structure IMAGE_OPTIONAL_HEADER, round VirtualSize. Then save the result to this field.
Set the Entry Point Value and the New File Size
Step 4: VirtualAddress old value of VirtualSize. Then save the result to AddressOfEntryPoint.
Step 5: Add (new SizeOfRawData old SizeOfRawData).
Set the New Access Right
Step 6: Make the section executable, code and writable, so we have to OR its Characteristics with 0x00000020 (code), 0x20000000 (executable) and 0x80000000 (writable).
Step 7: Append the virus to this file.
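The header rules on the preceding slides (ImageBase a multiple of 64K, FileAlignment a power of 2 between 512 and 64K, SectionAlignment not smaller than FileAlignment, SizeOfImage a multiple of SectionAlignment, raw sizes and pointers aligned) plus the footprint that Steps 1 to 7 leave behind (the entry point inside the last section of the file, and that section marked both writable and executable) give a defender a cheap header check. The Python below is an added example, not code from the slides or from Qozah or Rozinov; it builds minimal constructed PE32 images in memory and runs the checks over them.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FILE_HEADER_FMT = "<HHIIIHH"                          # IMAGE_FILE_HEADER (20 bytes)
OPT_HEADER32_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes
SECTION_FMT = "<8sIIIIIIHHI"                          # IMAGE_SECTION_HEADER (40 bytes)
OPT_HEADER32_SIZE = struct.calcsize(OPT_HEADER32_FMT) + 16 * 8  # plus the 16 data directories


def align(value: int, to: int) -> int:
    return (value + to - 1) // to * to


def build_pe(sections, entry_rva, image_base=0x00400000, sect_align=0x1000, file_align=0x200):
    """Constructed PE32 image (headers plus zero-filled section bodies).
    sections: list of (name, VirtualSize, SizeOfRawData, Characteristics)."""
    size_of_headers = align(0x40 + 4 + 20 + OPT_HEADER32_SIZE + 40 * len(sections), file_align)
    rva, raw, headers, body = sect_align, size_of_headers, b"", b""
    for name, vsize, rawsize, chars in sections:
        headers += struct.pack(SECTION_FMT, name, vsize, rva, rawsize, raw, 0, 0, 0, 0, chars)
        rva, raw, body = align(rva + vsize, sect_align), raw + rawsize, body + b"\0" * rawsize
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> "PE\0\0"
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, OPT_HEADER32_SIZE, 0x0102)
    opt = struct.pack(OPT_HEADER32_FMT, 0x10B, 14, 0, 0, 0, 0, entry_rva, sect_align, 0, image_base,
                      sect_align, file_align, 4, 0, 0, 0, 4, 0, 0, rva, size_of_headers, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * (16 * 8)
    image = bytes(dos) + b"PE\0\0" + file_hdr + opt + headers
    return image + b"\0" * (size_of_headers - len(image)) + body


def check_pe(data: bytes) -> list:
    """Return header inconsistencies and the appended-code footprint; an empty list means nothing found."""
    problems = []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["not a PE file"]
    fh = struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    nsections, opt_size = fh[1], fh[5]
    opt_off = e_lfanew + 4 + 20
    oh = struct.unpack_from(OPT_HEADER32_FMT, data, opt_off)
    if oh[0] != 0x10B:
        return ["not a PE32 image (this checker handles PE32 only)"]
    entry, image_base, sect_align, file_align, size_of_image = oh[6], oh[9], oh[10], oh[11], oh[19]
    if image_base % 0x10000:
        problems.append("ImageBase is not a multiple of 64K")
    if file_align & (file_align - 1) or not 512 <= file_align <= 0x10000:
        problems.append("FileAlignment is not a power of 2 between 512 and 64K")
    if sect_align < file_align:
        problems.append("SectionAlignment is smaller than FileAlignment")
    if size_of_image % sect_align:
        problems.append("SizeOfImage is not a multiple of SectionAlignment")
    sections = [struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + 40 * i) for i in range(nsections)]
    entry_idx = None
    for i, (name, vsize, va, rawsize, rawptr, _, _, _, _, chars) in enumerate(sections):
        label = name.rstrip(b"\0").decode("ascii", "replace")
        if rawsize % file_align or rawptr % file_align:
            problems.append(f"{label}: SizeOfRawData or PointerToRawData not FileAlignment-aligned")
        if rawptr + rawsize > len(data):
            problems.append(f"{label}: raw data runs past the end of the file")
        if va <= entry < va + (vsize or rawsize):
            entry_idx = i
    if entry_idx is None:
        problems.append("AddressOfEntryPoint lies outside every section")
    else:
        last_idx = max(range(nsections), key=lambda i: sections[i][4])  # largest PointerToRawData (Step 1)
        chars = sections[entry_idx][9]
        if entry_idx == last_idx and chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            problems.append("entry point is in the last section and that section is writable and executable")
    return problems


CLEAN = build_pe([(b".text", 0x800, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                  (b".data", 0x200, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)],
                 entry_rva=0x1100)
# Same layout with the footprint Steps 1 to 7 leave: the last section grew, is now code+execute+write,
# and the entry point points into it (constructed headers only; nothing is actually appended).
SUSPICIOUS = build_pe([(b".text", 0x800, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                       (b".data", 0x400, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                        | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)],
                      entry_rva=0x2200)
```

Packers and some linkers legitimately produce writable code sections with the entry point in the last section, so the footprint check is a triage signal to combine with the alignment rules and a known-good comparison.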
COM, EXE, and SYS Infection
The Most Common Executable File Formats under DOS
- The most common executable file formats used under DOS are COM, EXE, and SYS.
- COM and EXE files are used for standard DOS programs.
- SYS files are used for system device drivers.
- Although viruses have targeted each of these file formats, to date, reports of SYS file infections have been rare.
Entry Points of DOS Program Files
- A program file consists of
  - data, and
  - machine language instructions interpreted directly by the computer's CPU.
- DOS program files contain one or two entry points, which are the locations in the program of the first instruction for the CPU to execute.
- All COM and EXE files have a single entry point.
- SYS files have two entry points.
Entry Points of DOS Program Files (continued)
- The CPU's interpretation of a program's instructions must always start with the instruction at the entry point.
- This makes the entry point an area that viruses can modify and thereby gain control of the computer.
- After the virus completes its dirty work, it can then transfer control to the original program.
COM Files
- The COM executable file has the simplest DOS program file format.
- The COM file's simplicity makes it a major target for file-infecting viruses.
- The contents of the COM file are loaded directly into memory and executed without modification.
- The operating system transfers control to the first instruction in the memory image of the file. This first instruction is the COM file's single entry point.
- COM files have an upper size limit of approximately 64 KB.
How a COM File Is Loaded into RAM and Executed
[Figure]
EXE Files: Component Sections
- The EXE executable file format is somewhat more complex than the COM file format.
- The EXE file consists of two primary sections.
- The first section is a header that tells DOS how to load the program.
- The second section of the EXE file, known as the program load image, contains
  - the actual memory image of the program, and
  - its data.
EXE Files: the Header Section
- The header includes two fields that identify the location of the EXE file's single entry point in the program:
  - the Code Segment (CS), and
  - the Instruction Pointer (IP).
- The header also includes two size fields that specify the actual size of the executable program.
- When a virus infects an EXE file, it must increase the value in the size fields to equal the total of the executable program file size and the virus program size.
- For instance, when a virus that is 2 KB in size appends itself to a 10 KB file, it increases the value in these fields to 12 KB.
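In the MZ header the two size fields are e_cp (512-byte pages in the file) and e_cblp (bytes used in the last page), and the entry point is e_cs:e_ip relative to the load image that follows the header. The Python below is an added example, not from the slides; it constructs a 10 KB EXE in memory (the size the slide uses), recomputes the declared load-module size from the header, checks that CS:IP falls inside it, and reports bytes the header does not account for, which is what a 2 KB append looks like when the size fields were not updated.

```python
import struct

MZ_HEADER_FMT = "<2sHHHHHHHHHHHHH"   # e_magic .. e_ovno, the 28-byte fixed DOS EXE header
MZ_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
             "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")


def parse_mz(data: bytes) -> dict:
    """Decode the DOS EXE header and derive the sizes and entry point the loader will use."""
    hdr = dict(zip(MZ_FIELDS, struct.unpack_from(MZ_HEADER_FMT, data, 0)))
    if hdr["e_magic"] not in (b"MZ", b"ZM"):
        raise ValueError("not a DOS EXE file")
    # e_cp counts 512-byte pages including the header; e_cblp is the number of bytes
    # used in the last page, where 0 means the last page is full.
    hdr["declared_size"] = hdr["e_cp"] * 512 - ((512 - hdr["e_cblp"]) if hdr["e_cblp"] else 0)
    hdr["header_size"] = hdr["e_cparhdr"] * 16
    # CS:IP is relative to the load image, which starts right after the header.
    hdr["entry_file_offset"] = hdr["header_size"] + hdr["e_cs"] * 16 + hdr["e_ip"]
    return hdr


def check_exe(data: bytes) -> list:
    """Compare the header's own accounting with the file; an empty list means they agree."""
    hdr = parse_mz(data)
    problems = []
    if hdr["declared_size"] > len(data):
        problems.append(f"header declares {hdr['declared_size']} bytes but the file holds {len(data)}")
    elif hdr["declared_size"] < len(data):
        problems.append(f"{len(data) - hdr['declared_size']} bytes follow the declared load module")
    if not hdr["header_size"] <= hdr["entry_file_offset"] < hdr["declared_size"]:
        problems.append("CS:IP entry point lies outside the declared load module")
    return problems


def make_sample_exe(program_bytes: int = 10 * 1024, extra: bytes = b"") -> bytes:
    """Constructed EXE: a 32-byte header plus a zero-filled program, 10 KB in total as on the
    slide; `extra` is appended after the declared size without touching the size fields."""
    header_paragraphs = 2
    pages, remainder = divmod(program_bytes, 512)
    if remainder:
        pages += 1
    header = struct.pack(MZ_HEADER_FMT, b"MZ", remainder, pages, 0, header_paragraphs, 0, 0xFFFF,
                         0, 0x100, 0, 0x0010, 0, 0x1C, 0) + b"\0" * 4     # pad to 2 paragraphs
    body = b"\0" * (program_bytes - len(header))
    return header + body + extra
```

Programs with genuine overlay data also carry bytes past the declared size, so a mismatch is a lead for comparison against a known-good copy rather than a verdict on its own.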
How an EXE File Is Loaded into RAM and Executed
[Figure: EXE load image, including overlay data]
SYS Files
- The SYS executable file format differs from both the COM and EXE file formats in that SYS files have two entry points.
- SYS format files are used primarily for device drivers.
- Like COM files, all SYS files must be 64 KB or less in size.
- The SYS file is composed of three major sections.
- The first portion of the SYS file contains the device header. Like the header of an EXE file, the device header contains entry point information and other fields.
- The second and third sections of the SYS file contain the two device driver modules, which contain all the machine language code in the program.
How a SYS File Is Loaded into RAM
[Figure]
Program Files and Viruses
- Program files are often targeted by viruses for two primary reasons.
- Because each of the executable file types has a simple format, file viruses can piggyback themselves onto program files with relative ease.
- Executable file types also are common targets for infection because of the frequency of their use. If a virus can infect an executable file, its capability to infect other programs increases.
Macro Facilities
- Macro facilities enable a user to record a sequence of operations within the application.
- The user then uses a key combination to associate these operations.
- Later, pressing this key combination repeats the recorded steps.
- A given macro activated using a key combination, for example, might
  - open a file,
  - renumber the items within it,
  - then close the file.
Global Pool of Macros
- Macro systems have evolved greatly over the years.
- Most old programs that supported macros had a global pool of macros that were always available for use, regardless of what file the user happened to be editing.
- Individual document or spreadsheet files could NOT contain their own, local, macros.
New Properties of Modern Macro Systems (1)
- Modern macro systems differ from their predecessors in several key ways.
- First, users now can write entire complex programs in a macro language.
- These programs have access to
  - all the host application's features, and
  - many of the operating system's features.
- For example,
  - Microsoft products enable users to write macros in a language that resembles Visual Basic.
  - These macros can perform various tasks for the user, including popping up dialog boxes, altering files on the system, or inserting the date and time in a document.
  - They can also be used to write viruses!
New Properties of Modern Macro Systems (2)
- Second, the user can tote specific macros around in a document or spreadsheet data file.
- For example,
  - A user can create a macro for a specific spreadsheet and attach it directly to the spreadsheet file.
  - Any time the file is used on a new machine, the accompanying macro is available for use.
Security Concerns of Modern Macro Systems
- An inherent threat exists with modern macro systems: just as normal macros can be attached and carried along with a given document or data file, so can macro viruses!
Cross-platform Compatibility
- Modern macro languages, such as Word for Windows' WordBasic,
  - are interpreted by the host application, and
  - often are compatible across different operating systems.
Cross-platform Compatibility Example
- A Word for Windows 6.0 document that contains macros created on a PC, for instance, can be edited in Word for Macintosh.
- Because Word for Macintosh provides the same macro facilities as its DOS counterpart, the document's macros also function on the Macintosh platform.
Cross-platform Macro Viruses
- This cross-platform compatibility means that a macro virus can spread from computer to computer, as long as the destination computer supports a macro-capable, compatible version of the host application.
Microsoft Word (Shauna Kelly; Better Solutions; ucsb)
Template
- A template is a sample document that is used as the basis for a new document.
- Every Microsoft Word document is based on a template, whether you choose a template explicitly or not.
- A template determines
  - the basic structure for a document, and
  - contains document-specific settings such as
    - fonts
    - styles
    - page layout
    - macros, etc.
Relationship between a Word File and Its Template
- When you create a document, the file that is created initially is just a copy of its template.
- This means that subsequent changes to the template will not automatically be reflected in the document.
- Some changes made to the document, however, can be saved to the template.
Naming Rule of a Template File
- A Word template has the file extension .dot, and every document is based on a template.
- When you save a document as a Word template, the three-letter extension .dot is added to the end of the name instead of .doc.
Template Normal.dot
- The Normal.dot template is the basis for any new blank documents you create.
- Normal.dot is a special global template created and used by Word.
- Whenever you create a new document by clicking File > New, a copy of the file called Normal.dot is created and is presented as a new document.
- If you change something in Normal.dot, then all new documents will reflect those changes.
- If Word is unable to find your Normal.dot file or it is damaged, then a new one will be created using the default settings.
What Happens When a Document Is Born?
- When a document is created, it inherits three things from its parent template:
  - styles: in Word, a style is a collection of formatting instructions. You use styles to format the paragraphs in your document. So you would use the "Title" style for your title, the "Body Text" style for body text, the "Caption" style for the picture captions, and "Heading 1" for the major headings.
  - content (e.g. text, pictures, a fax header, a form to fill in, the outline of your monthly management report, any content in headers and footers)
  - page settings (e.g. margins, paper size, paper orientation, settings for headers and footers).
When a New Word Document Is Created
- The moment a document is created, it loses its connection with its parent with respect to styles, content and page settings.
Changing a Document Won't Change the Template It's Attached to
- You can change the margins in a document and the change won't affect the template.
- You can add, delete or modify styles in a document, and it won't affect the template.
Changing the Template Won't Change Documents Attached to the Template
- You can change the margin in a template, and it will affect documents you create from this template in the future. But it won't affect existing documents attached to that template.
- You can add, delete or modify styles in a template, and the change will affect documents you create from this template in the future. But it won't affect existing documents.
What Happens after a Document Is Born, While It Is Being Edited?
- Once a document has been created, the template to which it is attached takes on quite a different role.
- When a document is being edited, its template sits in the background and makes four things available to the document:
  - two kinds of functionality
    - macros
    - AutoTexts
  - two ways to access the functionality (that is, a keyboard way and a mouse way)
    - toolbars
    - keyboard shortcuts
Templates and Existing Word Documents
[Figure]
Change Template (Kelly)
- You can attach a new template to a Word document or change the template a Word document is associated with. But nothing happens after you execute the operations, because
  - A document inherited styles, content and page settings from its parent template when it was first created. You're not creating a new document, so the styles, content and page settings in the newly-attached template will not affect the document at all.
  - The newly-attached template will sit in the background, and make available the four things that templates make available to documents:
    - Macros
    - AutoTexts
    - Toolbars
    - Keyboard shortcuts
Global Template (ucsb)
- A global template is a template whose customizations will be available to all documents, no matter what template they're attached to.
- Word allows a user to make a template global. That means that its macros etc. will be available to all templates.
- Normal.dot is a global template.
Word Macro (1)
- A macro is just the name given to a series of keystrokes that can be recorded and then played back in order to automate a task.
- These keystrokes are then transferred into a series of commands which can then be rerun at any time.
Word Macro (2)
- Macros are simple computer programs where the code is often generated for you.
- These macros run completely within an application like Word and require no additional software.
- Macros
  - can be used to play back your actions, and
  - can prevent you from having to perform tedious or repetitive tasks.
Where to Store Your Macro? (Better Solutions Limited)
- There are two possible places where you can store your macros:
  - Normal.dot: storing your macros here will mean that they are available every time Word is open and are not reliant on any one particular document.
  - Document: this is the default location and is often the best place if you are relatively new to macros.
- A macro that has been saved into a specific document is only available when that particular document is open.
- The currently active document is also referred to as the current document or active document.
Macros (Shauna Kelly)
- You can copy macros to and from documents and templates using Tools > Templates and Add-ins > Organizer.
Properties of Microsoft Word Macros
- Microsoft Word's macro system actually offers a global pool macro area, as well as document-specific macros.
- Users can establish a set of global macros available for use regardless of the document being edited.
- They also can use the local macros that accompany a specific document during editing of that document.
- In the Microsoft scheme, macros can copy themselves to and from the global and local pools.
- The global pool provides the macros with the capability to migrate from one document to another.
- Upon execution, a macro can copy itself from a local pool to the global pool. Later, executing the same macro lets it copy itself from the global pool to a new document, a nice feature, as long as the user initiates the actions and knows of the results.
- Viruses can target the above facility.
How Macros Can Migrate from File to File
Microsoft Word uses a template to create, edit, or assemble a document. The default template is called NORMAL.DOT. This global template contains information that gets pulled into your current document, such as default settings, shortcut keys, toolbars, custom menu settings, AutoText entries, and macros.
Auto-execution Facility (1)
- The Word for Windows macro system also includes an auto-execution facility that makes it attractive to viruses.
- Word for Windows has an AutoExec macro that launches (if it is present in the global pool) when a user starts the word processor.
- This facility can serve to execute other macros and set up the user's work environment, or a virus can exploit it to ensure that the virus macro executes upon Word for Windows startup.
Auto-execution Facility (2)
- In addition to the AutoExec macro, Word for Windows contains numerous other macros that activate during a normal editing session without directly being activated by the user.
- Any time the user opens a new document file, for example, a macro known as AutoOpen executes from the document's local macro pool (if present).
- A virus could easily use this macro to copy itself to the global pool as soon as a user opens the document.
Key Factors for the Emergence of Macro Viruses (1)
- First of all, many popular applications, such as desktop publishing, word processing, and spreadsheet programs, include macro capabilities.
- Such widespread usage is attractive to a macro virus from the standpoint that chances for continued self-replication are high.
- Secondly, it is far easier to write macro language programs than assembly language programs. The art of virus writing is no longer limited to the technically astute.
Key Factors for the Emergence of Macro Viruses (2)
- Finally, executable program viruses rely upon a system's CPU to directly execute their instructions, whereas macro viruses don't. Because of this, macros are platform independent.
- For example, the same macro that runs in a Windows-based word processing program can also function in its Macintosh and Unix counterparts.
Macro Viruses
- Infect data files.
- Common viruses nowadays.
- Macro viruses infect Microsoft Office Word, Excel, PowerPoint and Access files.
- Examples
  - Melissa,
  - WM.NiceDay,
  - W97M.Groov.
The Evolution of Media Used by Viruses to Spread Themselves
- In the 1980s, floppy disks were the primary vector for spreading computer viruses because that is how most people shared data.
- In the late 80s and early 90s, Bulletin Board Systems (BBS) became the primary source for infections.
- After 1995, almost all new viruses were being spread via e-mail, or by sharing files over the web.
- Network administrators have been able to respond to this threat by installing antivirus software on their e-mail servers and restricting internet sites on their firewalls.
104 USB Flash Drives (source: labMice)
- USB flash drives are pocket-sized, ultra-portable storage devices (about the size of a highlighter pen) that hold up to several GBs of data that can be instantly accessed from any PC with a USB port.
105 Security Concerns about Flash Drives
- The use of USB flash drives can bypass the safeguards against e-mail viruses entirely.
- Users can either
  - bring in infected documents from home, or
  - take home a business document to an infected PC, update it, and return it to a corporate file server.
106 Bootable USB Flash Drive (source: TechRepublic, Shaher)
- It is actually possible to install a bootable copy of Windows XP onto a flash drive and then boot a PC off of the flash drive.
107 Methods to Avoid Detection
- Avoiding bait files and other undesirable hosts.
  - Anti-virus programs
  - Bait files (small programs or programs containing garbage instructions).
- Stealth
  - The virus intercepts the anti-virus program's request to read the infected file.
- Self-modification
  - Encryption with a variable key
  - Polymorphic code.
108 Virus Sources
- VX Heavens: source codes and virus database.
- The Virus Source Code Database: virus source code.
- 29A Labs: source codes and articles.
- Virus Database: list of all computer viruses.
110 Areas of a Disk [12]
- Under DOS, a disk is divided into the following four areas:
  - The boot record.
  - The file allocation table (FAT).
  - The root directory.
  - The data area.
- A hard drive has a fifth area:
  - The partition table.
111 Boot Record
- Boot Record
  - Location
    - sector 1, track 0, head 0.
  - Contents
    - the bootstrap routine (a machine language program designed to load the operating system from another part of the disk).
    - the BIOS Parameter Block (BPB), which identifies the floppy disk's operating parameters, including the number of bytes per sector, sectors per cluster and track, and tracks per disk.
    - The BPB allows an operating system to understand the format of a disk.
112 The Bootstrap Program
- In a PC, when the machine is turned on, a routine called the Power-On Self-Test (POST) verifies that all hardware components are working properly.
- After everything is confirmed to be working, POST loads the boot record from the disk and checks for two signature bytes inside it.
- If the boot record signature is present, execution control is transferred to the bootstrap program inside the boot record.
- Under DOS, the bootstrap program in turn loads the OS into RAM from the disk and eventually transfers control to COMMAND.COM, the command interpreter.
[Figure labels: On board; On disk]
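The signature check POST makes and the BPB fields listed on the Boot Record slide, as an added Python example (not code from the lecture). The boot record bytes are constructed sample data for a 1.44 MB diskette, the field offsets are the standard DOS BPB layout, and the function names are this example's own.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55  # stored little-endian, so the sector ends with bytes 55 AA

def has_boot_signature(sector: bytes) -> bool:
    """The check POST/BIOS makes before jumping into the bootstrap code:
    the Word at offset 1FEh must be AA55h."""
    return (len(sector) == SECTOR_SIZE
            and struct.unpack_from("<H", sector, 0x1FE)[0] == BOOT_SIGNATURE)

def parse_boot_record(sector: bytes) -> dict:
    """Decode the DOS BIOS Parameter Block (offsets 0Bh..1Bh) of a boot record."""
    if not has_boot_signature(sector):
        raise ValueError("no AA55h signature: the BIOS would not boot this sector")
    (bytes_per_sector, sectors_per_cluster, reserved_sectors, fat_count,
     root_entries, total_sectors, media_descriptor, sectors_per_fat,
     sectors_per_track, heads) = struct.unpack_from("<HBHBHHBHHH", sector, 0x0B)
    # Tracks per side are not stored directly; derive them from the geometry.
    tracks_per_side = total_sectors // (sectors_per_track * heads)
    return {
        "jump_to_bootstrap": sector[0] in (0xEB, 0xE9),  # JMP SHORT / JMP NEAR over the BPB
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved_sectors,
        "fat_count": fat_count,
        "root_entries": root_entries,
        "total_sectors": total_sectors,
        "media_descriptor": media_descriptor,
        "sectors_per_fat": sectors_per_fat,
        "sectors_per_track": sectors_per_track,
        "heads": heads,
        "tracks_per_side": tracks_per_side,
    }

def build_sample_boot_record() -> bytes:
    """Constructed 1.44 MB FAT12 boot record (sample data, not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"      # JMP SHORT past the BPB, then NOP
    sector[3:11] = b"MSDOS5.0"         # OEM name
    struct.pack_into("<HBHBHHBHHH", sector, 0x0B,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    struct.pack_into("<H", sector, 0x1FE, BOOT_SIGNATURE)
    return bytes(sector)
```

Reading sector 1, track 0, head 0 of a real diskette image and passing it to `parse_boot_record` gives the same dictionary; a sector without the signature is rejected the way POST would reject it.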
113 Boot Sequence from Uninfected Floppy Diskette
114 Hard Disk Partition and Master Boot Record
- A single physical hard drive can be divided into several different partitions.
- The user can specify one of the partitions as the active partition (the one from which the user wants to boot).
- The Master Boot Record (MBR) is a structure stored on the first track, sector and head of the hard drive.
- The MBR contains a partition table, which denotes the allocation of all sectors to their respective partitions.
- Programs require the partition table on the hard disk to understand the disk's characteristics.
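The partition table and the active-partition choice the MBR bootstrap makes, as an added Python example (not from the lecture). The MBR bytes are constructed sample data; the layout is the standard DOS MBR (446-byte bootstrap, four 16-byte entries at 1BEh, AA55h at 1FEh), and `bootstrap_hash` is a defender's check for a rewritten bootstrap, not something the slides describe.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE      # four 16-byte entries follow the 446-byte bootstrap code
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
ACTIVE = 0x80

def decode_chs(raw: bytes) -> tuple:
    """Unpack the packed 3-byte CHS field into (cylinder, head, sector)."""
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]   # 10-bit cylinder: high 2 bits + low byte
    return cylinder, raw[0], raw[1] & 0x3F        # head, then 6-bit sector number

def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty partition entries of an MBR."""
    if len(mbr) != SECTOR_SIZE or struct.unpack_from("<H", mbr, 0x1FE)[0] != 0xAA55:
        raise ValueError("not a valid MBR: AA55h signature missing")
    entries = []
    for index in range(4):
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + index * 16)
        if ptype != 0:                            # type 00h marks an unused slot
            entries.append({"index": index, "active": status == ACTIVE, "type": ptype,
                            "chs_start": decode_chs(chs_start), "chs_end": decode_chs(chs_end),
                            "lba_start": lba_start, "sectors": count})
    return entries

def active_partition(mbr: bytes) -> dict:
    """What the MBR bootstrap does: pick the single entry flagged 80h; its first
    sector (lba_start) holds the boot record that receives control next."""
    active = [e for e in parse_partition_table(mbr) if e["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]

def bootstrap_hash(mbr: bytes) -> str:
    """SHA-256 of the 446-byte bootstrap code only. Compare with a copy saved when the
    disk was set up: a changed hash with an unchanged partition table is a warning sign."""
    return hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest()

def build_sample_mbr() -> bytes:
    """Constructed MBR: one active FAT16 (06h) partition, one extended (05h) partition."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET, ACTIVE, bytes([1, 1, 0]), 0x06,
                     bytes([15, 63, 79]), 63, 20480)
    struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + 16, 0x00, bytes([0, 1, 80]), 0x05,
                     bytes([15, 63, 159]), 20543, 40960)
    struct.pack_into("<H", mbr, 0x1FE, 0xAA55)
    return bytes(mbr)
```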
115 Boot Sequence from Uninfected Hard Drive -- (1)
[Figure: boot-sequence flowchart]
116 Boot Sequence from Uninfected Hard Drive -- (2)
117 8086/8088 INTERRUPTS, BIOS, and DOS
118 Interrupt (source: Gerhard Roehrl)
- The 8086/88 microprocessors allow normal program execution to be interrupted by external events or by special instructions embedded in the program code.
- When the microprocessor is interrupted, it stops executing the current program and calls a procedure which services the interrupt.
- At the end of the interrupt service routine, code execution returns to the original, interrupted program.
119 Interrupt Sources
- An interrupt can be generated by one of three sources:
  - Internal interrupts
  - Hardware interrupts
  - Software interrupts
120 Internal Interrupts
- An interrupt can be generated as a result of a processor state violation, called an exception.
- An example would be the divide-by-zero interrupt produced when the div instruction is executed with a zero divisor.
- Program execution is automatically interrupted and control is transferred to an interrupt handler.
- Conditional interrupts such as this are referred to as internal interrupts.
121 Hardware Interrupt
- An interrupt can also be generated by an external device requesting service. This happens when a device signals its request on either the non-maskable interrupt (NMI) or the INTR interrupt input line of the processor.
- The NMI interrupt is generally used to signal the occurrence of a catastrophic event, such as the imminent loss of power.
- The INTR interrupt is used by all other devices.
- An interrupt caused by a signal applied to either the NMI or INTR input pin of the CPU is referred to as a hardware interrupt.
122 Software Interrupt
- Interrupts may be generated as a result of executing the int instruction.
- This is referred to as a software interrupt.
123 Functions of Software Interrupts (Only Apply to Real Mode)
- Software interrupts produced by the INT assembler instruction have many uses. For example:
  - Testing various interrupt service routines
    - You could use an INT 2 instruction to start the execution of the NMI interrupt service procedure. This would allow you to test the NMI procedure without needing to apply an external signal to the processor's NMI input line.
  - Calling commonly used procedures from many different programs
    - The Basic Input/Output System (BIOS) procedures of an IBM computer or compatible are a good example of this use of the INT instruction.
124 BIOS Procedures
- One part of the BIOS is actually a collection of procedures which provide the fundamental I/O services needed for the operation of the computer.
- Each procedure performs a specific function such as
  - reading a character from the keyboard
  - writing characters to the screen
  - reading information from disk.
125 Using BIOS Procedures
- System I/O procedures are called with the INT instruction.
- There are 12 BIOS procedures in all, falling into 5 groups.
- For example, with INT 10h you can access the video display services.
- This interrupt includes 20 subroutines.
- Obviously, one of the INT 10h parameters is a data value indicating which one of the twenty subroutines is required.
  - The AH register is loaded with the number of the subroutine.
  - The AL, BX, CX, and DX registers are used to provide the parameters for these subroutines.
126 The 12 BIOS Service Routines Supported by the IBM PC (and Compatibles)
- Dec  Hex  Use
- Peripheral Devices Services
  - 16   10   Video-display services
  - 19   13   Diskette services
  - 20   14   Communications services
  - 21   15   Cassette-tape services
  - 22   16   Standard keyboard services
  - 23   17   Printer services
- Equipment Status Services
  - 17   11   Equipment-list service
  - 18   12   Memory-size service
- Time/Date Service
  - 26   1A   Time and date services
- Print-Screen Service
  - 5    5    Print-screen service
- Special Services
  - 24   18   Activate ROM-BASIC language
  - 25   19   Activate bootstrap start-up routine
127 Files Constituting DOS
- When you turn on your PC there are several jobs to do. One is to load the operating system from the system disk.
- If you use MS-DOS (Microsoft Disk Operating System), three system files are loaded:
  - IBMBIO.COM
  - COMMAND.COM
  - IBMDOS.COM
128 Comparing DOS and BIOS Services
- The file IBMDOS.COM contains the DOS service routines.
- The DOS services, like the BIOS services, can be called by programs through a set of interrupts whose vectors are placed in the interrupt vector table.
- The ROM-BIOS routines can be thought of as the lowest-level system software available, performing the most fundamental and primitive input and output operations.
- The DOS service routines provide more sophisticated and efficient control over the I/O operations than the BIOS routines do, particularly for disk file operations.
129 Using DOS Interrupts (a.k.a. DOS Calls)
- There are nine DOS interrupt services.
- Five of them, interrupts 20h, 25h, 26h, 27h, and 2Fh, are "true" DOS interrupt services, each one having a specifically defined task associated with it.
- Three interrupts, 22h, 23h, and 24h, are used to hold segmented addresses.
- INT 21h provides under one "umbrella" a set of universal functions we can use in our programs.
- All of the DOS function calls are invoked by INT 21h.
- Individual functions are selected in the same way as BIOS functions, by placing the function number in the AH register.
130 The Nine DOS Interrupts
- Dec  Hex  Description
- 32   20   Program terminate (come to normal ending)
- 33   21   Function-call umbrella interrupt
- 34   22   Terminate address
- 35   23   Break address
- 36   24   Critical error-handler address
- 37   25   Absolute disk read
- 38   26   Absolute disk write
- 39   27   Terminate-but-stay-resident
- 47   2F   Print spool control (DOS-3 versions only)
131 Interrupt Vectoring
- Two 16-bit data words are used to specify the location of an interrupt service routine.
- One word is used to load the CS register and points to the base address of the code segment containing the service routine.
- The second word is used to load the IP with the offset value for the desired routine within the specified code segment.
- The base and offset words for all interrupt types are grouped together in an interrupt vector table.
132 BIOS (1) (source: wikipedia)
- BIOS, in computing, stands for Basic Input/Output System or Basic Integrated Operating System.
- BIOS refers to the firmware code run by an IBM compatible PC when first powered on.
- The primary function of the BIOS is to prepare the machine so other software programs stored on various media (such as hard drives, floppies, and CDs) can
  - load to the PC,
  - execute on the PC, and
  - assume control of the PC.
- This process is known as booting up.
- Boot is short for bootstrapping.
133 BIOS (2)
- BIOS can also be said to be a coded program embedded on a chip that recognizes and controls various devices that make up the PC.
134 BIOS Firmware Chips
- A computer system can contain several BIOS firmware chips.
- The motherboard BIOS typically contains code to access fundamental hardware components such as
  - the keyboard
  - floppy drives
  - ATA (IDE) hard disk controllers
  - USB human interface devices
  - storage devices.
- Plug-in adapter cards such as SCSI, RAID, network interface cards, and video boards often include their own BIOS, complementing or replacing the system BIOS code for the given component.
135 BIOS Procedures in ROM Chips (1)
- ROM chips accompany most hardware add-ons, such as hard drives, video boards, and so forth.
- These chips contain machine language programs (routines) that handle most of the common requests that operating systems and applications make.
136 BIOS Procedures in ROM Chips (2)
- ROM-based software adheres to a well-known, published standard.
- If a program wants to write data to the hard drive, for example, it can call upon the routines on the hard drive ROM chips to perform the operation.
- Although the circuitry in each brand of hard drive might differ, this well-defined software interface allows programs to efficiently request services from hard drives and other peripherals without having to understand their internals.
137 BIOS Procedures in ROM Chips (3)
- ROM-based software routines are referred to as BIOS procedures.
- If a program needs to request a service from a peripheral, such as reading data from the hard drive, it can call upon the BIOS procedure in the ROM chip to
  - communicate with the specific device, and
  - service the request.
- (Similar to a device driver in Unix.)
138 An Example Physical Memory Layout of a PC
[Figure: memory map with the 640K and 1M boundaries marked]
139 DOS Calls
- The DOS operating system also offers system services to its applications.
- DOS installs its own system service provider software in memory to service common requests, such as
  - opening a file, or
  - writing data to a file.
- The above DOS software works on top of the various BIOS procedures and simplifies certain basic operations.
140 DOS Call Example
- Assume an application requests a system service, such as opening a file.
- The application makes this request with a simple DOS call.
- DOS may make one or more low-level requests to the ROM service provider.
- Finally, the ROM service provider may interact with the hardware to service some requests.
- Because the typical program doesn't care about how data actually is stored on the hard drive, as long as it can access it, DOS abstracts this for the program and offers a simple way to open files.
- (Similar to a system call in Unix.)
141 System Layering
142 An Example of System Layering (source: Raymond Wisman)
- C program: cout << "Hello world"
- Machine: call DOS video function 9 to output the code string "Hello world"
- DOS: call the BIOS video function by int 10h
- BIOS: "Hello world" placed in hardware video memory
- Video hardware: "Hello world" displayed from video memory
143 Invoking a BIOS Procedure or DOS Call
- Both BIOS procedures and DOS calls are invoked through the int instruction, e.g.
  - int 20h
  - int 10h
144 The Rise and Fall of the BIOS
- Older operating systems such as DOS relied on the BIOS to carry out most input-output tasks within the PC.
- A variety of technical reasons eventually made it inefficient, especially for more recent operating systems written for the Intel 80386 such as Linux and Microsoft Windows, to invoke the BIOS directly.
- Such operating systems instead used their own better-performing native drivers and were also much easier to extend to support new hardware. As such, the BIOS was mostly relegated to bootstrapping, to the point where the operating system's own drivers could take control of the hardware.
145 Hook TSRs into DOS System Services
- Memory-resident programs, called TSRs, can hook into the system service provider software (DOS calls) already resident in the computer's memory and augment the services offered by the original system service provider software.
- The hooking program can
  - service all requests on its own, or
  - pass on some or all requests to the original service provider.
- It also can opt to modify information before passing it to a subservient service provider (one installed before the current service provider).
146 How Resident File Viruses Hook into the Operating System
- Most programs that hook into DOS or ROM services do so for legitimate reasons. Unfortunately, memory-resident viruses also can hook into these system services to damage data or spread to floppy disks and files.
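The two-word vectors from the Interrupt Vectoring slide, decoded from a vector table and compared against a clean-boot snapshot so that a hooked service (by a TSR, a driver, or a resident virus) shows up as a moved vector, as an added Python example that is not from the lecture. Both table snapshots are constructed sample data, and the region boundaries follow the 640K/1M memory map shown earlier.

```python
import struct

IVT_ENTRIES = 256   # one 4-byte vector per interrupt type, table at linear address 0

def ivt_entry(ivt: bytes, intno: int) -> tuple:
    """Read vector `intno`: the offset word (loaded into IP) comes first,
    then the segment word (loaded into CS). Returns (segment, offset)."""
    offset, segment = struct.unpack_from("<HH", ivt, intno * 4)
    return segment, offset

def linear(segment: int, offset: int) -> int:
    """8086 real-mode address formation: segment * 16 + offset."""
    return (segment << 4) + offset

def region(addr: int) -> str:
    """Classify a 20-bit address using the PC memory map: 640K of conventional RAM,
    then the upper area up to 1M holding adapter ROMs and the system ROM-BIOS."""
    if addr < 0xA0000:
        return "conventional RAM"
    if addr < 0xF0000:
        return "upper memory / adapter ROM"
    return "system ROM-BIOS"

def compare_ivt(baseline: bytes, current: bytes) -> list:
    """Report every vector that no longer matches the clean-boot baseline.
    A BIOS service vector that has moved out of ROM into RAM has been hooked
    by something resident (legitimately by a driver or TSR, or otherwise)."""
    changes = []
    for n in range(IVT_ENTRIES):
        before, after = ivt_entry(baseline, n), ivt_entry(current, n)
        if before != after:
            changes.append({"int": n, "was": before, "now": after,
                            "was_in": region(linear(*before)), "now_in": region(linear(*after))})
    return changes

def build_ivt(vectors: dict) -> bytes:
    """Build a 1 KB table from {intno: (segment, offset)}; unused vectors stay 0000:0000."""
    ivt = bytearray(IVT_ENTRIES * 4)
    for n, (segment, offset) in vectors.items():
        struct.pack_into("<HH", ivt, n * 4, offset, segment)
    return bytes(ivt)

# Constructed snapshots (sample values, not read from a real machine).
CLEAN_BOOT = build_ivt({0x10: (0xF000, 0xF065), 0x13: (0xF000, 0xEC59),
                        0x16: (0xF000, 0xE987), 0x21: (0x0116, 0x109E)})
# Same machine later: INT 13h (diskette) and INT 21h (DOS) now point elsewhere in RAM.
LATER = build_ivt({0x10: (0xF000, 0xF065), 0x13: (0x9F80, 0x0010),
                   0x16: (0xF000, 0xE987), 0x21: (0x1A2B, 0x0003)})
```

On a real DOS machine the baseline would be the first 1 KB of memory captured right after a clean boot, and `compare_ivt` run against a later capture; a vector for a diskette or disk service that now lands in conventional RAM is the one to examine first.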
147 Examples
- Form.
- Disk Killer.
- Michelangelo.
- Stoned.
148 Master Boot Record Viruses
149 Master Boot Record Viruses
- The MBR contains a bootstrap program which, according to the MBR's partition table, determines which partition is the active partition, and then loads and transfers control to the acti