The Attack and Defense of Computers - PowerPoint PPT Presentation

Slides: 154
Provided by: yanl

Transcript and Presenter's Notes

1
  • The Attack and Defense of Computers
  • Dr. ? ? ?

2
  • Virus [Internet Security Professional Reference]

3
  • Virus Tutorial
  • Computer Virus Resources
  • Introduction of Famous Malware
  • Virus descriptions of viruses in the wild

4
Virus
  • A sequence of code that is inserted into other
    programs.
  • A virus can create a copy of itself to be inserted
    into one or more other programs.
  • Viruses cannot run on their own; they need a
    host program.
  • e.g. Melissa virus, ILOVEYOU virus.

5
Virus
  • Boot sector viruses
  • Master boot record viruses
  • File infector viruses
  • Multi-partite viruses
  • Macro viruses (infect data files)

6
  • Floppy Disks and Hard Disks

7
Disk Structures
  • Units used in Floppy Disks and Hard Disks:
    • Sector
    • Cluster
      • Disk space allocation unit
      • Each cluster contains one or more sectors.
    • Track
    • Head
    • Cylinder (for HDs)
  • E.g. A 3 ½ inch high-density disk:
    • 40 tracks/side
    • 18 sectors/track
    • 512 bytes/sector

8
Floppy Disk Structure
9
Disk Sectors
(figure labels: Magnetic Disk, Sector)
10
Hard Disk Structure
11
Areas of a Disk
  • Under DOS, a disk is divided into the following
    four areas:
    • The boot record.
    • The file allocation table (FAT).
    • The root directory.
    • The data area.
  • A hard drive has a fifth area:
    • The partition table.

12
Boot Record
  • Boot Record
    • Location: sector 1, track 0, head 0.
    • Contents:
      • the bootstrap routine (a machine language program
        designed to load the operating system from another
        part of the disk.)
      • the BIOS Parameter Block (BPB), which identifies
        the floppy disk's operating parameters, including
        the number of bytes per sector, sectors per
        cluster and track, and tracks per disk.
  • The BPB allows an operating system to understand
    the format of a disk.

13
The Bootstrap Program
  • In a PC, when a machine is turned on, a routine
    called The Power-On Self Test (POST) verifies
    all hardware components are working properly.
  • After everything is confirmed working well, POST
    loads up the boot record from the disk and checks
    for two signature bytes inside it.
  • If the boot record signature is present, the
    execution control is transferred to the bootstrap
    program inside the boot record.
  • Under DOS, the bootstrap program in turn loads
    the OS into the RAM from the disk and eventually
    transfers control to COMMAND.COM, the command
    interpreter.
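Slides 11 to 13 describe where the boot record sits, what the BPB holds and the two signature bytes POST checks before handing control to the bootstrap program. The Python below is an added example, not part of the presentation: it constructs a 1.44 MB floppy boot record (sample data, not taken from the slides), checks the 55AAh signature the way POST does, decodes the BPB, and derives the four DOS areas plus a few plausibility checks from it.

```python
import struct

# BIOS Parameter Block as laid out at offset 11 of a DOS boot record
BPB = struct.Struct("<HBHBHHBHHHII")
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "num_fats", "root_entries", "total_sectors_16", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads", "hidden_sectors",
              "total_sectors_32")
BOOT_SIGNATURE = b"\x55\xaa"   # the two signature bytes POST checks at offset 510


def build_sample_boot_sector(signature=BOOT_SIGNATURE):
    """Constructed 1.44 MB floppy boot record: jump, OEM name, BPB, padding, signature."""
    bpb = BPB.pack(512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    sector = b"\xEB\x3C\x90" + b"MSDOS5.0" + bpb
    return sector + b"\x00" * (510 - len(sector)) + signature


def parse_boot_record(sector):
    """Validate the boot signature and return the BPB fields as a dict."""
    if len(sector) != 512:
        raise ValueError("a boot record is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 55AAh missing: POST would not run this sector")
    bpb = dict(zip(BPB_FIELDS, BPB.unpack_from(sector, 11)))
    bpb["oem_name"] = sector[3:11].decode("ascii", "replace").rstrip()
    # DOS 3.x+: the 16-bit count is 0 when the 32-bit count is in use
    bpb["total_sectors"] = bpb["total_sectors_16"] or bpb["total_sectors_32"]
    return bpb


def disk_areas(bpb):
    """Starting sector of each of the four DOS areas, derived from the BPB."""
    fat = bpb["reserved_sectors"]                       # the boot record is reserved sector 0
    root = fat + bpb["num_fats"] * bpb["sectors_per_fat"]
    root_dir_bytes = bpb["root_entries"] * 32           # 32-byte directory entries
    root_sectors = -(-root_dir_bytes // bpb["bytes_per_sector"])   # ceiling division
    return {"boot_record": 0, "fat": fat, "root_directory": root,
            "data_area": root + root_sectors}


def geometry(bpb):
    """Cluster size and capacity implied by the BPB."""
    return {"bytes_per_cluster": bpb["bytes_per_sector"] * bpb["sectors_per_cluster"],
            "capacity_bytes": bpb["total_sectors"] * bpb["bytes_per_sector"]}


def bpb_sanity_issues(bpb):
    """Plausibility checks an OS or forensic tool applies before trusting a BPB."""
    issues = []
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        issues.append("bytes_per_sector is not a valid sector size")
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        issues.append("sectors_per_cluster must be a power of two")
    if bpb["reserved_sectors"] == 0:
        issues.append("reserved_sectors is 0, so the boot record itself is not reserved")
    if bpb["num_fats"] == 0 or bpb["sectors_per_fat"] == 0:
        issues.append("no file allocation table")
    if bpb["sectors_per_track"] == 0 or bpb["heads"] == 0:
        issues.append("geometry fields are zero")
    if bpb["total_sectors"] == 0:
        issues.append("total sector count is 0")
    elif bpb["bytes_per_sector"] and disk_areas(bpb)["data_area"] >= bpb["total_sectors"]:
        issues.append("system areas leave no room for a data area")
    return issues
```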

(figure labels: On board, On disk)
14
Boot Sequence from Uninfected Floppy Diskette
15
Hard Disk Partition and Master Boot Record
  • A single physical hard drive can be divided into
    several different partitions.
  • The user can specify one of the partitions as the
    active partition (the one from which the user
    wants to boot.)
  • The Master Boot Record (MBR) is a structure
    stored on the first track, sector and head of the
    hard drive.
  • The MBR contains a partition table, which denotes
    the allocation of all sectors and their
    respective partitions.
  • Programs require the partition table on the hard
    disk to understand the disk's characteristics.

16
Boot Sequence from Uninfected Hard Drive -- (1)
17
Boot Sequence from Uninfected Hard Drive -- (2)
18
  • 8086/8088 INTERRUPTS, BIOS, and DOS

19
Interrupt [Gerhard Roehrl]
  • The 8086/88 microprocessors allow normal program
    execution to be interrupted by external events or
    by special instructions embedded in the program
    code.
  • When the microprocessor is interrupted, it stops
    executing the current program and calls a
    procedure which services the interrupt.
  • At the end of the interrupt service routine, the
    code execution sequence is returned to the
    original, interrupted program.

20
Interrupt Sources
  • An interrupt can be generated by one of three
    sources:
    • Internal interrupts
    • Hardware interrupts
    • Software interrupts

21
Internal Interrupts
  • An interrupt can be generated as a result of a
    processor state violation, called an exception.
  • An example would be a divide-by-zero interrupt
    produced when the div instruction is interpreted
    to have a zero divisor.
  • Program execution is automatically interrupted
    and control transferred to an interrupt handler.
  • Conditional interrupts such as this are referred
    to as internal interrupts.

22
Hardware Interrupt
  • An interrupt can also be generated by an external
    device requesting service. This happens when a
    device signals its request on either the
    non-maskable interrupt (NMI) or on the INTR
    interrupt input lines of the processor.
  • The NMI interrupt is generally used to signal the
    occurrence of a catastrophic event, such as the
    imminent loss of power.
  • The INTR interrupt is used by all other devices.
  • An interrupt caused by a signal applied to either
    the NMI or INTR input pin of a CPU is referred to
    as a hardware interrupt.

23
Software Interrupt
  • Interrupts may be generated as a result of
    executing the int instruction.
  • The above is referred to as a software interrupt.

24
Functions of Software Interrupts (Only Apply to
Real Mode)
  • Software interrupts produced by the INT assembler
    instruction have many uses. For example:
    • test various interrupt service routines
      • You could use an INT 2 instruction to start the
        execution of an NMI interrupt service procedure.
        This would allow you to test the NMI procedure
        without needing to apply an external signal to
        the processor's NMI input line.
    • call commonly used procedures from many different
      programs
      • The Basic Input/Output System (BIOS) procedures
        of an IBM computer or compatible are a good
        example of this use of the INT instruction.

25
BIOS Procedures
  • One part of the BIOS is actually a collection of
    procedures which provides the fundamental I/O
    services that are needed for the operation of the
    computer.
  • Each procedure performs a specific function such
    as:
    • reading a character from the keyboard
    • writing characters to the screen
    • reading information from disk.

26
Using BIOS Procedures
  • BIOS procedures (system I/O procedures) are
    called with the INT instruction.
  • There are 12 BIOS procedures in all, falling into
    5 groups.
  • For example with INT 10h you can access the video
    display services.
  • This interrupt includes 20 subroutines.
  • Obviously, one of the INT 10h parameters is a
    data value indicating which one of the twenty
    subroutines is required:
    • the AH register is loaded with the number of the
      subroutine.
    • the AL, BX, CX, and DX registers are used to
      provide the parameters for these subroutines.

27
The 12 BIOS Service Routines Supported by the IBM
PC (and Compatibles)
  Dec  Hex  Use
  Peripheral Devices Services
   16  10   Video-display services
   19  13   Diskette services
   20  14   Communications services
   21  15   Cassette-tape services
   22  16   Standard keyboard services
   23  17   Printer services
  Equipment Status Services
   17  11   Equipment-list service
   18  12   Memory-size service
  Time/Date Service
   26  1A   Time and date services
  Print-Screen Service
    5   5   Print-screen service
  Special Services
   24  18   Activate ROM-BASIC language
   25  19   Activate bootstrap start-up routine

28
Files Constituting DOS
  • When you turn on your PC there are several jobs
    to do. One is to load the operating system from
    the system disk.
  • If you use MS-DOS (MicroSoft - Disk Operating
    System), three system files are loaded:
    • IBMBIO.COM
    • COMMAND.COM
    • IBMDOS.COM

29
Comparing DOS and BIOS Services
  • The file IBMDOS.COM contains DOS service
    routines.
  • The DOS services, like the BIOS services, can be
    called by programs through a set of interrupts
    whose vectors are placed in the interrupt vector
    table.
  • The ROM-BIOS routines can be thought of as the
    lowest-level system software available,
    performing the most fundamental and primitive
    input and output operations.
  • The DOS service routines provide more
    sophisticated and efficient control over the I/O
    operations than the BIOS routines do,
    particularly for disk file operations.

30
Using DOS Interrupts (a.k.a. DOS Calls)
  • There are nine DOS interrupt services.
  • Five of them, interrupts 20h, 25h, 26h, 27h, and
    2Fh, are "true" DOS interrupt services, each one
    having a specifically-defined task associated
    with it.
  • Three of them, 22h, 23h, and 24h, are used to
    hold segmented addresses.
  • INT 21h provides under one "umbrella" a set of
    universal functions we can use in our programs.
  • All of the DOS function calls are invoked by INT
    21h.
  • Individual functions are selected in the same way
    as BIOS functions, by placing the function number
    in the AH register.

31
The Nine DOS Interrupts
  Dec  Hex  Description
   32  20   Program terminate (come to normal ending)
   33  21   Function-call umbrella interrupt
   34  22   Terminate address
   35  23   Break address
   36  24   Critical error-handler address
   37  25   Absolute disk read
   38  26   Absolute disk write
   39  27   Terminate-but-stay-resident
   47  2F   Print spool control (DOS-3 versions only)

32
Interrupt Vectoring
  • Two 16-bit data words are used to specify the
    location of an interrupt service routine.
  • One word is used to load the CS register and
    points to the base address of the code segment
    containing the service routine.
  • The second word is used to load the IP with the
    offset value for the desired routine within the
    specified code segment.
  • The base and offset words for all interrupt types
    are grouped together in an interrupt vector
    table.

33
BIOS [Wikipedia]
  • BIOS, in computing, stands for Basic Input/Output
    System or Basic Integrated Operating System.
  • BIOS refers to the firmware code run by an IBM
    compatible PC when first powered on.
  • The primary function of the BIOS is to prepare
    the machine so other software programs stored on
    various media (such as hard drives, floppies, and
    CDs) can load, execute, and assume control of the
    PC.
  • This process is known as booting up.
  • Boot is short for bootstrapping.
  • BIOS can also be said to be a coded program
    embedded on a chip that recognizes and controls
    various devices that make up the PC.

34
BIOS Firmware Chips
  • A computer system can contain several BIOS
    firmware chips.
  • The motherboard BIOS typically contains code to
    access fundamental hardware components such as:
    • the keyboard
    • floppy drives
    • ATA (IDE) hard disk controllers
    • USB human interface devices
    • storage devices.
  • Plug-in adapter cards such as SCSI, RAID, Network
    interface cards, and video boards often include
    their own BIOS, complementing or replacing the
    system BIOS code for the given component.

35
BIOS Procedures in ROM Chips
  • ROM chips accompany most hardware add-ons, such
    as hard drives, video boards, and so forth.
  • These chips contain machine language programs
    (routines) that handle most of the common
    requests that operating systems and applications
    make.
  • ROM-based software adheres to a well-known,
    published standard.
  • If a program wants to write data to the hard
    drive, for example, it can call upon the routines
    on the hard drive ROM chips to perform the
    operation.
  • Although the circuitry in each brand of hard
    drive might differ, this well-defined software
    interface allows programs to efficiently request
    services from hard drives and other peripherals
    without having to understand their internals.
  • ROM-based software is referred to as BIOS
    procedures.
  • If a program needs to request a service from a
    peripheral, such as reading data from the hard
    drive, it can call upon the BIOS procedure in the
    ROM chip to communicate with the specific device
    and service the request.

(Presenter's note: similar to a device driver in Unix)
36
An Example Physical Memory Layout of a PC
(figure labels: 640K, 1M)
37
DOS Calls
  • The DOS operating system also offers system
    services to its applications.
  • DOS installs its own system service provider
    software in memory to service common requests,
    such as opening a file or writing data to a file.
  • The above DOS software works on top of the
    various BIOS Procedures and simplifies certain
    basic operations.

38
DOS Call Example
  • Assume an application requests a system service,
    such as opening a file.
  • The application makes this request with a simple
    DOS call.
  • DOS may make one or more low-level requests to
    the ROM service provider.
  • Finally, the ROM service provider may interact
    with the hardware to service some requests.
  • Because the typical program doesn't care about
    how data actually is stored on the hard drive, as
    long as it can access it, DOS abstracts this for
    the program and offers a simple way to open files.

(Presenter's note: similar to a system call in Unix)
39
System Layering
40
An Example of System Layering [Raymond Wisman]
  • C program:       cout << "Hello world"
  • Machine code:    Call DOS video function 9 to output
                     string "Hello world"
  • DOS:             Call BIOS video function by int 10h
  • BIOS:            "Hello world" placed in hardware video
                     memory
  • Video hardware:  "Hello world" displayed from video
                     memory

41
Invoking a BIOS Procedure or DOS Call
  • Both BIOS procedures and DOS calls are invoked
    through the int instruction, e.g.:
    • int 20h
    • int 10h

42
The Rise and Fall of the BIOS
  • Older operating systems such as DOS relied on the
    BIOS to carry out most input-output tasks within
    the PC.
  • A variety of technical reasons eventually made it
    inefficient, especially for more recent operating
    systems written for the Intel 80386 such as Linux
    and Microsoft Windows, to invoke the BIOS
    directly.
  • Such operating systems instead used their own
    better-performing native drivers and were also
    much easier to extend to support new hardware.
  • As such, the BIOS was mostly relegated to
    bootstrapping to the point where the operating
    system's own drivers could take control of the
    hardware.

43
Hook TSRs into DOS System Services
  • Memory-resident programs, called TSRs, can hook
    into the system service provider software (DOS
    calls) already resident in the computer's memory
    and augment the services offered by the original
    system service provider software.
  • The hooking program can service all requests on
    its own or pass on some or all requests to the
    original service provider. It also can opt to
    modify information before passing it to a
    subservient service provider (one installed
    before the current service provider).

44
How Resident File Viruses Hook into the Operating
System
  • Most programs that hook into DOS or ROM services
    do so for legitimate reasons. Unfortunately,
    memory-resident viruses also can hook into these
    system services to damage data or spread to
    floppy disks and files.
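Slide 32 gives the layout of the interrupt vector table (a CS:IP word pair per vector) and slides 43 and 44 describe resident programs hooking the services behind those vectors. The Python below is an added example, not from the presentation: it decodes vectors from a 1024-byte IVT image, diffs two constructed snapshots (the classic anti-virus check of comparing the table against a clean-boot baseline), and flags vectors that moved from ROM into RAM. The C000h ROM floor and all sample addresses are assumptions of this example.

```python
import struct

IVT_ENTRY = struct.Struct("<HH")   # each vector: offset word (IP) first, then segment word (CS)
IVT_SIZE = 256 * IVT_ENTRY.size    # 256 vectors * 4 bytes = 1024 bytes at linear address 0


def decode_vector(ivt, number):
    """Return (segment, offset, linear_address) for interrupt `number`."""
    if not 0 <= number < 256:
        raise ValueError("interrupt number must be 0..255")
    offset, segment = IVT_ENTRY.unpack_from(ivt, number * IVT_ENTRY.size)
    return segment, offset, (segment << 4) + offset   # real-mode address = CS*16 + IP


def build_ivt(vectors):
    """Constructed IVT image from {number: (segment, offset)}; unlisted vectors are 0000:0000."""
    table = bytearray(IVT_SIZE)
    for number, (segment, offset) in vectors.items():
        IVT_ENTRY.pack_into(table, number * IVT_ENTRY.size, offset, segment)
    return bytes(table)


def changed_vectors(baseline, current):
    """Vectors whose CS:IP differs between two IVT snapshots: [(number, before, after)]."""
    changes = []
    for n in range(256):
        before = decode_vector(baseline, n)[:2]
        after = decode_vector(current, n)[:2]
        if before != after:
            changes.append((n, before, after))
    return changes


def rom_vectors_redirected_to_ram(baseline, current, rom_floor=0xC000):
    """Changed vectors that used to point into ROM (segment >= rom_floor, where adapter
    and system BIOS ROMs live in a classic PC memory map) and now point below it, into
    RAM. That is the footprint of a resident program hooking a BIOS service."""
    return [n for n, (seg_before, _), (seg_after, _) in changed_vectors(baseline, current)
            if seg_before >= rom_floor and seg_after < rom_floor]


# Constructed snapshots: INT 10h/13h in system ROM, INT 21h in the DOS kernel;
# afterwards a resident program at segment 9F80h has taken over INT 13h and INT 21h.
BASELINE = build_ivt({0x10: (0xF000, 0xF065), 0x13: (0xF000, 0xEC59), 0x21: (0x0116, 0x109E)})
AFTER_TSR = build_ivt({0x10: (0xF000, 0xF065), 0x13: (0x9F80, 0x0103), 0x21: (0x9F80, 0x0210)})

if __name__ == "__main__":
    for n, before, after in changed_vectors(BASELINE, AFTER_TSR):
        print("INT %02Xh: %04X:%04X -> %04X:%04X" % (n, *before, *after))
    print("ROM services now routed through RAM:",
          ["%02Xh" % n for n in rom_vectors_redirected_to_ram(BASELINE, AFTER_TSR)])
```

INT 21h changing is expected whenever DOS itself is reloaded, so only the ROM-to-RAM list is a strong signal on its own; the full diff is the record to keep.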

45
  • WIN32 PE Infection [Qozah, Rozinov]

46
The Most Common Executable File Formats under
Windows
  • The portable executable file format (PE) is the
    format of the binary programs (exe, dll, sys,
    scr) for:
    • MS Windows NT
    • Windows 95
    • Win32s

47
Components of a PE File
48
Struct IMAGE_FILE_HEADER
  typedef struct _IMAGE_FILE_HEADER {
      WORD  Machine;
      WORD  NumberOfSections;
      DWORD TimeDateStamp;
      DWORD PointerToSymbolTable;
      DWORD NumberOfSymbols;
      WORD  SizeOfOptionalHeader;
      WORD  Characteristics;
  } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

49
An Example of Structure IMAGE_FILE_HEADER
[Danehkar]
(figure label: 24 bytes = 18h)
50
Struct IMAGE_OPTIONAL_HEADER
  typedef struct _IMAGE_OPTIONAL_HEADER {
      WORD  Magic;
      BYTE  MajorLinkerVersion;
      BYTE  MinorLinkerVersion;
      DWORD SizeOfCode;
      DWORD SizeOfInitializedData;
      DWORD SizeOfUninitializedData;
      DWORD AddressOfEntryPoint;
      DWORD BaseOfCode;
      DWORD BaseOfData;
      DWORD ImageBase;
      DWORD SectionAlignment;
      DWORD FileAlignment;
      WORD  MajorOperatingSystemVersion;
      WORD  MinorOperatingSystemVersion;
      WORD  MajorImageVersion;
      WORD  MinorImageVersion;
      WORD  MajorSubsystemVersion;
      WORD  MinorSubsystemVersion;
      DWORD Win32VersionValue;
      DWORD SizeOfImage;
      DWORD SizeOfHeaders;
      DWORD CheckSum;
      WORD  Subsystem;
      WORD  DllCharacteristics;
      DWORD SizeOfStackReserve;
      DWORD SizeOfStackCommit;
      DWORD SizeOfHeapReserve;
      DWORD SizeOfHeapCommit;
      DWORD LoaderFlags;
      DWORD NumberOfRvaAndSizes;
      IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
  } IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;

51
Some Fields of Struct IMAGE_OPTIONAL_HEADER (1)
  • ImageBase
  • The preferred address of the first byte of the
    image when it is loaded in memory.
  • This value is a multiple of 64K bytes.
  • The default value for DLLs is 0x10000000.
  • The default value for applications is 0x00400000,
    except on Windows CE where it is 0x00010000.
  • AddressOfEntryPoint
  • A pointer to the entry point function, relative
    to the image base address.
  • For executable files, this is the starting
    address.
  • For device drivers, this is the address of the
    initialization function.
  • The entry point function is optional for DLLs.
    When no entry point is present, this member is
    zero.

52
Some Fields of Struct IMAGE_OPTIONAL_HEADER (2)
  • SectionAlignment
  • The alignment of sections loaded in memory, in
    bytes.
  • This value must be greater than or equal to the
    FileAlignment member.
  • The default value is the page size for the
    system.
  • FileAlignment
  • The alignment of the raw data of sections in the
    image file, in bytes.
  • The value should be a power of 2 between 512 and
    64K (inclusive).
  • The default is 512.
  • If the SectionAlignment member is less than the
    system page size, this member must be the same as
    SectionAlignment.
  • SizeOfImage
  • The size of the image, in bytes, including all
    headers. Must be a multiple of SectionAlignment.

53
An Example of Structure IMAGE_OPTIONAL_HEADER
[Danehkar]
(figure label: 16 bytes = 10h)
54
struct IMAGE_SECTION_HEADER
  typedef struct _IMAGE_SECTION_HEADER {
      BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
      union {
          DWORD PhysicalAddress;
          DWORD VirtualSize;
      } Misc;
      DWORD VirtualAddress;
      DWORD SizeOfRawData;
      DWORD PointerToRawData;
      DWORD PointerToRelocations;
      DWORD PointerToLinenumbers;
      WORD  NumberOfRelocations;
      WORD  NumberOfLinenumbers;
      DWORD Characteristics;
  } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

55
Some Fields of struct IMAGE_SECTION_HEADER (1)
  • VirtualSize
  • The total size of the section when loaded into
    memory, in bytes.
  • If this value is greater than the SizeOfRawData
    member, the section is filled with zeroes.
  • This field is valid only for executable images
    and should be set to 0 for object files.
  • VirtualAddress
  • The address of the first byte of the section when
    loaded into memory, relative to the image base.
  • For object files, this is the address of the
    first byte before relocation is applied.
  • SizeOfRawData
  • The size of the initialized data on disk, in
    bytes.
  • This value must be a multiple of the
    FileAlignment member of the IMAGE_OPTIONAL_HEADER
    structure.
  • If this value is less than the VirtualSize
    member, the remainder of the section is filled
    with zeroes.
  • If the section contains only uninitialized data,
    the member is zero.

56
Some Fields of struct IMAGE_SECTION_HEADER (2)
  • PointerToRawData
  • A file pointer to the first page within the COFF
    file.
  • This value must be a multiple of the
    FileAlignment member of the IMAGE_OPTIONAL_HEADER
    structure.
  • If a section contains only uninitialized data,
    this member is zero.
  • Characteristics
  • The characteristics of the image.

57
An Example of Structure IMAGE_SECTION_HEADER
[Danehkar]
58
  • Inject Virus

59
Change Size-Related Fields
Step 1: Find the section header i which has the
largest PointerToRawData value among all the
section headers. In other words, its
corresponding section is the last section in this
file.
Step 2: Add the size of the virus to VirtualSize.
Step 3: According to the value of FileAlignment
in structure IMAGE_OPTIONAL_HEADER, round
VirtualSize. Then save the result to this field.
(figure label: 40 bytes = 28h)
60
Set the Entry Point Value and the New File Size
Step 4: VirtualAddress + old value of
VirtualSize. Then save the result to
AddressOfEntryPoint.
(figure labels: 16 bytes = 10h; 40 bytes = 28h)
Step 5: Add (new SizeOfRawData - old
SizeOfRawData).
61
Set the New Access Right
(figure label: 40 bytes = 28h)
Step 6: Make it executable, code and writable, so
we have to OR it with 0x00000020 (code),
0x20000000 (executable) and 0x80000000
(writable).
Step 7: Append the virus to this file.
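Steps 1 to 7 above spell out which header fields the append method rewrites, which is also the list of what a scanner can check. The Python below is an added example, not code from the presentation or its cited sources: it reads the IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER and section-table fields named on the slides from a PE32 image and reports the traces each step leaves (entry point inside the last section, a writable-and-executable last section, raw sizes not aligned to FileAlignment, SizeOfImage out of step with the highest section). The two images it runs on are constructed in memory with zero-filled sections; they are sample data, not real binaries.

```python
import struct

# Section Characteristics bits used on the slides (plus the two read/data bits)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes (28h)


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_sample_pe(sections, entry_point, file_align=0x200, sect_align=0x1000):
    """Construct a minimal PE32 image in memory (sample data, not a real binary).
    sections: (name, VirtualSize, SizeOfRawData, Characteristics); raw data is zero-filled."""
    headers = align_up(0x40 + 4 + 20 + 224 + SECTION_HDR.size * len(sections), file_align)
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header follows the DOS header
    va, raw_ptr, table = sect_align, headers, b""
    for name, vsize, rsize, chars in sections:
        table += SECTION_HDR.pack(name, vsize, va, rsize, raw_ptr, 0, 0, 0, 0, chars)
        va += align_up(vsize, sect_align)
        raw_ptr += rsize
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_point)       # AddressOfEntryPoint (offset 16 = 10h)
    struct.pack_into("<I", opt, 28, 0x00400000)        # ImageBase, default for applications
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<II", opt, 56, va, headers)      # SizeOfImage, SizeOfHeaders
    image = dos + b"PE\0\0" + file_hdr + opt + table
    return bytes(image) + b"\0" * (raw_ptr - len(image))


def parse_headers(data):
    """Extract the fields the slides discuss from the file, optional and section headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]      # SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(num_sections):
        f = SECTION_HDR.unpack_from(data, opt + opt_size + SECTION_HDR.size * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"), "vsize": f[1],
                         "va": f[2], "rsize": f[3], "raw_ptr": f[4], "chars": f[9]})
    return {"entry": entry, "sect_align": sect_align, "file_align": file_align,
            "size_of_image": size_of_image, "sections": sections}


def infection_indicators(data):
    """Header traces left by appending code to the last section; [] means none fired."""
    h = parse_headers(data)
    secs, found = h["sections"], []
    last = max(secs, key=lambda s: s["raw_ptr"])       # Step 1: largest PointerToRawData

    def contains(s, rva):
        return s["va"] <= rva < s["va"] + align_up(max(s["vsize"], s["rsize"]), h["sect_align"])

    entry_sec = next((s for s in secs if contains(s, h["entry"])), None)
    if entry_sec is None:
        found.append("AddressOfEntryPoint lies outside every section")
    elif entry_sec is last and len(secs) > 1:          # Step 4 moves the entry point there
        found.append("AddressOfEntryPoint lies in the last section %r" % last["name"])
    if last["chars"] & IMAGE_SCN_MEM_WRITE and last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        found.append("last section %r is writable and executable" % last["name"])   # Step 6
    for s in secs:
        if s["rsize"] % h["file_align"]:                # Step 3 rounds to FileAlignment
            found.append("section %r SizeOfRawData is not a multiple of FileAlignment" % s["name"])
        if s["raw_ptr"] + s["rsize"] > len(data):       # Step 7 appends the data itself
            found.append("section %r raw data runs past the end of the file" % s["name"])
    top = max(secs, key=lambda s: s["va"])
    if h["size_of_image"] != align_up(top["va"] + top["vsize"], h["sect_align"]):
        found.append("SizeOfImage does not cover the highest section")    # Step 5
    return found


# Constructed samples: a clean two-section image, and the same image after the seven
# steps (last section grown and flagged W+X, entry = VirtualAddress + old VirtualSize)
TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN = build_sample_pe([(b".text", 0x400, 0x400, TEXT), (b".data", 0x200, 0x200, DATA)],
                        entry_point=0x1010)
APPENDED = build_sample_pe([(b".text", 0x400, 0x400, TEXT),
                            (b".data", 0x500, 0x600, DATA | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)],
                           entry_point=0x2200)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("appended", APPENDED)):
        print(label, infection_indicators(image) or ["no indicators"])
```

Packers and some linkers legitimately produce one or two of these traces, so treat the list as a triage score rather than a verdict.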
62
  • COM, EXE, and SYS Infection

63
The Most Common Executable File Formats under DOS
  • The most common executable file formats used
    under DOS are COM, EXE, and SYS.
  • COM and EXE files are used for standard DOS
    programs, and SYS files are used for system
    device drivers.
  • Although viruses have targeted each of these file
    formats, to date, reports of SYS file infections
    have been rare.

64
Entry Points of DOS Program Files
  • A program file consists of data and machine
    language instructions interpreted directly by the
    computer's CPU.
  • DOS program files contain one or two entry
    points, which are the locations in the program of
    the first instruction for the CPU to execute.
  • You might compare a program to a notepad that
    contains a list of tasks. The entry point, then,
    would be the first task on the list.
  • All COM and EXE files have a single entry point,
    while SYS files have two entry points.
  • The CPU's interpretation of a program's
    instructions must always start with the
    instruction at the entry point. This makes the
    entry point an area that viruses can modify and
    thereby gain control of the computer. After the
    virus completes its dirty work, it can then
    transfer control to the original program.

65
COM Files
  • The COM executable file has the simplest DOS
    program file format. The COM file's simplicity
    makes it a major target for file infecting
    viruses.
  • The contents of the COM file are loaded directly
    into memory and executed without modification.
    The operating system transfers control to the
    first instruction in the memory image of the
    file. This first instruction is the COM file's
    single entry point.
  • COM files have an upper size limit of
    approximately 64 KB.

66
How a COM File Is Loaded into RAM and Executed
67
EXE Files: Component Sections
  • The EXE executable file format is somewhat more
    complex than the COM file format.
  • The EXE file consists of two primary sections.
  • The first section is a header that tells DOS how
    to load the program.
  • The second section of the EXE file, known as the
    program load image, contains the actual memory
    image of the program and its data.

68
EXE Files: the Header Section
  • The header includes two fields that identify the
    location of the EXE file's single entry point in
    the program:
    • the Code Segment (CS) and
    • the Instruction Pointer (IP).
  • The header also includes two size fields that
    specify the actual size of the executable
    program.
  • When a virus infects an EXE file, it must
    increase the value in the size fields to equal
    the total of the executable program file size and
    the virus program size.
  • For instance, when a virus that is 2 KB in size
    appends itself to a 10 KB file, it increases the
    value in these fields to 12 KB.

69
How an EXE File Is Loaded into RAM and Executed
(figure label: overlay data)
70
SYS Files
  • The SYS executable file format differs from both
    the COM and EXE file formats in that SYS files
    have two entry points.
  • SYS format files are used primarily for device
    drivers.
  • Like COM files, all SYS files must be 64 KB or
    less in size.
  • The SYS file is composed of three major sections.
  • The first portion of the SYS file contains the
    device header. Like the header of an EXE file,
    the device header contains entry point
    information and other fields.
  • The second and third sections of the SYS file
    contain the two device driver modules, which
    contain all the machine language code in the
    program.

71
How a SYS File Is Loaded into RAM
72
Program Files and Viruses
  • Program files are often targeted by viruses for
    two primary reasons.
  • Because each of the executable file types has a
    simple format, file viruses can piggyback
    themselves to program files with relative ease.
  • Executable file types also are common targets for
    infection because of the frequency of their use.
    If a virus can infect an executable file, its
    capability to infect other programs increases.

73
  • Macro Facilities

74
Macro Facilities
  • Macro facilities enable a user to record a
    sequence of operations within the application.
  • The user then uses a key combination to associate
    these operations.
  • Later, pressing this key combination repeats the
    recorded steps.
  • A given macro activated using a key combination,
    for example, might open a file, renumber the
    items within it, then close the file.

75
Global Pool of Macros
  • Macro systems have evolved greatly over the
    years.
  • Most old programs that supported macros had a
    global pool of macros that always were
    available for use, regardless of what file the
    user happened to be editing.
  • Individual document or spreadsheet files could
    not contain their own, local, macros.

76
New Properties of Modern Macro System
  • Modern macro systems differ from their
    predecessors in several key ways.
  • First, users now can write entire complex
    programs in a macro language.
  • These programs have access to all the host
    application's features, as well as many of the
    operating system's features.
  • Microsoft products, for example, enable users to
    write macros in a language that resembles Visual
    Basic.
  • These macros can perform various tasks for the
    user, including popping up dialog boxes, altering
    files on the system, or inserting the date and
    time in a document. They can also be used to
    write viruses!
  • Second, the user can tote specific macros around
    in a document or spreadsheet data file. A user
    can create a macro for a specific spreadsheet,
    for example, and attach it directly to the
    spreadsheet file. Any time the file is used on a
    new machine, the accompanying macro is available
    for use.

77
Security Concerns of Modern Macro System
  • An inherent threat exists with modern macro
    systems: just as normal macros can be attached and
    carried along with a given document or data file,
    so can macro viruses!

78
Cross-platform Compatibility
  • Modern macro languages, such as Word for Windows
    WordBasic, are interpreted by the host
    application and often are compatible across
    different operating systems.
  • A Word for Windows 6.0 document that contains
    macros created on a PC, for instance, can be
    edited in Word for Macintosh. Because Word for
    Macintosh provides the same macro facilities as
    its DOS counterpart, the document's macros also
    function on the Macintosh platform.
  • This cross-platform compatibility means that a
    macro virus can spread from computer to computer,
    as long as the destination computer supports a
    macro-capable, compatible version of the host
    application.

79
  • Microsoft Word [Shauna Kelly, Better
    Solutions, ucsb]

80
Template
  • A template is a sample document that is used for
    the basis for a new document.
  • Every Microsoft Word document is based on a
    template, whether you choose a template
    explicitly or not.
  • A template determines the basic structure for a
    document and contains document-specific settings
    such as:
    • fonts
    • styles
    • page layout
    • macros etc.
  • When you create a document, the file that is
    created initially is just a copy of its template.
  • This means that subsequent changes to the
    template will not automatically be reflected in
    the document.
  • Some changes made to the document, however, can
    be saved to the template.

81
Naming Rule of a Template File
  • A Word template has the file extension (.dot) and
    every document is based on a template.
  • When you save a document as a Word template the
    three-letter extension of .dot is added to the
    end of the name instead of .doc.

82
Template Normal.dot
  • The Normal.dot template is the basis for any new
    blank documents you create.
  • Normal.dot is a special global template created
    and used by Word and should be in the User
    Templates folder.
  • Whenever you create a new document by clicking
    (File > New) a copy of the file called
    Normal.dot is created and is presented as a new
    document.
  • If you change something in the Normal.dot then
    all new documents will reflect those changes.
  • If Word is unable to find your Normal.dot file or
    it is damaged then a new one will be created
    using the default settings.

83
What Happens When a Document Is Born?
  • When a document is created, it inherits three
    things from its parent template:
    • styles
      • In Word, a style is a collection of formatting
        instructions.
      • You use styles to format the paragraphs in your
        document, so you would use
        • the "Title" style for your title
        • "Body Text" style for body text
        • "Caption" style for the picture captions
        • "Heading 1" for the major headings
    • content
      • e.g. text, pictures, a fax header, a form to fill
        in, and any content in headers and footers.
    • page settings
      • e.g. margins, paper size, paper orientation,
        settings for headers and footers.

84
When a New Word Document Is Created
  • The moment a document is created, it loses its
    connection with its parent with respect to
    styles, content and page settings.

85
Changing a Document Won't Change the Template
It's Attached to
  • You can change the margins in a document and the
    change won't affect the template.
  • You can add, delete or modify styles in a
    document, and it won't affect the template.

86
Changing the Template Won't Change Documents
Attached to the Template
  • You can change the margin in a template, and it
    will affect documents you create from this
    template in the future. But it won't affect
    existing documents attached to that template.
  • You can add, delete or modify styles in a
    template, and the change will affect documents
    you create from this template in the future. But
    it won't affect existing documents.

87
What Happens after a Document Is Born, While It
Is Being Edited?
  • Once a document has been created, the template to
    which it is attached takes on quite a different
    role.
  • When a document is being edited, its template
    sits in the background and makes four things
    available to a document
    • two kinds of functionality:
      • macros
      • AutoTexts
    • two ways to access the functionality:
      • toolbars
      • keyboard shortcuts (that is, a keyboard way and
        a mouse way).

88
Templates and Existing Word Documents
89
Change Template [Kelly]
  • You can attach a new template to a Word document
    or change the template a Word document is
    associated with. But nothing happens after you
    execute the operations, because:
  • A document inherited styles, content and page
    settings from its parent template when it was
    first created. You're not creating a new
    document, so the styles, content and page
    settings in the newly-attached template will not
    affect the document at all.
  • The newly-attached template will sit in the
    background, and make available the four things
    that templates make available to documents:
  • Macros
  • AutoTexts
  • Toolbars
  • keyboard shortcuts

90
Global Template [ucsb]
  • A global template is a template whose
    customizations will be available to all
    documents, no matter what template they're
    attached to.
  • Word allows a user to make a template global.
    That means that its macros etc. will be available
    to all templates.
  • Normal.dot is a global template.

91
Word Macro
  • A macro is just the name given to a series of
    keystrokes that can be recorded and then played
    back in order to automate a task.
  • These keystrokes are then transferred into a
    series of commands which can then be rerun at any
    time.
  • Macros are simple computer programs where the
    code is often generated for you.
  • These macros run completely within an application
    like Word and require no additional software.
  • Macros can be used to play back your actions and
    can prevent you from having to perform tedious or
    repetitive tasks.

92
Where to Store Your Macro? [Better Solutions
Limited]
  • There are two possible locations where you can
    store your macros:
  • Normal.dot - Storing your macros here will mean
    that they are available every time Word is open
    and are not reliant on any one particular
    document.
  • Document - This is the default location and is
    often the best place if you are relatively new to
    macros.
  • A macro that has been saved into a specific
    document is only available when that particular
    document is open. The currently active document
    is also referred to as the current document or
    active document.

93
Macros [Shauna Kelly]
  • You can copy macros to and from documents and
    templates using Tools > Templates and Add-ins >
    Organizer.

94
Properties of Microsoft Word Macro
  • Microsoft Word's macro system actually offers a
    global pool macro area, as well as
    document-specific macros.
  • Users can establish a set of global macros
    available for use regardless of the document
    being edited.
  • They also can use the local macros that accompany
    a specific document during editing of that
    document.
  • In the Microsoft scheme, macros can copy
    themselves to and from the global and local
    pools.
  • The global pool provides the macros with the
    capability to migrate from one document to
    another.
  • Upon execution, a macro can copy itself from a
    local pool to the global pool. Later, executing
    the same macro lets it copy itself from the
    global pool to a new document, a nice feature, as
    long as the user initiates the actions and knows
    of the results.
  • Viruses can target this facility.

95
How Macros Can Migrate from File to File
Microsoft Word uses a template to create, edit,
or assemble a document. The default template is
called NORMAL.DOT.
96
Auto-execution Facility
  • The Word for Windows macro system also includes
    an auto-execution facility that makes it
    attractive to viruses.
  • Word for Windows has an AutoExec macro that
    launches (if it is present in the global pool)
    when a user starts the Word processor.
  • This facility can serve to execute other macros
    and set up the user's work environment, or a virus
    can exploit it to ensure that the virus macro
    executes upon Word for Windows startup.
  • In addition to the AutoExec macro, Word for
    Windows contains numerous other macros that
    activate during a normal editing session without
    directly being activated by the user.
  • Any time the user opens a new document file, for
    example, a macro known as AutoOpen executes from
    the document's local macro pool (if present). A
    virus could easily use this macro to copy itself
    to the global pool as soon as a user opens the
    document.
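The two entry points just described (AutoExec firing from the global pool at startup, AutoOpen firing from a document's local pool on open), together with the pool-to-pool copying from the previous slide, are exactly what a defender triaging macro code looks for. The following is an added example, not code from the slides or from any of the cited sources. The macro sources are constructed, and the indicator lists (the Auto* macro names, the Document_Open family of VBA event handlers, and the MacroCopy, OrganizerCopy and VBProject calls) are this example's assumption about which mechanisms to flag, not an exhaustive catalogue.

```python
"""Triage of Word macro modules for auto-execution entry points and
global-pool migration.  Added example; not code from the slides.  The macro
sources below are constructed, and the indicator lists are assumptions."""
import re

# Macro names Word runs without an explicit user action: AutoExec from the
# global pool at startup, AutoOpen from a document's local pool on open.
AUTO_MACROS = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit"}
# VBA document event handlers that fill the same role in Word 97 and later.
AUTO_EVENTS = {"document_open", "document_close", "document_new"}

# Calls that move macro code between a document and the global template.
MIGRATION_PATTERNS = [
    r"\bMacroCopy\b",                         # WordBasic copy between templates
    r"\bOrganizerCopy\b",                     # Word VBA Organizer copy
    r"\bNormalTemplate\b.*\bVBProject\b",     # reaching into Normal.dot's project
    r"\bVBComponents\b.*\b(?:Add|Import)\b",  # injecting a module at run time
]
SUB_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+(\w+)", re.M | re.I)


def triage_macros(modules):
    """modules maps module name -> source text.  Returns (module, reason) pairs."""
    findings = []
    for name, src in modules.items():
        if name.lower() in AUTO_MACROS:
            findings.append((name, "auto-execution macro name"))
        for m in SUB_RE.finditer(src):
            proc = m.group(1).lower()
            if proc in AUTO_MACROS or proc in AUTO_EVENTS:
                findings.append((name, f"auto-execution procedure {m.group(1)}"))
        for pat in MIGRATION_PATTERNS:
            if re.search(pat, src, re.I):
                findings.append((name, f"global-pool migration: {pat}"))
    return findings


def risk_level(findings):
    """'high' when code both runs unattended and copies itself between pools."""
    reasons = [r for _, r in findings]
    auto = any(r.startswith("auto-execution") for r in reasons)
    migrate = any(r.startswith("global-pool") for r in reasons)
    if auto and migrate:
        return "high"
    return "medium" if findings else "none"


# Constructed sample modules, not taken from any real document.
SAMPLE_MODULES = {
    "AutoOpen": 'Sub MAIN\n    MacroCopy "Doc:AutoOpen", "Global:AutoOpen"\nEnd Sub\n',
    "ThisDocument": 'Private Sub Document_Open()\n    MsgBox "opened"\nEnd Sub\n',
    "FormatHelpers": 'Sub ApplyTitle()\n    Selection.Style = "Title"\nEnd Sub\n',
}

if __name__ == "__main__":
    found = triage_macros(SAMPLE_MODULES)
    for module, reason in found:
        print(f"{module}: {reason}")
    print("risk:", risk_level(found))
```

The combination matters more than either indicator alone: an auto-executing macro that only formats text is normal Word automation, and an Organizer copy run by hand is how the previous slide says macros are legitimately moved; the pairing of unattended execution with self-copying is the pattern the slides attribute to macro viruses.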

97
Key Factors for the Emergence of Macro Viruses
  • First of all, many popular applications, such as
    desktop publishing, word processing, and
    spreadsheet programs, include macro capabilities.
    Such widespread usage is attractive to a macro
    virus from the standpoint that chances for
    continued self-replication are high.
  • Secondly, it is far easier to write macro
    language programs than assembly language
    programs. The art of virus writing is no longer
    limited to the technically astute.
  • Finally, executable program viruses rely upon a
    system's CPU to directly execute their
    instructions, whereas macro viruses don't.
    Because of this, macros are platform independent.
  • The same macro that runs in a Windows-based word
    processing program, for example, can also
    function in its Macintosh and Unix counterparts.

98
Macro Viruses
  • Infect data files.
  • Most common viruses nowadays.
  • Macro viruses infect Microsoft Office Word,
    Excel, PowerPoint and Access files.
  • Examples
  • Melissa,
  • WM.NiceDay,
  • W97M.Groov.

99
  • Boot Sector Viruses

100
Boot Sector Viruses
  • If a disk has a boot record virus, the virus
    activates when the PC attempts to boot from the
    floppy disk or hard disk.
  • Even if the PC can't start up from an infected
    disk (such as when the floppy disk does not
    contain the proper DOS system files), it attempts
    to run the bootstrap routine, which is all a
    virus needs to activate.
  • Like a terminate-and-stay-resident program, most
    boot record viruses install themselves in the
    host computer's memory and hook into the various
    system services provided by the computer's BIOS
    and operating system.
  • They remain active in RAM while a workstation
    remains on. As long as they stay in memory, they
    can continue to spread by infecting the floppy
    disks that a computer accesses.

101
  • Floppy Boot Record Viruses

102
Floppy Boot Record Viruses
  • Most floppy boot record viruses can infect:
  • the hard drive MBR
  • the active partition boot record
  • the floppy disk boot record
  • The floppy disk serves as a carrier for the
    virus, allowing it to spread from one hard drive
    to another.
  • After the virus places itself on the hard drive,
    it can then infect other floppy disks that
    inevitably make their way to other machines.

103
When and How Floppy Boot Record Viruses Get
Control?
  • Floppy boot record (FBR) viruses seize control of
    the computer during system reset.
  • During the bootup sequence, the BIOS on most PCs
    determines whether a floppy disk is present in
    the floppy drive from which the computer is
    configured to boot.
  • If the BIOS finds a disk in the drive, it assumes
    that the user wants to boot from this disk. After
    it locates the disk, the BIOS loads the floppy
    boot record into the computer's memory and
    executes its bootstrap program.

104
The Boot Sequence from an Infected Floppy Diskette
[Flowchart] Virus activities:
  • Virus reserves memory.
  • Virus copies itself to this memory.
  • Virus alters the IVT to become the proxy service
    provider.
  • Virus attempts to infect the hard drive MBR or
    PBR.
  • Virus loads the original (non-viral) boot record
    and executes the bootstrap routine.
Bootstrap routine checks for DOS system files:
  • No SYS files: display message, stop.
  • SYS files present: bootstrap routine loads the
    DOS system files and executes them; a prompt
    appears.
105
BIOS Data Area
  • All PCs contain a reserved region of memory known
    as the BIOS Data Area (BDA).
  • During the initial stages of the computer's
    bootup sequence (before control transfers to the
    bootstrap routine) the BIOS bootup program
    updates the BDA with information about the
    configuration and the initial state of the
    computer.
  • DOS relies on the information stored in the BDA
    of memory to properly use the peripherals and
    memory attached to the computer.
  • Almost all FBR viruses exploit DOS's dependence
    on the BDA and update its contents to install
    themselves into memory.

106
Viruses Reserve Memory Stage 1
107
Viruses Reserve Memory Stage 2
108
Virus Copies Itself to Reserved Memory
  • After the virus reserves memory for itself by
    updating the BDA, it moves itself into the newly
    reserved memory and attempts to hook into the
    direct disk system services.

109
Interrupt Vector Table
  • The PC contains a memory structure, known as the
    Interrupt Vector Table (IVT), which is like a
    phone book that contains addresses for each of
    the services that the computer might need as it
    operates.
  • The IVT contains the addresses of ROM BIOS
    service programs in the computer's memory. When
    the operating system needs to request a service,
    it can look up the address of the corresponding
    service provider in the IVT phone book and
    determine where to send its request.

110
IVT Entry Example
  • The computer's ROM BIOS contains disk service
    routines that DOS calls upon to directly read
    from and write to floppy disks and hard drives.
  • One of the IVT phone book entries contains the
    address of the ROM BIOS disk service routines.

111
Hook into the IVT Entry for Disk Service Provider
  • The FBR virus hooks into the system services by
    changing the contents of this entry and informing
    the computer and any subsequent operating system
    that it now is a proxy for the ROM BIOS disk
    service provider.
  • All requests to read and write to disks on the
    computer then are sent to the virus rather than
    to the original ROM BIOS disk services.
  • Later, when the operating system makes a system
    service request, the IVT is consulted and the
    virus has the request sent to it. The virus can
    then examine the request and, if it desires,
    infect the floppy disk being accessed.
  • After the virus performs its mischief, it can
    then redirect the request to the original ROM
    BIOS driver so that it can be properly serviced.
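The two installation steps the slides describe, lowering the memory count in the BIOS Data Area and then repointing the IVT entry for the disk service, leave a footprint that can be read straight out of low memory. The following is an added example, not code from the slides: it parses a dump of the first 2 KB of PC memory and reports when the INT 13h vector points into memory that the BDA no longer reports to DOS. The IVT layout (entry n at physical address 4n, 16-bit offset then 16-bit segment), the INT 13h disk-service vector, and the base-memory word at 0040:0013h are standard PC facts; the 640 KB expected value and the three memory images are assumptions and constructed data.

```python
"""Check a dump of the first 2 KB of PC memory for the installation pattern
described above: base memory count in the BDA lowered and the INT 13h vector
redirected into the memory hidden from DOS.  Added example, not from the
slides; the memory images are constructed and the 640 KB baseline is an
assumption about the machine being checked."""
import struct

IVT_BASE = 0x0000      # interrupt vector table: 256 entries of offset:segment
INT_DISK = 0x13        # ROM BIOS disk services vector
BDA_BASE_KB = 0x0413   # 0040:0013h, base (conventional) memory size in KB
VIDEO_RAM = 0xA0000    # conventional memory ends here on a classic PC


def read_vector(mem, intno):
    """Return (segment, offset) for interrupt intno; each IVT entry stores the
    16-bit offset first, then the 16-bit segment, little-endian."""
    off, seg = struct.unpack_from("<HH", mem, IVT_BASE + 4 * intno)
    return seg, off


def linear(seg, off):
    """Real-mode segment:offset to a 20-bit physical address."""
    return ((seg << 4) + off) & 0xFFFFF


def check_disk_vector(mem, expected_base_kb=640):
    """Return findings for the BDA memory count and the INT 13h handler."""
    findings = []
    (base_kb,) = struct.unpack_from("<H", mem, BDA_BASE_KB)
    seg, off = read_vector(mem, INT_DISK)
    handler = linear(seg, off)
    if base_kb < expected_base_kb:
        findings.append(f"BDA reports {base_kb} KB base memory, expected {expected_base_kb} KB")
    # Memory between the reported top and 640 KB is invisible to DOS; a handler
    # living there matches the "virus reserves memory" step on the slides.
    if base_kb * 1024 <= handler < VIDEO_RAM:
        findings.append(f"INT 13h handler at {seg:04X}:{off:04X} lies above reported base memory")
    return findings


def make_image(base_kb, int13_seg, int13_off):
    """Constructed 2 KB low-memory image holding only the fields read above."""
    mem = bytearray(0x800)
    struct.pack_into("<HH", mem, IVT_BASE + 4 * INT_DISK, int13_off, int13_seg)
    struct.pack_into("<H", mem, BDA_BASE_KB, base_kb)
    return mem


# Constructed images: a clean machine whose INT 13h points into ROM, one
# where 2 KB were carved off the top and the vector now points there, and a
# DOS-area hook (driver or disk cache) with the memory count intact.
CLEAN = make_image(640, 0xF000, 0xEC59)
INFECTED = make_image(638, 0x9F80, 0x0000)
DRIVER_HOOK = make_image(640, 0x0070, 0x0100)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED), ("driver", DRIVER_HOOK)):
        print(label, check_disk_vector(img) or ["no findings"])
```

The check deliberately does not flag every INT 13h vector that lies outside ROM: under DOS, device drivers and disk caches hook the same vector from conventional memory, so the DRIVER_HOOK image produces no findings. What distinguishes the slides' pattern is the handler sitting in memory that the BDA has stopped reporting, which is also why a shrunken memory total (638 KB instead of 640 KB) was a classic sign of a resident boot virus.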

112
The Fully-installed Boot Virus
113
Hook as a System Service
  • Most FBR viruses attempt to install themselves as
    a memory-resident driver at this point in the
    bootup sequence.
  • In this way, the virus can monitor all disk
    service requests during the operation of the
    computer and infect additional floppy disks at
    will.

114
Conceptual Hierarchy of Service Providers after
the System is Infected
[Figure: conceptual hierarchy of service providers after
memory installation by the boot record virus: Application →
Virus Resident Service Provider → original ROM BIOS disk
services]
115
The Original FBR
  • To complete its work, the FBR virus must retrieve
    the original FBR on the floppy disk and initiate
    the original bootup sequence as if the virus were
    not present. This is important because a virus
    must be unobtrusive to remain viable.
  • If the FBR virus installed itself in memory,
    infected the hard drive, and caused bootup on the
    floppy disk to fail, it might quickly be detected
    and removed.
  • Most viruses maintain a copy of the original FBR
    in one of the sectors at the end of the floppy
    disk. After the virus installs itself in memory,
    it loads the original FBR into memory and
    executes the original bootstrap routine. The
    bootstrap routine then proceeds normally,
    completely oblivious to the presence of the virus.

116
Infect Non-bootable Disk
  • Most floppy disks contain data and don't carry
    the DOS operating system files; thus, after the
    virus transfers control to the original bootstrap
    routine, it displays a message such as
    "Non-system disk". At this point, the average
    user realizes that he or she accidentally booted
    from a data disk, removes the disk from the drive
    and reboots.
  • This is why most FBR viruses infect the MBR or
    active Partition Boot Record of the hard drive
    during bootup. This infection guarantees that
    even if the floppy disk doesn't contain the
    proper operating system files, the virus can
    still spread to the hard drive and eventually to
    other disks.

117
When and How the FBR Virus Infects New Items?
  • Most FBR viruses attempt to infect disks whenever
    they get a chance (although some viruses are more
    discriminating than others).
  • If an infected floppy disk is in drive A, the
    first opportunity presented to the FBR virus is
    during a system reset.
  • Almost all FBR viruses also attempt to infect the
    hard drive's MBR or active Partition Boot Record
    during the floppy boot process.
  • The FBR virus also has an opportunity to infect
    after it installs itself in memory and designates
    itself as the proxy disk service provider. Any
    time thereafter when DOS or its programs attempt
    to access a floppy disk (or the hard drive), the
    operating system calls upon the virus.

118
Detect Infected Disk
  • Before a virus attempts to infect the floppy
    disk, it must determine whether the disk has
    already been infected. Most often, the virus does
    so by loading the target FBR into memory and
    comparing it to its own contents.
  • If the FBR virus ascertains that the target
    floppy disk isn't yet infected, it proceeds with
    the infection process.

119
Examples
  • Form.
  • Disk Killer.
  • Michelangelo.
  • Stoned.

120
  • Master Boot Record Viruses

121
Master Boot Record Viruses
  • The MBR contains a bootstrap program which,
    according to the MBR's partition table, determines
    which partition is the active partition, and then
    loads and transfers control to the active
    partition's Partition Boot Record (PBR) to finish
    loading DOS into memory.
  • Examples
  • NYB,
  • AntiExe,
  • Unashamed.
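The partition-table walk the MBR bootstrap performs, and the compare-against-a-known-copy idea from the "Detect Infected Disk" slide turned to the defender's use, fit in one check. The following is an added example, not code from the slides: it parses a 512-byte MBR, reports the partition the bootstrap would hand control to, validates the table, and compares the bootstrap code area against a digest recorded earlier. The sector contents are constructed (the code stub is a placeholder, not real bootstrap code), and the baseline is assumed to have been recorded while the disk was known clean. The same digest comparison applies to a floppy boot record; only the partition-table checks are MBR-specific.

```python
"""Parse a 512-byte master boot record, report the partition its bootstrap
would hand control to, and compare the bootstrap code against a recorded
baseline.  Added example, not code from the slides; the sector contents are
constructed and the baseline is assumed to have been taken from the disk
before any infection."""
import hashlib
import struct

SECTOR = 512
PART_TABLE = 0x1BE        # four 16-byte partition entries
SIGNATURE = 0x1FE         # 0x55 0xAA marks a valid boot sector
ACTIVE = 0x80             # boot indicator for the active partition


def parse_partitions(sector):
    """Return the four partition entries as dicts (LBA fields, not CHS)."""
    parts = []
    for i in range(4):
        base = PART_TABLE + 16 * i
        boot, ptype = sector[base], sector[base + 4]
        start, count = struct.unpack_from("<II", sector, base + 8)
        parts.append({"index": i, "boot": boot, "type": ptype,
                      "start": start, "sectors": count})
    return parts


def active_partition(sector):
    """The entry an MBR bootstrap selects: exactly one flagged 0x80, else None."""
    active = [p for p in parse_partitions(sector) if p["boot"] == ACTIVE]
    return active[0] if len(active) == 1 else None


def bootstrap_digest(sector):
    """SHA-256 of the code area (everything before the partition table)."""
    return hashlib.sha256(sector[:PART_TABLE]).hexdigest()


def validate_mbr(sector, baseline_digest):
    """Structural checks plus comparison of the code area with the baseline."""
    findings = []
    if len(sector) != SECTOR:
        return [f"sector is {len(sector)} bytes, expected {SECTOR}"]
    if sector[SIGNATURE:SIGNATURE + 2] != b"\x55\xAA":
        findings.append("missing 55AA boot signature")
    for p in parse_partitions(sector):
        if p["boot"] not in (0x00, ACTIVE):
            findings.append(f"entry {p['index']}: invalid boot indicator {p['boot']:#04x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"entry {p['index']}: typed partition with zero length")
    if active_partition(sector) is None:
        findings.append("no single active partition")
    if bootstrap_digest(sector) != baseline_digest:
        findings.append("bootstrap code differs from baseline")
    return findings


def build_mbr(code_stub, entries):
    """Constructed MBR: code stub padded to 0x1BE, given entries, signature."""
    sector = bytearray(SECTOR)
    sector[:len(code_stub)] = code_stub
    for i, (boot, ptype, start, count) in enumerate(entries):
        base = PART_TABLE + 16 * i
        sector[base], sector[base + 4] = boot, ptype
        struct.pack_into("<II", sector, base + 8, start, count)
    sector[SIGNATURE:SIGNATURE + 2] = b"\x55\xAA"
    return bytes(sector)


# Constructed clean MBR: a placeholder stub (not real bootstrap code) and one
# active FAT16 partition; the baseline digest is recorded from it.
CLEAN_MBR = build_mbr(b"\xEB\xFE" + b"\x90" * 30, [(ACTIVE, 0x06, 63, 204736)])
BASELINE = bootstrap_digest(CLEAN_MBR)
# Same partition table, but the code area has been rewritten.
ALTERED_MBR = build_mbr(b"\x90" * 64, [(ACTIVE, 0x06, 63, 204736)])

if __name__ == "__main__":
    print("active:", active_partition(CLEAN_MBR))
    print("clean:", validate_mbr(CLEAN_MBR, BASELINE) or ["no findings"])
    print("altered:", validate_mbr(ALTERED_MBR, BASELINE))
```

Hashing only the code area, not the whole sector, is what makes the baseline survive legitimate repartitioning: the partition table and signature are validated structurally, while any change to the bytes the BIOS actually executes is reported.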

122
  • Program File Viruses

123
Program File Viruses
  • Program file viruses (hereafter called just file
    viruses) use executable files as their medium
    for propagation. They target one or more of the
    three most common executable file formats used in
    DOS: COM files, EXE files, and SYS files.
  • The basic file virus replicates by attaching a
    copy of itself to an uninfected executable
    program. The virus then modifies the new host
    program so that when the program executes, the
    virus executes first.

124
Examples
  • Jerusalem
  • Cascade.

125
Infection
  • The file-infecting virus can only gain control of
    the computer if the user or the operating system
    executes a file infected with this virus.
  • In other words, infected files are harmless as
    long as they are not executed; they can be
    copied, viewed, or deleted without incident.

126
Execution of a COM Program
  • COM programs have the simplest format of any of
    the DOS executable file formats.
  • They also have the simplest loading sequence:
  • DOS reads the program directly into memory,
  • then jumps to the first instruction (at the first
    byte) of the program image.
  • When this action occurs, the program has complete
    control of the computer, until it relinquishes
    control back to DOS upon termination.

127
COM Infections
  • File viruses infect COM files by modifying the
    machine-language program at the start of the
    executable image. A virus can ensure that it
    gains control in at least four different ways,
    because execution in a COM file must begin at the
    first byte in the executable image.
  • Prepending COM Viruses
  • Appending COM Viruses
  • Overwriting COM Viruses
  • Improved Overwriting COM Viruses

128
Prepending COM Viruses
  • A virus can insert itself at the top of the COM
    file, moving the original program down after the
    viral code.
  • The entire virus is then located at the top of
    the executable image, and is the first to execute
    when the program is loaded.
  • This method of infection is known as prepending,
    because the virus affixes itself to the beginning
    of the host COM program.

129
Prepending COM Virus Infection
130
Appending COM Viruses Inject the Virus
  • A virus can modify the machine-language program
    at the top of the executable image of the COM
    file to transfer control to the virus, which can
    be located elsewhere in the executable file.
  • The virus often attaches itself to the end of the
    infected program and changes the first few
    instructions at the top of the executable image
    so that they transfer control to the viral code.

131
Appending COM Viruses Handle the Original Code
  • Before the virus changes the first few program
    instructions, it must record what the host
    program's original entry instructions were so
    that it can repair the host program after it has
    completed.
  • Without preserving these instructions, when the
    virus transfers control to the host program, the
    PC would most likely crash or work incorrectly,
    foiling the virus's attempts to remain
    undiscovered.
  • This method of infection is known as
    appending, because the virus affixes its bulk to
    the end of the host program.

132
Appending COM Virus Infection
133
Overwriting COM Viruses
  • The third technique used to infect COM files is
    known as overwriting. Viruses that use this
    technique often are crudely written. They infect
    COM programs by entirely overwriting the start of
    the host program with the viral code.

134
Repair Files Infected by Overwriting COM Viruses
  • Overwriting COM viruses don't attempt to save a
    copy of the host's bytes that have been
    overwritten. As a result, the original program
    can't work after the virus executes. If a
    computer becomes infected with a virus of this
    type, the only way to repair the infected files
    is to restore them from backups created before
    the infection.

135
Tricks Used by Overwriting COM Viruses to Avoid
Being Detected
  • After overwriting viruses infect program files,
    they either crash or display a bogus error
    message such as "Not enough memory to execute
    program". Such error messages appear in an attempt
    to convince the user that the PC has a memory
    management problem rather than a virus.

136
Overwriting COM Virus Infection
[Figure: overwriting virus]
137
Improved Overwriting COM Viruses
  • The last method used to infect COM programs is
    known as improved overwriting.
  • Assuming the virus is V bytes long, the virus
    first reads the first V bytes of the host program
    and then appends this information to the end of
    the host program. The virus then overwrites the
    top of the COM program using the V bytes of viral
    code.

138
Original Information of Infected Files
  • The host program can be repaired and executed
    normally after the virus completes its dirty
    work, because the information from the uninfected
    host program has been stored.

139
Improved Overwriting COM Virus
[Figure: improved overwriting virus, V bytes long]
140
EXE Infections
  • Although numerous methods are used to infect COM
    files, viruses use primarily one method to infect
    EXE format files.
  • EXE files have a variable entry point specified
    by the Code Segment (CS) and Instruction Pointer
    (IP) fields of the file header. In the most
    common form of EXE infection, the virus performs
    the following sequence of actions:
  • Records the host's original entry point in
    itself, so it can later execute the host program
    normally.
  • Appends a copy of itself to the end of the host
    program.
  • Changes the entry point (using CS and IP fields)
    in the EXE header to point to the virus code.
  • Changes other fields in the header, including the
    program's load-image size fields, to reflect the
    presence of the virus.
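The appending-COM method (a patched first instruction that jumps to code at the end of the file) and the EXE method just listed (CS:IP moved to appended code, header sizes adjusted or not) leave the same static trace a scanner can look for: the first transfer of control lands in the tail of the image, or the header no longer describes the file. The following is an added example, not code from the slides: entry-point heuristics run over constructed COM and MZ images. The "last tenth of the image" threshold and the 32-byte header used by the constructor are assumptions; the MZ header field layout (bytes on last page, page count, header paragraphs, initial IP and CS) is the standard DOS format.

```python
"""Static entry-point heuristics for DOS COM and EXE images, the defender's
view of the infection methods above.  Added example, not from the slides;
the sample images are constructed and the 10% tail threshold is an assumption."""
import struct

TAIL_DIVISOR = 10   # an entry point in the last tenth of the image is suspicious


def tail_start(size):
    return size - size // TAIL_DIVISOR


def com_entry_target(data):
    """Offset the first instruction transfers control to: a leading short or
    near JMP is followed, anything else executes in place (offset 0)."""
    if len(data) >= 3 and data[0] == 0xE9:           # JMP rel16
        return (3 + struct.unpack_from("<h", data, 1)[0]) & 0xFFFF
    if len(data) >= 2 and data[0] == 0xEB:           # JMP rel8
        return (2 + struct.unpack_from("<b", data, 1)[0]) & 0xFFFF
    return 0


def check_com(data):
    findings = []
    if len(data) > 0xFF00:
        findings.append("COM image too large for a single 64 KB segment")
    target = com_entry_target(data)
    if target >= len(data):
        findings.append(f"entry jump to {target:#06x} lands outside the file")
    elif target and target >= tail_start(len(data)):
        findings.append(f"entry jump to {target:#06x} lands in the image tail")
    return findings


def parse_mz(data):
    """Decode the MZ header fields needed to locate the entry point."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    (e_cblp, e_cp, _, e_cparhdr, _, _, _, _, _, e_ip, e_cs) = struct.unpack_from("<11H", data, 2)
    declared = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)   # file size per header
    header_len = e_cparhdr * 16
    return {"declared_size": declared, "header_len": header_len,
            "entry_offset": header_len + (e_cs << 4) + e_ip, "cs": e_cs, "ip": e_ip}


def check_exe(data):
    hdr = parse_mz(data)
    findings = []
    if len(data) > hdr["declared_size"]:
        findings.append(f"{len(data) - hdr['declared_size']} bytes beyond the declared image")
    image = hdr["declared_size"] - hdr["header_len"]
    rel_entry = hdr["entry_offset"] - hdr["header_len"]
    if rel_entry >= image:
        findings.append("entry point CS:IP lies outside the declared image")
    elif rel_entry >= tail_start(image):
        findings.append(f"entry point CS:IP={hdr['cs']:04X}:{hdr['ip']:04X} lies in the image tail")
    return findings


def build_exe(image, e_cs=0, e_ip=0):
    """Constructed MZ file: a 32-byte header (2 paragraphs) then the image."""
    total = 32 + len(image)
    hdr = bytearray(32)
    hdr[:2] = b"MZ"
    struct.pack_into("<11H", hdr, 2, total % 512, (total + 511) // 512, 0, 2,
                     0, 0xFFFF, 0, 0, 0, e_ip, e_cs)
    return bytes(hdr) + image


# Constructed samples.  NOPs stand in for program code.
IMAGE = b"\x90" * 2000
CLEAN_EXE = build_exe(IMAGE)                       # entry at start of image
TAIL_ENTRY_EXE = build_exe(IMAGE, e_ip=1900)       # entry moved into last 100 bytes
GROWN_EXE = CLEAN_EXE + b"\x00" * 300              # appended, header not updated
CLEAN_COM = b"\xB4\x4C\xCD\x21" + b"\x90" * 200    # mov ah,4Ch / int 21h, then filler
TAIL_JUMP_COM = b"\xE9" + struct.pack("<h", 1900 - 3) + b"\x90" * 1997

if __name__ == "__main__":
    for label, data, check in (("clean.com", CLEAN_COM, check_com),
                               ("tailjump.com", TAIL_JUMP_COM, check_com),
                               ("clean.exe", CLEAN_EXE, check_exe),
                               ("tailentry.exe", TAIL_ENTRY_EXE, check_exe),
                               ("grown.exe", GROWN_EXE, check_exe)):
        print(label, check(data) or ["no findings"])
```

These are heuristics, not proof: compressed or overlay-bearing programs legitimately start with a jump past their data or carry bytes beyond the declared image, which is why the output is a list of findings to weigh against a hash of the known-good file rather than a verdict. The prepending and overwriting methods from the earlier slides do not show up here at all, since they leave the entry point where it was; for those, only a baseline comparison of the file itself helps.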

141
EXE File before and after Infection
142
How and When the File-Infecting Virus Gets
Control?
  • Simply stated, a file-infecting virus gains
    control of the computer when the user or
    operating system executes an infected program.
  • When a user executes an infected program, DOS
    loads the entire program into memory, virus and
    all, and begins executing the program at its
    entry point.
  • In infected files, the virus modifies the
    location of the entry point or the machine code
    at the entry point so that the virus executes
    first.

143
Proliferation of File-Infecting Viruses
  • After the virus machine code begins executing, it
    can immediately seek out and infect other
    executable programs on the computer, or it can
    establish itself as a memory-resident service
    provider in the operating system.
  • As a service provider, the virus can then in