Title: The Attack and Defense of Computers
1- The Attack and Defense of Computers
- Dr. ? ? ?
2- Virus Internet Security Professional Reference
3- Virus Tutorial
- Computer Virus Resources
- Introduction of Famous Malware
- Virus descriptions of viruses in the wild
4Virus
- A sequence of code that is inserted into other
programs. - A virus can create a copy of itself to inserted
in one or more other programs. - Virus cannot run on their own, and need to have
some host program. - e.g. Melissa virus, ILOVEYOU virus.
5Virus
- Boot sector viruses
- Master boot record viruses
- File infector viruses
- Multi-partite viruses
- Macro viruses (infect data files)
6 7Disk Structures
- Units used in Floppy Disks and Hard Disks
- Sector
- Cluster
- Disk space allocation unit
- Each cluster contains one or more sectors.
- Track
- Head
- Cylinder (for HDs)
- E.g. A 3 ½ inch high-density disk
- 40 tracks/side
- 18 sectors/track
- 512 bytes/sector
8Floppy Disk Structure
9Disk Sectors
Magnetic Disk
Sector
10Hard Disk Structure
11Areas of a Disk 12
- Under DOS, a disk is divided into the following
four areas - The boot record.
- The file allocation table (FAT).
- The root directory.
- The data area.
- A hard drive has a fifth area
- The partition table.
12Boot Record
- Boot Record
- Location
- sector 1, track 0, head 0.
- Contents
- the bootstrap routine (a machine language program
designed to load the operating system from other
part of the disk.) - the BIOS Parameter Block (BPB), which identifies
the floppy disks operating parameters, including
the number of bytes per sector, sectors per
cluster and track, and tracks per disk. - The BPB allows an operating system to understand
the format of a disk.
13The Bootstrap Program
- In a PC, when a machine is turned on, a routine
called The Power-On Self Test (POST) verifies
all hardware components are working properly. - After everything is confirmed working well, POST
loads up the boot record from the disk and checks
for two signature bytes inside it. - If the boot record signature is present, the
execution control is transferred to the bootstrap
program inside the boot record. - Under DOS, the bootstrap program in turn loads
the OS into the RAM from the disk and eventually
transfers control to COMMAND.COM, the command
interpreter.
On board
On disk
14Boot Sequence from Uninfected Floppy Diskette
15Hard Disk Partition and Master Boot Record
- A single physical hard drive can be divided into
several different partitions. - The user can specify one of the partitions as the
active partition (the one from which the user
wants to boot.) - The Master Boot Record (MBR) is a structure
stored on the first track, sector and head of the
hard drive. - The MBR contains a partition table, which denotes
the allocation of all sectors and their
respective partitions. - Programs require the partition table on the hard
disk to understand the disks characteristics.
16Boot Sequence from Uninfected Hard Drive -- (1)
Stop
17Boot Sequence from Uninfected Hard Drive -- (2)
18- 8086/8088 INTERRUPTS, BIOS, and DOS
19Interrupt Gerhard Roehrl
- The 8086/88 microprocessors allow normal program
execution to be interrupted by external events or
by special instructions embedded in the program
code. - When the microprocessor is interrupted, it stops
executing the current program and calls a
procedure which services the interrupt. - At the end of the interrupt service routine, the
code execution sequence is returned to the
original, interrupted program.
20Interrupt Sources
- An interrupt can be generated by one of three
sources - Internal interrupts
- Hardware interrupt
- Software interrupt
21Internal Interrupts
- An interrupt can be generated as a result of a
processor state violation, called an exception. - An example would be a divide-by-zero interrupt
produced when the div instruction is interpreted
to have a zero divisor. - Program execution is automatically interrupted
and control transferred to an interrupt handler. - Conditional interrupts such as this are referred
to as internal interrupts.
22Hardware Interrupt
- An interrupt can also be generated by an external
device requesting service. This happens when a
device signals its request on either the
non-maskable interrupt (NMI) or on the INTR
interrupt input lines of the processor. - The NMI interrupt is generally used to signal the
occurrence of a catastrophic event, such as the
immanent loss of power. - The INTR interrupt is used by all other devices.
- An interrupt caused by a signal applied to either
the NMI or INTR input pin of a CPU is referred to
as a hardware interrupt.
23Software Interrupt
- Interrupts may be generated as a result of
executing the int instruction. - The above is referred to as a software interrupt.
24Functions of Software Interrupts (Only Apply to
Real Mode)
- Software interrupts produced by the INT assembler
instruction have many uses. For example, - test various interrupt service routines
- You could use an INT 2 instruction to start the
execution of an NMI interrupt service procedure.
This would allow you to test the NMI procedure
without needing to apply an external signal to
the processors NMI input line. - call commonly used procedures from many different
programs - The Basic Input/Output System (BIOS) procedures
of an IBM computer or compatible are a good
example of this use of the INT instruction.
25BIOS Procedures
- One part of the BIOS is actually a collection of
procedures which provides the fundamental I/O
services that are needed for the operation of the
computer. - Each procedure performs a specific function such
as - reading a character from the keyboard
- writing characters to the screen
- reading information from disk.
26Using BIOS Procedures
- BIOS procedures (system I/O procedures) are
called with the INT instruction. - There are 12 BIOS procedures in all, falling into
5 groups. - For example with INT 10h you can access the video
display services. - This interrupt includes 20 subroutines.
- Obviously, one of the INT 10h parameters is a
data value indicating which one of the twenty
subroutines is required. - the AH Register is loaded with the number of the
subroutine. - the AL, BX, CX, and DX registers are used to
provide the parameters for this subroutines.
27The 12 BIOS Service Routines Supported by the IBM
PC (and Compatibles)
- Dec Hex Use
- Peripheral Devices Services
- 16 10 Video-display
services - 19 13 Diskette
services - 20 14 Communications
services - 21 15 Cassette-tape
services - 22 16 Standard
keyboard services - 23 17 Printer
services - Equipment Status Services
- 17 11 Equipment-list
service - 18 12 Memory-size
service - Time/Date Service
- 26 1A Time and date
services - Print-Screen Service
- 5 5 Print-screen
service - Special Services
- 24 18 Activate
ROM-BASIC language - 25 19 Activate
bootstrap start-up routine
28Files Constituting DOS
- When you turn on your PC there are several jobs
to do. One is to load the operating system from
the system disk. - If you use MS-DOS (MicroSoft - Disk Operating
System), three system files are loaded - IBMBIO.COM
- COMMAND.COM
- IBMDOS.COM
29Comparing DOS and BIOS Services
- The file IBMDOS.COM contains DOS service
routines. - The DOS services, like the BIOS services, can be
called by programs through a set of interrupts
whose vectors are placed in the interrupt vector
table. - The ROM-BIOS routines can be thought of as the
lowest-level system software available,
performing the most fundamental and primitive
input and output operations. - The DOS service routines provide more
sophisticated and efficient control over the I/O
operations than the BIOS routines do,
particularly for disk file operations.
30Using DOS Interrupts (a.k.a. DOS Calls)
- There are nine DOS interrupt services.
- Five of them, interrupts 20h, 25h, 26h, 27h, and
2Fh are "true" DOS interrupt services, each one
having a specifically-defined task associated
with it. - 22h, 23h, and 24h these three interrupts are
used to hold segmented addresses. - INT 21h provides under one "umbrella" a set of
universal functions we can use in our programs. - All of the DOS function calls are invoked by INT
21h. - Individual functions are selected in the same way
as BIOS functions, placing the function number in
the AH-Register.
software interrupt
31The Nine DOS Interrupts
- Dec Hex Description
- 32 20 Program terminate come to normal
ending - 33 21 Function-call umbrella interrupt
- 34 22 Terminate address
- 35 23 Break address
- 36 24 Critical error-handler address
- 37 25 Absolute disk read
- 38 26 Absolute disk write
- 39 27 Terminate-but-stay-resident
- 47 2F Print spool control (DOS-3 versions
only)
32Interrupt Vectoring
- Two 16 bit data words are used to specify the
location of a interrupt service routine. - One word is used to load the CS register and
points to the base address of the code segment
containing the service routine. - The second word is used to load the IP with the
offset value for the desired routine within the
specified code segment. - The base and offset words for all interrupt types
are grouped together in an interrupt vector
table.
33BIOS wikipedia
- BIOS, in computing, stands for Basic Input/Output
System or Basic Integrated Operating System. - BIOS refers to the firmware code run by an IBM
compatible PC when first powered on. - The primary function of the BIOS is to prepare
the machine so other software programs stored on
various media (such as hard drives, floppies, and
CDs) can load, execute, and assume control of the
PC. - This process is known as booting up.
- Boot is short for bootstrapping.
- BIOS can also be said to be a coded program
embedded on a chip that recognizes and controls
various devices that make up the PC.
34BIOS Firmware Chips
- A computer system can contain several BIOS
firmware chips. - The motherboard BIOS typically contains code to
access fundamental hardware components such as - the keyboard
- floppy drives
- ATA (IDE) hard disk controllers
- USB human interface devices
- storage devices.
- Plug-in adapter cards such as SCSI, RAID, Network
interface cards, and video boards often include
their own BIOS, complementing or replacing the
system BIOS code for the given component.
35BIOS Procedures in ROM Chips
- ROM chips accompany most hardware add-ons, such
as hard drives, video boards, and so forth. - These chips contain machine language programs
(routines) that handle most of the common
requests that operating systems and applications
make. - ROM-based software adheres to a well-known,
published standard. - If a program wants to write data to the hard
drive, for example, it can call upon the routines
on the hard drive ROM chips to perform the
operation. - Although the circuitry in each brand of hard
drive might differ, this well-defined software
interface allows programs to efficiently request
services from hard drives and other peripherals
without having to understand their internals. - ROM-based software is referred to as a BIOS
procedures. - If a program needs to request a service from a
peripheral, such as reading data from the hard
drive, it can call upon the BIOS procedure in the
ROM chip to communicate with the specific device
and service the request.
similar to a device driver in Unix
36An Example Physical Memory Layout of a PC
640K
1M
37DOS Calls
- The DOS operating system also offers system
services to its applications. - DOS installs its own system service provider
software in memory to service common requests,
such as opening a file or writing data to a file.
- The above DOS software works on top of the
various BIOS Procedures and simplifies certain
basic operations.
38DOS Call Example
- Assume an application requests a system service,
such as opening a file. - The application makes this request with a simple
DOS call. - DOS may make one or more low-level requests to
the ROM service provider. - Finally, the ROM service provider may interact
with the hardware to service some requests. - Because the typical program doesnt care about
how data actually is stored on the hard drive, as
long as it can access it, DOS abstracts this for
the program and offers a simple way to open files.
Similar to a system call in Unix
39System Layering
40An Example of System Layering Raymond Wisman
- C program cout ltlt "Hello world"
- Machine Call DOS video function 9 to
output - Code string "Hello world"
- DOS Call BIOS video function by
- int 10h
-
- BIOS "Hello world" placed in
- hardware video
memory - Video hardware "Hello world" display from
- video memory
41Invoking a BIOS Procedure or DOS Call
- Both BIOS procedures or DOS calls are invoked
through the int instruction, - e.g.
- int 20h
- int 10h
42The Rise and Fall of the BIOS
- Older operating systems such as DOS relied on the
BIOS to carry out most input-output tasks within
the PC. - A variety of technical reasons eventually made it
inefficientespecially for more recent operating
systems written for the Intel 80386 such as Linux
and Microsoft Windowsto invoke the BIOS
directly. - Such operating systems instead used their own
better-performing native drivers and were also
much easier to extend to support new hardware. - As such, the BIOS was mostly relegated to
bootstrapping to the point where the operating
system's own drivers could take control of the
hardware.
43Hook TSRs into DOS System Services
- Memory-resident programs, called TSRs, can hook
into the system service provider software (DOS
calls) already resident in the computers memory
and augment the services offered by the original
system service provider software. - The hooking program can service all requests on
its own or pass on some or all requests to the
original service provider. It also can opt to
modify information before passing it to a
subservient service provider (one installed
before the current service provider).
44How Resident File Viruses Hook into the Operating
System
- Most programs that hook into DOS or ROM services
do so for legitimate reasons. Unfortunately,
memory-resident viruses also can hook into these
system services to damage data or spread to
floppy disks and files.
45- WIN32 PE Infection QozahRozinov
46The Most Common Executable File Formats under
Windows
- The portable executable file format (PE) is the
format of the binary programs (exe, dll, sys,
scr) for - MS Windows NT
- Windows 95
- Win32s
47Components of a PE File
48Struct IMAGE_FILE_HEADER
- typedef struct _IMAGE_FILE_HEADER
- WORD MachineWORD NumberOfSectionsDWORD
TimeDateStampDWORD PointerToSymbolTableDWORD
NumberOfSymbolsWORD SizeOfOptionalHeaderWORD
Characteristics - IMAGE_FILE_HEADER, PIMAGE_FILE_HEADER
49An Example of Structure IMAGE_FILE_HEADER
Danehkar
24 bytes 2418h
50Struct IMAGE_OPTIONAL_HEADER
- Struct IMAGE_OPTIONAL_HEADER WORD MagicBYTE
MajorLinkerVersionBYTE MinorLinkerVersionDWOR
D SizeOfCodeDWORD SizeOfInitializedDataDWORD
SizeOfUninitializedDataDWORD AddressOfEntryPoint
DWORD BaseOfCodeDWORD BaseOfDataDWORD
ImageBaseDWORD SectionAlignmentDWORD
FileAlignmentWORD MajorOperatingSystemVersion
WORD MinorOperatingSystemVersionWORD
MajorImageVersionWORD MinorImageVersionWORD
MajorSubsystemVersionWORD MinorSubsystemVersion
DWORD Win32VersionValueDWORD
SizeOfImageDWORD SizeOfHeadersDWORD
CheckSumWORD SubsystemWORD
DllCharacteristicsDWORD SizeOfStackReserveDWOR
D SizeOfStackCommitDWORD SizeOfHeapReserveDWOR
D SizeOfHeapCommitDWORD LoaderFlagsDWORD
NumberOfRvaAndSizesIMAGE_DATA_DIRECTORY
DataDirectoryIMAGE_NUMBEROF_DIRECTORY_ENTRIES
51Some Fields of Struct IMAGE_OPTIONAL_HEADER (1)
- ImageBase
- The preferred address of the first byte of the
image when it is loaded in memory. - This value is a multiple of 64K bytes.
- The default value for DLLs is 0x10000000.
- The default value for applications is 0x00400000,
except on Windows CE where it is 0x00010000. - AddressOfEntryPoint
- A pointer to the entry point function, relative
to the image base address. - For executable files, this is the starting
address. - For device drivers, this is the address of the
initialization function. - The entry point function is optional for DLLs.
When no entry point is present, this member is
zero.
52Some Fields of Struct IMAGE_OPTIONAL_HEADER (2)
- SectionAlignment
- The alignment of sections loaded in memory, in
bytes. - This value must be greater than or equal to the
FileAlignment member. - The default value is the page size for the
system. - FileAlignment
- The alignment of the raw data of sections in the
image file, in bytes. - The value should be a power of 2 between 512 and
64K (inclusive). - The default is 512.
- If the SectionAlignment member is less than the
system page size, this member must be the same as
SectionAlignment. - SizeOfImage
- The size of the image, in bytes, including all
headers. Must be a multiple of SectionAlignment.
53An Example of Structure IMAGE_OPTIONAL_HEADER
Danehkar
16 bytes 1610h
54struct IMAGE_SECTION_HEADER
- typedef struct _IMAGE_SECTION_HEADER
- BYTE NameIMAGE_SIZEOF_SHORT_NAMEunion
DWORD PhysicalAddressDWORD VirtualSize
MiscDWORD VirtualAddressDWORD
SizeOfRawDataDWORD PointerToRawDataDWORD
PointerToRelocationsDWORD PointerToLinenumbers
WORD NumberOfRelocationsWORD
NumberOfLinenumbersDWORD Characteristics - IMAGE_SECTION_HEADER, PIMAGE_SECTION_HEADER
55Some Fields of struct IMAGE_SECTION_HEADER (1)
- VirtualSize
- The total size of the section when loaded into
memory, in bytes. - If this value is greater than the SizeOfRawData
member, the section is filled with zeroes. - This field is valid only for executable images
and should be set to 0 for object files. - VirtualAddress
- The address of the first byte of the section when
loaded into memory, relative to the image base. - For object files, this is the address of the
first byte before relocation is applied. - SizeOfRawData
- The size of the initialized data on disk, in
bytes. - This value must be a multiple of the
FileAlignment member of the IMAGE_OPTIONAL_HEADER
structure. - If this value is less than the VirtualSize
member, the remainder of the section is filled
with zeroes. - If the section contains only uninitialized data,
the member is zero.
56Some Fields of struct IMAGE_SECTION_HEADER (2)
- PointerToRawData
- A file pointer to the first page within the COFF
file. - This value must be a multiple of the
FileAlignment member of the IMAGE_OPTIONAL_HEADER
structure. - If a section contains only uninitialized data,
this member is zero. - Characteristics
- The characteristics of the image.
57An Example of Structure IMAGE_SECTION_HEADER
Danehkar
58 59Change Size-Related Fields
Step 1 Find section header i which has the
largest PointerToRawData value among all the
section headers. In other words, its
corresponding section is the last section in this
file.
Step 2 Added to the size of the virus.
Step 3 according to the value of FileAlignment
in structure IMAGE_OPTIONAL_HEADER, round
VirtualSize. Then save the result to this field.
40 bytes 4028h
60Set the Entry Point Value and the New File Size
Step 4 VirtualAddress old value of
VirtualSize. Then save the result to
AddressOfEntryPoint
16 bytes 1610h
40 bytes 4028h
Step 5 Add (new SizeOfRawData old
SizeOfRawData )
61Set the New Access Right
40 bytes 4028h
Step 6 make it executable, code and writable, so
we have to OR it with 0x00000020 (code),
0x20000000 ( executable ) and 0x80000000 (
writable ).
Step 7 append the virus to this file.
62- COM, EXE, and SYS Infection
63The Most Common Executable File Formats under DOS
- The most common executable file formats used
under DOS are COM, EXE, and SYS. - COM and EXE files are used for standard DOS
programs, and SYS files are used for system
device drivers. - Although viruses have targeted each of these file
formats, to date, reports of SYS file infections
have been rare.
64Entry Points of DOS Program Files
- A program file consists of data and machine
language instructions interpreted directly by the
computers CPU. - DOS program files contain one or two entry
points, which are the locations in the program of
the first instruction for the CPU to execute. - You might compare a program to a notepad that
contains a list of tasks. The entry point, then,
would be the first task on the list. - All COM and EXE files have a single entry point,
while SYS files have two entry points. - The CPUs interpretation of a programs
instruction must always start with the
instruction at the entry point. This makes the
entry point an area that viruses can modify and
thereby gain control of the computer. After the
virus completes its dirty work, it can then
transfer control to the original program.
65COM Files
- The COM executable file has the simplest DOS
program file format. The COM files simplicity
makes it a major target for file infecting
viruses. - The contents of the COM file are loaded directly
into memory and executed without modification.
The operating system transfers control to the
first instruction in the memory image of the
file. This first instruction is the COM files
single entry point. - COM files have an upper size limit of
approximately 64 KB
66How a COM File Is Loaded into RAM and Executed
67EXE Files Component Sections
- The EXE executable file format is somewhat more
complex than the COM file format. - The EXE file consists of two primary sections.
- The first section is a header that tells DOS how
to load the program. - The second section of the EXE file, known as the
program load image, contains the actual memory
image of the program and its data.
68EXE Files the Header Section
- The header includes two fields that identify the
location of the EXE files single entry point in
the program - the Code Segment (CS) and
- the Instruction Pointer (IP).
- The header also includes two size fields that
specify the actual size of the executable
program. - When a virus infects an EXE file, it must
increase the value in the size fields to equal
the total of the executable program file size and
the virus program size. - For instance, when a virus that is 2 KB in size
appends itself to a 10 KB file, it increases the
value in these fields to 12 KB.
69How an EXE File Is Loaded into RAM and Executed
overlay data
70SYS Files
- The SYS executable file format differs from both
the COM and EXE file formats in that SYS files
have two entry points. - SYS format files are used primarily for device
drivers. - Like COM files, all SYS files must be 64 KB or
less in size. - The SYS file is composed of three major sections.
- The first portion of the SYS file contains the
device header. Like the header of an EXE file,
the device header contains entry point
information and other fields. - The second and third sections of the SYS file
contain the two device driver modules, which
contain all the machine language code in the
program.
71How a SYS File Is Loaded into RAM
72Program Files and Viruses
- Program files are often targeted by viruses for
two primary reasons. - Because each of the executable file types has a
simple format, file viruses can piggyback
themselves to program files with relative ease. - Executable file types also are common targets for
infection because of the frequency of their use.
If a virus can infect an executable file, its
capability to infect other programs increases.
73 74Macro Facilities
- Macro facilities enable a user to record a
sequence of operations within the application. - The user then uses a key combination to associate
these operations. - Later, pressing this key combination repeats the
recorded steps. - A given macro activated using a key combination,
for example, might open a file, renumber the
items within it, then close the file.
75Global Pool of Macros
- Macro systems have evolved greatly over the
years. - Most old programs that supported macros had a
global pool of macros that always were
available for use, regardless of what file the
user happened to be editing. - Individual document or spreadsheet files could
not contain their own, local, macros.
76New Properties of Modern Macro System
- Modern macro systems differ from their
predecessors in several key ways. - First, users now can write entire complex
programs in a macro language. - These programs have access to all the host
applications features, as well as many of the
operating systems features. - Microsoft products, for example, enable users to
write macros in a language that resembles Visual
Basic. - These macros can perform various tasks for the
user, including popping up dialog boxes, altering
files on the system, or inserting the date and
time in a document. They can also be used to
write viruses! - Second, the user can tote specific macros around
in a document or spreadsheet data file. A user
can create a macro for a specific spreadsheet,
for example, and attach it directly to the
spreadsheet file. Any time the file is used on a
new machine, the accompanying macro is available
for use.
77Security Concerns of Modern Macro System
- An inherent threat exists with modern macro
system just as normal macros can be attached and
carried along with a given document or data file,
so can macro viruses!
78Cross-platform Compatibility
- Modern macro languages, such as Word for Windows
WordBasic, are interpreted by the host
application and often are compatible across
different operating systems. - A Word for Windows 6.0 document that contains
macros created on a PC, for instance, can be
edited in Word for Macintosh. Because Word for
Macintosh provides the same macro facilities as
its DOS counterpart, the documents macros also
function on the Macintosh platform. - This cross-platform compatibility means that a
macro virus can spread from computer to computer,
as long as the destination computer supports a
macro-capable, compatible version of the host
application.
79- Microsoft Word Shauna Kelly Better
Solutionsucsb
80Template
- A template is a sample document that is used for
the basis for a new document. - Every Microsoft Word document is based on a
template, whether you choose a template
explicitly or not. - A template determines the basic structure for a
document and contains document specific settings
such as - fonts
- Styles
- page layout
- macros etc.
- When you create a document, the file that is
created initially is just a copy of its template.
- This means that subsequent changes to the
template will not automatically be reflected in
the document. - Some changes made to the document, however, can
be saved to the template.
81Naming Rule of a Template File
- A Word template has the file extension (.dot) and
every document is based on a template. - When you save a document as a Word template the
three-letter extension of .dot is added to the
end of the name instead of .doc.
82Template Normal.dot
- The Normal.dot template is the basis for any new
blank documents you create. - Normal.dot is a special global template created
and used by Word and should be in the User
Templates folder. - Whenever you create a new document by clicking
(File gt New) a copy of the file called
Normal.dot is created and is presented as a new
document. - If you change something in the Normal.dot then
all new documents will reflect those changes. - If Word is unable to find your Normal.dot file or
it is damaged then a new one will be created
using the default settings.
83What Happens When a Document Is Born?
- When a document is created, it inherits three
things from its parent template - styles
- In Word, a style is a collection of formatting
instructions. - You use styles to format the paragraphs in your
document, so you would use - the "Title" style for your title
- "Body Text" style for body text
- "Caption" style for the picture captions
- "Heading 1" for the major headings
- content
- e.g. text, pictures, a fax header, a form to fill
in, and any content in headers and footers. - page settings
- e.g. margins, paper size, paper orientation,
settings for headers and footers.
84When a New Word Document Is Created
- The moment a document is created, it loses its
connection with its parent with respect to
styles, content and page settings.
85Changing a Document Won't Change the Template
It's Attached to
- You can change the margins in a document and the
change won't affect the template. - You can add, delete or modify styles in a
document, and it won't affect the template.
86Changing the Template Won't Change Documents
Attached to the Template
- You can change the margin in a template, and it
will affect documents you create from this
template in the future. But it won't affect
existing documents attached to that template. - You can add, delete or modify styles in a
template, and the change will affect documents
you create from this template in the future. But
it won't affect existing documents.
87What Happens after a Document Is Born, While It
Is Being Edited?
- Once a document has been created, the template to
which it is attached takes on quite a different
role. - When a document is being edited, its template
sits in the background and makes four things
available to a document - two kinds of functionality
- macros
- AutoTexts
- two ways to access the functionality
- toolbars
- keyboard shortcuts (that is, a keyboard way and
a mouse way).
88Templates and Existing Word Documents
89Change Template Kelly
- You can attach a new template to a Word document
or change the template a Word document is
associated with. But nothing happens after you
execute the operations, because - A document inherited styles, content and page
settings from its parent template when it was
first created. You're not creating a new
document, so the styles, content and page
settings in the newly-attached template will not
affect the document at all. - The newly-attached template will sit in the
background, and make available the four things
that templates make available to documents - Macros
- AutoTexts
- Toolbars
- keyboard shortcuts
90Global Template ucsb
- A global template is a template whose
customizations will be available to all
documents, no matter what template they're
attached to. - Word allows a user to make a template global.
That means that its macros etc. will be available
to all templates. - Normal.dot is a global template.
91Word Macro
- A macro is just the name given to a series of
keystrokes that can be recorded and then played
back in order to automate a task. - These keystrokes are then transferred into a
series of commands which can then be rerun at any
time. - Macros are simple computer programs where the
code is often generated for you. - These macros run completely within an application
like Word and require no additional software. - Macros can be used to play back your actions and
can prevent you from having to perform tedious or
repetitive tasks.
92Where to Store Your Macro? Better Solutions
Limited
- There are two possible workbooks where you can
store your macros - Normal.dot - Storing your macros here will mean
that they are available every time Word is open
and are not reliant on any one particular
document. - Document - This is the default location and is
often the best place if you are relatively new to
macros. - A macro that has been saved into a specific
document is only available when that particular
document is open. The currently active document
is also referred to as the current document or
active document.
93Macros Shauna Kelly
- You can copy macros to and from documents and
templates using Tools gt Templates and Add-ins gt
Organizer.
94Properties of Microsoft Word Macro
- Microsoft Words macro system actually offers a
global pool macro area, as well as
document-specific macros. - Users can establish a set of global macros
available for use regardless of the document
being edited. - They also can use the local macros that accompany
a specific document during editing of that
document. - In the Microsoft scheme, macros can copy
themselves to and from the global and local
pools. - The global pool provides the macros with the
capability to migrate from one document to
another. - Upon execution, a macro can copy itself from a
local pool to the global pool. Later, executing
the same macro lets it copy itself from the
global pool to a new documenta nice feature, as
long as the user initiates the actions and knows
of the results. - Viruses can target this facility.
95How Macros can Migrate from File to File
Microsoft Word uses a template to create, edit,
or assemble a document. The default template is
called NORMAL.DOT.
96Auto-execution Facility
- The Word for Windows macro system also includes
an auto-execution facility that makes it
attractive to viruses. - Word for Windows has an AutoExec macro that
launches (if it is present in the global pool)
when a user starts the Word processor. - This facility can serve to execute other macros
and set up the users work environmentor a virus
can exploit it to ensure that the virus macro
executes upon Word for Windows startup. - In addition to the AutoExec macro, Word for
Windows contains numerous other macros that
activate during a normal editing session without
directly being activated by the user. - Any time the user opens a new document file, for
example, a macro known as AutoOpen executes from
the documents local macro pool (if present). A
virus could easily use this macro to copy itself
to the global pool as soon as a user opens the
document.
97Key Factors for the Emergence of Macro Viruses
- First of all, many popular applications, such as
desktop publishing, Word processing, and
spreadsheet programs, include macro capabilities.
Such widespread usage is attractive to a macro
virus from the standpoint that chances for
continued self-replication are high. - Secondly, it is far easier to write macro
language programs than assemble language
programs. The art of virus writing is no longer
limited to the technically astute. - Finally, executable program viruses rely upon a
systems CPU to directly execute its
instructions, whereas macro viruses dont.
Because of this, macros are platform independent.
- The same macro that runs in a Windows-based Word
processing program, for example, can also
function in its Macintosh and Unix counterparts.
98Macro Viruses
- Infect data files.
- Most common viruses nowadays.
- Macro viruses infect Microsoft Office Word,
Excel, PowerPoint and Access files. - Examples
- Melissa,
- WM.NicdDay,
- W97M.Groov.
99 100Boot Sector Viruses
- If a disk has a boot record virus, the virus
activates when the PC attempts to boot from the
floppy disk or hard disk. - Even if the PC cant start up from an infected
disk (such as when the floppy disk does not
contain the proper DOS system files), it attempts
to run the bootstrap routine, which is all a
virus needs to activate. - Like a terminate-and-stay-resident program, most
boot record viruses install themselves in the
host computers memory and hook into the various
system services provided by the computers BIOS
and operating system. - They remain active in RAM while a workstation
remains on. As long as they stay in memory, they
can continue to spread by infecting the floppy
disks that a computer accesses.
101- Floppy Boot Record Viruses
102Floppy Boot Record Viruses
- Most floppy boot record viruses can infect
- the hard drive MBR
- the active partition boot record
- the floppy disk boot record
- The floppy disk serves as a carrier for the
virus, allowing it to spread from one hard drive
to another. - After the virus places itself on the hard drive,
it can then infect other floppy disks that
inevitably make their way to other machines.
103When and How Floppy Boot Record Viruses Get
Control?
- Floppy boot record (FBR) viruses seize control of
the computer during system reset. - During the bootup sequence, the BIOS on most PCs
determines whether a floppy disk is present in
the floppy drive from which the computer is
configured to boot. - If the BIOS finds a disk in the drive, it assumes
that the user wants to boot from this disk. After
it locates the disk, the BIOS loads the floppy
boot record into the computers memory and
executes its bootstrap program.
104The Boot Sequence from an Infected Floppy Diskette
Virus reserves memory. Virus copies itself to
this memory Virus alters IVT to become proxy
service provider Virus attempts to infect hard
drive MBR or PBR.
Virus activities
Virus loads original non-viral and executes the
bootstrap routine
No SYS files
Display Message
Bootstrap routine checks for DOS system files
Bootstrap routine loads DOS system files and
execute them
stop
A prompt
105BIOS Data Area
- All PCs contain a reserved region of memory known
as the BIOS Data Area (BDA). - During the initial stages of the computers
bootup sequence (before control transfers to the
bootstrap routine) the BIOS bootup program
updates the BDA with information about the
configuration and the initial state of the
computer. - DOS relies on the information stored in the BDA
of memory to properly use the peripherals and
memory attached to the computer. - Almost all FBR viruses exploit DOSs dependence
on the BDA and update its contents to install
themselves into memory.
106Viruses Reserve Memory Stage 1
107Viruses Reserve Memory Stage 2
108Virus Copies Itself to Reserved Memory
- After the virus reserves memory for itself by
updating the BDA, it moves itself into the newly
reserved memory and attempts to hook into the
direct disk system services.
109Interrupt Vector Table
- The PC contains a memory structure, known as the
Interrupt Vector Table (IVT), which is like a
phone book that contains addresses for each of
the services that the computer might need as it
operates. - The IVT contains the addresses of ROM BIOS
service programs in the computers memory. When
the operating system needs to request a service,
it can look up the address of the corresponding
service provider in the IVT phone book and
determine where to send its request.
110IVT Entry Example
- The computers ROM BIOS contains disk service
routines that DOS calls upon to directly read
from and write to floppy disks and hard drives. - One of the IVT phone book entries contains the
address of the ROM BIOS disk service routines.
111Hook into the IVT Entry for Disk Service Provider
- The FBR virus hooks into the system services by
changing the contents of this entry and informing
the computer and any subsequent operating system
that it now is a proxy for the ROM BIOS disk
service provider. - All requests to read and write to disks on the
computer then are sent to the virus rather than
to the original ROM BIOS disk services. - Later, when the operating system makes a system
service request, the IVT is consulted and the
virus has the request sent to it. The virus can
then examine the request and, if it desires,
infect the floppy disk being accessed. - After the virus performs its mischief, it can
then redirect the request to the original ROM
BIOS driver so that it can be properly serviced.
112The Fully-installed Boot Virus
113Hook as a System Service
- Most FBR viruses attempt to install themselves as
a memory-resident driver at this point in the
bootup sequence. - In this way, the virus can monitor all disk
service requests during the operation of the
computer and infect additional floppy disks at
will .
114Conceptual Hierarchy of Service Providers after
the System is Infected
Conceptual hierarchy of service providers after
memory installation by the boot record virus
Application
Virus Resident Service Provider
115The Original FBR
- To complete its work, the FBR virus must retrieve
the original FBR on the floppy disk and initiate
the original bootup sequence as if the virus were
not present. This is important because a virus
must be unobtrusive to remain viable. - If the FBR virus installed itself in memory,
infected the hard drive, and caused bootup on the
floppy disk to fail, it might quickly be detected
and removed. - Most viruses maintain a copy of the original FBR
in one of the sectors at the end of the floppy
disk. After the virus installs itself in memory,
it loads the original FBR into memory and
executes the original bootstrap routine. The
bootstrap routine then proceeds normally,
completely oblivious to the presence of the virus.
116Infect Non-bootable Disk
- Most floppy disks contain data and dont carry
the DOS operating system files thus, after the
virus transfers control to the original bootstrap
routine, it displays a message such as
Non-system disk. At this point, the average
user realizes that he or she accidentally booted
from a data disk, removes the disk from the drive
and reboots. - This is why most FBR viruses infect the MBR or
active Partition Boot Record of the hard drive
during bootup. This infection guarantees that
even if the floppy disk doesnt contain the
proper operating system files, the virus can
still spread to the hard drive and eventually to
other disks.
117When and How the FBR Virus Infects New Items?
- Most FBR viruses attempt to infect disks whenever
they get a chance (although some viruses are more
discriminating than others). - If an infected floppy disk is in drive A, the
first opportunity presented to the FBR virus is
during a system reset. - Almost all FBR viruses also attempt to infect the
hard drives MBR or active Partition Boot Record
during the floppy boot process. - The FBR virus also has an opportunity to infect
after it installs itself in memory and designates
itself as the proxy disk service provider. Any
time thereafter when DOS or its programs attempt
to access a floppy disk (or the hard drive), the
operating system calls upon the virus.
118Detect Infected Disk
- Before a virus attempts to infect the floppy
disk, it must determine whether the disk has
already been infected. Most often, the virus does
so by loading the target FBR into memory and
comparing it to its own contents. - If the FBR virus ascertains that the target
floppy disk isnt yet infected, it proceeds with
the infection process.
119Examples
- Form.
- Disk Killer.
- Michelangelo.
- Stoned.
120- Master Boot Record Viruses
121Master Boot Record Viruses
- The MBR contains a bootstrap program which
according to the MBRs partition table determines
which partition is the active partition, and then
load and transfer control to the active
partitions Partition Boot Record (PBR) to finish
the loading of the DOS into memory. - Examples
- NYB,
- AntiExe,
- Unashamed.
122 123Program File Viruses
- Program file viruses (hereafter called just file
viruses ) use executable files as their medium
for propagation. They target one or more of the
three most common executable file formats used in
DOS COM files, EXE files, and SYS files. - The basic file virus replicates by attaching a
copy of itself to an uninfected executable
program. The virus then modifies the new host
program so that when the program executes, the
virus executes first.
124Examples
125Infection
- The file-infecting virus can only gain control of
the computer if the user or the operating system
executes a file infected with this virus. - In other words, infected files are harmless as
long as they are not executed they can be
copied, viewed, or deleted without incident.
126Execution of a COM Program
- COM programs have the simplest format of any of
the DOS executable file formats. - They also have the simplest loading sequence
- DOS reads the program directly into memory,
- then jumps to the first instruction (at the first
byte) of the program image. - When this action occurs, the program has complete
control of the computer, until it relinquishes
control back to DOS upon termination.
127COM Infections
- File viruses infect COM files by modifying the
machine-language program at the start of the
executable image. A virus can ensure that it
gains control in at least four different ways,
because execution in a COM file must begin at the
first byte in the executable image. - Prepending COM Viruses
- Appending COM Viruses
- Overwriting COM Viruses
- Improved Overwriting COM Viruses
128Prepending COM Viruses
- A virus can insert itself at the top of the COM
file, moving the original program down after the
viral code. - The entire virus is then located at the top of
the executable image, and is the first to execute
when the program is loaded. - This method of infection is known as prepending,
because the virus affixes itself to the beginning
of the host COM program
129Prepending COM Virus Infection
130Appending COM Viruses Inject the Virus
- A virus can modify the machine-language program
at the top of the executable image of the COM
file to transfer control to the virus, which can
be located elsewhere in the executable file. - The virus often attaches itself to the end of the
infected program and changes the first few
instructions at the top of the executable image
so that they transfer control to the viral code.
131Appending COM Viruses Handle the Original Code
- Before the virus changes the first few program
instructions, it must record what the host
programs original entry instructions were so
that it can repair the host program after it has
completed. - Without preserving these instructions, when the
virus transfers control to the host program, the
PC would most likely crash or work incorrectly,
foiling the virus attempts to remain
undiscovered. - This above method of infection is known as
appending, because the virus affixes its bulk to
the end of the host program
132Appending COM Virus Infection
133Overwriting COM Viruses
- The third technique used to infect COM files is
known as overwriting. Viruses that use this
technique often are crudely written. They infect
COM programs by entirely overwriting the start of
the host program with the viral code.
134Repair Files Infected by Overwriting COM Viruses
- Overwriting COM Viruses dont attempt to save a
copy of the hosts bytes that have been
overwritten. As a result, the original program
cant work after the virus executes. If a
computer becomes infected with a virus of this
type, the only way to repair the infected files
is to restore them from backups created before
the infection.
135Tricks Used by Overwriting COM Viruses to Avoid
Being Detected
- After overwriting viruses infect program files,
they either crash or display a bogus error
message such as Not enough memory to execute
program. Such error messages appear in an attempt
to convince the user that the PC has a memory
management problem rather than a virus.
136Overwriting COM Virus Infection
Overwriting virus
137Improved Overwriting COM Viruses
- The last method used to infect COM programs is
known as improved overwriting. - Assuming the virus is V bytes long, the virus
first reads the first V bytes of the host program
and then appends this information to the end of
the host program. The virus then overwrites the
top of the COM program using the V bytes of viral
code.
138Original Information of Infected Files
- The host program can be repaired and executed
normally after the virus completes its dirty
work, because the information from the uninfected
host program has been stored.
139Improved Overwriting COM Virus
Improved Overwriting Virus V bytes long
140EXE Infections
- Although numerous methods are used to infect COM
files, viruses use primarily one method to infect
EXE format files. - EXE files have a variable entry point specified
by the Code Segment (CS) and Instruction Pointer
(IP) fields of the file header. In the most
common form of EXE infection, the virus performs
the following sequence of actions - Records the hosts original entry point in
itself, so it can later execute the host program
normally. - Appends a copy of itself to the end of the host
program. - Changes the entry point (using CS and IP fields)
in the EXE header to point to the virus code. - Changes other fields in the header, including the
programs load-image size fields to reflect the
presence of the virus.
141EXE File before and after Infection
142How and When the File-Infecting Virus Gets
Control?
- Simply stated, a file-infecting virus gains
control of the computer when the user or
operating system executes an infected program. - When a user executes an infected program, DOS
loads the entire program into memory, virus and
all, and begins executing the program at its
entry point. - In infected files, the virus modifies the
location of the entry point or the machine-code
at the entry point so that the virus executes
first.
143Proliferation of File-Infecting Viruses
- After the virus machine code begins executing, it
can immediately seek out and infect other
executable programs on the computer, or it can
establish itself as a memory-resident service
provider in the operating system. - As a service provider, the virus can then in