DISKSEC2.DOC (from diskse24.zip), text file dated 1993-12-28
DISKSECURE II version 2.4
Hard Disk Protection Program Copyright (c)1990, 1991, 1993 by
Padgett Peterson
All Rights Reserved
I - Why low-level protection ?
II - What is DISKSECURE II ?
III - How is DISKSECURE II Loaded ?
IV - How is DISKSECURE II Removed ?
V - Malicious Software (viruses) and DISKSECURE II
VI - Return Codes
VII - Licensing - Now FreeWare
Appendix A - Hidden Sectors/Changing MBR/Changing DBR
Appendix B - DS2BYP and DS2MOVE
Appendix C - Other Files
I - Why Low-Level Protection ?
Today there are many anti-viral software products available
for the IBM-PC (and clones) platform running MS-DOS, OS/2, and UNIX, but
nearly all are invoked after the operating system has loaded (usually
from CONFIG.SYS or AUTOEXEC.BAT in MS-DOS). In many cases this is too late
for effective protection from common boot sector infectors (BSI) such as
STONED, MICHELANGELO, or the MUSICBUG. In the case of the "stealth"
variants, even state-of-the-art anti-virus routines such as the McAfee
programs must rely on detection of a viral signature in memory rather than
on detection of the infected sectors themselves.
At the operating system level, too many extra programs have been
piled upon the basic disk access routines to be able to reliably separate
the actions of legitimate drivers and TSRs from the activity of malicious
software.
There is a point at which executable code may be placed that
will always be executed during the boot of a hard disk when the low
level activities have not yet been masked - during the execution of
the Master Boot Record. At this point the organization of a PC is defined
according to the IBM BIOS specification. In most cases this structure is
impossible for malicious software to subvert without causing a detectable
change. As of August, 1993 there are no known boot sector viruses that
can bypass detection at this level.
Additionally, there are many access control packages available
that provide strict control and full encryption of systems. DISKSECURE II
does not attempt to do this, rather it is intended as a simple, unobtrusive
primary access and virus control mechanism that does not require
administration, and which may be installed/removed/modified with a simple
menu-driven interface.
II - What DISKSECURE II Does
Simply put, DISKSECURE II replaces the Master Boot Record on
a hard disk with its own code. The necessary elements of the original
partition table are stored on an unused part of the disk and presented
to the authenticated operating system as required. Unauthorized boot
programs (such as the BRAIN, STONED, or AZUSA viruses) will not be
able to access the partition table as expected.
DISKSECURE II has multiple elements: three are contained in the file
DISKSEC2.EXE supplied with this document. The first is an interactive
installation/maintenance/removal module that allows the user to activate,
change, or remove DISKSECURE II on a hard disk. The second is a replacement
for the hard disk Master Boot Record that performs load-time checking, prevents
DOS access to the hard disk if booted from a floppy, and contains the
password access routine if implemented. The third element is a resident
protection program that takes up 1k of RAM and protects the partition
table, hidden sectors, and boot sector of a conventionally partitioned hard
disk.
To this, DISKSECURE II adds Novell Server compatibility, Windows
3.1 32BitDiskAccess compatibility, and the ability to transform itself
from a 1K TSR at the Top of Memory into a 304 byte TSR in low memory (DOS
3.2 and above only).
Once loaded, DISKSECURE II will prevent access to the fixed disk from
DOS if the resident portion of DISKSECURE II is not in memory. If password
access has been invoked, this password must be given before DISKSECURE II
will become resident, allow the OS to load, and before DISKSECURE II can be
changed or removed.
In the event of accidental booting from an infected floppy disk,
DISKSECURE II adds the ability to automatically detect and disinfect any
virus that does not overwrite the MBR. Viruses that do overwrite the MBR are
rare, but they will render the system unbootable. In this event, the Recovery
Disk has two different means for recovery (use of the DiskSec2.exe and the
Dspart.dat files).
Recently, a single easily detectable virus has been seen which
blindly corrupts the DOS Boot Record. DS II will detect this, and removal
is generally a matter of booting through DS II to a floppy and using the
BYPASS module to SYS the fixed disk. This mechanism should work so long as
the fixed disk is accessible on a floppy boot (Ctrl key held down).
However, the user must realize that should a boot from an infected
floppy occur before DS II loads, anything could happen and the best that
can be done is to detect that action. See the comments on BIOSes which allow
boot disk selection.
DISKSECURE II adds the capability to boot from a conventional floppy
if the Ctrl key is held down during boot. No special Maintenance floppy is
needed. This should remove all opposition to setting those BIOSes which
permit it to boot from the fixed disk only.
Other elements of DISKSECURE II include an automated installation
program (DS2INST.BAT) - installation may be done manually if desired,
a program to verify proper operation of DISKSECURE II (DS2CHK.EXE), a
program to move the DISKSECURE II TSR into low memory (DS2MOVE.SYS), and
a program to allow coexistence with otherwise incompatible programs (DS2BYP.EXE).
III - How DISKSECURE II is Loaded
The modification program may be loaded either from the fixed
disk or from a separate, bootable floppy (recommended). It is designed
to recognize if DISKSECURE II is resident, will make many checks to
ensure the integrity of the program, and will warn the user of anything
unusual that it finds.
If DOS 6.0 or above is in use, it is suggested that DS II be
installed following a "Bypass Boot" (press F5 during boot so that
CONFIG.SYS and AUTOEXEC.BAT are bypassed).
The DISKSEC2 program is invoked by executing it from either the DOS
prompt (automatic installation from other OSs is not yet available) or the
batch file (DS2INST.BAT). DISKSECURE II will check the number of fixed
disks present and verify this with the user before proceeding. Following
this, DISKSECURE II will require the user to input a password, if this
additional protection is in use, before proceeding. At this point, a
first-time user will be presented with a warning message before the menu
is presented. The user may then select a choice from the menu (the menu
will change to accommodate the state of DISKSECURE II in the system).
During installation, the user will be asked to save the partition
tables to a file (default: DSPART.COM). This file should be copied to
a known clean, bootable floppy disk. If all else fails, the system may be
booted from the floppy and DSPART executed. Even if the disk is
unrecognizable by DOS, this will replace the partition table. WARNING: if
this file is executed on a machine other than the original, or if the partition
table has been changed by repartitioning, all data on the disk could be lost.
Where multiple machines are to be protected, it is suggested that
each machine have a unique and identifiable recovery disk and that DSPART.DAT
be renamed to identify the PC it was created on. Recovery files
for multiple machines can, however, be stored on a single floppy along with a
single copy of DiskSec2.exe.
Should it be necessary to repartition a disk or to upgrade the operating
system, the simple removal procedure must be followed first, as DISKSECURE II
will trap any attempt to write to the MBR, hidden sectors, or the boot record.
DS2BYP should not be used for this purpose, as the essential signatures will
have changed afterwards.
Also provided is the program DS2CHK.EXE. This will allow the user
to check if DISKSECURE II is in memory: when run, it displays nothing if
DISKSECURE II is not active, and displays the DISKSECURE II logo if it is
active. An errorlevel of (0) is returned if DISKSECURE II is not found,
(1) if DISKSECURE II is resident but not in control (e.g. QEMM 6.0+ "stealth"
in use), and (2) if in memory and in control. DS2CHK.EXE may be invoked
as part of a network login script to verify proper use on a client PC.
The other two major programs included are DS2MOVE.SYS (explained
above) and DS2BYP.EXE. The second should be used with care and only when
necessary to accommodate programs requiring low level access. See also
Appendix B.
Note: After activation, if booted from a floppy DOS will not recognize
the hard disk(s) and, if additional removable media are present,
DOS may recognize them as the C: drive. This will not affect
the operation of DS2CHK.EXE nor will it endanger the data on the
fixed disk. If DISKSECURE II is removed, on the next boot the fixed
disk(s) will again be recognizable by DOS from a floppy. The disk will
always be recognized when booted from a floppy disk through DISKSECURE
II (by holding the Ctrl key down during boot) so long as DISKSECURE II
maintains validity. (if failure occurs, see RECOVERY above).
Use of the DSPART.DAT file as outlined above from a standard DOS
bootable floppy will recover the disk even if DOS reports the
disk unavailable. On the next boot, the drive will be again
accessible, however DISKSECURE II will have been removed and must
be re-installed to restore protection.
IV - How DISKSECURE II is Removed
In the event that it is necessary to remove DISKSECURE II from a PC,
the best way is to use the DISKSEC2.EXE program, either from the
MAINTENANCE floppy or from the c:\ds directory. When DS II is resident, the
program will detect this and modify the menu to include a REMOVE option.
If a password is in use, it will be necessary to provide this also.
Secondly, the machine can be booted from a regular floppy disk
and the DiskSec2.exe program executed. If a password is in effect this
must be entered for activity.
If the disk should become corrupt, the DSPART.COM program on the
RECOVERY disk may be used for an emergency recovery of the low levels after
which the machine may be rebooted and conventional recovery tools used.
While effective, this should be used only as a "last resort".
V - Malicious Software and DISKSECURE II
DISKSECURE II is a software program. Consequently, even though it
is the first software loaded from a fixed disk, it CAN be infected or
damaged should an inadvertent boot from an infected floppy disk take
place, even though DOS will not recognize the fixed disk. Only hardware,
in the form of a ROM extension or custom BIOS, can prevent this.
One effective means with newer BIOSes is to set the CMOS so that
the PC will always boot from the C: drive first. Since DISKSECURE II
allows transfer of a boot to floppy by holding the Ctrl key down during boot,
selection of the A: drive need never be automatic. This combined with
DiskSecure II is effective against every known virus or viral technique
(and a few that haven't been seen yet - don't ask 8*).
What DISKSECURE II can and does do is to recognize immediately
when it is loaded that an infection has occurred, display an error
message as listed below, and refuse to proceed with the boot process until
corrected (in most cases the correction is automatic and waits only for
permission from the user; in rare cases, booting from a floppy will be
necessary for correction). In any case the machine will not boot unless
DISKSECURE II's multiple redundant criteria are met.
Additionally, certain destructive viruses (such as AZUSA) can
destroy DISKSECURE II. In this event, the disk will be unable to boot and
the drive will be unrecognizable from a floppy. The use of DSPART.DAT,
stored on a bootable floppy, renamed DSPART.COM, and executed will
restore the partition table to a usable condition. In any event, the
attack will be immediately noticeable and containable.
DISKSECURE II boot error messages: see ERROR.MSG file.
Additionally, some malicious software (as well as some low-level
programs) may try to write to DISKSECURE II protected areas on the disk. In
this case a message may appear on the screen "DISKSECURE II TRAP: x" where x
indicates the trapped function. If this should happen during a legitimate
program, use of DS2BYP will be necessary. This should be done only under
known safe conditions.
A DISKSECURE II trap will occur on an attempt to write to any of the
"hidden" sectors or to the first partition's boot sector, or on an
attempt to format any sector on the protected disk(s). (Note: many OS format
programs do not actually "format" the disk; only a low-level format, such as
is done by programs that set the interleave of a disk, does this. An
MS-DOS 3.3 "FORMAT" will not trigger a DISKSECURE II trap until it is nearly
complete, and information may be lost.)
Generally, this will only occur if a program attempts to change disk
interleave, boot record/partitioning, or on complete replacement of the
operating system (Central Point Software's COMPRESS and Peter Norton's
SpeedDisk are not affected, Peter Norton's CONFIGUR, MS-DOS FDISK, and
Steve Gibson's SPINRITE are).
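The trap rules above can be stated precisely in terms of the BIOS INT 13h request that the resident module sees. The following is an added example, not DISKSECURE II's own code: it models the decision the document describes (trap writes that touch the MBR, the rest of track 0, or the first partition's DOS boot record; trap any format on the protected disk; pass everything else, including all traffic to other drives) and applies it to a constructed log of requests. The 4-head, 17-sector geometry, the BIOS drive numbers and the request labels are assumptions made for the illustration.

```python
# Added example (not part of the DISKSECURE II package): a model of the
# write/format trap rules of section V applied to INT 13h requests.
# Geometry, drive numbers and the request log below are constructed.

READ_SECTORS, WRITE_SECTORS, FORMAT_TRACK = 0x02, 0x03, 0x05   # INT 13h AH values


class ProtectedDisk:
    """Protected regions of one fixed disk: the MBR plus the rest of track 0
    (the hidden sectors) and the first partition's DOS boot record (DBR)."""

    def __init__(self, bios_drive, heads, sectors_per_track, dbr_chs):
        self.drive = bios_drive
        self.heads = heads
        self.spt = sectors_per_track
        self.protected = set(range(sectors_per_track))   # LBA 0 .. spt-1 (track 0)
        self.protected.add(self.chs_to_lba(dbr_chs))      # the DBR sector

    def chs_to_lba(self, chs):
        cylinder, head, sector = chs
        return (cylinder * self.heads + head) * self.spt + (sector - 1)


def trap(disk, ah, drive, chs=(0, 0, 1), count=1):
    """Return None if the request may pass to the BIOS, otherwise the trapped
    function number (the "x" in "DISKSECURE II TRAP: x")."""
    if drive != disk.drive:
        return None                     # floppies and other drives are not protected
    if ah == FORMAT_TRACK:
        return ah                       # any format of the protected disk traps
    if ah == WRITE_SECTORS:
        start = disk.chs_to_lba(chs)
        # a multi-sector write is trapped if any sector of it is protected
        if any(lba in disk.protected for lba in range(start, start + count)):
            return ah
    return None                         # reads and writes to the data area pass


def run_log(disk, requests):
    """Decide each (label, ah, drive, chs, count) request; returns (label, verdict) pairs."""
    out = []
    for label, ah, drive, chs, count in requests:
        x = trap(disk, ah, drive, chs, count)
        out.append((label, "pass" if x is None else f"TRAP: {x}"))
    return out


# Constructed: 4 heads, 17 sectors/track, first partition at cylinder 0 head 1 sector 1.
DISK = ProtectedDisk(0x80, 4, 17, (0, 1, 1))
REQUESTS = [
    ("read MBR",                        READ_SECTORS,  0x80, (0, 0, 1),   1),
    ("virus writes new MBR",            WRITE_SECTORS, 0x80, (0, 0, 1),   1),
    ("virus parks old MBR in track 0",  WRITE_SECTORS, 0x80, (0, 0, 7),   1),
    ("write DOS boot record",           WRITE_SECTORS, 0x80, (0, 1, 1),   1),
    ("write first FAT sectors",         WRITE_SECTORS, 0x80, (0, 1, 2),  16),
    ("write crossing track 0 into DBR", WRITE_SECTORS, 0x80, (0, 0, 16),  3),
    ("write user data",                 WRITE_SECTORS, 0x80, (120, 2, 5), 8),
    ("low-level format cylinder 120",   FORMAT_TRACK,  0x80, (120, 2, 1), 17),
    ("write floppy boot sector",        WRITE_SECTORS, 0x00, (0, 0, 1),   1),
]

if __name__ == "__main__":
    for label, verdict in run_log(DISK, REQUESTS):
        print(f"{label:34} {verdict}")
```

The model explains two things the text states without spelling out: a write that begins in the data area but runs back into track 0 or the DBR is still trapped, and a high-level FORMAT that rewrites the data area first and the boot record last will pass until its final write, which is consistent with the note above that MS-DOS 3.3 FORMAT is not trapped until nearly complete.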
Further, DISKSECURE II has proven safe with all major disk
compression programs including Stacker, SuperStor Pro, and DblSpace.
DISKSECURE II cannot protect the FATs or Directory structure since
the user must be able to modify these. Other programs such as Enigma-
Logic's VIRUS-SAFE, Certus International's CERTUS, Fischer's PC-WATCHDOG, the
McAfee Programs, the Dr. Panda Utilities, Ross Greenberg's FLUSHOT, and
Fridrik Skulason's F-PROT exist for this function. DISKSECURE II was created
to plug a hole that exists under the operating system so that a reasonable
expectation of a clean system can be had when the "C:\>" prompt appears.
VI - Return Codes
On termination (if not a reboot) DISKSECURE II returns various error
codes to indicate the reason. These may be used by a batch file
for checking/corrective action, however DISKSECURE II is primarily
a manual, interactive program.
DISKSEC2.EXE
user terminated codes
code (hex)
0 (0) Program completed with no errors
1 (1) Following warning message
2 (2) Following TOM/COMPARE message - possible virus
3 (3) Following number of fixed disks message
7 (7) Following save to file request
program terminated codes
code (hex)
8 (8) No hard disk responding
9 (9) Disk access failure
10 (A) No active partition table located
11 (B) Error in sector one on disk - possible virus
12 (C) Active partition table not in proper place - possible virus
14 (E) No "Hidden Sectors" on disk (an early version of FDISK was used),
or Changing MBR (see actual error message). See Appendix A.
DS2CHK.EXE
0 (0) DISKSECURE II not present in memory
1 (1) DISKSECURE II present in memory but not in control
(low interrupt vector seen only with QEMM 6.0+ "stealth")
2 (2) DISKSECURE II present in memory and in control
4 (4) DISKSECURE II has been disabled in some other manner
8 (8) Disk did not respond (should not occur)
VII - Licensing
DISKSECURE II is copyrighted material distributed both as individual
copies and on site/entity licenses.
With version 2.4, DISKSECURE follows the trend I began with the
FixUtilities of being FreeWare to individuals, however retaining Copyright.
It is not public domain material. It may not be altered in any way or
distributed except as a complete package (see the DSxx.VAL file for a list
of contents).
Customized versions including special switches, logos, encryption,
full partition protection, enforced acceptance, and disclaimers such as:
"Property of the XYZ Corporation & is for Authorized Users Only.
The right is reserved to monitor any and all transmissions, keystrokes,
and storage on this system."
are available on a site licensing basis.
Donations cheerfully accepted 8*) Padgett Peterson
POB 1203
Windermere, Florida, 32819
407.352.6027
Appendix A - Hidden Sectors / Mutable MBR
While all disk partitioning schemes since the release of PC-DOS
3.0 in early 1984 have aligned partitions on cylinder boundaries, very
early disk partitioning programs (e.g. FDISK 1.00) did not perform this
alignment. DISKSECURE II relies on this alignment for installation and
protection, therefore the installation procedure verifies that no partition
violates this requirement.
Should a disk without this alignment be found on the system (DISKSECURE II
checks all fixed disks), the installation process will terminate with the
warning "No Hidden Sectors...". In this case, it will be necessary to
repartition the disk using a later version of the partitioning software.
Note: It is possible to be running a later version of DOS or other OS
with a disk partitioned using the early scheme so the DOS "VER"
command cannot be used to reliably test for this condition. Peter
Norton's DI (DiskInfo) and other software will report the number
of "hidden sectors" on a disk. This value should be equal to the
number of sectors per track.
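The test described in this appendix (hidden sectors equal to sectors per track, partitions on cylinder boundaries) can be run against the 64-byte partition table itself rather than through a third-party utility. The following is an added example, not part of the DISKSECURE II package: it parses the standard IBM partition table layout (four 16-byte entries at offset 446 of the MBR, each holding a boot flag, packed start and end CHS, a type byte, the relative starting sector and the total sector count, followed by the 55h AAh signature) and applies the check. The 4-head, 17-sector geometry and the two sample MBRs, one laid out as DOS 3.0+ FDISK would and one starting at sector 2 of track 0 in the early FDISK 1.00 manner, are constructed for the illustration.

```python
# Added example (not DISKSECURE II's own code): parse a CHS-addressed MBR
# partition table and apply the Appendix A "hidden sectors" check.
# The sample geometry and MBRs below are constructed.
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # partition table follows 446 bytes of boot code
BOOT_SIGNATURE = 0xAA55       # stored little-endian as 55h AAh at offset 510
ENTRY_FORMAT = "<BBBBBBBBII"  # boot flag, start CHS, type, end CHS, rel. sector, total


def encode_chs(cylinder, head, sector):
    """Pack CHS into the 3-byte form used in partition entries
    (head; sector in low 6 bits with cylinder bits 8-9 on top; cylinder low 8 bits)."""
    return head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF


def decode_chs(head, sector_byte, cylinder_byte):
    sector = sector_byte & 0x3F
    cylinder = ((sector_byte & 0xC0) << 2) | cylinder_byte
    return cylinder, head, sector


def chs_to_lba(chs, heads, spt):
    cylinder, head, sector = chs
    return (cylinder * heads + head) * spt + (sector - 1)


def make_entry(bootable, ptype, start_chs, end_chs, rel_sector, total):
    return struct.pack(ENTRY_FORMAT, 0x80 if bootable else 0x00,
                       *encode_chs(*start_chs), ptype, *encode_chs(*end_chs),
                       rel_sector, total)


def make_mbr(entries):
    """Assemble a 512-byte MBR: zeroed boot code, up to 4 entries, signature."""
    table = b"".join(entries).ljust(64, b"\x00")
    return bytes(TABLE_OFFSET) + table + struct.pack("<H", BOOT_SIGNATURE)


def parse_partition_table(mbr):
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if struct.unpack_from("<H", mbr, 510)[0] != BOOT_SIGNATURE:
        raise ValueError("boot signature 55h AAh missing")
    entries = []
    for index in range(4):
        fields = struct.unpack_from(ENTRY_FORMAT, mbr, TABLE_OFFSET + 16 * index)
        boot, h, s, c, ptype, eh, es, ec, rel, total = fields
        if ptype == 0:
            continue                                   # empty slot
        entries.append({"index": index, "bootable": boot == 0x80, "type": ptype,
                        "start_chs": decode_chs(h, s, c),
                        "end_chs": decode_chs(eh, es, ec),
                        "rel_sector": rel, "total": total})
    return entries


def check_alignment(entries, heads, spt):
    """Return (hidden_sectors, problems). An empty problem list means the
    layout is one on which the hidden-sector scheme can be used."""
    if not entries:
        return 0, ["no partitions defined"]
    first = min(entries, key=lambda e: e["rel_sector"])
    hidden = first["rel_sector"]                       # sectors before partition 1
    problems = []
    for e in entries:
        tag = f"partition {e['index']}"
        if chs_to_lba(e["start_chs"], heads, spt) != e["rel_sector"]:
            problems.append(f"{tag}: start CHS disagrees with relative sector")
        if e is first:
            if hidden != spt:
                problems.append(f"{tag}: {hidden} hidden sectors, expected {spt} (one track)")
        elif e["rel_sector"] % (heads * spt) != 0:
            problems.append(f"{tag}: does not start on a cylinder boundary")
    return hidden, problems


# Constructed sample layouts on an XT-class geometry: 4 heads, 17 sectors/track.
HEADS, SPT = 4, 17
ALIGNED_MBR = make_mbr([make_entry(True, 0x04, (0, 1, 1), (305, 3, 17), 17, 20791)])
UNALIGNED_MBR = make_mbr([make_entry(True, 0x01, (0, 0, 2), (305, 3, 17), 1, 20807)])

if __name__ == "__main__":
    for name, mbr in (("DOS 3.0+ layout", ALIGNED_MBR), ("FDISK 1.00 layout", UNALIGNED_MBR)):
        hidden, problems = check_alignment(parse_partition_table(mbr), HEADS, SPT)
        print(f"{name}: hidden sectors = {hidden}; " + ("; ".join(problems) or "OK"))
```

To check a real drive, read its first sector with a low-level tool into a file and pass the 512 bytes to parse_partition_table with the drive's BIOS geometry; the "relative sector" of the first partition is exactly the hidden-sector count that DI reports.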
Changing MBR
Another condition that DISKSECURE II cannot cope with is that
a very small number of disk controllers write directly to the MBR at
intervals. This has only been observed on early XT hard disk units;
however, the integrity of the MBR of a disk protected by DISKSECURE II must be
maintained. If this is discovered during installation, the installation
process will issue a warning and abort. If it should occur during a boot,
the MATCH ERROR termination will occur and the recovery disk should
be used to restore the disk. Re-installation should not occur until the
cause (viral or otherwise) has been determined.
Changing DBR
Even rarer are the operating systems which write often to the
DBR but they do exist. Zenith ZDS 3.0, 3.1, and 3.2 plus a few early
HP Vectras are known to exhibit this behavior. Should periodic "DS II
TRAP: 3" messages occur during the boot process, this may be the cause
since DS II will protect the DBR from writing by any software.
One virus has been seen which on boot from floppy will blindly
write to a common DBR location. If DS II is not running then there is
no means of protection from this. It will be detected on the next full
boot. (see section 2). It is unlikely that this virus will be very
successful.
Appendix B - DS2BYP and DS2MOVE
The two special adjunct files provided with DISKSECURE II have
unique properties that are only functional with versions of DOS of 3.2
or above.
DS2MOVE.SYS is the most important as it allows moving of DISKSECURE II
from a 1k area at the Top of Memory (a 640k machine will report 639k)
to a 304 byte area of low memory restoring the full 640k to DOS. This
program is placed in CONFIG.SYS (best if first driver loaded except when
QEMM DOSDATA driver is in use) and has no switches.
DS2BYP.EXE is for use *only* when a program proves completely incompatible
with DISKSECURE II (such as Windows 3.1 in 32BitDiskAccess mode). It
is invoked as follows: DS2BYP <drive>:<path><filename.ext>. DS2BYP
only accepts programs with .COM and .EXE extensions, and the drive, path
and filename must be fully expanded (no PATH searches or wildcards
are permitted). Only one program will run on each invocation. This
rigorous approach is to prevent, as far as possible, any possibility of a
spoof or companion attack. Use with caution.
Appendix C - Other executable and batch files
DS2INST.BAT - a batch file to be used when installing DISKSECURE II
from a floppy disk. It will create a directory \DS
on the C: drive, copy the files from the floppy
into that directory, patch the AUTOEXEC.BAT file
to include verification of DISKSECURE II in memory on
boot (recommended but may be omitted), and invoke
the main program for installation.
DS.B - Batch file commands to be added to AUTOEXEC.BAT for the
checking referred to under DS2INST.BAT
ASK.COM - 10 byte file for making .BATch files interactive. ASK
will wait for a keystroke and return an errorlevel
that may be used by an "IF ERRORLEVEL" construct.
CHK512.COM - Short .COM file to identify certain incompatible drives
CHKINT13.COM - Short .COM file to verify a "clean" path to the BIOS disk
access.
DOS32.COM - Short .COM file to verify use of DOS 3.2 or later.
QEMMST.COM - Short .COM file to detect use of QEMM 6.0 & above "stealth"