Archived in the Hackers Underworld 2: Forbidden Knowledge CD-ROM image as VIRUS/VIRUS101.001 (Internet Message Format, 1994-07-17, 14KB)
From: woodside@ttidca.TTI.COM (George Woodside)
Newsgroups: comp.sys.atari.st,comp.sys.apple,comp.sys.mac,comp.sys.ibm.pc
Subject: Virus 101 - Chapter 1
Date: 1 Mar 89 14:39:58 GMT
Preface: The program VKILLER is specific to the ATARI ST. My apologies
for not making this clear in the previous posting, which went to
several newsgroups. I have received far too many requests for the
program from users of other systems to reply to each one individually,
and the mailer has bounced some of the replies I tried to send. If you
have an Atari, VKILLER was posted here a few weeks ago, and is
available in the archives, on GEnie, Compuserve, and from most public
domain disk distributors and User Group libraries. The current version
is 2.01.
Initial postings will cover virus fundamentals, as they apply to the
area of the Atari ST and, similarly, to MS-DOS systems. The file
systems of the two machines are nearly identical. These general
information articles will be cross-posted to the newsgroups in which
this topic is now active. Future postings will be made only to the
Atari newsgroup, since they will deal with viruses (the plural,
according to Webster's, is viruses) known to exist in the ST world.
They would automatically be different from an IBM virus, since they
are in the 68000 instruction set, or from a Mac or Amiga virus, since
the file systems differ. Since all the viruses I have located are the
"BOOT SECTOR" type (far and away the most common), that's what I will
dwell upon. If and when the proposed newsgroup comp.virus becomes
active, it will be added to the list for all postings.
Your generic disclaimer: I'm just an old-school computer hacker, with 20
years in the software business. I built my first IMSAI many years ago,
and have had several different computers. That qualifies me to have
spent a lot of time on computers, but nothing further. I may be wrong
about some things, may have a different opinion than you or anybody
else, or most anything else you'd care to have disclaimed. What I
think is my own opinion, and in no way represents the opinion or
position of my employer or anyone else. I've written several articles
for magazines as well as software related to virus detection and
killing, but I have been known to be wrong (so they tell me :^)).
While posting any kind of information about viruses may trigger
someone to attempt creating one, I believe that the benefit of the
knowledge to potential victims outweighs that risk. I don't believe
that you can stop someone (who wishes to) from creating a virus by
withholding information - it is already available from many sources.
Since not all viruses act the same, or attempt to attack in the same
manner, it may help potential (or current) victims to learn about the
symptoms of the viruses known to exist, and how to protect themselves.
While the concept of viruses can be complex, I'll try to keep things
at a level that should be understandable by most anyone past the
casual user genre. However, since I've been at this sort of thing for
some time, what I consider basic knowledge may not be familiar to
everyone. Advance apologies are offered here for any invalid
assumptions, typos, smart alec remarks, grammatical errors, or whatever
offends you.
Some basic terms, as they have come to be used in this area:
A VIRUS is any program which spreads itself secretly. It may be
destructive, a prank, or even intended to be helpful, but it spreads.
A TROJAN HORSE is a program which executes one function secretly while
appearing to be accomplishing some other task, or appearing to be some
other program entirely. One task a Trojan Horse may accomplish is to
install a virus, which would then spread itself.
A WORM is a program or function which embeds itself inside another
program, be it an application, part of a system, a library or
whatever. It may or may not spread itself by some means, and may or
may not have destructive intents.
Now, to the basics of a disk (specifically floppies, but true of most
hard disks as well):
A DIRECTORY is a list of files and sub-directories. There is one
primary directory (called the root directory) on a disk. It contains
the entries for files, and other directories (called sub-directories,
or folders on the Atari). Sub-directories (folders) may contain
entries of other sub-directories, files, or both. Every file has one
entry in the disk directory (or in some sub-directory). That entry
contains, among other things, the file name, date and time of
creation, length, and the address of the first entry in the File
Allocation Table (FAT) for the file.
A FAT is a File Allocation Table. It is a road map of how the
operating system will locate data on a disk. Essentially, it is a
series of pointers. The directory entry of a file points to the first
FAT entry of that file. That entry points to the next, and so on,
until the last entry, which contains a special value indicating end of
file. There are two copies of the FAT on the disk, since it is
absolutely critical. Lose the FAT, and the data on the disk becomes
inaccessible.
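To make the directory-to-FAT chain above concrete, here is an added example (written for this edit, not code from the posting or from VKILLER) that packs and walks a FAT the way the Atari ST and MS-DOS floppy format stores it; that the entries are 12 bits wide is taken from the format itself, not from the text, and the sample FAT is constructed.

```python
# Added example: pack and walk a 12-bit FAT as the Atari ST / MS-DOS floppy
# format stores it (12-bit entries are an assumption from the format, not a
# statement on the page). The sample FAT below is constructed.
FAT12_EOF = 0xFF8        # any entry >= 0xFF8 marks the end of a file
FAT12_BAD = 0xFF7        # marks a bad cluster; a chain must never reach it

def fat12_get(fat: bytes, n: int) -> int:
    """Read 12-bit entry n (two entries share each three-byte group)."""
    off = n * 3 // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0xFFF

def fat12_set(fat: bytearray, n: int, value: int) -> None:
    """Write 12-bit entry n without disturbing the neighbouring entry."""
    off = n * 3 // 2
    word = fat[off] | (fat[off + 1] << 8)
    if n & 1:
        word = (word & 0x000F) | ((value & 0xFFF) << 4)
    else:
        word = (word & 0xF000) | (value & 0xFFF)
    fat[off] = word & 0xFF
    fat[off + 1] = word >> 8

def follow_chain(fat: bytes, first: int, last_cluster: int) -> list:
    """Return a file's cluster list, starting from the first-cluster number
    held in its directory entry and stopping at the end-of-file marker.
    Raises if the chain loops or leaves the data area (a damaged FAT)."""
    chain, seen, cur = [], set(), first
    while cur < FAT12_EOF:
        if cur in seen or cur < 2 or cur > last_cluster or cur == FAT12_BAD:
            raise ValueError("broken FAT chain at entry %d" % cur)
        seen.add(cur)
        chain.append(cur)
        cur = fat12_get(fat, cur)
    return chain

# Constructed sample: one 5-sector FAT copy (5 * 512 bytes) holding a single
# file on clusters 2 -> 3 -> 7 -> EOF. Entries 0 and 1 carry the media byte.
SAMPLE_FAT = bytearray(5 * 512)
fat12_set(SAMPLE_FAT, 0, 0xFF8)
fat12_set(SAMPLE_FAT, 1, 0xFFF)
fat12_set(SAMPLE_FAT, 2, 3)
fat12_set(SAMPLE_FAT, 3, 7)
fat12_set(SAMPLE_FAT, 7, 0xFFF)

if __name__ == "__main__":
    # The 720-sector disk described above has 702 data sectors: 351 clusters
    # of two sectors each, numbered 2 through 352.
    print(follow_chain(SAMPLE_FAT, 2, 352))
```

Since the disk carries two FAT copies, the same walk run against each copy, with the results compared, is a cheap consistency check for a disk whose directory looks damaged.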
A BOOT SECTOR is the first sector on a floppy disk. With the Atari
(and MS-DOS) system, it contains configuration information about the
disk. That information includes how many tracks are on the disk, how
many sectors per track, how many sides on the disk, how big the FATs
and directories are, where the data begins, etc. On the MS-DOS
systems, the boot sector contains the ID of the operating system under
which it was formatted. On the Atari, that value is not used, but
replaced (in part) by a number. That number should be different on
every disk, and is used as part of the mechanism by which disk changes
are detected. The boot sector may or may not contain executable code.
If it does contain executable code, it is normally executed only at system
powerup or system reset time.
On all such disks, the boot sector is number 0, the first sector on the
first side of the first track. On a standard format Atari disk, the
next five sectors are the first copy of the FAT, the next five sectors
are the second copy of the FAT, the next seven sectors are the root
directory, and the remainder of the disk is available for data.
Now, on with the show:
Floppy disks are changed on a regular basis while the computer is
being used. More so on systems with no hard disks, but periodically on
most all systems. This event, referred to as a "Media Change", is
detected by the computer's disk drive. The disk door is opened, the
status of the write protection changes as one disk is removed and
another is inserted, etc. When that happens, the operating system must
recognize that the disk has been changed before attempting to read or
write to the new disk. The operating system reads the disk's boot
sector to learn about the newly inserted disk. That instant, when the
operating system checks the new disk, is when nearly all the boot
sector viruses spread. We'll get to that in the next chapter, but first,
a more primary question:
How did the virus get in there?
When a computer is booted up from a power off state, or reset (in most
cases), it starts executing code from internal ROMs. Those ROMs set up
primary vectors, minimal configuration information, and perform some
fundamental tests. Then they start moving into uncharted waters. They
have to find out what devices are attached, and get them into
operating status. They also have to provide a means of expanding their
own capabilities to support new devices, functions, and whatever else
which may not have existed when the ROMs were created. One of the
means by which this is accomplished is by checking various addresses
for special codes, magic numbers, or any kind of response to a read
or write. Another function which may be enabled is checking the boot
sector on an inserted floppy disk for executable status. If that boot
sector has executable status, the code contained in the boot sector is
executed. That code may cause other portions of the disk to be loaded
and executed, set variables or vectors, or nearly anything imaginable.
That includes infecting the system with a virus, if that's what the
boot sector code contains.
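As an added example covering both the boot sector layout given earlier and the "executable status" check in the last paragraph (this is code written for this edit, not VKILLER and not anything from the posting): it decodes the geometry fields of sector 0 and tests whether the Atari loader would run the code in it. The field offsets and the rule that TOS executes a boot sector only when its 256 big-endian words sum to 0x1234 are assumptions taken from the Atari ST format, not statements on the page; the sample sector is constructed.

```python
import struct

# Added example (not VKILLER, not code from the posting): decode the layout
# fields of an Atari ST / MS-DOS boot sector and test whether the Atari TOS
# loader would treat it as executable. Field offsets and the 0x1234 checksum
# rule are assumed from the Atari ST format, not stated on the page.
SECTOR = 512
ATARI_BOOT_MAGIC = 0x1234

def parse_boot_sector(sec: bytes) -> dict:
    """Pull the geometry fields out of sector 0 (little-endian, as on MS-DOS)."""
    assert len(sec) == SECTOR
    (bps, spc, reserved, nfats, ndirs, nsects, media,
     spf, spt, nsides, nhid) = struct.unpack_from("<HBHBHHBHHHH", sec, 0x0B)
    return {
        "serial": sec[0x08:0x0B].hex(),    # Atari per-disk serial number
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_sectors": reserved, "fat_copies": nfats,
        "root_entries": ndirs, "total_sectors": nsects,
        "sectors_per_fat": spf, "sectors_per_track": spt, "sides": nsides,
        "root_dir_sectors": ndirs * 32 // bps,
        # first data sector = boot sector + both FATs + root directory
        "first_data_sector": reserved + nfats * spf + ndirs * 32 // bps,
    }

def atari_boot_executable(sec: bytes) -> bool:
    """TOS runs the boot code only if the 256 big-endian words sum to 0x1234.
    A scanner such as the one described above flags exactly this property."""
    total = sum(struct.unpack(">256H", sec)) & 0xFFFF
    return total == ATARI_BOOT_MAGIC

def make_boot_sector(executable: bool) -> bytes:
    """Constructed sample: the standard single-sided 9-sector Atari format
    (boot sector, two 5-sector FATs, 7-sector root directory)."""
    sec = bytearray(SECTOR)
    sec[0:2] = b"\x60\x1c"                      # BRA.S over the header
    sec[0x08:0x0B] = b"\x12\x34\x56"            # constructed serial number
    struct.pack_into("<HBHBHHBHHHH", sec, 0x0B,
                     512, 2, 1, 2, 112, 720, 0xF8, 5, 9, 1, 0)
    if executable:
        # Fix up the final word so the word sum lands on 0x1234, which is
        # what makes the loader treat the sector as executable.
        total = sum(struct.unpack(">255H", sec[:510])) & 0xFFFF
        struct.pack_into(">H", sec, 510, (ATARI_BOOT_MAGIC - total) & 0xFFFF)
    return bytes(sec)

if __name__ == "__main__":
    print(parse_boot_sector(make_boot_sector(False)))
    print(atari_boot_executable(make_boot_sector(False)),
          atari_boot_executable(make_boot_sector(True)))
```

A freshly formatted data disk should report False here; a disk that reports True but was never meant to boot anything is the case the chapter is warning about.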