Introduction

* In this presentation I'm going to discuss file infection techniques that are being used by computer viruses and virus writers.
* A computer virus is simply executable mobile code. But the problem is it can't stand alone; it has to find a host and infect it.
* One good host for a computer virus is a computer file. It can be a data file or an executable file.
* No matter data files or executable files, almost all files can be infected with a virus.
* After all, file infection is only one mechanism that virus writers are using. There are tons of other techniques that are being exploited by virus writers. The naked truth about computing is that whatever operating system you are using, whatever security it provides, whatever AV/scanners you have installed, no matter how careful you are, almost every computer environment is a hostile environment.
Windows Executable Files and Windows Architecture

Before Windows: Before Windows there was an open system called DOS, where all the code ran in real mode and had no security, and any wild executable file could do anything to your computer. In this time we had DOS viruses. DOS viruses are just simple because the virus writer doesn't need to deal with how to bypass the security of an operating system.

In Windows: Windows runs in protected mode but still creates a more hostile environment than the older DOS. Inside Windows a hostile executable can't access the privileged mode of the microprocessor, so it can't access the devices directly. But Windows provides something called the "Win32 API", and calling that API is sufficient for a computer virus to survive inside Windows and also do damage to the computer.
Ring0 vs Ring3

• Almost all modern microprocessors provide at least two privilege modes when executing instructions.
• Intel x86 supports four modes. They are ring0, ring1, ring2 and ring3, where ring0 is the most privileged mode and ring3 is the least privileged mode. Ring3/ring0 is completely a hardware security mechanism.
• But the Microsoft Windows operating system only uses two modes, ring0 and ring3. Ring0 is also known as "kernel mode" and the operating system kernel is running in that mode.
• When you are in ring0 you can use privileged instructions like outp/inp, and read/write any memory location or interrupt the processor.
• Application programs like Microsoft Excel, Word and Notepad are running in the ring3 mode.
Executable File Infection Techniques

• In the Windows platform an executable file ends with the suffix ".exe" and in Linux they have no extension. Linux uses the ELF32 executable format and Windows uses the Win32 PE and PE+ executable file formats.
• An executable file is nothing more than a big data structure which has the following:
  * header
  * sections
In a typical executable file there are the following sections:
  text [executable code]
  data [global variables and statically initialized data]
  bss [dynamically initialized data]
  stack [defines the hardware stack for the executable]
There is an entry point in the text section. It's where your operating system starts executing after it loads the data and text sections into memory and bss and stack have been initialized. So a virus has to insert its code into the text section; in other words it has to alter the text section of a particular executable file. There are other methods too; for example, inserting a new text section is also possible. Following are some different techniques that virus writers are using:
  * Overwriting viruses.
  * Append last to the text section.
  * Viruses that inject their code into the padded aligned spaces between segments.
  * Random infection.
  * Viruses that hijack entry points.
  * and many more unspecified wild techniques that are used among the virus writer underground communities.

An example executable virus source code: By M S D Perera
Left picture is photo courtesy of http://www.thehackademy.net/madchat/vxdevl/papers/winsys/pefile/pefile.htm
It shows the 'MZ' and 'PE' header signatures in a particular executable file.
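A small checker for the structures described above (the MZ and PE signatures, the section table and the entry point), written here as an added example and not taken from the presentation; the two PE images it inspects are constructed headers-only samples, and the warnings are a simple scanner-style heuristic for an entry point that has been moved out of .text, not any particular product's logic.

```python
import struct
# Added example (not from the presentation): minimal PE32 header parser that reads
# the 'MZ'/'PE' signatures, the section table and AddressOfEntryPoint. Scanners flag an
# entry point moved out of .text into an appended writable section as an EP-hijack sign.
SCN_EXECUTE, SCN_WRITE, SCN_CODE = 0x20000000, 0x80000000, 0x20

def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew -> 'PE\0\0'
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 40)[0]     # AddressOfEntryPoint (RVA)
    secs, off = [], pe + 24 + opt_size                     # section table follows opt hdr
    for _ in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]  # Characteristics
        secs.append((name.rstrip(b"\0").decode(), va, vsize, chars))
        off += 40
    return entry, secs

def entry_point_check(data):
    """Return (section holding the entry point or None, list of warnings)."""
    entry, secs = parse_pe(data)
    warnings, hit = [], None
    for i, (name, va, vsize, chars) in enumerate(secs):
        if va <= entry < va + vsize:
            hit = name
            if i == len(secs) - 1 and i > 0:
                warnings.append("entry point in last section")
            if chars & SCN_WRITE and chars & SCN_EXECUTE:
                warnings.append("entry section is writable and executable")
    if hit is None:
        warnings.append("entry point outside every section")
    return hit, warnings

def build_pe(entry, sections):
    """Construct a headers-only PE32 image for the demo (constructed sample, no code)."""
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    opt = bytearray(0xE0)                                           # PE32 optional header
    struct.pack_into("<H14xI", opt, 0, 0x10B, entry)                # Magic, AddressOfEntryPoint
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102) + opt
    for name, va, size, chars in sections:
        img += struct.pack("<8sIIIIIIHHI", name, size, va, size, 0, 0, 0, 0, 0, chars)
    return bytes(img)

TEXT = SCN_CODE | SCN_EXECUTE  # constructed samples: EP in .text vs. EP moved to an appended section
CLEAN = build_pe(0x1010, [(b".text", 0x1000, 0x1000, TEXT), (b".data", 0x2000, 0x1000, SCN_WRITE)])
INFECTED = build_pe(0x3020, [(b".text", 0x1000, 0x1000, TEXT), (b".data", 0x2000, 0x1000, SCN_WRITE),
                             (b".added", 0x3000, 0x200, TEXT | SCN_WRITE)])
```

Running `entry_point_check` on a real .exe works the same way; the heuristic only says where the entry point lands, so a packed or unusually linked binary can trigger it without being infected.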
Windows Dynamic Link Libraries

As its name says, it's a dynamic library, where it can be loaded at runtime when it's necessary. Win32 API calls are implemented as a set of dynamic link libraries. You can see your dynamic link libraries with the .dll extension in your C:\windows\system32 folder. For example, kernel32.dll provides basic process creation, initialization, scheduling, security and termination facilities. It provides APIs like CreateProcess(), ExitProcess(), etc.

The code in the DLL file also lives in ring3 [restricted executable mode] and it will transfer its control to ring0 [privileged mode] by a software interrupt, calling the int 02 instruction.

So there is no way a Windows executable can directly access the computer's resources. But it can access them through the Windows Win32 API. That means a virus code can also access them, so nothing prevents a virus writer from writing a workable virus in the Windows environment; again, no environment is secure.
Dependency Walker: software that can be used to track and walk through which DLLs an executable depends on, and which DLLs those again recursively depend on.
Photo courtesy of http://www.brothersoft.com/dependency-walker-11721.html
Limitations of Windows Viruses

If a Windows virus needs to do damage to computer hardware it's not easy. It should somehow access the ring0 execution mode, or exploit a predefined service, or use some other complex techniques. For example:
  * ex - http://technet.microsoft.com/en-us/security/advisory/935423 [Microsoft Windows animated cursor ring0 exploit]
    ^- There you can't find enough information about "how to exploit it" on the Microsoft web site, because they want to cover their operating system. If you are interested you can go to the following link; use it for educational/research purposes only, don't exploit it to make real computer viruses.
    http://www.exploit-db.com/exploits/3636/ - exploit-db.com contains dozens of resources for a computer virology researcher.

In Windows 7 you have an option called "Run as Admin" which will give that executable all the privileges; when you need to install some software you need to choose that option.
Finally

The internet outside your computer is a wild place. Computer viruses can't do magic, but all the things and techniques that I mentioned above are technically possible and have been used by computer virus writers. Even if a simple mid-level computer virus can't damage your computer hardware, it could do big damage to your stored data and personal life, steal credit card PIN numbers, send punk messages to your friends, etc. Computer viruses can't think, but those things are technically very possible and complex, and complex is not a problem for an evil genius mind.

So,
  * Keep your virus guard up-to-date. Every day around 100 new viruses are released in the world, so you need to update it every day, every hour, every minute, as soon as possible.
  * Keep your operating system and software up to date, so your operating system vendor can fix the holes in your operating system.
  * Do not execute executable files in "Run As Admin" mode where you don't trust them. Check for the author of the software and their signature.
  * Keep in touch with the security advisories, e.g. http://www.securityfocus.com/
  * Almost any file can contain a virus, so don't assume "it's a JPG, how could it contain a virus?" It can. Seriously, not joking.

In my next presentation I'm going to discuss buffer overflow attacks and how they can be used in the wild by virus writers. Thank you for listening.