56 lines
3.1 KiB
Plaintext
56 lines
3.1 KiB
Plaintext
FUNBOT2.CVP 910918
|
|
|
|
Boot sequence
|
|
|
|
In order to point out the areas of possible viral program attack, it is
|
|
helpful to outline the sequence of operations in the boot process.
|
|
|
|
When the machine is first powered up, there is a certain amount of
|
|
programming contained in boot ROM. The amount of this varies greatly
|
|
between different types of machines, but basically describes the most
|
|
central devices, such as the screen and keyboard, and "points" to the
|
|
disk drives. A very basic location on the disk is addressed for further
|
|
information. This is the generic "boot sector"; as mentioned in the last
|
|
column, on MS-DOS hard disks it is the partition boot record that is
|
|
accessed first.
|
|
|
|
The boot record or sector contains further information about the
|
|
structure of the disk. It, or a subsequent linked sector, also describes
|
|
the location of further operating system files. This description is in
|
|
the form of a program, rather than simply data. Because this outline is
|
|
in the form of a program, and because this sector is "writable", in order
|
|
to allow for different structures, the boot record or sector is
|
|
vulnerable to attack or change. Boot sector infecting programs may
|
|
overwrite either the boot record or the boot sector, and may or may not
|
|
move the original boot sector or record to another location on disk. The
|
|
repositioning of the original sector's program allows the viral program
|
|
to "pretend" that everything is as it was.
|
|
|
|
This pretence is not absolute. A computer with an active viral program
|
|
resident will, of necessity, be different in some way from the normal
|
|
environment. The original sector position will, of course, have
|
|
different information in it. The viral program will need to "hook"
|
|
certain vectors for its own use in order to monitor activity within the
|
|
computer and in order to function. The viral program will have to occupy
|
|
a certain portion of memory, and may be identified by a memory map, or,
|
|
in the case of the Stoned virus, may try to hide by "telling" the
|
|
computer that it has less memory than is actually the case.
|
|
|
|
These tell-tale indicators are not absolute. There may be various
|
|
reasons why the "top of memory" marker is set to less than 640K. Each
|
|
different type of disk drive, and each drive of the same type which is
|
|
partitioned differently, will have a different boot record. As operating
|
|
systems or versions change, so will the boot sector. Therefore, the
|
|
environment of newly booted machines cannot, in isolation, be examined
|
|
and said to be infected or free from infection.
|
|
|
|
It is possible, however, to compare any machine with itself in a "known
|
|
clean" state. By saving information on the environment after a minimal
|
|
clean boot, and comparing this with subsequent boots, changes can be
|
|
detected, and the user alerted to a potential problem. Since a boot
|
|
sector infector can only infect a machine if the machine is booted from
|
|
an infected disk, it is also possible to replace the boot record with a
|
|
non-standard one, in order to prevent access to the hard disk unless
|
|
booted from the hard disk.
|
|
|
|
copyright Robert M. Slade, 1991 FUNBOT2.CVP 910918 |