53 lines
2.6 KiB
Plaintext
53 lines
2.6 KiB
Plaintext
FUNGEN3.CVP 910811
|
|
|
|
Viral use of operating systems
|
|
|
|
Viral programs use basic computer functions in more ways than
|
|
one. It is easier to use standard system calls for purposes
|
|
such as accessing disks and writing files or formatting. Most
|
|
programs use the standard operating system calls, rather than
|
|
write their own system function when "using" the hardware. For
|
|
one thing, it's more "polite" to do this with applications
|
|
programs, which, if they follow "the rules" will be better
|
|
"behaved" when it comes to other programs, particularly resident
|
|
programs and drivers. But it is also easier to use system
|
|
functions than write your own.
|
|
|
|
Operating system functions are generally accessible if you know
|
|
the memory address at which the function starts, or the specific
|
|
"interrupt" that invokes it. Viral programs can use this fact
|
|
in two possible ways.
|
|
|
|
The first is to use the standard system calls in order to
|
|
perform the copying, writing or destructive actions. This,
|
|
however, has unfortunate consequences for the viral author (and
|
|
fortunate for the computer community) in that it is easy to
|
|
identify these system calls within program code. Therefore, if
|
|
viral programs used only this method of operation, it would be
|
|
possible to write a "universal" virus scanner which would be
|
|
able to identify any potentially damaging code. It would also
|
|
be possible to write programs which "trapped" all such system
|
|
calls, and allowed the user to decide whether a particular
|
|
operation should proceed. (In fact, in the MS-DOS world, two
|
|
such programs, BOMBSQAD and WORMCHEK, are available, and were
|
|
used to check for early trojan programs.)
|
|
|
|
Operating systems are, however, programs, and therefore it is
|
|
possible for any program, including any viral program, to
|
|
implement a completely different piece of code which writes
|
|
directly to the hardware. The "Stoned" virus has used this very
|
|
successfully.
|
|
|
|
Unfortunately, viral programs have even more options, one of
|
|
which is to perform the same "trapping" functions themselves.
|
|
Viral programs can trap all functions which perform disk access
|
|
in order to hide the fact that the virus is copying itself to
|
|
the disk under the "cover" of a directory listing. Viral
|
|
programs can also trap system calls in order to evade detection.
|
|
Some viri will "sense" an effort to "read" the section of memory
|
|
that they occupy, and will cause the system to hang. Others
|
|
trap all reading of disk information and will return only the
|
|
"original" information for a file or disk: the commonly named
|
|
"stealth" viral technology.
|
|
|
|
copyright Robert M. Slade, 1991 FUNGEN3.CVP 910811 |