FUNGEN3.CVP 910811
Viral use of operating systems
Viral programs use basic computer functions in more ways than
one. It is easier to use standard system calls for purposes
such as accessing disks and writing files or formatting. Most
programs use the standard operating system calls, rather than
write their own system function when "using" the hardware. For
one thing, it's more "polite" to do this with applications
programs, which, if they follow "the rules" will be better
"behaved" when it comes to other programs, particularly resident
programs and drivers. But it is also easier to use system
functions than write your own.
Operating system functions are generally accessible if you know
the memory address at which the function starts, or the specific
"interrupt" that invokes it. Viral programs can use this fact
in two possible ways.
The first is to use the standard system calls in order to
perform the copying, writing or destructive actions. This,
however, has unfortunate consequences for the viral author (and
fortunate for the computer community) in that it is easy to
identify these system calls within program code. Therefore, if
viral programs used only this method of operation, it would be
possible to write a "universal" virus scanner which would be
able to identify any potentially damaging code. It would also
be possible to write programs which "trapped" all such system
calls, and allowed the user to decide whether a particular
operation should proceed. (In fact, in the MS-DOS world, two
such programs, BOMBSQAD and WORMCHEK, are available, and were
used to check for early trojan programs.)
Operating systems are, however, programs, and therefore it is
possible for any program, including any viral program, to
implement a completely different piece of code which writes
directly to the hardware. The "Stoned" virus has used this very
successfully.
Unfortunately, viral programs have even more options, one of
which is to perform the same "trapping" functions themselves.
Viral programs can trap all functions which perform disk access
in order to hide the fact that the virus is copying itself to
the disk under the "cover" of a directory listing. Viral
programs can also trap system calls in order to evade detection.
Some viri will "sense" an effort to "read" the section of memory
that they occupy, and will cause the system to hang. Others
trap all reading of disk information and will return only the
"original" information for a file or disk: the commonly named
"stealth" viral technology.
copyright Robert M. Slade, 1991 FUNGEN3.CVP 910811
==============
Vancouver ROBERTS@decus.ca | "In questions of science, the
Institute for Robert_Slade@sfu.ca | authority of a thousand is not
Research into rslade@cue.bc.ca | worth the humble reasoning
User p1@CyberStore.ca | of a single individual."
Security Canada V7K 2G6 | - Galileo