File infection techniques allow computer viruses to infect files by inserting malicious code. Viruses can infect both executable files and data files. Executable files contain code that runs when the file is opened, while data files may contain scripts or code that can be executed through buffer overflow exploits or by hijacking entry points. In Windows, applications run in a restricted mode while the operating system kernel runs in a privileged mode, but viruses can still reach system resources through Windows API calls. Updates, antivirus software, and care with untrusted files help prevent infection.
2. Introduction
* In this presentation I'm going to discuss the file infection techniques that are being used by computer viruses and virus writers.
* A computer virus is simply executable mobile code. The problem is that it can't stand alone: it has to find a host and infect it.
* One good host for a computer virus is a computer file. It can be a data file or an executable file.
* No matter whether they are data files or executable files, almost all files can be infected with a virus.
* After all, file infection is only one mechanism that virus writers use. There are tons of other techniques being exploited by virus writers.
The naked truth about computing is that whatever operating system you use, whatever security it provides, whatever AV/scanners you have installed, and no matter how careful you are, almost every computer environment is a hostile environment.
3. Data Files vs Executable Files
Executable files are files that contain executable code, or contain scripts/macros, or contain byte code for a virtual machine.
* Examples of raw executable files are Linux ELF executables, Windows Win32 and Win64 executables, or Mac OS executables.
* Examples of scripts are JavaScript, VB scripts, Linux bash scripts, etc.
* Java and .NET are good examples of byte code executables.
Data files:
* DAT, Digital Audio Tape.
* Image formats like JPEG, PNG, BMP, etc.
* Microsoft Office formats like .xls, Microsoft Word, PowerPoint (ppt), etc.
Conclusion:
If a data file only contains data streams, how could a virus reside inside it?
[answer] First of all, data files do not contain just simple data streams. For example, the JPEG format can carry a small segment of JavaScript code, and Microsoft Excel has the capability to embed executable macros.
[figure: A binary file opened with a hex editor program]
Even if a file simply contains a raw data structure, a computer virus can still reside inside it.
* There are techniques like buffer overflows which exploit the target software system and can force it to execute binary code that came in as a data stream.
[I'm not going to discuss what a buffer overflow exploit is here, but I will in my next presentation.]
* So don't just skip data files when you are scanning for viruses with your virus scanner.
4. Windows Executable Files and Windows Architecture
Before Windows:
Before Windows there was an open system called DOS, where all the code ran in real mode with no security, and any wild executable file could do anything to your computer. In this time we had DOS viruses. DOS viruses are simple because the virus writer doesn't need to deal with how to bypass the security of an operating system.
In Windows:
Windows runs in protected mode, but it still creates a more hostile environment than the older DOS. Inside Windows, hostile executable code can't access the privileged mode of the microprocessor, so it can't access the devices directly. But Windows provides something called the "Win32 API", and calling that API is sufficient for a computer virus to survive inside Windows and also do damage to the computer.
5. Ring0 vs Ring3
• Almost all modern microprocessors provide at least two modes of privilege when executing instructions.
• Intel x86 supports four modes. They are ring0, ring1, ring2 and ring3, where ring0 is the most privileged mode and ring3 is the least privileged mode.
• But the Microsoft Windows operating system only uses two modes, ring0 and ring3. Ring0 is also known as "kernel mode", and the operating system kernel is running in that mode.
• When you are in ring0 you can use privileged instructions like outp/inp, read/write any memory location, or interrupt the processor.
• Application programs like Microsoft Excel, Word and Notepad are running in ring3.
[sidebar] Ring3/ring0 is completely a hardware security mechanism.
6. Executable File Infection Techniques
• On the Windows platform an executable file ends with the suffix ".exe", and in Linux they have no extension. Linux uses the ELF32 executable format and Windows uses the Win32 PE and PE+ executable file formats.
• An executable file is nothing more than a big data structure which has the following:
* header
* sections
In a typical executable file there are the following sections.
text [executable code]
data [global variables and statically initialized data]
bss [dynamically initialized data]
stack [defines the hardware stack for the executable]
There is an entry point in the text section. It's where your operating system starts executing after it loads the data and text sections into memory and the bss and stack have been initialized. So a virus has to insert its code into the text section; in other words it has to alter the text section of a particular executable file. There are other methods too, for example inserting a new text section is also possible. Following are some different techniques that virus writers are using.
* Overwriting viruses.
* Appending to the end of the text section.
* Viruses that inject their code into the padded alignment spaces between segments.
* Random infection.
* Viruses that hijack entry points.
* And many more unspecified wild techniques used among the virus writer underground communities.
An example executable virus source code:
By M S D Perera
7. Left picture: photo courtesy of http://www.thehackademy.net/madchat/vxdevl/papers/winsys/pefile/pefile.htm
8. Shows the 'MZ' and 'PE' header signatures in a particular executable file.
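An added example, not from the original presentation: a minimal parser that reads the 'MZ' and 'PE' signatures, the section table and the entry point discussed above, and a defender-side check that flags the entry-point placements the append and entry-point-hijack techniques produce. The PE images it inspects are constructed inside the script, and the heuristics are assumptions of this example (packers and unusual linkers can trigger them too).

```python
import struct
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristic flag from the PE spec

def parse_pe(data):
    """Minimal PE parser: MZ/PE signatures, AddressOfEntryPoint and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew -> 'PE\0\0'
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe_off + 6)[0], struct.unpack_from("<H", data, pe_off + 20)[0]
    entry = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]  # optional header AddressOfEntryPoint
    sec_off = pe_off + 24 + opt_size                          # section table follows the optional header
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "va": f[2], "vsize": f[1], "chars": f[9]})
    return {"entry": entry, "sections": sections}

def check_entry_point(info):
    """Flag entry-point placements matching the append / entry-point-hijack patterns (heuristic)."""
    ep, secs = info["entry"], info["sections"]
    home = next((s for s in secs if s["va"] <= ep < s["va"] + s["vsize"]), None)
    if home is None:
        return ["entry point lies outside every section"]
    findings = []
    if not home["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point in non-executable section %s" % home["name"])
    if len(secs) > 1 and home is secs[-1]:
        findings.append("entry point in last section %s (appended-code pattern)" % home["name"])
    return findings

def build_image(entry_rva, sections):
    """Constructed test image (not a real binary): DOS header, COFF header, PE32 optional header, sections."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

# Constructed samples: a normal layout, and one whose entry point was moved into an appended section.
CLEAN = build_image(0x1000, [(".text", 0x1000, 0x200, 0x60000020), (".data", 0x2000, 0x100, 0xC0000040)])
HIJACKED = build_image(0x3000, [(".text", 0x1000, 0x200, 0x60000020), (".data", 0x2000, 0x100, 0xC0000040),
                               (".vir", 0x3000, 0x80, 0xE0000020)])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(label, check_entry_point(parse_pe(img)) or ["no findings"])
```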
9. Windows Dynamic Link Libraries
As its name says, it's a dynamic library which can be loaded at runtime when necessary. Win32 API calls are implemented as a set of dynamic link libraries. You can see your dynamic link libraries with the .dll extension in your C:\windows\system32 folder.
For example, kernel32.dll provides basic process creation, initialization, scheduling, security and termination facilities. It provides APIs like CreateProcess(), ExitProcess(), etc.
The code in the DLL file also lives in ring3 [the restricted executable mode] and transfers control to ring0 [privileged mode] by a software interrupt, calling the 'int 02' instruction.
So there is no way a Windows executable can directly access the computer's resources, but it can access them through the Win32 API. This means virus code can access them too, so nothing prevents a virus writer from writing a workable virus in a Windows environment. Again, no environment is secure.
10. Dependency Walker – a piece of software that can be used to track and walk through which DLLs an executable depends on, and which DLLs those in turn recursively depend on.
Photo courtesy of http://www.brothersoft.com/dependency-walker-11721.html
11. Limitations of Windows Viruses
If a Windows virus needs to do damage to computer hardware, it's not easy. It has to somehow gain access to the ring0 execution mode, or exploit a predefined service, or use some other complex technique. For example:
* ex - http://technet.microsoft.com/en-us/security/advisory/935423
[Microsoft Windows animated cursor ring0 exploit]
^- you can't find enough information about "how to exploit it" on the Microsoft web site, because they want to cover their operating system.
If you are interested you can go to the following link; use it for educational/research purposes only, don't exploit it to make real computer viruses.
http://www.exploit-db.com/exploits/3636/
- exploit-db.com contains dozens of resources for a computer virology researcher.
In Windows 7 you have an option called "Run as Admin" which gives that executable all the privileges; when you need to install some software you need to choose that option.
12. Metasploit software – photo courtesy of http://blog.c22.cc/2011/01/09/metasploit-sap-management-console-aux-modules/
13. Finally
The internet outside your computer is a wild place. Computer viruses can't do magic, but all the things and techniques that I mentioned above are technically possible and have been used by computer virus writers.
Even if a simple mid-level computer virus can't damage your computer hardware, it can do big damage to your stored data and personal life, steal credit card PIN numbers, send prank messages to your friends, etc. Computer viruses can't think, but those things are technically very possible and complex, and complexity is not a problem for an evil genius mind.
So,
* Keep your virus guard up to date. Every day around 100 new viruses are released in the world, so you need to update it every day, every hour, every minute, as soon as possible.
* Keep your operating system and software up to date, so your operating system vendor can fix the holes in your operating system.
* Do not execute executable files you don't trust in "Run As Admin" mode. Check the author of the software and their signature.
* Keep in touch with security advisories, e.g. http://www.securityfocus.com/
* Almost any file can contain a virus, so don't assume "it's a JPG, how could it contain a virus?" It can. Seriously, not joking.
In my next presentation I'm going to discuss buffer overflow attacks and how they can be used in the wild by virus writers.
Thank you for listening.