FUNGEN3.CVP 910811

Viral use of operating systems

Viral programs use basic computer functions in more ways than one. It is easier to use standard system calls for purposes such as accessing disks and writing files or formatting. Most programs use the standard operating system calls, rather than write their own system function, when "using" the hardware. For one thing, it's more "polite" to do this with application programs, which, if they follow "the rules", will be better "behaved" when it comes to other programs, particularly resident programs and drivers. But it is also easier to use system functions than to write your own.

Operating system functions are generally accessible if you know the memory address at which the function starts, or the specific "interrupt" that invokes it. Viral programs can use this fact in two possible ways.

The first is to use the standard system calls in order to perform the copying, writing or destructive actions. This, however, has unfortunate consequences for the viral author (and fortunate ones for the computer community) in that it is easy to identify these system calls within program code. Therefore, if viral programs used only this method of operation, it would be possible to write a "universal" virus scanner which would be able to identify any potentially damaging code. It would also be possible to write programs which "trapped" all such system calls and allowed the user to decide whether a particular operation should proceed. (In fact, in the MS-DOS world, two such programs, BOMBSQAD and WORMCHEK, are available, and were used to check for early trojan programs.)

Operating systems are, however, programs, and therefore it is possible for any program, including any viral program, to implement a completely different piece of code which writes directly to the hardware. The "Stoned" virus has used this very successfully.
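As an added illustration of the "universal scanner" idea above (this is not part of the original article), the following Python scans raw 16-bit DOS code for hard-coded INT 13h and INT 21h instructions and reports the function number loaded into AH just before each one. The sample bytes are constructed, and the watch-list is an assumed selection of documented BIOS/DOS function numbers; as the text notes, code that bypasses the operating system and writes directly to the hardware does not show up in such a scan.

```python
# Added example: a minimal "system call scanner" for raw 16-bit DOS code.
# It looks for "int 13h" (CD 13) and "int 21h" (CD 21) and, when the
# preceding instruction is "mov ah, NN" (B4 NN) or "mov ax, NNNN" (B8 lo hi),
# recovers the AH function number so a reviewer can see what was requested.
# The sample bytes below are constructed for illustration, not a real virus.
from dataclasses import dataclass
from typing import List, Optional

# Documented BIOS/DOS functions worth a second look in unknown code
# (an assumed watch-list, not an exhaustive one).
WATCHLIST = {
    (0x13, 0x03): "BIOS write sectors",
    (0x13, 0x05): "BIOS format track",
    (0x21, 0x25): "DOS set interrupt vector",
    (0x21, 0x31): "DOS terminate and stay resident",
    (0x21, 0x3C): "DOS create file",
    (0x21, 0x40): "DOS write to handle",
}

@dataclass
class Hit:
    offset: int            # offset of the INT instruction in the buffer
    intno: int             # interrupt number (0x13 or 0x21)
    func: Optional[int]    # AH value if a preceding mov set it, else None
    note: str              # watch-list description or "other function"

def scan_dos_code(buf: bytes) -> List[Hit]:
    """Find INT 13h / INT 21h calls and the AH function loaded before them."""
    hits: List[Hit] = []
    i = 0
    while i + 1 < len(buf):
        if buf[i] == 0xCD and buf[i + 1] in (0x13, 0x21):
            intno = buf[i + 1]
            func = None
            if i >= 2 and buf[i - 2] == 0xB4:        # mov ah, imm8
                func = buf[i - 1]
            elif i >= 3 and buf[i - 3] == 0xB8:      # mov ax, imm16 (AH = high byte)
                func = buf[i - 1]
            hits.append(Hit(i, intno, func, WATCHLIST.get((intno, func), "other function")))
            i += 2
        else:
            i += 1
    return hits

# Constructed sample: mov ah,03h / int 13h ; nop ; mov ax,2501h / int 21h ; nop ; int 21h
SAMPLE = bytes([0xB4, 0x03, 0xCD, 0x13, 0x90, 0xB8, 0x01, 0x25, 0xCD, 0x21, 0x90, 0xCD, 0x21])

if __name__ == "__main__":
    for h in scan_dos_code(SAMPLE):
        ah = f"{h.func:02X}h" if h.func is not None else "??"
        print(f"offset {h.offset:04X}: int {h.intno:02X}h AH={ah} ({h.note})")
```

Byte sequences like CD 13 can also occur as ordinary data, so a hit marks a location for review rather than a verdict.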
Unfortunately, viral programs have even more options, one of which is to perform the same "trapping" functions themselves. Viral programs can trap all functions which perform disk access in order to hide the fact that the virus is copying itself to the disk under the "cover" of a directory listing. Viral programs can also trap system calls in order to evade detection. Some viri will "sense" an effort to "read" the section of memory that they occupy, and will cause the system to hang. Others trap all reading of disk information and will return only the "original" information for a file or disk: the commonly named "stealth" viral technology.

copyright Robert M. Slade, 1991