2.20 Virus Hiding Methods 77

parameters, icons, and extra code segments

It is possible to hide a virus in the resource fork of a file as a code resource. The virus still has to be executed, which means that some executable program (most likely the one in the data fork of the same file) must be modified to read the virus, store it in memory, and execute it.
A file infector virus (Section 2.7) embeds itself in an executable file and therefore has to modify the file in some way. Such a virus can be detected by detecting the modifications to the infected file. The modifications may affect (1) the file size, (2) its most recent modification date, (3) the code inside the file, and (4) the file’s access permissions.
An overwriting virus writes itself over the code of the original file and therefore preserves the size of the infected file. A nonoverwriting virus modifies the size of the file but may be able to fake this modification and thereby fool anti-virus software. (The virus may save the original size, embed itself in the file, then restore the size. Stealth techniques are discussed in Section 2.22.) The obvious conclusion is that virus detection software should not rely only on the size of a file to detect infection.
The header of a file may also contain a simple checksum of the rest of the file. (In its simplest form, the checksum is a byte that’s the exclusive-or of all the bytes of the file.) Almost any change in the composition of the file affects the checksum, and this may be an indicator of file corruption, a better indicator than just the size of the file. However, a clever virus may fake the checksum (it may copy the original checksum from the header and restore it later, a common stealth technique).
Even a simple virus that modifies the file size may avoid detection because anti-virus software cannot tell why the size of an executable file has changed. When anti-virus software is executed, it may scan the disk and save the sizes of all the executable files it finds. The next time it is executed, it may discover that the size of an executable file A has changed, but this may be the result of updating A. After all, programs go through new versions all the time, and many new versions update the original program file instead of creating a new file.
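The checks described in the preceding paragraphs (size, modification date, permissions, a checksum, and a saved baseline of file attributes from an earlier scan) can be combined into a small integrity scanner. The following Python program is an added example and not code from the book; the file name `progA.bin`, its contents and the temporary directory are constructed for the illustration. It records the one-byte exclusive-or checksum the text describes next to SHA-256, and its demo alters a file in a way that leaves the size and the XOR checksum unchanged (two bytes swap places), so that only the cryptographic hash reports the change.

```python
"""Baseline scan of executable files' attributes.

Added example (not from the book): records, for each file in a directory, the
attributes the text lists -- size, modification time, permissions and a
checksum -- and reports which of them changed on a later scan. Two checksums
are kept side by side: the one-byte exclusive-or the text describes and
SHA-256, to show what each one does and does not catch.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def xor_checksum(data: bytes) -> int:
    """One-byte checksum: exclusive-or of every byte (the simple header checksum in the text)."""
    c = 0
    for b in data:
        c ^= b
    return c


def fingerprint(path: Path) -> dict:
    """Attributes a scanner can compare between runs."""
    st = path.stat()
    data = path.read_bytes()
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "mode": stat.S_IMODE(st.st_mode),
        "xor": xor_checksum(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def scan(directory: Path) -> dict:
    """Fingerprint every regular file directly under `directory`."""
    return {p.name: fingerprint(p) for p in sorted(directory.iterdir()) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Map each changed file to the list of attributes that differ
    ('added' / 'removed' for files present in only one scan)."""
    report = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            report[name] = ["removed"]
        elif name not in baseline:
            report[name] = ["added"]
        else:
            changed = [k for k in baseline[name] if baseline[name][k] != current[name][k]]
            if changed:
                report[name] = changed
    return report


def demo() -> dict:
    """Constructed scenario in a temporary directory: baseline a fake program
    file, then change its content in a way that keeps the size and the XOR
    checksum identical (two bytes swap places), and rescan."""
    workdir = Path(tempfile.mkdtemp(prefix="baseline_demo_"))
    target = workdir / "progA.bin"
    original = bytes(range(64))                  # constructed file content
    target.write_bytes(original)
    baseline = scan(workdir)

    modified = bytearray(original)
    modified[3], modified[40] = modified[40], modified[3]   # same bytes, new order
    target.write_bytes(bytes(modified))
    # Put the timestamp back to the baseline value so that the comparison
    # isolates the content checks (the text notes such attributes can be restored).
    saved = baseline["progA.bin"]
    os.utime(target, ns=(saved["mtime_ns"], saved["mtime_ns"]))

    current = scan(workdir)
    return {
        "report": compare(baseline, current),
        "xor_before": baseline["progA.bin"]["xor"],
        "xor_after": current["progA.bin"]["xor"],
    }


if __name__ == "__main__":
    result = demo()
    print("changed attributes:", result["report"])            # {'progA.bin': ['sha256']}
    print("xor before/after:", result["xor_before"], result["xor_after"])
```

Running the script prints `{'progA.bin': ['sha256']}`: the size, mode and XOR checks all pass on the altered file. That is the practical form of the text's conclusion: size and a weak checksum are worth recording, but the decision should rest on a cryptographic hash stored where the scanned file cannot overwrite it. And because legitimate updates also change the hash, a changed hash is a prompt to confirm the update, not by itself proof of infection.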
Some viruses infect only large files, because a virus embedded in a small file may significantly modify the size of the file, thereby raising suspicion. This behavior may be termed a psychological factor, and it illustrates the great lengths to which virus writers may go in their attempts to foil detection.
A program consists of instructions and data. The data part consists of constants and variables, and some of the variables are arrays. An array is a set of consecutive memory locations reserved by the program. When the program starts executing, the array is normally empty (more precisely, undefined). During its execution, the program may store data in the array. A virus author who is very familiar with a particular program may write an overwriting virus that embeds itself in an array in the executable file of the program. (The author has to know precisely where the array is located in the file, because everything in an executable file, instructions, data, and arrays, consists of bits and therefore looks the same.) A virus located in an array does not change the size of the file and does not affect its executable code. However, once the program starts executing, it may write data in the array, thereby erasing the virus’ code. There is also the question of how the virus can get executed, because a program does not execute arrays of data.
An operating system may impose restrictions on files, and such restrictions may be exploited by viruses. An operating system may require, for example, that a file size always be a multiple of 512 or some other number of bytes. A virus writer who plans to attack a certain computer and is familiar with the popular programs on that computer may know that a certain program file has a long, empty “tail” where a virus can be hidden. There is still the question of the virus being executed. The original code of the program must be modified to include at least a jump or a procedure call to the virus.
Detailed knowledge of the operating system and the files and tables it uses may lead to sophisticated viruses that hide themselves in a variety of ways. A favorite of some virus authors is a virus that modifies the disk directory instead of modifying the infected files.
For each file on a disk, the disk directory contains, in addition to the file name, type, size, and other items, also the start address of the file on the disk (the sector number or sector and track numbers). When the virus is executed for the first time in an infected computer, it writes itself on the main hard disk as a file, but does not include itself in the directory (or includes itself as an invisible file). It then scans the directory until it finds a file A it wants to infect. It saves the disk address of A and changes this address in the directory to its own start address. When the user wants to execute file A, the operating system follows the disk address found in the directory, which leads it to the virus. The virus is executed, and when done it may decide to execute program A to avoid raising suspicion. The term misdirection virus is sometimes applied to this type of virus. It can be implemented such that it will misdirect the execution of several different programs to (different entry points in) the virus. This is only one of many examples that illustrate the ingenious ways in which viruses and other malicious software can be hidden in a computer.

[Figure 2.10, panels (a) and (b): a Disk Directory (pointers, names, visibility flags) beside files A, B, and V]
Figure 2.10: (a) Original Directory. (b) Modified Directory.
Figure 2.10 illustrates how this technique works. Part a of the figure shows a disk with three files A, B, and V and a file directory with three items per file: disk address (the pointers), name, and a visibility flag. Note that file V (the virus) is invisible. In part b we see how the directory entry for file A is pointing to the virus, and how the
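The directory described above and shown in Figure 2.10 can be audited for the inconsistencies that the misdirection technique leaves behind. The following Python program is an added example, not from the book: the `DirEntry` record, the set of allocated extents and the sector numbers 10, 20 and 30 are invented for the illustration and stand in for whatever a real file system stores. It flags invisible entries, two entries that share a start address, allocated extents that no entry references (the original file's code, now unreachable through the directory), and start addresses that differ from a baseline recorded on a trusted earlier scan, the same idea as the file-size baseline discussed for file infectors.

```python
"""Consistency audit of a (toy) disk directory.

Added example, not from the book: models the directory of Figure 2.10 as a
list of entries (start address, name, visibility flag) plus the set of
allocated extents on the disk, and checks for the inconsistencies the
misdirection technique leaves behind. The data structures and sector
numbers are invented for this illustration; a real file system differs.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DirEntry:
    name: str
    start: int          # start address (sector number) of the file's data
    visible: bool = True


def audit_directory(entries, allocated_starts, baseline=None):
    """Return a sorted list of findings (strings); an empty list means consistent.

    entries          -- current directory entries
    allocated_starts -- start sectors of every extent the allocation table marks used
    baseline         -- optional {name: start} recorded on an earlier, trusted scan
    """
    findings = []

    # 1. Invisible entries: the text notes the virus may register itself as an invisible file.
    for e in entries:
        if not e.visible:
            findings.append(f"hidden entry: {e.name} at sector {e.start}")

    # 2. Two entries sharing a start address: executing either one runs the same code.
    by_start = defaultdict(list)
    for e in entries:
        by_start[e.start].append(e.name)
    for start, names in by_start.items():
        if len(names) > 1:
            findings.append(f"duplicate start address {start}: {', '.join(sorted(names))}")

    # 3. Allocated extents no directory entry points to: the original file's code
    #    is still on disk but can no longer be reached through the directory.
    referenced = {e.start for e in entries}
    for start in sorted(set(allocated_starts) - referenced):
        findings.append(f"unreferenced allocated extent at sector {start}")

    # 4. Start address differs from the trusted baseline (same idea as the
    #    file-size baseline kept for file infectors).
    if baseline is not None:
        for e in entries:
            if e.name in baseline and baseline[e.name] != e.start:
                findings.append(f"start address of {e.name} changed: {baseline[e.name]} -> {e.start}")

    return sorted(findings)


def clean_directory():
    """Constructed: the directory before the virus arrives -- files A and B only."""
    return [DirEntry("A", 10), DirEntry("B", 20)]


def infected_directory():
    """Constructed, after Figure 2.10(b): V written to sector 30 as an invisible
    file, and A's directory entry redirected to V's start address."""
    return [DirEntry("A", 30), DirEntry("B", 20), DirEntry("V", 30, visible=False)]


if __name__ == "__main__":
    baseline = {e.name: e.start for e in clean_directory()}
    print("clean:", audit_directory(clean_directory(), {10, 20}, baseline))
    for finding in audit_directory(infected_directory(), {10, 20, 30}, baseline):
        print("infected:", finding)
```

Checks 1 to 3 need no prior knowledge of the disk and catch the state in Figure 2.10(b) on their own; check 4 is the one that also names which program was redirected, which is why a trusted copy of the directory (kept off the disk it describes) is worth recording.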