Modern Operating Systems by Herbert Bos and Andrew S. Tanenbaum, 4th Ed.
Chapter 9, Security (Sec. 9.9, Malware), pp. 666-667 (PDF pages 697-698 of 1137)
A somewhat related attack uses the Windows desktop, which contains shortcuts (.lnk files, which behave much like symbolic links) to programs. A virus can change the target of a shortcut to make it point to the virus. When the user double clicks on an icon, the virus is executed. When it is done, the virus just runs the original target program, so the user sees nothing unusual.
Executable Program Viruses
One step up in complexity are viruses that infect executable programs. The simplest of this type just overwrites the executable program with itself. These are called overwriting viruses. The infection logic of such a virus is given in Fig. 9-28.
#include <sys/types.h>                        /* standard POSIX headers */
#include <sys/stat.h>
#include <dirent.h>
#include <fcntl.h>
#include <unistd.h>

#define TRUE 1                                /* not in the printed figure; needed to compile */
void infect(char *name);                      /* not shown in the book: copies the virus body over the file */

struct stat sbuf;                             /* for lstat call to see if file is sym link */

void search(char *dir_name)                   /* recursively search for executables */
{
    DIR *dirp;                                /* pointer to an open directory stream */
    struct dirent *dp;                        /* pointer to a directory entry */

    dirp = opendir(dir_name);                 /* open this directory */
    if (dirp == NULL) return;                 /* dir could not be opened; forget it */
    while (TRUE) {
        dp = readdir(dirp);                   /* read next directory entry */
        if (dp == NULL) {                     /* NULL means we are done */
            chdir("..");                      /* go back to parent directory */
            break;                            /* exit loop */
        }
        if (dp->d_name[0] == '.') continue;   /* skip the . and .. directories */
        lstat(dp->d_name, &sbuf);             /* is entry a symbolic link? */
        if (S_ISLNK(sbuf.st_mode)) continue;  /* skip symbolic links */
        if (chdir(dp->d_name) == 0) {         /* if chdir succeeds, it must be a dir */
            search(".");                      /* yes, enter and search it */
        } else {                              /* no (file), infect it */
            if (access(dp->d_name, X_OK) == 0) /* if executable, infect it */
                infect(dp->d_name);
        }
    }
    closedir(dirp);                           /* dir processed; close and return */
}                                             /* (closedir belongs after the loop; the printed listing's braces put it inside) */
Figure 9-28. A recursive procedure that finds executable files on a UNIX system.
The main program of this virus would first copy its binary program into an array by opening argv[0] and reading it in for safekeeping. Then it would traverse the entire file system starting at the root directory by changing to the root directory and calling search with the root directory as parameter.
The recursive procedure search processes a directory by opening it, then reading the entries one at a time using readdir until a NULL is returned, indicating that there are no more entries. If the entry is a directory, it is processed by changing to it and then calling search recursively; if it is an executable file, it is infected by calling infect with the name of the file to infect as parameter. Files starting with "." are skipped to avoid problems with the . and .. directories (as a side effect, hidden dot files and dot directories are never visited either). Also, symbolic links are skipped because the program assumes that it can enter a directory using the chdir system call and then get back to where it was by going to .. , something that holds for hard links (ordinary directory entries) but not symbolic links: after following a symbolic link, .. leads to the parent of the link's target, not back to the directory that holds the link. A fancier program could handle symbolic links, too.
The actual infection procedure, infect (not shown), merely has to open the file named in its parameter, copy the virus saved in the array over the file, and then close the file.
This virus could be "improved" in various ways. First, a test could be inserted into infect to generate a random number and just return in most cases without doing anything. In, say, one call out of 128, infection would take place, thereby reducing the chances of early detection, before the virus has had a good chance to spread. Biological viruses have the same property: those that kill their victims quickly do not spread nearly as fast as those that produce a slow, lingering death, giving the victims plenty of chance to spread the virus. An alternative design would be to have a higher infection rate (say, 25%) but a cutoff on the number of files infected at once to reduce disk activity and thus be less conspicuous.
Second, infect could check to see if the file is already infected. Infecting the same file twice just wastes time. Third, measures could be taken to keep the time of last modification and file size the same as they were, to help hide the infection. For programs larger than the virus, the size will remain unchanged, but for programs smaller than the virus, the program will now be bigger. Since most viruses are smaller than most programs, this is not a serious problem. Note that on UNIX the modification time can be put back with utime, but the inode change time (ctime) is updated by the kernel whenever that is done and cannot be set from user space, so a file whose ctime is much later than its mtime is exactly the kind of anomaly an investigator looks for.
Although this program is not very long (the full program is under one page of C and the text segment compiles to under 2 KB), an assembly-code version of it can be even shorter. Ludwig (1998) gives an assembly-code program for MS-DOS that infects all the files in its directory and is only 44 bytes when assembled.
Later in this chapter we will study antivirus programs, that is, programs that track down and remove viruses. It is interesting to note here that the logic of Fig. 9-28, which a virus could use to find all the executable files to infect them, could also be used by an antivirus program to track down all the infected programs in order to remove the virus. The technologies of infection and disinfection go hand in hand, which is why it is necessary to understand in detail how viruses work in order to be able to fight them effectively.
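The observation above, that the traversal of Fig. 9-28 serves the hunter as well as the virus, as an added example that is not from the book and is not Tanenbaum's code: a small scanner in C for Linux/glibc that walks a tree and reports executables an overwriting virus has touched. It makes the two checks that the discussion of "improved" viruses suggests. First, whether the file's head bytes carry the virus body, which is the same test an infect routine would use to avoid infecting a file twice. Second, whether the file's modification time has been rolled back to hide the infection: utime() can reset mtime, but the inode change time ctime is written only by the kernel, so a file whose ctime sits far ahead of its mtime is a red flag. The signature string, the one-hour slack, the fixture laid out under /tmp (or the current directory) and the packed self_check result are all constructed here for illustration; a real scanner would carry a database of signatures. Unlike Fig. 9-28 the walk uses openat and fstatat relative to a directory descriptor instead of chdir, so a symbolic link is never followed and no chdir("..") bookkeeping is needed.

```c
#define _GNU_SOURCE                 /* fdopendir, fstatat, utimensat, memmem on glibc */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Constructed stand-in for a real signature: an overwriting virus copies its own body
 * over every victim, so the same bytes turn up at the head of every infected file. */
static const char SIGNATURE[] = "OVERWRITER-SAMPLE-MARKER";
/* utime() can roll mtime back, but only the kernel writes ctime: a gap of more than
 * this many seconds between the two (an assumed slack) is reported. */
#define CTIME_SLACK 3600

struct scan_result {
    int executables;    /* regular files with an execute bit that were examined */
    int signature;      /* ...whose first 4 KB contain SIGNATURE                */
    int time_anomaly;   /* ...whose mtime is more than CTIME_SLACK behind ctime */
};

static int head_has_signature(int fd)
{
    char buf[4096];
    ssize_t n = pread(fd, buf, sizeof buf, 0);
    return n > 0 && memmem(buf, (size_t)n, SIGNATURE, sizeof SIGNATURE - 1) != NULL;
}

/* Unlike Fig. 9-28 this never calls chdir(): every lookup is relative to dirfd, so a
 * symlink or rename cannot redirect the walk and no chdir("..") bookkeeping is needed. */
static void scan_at(int dirfd, struct scan_result *r)
{
    DIR *dirp = fdopendir(dirfd);                 /* the stream now owns dirfd */
    struct dirent *dp; struct stat st;
    if (dirp == NULL) { close(dirfd); return; }
    while ((dp = readdir(dirp)) != NULL) {
        if (strcmp(dp->d_name, ".") == 0 || strcmp(dp->d_name, "..") == 0) continue;
        if (fstatat(dirfd, dp->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) continue;
        if (S_ISDIR(st.st_mode)) {
            int sub = openat(dirfd, dp->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
            if (sub >= 0) scan_at(sub, r);
            continue;
        }
        /* symlinks, devices and fifos are not S_ISREG and are skipped here */
        if (!S_ISREG(st.st_mode) || !(st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) continue;
        r->executables++;
        int fd = openat(dirfd, dp->d_name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        if (fd >= 0) { r->signature += head_has_signature(fd); close(fd); }
        if (st.st_ctime - st.st_mtime > CTIME_SLACK) r->time_anomaly++;
    }
    closedir(dirp);
}

struct scan_result scan_tree(const char *root)
{
    struct scan_result r = { 0, 0, 0 };
    int fd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd >= 0) scan_at(fd, &r);
    return r;
}

/* Constructed fixture so the scanner can be exercised offline. */
static const struct { const char *name; int infected; mode_t mode; int days_old; } FIXTURE[] = {
    { "ok",         0, 0755, 0 },    /* clean executable                       */
    { "infected",   1, 0755, 0 },    /* overwritten by the virus               */
    { "stealth",    1, 0755, 2 },    /* overwritten, then mtime rolled back    */
    { "sub/nested", 1, 0755, 0 },    /* overwritten, one directory level down  */
    { "notes.txt",  1, 0644, 0 },    /* signature in a non-executable: ignored */
};
#define NFIXTURE (sizeof FIXTURE / sizeof FIXTURE[0])

int build_fixture(char *root)                     /* root: mkdtemp() template, edited in place */
{
    char p[4096];
    if (mkdtemp(root) == NULL) return -1;
    snprintf(p, sizeof p, "%s/sub", root);  mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/loop", root); symlink(".", p);   /* a link back to the root */
    for (size_t i = 0; i < NFIXTURE; i++) {
        snprintf(p, sizeof p, "%s/%s", root, FIXTURE[i].name);
        const char *body = FIXTURE[i].infected ? SIGNATURE : "#!/bin/sh\necho ok\n";
        int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, FIXTURE[i].mode);
        if (fd < 0 || write(fd, body, strlen(body)) < 0) return -1;
        close(fd);
        if (FIXTURE[i].days_old > 0) {            /* the "keep mtime unchanged" trick */
            time_t past = time(NULL) - 86400L * FIXTURE[i].days_old;
            struct timespec ts[2] = { { .tv_sec = past }, { .tv_sec = past } };
            utimensat(AT_FDCWD, p, ts, 0);        /* atime/mtime move back; ctime does not */
        }
    }
    return 0;
}

void remove_fixture(const char *root)
{
    char p[4096];
    for (size_t i = 0; i < NFIXTURE; i++) { snprintf(p, sizeof p, "%s/%s", root, FIXTURE[i].name); unlink(p); }
    snprintf(p, sizeof p, "%s/loop", root); unlink(p);
    snprintf(p, sizeof p, "%s/sub", root);  rmdir(p); rmdir(root);
}

/* Builds, scans and removes the fixture; returns executables*100 + signature*10 + time_anomaly. */
int self_check(void)
{
    char root[] = "/tmp/ovscan-XXXXXX", alt[] = "ovscan-XXXXXX";
    char *dir = build_fixture(root) == 0 ? root : (build_fixture(alt) == 0 ? alt : NULL);
    if (dir == NULL) return -1;
    struct scan_result r = scan_tree(dir); remove_fixture(dir);
    return r.executables * 100 + r.signature * 10 + r.time_anomaly;
}

int main(void) { printf("self_check() = %d (431 = 4 executables, 3 signature hits, 1 time anomaly)\n", self_check()); return 0; }
```

Compiled and run on its own it creates the fixture, scans it, prints the packed result and deletes the fixture again; the same loop pointed at / instead of the fixture is the antivirus sweep the text describes. Two caveats carry over to real use: a virus that infects only one file in 128 leaves most executables clean, so a signature miss proves nothing about the system, and ctime legitimately runs ahead of mtime after a chmod or chown, so the time check ranks candidates for a closer look rather than convicting them.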
From Virgil's point of view, the problem with an overwriting virus is that it is too easy to detect. After all, when an infected program executes, it may spread the