ch14.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,271 行 · 第 1/5 页

	Today, computer virus researchers refer to the Internet (or any publicly accessible
	computing environment) as <I>the wild</I>. 
<HR>


</BLOCKQUOTE>

<P>Reportedly, the first virus ever detected in the wild emerged in 1986. It was
called the Brain virus. According to the CIAC Virus Database at the U.S. Department
of Energy, the Brain virus was a memory-resident boot sector virus:

<DL>
	<DD>This virus only infects the boot sectors of 360 KB floppy disks. It does no malicious
	damage, but bugs in the virus code can cause loss of data by scrambling data on diskette
	files or by scrambling the File Allocation Table. It does not tend to spread in a
	hard disk environment.
</DL>

<P>The following year brought with it a host of different viruses, including some
that did actual damage. The Merrit virus (which emerged in 1987) could destroy the
file allocation table (FAT) on a floppy disk. This virus apparently went through
several stages of evolution, the most dangerous of which was a version called Golden
Gate. Golden Gate reportedly could reformat the hard disk drive.</P>
<P>Since then, innovations in virus technology have caused these creatures to become
increasingly complex. This has led to classifications. For example, there are basically
three types of virus:

<UL>
	<LI>Master boot sector viruses
	<LI>Boot sector viruses
	<LI>File viruses
</UL>

<P>I have already briefly examined a MBR virus in this chapter. The only material
difference between that type and a garden-variety boot sector virus is that boot
sector viruses target floppies. However, the third class of virus (the file virus)
is a bit different. In contrast to boot sector viruses (which attack only a small
portion of the disk), file viruses can spread systemwide.</P>
<P>Most often, file viruses infect only a particular class of file--usually executable
files. COM and EXE files are good examples. File viruses, however, are not restricted
to executables; some will infect overlay files (OVL) or even system driver files
(SYS, DRV).


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Do you remember that I explained
	that viruses are rarely found in upper memory? When such viruses are found, they
	are usually riding on a driver, such as a SYS or DRV file. PC users who worked extensively
	with the DOS/Windows combination will remember various drivers that required an upper-memory
	load. 
<HR>


</BLOCKQUOTE>

<P>It is estimated that there are currently more than 7,000 file viruses on the DOS
platform alone. As you might expect, virus authors are eager to write file viruses
because of how far these can spread. Given 10 days on a computer system, a file virus
can effectively infect the majority (or perhaps even all) of the executable files
on the hard disk drive. This is due to the manner in which file viruses operate.
(See Figure 14.8.)</P>
<P><A NAME="08"></A><A HREF="08.htm"><B>Figure 14.8.</B></A><B><BR>
</B><I>Normal operation and execution of a program.</I></P>
<P>Under normal operations (on a noninfected machine), a command is executed and
loaded into memory without event. (This could equally be a COM file. In Figure 14.8,
I just happened to have used the <TT>.EXE</TT> extension.) When a file virus is present,
however, the process is complicated because the virus now intercepts the call. (See
Figure 14.9.)</P>
<P><A NAME="09"></A><A HREF="09.htm"><B>Figure 14.9.</B></A><B><BR>
</B><I>Loading a program with a file virus present.</I></P>
<P>First, the virus temporarily intercepts the process for long enough to infect
the program file. After infecting the program file, the virus releases its control
over the system, returning the reins to the operating system. The operating system
then loads the infected file into memory. This process will be repeated for each
file loaded into the system memory. Stop and think for a moment about this. How many
files are loaded into memory in the course of a business day? This is how file viruses
ultimately achieve systemic infection of the system.</P>
<P>In addition to the classifications of viruses, there are also different <I>types</I>
of viruses. These types are derived from the manner in which the virus operates or
what programming techniques were employed in its creation. Here are two:

<UL>
	<LI><I>Stealth viruses</I> use any of a number of techniques to conceal the fact
	that the drive has been infected. For example, when the operating system calls for
	certain information, the stealth virus responds with that information as it was prior
	to infection. In other words, when the infection first occurs, the virus records
	the information necessary to later fool the operating system (and virus scanners).<BR>
	<BR>
	
	<LI><I>Polymorphic viruses</I> are a relatively new phenomenon, and they are infinitely
	more complex than their counterparts. Polymorphic viruses can <I>change</I>, making
	them more difficult to identify. There have been instances of a polymorphic virus
	using advanced encryption techniques. This amounts to a signature that may change.
	This process of changing is called <I>mutation</I>. In mutation, the virus may change
	its size and composition. Because virus scanners most often search for known patterns
	(by size, checksum, date, and so forth), a well-crafted polymorphic virus can evade
	detection. To combat this new technique, virus specialists create scanners that can
	identify encryption patterns.
</UL>

<P>Virus technology continues to increase in complexity, largely due to the number
of new viruses that are discovered. The likelihood of contracting a virus on the
Internet is slim, but not impossible. It depends on where you go. If you are an individual
and you frequent the back alleys of the Internet, you should exercise caution in
downloading any file (digitally signed or otherwise). Usenet newsgroups are places
where viruses might be found, especially in those newsgroups where hot or restricted
material is trafficked. Examples of such material include warez (pirated software)
or pornography. I would strongly caution against downloading any zipped or archived
file from groups trafficking this type of material. Similarly, newsgroups that traffic
cracking utilities are suspect.</P>
<P>If you are a system administrator, I have different advice. First, it is true
that the majority of viruses are written for the IBM-compatible platforms (specifically,
platforms on which users run DOS, Windows, Windows NT, and Windows 95). If your network
is composed of machines running these operating systems and you offer your users
access to the Internet, you have a problem.</P>
<P>There is no reliable way to restrict the types of files that your users download.
You can institute policies that forbid all downloads, and your users will probably
still download a file here and a file there. Human nature is just that way. Therefore,
I would recommend that you run memory-resident virus scanners on all machines in
the domain, 24 hours a day. (At the end of this section, you will find some resources
for obtaining such products.)</P>
<P>To learn more about how viruses work, you should spend some time at a virus database
on the Internet. There are several such databases that provide exhaustive information
on known viruses. The most comprehensive and useful site I have ever found is at
the Department of Energy.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Find the Department of
	Energy site online at <A HREF="http://ciac.llnl.gov/ciac/CIACVirusDatabase.html"><TT>http://ciac.llnl.gov/ciac/CIACVirusDatabase.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>The list is presented in alphabetical order, but can be traversed by searching
for platform. You will instantly see that most viruses were written for the Microsoft
platform, and the majority of those for DOS. What you will not see are any known
in-the-wild viruses for UNIX. However, by the time this book is printed, such information
may be available. There is talk on the Internet of a virus for the Linux platform
called <I>Bliss</I>.</P>
<P>Reports on Bliss at the time of this writing are sketchy, but it appears that
Bliss <I>is</I> a virus. There is some argument on the Internet as to whether Bliss
qualifies more as a trojan, but the majority of reports suggest otherwise. Furthermore,
it is reported that it compiles cleanly on other UNIX platforms.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The only known system
	tool that checks for Bliss infection was written by Alfred Huger and is located online
	at <A HREF="ftp://ftp.secnet.com/pub/tools/abliss.tar.gz"><TT>ftp://ftp.secnet.com/pub/tools/abliss.tar.gz</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>It is extremely unlikely that your box would be infected. The author of the program
took steps to prevent all but experienced programmers from unpacking and using this
virus. However, if you should discover that your machine is infected with this new
virus, you should immediately submit a report to Usenet and several bug lists, describing
what, if any, damage has been done to your system.</P>
<P>I would like to explain why the majority of viruses are written for personal computer
platforms and not for UNIX, for example. In UNIX (and also in Windows NT), great
control can be exercised over who has access to files. Restrictions can be placed
on a file so that user A can access the file but user B cannot. Because of this phenomenon
(called <I>access control</I>), viruses would be unable to travel very far in such
an environment. They would not, for example, be able to cause a systemic infection.</P>
<P>In any event, viruses do represent a risk on the Internet. That risk is obviously
more relevant to those running DOS or any variant of Windows. Following are some
tools to keep your system safe from virus attack.
<H3><FONT COLOR="#000077"><B>Virus Utilities</B></FONT></H3>
<P>Following is a list of well-known and reliable virus-detection utilities. I have
experience using all the entries in this list, and can recommend every one. However,
I should stress that just because a utility is absent from this list does not mean
that it isn't good. Hundreds of virus-detection utilities are available on the Internet.
Most of them employ similar techniques of detection.
<H4><FONT COLOR="#000077"><B>VirusScan for Windows 95</B></FONT></H4>
<P>VirusScan for Windows 95 by McAfee can be found online at

<UL>
	<LI><A HREF="http://www.mcafee.com"><TT>http://www.mcafee.com</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Thunderbyte Anti-Virus for Windows 95</B></FONT></H4>
<P>Thunderbyte Anti-Virus for Windows 95 can be found online at

<UL>
	<LI><A HREF="http://www.thunderbyte.com"><TT>http://www.thunderbyte.com</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Norton Anti-Virus for DOS, Windows 95, and Windows NT</B></FONT></H4>
<P>Norton Anti-Virus for DOS, Windows 95, and Windows NT by Symantec can be found
online at

<UL>
	<LI><A HREF="http://www.symantec.com/avcenter/index.html"><TT>http://www.symantec.com/avcenter/index.html</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>ViruSafe</B></FONT></H4>
<P>ViruSafe by Eliashim can be found online at

<UL>
	<LI><TT>h</TT><A HREF="ttp://www.eliashim.com/"><TT>ttp://www.eliashim.com/</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>PC-Cillin II</B></FONT></H4>
<P>PC-Cillin II by Check-It can be found online at

<UL>
	<LI><A HREF="http://www.checkit.com/tshome.htm"><TT>http://www.checkit.com/tshome.htm</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>FindVirus for DOS v. 7.68</B></FONT></H4>
<P>Dr. Solomon's FindVirus for DOS version 7.68 can be found online at

<UL>
	<LI><A HREF="http://www.drsolomon.com/"><TT>http://www.drsolomon.com/</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Sweep for Windows 95 and Windows NT</B></FONT></H4>
<P>Sweep for Windows 95 and Windows NT by Sophos can be found online at

<UL>
	<LI><A HREF="http://www.sophos.com/"><TT>http://www.sophos.com/</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Iris Antivirus Plus</B></FONT></H4>
<P>Iris Antivirus Plus by Iris Software can be found online at

<UL>
	<LI><A HREF="http://www.irisav.com/"><TT>http://www.irisav.com/</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>LANDesk Virus Protect v4.0 for NetWare and Windows NT</B></FONT></H4>
<P>LANDesk Virus Protect version 4.0 for NetWare and Windows NT by Intel can be found
online at

<UL>
	<LI><A HREF="http://www.intel.com/comm-net/sns/showcase/netmanag/ld_virus/"><TT>http://www.intel.com/comm-net/sns/showcase/netmanag/ld_virus/</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Norman Virus Control</B></FONT></H4>
<P>Norman Virus Control by Norman Data Defe