First Example of Malicious Code: The Brain Virus
One of the earliest viruses is also one of the most intensively studied. The so-called Brain virus was given its name because it changes the label of any disk it attacks to the word "BRAIN." This particular virus, believed to have originated in Pakistan, attacks PCs running an old Microsoft operating system. Numerous variants have been produced; because of the number of variants, people believe that the source code of the virus was released to the underground virus community.
What It Does
The Brain, like all viruses, seeks to pass on its infection. This virus first locates itself in upper memory and then executes a system call to reset the upper memory bound below itself so that it is not disturbed as it works. It traps interrupt number 19 (disk read) by resetting the interrupt address table to point to it and then sets the address for interrupt number 6 (unused) to the former address of interrupt 19. In this way, the virus screens disk read calls, handling any that would read the boot sector (passing back the original boot contents that were moved to one of the bad sectors); other disk calls go to the normal disk read handler, through interrupt 6.
The Brain virus appears to have no effect other than passing on its infection, as if it were an experiment or a proof of concept. However, variants of the virus erase disks or destroy the file allocation table (the table that shows which files are where on a storage medium).
How It Spreads
The Brain virus positions itself in the boot sector and in six other sectors of the disk. One of the six sectors will contain the original boot code, moved there from the original boot sector, while two others contain the remaining code of the virus. The remaining three sectors contain a duplicate of the others. The virus marks these six sectors "faulty" so that the operating system will not try to use them. (With low-level calls, you can force the disk drive to read from what the operating system has marked as bad sectors.) The virus allows the boot process to continue.
Once established in memory, the virus intercepts disk read requests for the disk drive under attack. With each read, the virus reads the disk boot sector and inspects the fifth and sixth bytes for the hexadecimal value 1234 (its signature). If it finds that value, it concludes that the disk is infected; if not, it infects the disk as described in the previous paragraph.
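The two mechanisms described above, the interrupt-table redirection and the two-byte signature in the boot sector, are exactly what an early scanner looked for. The following is an added example written for this page, not code from the text or from any real scanner: it models a boot-sector signature check and a real-mode interrupt-vector check over constructed sample data. It assumes the signature is stored as a little-endian 16-bit word at the fifth and sixth bytes (offset 4), and that a disk-service vector pointing below segment 0xC000 (i.e. into conventional RAM rather than a ROM) is suspicious; the segment floor and the sample images are assumptions made for illustration.

```python
"""Added example (not from the text): two boot-time checks modelled on the
Brain virus description. All sample data below is constructed here."""
import struct

SECTOR_SIZE = 512
BRAIN_SIGNATURE = 0x1234        # value the text says sits in bytes five and six
SIGNATURE_OFFSET = 4            # zero-based offset of the fifth byte
INT13_VECTOR_OFFSET = 0x13 * 4  # real-mode IVT: 4 bytes per vector (offset, segment); 19 decimal = 0x13
ROM_SEGMENT_FLOOR = 0xC000      # assumption: BIOS and option ROMs live at or above this segment


def has_brain_signature(boot_sector):
    """Same test the virus itself makes: is the 16-bit word at offset 4 equal to 0x1234?
    Assumes little-endian byte order (bytes 0x34 0x12 on disk)."""
    if len(boot_sector) < SECTOR_SIZE:
        raise ValueError("boot sector image must be at least 512 bytes")
    (word,) = struct.unpack_from("<H", boot_sector, SIGNATURE_OFFSET)
    return word == BRAIN_SIGNATURE


def int13_vector(ivt):
    """Return (segment, offset) of the disk-service interrupt vector from a 1 KiB IVT image."""
    offset, segment = struct.unpack_from("<HH", ivt, INT13_VECTOR_OFFSET)
    return segment, offset


def int13_looks_hooked(ivt):
    """Heuristic: a disk-read vector pointing into conventional RAM (below the ROM
    area) means something resident has taken it over. Legitimate resident disk
    drivers trigger the same heuristic, so treat a hit as a lead, not a verdict."""
    segment, _ = int13_vector(ivt)
    return segment < ROM_SEGMENT_FLOOR


def make_boot_sector(infected):
    """Constructed 512-byte sample: a DOS-style boot sector, optionally carrying the signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"          # JMP short + NOP, typical boot sector start
    if infected:
        struct.pack_into("<H", sector, SIGNATURE_OFFSET, BRAIN_SIGNATURE)
    sector[510:512] = b"\x55\xAA"          # boot signature required by the BIOS
    return bytes(sector)


def make_ivt(int13_segment, int13_offset=0):
    """Constructed 256-entry interrupt vector table with only the disk-service entry set."""
    ivt = bytearray(256 * 4)
    struct.pack_into("<HH", ivt, INT13_VECTOR_OFFSET, int13_offset, int13_segment)
    return bytes(ivt)


def scan(boot_sector, ivt):
    """Combine both checks into one report dictionary."""
    return {
        "boot_sector_signature": has_brain_signature(boot_sector),
        "disk_vector_in_ram": int13_looks_hooked(ivt),
    }


if __name__ == "__main__":
    clean = scan(make_boot_sector(False), make_ivt(0xF000, 0xEC59))   # vector in ROM
    suspect = scan(make_boot_sector(True), make_ivt(0x9F80, 0x0000))  # vector in high RAM
    print("clean disk  :", clean)
    print("infected    :", suspect)
```

The signature check is a static test on a sector image, so it works on disk images pulled offline; the vector check only means something on a live machine (or a memory dump) and, as the comment notes, also fires on benign resident disk drivers, which is why period scanners paired it with the on-disk signature rather than relying on it alone.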
What Was Learned
This virus uses some of the standard tricks of viruses, such as hiding in the boot sector, and intercepting and screening interrupts. The virus is almost a prototype for later efforts. In fact, many other virus writers seem to have patterned their work on this basic virus. Thus, one could say it was a useful learning tool for the virus writer community.
Sadly, its infection did not raise public consciousness of viruses, other than a certain amount of fear and misunderstanding. Subsequent viruses, such as the Lehigh virus that swept through the computers of Lehigh University, the nVIR viruses that sprang from prototype code posted on bulletin boards, and the Scores virus that was first found at NASA in Washington, D.C., circulated more widely and with greater effect. Fortunately, most viruses seen to date have a modest effect, such as displaying a message or emitting a sound. That is, however, a matter of luck, since the writers who could put together the simpler viruses obviously had all the talent and knowledge to make much more malevolent viruses.
There is no general cure for viruses. Virus scanners are effective against today's known viruses and general patterns of infection, but they cannot counter tomorrow's variant. The only sure prevention is complete isolation from outside contamination, which is not feasible; in fact, you may even get a virus from the software applications you buy from reputable vendors.