Identifying the vulnerable areas

Let’s start by logically starting at the root and working our way up.

BIOS

The BIOS is the computer’s firmware. Its purpose is to identify what is attached and start it up. All of the BIOS functions are stored on a chip physically attached to the system board. The CIH virus was able to corrupt the BIOS on old system boards by attacking a certain chipset. Newer system boards use different chipsets, so the threat of this particular virus is irrelevant. However, as a proof of concept, the CIH virus shows a capability for infection in the future.

Boot Sector

The boot sector is essentially the Master Boot Record (MBR). The MBR acts like an air traffic controller: it directs data through the different partitions and along the different segments to the different sectors.

Kernel

The operating system kernel, whether it is a UNIX, OS X or Windows kernel, is the brain behind the whole operating system. The kernel leverages the physical hardware (CPU, RAM, hard disk) and provides a space for applications to run. Like a brain tumour, if the kernel is infected then it affects all the other systems: the file system, the network system, and so on.

Services

Services are essentially the same in each operating system. A service is an executable that runs when the operating system is started up. Certain services, such as SYSTEM, NETWORK SERVICE and LOCAL SERVICE, are vulnerable to injection from a virus. In addition, new services may be created (and may be hidden) to facilitate the execution of a virus.
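One way to review the service list on a Windows workstation is to compare each service’s binary path and the account it runs under against where legitimate service binaries normally live. The PowerShell below is an added example, not code from the original article; the choice of the Windows and Program Files directories as “expected” locations is my own assumption, and it assumes an elevated prompt.

```powershell
# Added example (not from the original article): list services whose binary
# does not live under the Windows or Program Files directories.
# Assumptions: elevated PowerShell on the workstation being examined; the
# "trusted" directories below are a judgement call, not a rule.

$trustedRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }   # drop the null entry on 32-bit hosts

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName is either quoted ("C:\...\svc.exe" -arg) or unquoted with arguments.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' -| /')[0].Trim()
}

function Get-SuspiciousServices {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }   # a few services report no path; skip them
        $bin = Get-ServiceBinaryPath $_.PathName
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($bin -like "$root\*") { $inTrusted = $true; break }
        }
        if (-not $inTrusted) {
            # StartName shows the account (SYSTEM, NETWORK SERVICE, LOCAL SERVICE, ...)
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Account   = $_.StartName
                Binary    = $bin
            }
        }
    }
}

Get-SuspiciousServices | Format-Table -AutoSize
```

A service outside those directories is not automatically malicious (many vendors install elsewhere), but the short list this produces is the one worth checking by hand: confirm the binary is signed and that its name and start mode match a product you know is installed.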

Startup

When the operating system first starts, a number of applications start with it; these can be classified as “Terminate and Stay Resident” (TSR) applications. Good examples of TSR applications are “Adobe Reader_sl” and the “iTunes Helper”. Most viruses exploit the startup group in one way or another. Simply removing the virus or Trojan from the startup group will not always completely remove the virus; we will have to resort to more drastic measures.

Registry

The registry is the place where almost all viruses infect a workstation. Some notable places are the RunServicesOnce, RunOnce and RunServices sections of the registry, and the file-type handlers below:

[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
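The startup group (the Run* keys) and the file-type handlers just listed can both be checked from one script. The PowerShell below is an added example and is not part of the original article. It assumes an elevated prompt, and it maps HKEY_CLASSES_ROOT as a drive because PowerShell does not expose it by default. The stock value `"%1" %*` for exefile, comfile, batfile and piffile comes from my own knowledge of Windows rather than from the page; htafile’s stock handler launches mshta.exe, so that key is listed for manual review instead of being compared.

```powershell
# Added example (not from the original article): audit the Run* startup keys
# and the shell\open\command handlers for the executable file types.
# Assumptions: elevated PowerShell; HKCR: mapped below because PowerShell
# does not provide that drive by default.

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-StartupEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }   # RunServices* exist only on older Windows
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Stock handler for each type: run the file itself, then pass the remaining args.
# htafile is $null because its stock handler runs mshta.exe; inspect it by hand.
$expected = @{
    exefile = '"%1" %*'
    comfile = '"%1" %*'
    batfile = '"%1" %*'
    piffile = '"%1" %*'
    htafile = $null
}

function Test-ShellOpenCommands {
    foreach ($hive in 'HKCR:', 'HKLM:\Software\Classes') {
        foreach ($type in $expected.Keys) {
            $key = "$hive\$type\shell\open\command"
            if (-not (Test-Path $key)) { continue }
            $actual = (Get-ItemProperty -Path $key).'(default)'
            $verdict = if ($null -eq $expected[$type]) { 'review' }
                       elseif ($actual -ne $expected[$type]) { 'HIJACKED' }
                       else { 'ok' }
            [pscustomobject]@{ Key = $key; Value = $actual; Verdict = $verdict }
        }
    }
}

Get-StartupEntries     | Format-Table -AutoSize
Test-ShellOpenCommands | Format-Table -AutoSize
```

A handler whose value is anything other than the stock string (for example a path to another executable placed in front of `"%1"`) means that program runs every time a file of that type is opened, which is why the article lists these keys; restoring the stock value is part of the clean-up, but the executable it pointed to still has to be found and removed.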

Browser Helper Objects

Browser Helper Objects are neutral. They can be used for good purposes; however, most of the time they are used for nefarious purposes. Browser Helper Objects (BHOs) can be installed in numerous ways. Some are installed by an ActiveX control and some come bundled with a “helpful” utility. BHOs can do anything from tracking and reporting web browsing, to opening a pop-up every 5 seconds, to being a “hook” to get a more pervasive virus into the operating system. Internet Explorer 6 and previous versions are notorious for being vulnerable to attack.
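Because a BHO is just a COM class that Internet Explorer loads at start-up, listing the installed ones comes down to reading the registration keys and resolving each CLSID to its DLL. The PowerShell below is an added example, not code from the original article; it assumes the standard registration location under HKLM (plus the Wow6432Node copy on 64-bit Windows) and maps HKEY_CLASSES_ROOT as a drive to look up each class.

```powershell
# Added example (not from the original article): list registered Browser Helper
# Objects and the DLL each one loads into Internet Explorer.
# Assumption: run on the workstation being examined; HKCR: mapped because
# PowerShell does not expose that drive by default.

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$bhoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BrowserHelperObjects {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($clsidKey in Get-ChildItem -Path $key) {
            $clsid    = $clsidKey.PSChildName        # the {GUID} subkey name
            $classKey = "HKCR:\CLSID\$clsid"
            $name = $dll = $null
            if (Test-Path $classKey) {
                $name = (Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue).'(default)'
                $dll  = (Get-ItemProperty -Path "$classKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
                if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            }
            # A BHO whose class has no DLL, or whose DLL is missing from disk, is
            # either the remnant of a removed tool or something hiding its location;
            # both deserve a closer look.
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                DLL       = $dll
                DllExists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            }
        }
    }
}

Get-BrowserHelperObjects | Format-Table -AutoSize
```

Run it before and after installing a “helpful” utility and the difference shows exactly what was added to the browser; for an entry you do not recognise, the DLL path and its signer are the first things to check.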

Frameworks

This leads us to the last area we will address in this document, and that is browsing and frameworks. When one browses to a website, the website developer gains a lot more tools to develop the website by using a framework. When the web server is Unix or Linux based, the framework typically used is the Java Runtime Environment. On a Windows server, when the web server is IIS, the framework typically utilized is the .NET Framework. Both of these frameworks have their share of exploits and can allow a hacker to gain access to the computer and workstation.

What this means for the end user is that by simply browsing to a website their system or workstation can be compromised. So the executive in your organization who browses to College Girls Gone Wild on his lunch break is opening your infrastructure to infection, not to mention a harassment suit. In recent months, the Flash Platform has been gaining notoriety for various exploits that have allowed keystrokes to be logged and sent outside.
