CISSP® Official Study Guide, Eighth Edition


Virus Propagation Techniques



(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Virus Propagation Techniques
By definition, a virus must contain technology that enables it to spread from system to system, aided by unsuspecting computer users seeking to share data by exchanging disks, sharing networked resources, sending electronic mail, or using some other means. Once viruses have “touched” a new system, they use one of several propagation techniques to infect the new victim and expand their reach. In this section, we’ll look at four common propagation techniques: master boot record infection, file infection, macro infection, and service injection.

Master Boot Record Viruses
The master boot record (MBR) virus is one of the earliest known forms of virus infection. These viruses attack the MBR—the portion of bootable media (such as a hard disk, Universal Serial Bus (USB), or compact disc/digital versatile disc (CD/DVD)) that the computer uses to load the operating system during the boot process. Because the MBR is extremely small (usually 512 bytes), it can’t contain all the code required to implement the virus’s propagation and destructive functions. To bypass this space limitation, MBR viruses store the majority of their code on another portion of the storage media. When the system reads the infected MBR, the virus instructs it to read and execute the code stored in this alternate location, thereby loading the entire virus into memory and potentially triggering the delivery of the virus’s payload.

The Boot Sector and the Master Boot Record
You’ll often see the terms boot sector and master boot record used interchangeably to describe the portion of a storage device used to load the operating system and the types of viruses that attack that process. This is not technically correct. The MBR is a single disk sector, normally the first sector of the media that is read in the initial stages of the boot process. The MBR determines which media partition contains the operating system and then directs the system to read that partition’s boot sector to load the operating system.

Viruses can attack both the MBR and the boot sector, with substantially similar results. MBR viruses act by redirecting the system to an infected boot sector, which loads the virus into memory before loading the operating system from the legitimate boot sector. Boot sector viruses actually infect the legitimate boot sector and are loaded into memory during the operating system load process.

Most MBR viruses are spread between systems through the use of infected media inadvertently shared between users. If the infected media is in the drive during the boot process, the target system reads the infected MBR, and the virus loads into memory, infects the MBR on the target system’s hard drive, and spreads its infection to yet another machine.
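
Because the MBR is a single 512-byte sector that selects the partition to boot, it can be parsed and integrity-checked offline. The following is an added example, not code from the study guide: it reads a saved copy of an MBR sector, lists the partition entries, and compares a hash of the boot code against a baseline recorded while the system was trusted. The function names, the sample sector, and the rule that a boot disk has exactly one active partition are assumptions made for this illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440    # bytes 0-439: bootstrap code (440-445: optional disk signature)
PART_TABLE_OFF = 446   # four 16-byte partition entries
SIGNATURE_OFF = 510    # last two bytes must be 55 AA
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the used partition entries of a classic MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": partitions}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare a sector with a known-good hash; an empty list means no findings."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:  # assumption: a boot disk has exactly one active partition
        findings.append(f"expected 1 active partition, found {len(active)}")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: one active type-0x07 partition at LBA 2048."""
    entry = ENTRY.pack(0x80, 0x07, 2048, 204800)
    return boot_code.ljust(PART_TABLE_OFF, b"\x00") + entry + bytes(48) + b"\x55\xaa"


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0")               # constructed bytes
    baseline = parse_mbr(clean)["boot_code_sha256"]          # recorded while trusted
    print(check_mbr(clean, baseline))                        # unchanged sector
    print(check_mbr(b"\xeb\x10" + clean[2:], baseline))      # boot code altered
```

On a live system the sector should be read from a forensic image or from trusted boot media, since code loaded from an infected MBR runs before the operating system and can influence what later reads return.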
