Any difference between the length of useful code or data in an object and the chosen section alignment is normally padded with nulls by the linker. Information on the alignment of the objects and the size of each object is stored in the PE header and in a series of object tables just after the header. Typical PE files contain five or six objects, all of which have some space that is effectively wasted. It is in these areas that CIH stores its code, thus infecting a file without increasing its length.
CIH breaks its code into chunks that it uses to fill “slack space” at the end of the sections in its hosts. It checks for files with insufficient slack space, refusing to infect them. However, this is unlikely, since all known variants are just under 1KB along and most PEs will have at least that much free space. A peculiarity of the Borland Linker means files produced by it are uninfectible.
When infecting a file, CIH builds a table of data about the length and location of its code fragments. This, and the minimal code to allocate memory for itself and to piece its code fragment back together, is stored between the PE header and the first object of the host. If there is insufficient space in the header to take this crucial data and code the file is also deemed uninfectible.
Executing an infected file on an uninfected machine causes the virus to hook INT 03H via the interrupt descriptor table and install its own interrupt handier. This makes debugging more difficult and allows the virus to run code at ring zero (with CPU supervisor privileges). It then calls the hooked interrupt and checks the value in Debug Register 0 (DR0). CIH assumes it is already resident if this is non-zero, transferring control back to its host program.
Protected mode interrupts are allocated a CPU privilege level at which their code runs. For INT 03H this is usually ring zero. The pointer to the interrupt handler can, however, be altered from ring three, thus CIH can gain ring zero access to the file system from an infected user application.
CIH sits in the file system API chain waiting for EXE files to be opened. On receiving such a call, it checks whether the file is a PE that is not already infected. Files with a nonzero value in the byte immediately before the PE signature are considered infected. The virus itself writes the first byte from the Ring0 File IO routine into this location when infecting files. This is usually 55h (U’) -- the PUSH EBP epode. When a potential target is found, its header and object table are processed to determine how much of the virus can be placed at the end of each object. There is no lower limit to the code fragment size CIH will place at the end of each object. In testing, it readily inserted a one-byte fragment into a specially modified PE, using eight bytes of its fragment table space to record the fact.
【Vocabulary】
replicate
v. 复制
halt
n. 停止,暂停,中断
fragment
n. 碎片,断片,片段
bypass
vt. 设旁路,迂回
intriguing
adj. 迷人的,有迷惑力的
payload
n. 有效荷载
trigger
vt. 引发,引起,触发
bootstrap
n. 解靴带
random
adj. 任意的,随意的,胡乱的
reprogram
v. 改编,程序重调
align
vt. 排列,使结盟,使成一行
ultraviolet
adj. 紫外线的,紫外的
privilege
n/vt. 给予…特权,特免
variant
adj. 不同的 n. 变数
alignment
n. 队列,结盟
hook
vt. 勾住,沉迷,上瘾
descriptor
n. 描述符
debug
vt. 调试
supervisor
n. 监督人,管理人,检查员
crucial
adj. 至关紧要的,重要的
procedure
n. 程序,手续
【参考译文】
计算机病毒
大部分的病毒能进行自我复制。所有的计算机病毒都是人为制造的。能够反复进行自我复制的简单病毒是很容易制作的。即使一种简单的病毒也是危险的,因为它会很快进驻可用的内存空间并使系统进入停机状态。一种更为危险的病毒类型能够通过网络进行传播并且能够绕过安全系统。
CIH病毒的传播机制的技术细节令病毒研究者很感兴趣,它与其他病毒的不同在于它的本体。这种本体由两部分组成,当条件满足时,这两部分都会发作。由于本体是感染机制的一部分,直到病毒在内存中驻留时它才会发作。CIH发作的条件是一个具有EXE扩展名的非宿主在特定的发作日期被打开。
本体的第一部分发作代码使得CIH病毒受到世界的极大关注。闪存技术已经诞生几年了。把BIOS“闪存化”,通过把BIOS存储在这样的一个芯片中,使得PC的基本引导程序和I/O程序可以用软件来改写。早期的EPROM技术也允许改写BIOS,但需要将芯片拆除下来,在紫外线灯下照射删除原来的内容,然后再用专门的硬件写入新内容。
本体的第二部分是共同的,它用内存中产生的随机数据覆盖系统中每个硬盘的前2048个扇区(1MB)。以这种方式被覆盖的数据将很难或不可能恢复。病毒无止休地寻找新的磁盘,而机器——尽管不断地运行硬盘驱动——对用户的输入毫无反应。
PE 档是可以在Windows 9x 和Windows NT 下运行的可执行档。一个PE档由一个DOS可执行段(通常只是表明程序应在Windows下运行的片段)、PE头部分和几个数据对象组成。这些对象可能包含可执行代码、输入和输出函数信息、数据或复位信息。PE头后面的每个对象都必须在文件中顺序排列,并且以2的偶数次幂为起始边界,范围在512B到64KB之间。
对象中有用的代码或数据的长度和选定扇区的长度的任何不同,通常被连接器以零来填充。对象队列的信息和每个对象的尺寸被保存在 PE 头和一系列紧跟在头后面的对象列表中。典型的头文件包含5~6个对象,它们都有很多空间被浪费了。CIH病毒正是将它的代码存储在这些被浪费的区域,从而感染了档但并没有增加其长度。
CIH将自己使用的代码断成几大块填入宿主片段尾部的“闲散空间”。它检查档是否有足够的闲散空间,如果没有的话,它就不会去感染这样的档。然而,这是不可能的,因为所有已知变量的长度都在1KB以下,而且大多数PE档至少都有那么大的自由空间。唯有 Borland 连接器的特性使得它生成的档无法被感染。
当感染一个档时,CIH将建立一张它自己的代码段数据长度和位置的表,这样,以最小的代码段为自己分配内存,并将这些代码段进行重组,存储于PE头和宿主的第一个对象间。如果头中没有足够的空间来容纳这个重要数据和代码,那么档也被认为无法感染。
在没有被感染的机器上运行一个被感染的文件使得病毒通过中断描述符表占用INT 03H,并安装它自己的中断处理程序,这使得调试更加困难而且允许病毒运行在特权环0 下(CPU超级特权)。然后,它调用被占用的中断并检测调试寄存器0(DR0)的值,如果为非0,CIH会认定它已经驻留在内存中,并放弃控制返回宿主程序。
保护模式下中断会被分配一个CPU优先级,中断程序代码在这一优先级下运行。因为INT 03H 一般是特权环0。但是,指向中断管理程序的指针可以从特权环3改过来,这样CIH就获得了从被感染的用户应用程序到文件系统的特权环0的访问权。
CIH处于文件系统API链中,等待EXE档被打开。一接到这样的命令,它检查这个档是否是一个尚未被感染的PE档。PE标志紧邻的前一个字节是非0值的文件被认为已被感染。当病毒感染文件时,它从特权环0文件输入输出程序向这个位置写入第一个字节,通常是 55H(U’)——PUSH EBP 操作码。当找到一个可能感染的目标时,它的头和对象表会被处理,以确定病毒的多大一部分可以被写入每个对象的末尾。CIH病毒写在每个对象的末尾的代码段的大小没有最低限制。在测试中发现,它能够插入1个字节的片段到一个经过特殊修改的PE档中,同时利用8个字节的片段表空间来记录这一事项。
【Reading Material】
Cyber Security
Hide your Identity
Before you venture online, keep the following facts in mind:
Someone on the Net can make money by selling your personal data.
Every time you go online, you give someone new information--however small a piece it may be--about your preferences.
Some data collectors are not content to wait for you to come to them and may try to trick or steal more information from you.a
