Network Chico security terms glossary
| @ | A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z |
Welcome to the Network Chico
computer security terms glossary.
=C=
CARO: Computer Antivirus
Research Organization. An informal group of professional
antivirus researchers committed to improving the state of the
art.
Cavity Infector: A virus
that searches for a 'hole' in the infection target and inserts
its code there is known as a cavity infector. This infection
technique has the advantage of not increasing the size of the
target, a common telltale of viral infection that can give away
the virus's presence to observant victims. Many programs have
pre-initialized arrays (usually filled with null characters)
and/or stack space filled with common patterns, and a virus can
easily search for areas matching these patterns. If a cavity
infector finds a suitably sized 'hole', it copies itself into
that hole, then patches the program's entry point so the virus
code runs first (or makes whatever other change to the host is
needed to gain control). Because the hole is normally a data area,
the virus must copy itself elsewhere in memory, or simply run to
completion, before the host program initializes or otherwise uses
the area the virus has overwritten. Although cavity infection is
a rarely used technique, one of the first parasitic file infectors,
Lehigh, was a cavity virus. See also Multiple Cavity Infector;
c.f. Appender, Companion Virus, Overwriter, Prepender.
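The following is an added example, not code from the glossary: it performs the same 'hole' search a cavity infector does, over a constructed byte buffer standing in for a program image, and then shows why the entry's point about file size matters for defenders. A size-only integrity check does not notice bytes written into a null-filled area, while a hash comparison does. The sample buffer, the byte values in it and the function names are all assumptions made for the demonstration; no entry point is patched and nothing is made executable.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed stand-in for a program image: 61 bytes of code-like filler,
# a 128-byte zero-filled data area (the 'hole'), then 31 more code-like
# bytes.  It is not a real executable; only the byte layout matters here.
SAMPLE_HOST = (b"\x55\x89\xe5" * 20 + b"\xc3") + bytes(128) + (b"\x90" * 30 + b"\xc3")


def find_cavities(data: bytes, min_len: int = 64, fill: int = 0) -> List[Tuple[int, int]]:
    """Return (offset, length) for every run of at least min_len bytes equal
    to `fill`.  This is the same search a cavity infector performs; run over
    a suspect file it tells you where code could hide without the file
    having grown."""
    cavities = []
    run_start = None
    for i, b in enumerate(data):
        if b == fill:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start >= min_len:
                cavities.append((run_start, i - run_start))
            run_start = None
    if run_start is not None and len(data) - run_start >= min_len:
        cavities.append((run_start, len(data) - run_start))
    return cavities


def overwrite_cavity(host: bytes, payload: bytes, min_len: int = 64) -> Optional[bytes]:
    """Model only the size-preserving step of a cavity infection: place
    `payload` in the first hole large enough for it.  No entry point is
    patched and nothing is made executable; the point is what the file
    looks like afterwards.  Returns None when no hole is big enough."""
    for offset, length in find_cavities(host, min_len):
        if length >= len(payload):
            return host[:offset] + payload + host[offset + len(payload):]
    return None


def integrity_report(before: bytes, after: bytes) -> dict:
    """What a size-only checker versus a hash-based checker would see."""
    return {
        "size_changed": len(before) != len(after),
        "hash_changed": hashlib.sha256(before).digest() != hashlib.sha256(after).digest(),
    }


if __name__ == "__main__":
    print("cavities found:", find_cavities(SAMPLE_HOST))
    modified = overwrite_cavity(SAMPLE_HOST, b"\xcc" * 40)
    print(integrity_report(SAMPLE_HOST, modified))
```

Running it reports one 128-byte cavity at offset 61, and after 40 bytes are written into it the report shows the size unchanged but the hash changed. Raising `min_len` trades missed small holes for fewer false positives on real binaries, where zero runs in section slack are common and harmless.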
CHS: Cylinder, Head,
Sector. The notation by which the location of a disk sector
is supplied to some disk access routines. In this usage, the
term 'track' is analogous to cylinder and 'side' (or occasionally
'surface') is analogous to head, but CHS/Cylinder, Head, Sector
has the advantage of being unambiguous. Note that cylinders and
heads are numbered from zero but sectors from one, so 0,0,1 is the
very first sector on the disk. Its significance in antivirus work
is that boot sector viruses (particularly MBR infectors) commonly
make a 'safe' copy of the original contents of the sector they
infect, and this is often located at a fixed CHS address. Thus,
you may see descriptions of such viruses saying something like
'the original MBR is saved to 0,0,7', meaning, in this case, that
the original MBR was saved to the seventh sector on head (or
'side') zero of cylinder (or 'track') zero.
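As an added example (not part of the glossary), the conversion between a CHS triple and the zero-based logical block address and byte offset you actually need when pulling the saved sector out of a raw disk image. The geometry (16 heads, 63 sectors per track) and the 16-sector image with a marker at 0,0,7 are assumptions constructed for the demonstration; a real image's geometry comes from the BIOS or partition table.

```python
from typing import Tuple

SECTOR_SIZE = 512

# Geometry is an assumption for the demonstration (16 heads, 63 sectors per
# track, a common BIOS-reported geometry for small DOS-era drives).  Real
# values come from the BIOS or the partition table of the disk in question.
HEADS = 16
SECTORS_PER_TRACK = 63


def chs_to_lba(cyl: int, head: int, sector: int,
               heads: int = HEADS, spt: int = SECTORS_PER_TRACK) -> int:
    """Cylinders and heads count from 0, sectors from 1, so 0,0,1 is LBA 0
    and the glossary's 0,0,7 is LBA 6."""
    if cyl < 0 or not 0 <= head < heads or not 1 <= sector <= spt:
        raise ValueError("CHS triple outside the stated geometry")
    return (cyl * heads + head) * spt + (sector - 1)


def lba_to_chs(lba: int, heads: int = HEADS, spt: int = SECTORS_PER_TRACK) -> Tuple[int, int, int]:
    """Inverse of chs_to_lba for the same geometry."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec0 = divmod(rem, spt)
    return cyl, head, sec0 + 1


def read_chs_sector(image: bytes, cyl: int, head: int, sector: int,
                    heads: int = HEADS, spt: int = SECTORS_PER_TRACK) -> bytes:
    """Pull one sector out of a raw disk image by its CHS address."""
    offset = chs_to_lba(cyl, head, sector, heads, spt) * SECTOR_SIZE
    if offset + SECTOR_SIZE > len(image):
        raise ValueError("sector lies beyond the end of the image")
    return image[offset:offset + SECTOR_SIZE]


def _build_image() -> bytes:
    """Constructed 16-sector image: all zeros except a marker sector at 0,0,7,
    standing in for the 'safe' copy of an MBR described in the entry.  The
    trailing 0x55AA is the real boot-sector signature; the rest is filler."""
    img = bytearray(16 * SECTOR_SIZE)
    saved = b"SAVED-MBR".ljust(510, b"\x00") + b"\x55\xaa"
    start = chs_to_lba(0, 0, 7) * SECTOR_SIZE
    img[start:start + SECTOR_SIZE] = saved
    return bytes(img)


CONSTRUCTED_IMAGE = _build_image()

if __name__ == "__main__":
    print("0,0,7 is LBA", chs_to_lba(0, 0, 7), "at byte offset", chs_to_lba(0, 0, 7) * SECTOR_SIZE)
    print("sector 0,0,7 starts with", read_chs_sector(CONSTRUCTED_IMAGE, 0, 0, 7)[:9])
```

On a real image the same call with `open(path, "rb").read()` recovers the saved MBR so that it can be compared with sector 0,0,1 and, if it carries a sane partition table and the 0x55AA signature, written back.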
Class Infector: A class
infector is a macro virus whose code resides in one or more class
modules. Class infectors became popular among macro virus writers
shortly after the SR-1 (Service Release 1) version of Word 97
became available. With that version of Word, Microsoft introduced
an undocumented antivirus feature that prevented the successful
replication of most existing Word macro viruses. Under that version
of Word, the most that earlier viruses could do was infect the
normal template; they were not able to spread from there to documents.
(This feature is present in all later versions of Word, including
Word 98 for the Macintosh.) Class infection, per se, was not
necessary to subvert the SR-1 measures, but the first virus writer
who realized what was happening coincidentally moved to infecting
the default document class object.
Cluster Virus: Apart from
directly infecting host files as appenders and prependers do,
there are other ways to intercept calls to an executable file
and have some other code run instead of, or before, the code
from the intended file. One such method is cluster infection,
used by a small number of DOS viruses. On a FAT file system this
method usually involves saving the virus's code to the disk in a
cluster of its own, then altering the directory entry of each
'infected' file. The required directory entry change is to set the
field that points to the first cluster of the file to the cluster
holding the virus code, and to record the original initial cluster
of the infected file in an unused field of the directory entry. When
the user tries to execute an infected program, the operating system
reads the virus from the apparent first cluster of the executable
file and runs it. The virus does whatever else it is designed to do,
then loads and executes the original file, using the correct
first cluster information it saved during the infection process.
A side effect is that every infected file's directory entry points
at the same first cluster, something that never happens on a clean
volume. Dir-II was the first cluster virus and was in the wild for
some time. Because the cluster infection technique interferes with
the linking of cluster chains apparently assigned to a file, these
viruses are occasionally referred to as 'link viruses', although
this usage should be avoided.
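An added example, not code from the glossary or from any real tool: a parser for 32-byte FAT directory entries plus the two checks a practitioner would run against a cluster virus, namely several entries sharing one first cluster and a non-zero value in a field that FAT12/16 leaves reserved. The directory region is constructed inline (names, cluster numbers and sizes are invented), and the choice of bytes 20-21 as the 'unused field' in which the original cluster is stashed is an assumption for the demonstration, not a claim about where Dir-II kept it.

```python
import struct
from typing import Dict, List

ENTRY_FMT = "<11sBBBHHHHHHHI"   # one 32-byte FAT directory entry
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)
ATTR_LONG_NAME = 0x0F
PROGRAM_EXTS = {"COM", "EXE"}


def make_entry(name83: str, first_cluster: int, size: int, stash: int = 0) -> bytes:
    """Build a constructed FAT12/16 directory entry.  `stash` is written into
    bytes 20-21, reserved on FAT12/16 (FAT32 later used them for the high
    word of the cluster number); here it models the 'unused field' in which
    a cluster virus records the host's real first cluster (an assumption)."""
    return struct.pack(ENTRY_FMT, name83.encode("ascii").ljust(11), 0x20, 0, 0,
                       0, 0, 0, stash, 0, 0, first_cluster, size)


def parse_directory(region: bytes) -> List[Dict]:
    """Decode the in-use short-name entries of a FAT12/16 directory region."""
    entries = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = region[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:          # free entry: nothing after this is in use
            break
        if raw[0] == 0xE5:          # deleted entry
            continue
        (name, attr, _, _, _, _, _, reserved_word, _, _, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
        if attr == ATTR_LONG_NAME:  # VFAT long-name piece, not a file
            continue
        base = name[:8].decode("ascii", "replace").rstrip()
        ext = name[8:].decode("ascii", "replace").rstrip()
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "first_cluster": clus_lo,        # FAT12/16: the 16-bit field only
            "reserved_word": reserved_word,  # bytes 20-21, should be 0 on FAT12/16
            "size": size,
        })
    return entries


def cluster_companions(entries: List[Dict]) -> Dict[int, List[str]]:
    """Map each first cluster that more than one entry points at, where at
    least one of them is a program file, to the names sharing it.  Files on
    a clean volume never share a starting cluster, so any hit is a direct
    indicator of cluster-virus style redirection."""
    by_cluster: Dict[int, List[str]] = {}
    for e in entries:
        by_cluster.setdefault(e["first_cluster"], []).append(e["name"])
    return {c: names for c, names in by_cluster.items()
            if len(names) > 1 and any(n.rsplit(".", 1)[-1] in PROGRAM_EXTS for n in names)}


def stashed_clusters(entries: List[Dict]) -> Dict[str, int]:
    """Entries whose reserved word is non-zero.  On FAT12/16 that field has no
    legitimate use, so a value there is worth a look; here it recovers the
    original first cluster the constructed 'virus' saved."""
    return {e["name"]: e["reserved_word"] for e in entries if e["reserved_word"]}


# Constructed root-directory region: two 'infected' programs redirected to
# cluster 0x0200 with their original clusters stashed, two clean files, a
# deleted entry and the end-of-directory marker.
SAMPLE_DIRECTORY = b"".join([
    make_entry("COMMAND COM", 0x0030, 47845),
    make_entry("GAME    EXE", 0x0200, 120000, stash=0x0045),
    make_entry("EDIT    COM", 0x0200, 69886, stash=0x0071),
    b"\xE5" + make_entry("OLD     TXT", 0x0088, 10)[1:],
    make_entry("README  TXT", 0x0099, 512),
    bytes(ENTRY_SIZE),
])

if __name__ == "__main__":
    found = parse_directory(SAMPLE_DIRECTORY)
    print("shared first clusters:", cluster_companions(found))
    print("stashed original clusters:", stashed_clusters(found))
```

On a real volume the region to feed in is the root directory (or any subdirectory's clusters) read straight from the image; the stealth code of a resident cluster virus would hide the redirection from programs running under the infected OS, so the check is only meaningful on an image read offline.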
CMOS: Complementary
Metal Oxide Semiconductor. The battery-backed RAM used in
AT and later PCs to store hardware configuration information
uses CMOS technology. As this memory is not in the CPU address
space, but is addressed via I/O port reads and writes, its contents
cannot be directly executed. This means that viruses cannot reside
in nor infect the CMOS RAM. Some viruses do alter the contents of
the CMOS RAM as a payload, either scrambling them or removing
the reference to the floppy drive so that the hard drive's (infected)
MBR will always run first during boot-up.
Collection Virus: See
Zoo Virus.
Commercial RAT: Any commercial
product that is normally used for remote administration, but
which might be used to do so without the user's consent or awareness.
Companion Virus: There
are ways of infecting a system other than the most commonly
used one of modifying an existing file (see Parasitic Virus).
Given the way the command-line interpreters (or shells) of several
operating systems work, a virus can copy itself onto the system
as an entire, separate program and still be sure that, much of the
time, attempts to invoke a program will result in the virus's code
being run first. Such programs are known as companion viruses, and
there are several forms of this infection method.
For example, under DOS (and from the command line or 'Command
Prompt' of its Windows relatives, where cmd.exe tries the extensions
listed in the PATHEXT variable in order), if the shell is given
a command that is not a fully specified filename, it searches the
current directory, then each directory in the PATH environment
variable (in the order they are listed), first for a COM file
matching the command name, then an EXE file and then a BAT file.
Thus, a companion virus can 'infect' an EXE file by copying itself
into the same directory as that file under the same filename but
with a COM extension. (Similarly, a BAT file can be 'infected' by
copying the virus to an EXE or COM file of the same name.) Once
the virus has done its work, it loads and executes the original
program file. If the virus acts quickly the user is unlikely to
notice the short delay this introduces, and the fact that the
target then runs 'normally' also reduces the likelihood of user
suspicion. This infection technique is known as the program
execution order companion method or the execution precedence
companion method.
Another companion infection method should be obvious from the
preceding description of DOS's command interpretation process.
Known as the path order companion method or the path precedence
companion method, it depends on a copy of the virus being placed
in a directory earlier in the PATH than the directory housing the
target. The virus file is given the same name as the target file
(although it need not have the same extension; any executable
extension will do) so the virus program is found and executed
instead of its target. As with execution order companions, path
companions must take steps to ensure the original program runs
after the virus has done its work. Unlike execution order
companions, path companions should also succeed on operating
systems that do not depend on filename extensions to determine
whether a file is 'executable', so long as they have something
akin to the concept of a PATH variable.
Yet another companion infection method involves renaming the
target program to a non-executable extension, then copying the
virus to the same location, filename and extension as the target.
When the user calls the program, the virus is executed instead of
the intended one. Again, to avoid immediate detection, such
renaming companion viruses must load and execute the original
program. This approach has the advantage of being more likely to
work under GUI shells (such as the Windows desktop), because such
environments usually record the full path and filename when
configuring desktop and menu shortcuts and the like. Under such
an environment, path and execution order companions have little
effect, as they leave the original program intact at the recorded
location. Of course, replacing the original program, as a renaming
companion virus must, makes it much more visible to integrity
checking methods.
Although quite simple (because they are not required to alter
existing executable files), companion viruses were rarely seen
until recently, when another companion infection technique started
to become popular. Windows 95 and NT introduced (or, more
correctly, promoted) more complex techniques for controlling how
the usual operating system shell (normally Windows Explorer)
handles files. Complex inter-relationships between file extensions
and more finely described file types exist in the registry. For
example, handling of EXE files is defined through a series of
values under HKEY_CLASSES_ROOT. This sequence includes a handler
for the 'open' action on EXE files, whose command is normally just
"%1" %*, that is, the shell simply loads and executes the EXE file
with its arguments, much as earlier versions of Windows and DOS
did. However, this can be usurped by altering the appropriate
registry value so that another program runs. So long as the
introduced handler then launches the original EXE 'as normal',
the user will not become suspicious.
Companion infection methods that do not involve replacing the
target program defeat simple integrity checkers that only look
for modifications to existing programs. For this reason, good
integrity checkers also monitor the addition of new program files
to a system. (c.f. Appender, Cavity Infector,
Overwriter, Prepender)
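The DOS resolution rule described above, as an added example that is not part of the glossary: a simulation of which file COMMAND.COM would run for a typed command, a check that lists every program file shadowed by an execution-order or path-order companion, and the new-program-file check the last paragraph recommends for integrity checkers. The directory listing, PATH and file names are constructed for the demonstration; the only thing taken from DOS is the search order (current directory, then each PATH entry, COM before EXE before BAT).

```python
from typing import Dict, List, Optional, Set, Tuple

EXEC_ORDER = ("COM", "EXE", "BAT")   # the order COMMAND.COM tries extensions

# Constructed directory listing.  Paths and file names are invented for the
# demonstration; only the resolution rule is DOS behaviour.
SAMPLE_FS: Dict[str, Set[str]] = {
    "C:\\DOS":   {"EDIT.COM", "FORMAT.COM"},
    "C:\\TEMP":  {"FORMAT.BAT"},              # path-order companion of C:\DOS\FORMAT.COM
    "C:\\GAMES": {"DOOM.EXE", "DOOM.COM"},    # execution-order companion of DOOM.EXE
    "C:\\UTIL":  {"ZIP.EXE"},
}
SAMPLE_PATH = ["C:\\TEMP", "C:\\DOS", "C:\\UTIL"]


def resolve(command: str, cwd: str, path: List[str] = SAMPLE_PATH,
            fs: Dict[str, Set[str]] = SAMPLE_FS) -> Optional[str]:
    """Which file runs when `command` is typed with `cwd` current.  A name
    typed with its extension is matched exactly, which is why a companion
    only wins when the user omits the extension."""
    command = command.upper()
    candidates = [command] if "." in command else [f"{command}.{ext}" for ext in EXEC_ORDER]
    for directory in [cwd] + list(path):
        files = fs.get(directory, set())
        for candidate in candidates:
            if candidate in files:
                return f"{directory}\\{candidate}"
    return None


def is_program(name: str) -> bool:
    return "." in name and name.rsplit(".", 1)[1].upper() in EXEC_ORDER


def shadowed_programs(cwd: str, path: List[str] = SAMPLE_PATH,
                      fs: Dict[str, Set[str]] = SAMPLE_FS) -> List[Tuple[str, str]]:
    """Every program file that would NOT run if its base name were typed,
    paired with the file that runs instead: the signature of an
    execution-order or path-order companion (or an innocent name clash)."""
    findings = []
    for directory in sorted(fs):
        for name in sorted(fs[directory]):
            if not is_program(name):
                continue
            full = f"{directory}\\{name}"
            actual = resolve(name.rsplit(".", 1)[0], cwd, path, fs)
            if actual is not None and actual != full:
                findings.append((full, actual))
    return findings


def new_program_files(baseline: Set[str], current: Set[str]) -> List[str]:
    """The check the entry says a good integrity checker adds: program files
    present now that were not in the baseline, regardless of whether any
    existing file changed."""
    return sorted(p for p in current - baseline if is_program(p.rsplit("\\", 1)[-1]))


if __name__ == "__main__":
    print("typing DOOM in C:\\GAMES runs", resolve("doom", "C:\\GAMES"))
    print("typing FORMAT in C:\\GAMES runs", resolve("format", "C:\\GAMES"))
    for victim, winner in shadowed_programs("C:\\GAMES"):
        print(f"{victim} is shadowed by {winner}")
```

Note that the result depends on the current directory: with C:\GAMES current, DOOM.EXE loses to DOOM.COM and C:\DOS\FORMAT.COM loses to C:\TEMP\FORMAT.BAT, but with C:\DOS current FORMAT.COM is found first and the path companion never runs. A shortcut that records the full path, as the entry says GUI shells do, bypasses both companions entirely.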
Constructor Kit: Some
virus writers are not content with writing their own viruses
and have wondered about bringing the 'opportunity' of becoming
a virus writer to the masses. The solution to this is usually
some form of 'construction kit', a program even a non-programmer
can run, feed some parameters into and then have produce a virus.
Many have been produced over the years covering simple COM and/or
EXE infectors, polymorphics, batch, macro and script viruses.
Perhaps the best-known of the early ones were the Virus Construction
Laboratory (VCL) and the Phalcon/Skism Mass-Produced Code Generator
(PS-MPC).
Cracking Misc: Any document
and/or tool that provides guidance on how to remove copy protection.
Cracking Tool: Any software
designed to modify other software for the purpose of removing
usage restrictions. An example is a 'patcher' or 'patch generator',
that will replace bytes at specified locations in a file, rendering
it a licensed version. A music file ripper is a program that
enables the user to digitally copy songs from a CD into many
different formats such as MP3, WAV, or AIFC.