Although companion viruses do not rank among the most popular viruses, they nonetheless represent a real challenge as far as antiviral protection is concerned. Indeed, this infection mode is quite different from the three above-mentioned modes. In this mode, the target code is not modified, thus preserving the code integrity¹⁶. Therein lies the great interest of this infection mode. These viruses operate as follows (see Figure 4.8): the viral code identifies a target program and duplicates its own code (the virus), but instead of inserting its code in the target code, it creates an additional file (possibly in a different directory, for example), which is somehow linked to the target code as far as execution is concerned (hence the term companion virus). Whenever the user executes a target program which has been infected by this type of virus, the viral copy contained in the additional file is executed first, thus enabling the virus to spread using the same mechanism. Then, the virus calls the original, legitimate target program, which is then executed.

[Figure not reproduced in this extract: Fig. 4.8. Companion Virus Infection Mode (target program, viral copy, infected file; execution steps 1 and 2)]
What are the different potential mechanisms which allow the viral copy to take execution precedence over the original target program? The following three different mechanisms can be put forward:
• the first type of mechanism is called the preemptive (or prior) execution. This mechanism exploits a specific feature in the given operating system designed to set an order of precedence among the different operations which take place during the execution process of binaries. A fairly eloquent example can be found in MS-DOS systems. In the DOS operating system, the order of precedence in the execution process is defined by the executable filename extension: in terms of execution, files with a COM extension (these simple executables only use a segment of memory) take precedence over those with an EXE extension (these more sophisticated executables use several segments of memory). As for the EXE extension, they take precedence over batch files with a BAT extension.

If the target is a file denoted FILE.EXE (they are the most common files), the virus will infect it by creating a file denoted FILE.COM in the same directory (among many other possibilities) and will run it (instead of the former one). Similarly, a file denoted FILE.BAT will be infected through a FILE.COM or a FILE.EXE file (in this latter case, a virus will benefit from more functionalities than a simple COM file).

This technique thus simply makes use of features inherent to the given operating system and does not require any modification of the environment. Let us specify that such features exist in other operating systems, especially graphical ones, such as Windows (use of transparent and/or chained icons¹⁷ or executable extensions which are naturally invisible¹⁸, and so on). This mechanism of preemptive execution is very efficient and can be used in all modern operating systems. It is thus surprising that only a few viruses or worms in this class are known;

¹⁶ Let us define first what the term “file integrity” really means (it refers to the general problem of integrity in cryptology; see [110, chap. 9] for more details). We will explain in Chapter 8 what a genuine integrity mechanism must take into account.
• the second type of mechanism exploits the hierarchical structure in the search path of executable files. The viruses using this second approach are also known as PATH viruses. Incidentally, it turns out that the term PATH also refers to the name of the environment variable used in the Unix operating system (but other operating systems also have the same environment management mechanism). This variable allows the system to directly locate potential execution directories. Thus the user does not need to use the file's full pathname in the tree structure to find a specific executable file. The only thing to do is to indicate the locations where this executable file may be found. The system then scans in strict order all the directories included in this variable and checks whether one of them contains the desired executable file.

The virus then activates an infection process by creating an extra file with the same name. This file will be inserted in a directory included in the environment variable designed to locate executable files (such as the PATH variable under Unix/Linux, as an example), and upstream of the legitimate contents directories (provided however that a writing/execution permission has been granted). In this case, the viral code will be executed first. Generally, the virus also alters the PATH variable (see Chapter 8), and this special feature means that PATH viruses fall into a separate category owing to a (possible) alteration of the environment. Let us notice that this modification does not occur in the first above-mentioned type of mechanism.

An alternative approach¹⁹ consists of bypassing the existing file indexing structures on the hard disk rather than bypassing the PATH variable. For instance, this can be done by bypassing the File Allocation Table, or FAT for short (FAT/FAT32), under DOS/Windows operating systems. These chained-list structures enable the operating system to locate on the hard disk the file image which is to be mapped into memory. Its entry point in this structure is the first cluster address (a cluster being a set of several sectors). The chained-list²⁰ structure then enables the clusters containing the rest of the file to be located and mapped into memory. Once the virus has stored the first cluster address of the target file (within the virus's own code), it then replaces it with the first cluster of the viral file. Whenever the infected file is run, the operating system loads the viral file instead. After its own execution, the viral file then passes control to the target program by using the first cluster address which has been stored within the viral code during the infection process;

¹⁷ It is possible to stack icons, the one on top being transparent (in the proper sense) or having a color which is almost identical (mimicking icon) to the original target icon. The top icon refers to the virus itself and launches it whenever the icon receives a mouse event. Then, the virus will give control to the target program (infected host) either directly or through the second icon which is located right under the top icon, on the desktop. Another technique consists in creating an additional “viral” icon and chaining it with the target program's own icon (the first icon points to the second one). This last approach has however fewer stealth features than the first one.

¹⁸ In this respect, the reader will refer to the very interesting paper by Floydman provided
• the third type of mechanism works independently of the operating system (unless access permissions are required). Chapter 8 will be devoted to this mechanism. The latter is based on a quite simple principle: once the target has been identified, the virus renames it, making sure that the execute permissions are preserved (at least temporarily). Then the virus makes an exact copy of itself which replaces the attacked program. At this stage, two programs still coexist. Whenever the target program is run, the virus operates first, spreads the infection and executes the renamed program. Of course, some problems will have to be solved from a practical point of view to avoid any early detection (for instance, all the infected executables – to be more precise, their viral part – will be likely to have the same size, or the number of files will increase significantly). Later in Chapter 8, further details on basic viral algorithmics of companion viruses will be provided, which proved to be very powerful in removing such constraints.

¹⁹ Viruses belonging to this class are incorrectly called FAT viruses. Incidentally, the FAT is only the infection medium; in no case is it the target.

²⁰ A chained-list structure is a list of items, each of them contains a pointer to the next
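As an added example for the first mechanism (not code from the book), the following Python script models the DOS extension-precedence rule described above and flags every basename in a directory listing where a higher-precedence sibling (a COM beside an EXE, or an EXE beside a BAT) would be run in place of the original. The sample listing is constructed; scan_directory() applies the same check to a real directory.

```python
"""
Detect extension-precedence companion candidates in a directory listing.

Added example, not taken from the book. For a bare command name, DOS tries
COM, then EXE, then BAT; a second executable with the same basename and a
higher-precedence extension therefore runs instead of the original.
"""
import os
from collections import defaultdict

# DOS resolution order for a bare command name, as described in the text.
PRECEDENCE = [".COM", ".EXE", ".BAT"]


def resolve(names):
    """Group executable names by basename and order each group by DOS
    precedence. Returns {BASENAME: [ext, ...]} with the winning extension first;
    names whose extension is not executable are ignored."""
    groups = defaultdict(list)
    for name in names:
        base, ext = os.path.splitext(name)
        ext = ext.upper()
        if ext in PRECEDENCE:
            groups[base.upper()].append(ext)
    for base in groups:
        groups[base].sort(key=PRECEDENCE.index)
    return dict(groups)


def companion_candidates(names):
    """Basenames that exist under more than one executable extension, i.e.
    where the first extension in the list shadows the others."""
    return {base: exts for base, exts in resolve(names).items() if len(exts) > 1}


def scan_directory(path):
    """Run companion_candidates() over a real directory."""
    return companion_candidates(os.listdir(path))


# Constructed sample: EDIT.COM shadows EDIT.EXE, BACKUP.EXE shadows BACKUP.BAT,
# FORMAT.COM and README.TXT have no companion.
SAMPLE_LISTING = ["EDIT.EXE", "EDIT.COM", "BACKUP.BAT", "BACKUP.EXE",
                  "README.TXT", "FORMAT.COM"]

if __name__ == "__main__":
    for base, exts in sorted(companion_candidates(SAMPLE_LISTING).items()):
        print(f"{base}: runs {exts[0]}, shadows {exts[1:]}")
```

A hit is only a candidate: legitimate pairs exist, so the finding is worth correlating with file timestamps and the integrity baseline of the directory.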
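For the second (PATH) mechanism, an added audit script, again not from the book: it reports command names that exist in more than one PATH directory (the earlier entry wins and shadows the later one) and writable directories sitting upstream of the trusted system directories, which is exactly the position the text says the extra file is placed in. The sample PATH, listing and writable set are constructed; TRUSTED_DIRS is an assumption for Unix-like systems, and audit_live_path() runs the same two checks against the real process environment.

```python
"""
Search-path audit for PATH-style companion files (added example, not from the book).

Checks over an ordered list of PATH directories:
  1. shadowed_commands(): a name present in more than one directory, where the
     earlier directory wins;
  2. writable_upstream(): untrusted directories that precede a trusted system
     directory in PATH and are writable by the current user.
"""
import os

# Assumption: trusted locations of legitimate binaries on a Unix-like system.
TRUSTED_DIRS = frozenset({"/bin", "/usr/bin", "/sbin", "/usr/sbin"})


def shadowed_commands(path_dirs, listing):
    """path_dirs: ordered PATH entries; listing: {dir: set of executable names}.
    Returns {name: (winning_dir, [shadowed_dirs])} for every name found in more
    than one directory. The first PATH entry holding the name wins."""
    found = {}
    for i, d in enumerate(path_dirs):
        for name in listing.get(d, ()):
            if name in found:
                continue  # already attributed to an earlier directory
            later = [e for e in path_dirs[i + 1:] if name in listing.get(e, ())]
            if later:
                found[name] = (d, later)
    return found


def writable_upstream(path_dirs, is_writable, trusted=TRUSTED_DIRS):
    """Untrusted, writable directories that appear before the last trusted
    directory in PATH. is_writable is injected so the check can run on
    constructed data as well as on the live filesystem."""
    trusted_positions = [i for i, d in enumerate(path_dirs) if d in trusted]
    if not trusted_positions:
        return []
    last = max(trusted_positions)
    return [d for i, d in enumerate(path_dirs)
            if i < last and d not in trusted and is_writable(d)]


def audit_live_path():
    """Same checks against the real PATH; executables are files with the x bit."""
    path_dirs = [d for d in os.environ.get("PATH", "").split(os.pathsep) if d]
    listing = {}
    for d in path_dirs:
        try:
            listing[d] = {n for n in os.listdir(d)
                          if os.access(os.path.join(d, n), os.X_OK)}
        except OSError:
            listing[d] = set()
    return (shadowed_commands(path_dirs, listing),
            writable_upstream(path_dirs, lambda d: os.access(d, os.W_OK)))


# Constructed sample: a user bin directory and /tmp sit ahead of the system dirs.
SAMPLE_PATH = ["/home/alice/bin", "/tmp", "/usr/local/bin", "/usr/bin", "/bin"]
SAMPLE_LISTING = {
    "/home/alice/bin": {"ls"},             # shadows /usr/bin/ls and /bin/ls
    "/tmp": {"sudo"},                      # shadows /usr/bin/sudo
    "/usr/local/bin": {"python3"},         # ordinary duplicate, still reported
    "/usr/bin": {"ls", "sudo", "python3"},
    "/bin": {"ls"},
}
SAMPLE_WRITABLE = {"/home/alice/bin", "/tmp"}

if __name__ == "__main__":
    for name, (winner, shadowed) in shadowed_commands(SAMPLE_PATH, SAMPLE_LISTING).items():
        print(f"{name}: {winner} shadows {shadowed}")
    print("writable upstream:", writable_upstream(SAMPLE_PATH, SAMPLE_WRITABLE.__contains__))
```

The writable-directory check matters because the text's condition for this mechanism is precisely a write permission upstream of the legitimate directories; a PATH that never puts such a directory ahead of the system ones removes the opportunity regardless of which names are present.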
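For the third mechanism, the text itself names two side effects a defender can look for: the viral part of every infected executable tends to have the same size, and the number of files grows. The following added example (not the book's code) implements a baseline-and-diff integrity check along those lines in Python: it fingerprints executables, then reports known paths whose hash changed, executables that appeared, and clusters of files sharing one hash. The file contents are constructed byte strings standing in for binaries; snapshot_dir() builds the same structure from a real directory.

```python
"""
Baseline-and-diff check for rename-and-replace companions (added example,
not from the book). Findings map to the side effects described in the text:
  changed  - a known path whose contents differ from the baseline
  added    - executables that were not in the baseline (renamed originals)
  clusters - groups of files with one identical hash (identical viral copies)
"""
import hashlib
import os
from collections import defaultdict


def fingerprint(data):
    """(size, sha256 hex) for a file's contents."""
    return (len(data), hashlib.sha256(data).hexdigest())


def snapshot(files):
    """files: {path: bytes} -> {path: (size, sha256)}."""
    return {p: fingerprint(b) for p, b in files.items()}


def snapshot_dir(root):
    """Fingerprint every executable regular file under root (live use)."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.isfile(p) and os.access(p, os.X_OK):
                with open(p, "rb") as fh:
                    out[p] = fingerprint(fh.read())
    return out


def diff_snapshots(baseline, current, cluster_min=3):
    """Compare two snapshots; lists are sorted for stable output."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    by_hash = defaultdict(list)
    for p, (_, h) in current.items():
        by_hash[h].append(p)
    clusters = {h: sorted(ps) for h, ps in by_hash.items() if len(ps) >= cluster_min}
    return {"changed": changed, "added": added, "clusters": clusters}


# Constructed sample: three distinct originals ...
BASELINE_FILES = {
    "/usr/bin/ls": b"original ls program",
    "/usr/bin/cat": b"original cat program",
    "/usr/bin/vi": b"original vi program",
}
# ... and the same tree after a rename-and-replace infection: each original
# was renamed to a dot-file and its old path now holds an identical copy.
INFECTED_FILES = {
    "/usr/bin/.ls": b"original ls program",
    "/usr/bin/.cat": b"original cat program",
    "/usr/bin/.vi": b"original vi program",
    "/usr/bin/ls": b"viral copy",
    "/usr/bin/cat": b"viral copy",
    "/usr/bin/vi": b"viral copy",
}


def sample_report():
    """Diff the constructed baseline against the constructed infected tree."""
    return diff_snapshots(snapshot(BASELINE_FILES), snapshot(INFECTED_FILES))


if __name__ == "__main__":
    r = sample_report()
    print("changed:", r["changed"])
    print("added:", r["added"])
    for h, paths in r["clusters"].items():
        print(f"{len(paths)} files share hash {h[:12]}...: {paths}")
```

The hash-cluster finding is the one that survives a virus taking care to keep file names and counts plausible: as long as the viral part is byte-identical across infected programs, the duplicates group together, which is why the text treats removing that regularity as a constraint to be solved later.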