Protection against unauthorized entry is designed to keep unauthorized persons from gaining access to the protected computer. This group of measures, as mentioned earlier, includes:
- software and hardware means of user identification and authentication;
- a function for temporarily locking the computer;
- hardware protection against booting the OS from a floppy disk.
User identification and authentication are performed every time a user logs on to the system. When the computer boots, Secret Net prompts the user for an identifier and a password, then checks whether a user with that name is registered in the system and whether the password is correct. The identifier can be a unique user name or the unique number of a hardware identification device (a personal identifier).
Secret Net supports passwords up to 16 characters long. If the password is wrong, the unauthorized access attempt is recorded in the security log; after a set number of wrong passwords the user account is locked. The lockout is what makes such a short password limit tolerable against online guessing; it gives no protection against an attacker who obtains a copy of the stored credentials.
User identifiers (names and numbers of hardware identifiers) are stored in the security system database in clear text, while user passwords are stored in protected (encrypted) form. How much that protection is worth depends on its form: a salted one-way hash cannot be turned back into the password, whereas reversible encryption is only as strong as the protection of its key, which usually sits on the same machine.
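The logon sequence just described (identification by name, authentication by password, logging of every failure, lockout after a fixed number of failures) as an added illustration. This is example code written for this page, not Secret Net's implementation: the lockout threshold, the PBKDF2 work factor, the user name and passwords are all constructed assumptions, and the password is stored as a salted one-way hash rather than in whatever "encrypted form" the product uses.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_PASSWORD_LEN = 16     # limit stated for Secret Net
MAX_FAILURES = 3          # hypothetical lockout threshold; the text gives no number
PBKDF2_ROUNDS = 100_000   # hypothetical work factor for the password hash


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


def password_ok(password: str) -> bool:
    """Length rule from the text: 1 to 16 characters."""
    return 1 <= len(password) <= MAX_PASSWORD_LEN


def make_digest(password: str, salt: bytes) -> bytes:
    # One-way and salted: the database reveals neither the password
    # nor whether two users happen to share the same one.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(db: dict, user_id: str, password: str) -> Account:
    if not password_ok(password):
        raise ValueError("password must be 1..16 characters")
    salt = os.urandom(16)
    db[user_id] = Account(user_id, salt, make_digest(password, salt))
    return db[user_id]


def login(db: dict, log: list, user_id: str, password: str) -> bool:
    """Identification (is the name registered?) then authentication (is the password right?)."""
    acct = db.get(user_id)
    if acct is None:
        make_digest(password, b"\x00" * 16)   # spend the same time as a real check
        log.append(f"DENY unknown identifier {user_id!r}")
        return False
    if acct.locked:
        log.append(f"DENY account {user_id!r} is locked")
        return False
    if hmac.compare_digest(make_digest(password, acct.salt), acct.digest):
        acct.failures = 0
        log.append(f"OK {user_id!r} logged in")
        return True
    acct.failures += 1
    log.append(f"DENY wrong password for {user_id!r} ({acct.failures}/{MAX_FAILURES})")
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
        log.append(f"LOCK {user_id!r} blocked after {MAX_FAILURES} failures")
    return False


def demo():
    """Three wrong passwords lock the account; the right one is then refused as well."""
    db, log = {}, []
    register(db, "ivanov", "s3cret-pass")          # constructed sample user
    results = [login(db, log, "ivanov", "guess%d" % i) for i in range(MAX_FAILURES)]
    results.append(login(db, log, "ivanov", "s3cret-pass"))
    return results, log


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The security log entries are appended to a plain list here; in a real deployment they would go to a write-protected log, since an attacker who can guess passwords freely is the one who most wants to erase the evidence.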
The input-control hardware works with various electronic identifiers (iButton, eToken, smart cards, Smarty). When the Sobol electronic lock (EZ Sobol) is used, additional capabilities become available:
- control over booting the OS from removable media (floppy disks and CD-ROMs);
- checking the integrity of files and disk sectors before the OS is loaded.
The protection system's interaction with this hardware is handled by special drivers that control the exchange of data between the device and the modules of the protection system.
Let us consider how a simple boot virus that infects floppy disks operates. When the computer is switched on, control passes to the bootstrap program stored in read-only memory (ROM).
This program tests the hardware and, if the test succeeds, looks for a floppy disk in drive A:. If one is present, it reads the disk's first sector into memory and transfers control to the code found there.
Every floppy disk is divided into tracks and sectors, and sectors are grouped into clusters.
Several of the sectors are service sectors used by the operating system for its own needs (they cannot hold user data). One of them is of particular interest: the boot sector.
The boot sector holds a description of the floppy disk (the number of sides, the number of tracks, the number of sectors per track and so on), but it is not this description that matters here. It is the small bootstrap loader (PNZ) stored there, which must load the operating system itself and transfer control to it.
Now the virus. A boot virus has two parts, the head and the tail; the tail may, in general, be empty.
Suppose there is a blank floppy disk and an infected computer, that is, one with an active memory-resident virus. As soon as the virus notices a suitable target in the drive, here a blank floppy that is not yet infected, it proceeds to infect it. To infect the disk, the virus:
- allocates an area of the disk and marks it as unavailable to the operating system; this can be done in several ways, the simplest and most traditional being to mark the sectors occupied by the virus as bad in the file allocation table;
- copies its tail and the original (clean) boot sector into that area;
- replaces the bootstrap program in the boot sector with its head;
- arranges the chain of control transfer: head, then the rest of the virus, then the original boot sector.
Thus the virus head now receives control first; it installs the virus in memory and then passes control to the original boot sector, so the disk appears to boot normally.
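The four infection steps and the boot-sector layout above, played out on an in-memory FAT12 floppy image, as an added example (written for this page, not taken from any real virus or from Secret Net or Sobol). The image, the "bootstrap loader", the "head" and the "tail" are constructed stand-in byte strings; nothing here is executable boot code. Alongside the infection routine there is the check a boot-time integrity control can apply: a cluster marked bad in the FAT that nonetheless contains a sector with a boot signature and the disk's own parameter block is the hidden original boot sector, which can also be used to disinfect.

```python
import struct

SECTOR = 512
BAD_CLUSTER = 0xFF7                      # FAT12 "bad cluster" mark
ORIGINAL_PNZ = b"ORIGINAL-BOOT-CODE"     # constructed stand-in for the real bootstrap loader
VIRUS_HEAD = b"VIRUS-HEAD:"              # constructed stand-in for the head (lives in the boot sector)
VIRUS_TAIL = b"VIRUS-TAIL"               # constructed stand-in for the tail (hidden in a bad cluster)
CODE_OFF = 62                            # boot code follows the BIOS parameter block on a FAT12 floppy


def blank_floppy() -> bytearray:
    """Constructed, minimal 1.44 MB FAT12 image: parameter block, two FATs, empty root directory."""
    img = bytearray(2880 * SECTOR)
    struct.pack_into("<3s8sHBHBHHBHHHII", img, 0, b"\xEB\x3C\x90", b"EXAMPLE ",
                     SECTOR, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    img[CODE_OFF:CODE_OFF + len(ORIGINAL_PNZ)] = ORIGINAL_PNZ
    img[510:512] = b"\x55\xAA"                                   # boot signature
    for base in fat_offsets(img):
        img[base:base + 3] = b"\xF0\xFF\xFF"                     # media byte + end-of-chain marker
    return img


def geometry(img):
    """Read the disk description from the boot sector (the 'information about the floppy')."""
    bps, spc, reserved, nfats, root, total, _media, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    first_data = reserved + nfats * spf + (root * 32) // bps
    return bps, spc, reserved, nfats, spf, first_data, (total - first_data) // spc


def fat_offsets(img):
    bps, _spc, reserved, nfats, spf, _fd, _n = geometry(img)
    return [(reserved + i * spf) * bps for i in range(nfats)]


def cluster_offset(img, c):
    bps, spc, _r, _n, _spf, first_data, _nc = geometry(img)
    return (first_data + (c - 2) * spc) * bps


def fat12_get(img, c):
    off = fat_offsets(img)[0] + (c * 3) // 2
    v = img[off] | (img[off + 1] << 8)
    return v >> 4 if c & 1 else v & 0xFFF


def fat12_set(img, c, val):
    for base in fat_offsets(img):                  # keep every FAT copy consistent
        off = base + (c * 3) // 2
        if c & 1:
            img[off] = (img[off] & 0x0F) | ((val << 4) & 0xF0)
            img[off + 1] = (val >> 4) & 0xFF
        else:
            img[off] = val & 0xFF
            img[off + 1] = (img[off + 1] & 0xF0) | ((val >> 8) & 0x0F)


def infect(img):
    """The four steps from the text; returns (tail cluster, original-boot-sector cluster)."""
    _bps, _spc, _r, _n, _spf, _fd, nclusters = geometry(img)
    if img[CODE_OFF:CODE_OFF + len(VIRUS_HEAD)] == VIRUS_HEAD:
        return None                                             # already infected
    free = [c for c in range(2, 2 + nclusters) if fat12_get(img, c) == 0][:2]
    if len(free) < 2:
        raise RuntimeError("no room to hide the tail and the original boot sector")
    tail_c, orig_c = free
    for c in free:                                              # step 1: hide the area as "bad"
        fat12_set(img, c, BAD_CLUSTER)
    original = bytes(img[0:SECTOR])
    t, o = cluster_offset(img, tail_c), cluster_offset(img, orig_c)
    img[t:t + len(VIRUS_TAIL)] = VIRUS_TAIL                     # step 2: tail ...
    img[o:o + SECTOR] = original                                #         ... and the clean boot sector
    head = VIRUS_HEAD + struct.pack("<HH", tail_c, orig_c)      # step 3/4: head knows where to continue
    img[CODE_OFF:510] = head.ljust(510 - CODE_OFF, b"\x00")     # parameter block and signature stay intact
    return tail_c, orig_c


def scan(img):
    """Integrity check: 'bad' clusters that hold a sector with a boot signature and this disk's BPB."""
    _bps, _spc, _r, _n, _spf, _fd, nclusters = geometry(img)
    hits = []
    for c in range(2, 2 + nclusters):
        if fat12_get(img, c) != BAD_CLUSTER:
            continue
        off = cluster_offset(img, c)
        sec = img[off:off + SECTOR]
        if sec[510:512] == b"\x55\xAA" and sec[11:24] == img[11:24]:
            hits.append(c)
    return hits


def boot_code_matches(img, expected=ORIGINAL_PNZ):
    return img[CODE_OFF:CODE_OFF + len(expected)] == expected


def disinfect(img):
    """Put the hidden original boot sector back in place (the bad marks are left for a chkdsk pass)."""
    hits = scan(img)
    if not hits:
        return False
    off = cluster_offset(img, hits[0])
    img[0:SECTOR] = img[off:off + SECTOR]
    return True
```

Note what the infection leaves untouched: the parameter block at offset 11 and the 0x55AA signature, so the disk still looks like a valid floppy to DOS and the BIOS. That is exactly why a control that compares the boot sector's code bytes against a stored known-good copy before the OS loads (as the Sobol integrity check does for sectors) catches the change, while a plain "does it boot?" test does not.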
The scheme above is that of a simple boot virus living in the boot sectors of floppy disks. As a rule, viruses can infect not only floppy boot sectors but also those of hard disks. Unlike a floppy, however, a hard disk has two kinds of boot sectors containing boot programs that receive control. When the computer boots from the hard disk, the boot program in the master boot record (MBR) gets control first. If the disk is divided into several partitions, only one of them is marked active (bootable). The MBR code locates that partition and transfers control to the boot program in its boot sector. This latter code plays the same role as the bootstrap loader on an ordinary floppy, and the corresponding boot sectors differ only in their parameter tables. So a boot virus has two targets on a hard disk: the boot program in the MBR and the boot program in the boot sector of the active partition.
Let us give a generalized example of the structure of a virus program. It consists of DOS pseudo-commands and subroutines, small internal programs whose instructions are kept separate from the main program and which perform a particular function whenever they are called.
A subroutine called findfile looks through the directory of executable files on disk, takes an arbitrary file name and assigns it to the variable this. The next line of the program uses the DOS load pseudo-command to place that file in the computer's RAM.
Another subroutine, search, scans the loaded program for an instruction that could serve as a suitable place to insert the virus. When it finds one, it determines that instruction's line number and assigns it to the variable loc. Everything is now ready for the virus subroutine to enter the program selected at random from the directory.
The insert subroutine replaces the selected instruction with another, for example a call to a subroutine. The replacement transfers control to the block of instructions that make up the main body of the virus subroutine, which is appended to the end of the program. At the end of the appended block an instruction returns control to the infected program at the instruction following the inserted one, and the displaced original instruction is executed there as well, so the infected program behaves as if nothing had happened. In reality, however, the virus subroutine has used that moment to invoke the operating system's services and attach a copy of itself to another program stored on disk. This example shows only one of the techniques used by virus authors; experts have identified many others, differing in both idea and sophistication of implementation.
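The findfile / search / insert scheme above, carried through on a constructed toy instruction set, as an added example written for this page (it is not code from the text, and the "virus body" is a single MARK instruction that only records that it ran). It shows the two points the paragraph makes: why search must pick an instruction that can safely be displaced (a jump or halt cannot be), and how the appended block runs the displaced instruction and jumps back so the program's output is unchanged while its length and fingerprint are not. The directory, file names and programs are constructed samples.

```python
import hashlib

# Constructed toy machine. Instructions are tuples:
#   ("MOV", reg, n)  ("ADD", reg, n)  ("OUT", reg)  ("JMP", target)  ("HALT",)  ("MARK",)
# MARK stands in for the virus body: it records that it ran and does nothing else.


def run(program, max_steps=10_000):
    """Execute a program; returns (values written by OUT, events recorded by MARK)."""
    regs, out, events, pc, steps = {}, [], [], 0, 0
    while pc < len(program) and steps < max_steps:
        ins = program[pc]
        steps += 1
        op = ins[0]
        if op == "MOV":
            regs[ins[1]] = ins[2]; pc += 1
        elif op == "ADD":
            regs[ins[1]] = regs.get(ins[1], 0) + ins[2]; pc += 1
        elif op == "OUT":
            out.append(regs.get(ins[1], 0)); pc += 1
        elif op == "JMP":
            pc = ins[1]
        elif op == "MARK":
            events.append(("virus-body-ran", pc)); pc += 1
        elif op == "HALT":
            break
        else:
            raise ValueError(f"unknown op {op}")
    return out, events


def is_infected(program):
    return any(ins[0] == "MARK" for ins in program)


def findfile(directory):
    """Pick a not-yet-infected file name from the directory (the text's variable 'this')."""
    for name, prog in directory.items():
        if not is_infected(prog):
            return name
    return None


def search(program):
    """The text's 'loc': a straight-line instruction that can be displaced without changing control flow."""
    for i, ins in enumerate(program):
        if ins[0] in ("MOV", "ADD", "OUT"):
            return i
    return None


def insert(program, loc):
    """Replace program[loc] with a jump to the appended body; the body ends by running
    the displaced instruction and jumping back to loc + 1."""
    body_start = len(program)
    displaced = program[loc]
    new = list(program)
    new[loc] = ("JMP", body_start)
    new += [("MARK",), displaced, ("JMP", loc + 1)]
    return new


def infect_one(directory):
    """One pass of the scheme: findfile -> load -> search -> insert. Returns the file touched."""
    this = findfile(directory)
    if this is None:
        return None
    loc = search(directory[this])
    if loc is None:
        return None
    directory[this] = insert(directory[this], loc)
    return this


def fingerprint(program):
    """What an integrity check stores: a hash of the file as it was when known to be clean."""
    return hashlib.sha256(repr(program).encode()).hexdigest()


SAMPLE_DIRECTORY = {                                   # constructed sample "disk"
    "calc.com": [("MOV", "a", 2), ("ADD", "a", 3), ("OUT", "a"), ("HALT",)],
    "hello.com": [("MOV", "x", 7), ("OUT", "x"), ("HALT",)],
}
```

Running calc.com before and after infection gives the same output, [5], which is the whole point of the displaced-instruction trick; the only things that change are the file's length and its hash, which is why two of the "signs" listed below (file size changes, modification dates change) are really the symptoms an integrity baseline is built to catch.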
Signs of a virus
When a virus gets into a computer, it is important to detect it. For this, one should know the main signs by which viruses show themselves. They include the following:
- previously working programs stop running or run incorrectly;
- the computer runs slowly;
- the operating system fails to load;
- files and directories disappear or their contents are corrupted;
- the modification date and time of files change;
- file sizes change;
- an unexpected, significant increase in the number of files on disk;
- a significant reduction in the amount of free RAM;
- unexpected messages or images appear on the screen;
- unexpected sounds are emitted;
- frequent freezes and crashes of the computer.
It should be noted that these phenomena are not necessarily caused by a virus; they may have other causes, so diagnosing the state of the computer correctly from symptoms alone is always difficult. Comparing files and boot sectors against known-good copies, as the integrity control described earlier does before the OS loads, is the more reliable check.