PoiNtEr->: November 2012

                             Difference between a dream and an aim. A dream requires soundless sleep, whereas an aim requires sleepless efforts.


Monday, November 12, 2012

Virus Programming Tutorial-3

Boot Sector Virus
The boot sector virus can be the simplest or the most sophisticated of all computer viruses. On the one hand, the boot sector is always located in a very specific place on disk. Therefore, both the search and copy mechanisms can be extremely quick and simple, if the virus can be contained wholly within the boot sector.
On the other hand, since the boot sector is the first code to gain control after the ROM startup code, it is very difficult to stop before it loads. If one writes a boot sector virus with sufficiently sophisticated anti-detection routines, it can also be very difficult to detect after it loads, making the virus nearly invincible.

When a PC is first turned on, the CPU begins executing the machine language code at the location F000:FFF0. The system BIOS ROM (Basic Input/Output System Read-Only Memory) is located in this high memory area, so it is the first code to be executed by the computer. This ROM code is written in assembly language and stored on chips (EPROMs) inside the computer. Typically this code will perform several functions necessary to get the computer up and running properly. First, it will check the hardware to see what kinds of devices are a part of the computer (e.g., color or mono monitor, number and type of disk drives) and it will see whether these devices are working correctly. The most familiar part of this startup code is the memory test, which cycles through all the memory in the machine twice, displaying the addresses on the screen. The startup code will also set up an interrupt table in the lowest 1024 bytes of memory. This table provides essential entry points (interrupt vectors) so all programs loaded later can access the BIOS services. The BIOS startup code also initializes a data area for the BIOS starting at the memory location 0040:0000H, right above the interrupt vector table. Once these various housekeeping chores are done, the BIOS is ready to transfer control to the operating system for the computer, which is stored on disk.

; Sample Kilroy virus code: the routine that displays the message
                MOV     SI,OFFSET MESSAGE       ;set offset of message up
                MOV     AH,0EH                  ;Execute BIOS INT 10H, Fctn 0EH
DM1:            LODSB                           ;get character to display
                OR      AL,AL
                JZ      DM2                     ;repeat until 0
                INT     10H                     ;Display it
                JMP     SHORT DM1               ;and get another
DM2:            RET

MESSAGE:        DB      'Kilroy and #!sh@1 was  here!',0DH,0AH,0AH,0

Besides displaying a message, the virus can be noticed as it searches for drives to infect, especially if you have a second floppy or drive. If your hard disk is infected, or if you have no hard disk, you will notice that the second floppy lights up for a second or two before your machine boots up.
This is a pretty rudimentary virus. It can make mistakes when infecting the hard drive and miss the boot sector. It can only replicate when the machine boots up. And it can get stuck in places where it cannot replicate any further (for example, on a system with only one floppy disk and a hard disk). Still, it will do its job, and travel all around the world if you're not careful with it.
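A boot sector check written from the defender's side, added here as an example and not code from the post: it takes one 512-byte sector (a constructed sample, built with the message string the listing above displays) and reports the 55AAh signature, the entry jump, any printable text, and whether the sector still matches a recorded baseline hash. The function names are my own.

```python
import hashlib
import re

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 of a bootable sector


def inspect_boot_sector(sector, baseline_sha256=None):
    """Return structural facts and warning flags for one 512-byte boot sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    digest = hashlib.sha256(sector).hexdigest()
    # Printable ASCII runs of 8+ chars: a message like Kilroy's shows up here
    strings = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{8,}", sector)]
    facts = {
        "sha256": digest,
        "has_signature": sector[510:512] == BOOT_SIGNATURE,
        # Real boot code normally starts with a short (EBh) or near (E9h) JMP
        "starts_with_jmp": sector[0] in (0xEB, 0xE9),
        "strings": strings,
        "matches_baseline": None if baseline_sha256 is None else digest == baseline_sha256,
    }
    facts["warnings"] = warnings_for(facts)
    return facts


def warnings_for(facts):
    """Turn the facts into the things an admin should look at."""
    warnings = []
    if not facts["has_signature"]:
        warnings.append("missing 55AA signature: not a valid boot sector")
    if not facts["starts_with_jmp"]:
        warnings.append("entry point is not a JMP: unusual boot code layout")
    if facts["matches_baseline"] is False:
        warnings.append("sector differs from recorded baseline: boot code changed")
    for s in facts["strings"]:
        if "kilroy" in s.lower() or "was here" in s.lower():
            warnings.append("suspicious text in boot code: %r" % s)
    return warnings


def build_sample_sector(message):
    """Constructed sample sector (not a real disk image): a 3-byte JMP/NOP prologue,
    the message laid out as the post's DB line does, zero padding and the signature."""
    code = b"\xEB\x3C\x90"  # JMP SHORT; NOP: the prologue most real boot sectors begin with
    body = code + message + b"\x0D\x0A\x0A\x00"
    return body.ljust(510, b"\x00") + BOOT_SIGNATURE
```

To use it on a real machine, record the baseline hash of the first sector right after installation and compare against it on every later scan.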

Friday, November 9, 2012

Jail Bind-9 in Linux

On Unix-like operating systems such as Linux, a chroot jail is the common term for a section of the filesystem that is walled off for a particular user or service. On a web server it is particularly useful for the security of shared hosting accounts.
Without a chroot jail, a user with limited file permissions would still be able to navigate to top-level directories. As an example, suppose the user’s directory is /home/user. Without chroot, nothing would prevent the user from navigating up to /home to see other users’ directories or even navigating up to / where they can see /etc, /usr, /var, /lib, and other system-critical directories. Although the user would not have the permissions to edit them, they would be able to see the files and target specific ones to try to exploit.

The following steps jail BIND 9 on a Linux system.

1: Create the jail path
mkdir /named/jail

2: Create the following directories inside the jail folder
mkdir -p /named/jail/etc
mkdir -p /named/jail/var
mkdir -p /named/jail/dev

3: Create the following device nodes inside /named/jail/dev (run the commands from that directory)
mknod null c 1 3
mknod zero c 1 5
mknod random c 1 8

4: Edit the bind9 defaults file in /etc/default
gedit /etc/default/bind9

OPTIONS="-u bind -t /named/jail -c /named/jail/etc/bind/named.conf "

This line sets three options:
-t: jail path
-c: configuration file
-u: user

5: Move the /etc/bind folder into /named/jail/etc
mv /etc/bind /named/jail/etc/bind

6: Create a symbolic link back in the /etc folder
ln -s /named/jail/etc/bind /etc/bind

7: Use the following command to run bind in debugging mode.
named -g -d 9

8: Now use nslookup or dig to check whether bind9 is working properly.
>server host-ip-address          {ipv4 address of the host that is running the bind server}
>localhost                       {domain name for which you want to find the ipv4 address}

dig @host-ip-address-of-bind-server domain-name
example: dig @ eva.localhost

/* Also change the paths used in named.conf and named.conf.local: named chroots to the -t directory before reading its configuration, so those paths are resolved inside the jail. */
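An added check script, not part of the post, that verifies the jail layout the steps above build: the directories, the three device nodes with the major/minor numbers from step 3, the config file, and that every include in named.conf resolves inside the jail rather than under the real /. The paths default to the post's /named/jail layout; the demo tree it builds is a constructed temporary directory and the function names are assumptions.

```python
import os
import re
import stat

# Layout the post builds: directories, character devices (major, minor) and the config file
JAIL_DIRS = ("etc", "var", "dev", "etc/bind")
JAIL_DEVICES = {"dev/null": (1, 3), "dev/zero": (1, 5), "dev/random": (1, 8)}
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*;', re.MULTILINE)


def jail_path(jail, path):
    """Map a path as named sees it after chroot onto the real filesystem."""
    return os.path.join(jail, path.lstrip("/"))


def check_jail(jail, conf="/etc/bind/named.conf"):
    """Return a sorted list of problems; an empty list means the layout is complete."""
    problems = []
    for d in JAIL_DIRS:
        if not os.path.isdir(jail_path(jail, d)):
            problems.append("missing directory %s" % d)
    for dev, (major, minor) in JAIL_DEVICES.items():
        try:
            st = os.stat(jail_path(jail, dev))
        except FileNotFoundError:
            problems.append("missing device %s (mknod %s c %d %d)" % (dev, dev[4:], major, minor))
            continue
        if not stat.S_ISCHR(st.st_mode) or (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            problems.append("wrong type or device numbers for %s" % dev)
    real_conf = jail_path(jail, conf)
    if not os.path.isfile(real_conf):
        return sorted(problems + ["missing config %s" % conf])
    # named chroots to -t before reading its config, so every path in named.conf
    # (includes, zone files) must exist under the jail, not under the real /
    with open(real_conf) as f:
        for inc in INCLUDE_RE.findall(f.read()):
            if not os.path.isfile(jail_path(jail, inc)):
                problems.append("include %s not found inside jail" % inc)
    return sorted(problems)


def build_demo_jail():
    """Constructed demo tree in a temp dir: dirs and config present, device nodes absent (mknod needs root), one include missing."""
    import tempfile
    root = tempfile.mkdtemp(prefix="namedjail-")
    for d in JAIL_DIRS:
        os.makedirs(jail_path(root, d), exist_ok=True)
    with open(jail_path(root, "etc/bind/named.conf"), "w") as f:
        f.write('include "/etc/bind/named.conf.options";\ninclude "/etc/bind/named.conf.local";\n')
    open(jail_path(root, "etc/bind/named.conf.local"), "w").close()
    return root
```

Run check_jail("/named/jail") as root after step 5; the device-node messages it prints are the exact mknod commands still to be run.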