CIH Virus - Flash version, courtesy of PowerShow.com

The Adobe Flash plugin is needed to view this content

Get the plugin now

Send

Flag

Favorite

Save as PPS or open with PowerPoint Viewer

Rate:

0 ratings

Title:CIH Virus

Description:

Provides sidt Instruction to Retrieve Base Address and Length of the Interrupt Descriptor Table ... CIH hacks the IDT to point to code that does the following ...

Learn more at:http://pages.cs.wisc.edu/~tobler/_private

Presentation added: 11 June 2009

Slides: 14

Category:Unassigned

Tags: hacks

Add more tags

more less

Total views:22782

Avg rating:3.0

Write a Comment

User Comments (0)

Transcript & Presenter Notes

Title: CIH Virus

1
CIH Virus

Kevin OConnor
and
John Tobler

2
Overview

Virus Description
Relevant System Vulnerabilities
Virus Specifics
Countermeasures

3
Virus Description

Author CIH
Virus Names CIH and Chernobyl
Created 1998 in Taiwan
Attacks Hard Drive and BIOS
Trigger April 26th or the 26th of any month
(depending on virus version)

4
System Vulnerabilities
Intel x86
Windows 9x

Provides 4 Privilege Levels for Code Execution
(Ring0-3)
Provides sidt Instruction to Retrieve Base
Address and Length of the Interrupt Descriptor
Table

Ring0Kernel Ring3User Code
IDT is not stored on a Protected Memory Pageany
user program can edit the IDT

5
Infection Overview

An infected Windows Portable Executable file is
opened on an uninfected machine (any
.exe file)
CIH hacks the IDT to point to code that does the
following
CIH allocates system memory for itself to run in
CIH hooks the file system and infects any
uninfected PE file that is subsequently opened

6
CIH Infects PE Files

CIH is a Fragmented Cavity Filler
PE files consist of several sections (code data
etc.) that must start on certain boundaries
The virus resides in holes located between these
sections of the PE file
This does not increase the size of an infected
filemaking the virus harder to detect

7
(No Transcript)
8
CIH Goes LiveStep 1 Hacking an Interrupt

Get the location and length of the IDT using the
Intel provided sidt instruction
Each descriptor is 8 bytes Index into the Table
by 8n bytes to change int n
This descriptor contains the address of the Ring0
code to run for int n
This address for int03h is changed to point to
reassembly and file system hooking code

Fires int03h
9
Step 2 Virus Reassembly

CIH allocates memory in system space for itself
to run in
The virus uses a fragment table contained in its
reassembly code to copy itself contiguously into
the allocated memory space

10
Step 3 Install File System Hook

CIH uses a Windows provided System Call to
install its own code in the file access path
CIH can now monitor all file accesses and infect
any uninfected PE file that is run
Infection is complete. Control is returned to
the original infected executable so it can run

11
KILL KILL KILL -CIH

CIH is triggered to attack when the following
conditions are met
The virus is resident in memory
A file with an exe extension is opened that is
not a suitable host on the trigger date
CIH will overwrite the first 1MB of each hard
disk with random data
CIH will also write directly to Flash ROM
chipsmaking the system unbootable until the chip
is replaced

12
CIH Countermeasures

Run Virus Scanning Software
In order to write to BIOS the correct
programming voltage is necessary. This voltage
is frequently set by a jumper on the motherboard.
If the jumper is not present the BIOS cannot be
destroyed by CIH.
Use an operating system other that Windows 9x.
Windows NT is not susceptible to attack because
it properly protects the IDT.

13
The End