The present invention relates to the detection and removal of undesirable programs from computer systems.
Many computer users have encountered computer viruses, sometimes with painful results. Computer viruses can cause unrecoverable errors, delete files, create intermittent problems and otherwise cause individuals and businesses much frustration and other damage. As used herein, “computer virus” or “virus” means a computer program that is unauthorized and undesired, and which operates or propagates surreptitiously.
Some viruses can make copies of themselves. Some viruses can modify their own code, making them harder to identify and remove. A distinction is sometimes made between self-replicating viruses and another threat to system security, known as a “Trojan Horse.” However, for purposes of this discussion a Trojan Horse program is considered to be a virus because it operates surreptitiously. A Trojan Horse is a program that has been designed or modified to perform some hostile act but is disguised as a familiar or non-threatening program. All viruses are capable of wasting time or otherwise adversely affecting the operation of an infected subject computer system. Certain viruses, known as “stealth viruses”, hide behind a facade. That is, they manipulate an infected system to hide their presence by redirecting commands, relocating system structures, overwriting signatures, or other means.
An Overview of Computer Components and the Boot Process
Many computer viruses exploit the underlying mechanisms of the computer operating system. A better understanding of the ways viruses operate and propagate can be gained by considering the basic steps performed in starting a computer.
Computers include hardware, such as a keyboard, screen, memory, and disk drives. They also include system software, such as boot software, operating system software, and file system software. Boot software includes non-volatile programs used to load the initial program or operating system. Operating system software includes a wide variety of routines for tasks such as launching programs, managing memory, displaying windows, and enforcing security. File system software includes routines for organizing and accessing data on a disk or other persistent storage medium.
An interface is often provided between the hardware and the system software to enable programmers or users to program their machines with less detailed knowledge of a particular hardware device. In many personal computers, for example, a BIOS (Basic Input/Output System) disk module permits a programmer to operate a floppy disk drive (or a hard disk drive) without a thorough knowledge of the specific brand of drive hardware being used. Thus, a number of drives designed and manufactured by different companies can be used in the system. This not only lowers the cost of the system, but permits a user to choose from a number of drives with equal facility. The BIOS is typically stored in memory chips, such as read-only memory chips (“ROM”).
The process of starting a computer is called “bootstrapping”, often shortened to “booting”, because a small piece of computer code is read and then used to load a larger program, which in turn loads additional programs. In a figurative way, the computer pulls itself up by its own bootstraps.
To start a computer, a small boot program stored in ROM is first executed. The ROM boot program contains at least three critical pieces of information, namely, the location on disk of a Master Boot Record (“MBR”), the starting address at which the MBR should be copied into memory, and instructions for making a copy of the MBR contents in memory and passing control of the processor to that copy. The MBR contains a disk boot program that will load the operating system code and eventually pass control to the command interpreter or other user interface. In theory, the ROM boot program and the disk boot program could be consolidated and stored in ROM, but this requires more expensive hardware and makes the computer less flexible. Indeed, the entire system software could be stored in ROM (at considerable expense) but any updates to the system software would require swapping in different ROM chips.
As used here, “boot sector” refers generally to the Master Boot Record or another location in persistent storage which contains at least part of the information used to boot the computer. Architectures other than IBM-PC-compatible architectures may use other names for the MBR, the BIOS, and other computer system components discussed here; the role played by a component is more important than the component's name. A boot sector is typically stored on a persistent medium, such as a hard disk or a floppy disk, at a fixed location such as the first, last, or middle sector of an entire disk or a disk partition. The boot sector may contain boot code, or it may refer to another location which contains boot code.
In some cases, a distinction is made between the MBR and other sectors that contain information used during the boot process. As used herein, the term “virus targets” refers to the MBR, to various boot sectors, and to other parts of a computer system which may be targeted by a virus. In general, virus targets contain low-level system information such as boot information, but some viruses target word processor macros or other information that is closer to the user/application level.
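The MBR layout described above (446 bytes of disk boot program, a four-entry partition table and the two-byte boot signature) is the structure a detector must be able to read before it can judge whether a virus target has been tampered with. The following parser is an added example, not part of the original disclosure; it follows the standard IBM-PC MBR layout, the sample sector it builds is constructed for illustration, and the sanity checks in `sanity_findings` are one reasonable set, not a list from the page.

```python
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445: the disk boot program
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510          # bytes 510..511: 0x55 0xAA boot signature
BOOT_SIGNATURE = 0xAA55         # value of those two bytes read little-endian
BOOTABLE_STATUS = 0x80


@dataclass
class PartitionEntry:
    status: int        # 0x80 = active (bootable), 0x00 = inactive
    type_code: int     # partition type, e.g. 0x83 Linux, 0x07 NTFS/exFAT
    lba_start: int     # first sector, 32-bit LBA
    sector_count: int  # length in sectors

    @property
    def bootable(self) -> bool:
        return self.status == BOOTABLE_STATUS

    @property
    def empty(self) -> bool:
        return self.type_code == 0 and self.sector_count == 0


@dataclass
class MasterBootRecord:
    boot_code: bytes
    partitions: List[PartitionEntry]


def parse_mbr(sector: bytes) -> MasterBootRecord:
    """Split a 512-byte sector into boot code and partition table; reject a
    sector of the wrong size or one lacking the 0x55AA signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(sector)}")
    (signature,) = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)
    if signature != BOOT_SIGNATURE:
        raise ValueError(f"bad boot signature 0x{signature:04X}")
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped), LBA start, count
        status, type_code, lba_start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        partitions.append(PartitionEntry(status, type_code, lba_start, count))
    return MasterBootRecord(sector[:BOOT_CODE_SIZE], partitions)


def is_valid_mbr(sector: bytes) -> bool:
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False


def sanity_findings(mbr: MasterBootRecord) -> List[str]:
    """Structural checks a detector would run before trusting the table (hypothetical set)."""
    findings = []
    if len([p for p in mbr.partitions if p.bootable]) > 1:
        findings.append("more than one active partition")
    used = [p for p in mbr.partitions if not p.empty]
    for p in used:
        if p.lba_start == 0:
            findings.append("partition starts at LBA 0 and overlaps the MBR")
    for i, a in enumerate(used):
        for b in used[i + 1:]:
            if a.lba_start < b.lba_start + b.sector_count and b.lba_start < a.lba_start + a.sector_count:
                findings.append("partitions overlap")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample sector: a stub boot program, one active type-0x83
    partition at LBA 2048 of 204800 sectors, three empty entries, signature."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOT_CODE_SIZE, b"\x00")
    entry = struct.pack("<B3sB3sII", BOOTABLE_STATUS, b"\x00\x00\x00", 0x83, b"\xfe\xff\xff", 2048, 204800)
    table = entry + bytes(PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + b"\x55\xaa"
```

A detector that reads the MBR through an untrusted path gets whatever that path returns, so a parse that succeeds says nothing about whether the sector came from the real LBA 0; the parser is only the first step, and the comparison of read paths discussed later is what exposes a facade.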
An Overview of Virus Methods
Viruses generally move from computer to computer using an infected portable storage medium, such as a floppy disk or a removable hard drive, but they may also enter a system when code is downloaded over the Internet or another network. Viruses try to penetrate computers during the boot process, at or below the system software level, because that gives the viruses greater access to disks and other system resources and because anti-virus measures may not yet be running if the boot process has not finished.
Viruses try to penetrate the boot process in various ways. Stealth virus invasions modify operating system file access procedures by intercepting the procedure call and passing back incorrect information when the correct information would reveal the virus's presence. For instance, a virus can install itself in the Master Boot Record and then modify attempts to read the MBR so it appears that no virus is present. A virus may also create a facade MBR at a location other than the fixed location of the MBR, and fill the facade with the contents of the original MBR. Any anti-virus checks on the MBR to determine its integrity through checksums or data values will be intercepted and performed on the facade instead of the actual modified MBR, so the invasion will go undetected.
A similar trick may be performed on other boot sectors or even on sectors that contain macros created by a user. That is, one or more of the virus target sectors are modified and copies of the original sectors are stored elsewhere. Legitimate calls to read or write a sector are intercepted, and passed to the facade sector to avoid detection of the unauthorized modifications.
Because working portions of the BIOS or references to the BIOS are often stored in modifiable random access memory (“RAM”), another virus method alters the copy of BIOS or BIOS reference in RAM. A virus may also intercept parameters which specify BIOS activities and pass back false information.
An Overview of Virus Detection and Removal
Many methods have been developed to discover and remove viruses. Three of the most common methods currently employed to protect against viruses are known as “scanner”, “self-test”, and “vaccination” methods.
Scanner methods check for known viruses by looking for identifying sections of virus code in system files, in boot sectors, and in memory. Although scanning works well on some known viruses, it is less effective or even useless on viruses that modify their own code because the scanner will not find the modified code fragments. Scanning also becomes less effective as time passes and the pool of new and enhanced viruses grows, even if the scanners are periodically updated. Scanning methods also fail when a stealth virus successfully uses a facade to trick detection efforts that rely on reading the targeted sectors. The facade is scanned instead of the actual infected sectors, so the virus goes undetected.
Self-test methods perform a checksum on the virus target, and compare the results with an original checksum value that has been previously calculated on the virus target known to be uninfected and then stored out of reach of the virus. These methods are also vulnerable to facade records, because the virus detection software's read is diverted, and the checksum is calculated on the uninfected (but relocated) virus target. The virus remains undisturbed in the location intended to hold the virus target.
Another method used by viruses to circumvent self-test methods infects the virus target in such a way as to produce the same checksum as the original unmodified virus target. The virus can do this by filling particular spaces in the infected virus target with appropriate data.
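The checksum-preserving infection just described only works against checksums that are linear in their input. The following added example (not code from the original disclosure) makes the point concrete with a constructed 16-bit word-sum checksum: after the payload is written, a single 16-bit filler word is chosen so the sum returns to its original value, while a cryptographic hash of the same sector changes. The sector contents and payload are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512


def word_sum_checksum(data: bytes) -> int:
    """Weak 16-bit self-test checksum: sum of little-endian 16-bit words mod 2**16
    (constructed for illustration; any purely additive checksum behaves the same)."""
    if len(data) % 2:
        raise ValueError("data must be an even number of bytes")
    return sum(struct.unpack(f"<{len(data) // 2}H", data)) & 0xFFFF


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def infect_preserving_checksum(clean: bytes, payload: bytes, payload_offset: int, filler_offset: int) -> bytes:
    """Write `payload` into a copy of the clean sector, then set one 16-bit filler word
    so the additive checksum of the result equals the checksum of the clean sector."""
    if filler_offset % 2:
        raise ValueError("filler word must be 16-bit aligned for a word checksum")
    if payload_offset < filler_offset + 2 and filler_offset < payload_offset + len(payload):
        raise ValueError("payload and filler overlap")
    target = word_sum_checksum(clean)
    infected = bytearray(clean)
    infected[payload_offset:payload_offset + len(payload)] = payload
    struct.pack_into("<H", infected, filler_offset, 0)          # filler contributes nothing yet
    partial = word_sum_checksum(bytes(infected))
    # The filler word is the only free term in the sum; solve for it mod 2**16.
    struct.pack_into("<H", infected, filler_offset, (target - partial) & 0xFFFF)
    return bytes(infected)


def sample_clean_sector() -> bytes:
    """Constructed clean boot sector: short stub, zero padding, 0x55AA signature."""
    return b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(SECTOR_SIZE - 2, b"\x00") + b"\x55\xaa"


def demo() -> dict:
    clean = sample_clean_sector()
    payload = b"\xeb\x1e" + b"VIRUS" + b"\x90" * 9      # 16-byte stand-in for virus code
    infected = infect_preserving_checksum(clean, payload, payload_offset=32, filler_offset=508)
    return {
        "checksum_clean": word_sum_checksum(clean),
        "checksum_infected": word_sum_checksum(infected),
        "sha256_clean": sha256_hex(clean),
        "sha256_infected": sha256_hex(infected),
    }
```

The practical consequence is that a self-test value is only as strong as the function behind it: an additive or XOR checksum gives the virus a free variable to solve for, whereas a collision-resistant hash stored out of the virus's reach does not. Even the hash does not help if the read it is computed over has been diverted to a facade, which is the separate problem the facade discussion addresses.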
Vaccination methods make it appear to the virus that the system is already infected. This virus prevention method has many of the same problems as the scanner method, and works best for known viruses.
To remove a computer virus it is often necessary to have a clean, uninfected disk, so the MBR or other infected sectors can be overwritten with their uninfected versions without intervention by the virus. Because viruses easily infect all available disks (including anti-virus disks!), clean disks can be hard to find.
Thus, it would be an improvement in the art to provide a virus detection system and method that do not depend solely on the computer operating system or BIOS to detect viruses.
It would be a further improvement in the art to provide a virus removal system and method that do not require a clean uninfected disk to work.
Such a system and method are disclosed and claimed herein.
The present invention provides a virus detection system and method that do not depend on the system software or the standard BIOS to detect viruses. In conventional systems, viruses alter the path between application programs and storage media. In an IBM-compatible system using the MS-DOS operating system, for instance, disk reads requested by an application are serviced by a BIOS routine; a stealth virus hides its presence by modifying the BIOS or BIOS references to redirect attempts to read the MBR (MS-DOS is a registered trademark of Microsoft Corporation). The invention provides an alternate path to the disk (or other storage medium) by providing an alternate BIOS or other means for translating between application access requests and storage media hardware. The alternate path provided by the invention is more trustworthy than the standard path because the alternate BIOS is not readily accessible to viruses. Viruses can be detected by noting differences between results obtained using the infected standard BIOS and the uninfected alternate BIOS.
In one embodiment, a computer system according to the invention includes a storage subsystem containing a storage medium and a controller; the controller has a controller interface for controlling access to the storage medium. Possible storage media include magnetic storage media, optical storage media, and other computer storage media. Possible controllers thus include hard disk controllers, floppy disk controllers, and other hardware/firmware storage media controllers.
The invention uses a trusted translation means for translating between logical requests for access to the storage medium and corresponding parameters used in the controller interface, such as a trusted BIOS. Thus, the invention does not depend on the possibly infected system software or the possibly infected BIOS to detect viruses. Instead, the invention uses a separate BIOS designed specifically for virus detection and removal. Like the standard BIOS, this alternate BIOS is tailored to the controller hardware. Unlike the standard BIOS, this alternate BIOS is trusted because it has been protected against infestation by being kept inaccessible to viruses.
A method of the invention includes a detecting step. During the detecting step virus detection software according to the invention searches for viruses, focusing on selected targets but not necessarily limiting all activity to those targets. Selected targets include the controller hardware state, the Master Boot Record, and boot sectors which are not part of the Master Boot Record. The detecting step may detect an altered interrupt vector, detect alteration of a BIOS parameter, and/or detect a facade system structure. The detection means can be applied locally or across a network communications link.
Some embodiments of the invention include both a virus detector and a virus remover. The virus remover relocates facade structures to their proper location, reconstructs boot sectors and Master Boot Records, and otherwise removes viruses. The removal steps used may depend on the type of virus detected. If a facade Master Boot Record or facade boot sectors are discovered, then they may be relocated or they may be reconstructed in their proper location using redundant data.
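The facade mechanism described in the virus methods overview, the way it defeats scanner and self-test reads, and the two-path detection and relocation-based removal summarized above can all be exercised in one small simulation. The following is an added example, not code from the disclosure: it models a disk, a standard BIOS whose read vector a resident virus can re-point (standing in for the INT 13h hook a real stealth virus installs), and a trusted BIOS that reaches the controller directly. The virus model, the sample MBR and the class and function names are constructed for illustration; the facade search assumes the virus stored the original sector uncompressed.

```python
import hashlib
from typing import Callable, Dict, List, Optional

SECTOR_SIZE = 512
MBR_LBA = 0


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Disk:
    """Simulated storage medium behind the controller."""
    def __init__(self, sector_count: int):
        self.sectors = [bytes(SECTOR_SIZE) for _ in range(sector_count)]

    def read(self, lba: int) -> bytes:
        return self.sectors[lba]

    def write(self, lba: int, data: bytes) -> None:
        if len(data) != SECTOR_SIZE:
            raise ValueError("sector size mismatch")
        self.sectors[lba] = bytes(data)


class StandardBios:
    """Standard BIOS: a vector table of service routines that resident code can re-point."""
    def __init__(self, disk: Disk):
        self.vectors: Dict[str, Callable[[int], bytes]] = {"read_sector": disk.read}
        self.power_on_vectors = dict(self.vectors)   # reference copy taken before any code ran

    def read_sector(self, lba: int) -> bytes:
        return self.vectors["read_sector"](lba)


class TrustedBios:
    """Alternate translation layer: reaches the controller directly, not via the vector table."""
    def __init__(self, disk: Disk):
        self._disk = disk

    def read_sector(self, lba: int) -> bytes:
        return self._disk.read(lba)

    def write_sector(self, lba: int, data: bytes) -> None:
        self._disk.write(lba, data)


def install_stealth_virus(bios: StandardBios, disk: Disk, facade_lba: int) -> None:
    """Constructed stealth-virus model: park the clean MBR in a facade sector, overwrite
    the real MBR, and hook the read vector so reads of LBA 0 are answered from the facade."""
    disk.write(facade_lba, disk.read(MBR_LBA))
    disk.write(MBR_LBA, b"VIRUS".ljust(SECTOR_SIZE - 2, b"\x90") + b"\x55\xaa")
    original_read = bios.vectors["read_sector"]

    def hooked_read(lba: int) -> bytes:
        return original_read(facade_lba if lba == MBR_LBA else lba)

    bios.vectors["read_sector"] = hooked_read


def self_test_passes(read_sector: Callable[[int], bytes], known_good_digest: str) -> bool:
    """Conventional self-test: hash the MBR as seen through the given read path."""
    return sha256_hex(read_sector(MBR_LBA)) == known_good_digest


def find_facade(trusted: TrustedBios, contents: bytes, sector_count: int) -> Optional[int]:
    """Find the sector (other than LBA 0) whose real contents equal what the standard path
    returned for the MBR. Assumes the facade is stored verbatim."""
    for lba in range(1, sector_count):
        if trusted.read_sector(lba) == contents:
            return lba
    return None


def detect(bios: StandardBios, trusted: TrustedBios, sector_count: int) -> List[str]:
    findings = []
    if bios.vectors["read_sector"] is not bios.power_on_vectors["read_sector"]:
        findings.append("read_sector vector altered")
    via_standard = bios.read_sector(MBR_LBA)
    if via_standard != trusted.read_sector(MBR_LBA):
        findings.append("MBR differs between standard and trusted path")
        facade = find_facade(trusted, via_standard, sector_count)
        if facade is not None:
            findings.append(f"facade MBR at LBA {facade}")
    return findings


def remove(bios: StandardBios, trusted: TrustedBios, sector_count: int) -> Optional[int]:
    """Relocate the facade to LBA 0 through the trusted path, scrub the facade sector and
    restore the vector table. Returns the facade LBA, or None if there was nothing to do."""
    via_standard = bios.read_sector(MBR_LBA)
    if via_standard == trusted.read_sector(MBR_LBA):
        return None
    facade = find_facade(trusted, via_standard, sector_count)
    if facade is None:
        return None
    trusted.write_sector(MBR_LBA, via_standard)
    trusted.write_sector(facade, bytes(SECTOR_SIZE))
    bios.vectors.update(bios.power_on_vectors)
    return facade


def sample_clean_mbr() -> bytes:
    """Constructed clean MBR: stub boot code, zero padding, 0x55AA signature."""
    return b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(SECTOR_SIZE - 2, b"\x00") + b"\x55\xaa"
```

Two details matter in practice. First, the self-test passes when run through the hooked standard path and fails only through the trusted path, which is exactly why a detector that owns its own path to the controller sees what a conventional scanner cannot. Second, removal here also restores the in-memory vector; on a real machine the resident hook survives until the next boot regardless of what is written to disk, so the repaired MBR should be re-verified through the trusted path after a restart.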
Other features and advantages of the present invention will become more fully apparent through the following description.