This document discusses the topic of computer virology. It begins with an introduction to virology and the history of computer viruses. It then covers the different categories of viruses and malware. The document discusses the environment that viruses need to survive, including operating systems, file formats, and networks. It provides details on how viruses replicate, including through boot sectors and by infecting executable files. It promises to cover more on executable file internals and infection techniques in future presentations.

1. Modern Computer Virology
The black art of breaking and
defending malicious computing.
By M S D Perera 1

2. Introduction
• What is virology?
• Then what is computer virology?
• How it differ from conventional biological
virology?
• History of computer virology.
By M S D Perera

3. Categories of Virology
• Worms.
• Viruses.
• Trojan Horses.
• Malware.
• Spyware.
• Rabbits.
• Other , malicious code but directly can’t
categorize under virology. [ ex-logic bombs, root-
kits,shell-code, key loggers ,spammers/ floders.
By M S D Perera

4. Environment Of Virology
• As biological virus can’t live without a host computer virus also can’t live without a
host or a proper environment.
Like parasites need a host[a human] to live a computer virus also need a host[a
computer to live].
• What makes environment heterogeneous or homogenous?
* Computer Architecture [x86,x64, ARM,SunSolaris.. Etc etc],and CPU version.
* Operating systems and software Environment. And their versions.
for list of Operating systems refer: http://os-dev.org/
* File systems and file formats.
for list of different file systems refer:
* Network and media.
Different internetworking and media exists today. For a example we can take
internet as a popular network for spreading worms, and thumb drives as a
popular media for spreading to viruses.
By M S D Perera

5. Media of Replication
• So as I mentioned in my previous note a computer virus is a
malicious code that it have the ability to reclusively replicate itself
within a one host, if it can automatically replicate itself to outside
the hos it’s considered as a ‘worm’.
• Basic Three parts of a typical computer virus.
* replication engine * bomb * polymorphic engine.
• There are numerous ways that have been used by virus writers to
replicate.
* using the boot sector [boot sector virus]
* File inflection techniques. [win32,win64
executable files].
* scripts, macros and data file viruses.[explain why almost every
file is guilty as same as executable files for viruses].
By M S D Perera

6. Boot Sector Virus
• In x86 computer architecture a boot sector is 512 bytes long executable code. Every
computer physical storage medium have this boot sector called a master boot record and
may exists alternative number of boot sectors as equal to it’s number of partitions.
• Some boot viruses are killing it’s host instantly and made host operating system unbootable.
But some smart viruses spread the virus to other boot sectors of the accessible media and
wait for the correct time to execute the bomb. It can be logically programmed by the virus
writer. However in the second strategy the user should not notice any strange till the correct
time and it should boot the OS as normal. To do that Boot sector viruses use different
mechanisms. Following explains few.
* Relocate original bootsector to somewhere else and later load it to memory and
execute it.
* Relocate original bootsector at the end of the partition.
* Change the PT entries of a particular partition and allow it to execute arbitrary code
of sector [virus code] and finally let execute the original boot sector.
An Example boot sector virus source code:
By M S D Perera

7. Executable File Inflection Techniques
• In Windows platform a executable file ends with the suffix “.exe” and in Linux they have no extension. Linux uses elf32
executable format and windows uses win32 PE and PE+ executable file formats.
• Executable file is nothing more than a big data-structure which have following.
* header.
* sections
In a typical executable file there are following sections.
text[executable code]
data [global variables and statistically initialized data]
bss [dynamically initialized data]
stack [defines the hardware stack for the executable]
There is a entry point in the text section. It’s where your operating systems starts executing after it loads data and text sessions
into memory and bss and stack have been initialized. So a virus code have to insert it’s code to the text section , in other words it
have to alter to the text section of a particular executable file. There are other methods too., for a example inserting a new text
session is also possible. Following are some different techniques that virus writers are using .
* Overwriting Viruses.
* Append last to the text section.
* Viruses that inject it’s code to the padded aligned spaces between segments.
* Random Inflection.
* Viruses that hijack Entry points.
* and many more unspecified wild techniques are used among the virus writer underground communities.
An example Executable virus source code:
By M S D Perera

8. Summary
• Introduction and history about viruses.
• Environment and category.
• Media of Replication.
• Into about mechanisms about Boot sector viruses and executable
viruses.
• In My next Presentation:
More about Executable file internals.
More about Win32 PE and PE+ executable file format.
More about executable file inflection techniques which are
used by the win32 viruses in the windowing platform.
Thanks for the audience 
By M S D Perera

9. By M S D Perera