,......................,
.'                      '.
:  BOOT CD INFECTION     :    /
:  by LiTlLe VxW         :   /
:  Written FOR 29A      ,'  /
_......................'   /.'

- INTRODUCTION
- REVIEW OF THE BOOT SECTOR / MBR OF FLOPPY AND HARD DRIVE
- El Torito Bootable CD-ROM Format Specification v1.0
- COMMENTED EXAMPLE OF A BOOTABLE CD
- METHODS OF INFECTION OF THE BOOT OF A CDROM
- CONCLUSION

,...................,
.'                   '.
:   INTRODUCTION     :    /
:                   ,'   /
_...................'   /.'

Viruses that infect the boot sector of floppies and the Master Boot Record (MBR) of hard disks were very common while DOS was alive, because everyone exchanged programs and data on floppies and left them in the drive when switching the computer on. Nowadays boot viruses are dead, killed by the arrival of the CD-ROM.

Boot viruses were nice to code because they dealt only with the processor and the BIOS, not with the Win32 API or VBScript. Under DOS it is easy to write directly to a boot sector or MBR; under Win32 it is a bit more complex, because you have to go through the right APIs and the code gets dirty.

A virus that infects the boot sector of floppies or the MBR of hard drives has no chance to survive today, because nobody passes programs or games around on floppies any more (when did you last use one?). A virus that can infect the boot section of a CD-ROM, on the other hand, can survive. The problem is getting onto the CD-ROM: the best way is a virus (a PE infector, for example) that also infects CD images such as .ISO files, which are widely exchanged by P2P users.

The power of a boot/CD-ROM infector is that the only way to get rid of it once the disc is burnt is to throw the disc away (into a real trash can, not the one on your Windows desktop). The disadvantage is that you cannot write to a CD-ROM directly, only to CD images (.ISO files) before they are burnt.

There is no asm code in this tutorial; do it yourself, you have everything you need here to code something nice.
 +-------------------------+                       +------------------+
 | OS-specific virus       |--infect CD images---->| BOOT/CDROM virus |-----------------------+
 | (PE infector, for expl.)|                       +--------+---------+                       |
 +-------------------------+                                |                                 |
            /|\                            infect boot sector of floppy                      |
             |                                              |                                 |
             |                                +-------------+------------+                    |
             |                                | floppy boot sector virus |<-------------------+
             |                                +-------------+------------+                    |
             |                                              |                                 |
             |                             infect MBR of hard drive                           |
             |                                              |                                 |
             |                                +-------------+------------+                    |
             +- - - - infect files - - - - - -| MBR (hard drive) virus   |<-------------------+
                 (the hard step, see below)   +--------------------------+  infect MBR of hard drive

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! The problem is that it is very hard to write a virus that  !
! infects files (PE .EXE files, for example) from the MBR:   !
! you have to deal with the file system (FAT32, NTFS, ...)   !
! and with fragmentation, with nothing but the BIOS to help. !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

,.......................................................,
.'                                                       '.
:  REVIEW OF THE BOOT SECTOR / MBR OF FLOPPY AND HD      :    /
:                                                       ,'   /
_.......................................................'   /.'

First read the old tutorials to know what we are talking about; sorry, I do not have enough time to explain the old stuff:

- MBR/BS infection (Virtual Daemon) in slam#4
- Boot Sector Infection (Qark) in Vlad1
- Your First Lesson in Boot Infection (Techno Phunk) in technological illusion#1
- Windows Compatible BS/MBR and Multipartite Viruses (SPo0Ky) in codebreakers#5
- The Assembly Language Tutorial (vultupe) in codebreakers#5

You will not understand what follows without some knowledge of boot sectors, the MBR, and asm that uses only BIOS interrupts. Remember the difference: a floppy has a boot sector (BPB plus boot code, no partition table), a hard disk has an MBR (boot code plus the partition table at offset 1BEh); both end with the 55 AA signature at offset 1FEh.

,.........................................................,
.'                                                         '.
:  El Torito Bootable CD-ROM Format Specification v1.0     :    /
:                                                         ,'   /
_.........................................................'   /.'

The Digital Audio Compact Disc was born in the 80s to store audio only; several years later the ISO 9660 format appeared to store binary data such as files. ISO 9660 alone does not let a computer boot from a CD-ROM, which is why the El Torito Bootable CD-ROM Format Specification (version 1.0, published by Phoenix and IBM in January 1995) was created.
An El Torito CD is still an ISO 9660 CD, and it respects that format:

- ISO 9660 defines that the Primary Volume Descriptor resides at sector 10h (16), relative to the start of the session.
- El Torito defines that the Boot Record (a Boot Record Volume Descriptor) resides at sector 11h (17) of the last session on the CD.

*==---------------------------------------------------------------------------==*
*==--->  KEEP in mind this value: a CD sector is 800h (2048) bytes long   <---==*
*==---------------------------------------------------------------------------==*

Remark: a CD can carry a single boot image or several boot images (single-boot and multi-boot CDROMs).

      NON-bootable CDROM                    BOOTABLE CDROM with 2 boot images

 +---------------------+                 +--------------------------+
 |       System        |                 |         System           |   <- sector 0
 |      (unused)       |                 |        (unused)          |      (sectors 0-Fh)
 +---------------------+                 +--------------------------+
 |       volume        |                 |     Primary Volume       |   <- sector 10h
 |     descriptors     |                 |       Descriptor         |
 +---------------------+                 +--------------------------+
 |       CDROM         |     +---------->|   Boot Record Volume     |   <- sector 11h
 |       image         |     |           |       Descriptor         |
 |                     |     |           +--------------------------+
 |                     |     |           |            .             |
 |                     |     |           |            .             |
 |                     |     |           +--------------------------+
 +---------------------+     |           |  Set Terminator volume   |
                             |           |       descriptor         |
                             |           +--------------------------+
                             +---------->|     [Booting catalog]    |   <- sector given by the
                                         |  - Validation Entry      |      Boot Record
                                         |  - Initial/Default Entry |
                                         |  - Section Header        |
                                         |  - Section Entry         |
                                         |  - Section Entry Extens. |
                                         +--------------------------+
                                         |   BOOTABLE DISK IMAGE    |
                                         +--------------------------+
                                         |   BOOTABLE DISK IMAGE    |
                                         +--------------------------+
                                         |       CDROM image        |
                                         |      (file system)       |
                                         +--------------------------+

+=========================================================================================+
|                      The Primary Volume Descriptor (ISO 9660 format)                    |
+========+================================================================================+
| Offset | Description                                                                    |
+========+================================================================================+
| 0      | Volume Descriptor Type, MUST BE 1                                              |
+--------+--------------------------------------------------------------------------------+
| 1-5    | Standard Identifier, MUST BE "CD001"                                           |
+--------+--------------------------------------------------------------------------------+
| 6      | Volume Descriptor Version, MUST BE 1                                           |
+--------+--------------------------------------------------------------------------------+
| 7      | Unused                                                                         |
+--------+--------------------------------------------------------------------------------+
| 8-27   | System Identifier (32 characters)                                              |
+--------+--------------------------------------------------------------------------------+
| 28-47  | Volume Identifier (32 characters)                                              |
+--------+--------------------------------------------------------------------------------+
| 48-4F  | Unused                                                                         |
+--------+--------------------------------------------------------------------------------+
| 50-57  | Volume Space Size: number of logical blocks in the volume. A dword stored in   |
|        | "both-byte order": little-endian copy at 50-53, big-endian copy at 54-57.      |
+--------+--------------------------------------------------------------------------------+
| 58-77  | Unused                                                                         |
+--------+--------------------------------------------------------------------------------+
| 78-7B  | Volume Set Size: the assigned size of the volume set (word, both-byte order)   |
+--------+--------------------------------------------------------------------------------+
| 7C-7F  | Volume Sequence Number: ordinal of this volume in the volume set (word,        |
|        | both-byte order)                                                               |
+--------+--------------------------------------------------------------------------------+
| 80-83  | Logical Block Size: size in bytes of a logical block (word, both-byte order)   |
+--------+--------------------------------------------------------------------------------+
| ...    | ... (the descriptor fills the whole sector, up to offset 7FFh)                 |
+--------+--------------------------------------------------------------------------------+

The Logical Block Size is 800h most of the time, but ISO 9660 also allows 200h and 400h, so read the field instead of assuming it. Every numeric field of the PVD is stored twice, little-endian then big-endian; on x86 you read the first copy, and the second copy is a cheap consistency check.

Pasted from "El Torito Bootable CD-ROM Format Specification Version 1.0":

" The Boot Record contains an absolute pointer to the Boot Catalog. The Boot Catalog is a collection of 20 byte entries, packed 40 entries to the sector. This catalog allows the system to pick a proper boot image and then to boot from the selected image. The image may be virtualized into INT 13 drive number 00 or 80 for bootable disk emulation, or n+1 for a non-bootable emulation, where n is the number of the last hard drive initialized by the BIOS. The image may also simply be some code which will be loaded at boot time (no emulation). The BIOS will choose a drive number between 81 and FF when no emulation is specified.

There are 5 types of entries. These entries define a validation procedure for the bootable CD, an Initial/Default entry, a section header, a section entry, and a Section Entry Extension. "

All the numbers in the specification are hexadecimal: an entry is 20h = 32 bytes long, so 40h = 64 entries fit in one 800h-byte sector, and the drive numbers 00, 80 and 81-FF are the usual INT 13h drive numbers.
+================================================================================+
|                         Boot Record Volume Descriptor                          |
+========+=======+===============================================================+
| Offset | Type  | Description                                                   |
+========+=======+===============================================================+
| 0      | Byte  | Boot record indicator, must be 0                              |
+--------+-------+---------------------------------------------------------------+
| 1-5    | Byte  | ISO 9660 identifier, must be "CD001"                          |
+--------+-------+---------------------------------------------------------------+
| 6      | Byte  | Version of this descriptor, must be 1                         |
+--------+-------+---------------------------------------------------------------+
| 7-26   | Byte  | Boot system identifier, must be "EL TORITO SPECIFICATION"     |
|        |       | padded with 0s to 32 bytes                                    |
+--------+-------+---------------------------------------------------------------+
| 27-46  | Byte  | Unused, must be 0                                             |
+--------+-------+---------------------------------------------------------------+
| 47-4A  | Dword | Absolute pointer to the first sector of the Boot Catalog      |
|        |       | (a sector number, little-endian; multiply by 800h for the     |
|        |       | byte offset in an image file)                                 |
+--------+-------+---------------------------------------------------------------+
| 4B-7FF | Byte  | Unused, must be 0                                             |
+--------+-------+---------------------------------------------------------------+

*************************
***  Booting catalog  ***
*************************

\./\./\./\./\./\./
 Validation Entry
/'\/'\/'\/'\/'\/'\

This is the first entry in the boot catalog. The Validation Entry validates that a booting catalog is present on the disc and identifies the manufacturer of the CD. If this entry is valid, it is assumed that the rest of the entries are valid.

+=============================================================================================+
|                                     Validation Entry                                        |
+========+===========+========================================================================+
| Offset | Type      | Description                                                            |
+========+===========+========================================================================+
| 0      | Byte      | Header ID, must be 01                                                  |
+--------+-----------+------------------------------------------------------------------------+
| 1      | Byte      | Platform ID: 0 = 80x86, 1 = PowerPC, 2 = Mac                           |
|        |           | (EF = EFI was added later by the UEFI specification)                   |
+--------+-----------+------------------------------------------------------------------------+
| 2-3    | Word      | Reserved, must be 0                                                    |
+--------+-----------+------------------------------------------------------------------------+
| 4-1B   | Character | ID string (24 bytes), intended to identify the manufacturer/developer  |
|        |           | of the CD-ROM                                                          |
+--------+-----------+------------------------------------------------------------------------+
| 1C-1D  | Integer   | Checksum word: the sum of all 16 little-endian words of this entry,    |
|        |           | carries discarded, must be 0                                           |
+--------+-----------+------------------------------------------------------------------------+
| 1E     | Byte      | Key byte, must be 55. This value is included in the checksum.          |
+--------+-----------+------------------------------------------------------------------------+
| 1F     | Byte      | Key byte, must be AA. This value is included in the checksum.          |
+--------+-----------+------------------------------------------------------------------------+

Practical consequence: whoever edits anything in the Validation Entry (the ID string, for example) must recompute the checksum word, otherwise a BIOS that checks it will refuse to boot the disc; and a checksum that does not add up to 0 is a quick sign that a catalog was hand-edited.

\./\./\./\./\./\./\./
 Initial/Default Entry
/'\/'\/'\/'\/'\/'\/'\

The initial entry must contain a boot image that consists of generic programs/drivers using only the BIOS-provided INT 13 interface. The BIOS INT 13 interface consists of functions 0-19 and may optionally include functions 40-48 (hex). This entry will always be used by a BIOS that does not use any of the provided section headers.

+===========================================================================================+
|                                  Initial/Default Entry                                    |
+========+=======+==========================================================================+
| Offset | Type  | Description                                                              |
+========+=======+==========================================================================+
| 0      | Byte  | Boot Indicator: 88 = bootable, 00 = not bootable                         |
+--------+-------+--------------------------------------------------------------------------+
| 1      | Byte  | Boot media type: the media the boot image is intended to emulate, in     |
|        |       | bits 0-3; bits 4-7 are reserved and must be 0. Bits 0-3 count as follows:|
|        |       |   0    No emulation                                                      |
|        |       |   1    1.2 meg diskette                                                  |
|        |       |   2    1.44 meg diskette                                                 |
|        |       |   3    2.88 meg diskette                                                 |
|        |       |   4    Hard disk (drive 80)                                              |
|        |       |   5-F  Reserved, invalid at this time                                    |
+--------+-------+--------------------------------------------------------------------------+
| 2-3    | Word  | Load Segment for the initial boot image. If 0, the system uses the       |
|        |       | traditional segment 7C0; if non-zero, the specified segment is used.     |
|        |       | This applies to x86 only; for flat-model architectures (such as          |
|        |       | Motorola) this is the address divided by 10.                             |
+--------+-------+--------------------------------------------------------------------------+
| 4      | Byte  | System Type: must be a copy of byte 5 (System Type) from the partition   |
|        |       | table found in the boot image (meaningful for hard disk emulation)       |
+--------+-------+--------------------------------------------------------------------------+
| 5      | Byte  | Unused, must be 0                                                        |
+--------+-------+--------------------------------------------------------------------------+
| 6-7    | Word  | Sector Count: number of virtual/emulated sectors the system stores at    |
|        |       | Load Segment during the initial boot procedure. These are 512-byte       |
|        |       | virtual sectors, not 800h-byte CD sectors: 1 loads 512 bytes, 4 loads a  |
|        |       | whole CD sector.                                                         |
+--------+-------+--------------------------------------------------------------------------+
| 8-0B   | Dword | Load RBA: start address of the virtual disk. CDs use relative/logical    |
|        |       | block addressing, so this is a CD sector number (multiply by 800h for    |
|        |       | the byte offset in an image file).                                       |
+--------+-------+--------------------------------------------------------------------------+
| 0C-1F  | Byte  | Unused, must be 0                                                        |
+--------+-------+--------------------------------------------------------------------------+

\./\./\./\./\./
 Section Header
/'\/'\/'\/'\/'\

If the CD was created for a machine with a BIOS supporting this specification, the Section Header precedes a group of entries from which the BIOS may boot the computer. The section header has an identification string. If the BIOS understands the ID string, it may choose to boot the system using one of these entries in place of the Initial/Default Entry. A good example would be a BIOS that supports multi-language capability: the BIOS manufacturer defines a header string and selection criteria, and when a CD has a section that incorporates the header string and section entries, the BIOS automatically boots the software in the native language of the BIOS.

+=================================================================================+
|                                  Section Header                                 |
+========+===========+============================================================+
| Offset | Type      | Description                                                |
+========+===========+============================================================+
| 0      | Byte      | Header Indicator: 90 = header, more headers follow         |
|        |           |                   91 = final header                        |
+--------+-----------+------------------------------------------------------------+
| 1      | Byte      | Platform ID: 0 = 80x86, 1 = PowerPC, 2 = Mac               |
+--------+-----------+------------------------------------------------------------+
| 2-3    | Word      | Number of section entries following this header            |
+--------+-----------+------------------------------------------------------------+
| 4-1F   | Character | ID string identifying the section. It is checked by the    |
|        |           | BIOS and by boot software; if the string matches, the      |
|        |           | section is scanned for boot images.                        |
+--------+-----------+------------------------------------------------------------+

\./\./\./\./\./
 Section Entry
/'\/'\/'\/'\/'\

Section Entries must follow a Section Header. A Section Entry looks a lot like the Initial/Default Entry, except that the unused bytes contain selection criteria. The format of the selection criteria is a function of the BIOS vendor; the other fields are standardized for compatibility reasons. In the case of a foreign-language BIOS, three bytes would be used to identify the language. If the BIOS does not support languages, the Default entry determines the appropriate language and reinitiates the boot procedure using the proper boot image. If the 13 bytes provided for selection criteria are insufficient, a Section Entry Extension can be added by setting bit 5 of byte 1.

+==============================================================================================+
|                                        Section Entry                                         |
+========+=======+=============================================================================+
| Offset | Type  | Description                                                                 |
+========+=======+=============================================================================+
| 0      | Byte  | Boot Indicator: 88 = bootable, 00 = not bootable                            |
+--------+-------+-----------------------------------------------------------------------------+
| 1      | Byte  | Boot media type: the media the boot image emulates, in bits 0-3, with the   |
|        |       | same codes as the Initial/Default Entry (0 no emulation, 1 1.2 meg, 2 1.44  |
|        |       | meg, 3 2.88 meg, 4 hard disk, 5-F reserved). Bits 6 and 7 are specific to   |
|        |       | the type of system:                                                         |
|        |       |   bit 4  Reserved, must be 0                                                |
|        |       |   bit 5  Continuation entry follows                                         |
|        |       |   bit 6  Image contains an ATAPI driver                                     |
|        |       |   bit 7  Image contains SCSI drivers                                        |
+--------+-------+-----------------------------------------------------------------------------+
| 2-3    | Word  | Load Segment: 0 means the traditional segment 7C0, otherwise the specified  |
|        |       | segment is used (x86 only; for flat-model architectures such as Motorola    |
|        |       | this is the address divided by 10)                                          |
+--------+-------+-----------------------------------------------------------------------------+
| 4      | Byte  | System Type: must be a copy of byte 5 (System Type) from the partition      |
|        |       | table found in the boot image                                               |
+--------+-------+-----------------------------------------------------------------------------+
| 5      | Byte  | Unused, must be 0                                                           |
+--------+-------+-----------------------------------------------------------------------------+
| 6-7    | Word  | Sector Count: number of 512-byte virtual/emulated sectors the system stores |
|        |       | at Load Segment during the initial boot procedure                           |
+--------+-------+-----------------------------------------------------------------------------+
| 8-0B   | Dword | Load RBA: start address of the virtual disk (a CD sector number)            |
+--------+-------+-----------------------------------------------------------------------------+
| 0C     | Byte  | Selection criteria type: defines a vendor-unique format for bytes 0D-1F.    |
|        |       | The following formats have currently been assigned:                         |
|        |       |   0     No selection criteria                                               |
|        |       |   1     Language and Version Information (IBM)                              |
|        |       |   2-FF  Reserved                                                            |
+--------+-------+-----------------------------------------------------------------------------+
| 0D-1F  | Byte  | Vendor-unique selection criteria                                            |
+--------+-------+-----------------------------------------------------------------------------+

\./\./\./\./\./\./\./\./
 Section Entry Extension
/'\/'\/'\/'\/'\/'\/'\/'\

A Section Entry Extension must follow a Section Entry. The Extension defines additional selection criteria: when the 13 bytes provided by the Section Entry are insufficient to represent the selection criteria, a Section Entry Extension immediately follows the Section Entry. Several Section Entry Extensions may be chained by setting bit 5 of byte 1 in as many Extensions as necessary; the final Extension has bit 5 clear (0) to indicate that no more Extensions follow.

+===============================================================================+
|                            Section Entry Extension                            |
+========+=======+==============================================================+
| Offset | Type  | Description                                                  |
+========+=======+==============================================================+
| 0      | Byte  | Extension Indicator, must be 44                              |
+--------+-------+--------------------------------------------------------------+
| 1      | Byte  | Bits 1-4: unused                                             |
|        |       | Bit 5:    1 = another Extension record follows,              |
|        |       |           0 = this is the final Extension                    |
|        |       | Bits 6-7: unused                                             |
+--------+-------+--------------------------------------------------------------+
| 2-1F   | Byte  | Vendor-unique selection criteria                             |
+--------+-------+--------------------------------------------------------------+

,........................................,
.'                                        '.
:  COMMENTED EXAMPLE OF A BOOTABLE CD      :    /
:                                        ,'   /
_........................................'   /.'
+--------+-------------------------------------------------+------------------+
| OFFSET | 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F |    ASCII VIEW    |
+--------+-------------------------------------------------+------------------+
|00000000| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ |
|00000010| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ |
   . . .    . . .                                             . . .
|00008000| 01 43 44 30 30 31 01 00 20 20 20 20 20 20 20 20 | .CD001.......... |
|00008010| 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 | ................ |
|00008020| 20 20 20 20 20 20 20 20 57 49 4E 39 38 20 53 45 | ........WIN98 SE |
|00008030| 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 | ................ |
|00008040| 20 20 20 20 20 20 20 20 00 00 00 00 00 00 00 00 | ................ |
|00008050| 1F E6 04 00 00 04 E6 1F 00 00 00 00 00 00 00 00 | ................ |
|00008060| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ |
|00008070| 00 00 00 00 00 00 00 00 01 00 00 01 01 00 00 01 | ................ |
|00008080| 00 08 08 00 6A 12 00 00 00 00 12 6A ED 02 00 00 | ................ |
|00008090| 00 00 00 00 00 00 02 F0 00 00 00 00 22 00 57 04 | ................ |
|000080A0| 00 00 00 00 04 57 BE 01 00 00 00 00 01 BE 63 05 | ................ |
|000080B0| 05 16 16 00 00 02 00 00 01 00 00 01 01 00 57 49 | ..............WI |
|000080C0| 4E 39 38 20 53 45 20 20 20 20 20 20 20 20 20 20 | N98 SE           |
   . . .    . . .                                             . . .

- at offset 8000h (10h * 800h) begins the Primary Volume Descriptor (sector 10h)
- at offset 8000h is the Volume Descriptor Type: 1
- at offset 8001h is the Standard Identifier: "CD001"
- at offset 8028h is the Volume Identifier: "WIN98 SE"
- at offset 8050h is the Volume Space Size (number of logical blocks): 1F E6 04 00 00 04 E6 1F, i.e. 4E61Fh blocks. TAKE CARE: this is not two different dwords but one dword stored twice, first little-endian (1F E6 04 00) and then big-endian (00 04 E6 1F); ISO 9660 calls this "both-byte order". On x86 read the first copy, and use the second one to check that nobody edited only one of them.
- at offset 8078h is the Volume Set Size: 01 00 00 01, i.e. 1 (a word stored twice the same way)
- at offset 807Ch is the Volume Sequence Number: 01 00 00 01, i.e. 1
- at offset 8080h is the Logical Block Size: 00 08 08 00, i.e. 800h (2048) bytes. TAKE CARE again: this is a word stored twice (00 08 little-endian, then 08 00 big-endian), not two dwords.
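An added example, not code from the article: a small Python decoder for the Primary Volume Descriptor fields listed above. It rebuilds the PVD bytes from the WIN98 SE dump as a constructed sample (only the fields shown, the rest zero), decodes every both-byte-order field while checking that the little-endian and big-endian copies agree, and compares the volume space the PVD claims with the real length of an image, which is the first thing to look at when an .ISO has been edited. Function and field names (`parse_pvd`, `check_volume_size`, `inspect_image`) are mine, not the specification's.

```python
CD_SECTOR = 0x800                  # a CD sector is 800h bytes
PVD_OFFSET = 0x10 * CD_SECTOR      # the Primary Volume Descriptor sits at sector 10h


def both_byte_order(buf: bytes, off: int, width: int) -> int:
    """Decode an ISO 9660 'both-byte order' field.

    The value is stored twice: a little-endian copy at `off`, followed by a
    big-endian copy of the same width.  The two copies must agree; if they do
    not, the field was patched by hand (or the offset is wrong).
    """
    le = int.from_bytes(buf[off:off + width], "little")
    be = int.from_bytes(buf[off + width:off + 2 * width], "big")
    if le != be:
        raise ValueError(f"both-byte-order field at {off:#x} disagrees: {le:#x} (LE) vs {be:#x} (BE)")
    return le


def parse_pvd(pvd: bytes) -> dict:
    """Parse the PVD fields that matter for boot work; offsets as in the table above."""
    if pvd[0] != 1 or pvd[1:6] != b"CD001" or pvd[6] != 1:
        raise ValueError("not an ISO 9660 Primary Volume Descriptor")
    return {
        "system_id": pvd[0x08:0x28].decode("ascii", "replace").strip(),
        "volume_id": pvd[0x28:0x48].decode("ascii", "replace").strip(),
        "volume_space_size": both_byte_order(pvd, 0x50, 4),   # dword stored twice
        "volume_set_size": both_byte_order(pvd, 0x78, 2),     # word stored twice
        "volume_sequence_number": both_byte_order(pvd, 0x7C, 2),
        "logical_block_size": both_byte_order(pvd, 0x80, 2),  # usually 800h, but read it
    }


def check_volume_size(image_len: int, info: dict) -> dict:
    """Compare the size the PVD claims with the size of the image file.

    A file shorter than volume_space_size * logical_block_size is truncated or
    has an edited PVD; a longer file is normal (burning tools pad images).
    """
    claimed = info["volume_space_size"] * info["logical_block_size"]
    return {"claimed_bytes": claimed, "actual_bytes": image_len,
            "truncated": image_len < claimed}


def inspect_image(image: bytes) -> dict:
    """Locate and decode the PVD of a whole image held in memory."""
    info = parse_pvd(image[PVD_OFFSET:PVD_OFFSET + CD_SECTOR])
    info["size_check"] = check_volume_size(len(image), info)
    return info


def page_pvd() -> bytes:
    """Constructed sample: the PVD fields from the WIN98 SE dump, zero everywhere else."""
    pvd = bytearray(CD_SECTOR)
    pvd[0:7] = b"\x01CD001\x01"
    pvd[0x08:0x48] = b" " * 0x40                           # system id (blank) + volume id
    pvd[0x28:0x30] = b"WIN98 SE"
    pvd[0x50:0x58] = bytes.fromhex("1FE60400 0004E61F")    # volume space size, LE then BE
    pvd[0x78:0x80] = bytes.fromhex("01000001 01000001")    # volume set size, sequence number
    pvd[0x80:0x84] = bytes.fromhex("00080800")             # logical block size 800h, LE then BE
    return bytes(pvd)


if __name__ == "__main__":
    info = parse_pvd(page_pvd())
    for key, value in info.items():
        print(f"{key:24} {value:#x}" if isinstance(value, int) else f"{key:24} {value!r}")
    print(check_volume_size(0x4E61F * 0x800, info))
```

Run it as a script to print the decoded fields of the dump; `inspect_image(open(path, "rb").read())` does the same for a real .ISO, and `both_byte_order` raising is exactly the "2 words inversed" confusion caught by code instead of by eye.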
So when the table says the Logical Block Size is at offset 80h-83h and you read 00 08 08 00, nothing is wrong and nothing is "inversed": the first word (00 08, little-endian = 0800h) is the one an x86 program uses, and the second word (08 00) is the same value in big-endian for other processors. Take the first one, but check that the two agree.

   . . .    . . .                                             . . .
|00008800| 00 43 44 30 30 31 01 45 4C 20 54 4F 52 49 54 4F | .CD001.EL TORITO |
|00008810| 20 53 50 45 43 49 46 49 43 41 54 49 4F 4E 00 00 |  SPECIFICATION.. |
|00008820| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ |
|00008830| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ |
|00008840| 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 00 | ................ |
   . . .    . . .                                             . . .

- at offset 8800h (11h * 800h) begins the Boot Record Volume Descriptor (sector 11h)
- at offset 8800h is the Boot Record Indicator: 0
- at offset 8801h is the ISO 9660 Identifier: "CD001"
- at offset 8807h is the Boot System Identifier: "EL TORITO SPECIFICATION"
- at offset 8847h is the pointer to the first sector of the Boot Catalog: the little-endian dword 14 00 00 00 = 00000014h, so the boot catalog begins at offset A000h (14h * 800h)

   . . .    . . .                                             . . .
|0000A000| 01 00 00 00 4D 69 63 72 6F 73 6F 66 74 20 43 6F | ....Microsoft Co |
|0000A010| 72 70 6F 72 61 74 69 6F 6E 00 00 00 4C 49 55 AA | rporation...LIU. |
|0000A020| 88 02 00 00 00 00 01 00 15 00 00 00 00 00 00 00 | ................ |
|0000A030| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ |
|0000A040| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ |
   . . .    . . .                                             . . .
- at offset A000h begins the boot catalog with the Validation Entry (20h bytes long):
  - at offset A000h is the Header ID: 01h
  - at offset A001h is the Platform ID: 00h, which means the 80x86 platform
  - at offset A004h is the manufacturer of the CD-ROM: "Microsoft Corporation"
  - at offset A01Ch is the Checksum Word: 4C 49 (494Ch). The 16 little-endian words of the entry add up to 50000h, which is 0 modulo 10000h, so the entry is valid.
  - at offset A01Eh are the key bytes 55h AAh
- at offset A020h begins the Initial/Default Entry (20h bytes long):
  - at offset A020h is the Boot Indicator: 88h, so it is bootable
  - at offset A021h is the Boot Media Type: 02h, 1.44 meg diskette emulation
  - at offset A022h is the Load Segment: 0000h, so the default 7C0h is used
  - at offset A024h is the System Type: 00h (only meaningful for hard disk emulation)
  - at offset A026h is the Sector Count: 0001h, i.e. one 512-byte virtual sector will be loaded at 7C0:0000 during the initial boot procedure
  - at offset A028h is the Load RBA, the start address of the virtual disk (CDs use relative/logical block addressing): sector number 15h

So go to offset A800h (15h * 800h) to find the boot sector of the emulated 1.44 meg diskette (a floppy image starts with a boot sector carrying a BPB, not with an MBR and a partition table):

   . . .    . . .                                             . . .
|0000A800| EB 3C 90 29 3D 74 42 3B 49 48 43 00 02 01 01 00 | ................ |
|0000A810| 02 E0 00 40 0B F0 09 00 12 00 02 00 00 00 00 00 | ................ |
|0000A820| 00 00 00 00 00 00 29 D9 1B 33 07 46 52 4E 49 4D | ...........FRNIM |
|0000A830| 41 47 45 20 20 20 46 41 54 31 32 20 20 20 33 C9 | AGE   FAT12   .. |
   . . .    . . .                                             . . .

This is an ordinary DOS floppy boot sector: EB 3C 90 is the jump over the BPB, 00 02 at offset 0Bh is 512 bytes per sector, 40 0B at offset 13h is 0B40h = 2880 sectors (2880 * 512 = 1.44 meg), F0 at offset 15h is the media descriptor of a 1.44 meg floppy, 12 00 at offset 18h is 18 sectors per track, and "FRNIMAGE   " and "FAT12   " are the volume label and file system type. The boot code starts at offset 3Eh (33 C9 = xor cx,cx). The emulated floppy occupies the CD sectors from 15h onwards, 4 CD sectors per 2048 bytes of floppy.

,..............................................,
.'                                              '.
:  METHODS OF INFECTION OF THE BOOT OF A CDROM  :    /
:                                              ,'   /
_..............................................'   /.'

To my mind there are two ways to infect the boot image of a CDROM inside a .ISO file (the image of a CDROM).

===--------------===
==- FIRST METHOD -==
===--------------===

If the CDROM is already bootable you can infect its boot image directly. That image can be the virtual boot sector of a floppy, the virtual MBR of a hard drive, or just code loaded by the BIOS (no emulation). It is possible to have multiple boot images, but it is not common.
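Finding the Boot Record, the catalog and the boot image, and telling what kind of image it is, is the same walk whether you want to infect a disc or to check one for tampering. As an added example (my code, not the author's), here is that walk in Python from the analyst's side: it validates the Boot Record Volume Descriptor at sector 11h, verifies the Validation Entry checksum, decodes the Initial/Default Entry, and sanity-checks the first 512 bytes of the boot image against the declared emulation type. The sample image is constructed from the catalog and boot-sector bytes of the WIN98 SE dump above (the rest of the boot sector is zero-filled, with a constructed 55 AA signature). It assumes a logical block size of 800h and a single session, and only follows the Initial/Default Entry, not section headers; all function names are mine.

```python
import struct

CD_SECTOR = 0x800                      # a CD sector is 800h bytes
BOOT_RECORD_LBA = 0x11                 # El Torito: Boot Record Volume Descriptor at sector 11h
MEDIA_TYPES = {0: "no emulation", 1: "1.2M floppy", 2: "1.44M floppy",
               3: "2.88M floppy", 4: "hard disk"}
FLOPPY_SECTORS = {"1.2M floppy": 2400, "1.44M floppy": 2880, "2.88M floppy": 5760}


def read_sector(image: bytes, lba: int) -> bytes:
    off = lba * CD_SECTOR
    if off + CD_SECTOR > len(image):
        raise ValueError(f"sector {lba:#x} is past the end of the image")
    return image[off:off + CD_SECTOR]


def find_boot_catalog(image: bytes) -> int:
    """Step 1: validate the Boot Record Volume Descriptor and return the catalog sector."""
    brvd = read_sector(image, BOOT_RECORD_LBA)
    if brvd[0] != 0 or brvd[1:6] != b"CD001" or brvd[6] != 1:
        raise ValueError("sector 11h is not a Boot Record Volume Descriptor (image not bootable)")
    if brvd[7:0x27].rstrip(b"\0") != b"EL TORITO SPECIFICATION":
        raise ValueError("boot system identifier is not EL TORITO SPECIFICATION")
    return struct.unpack_from("<I", brvd, 0x47)[0]


def check_validation_entry(entry: bytes) -> str:
    """Step 2: check the 20h-byte Validation Entry; return the manufacturer ID string."""
    if len(entry) != 0x20 or entry[0] != 0x01 or entry[0x1E:0x20] != b"\x55\xAA":
        raise ValueError("bad Validation Entry header ID or key bytes")
    if entry[1] not in (0, 1, 2, 0xEF):          # 80x86, PowerPC, Mac; EFh = EFI (added by UEFI)
        raise ValueError(f"unknown platform ID {entry[1]:#x}")
    if sum(struct.unpack("<16H", entry)) & 0xFFFF:   # all 16 words, carries discarded, must be 0
        raise ValueError("Validation Entry checksum is not zero: catalog edited or corrupt")
    return entry[4:0x1C].rstrip(b"\0").decode("ascii", "replace")


def parse_initial_entry(entry: bytes) -> dict:
    """Step 3a: decode the Initial/Default Entry that follows the Validation Entry."""
    boot, media, seg, systype, _unused, count, rba = struct.unpack_from("<BBHBBHI", entry, 0)
    return {
        "bootable": boot == 0x88,
        "media": MEDIA_TYPES.get(media & 0x0F, f"reserved {media & 0x0F:#x}"),
        "load_segment": seg or 0x7C0,     # 0 means the traditional 7C0h
        "system_type": systype,
        "sector_count": count,            # 512-byte virtual sectors loaded at boot
        "load_rba": rba,                  # start of the image, in 800h-byte CD sectors
    }


def identify_boot_image(first_sector: bytes, media: str) -> dict:
    """Step 3b: sanity-check the first 512 bytes of the image against the media type."""
    info = {"jump_opcode": first_sector[0],
            "has_55aa": first_sector[0x1FE:0x200] == b"\x55\xAA"}
    if media in FLOPPY_SECTORS:           # floppy: a boot sector with a BPB, no partition table
        bps = struct.unpack_from("<H", first_sector, 0x0B)[0]
        total = struct.unpack_from("<H", first_sector, 0x13)[0]
        info.update(bytes_per_sector=bps, total_sectors=total,
                    media_descriptor=first_sector[0x15],
                    fs_type=first_sector[0x36:0x3E].decode("ascii", "replace").strip(),
                    bpb_matches_media=(bps == 512 and total == FLOPPY_SECTORS[media]))
    elif media == "hard disk":            # hard disk: an MBR; catalog byte 4 mirrors this type byte
        info["partition_type"] = first_sector[0x1BE + 4]
    return info


def walk_boot_chain(image: bytes) -> dict:
    """Follow Boot Record -> Boot Catalog -> Initial Entry -> boot image, as the BIOS does."""
    cat_lba = find_boot_catalog(image)
    catalog = read_sector(image, cat_lba)
    manufacturer = check_validation_entry(catalog[0x00:0x20])
    initial = parse_initial_entry(catalog[0x20:0x40])
    first_sector = read_sector(image, initial["load_rba"])[:0x200]
    return {"catalog_lba": cat_lba, "manufacturer": manufacturer, "initial": initial,
            "image": identify_boot_image(first_sector, initial["media"])}


# --- constructed sample: the catalog and boot-sector bytes of the WIN98 SE dump -------------
VALIDATION = b"\x01\x00\x00\x00" + b"Microsoft Corporation".ljust(0x18, b"\0") + b"\x4C\x49\x55\xAA"
INITIAL = bytes.fromhex("88 02 00 00 00 00 01 00 15 00 00 00 ") + bytes(0x14)
FLOPPY_HEAD = bytes.fromhex(
    "EB 3C 90 29 3D 74 42 3B 49 48 43 00 02 01 01 00 "
    "02 E0 00 40 0B F0 09 00 12 00 02 00 00 00 00 00 "
    "00 00 00 00 00 00 29 D9 1B 33 07 46 52 4E 49 4D "
    "41 47 45 20 20 20 46 41 54 31 32 20 20 20 33 C9 ")


def build_sample_image() -> bytes:
    """A 16h-sector image laid out like the dump: BRVD at 11h, catalog at 14h, image at 15h."""
    sectors = [bytearray(CD_SECTOR) for _ in range(0x16)]
    sectors[0x10][0:7] = b"\x01CD001\x01"                  # minimal PVD, not parsed here
    brvd = sectors[0x11]
    brvd[0:7] = b"\x00CD001\x01"
    brvd[7:7 + 23] = b"EL TORITO SPECIFICATION"
    struct.pack_into("<I", brvd, 0x47, 0x14)
    sectors[0x14][0x00:0x20] = VALIDATION
    sectors[0x14][0x20:0x40] = INITIAL
    sectors[0x15][:len(FLOPPY_HEAD)] = FLOPPY_HEAD         # rest of the boot sector left zero ...
    sectors[0x15][0x1FE:0x200] = b"\x55\xAA"               # ... except the signature (constructed)
    return b"".join(sectors)


if __name__ == "__main__":
    import pprint
    pprint.pprint(walk_boot_chain(build_sample_image()))
```

On a real .ISO, `walk_boot_chain(open(path, "rb").read())` either returns the same dictionary or raises with the reason the chain is broken; a catalog whose ID string was changed without recomputing the checksum, or a "1.44M floppy" entry whose image does not carry a 2880-sector BPB, both stop at the relevant step.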
- Find the Boot Record Volume Descriptor (sector 11h)
- Find the Booting catalog (the pointer at offset 47h of the Boot Record)
- Find and identify the boot image (floppy / hard drive / no emulation, from the Initial/Default Entry)
- Use the normal technique of old boot infection on that image (and keep the Validation Entry checksum correct if you touch the catalog)

===---------------===
==- SECOND METHOD -==
===---------------===

If the CDROM is not bootable (most of the time):

- Check the file size to know if you can add the 2 sectors needed for the Booting catalog and the boot image
- Create the Boot Record Volume Descriptor at sector 11h. In a non-bootable image that sector normally holds the Volume Descriptor Set Terminator (type FFh) or a Joliet Supplementary Volume Descriptor, and the descriptor set must still end with a terminator, so the descriptors from 11h onwards have to move up one sector; this only works if the sector after the terminator is free.
- Create a new sector that will contain the Booting catalog (a valid Validation Entry with a correct checksum, then the Initial/Default Entry)
- Create a new sector that will contain the boot image (emulation or not)
- Modify the values in the Primary Volume Descriptor, such as the "Number of logical blocks" (both copies of the both-byte-order field)

===---------------===
==- IN ALL CASES  -==
===---------------===

In all cases the code you put in the boot sector of the infected CDROM must pass control to the boot code of the hard drive, the way a boot manager chains to the MBR of the first hard drive, so that the PC boots in a clean and unsuspicious way.

,................,
.'                '.
:   CONCLUSION    :    /
:                ,'   /
_................'   /.'

I hope that I've opened your eyes, and that you realize that BOOT/MBR infectors can survive, and that they should be combined with PE infectors. Of course it should be encrypted and polymorphic, but that's another story ;-)

see you soon,
LiTlLe VxW
December 2004

\./\./\./\./
 THANKS TO
/'\/'\/'\/'\

Lord Julus            I've learned a lot from you, with the wonderful VXtazy zine and your (dead) mailing list... is the TKT zine ready?
Ultras                I love your tutorials: after PRC, INF and HLP infection, have you never thought of infecting .AVI files??? ;-)
IKX members           WAKE UP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Zombie                I've read everything you've done about vx.
SeCoNd PaRt To HeLl   You always have good ideas about vx. It's nice that you have learned asm, isn't it?
Dark Angel            Are you still alive?