Tech Off Thread

14 posts


Question Regarding Windows & DOS Environment.

  • Shark_M

    Hello guys,
    A few hours ago I was talking to a friend of mine about the Windows environment. Namely, we were talking about security and how it's possible to load a DOS program and let it load before Windows has even loaded. Such a DOS program would then circumvent any security programs (firewalls, virus scanners) and would just monitor how Windows is interacting with the hardware.

    He says to me that some crackers somewhere in Asia have already done something like that, and no antivirus program you run or firewall will even detect these things.

    Is there any truth to this? Is it technically possible for another program to be running under a DOS environment that would bypass firewalls running inside Windows in the background?

    If it exists, how do you know if you're infected?

  • koorb

    Not sure about the whole DOS and XP relationship, but I do know that there are such things as boot viruses, where a virus is placed on the boot sector of a drive and through this infects the computer every time it boots from the infected disk. I also know that antiviruses will scan boot sectors for these little nasties, so as long as you have a good antivirus there is no need to worry.
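
    The kind of boot-sector check koorb refers to, as an added example that is not part of this thread or any poster's code: it parses a 512-byte MBR image, validates the 0x55AA signature and the partition table, and compares a hash of the boot-code area against a known-good baseline. The sample MBR bytes, the baseline hash and the modified copy are all constructed here for the demonstration; on a real machine the input would be the first 512 bytes of the disk, read with the appropriate privileges.

```python
# Added example (not from the thread): parse an MBR image offline and flag
# deviations from a known-good baseline, the kind of check a boot-sector
# scanner performs. All sample data below is constructed for the demo.
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot code, disk ID and padding
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + ENTRY_SIZE])
        if ptype == 0:  # empty slot
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()
    if digest != baseline_sha256:
        findings.append("boot code differs from baseline")
    parts = parse_partition_table(mbr)
    if sum(1 for p in parts if p["bootable"]) != 1:
        findings.append("expected exactly one bootable partition")
    # Partition entries must not overlap; overlapping or hidden regions are
    # worth investigating.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("overlapping partition entries")
            break
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a minimal one-partition MBR image (demo data, not a real disk)."""
    body = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    # status=0x80 (bootable), CHS fields zeroed, type 0x07 (NTFS), LBA 63,
    # 1,000,000 sectors (about 488 MiB)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 63, 1_000_000)
    return body + entry + b"\x00" * (3 * ENTRY_SIZE) + BOOT_SIGNATURE


# Known-good image and its baseline hash (constructed).
GOOD_MBR = build_sample_mbr(b"\xEB\xFE")  # "jmp $": a harmless placeholder loader
BASELINE = hashlib.sha256(GOOD_MBR[:BOOT_CODE_SIZE]).hexdigest()
# A copy whose boot-code area has been altered, standing in for a modified sector.
MODIFIED_MBR = bytes([0x90, 0x90]) + GOOD_MBR[2:]

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR, BASELINE))          # []
    print("modified:", check_mbr(MODIFIED_MBR, BASELINE))  # ['boot code differs from baseline']
```

    The baseline hash is the important part: a scanner with signatures only catches known boot-sector code, whereas comparing the boot-code area against the hash recorded when the system was known to be clean catches any change, known or not.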

  • Shark_M

    koorb wrote:
    Not sure about the whole DOS and XP relationship, but I do know that there are such things as boot viruses, where a virus is placed on the boot sector of a drive and through this infects the computer every time it boots from the infected disk. I also know that antiviruses will scan boot sectors for these little nasties, so as long as you have a good antivirus there is no need to worry.


    I know about these, but this assumes that there are antivirus definitions for newly emerging viruses like that.

    I am talking about specialized tools that antiviruses would not consider a virus. I guess what I want to be sure of is: if Windows is running on a given PC, does that exclude other programs outside of Windows from running at the same time? Programs that monitor hardware, like keystrokes and network cards etc., and how to check for these?

  • megame

    There is no way that a DOS program can do anything like that in NT-based (2000, XP, 2K3) Windows, since the DOS environment is emulated and DOS apps cannot start before Windows.

    He might be talking about rootkits or viruses using virtualization technology. These are not DOS based. See www.sysinternals.com for rootkits. Viruses using virtualization technology are still in the theoretical phase, since they are very complicated to write.

  • Matthew van Eerde

    In principle a virus could write itself into boot.ini as the OS, then turn around and call the "real" OS after doing certain nasty things, sure.

    The viruses I worry about though are the ones that trade the user something they want in exchange for something the user doesn't care about as much as they should. Comet Cursor, for example (if I may go so far as to call that a "virus"), or those programs that put smiley faces in your email client.

  • cheong

    I can think of one example that'll affect the system's "view" of disk geometry: the Seagate On-track disk loader that has been used to bypass some BIOS limits.

    While I haven't seen a boot-sector virus nowadays that can block the virus scanners yet, I think it's possible.

  • littleguru

    It is possible, but I haven't seen them so far. Boot sector viruses were a lot more popular during the old DOS ages. I don't know how difficult it is to disable an antivirus from there. I think it is quite a lot of work. You need to scan the disk somehow, get the FAT, get the files, override the disk blocks allocated by the antivirus... The blocks could be encrypted... Sounds like a lot of work.

  • cheong

    littleguru wrote:
    It is possible, but I haven't seen them so far. Boot sector viruses were a lot more popular during the old DOS ages. I don't know how difficult it is to disable an antivirus from there. I think it is quite a lot of work. You need to scan the disk somehow, get the FAT, get the files, override the disk blocks allocated by the antivirus... The blocks could be encrypted... Sounds like a lot of work.


    Yes. Things were relatively easy in the age of DOS... in the "if you conquer BIOS interrupts, you overrule everything" age.

    But now, since the OS talks to the hardware directly through its own supplied drivers, and "direct disk access" is no longer possible because most of us don't know the exact structure of NTFS, I believe hiding virus code as an essential driver service that will be loaded on system startup will be far more effective.

  • Sven Groot

    I remember a lot of old DOS virus scanners had special boot sector protectors that would load into the MBR.

    I've got a huge case of old 3.5" disks with all kinds of stuff on them, from old BASIC programs I've written to Stunts tracks. I'm willing to bet 50% of them have a boot sector virus. The other 50% probably don't work anymore. Smiley

  • littleguru

    Sven Groot wrote:
    ...Stunts tracks...


    Nice. I did also quite a few of them Big Smile

  • ZippyV

    littleguru wrote:
    Sven Groot wrote: ...Stunts tracks...

    Nice. I did also quite a few of them


    Mmmm, Stunts. Now that's a game that should be remade in .NET.

  • Sven Groot

    Trackmania Nations comes close to being a Stunts remake, plus you can play it online and it's free. Smiley

  • Shark_M

    Matthew van Eerde wrote:
    In principle a virus could write itself into boot.ini as the OS, then turn around and call the "real" OS after doing certain nasty things, sure.

    The viruses I worry about though are the ones that trade the user something they want in exchange for something the user doesn't care about as much as they should. Comet Cursor, for example (if I may go so far as to call that a "virus"), or those programs that put smiley faces in your email client.


    So how to protect against it? Why would Windows not prevent any other program from running alongside it, since it is supposed to be the OS? And how to "see" if another virus-like tool is running somewhere outside the Windows environment concurrently with Windows? I.e., exclusive control of everything by Windows.

    Did MS make Vista prevent other DOS-like programs from loading into memory as Vista loads? Are there checks for these things?

    If the virus is running within the Windows environment then that can be dealt with, but if it's outside, how do you even detect it?

    I use Kaspersky Anti-Virus as my antivirus solution; it's never let me down and I trust it. But after that talk with my friend, I began to be a little worried about external threats running outside the Windows OS.

  • Sven Groot

    A virus can never run concurrently with Windows like that. What Matthew was talking about is a virus that launches through boot.ini, does its stuff, exits, and then loads Windows.

    As soon as Windows starts it gets exclusive control of the CPU. Anything that is not running in Windows, and so doesn't get CPU time allotted by the Windows scheduler, will never run. Windows will also trap all interrupts afaik. So a virus could never work like that.
