Clark F. Morris, Jr. 2005-01-19, 3:55 am
| Joe Zitzelberger wrote:
> It seems that all of the elements of a decent virus for MVS are included
> with the operating system.
>
> Consider the simple "head patch" approach, where a CSECT is linked in
> and marked as the main, or default CSECT to execute. That can be done
> using the linker/binder with a few simple commands. If the virus is
> smart enough, it can look at the original default CSECT and save that at
> a well known offset in its infecting CSECT.
>
> Our original module might look like this:
>
> Name XMPL0001
> RSECT DFHEI1 main
> CSECT SOMECODE
> CSECT SOMEMORE
> CSECT EVENMORE
>
> The virus would need to inspect this module to determine that DFHEI1
> was the default CSECT -- then it would have to insert a call to that
> section in its own malsect. Then it simply invokes the linker to
> include itself.
>
> The infected section looks like:
>
> Name XMPL0001
> RSECT DFHEI1
> CSECT SOMECODE
> CSECT SOMEMORE
> CSECT EVENMORE
> CSECT malware main
>
> Nothing that a few hours with the IDENTIFY macro and the manual for the
> linker (SMS utilities I think) can't accomplish.
The access is trickier than you might think. If the site is serious
about security, the library would be protected and you would not be
allowed to change or add a load module in any authorized library.
Outsiders, including non-IT people, would probably be barred from updating
any executable or source library. Of course, any system is vulnerable to
authorized people. IT people would normally be restricted to test
libraries and have to go through normal change control to affect normal
production libraries, let alone libraries that contain modules that are
authorized to use special system services.
>
> So the question becomes how do you get access to the load modules. I
> think the easiest approach would be to just look at the current STEPLIB.
> It seems a reasonable assumption that if you can read from it, you can
> write to it.
Highly unlikely on any properly protected z/OS, z/VM (don't know about
z/TPF or z/VSE), Unisys system, or protectable Unix system of choice or
affliction. I am treating STEPLIB here as any executable in a path
accessible to the user, even though the original statement was for the IBM
mainframe. Many systems differentiate between execute access and read
access, where you can have the former without the latter. Some systems
also differentiate between create and update.
>
> Iterate through each member and apply the process above.
>
> A little knowledge of RACF and ACF2 would go a long way toward making it
> a better virus. When the virus code was executed, it could inspect the
> rules for update access to loadlibs -- then select PDSs that qualify
> using the ICF facility.
>
> This would be a fun one to write, but I doubt I'll ever try...
>
> In article <cs67ue02qo5@news2.newsguy.com>,
> mwojcik@newsguy.com (Michael Wojcik) wrote:
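The head patch Joe describes leaves two traces in the finished module: a section the change-controlled baseline never contained, and an entry point that now sits in it. What follows is an added example, not code from either poster or from any IBM tool: a Python integrity check that compares a module map against its baseline and flags exactly that pattern. The map notation (Name / RSECT / CSECT lines, with "main" marking the entry section) is the notation used in the thread, treated here as a constructed input format; a real check would be fed from binder or AMBLIST listings instead. The assumption that an unmarked map enters at its first section is labelled in the code.

```python
"""
Integrity check for the load-module "head patch" discussed in the thread:
a new section is linked in and made the entry point, and the original
entry section is called from it.

Added example, not code from the original posts.  The map notation is
the thread's own (Name / RSECT / CSECT, "main" marks the entry section),
used here as a constructed stand-in for a binder or AMBLIST listing.
"""
from dataclasses import dataclass


@dataclass
class ModuleMap:
    name: str
    sections: list   # (kind, csect) pairs in link order
    entry: str       # section that receives control when the module is loaded


def parse_map(text: str) -> ModuleMap:
    """Parse one module map written in the thread's notation."""
    name, sections, entry = None, [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        kind = parts[0].upper()
        if kind == "NAME":
            name = parts[1]
        elif kind in ("CSECT", "RSECT"):
            csect = parts[1]
            sections.append((kind, csect))
            if len(parts) > 2 and parts[2].lower() == "main":
                if entry is not None:
                    raise ValueError("more than one section marked main")
                entry = csect
        else:
            raise ValueError(f"unrecognised map line: {raw!r}")
    if name is None or not sections:
        raise ValueError("map needs a Name line and at least one section")
    if entry is None:
        # Assumption for this example: with no section marked, control
        # enters the first section (the binder's default with no ENTRY).
        entry = sections[0][1]
    return ModuleMap(name, sections, entry)


def head_patch_findings(baseline: ModuleMap, current: ModuleMap) -> list:
    """Compare a module against its baseline; empty list means identical."""
    findings = []
    if current.name != baseline.name:
        findings.append(f"module name changed: {baseline.name} -> {current.name}")
    base_kind = {c: k for k, c in baseline.sections}
    cur_kind = {c: k for k, c in current.sections}
    added = [c for _, c in current.sections if c not in base_kind]
    removed = [c for _, c in baseline.sections if c not in cur_kind]
    if added:
        findings.append("section(s) linked in that are not in baseline: " + ", ".join(added))
    if removed:
        findings.append("section(s) missing from baseline: " + ", ".join(removed))
    for csect, kind in base_kind.items():
        if csect in cur_kind and cur_kind[csect] != kind:
            findings.append(f"{csect} changed from {kind} to {cur_kind[csect]}")
    if current.entry != baseline.entry:
        findings.append(f"entry point moved from {baseline.entry} to {current.entry}")
        if current.entry in added:
            # The head-patch signature: control now enters a section the
            # baseline never had, which in turn calls the old entry section.
            findings.append(f"entry point is in newly linked section {current.entry}: head patch")
    return findings


def is_head_patched(baseline: ModuleMap, current: ModuleMap) -> bool:
    """True when the entry point now lies in a section absent from the baseline."""
    base_names = {c for _, c in baseline.sections}
    return current.entry != baseline.entry and current.entry not in base_names


# Constructed sample maps, taken from the two layouts in the thread.
BASELINE_MAP = """\
Name XMPL0001
RSECT DFHEI1 main
CSECT SOMECODE
CSECT SOMEMORE
CSECT EVENMORE
"""

INFECTED_MAP = """\
Name XMPL0001
RSECT DFHEI1
CSECT SOMECODE
CSECT SOMEMORE
CSECT EVENMORE
CSECT malware main
"""

if __name__ == "__main__":
    base = parse_map(BASELINE_MAP)
    for label, text in (("clean", BASELINE_MAP), ("infected", INFECTED_MAP)):
        cur = parse_map(text)
        print(label, "head-patched" if is_head_patched(base, cur) else "ok")
        for finding in head_patch_findings(base, cur):
            print("  -", finding)
```

Run stand-alone it reports the clean layout as unchanged and the infected one with three findings. The property worth keeping is that the check never needs to recognise the malicious section by name: any section that appears after the baseline and becomes the entry point trips `is_head_patched`, which is the same reason the baseline itself has to live somewhere the change-control process, not the STEPLIB, controls.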