Page 1458 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

during the boot process. Because the MBR is extremely small (usually 512 bytes), it can’t contain all the code required to implement the virus’s propagation and destructive functions. To bypass this space limitation, MBR viruses store the majority of their code on another portion of the storage media. When the system reads the infected MBR, the virus instructs it to read and execute the code stored in this alternate location, thereby loading the entire virus into memory and potentially triggering the delivery of the virus’s payload.




The Boot Sector and the Master Boot Record

You’ll often see the terms boot sector and master boot record used interchangeably to describe the portion of a storage device used to load the operating system and the types of viruses that attack that process. This is not technically correct. The MBR is a single disk sector, normally the first sector of the media that is read in the initial stages of the boot process. The MBR determines which media partition contains the operating system and then directs the system to read that partition’s boot sector to load the operating system.

Viruses can attack both the MBR and the boot sector, with substantially similar results. MBR viruses act by redirecting the system to an infected boot sector, which loads the virus into memory before loading the operating system from the legitimate boot sector. Boot sector viruses actually infect the legitimate boot sector and are loaded into memory during the operating system load process.



Most MBR viruses are spread between systems through the use of infected media inadvertently shared between users. If the infected media is in the drive during the boot process, the target system reads the infected MBR, and the virus loads into memory, infects the MBR on the target system’s hard drive, and spreads its infection to yet another machine.

File Infector Viruses Many viruses infect different types of executable files and trigger when the operating system attempts to