The task of protecting against software bookmarks (covert implants embedded in software) can be approached in three fundamentally different ways: preventing a software bookmark from being introduced into the computer system; detecting an embedded software bookmark; and removing an embedded software bookmark. Seen this way, the problem of protection against software bookmarks is similar to the problem of protecting computer systems against viruses. As with the antivirus problem, it is solved with the help of means that control the integrity of the system and application programs being started, the integrity of the information stored in the computer system, and the events critical to the system's functioning. However, these tools are effective only when they are not themselves affected by software bookmarks, which could: impose the final results of the control checks; influence the process of reading the information and launching the programs that are being controlled; or change the algorithms by which the control means operate. It is therefore extremely important that the control means be activated before the software bookmark begins to act, or that control be performed only with control programs residing in the ROM of the computer system.
Protection against software bookmarks
A universal means of protection against software bookmarks is to create an isolated computer. A computer is called isolated if the following conditions are met:
it has a BIOS that contains no software bookmarks; the operating system has been checked for bookmarks; it has been reliably established that the BIOS and operating system are unchanged for the given session; no programs other than those already checked for bookmarks have been run or are running on the computer; and the checked programs are never run under any conditions other than those listed above, that is, outside the isolated computer. A step-by-step control model can be used to establish that a computer is isolated. First, the BIOS is checked for changes. Then, if it is intact, the disk boot sector and the operating system drivers are read and analyzed in turn for unauthorized changes. Finally, the operating system loads a program-call control driver, which ensures that only verified programs are run on the computer.
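The step-by-step control model above, written out as an added example (this is not code from the original text): each layer is compared against a reference digest and the chain stops at the first layer that differs, and the program-call control driver refuses to start anything unless every lower layer passed. All images, driver names and digests below are constructed stand-ins; in a real system the reference digests must live where a bookmark cannot rewrite them (the ROM the text mentions), because the control means are only trustworthy if they are checked before the bookmark can act.

```python
import hashlib

# Constructed stand-ins for the trusted components. In a real deployment these
# are the actual BIOS image, boot sector, driver files and program images;
# every value below is an assumption made for this example.
TRUSTED_BIOS = b"constructed BIOS image v1"
TRUSTED_BOOT = b"\xeb\x3c\x90" + b"BOOTCODE" * 4
TRUSTED_DRIVERS = {"disk.sys": b"driver:disk", "kbd.sys": b"driver:kbd"}
TRUSTED_PROGRAMS = {"editor.exe": b"program:editor"}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Reference digests are computed out of band and must be held where a bookmark
# cannot rewrite them (e.g. in ROM); otherwise the check results can be imposed.
REFERENCE = {
    "bios": digest(TRUSTED_BIOS),
    "boot": digest(TRUSTED_BOOT),
    "drivers": {name: digest(img) for name, img in TRUSTED_DRIVERS.items()},
    "programs": {digest(img) for img in TRUSTED_PROGRAMS.values()},
}

def check_isolated(bios: bytes, boot: bytes, drivers: dict) -> list:
    """Step-by-step control: BIOS, then boot sector, then drivers. Stops at the
    first failing stage, so nothing above a changed layer is trusted.
    Returns the list of stages that passed."""
    passed = []
    if digest(bios) != REFERENCE["bios"]:
        return passed
    passed.append("bios")
    if digest(boot) != REFERENCE["boot"]:
        return passed
    passed.append("boot")
    # Every reference driver must be present and unchanged, and no extra
    # (unverified) driver may be loaded alongside them.
    if set(drivers) != set(REFERENCE["drivers"]):
        return passed
    if any(digest(drivers[n]) != ref for n, ref in REFERENCE["drivers"].items()):
        return passed
    passed.append("drivers")
    return passed

def launch_allowed(image: bytes, stages_passed: list) -> bool:
    """Program-call control driver: a program may start only if every lower
    layer has been verified and the program itself is on the verified list."""
    return stages_passed == ["bios", "boot", "drivers"] and digest(image) in REFERENCE["programs"]
```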
An interesting method of combating software bookmarks can be used in a banking information system in which only document files circulate. To prevent software bookmarks from penetrating through communication channels, no executable code is allowed to be received in such a system. To distinguish the events RECEIVED EXECUTABLE CODE and RECEIVED DOCUMENT FILE, a received file is checked for the presence of prohibited characters: a file is considered to contain executable code if it contains characters that never occur in document files.
Identifying an embedded software bookmark
Detecting an embedded software bookmark means detecting signs of its presence in a computer system. These signs can be divided into two classes:
qualitative and visual signs; and signs detected by testing and diagnostic tools. Qualitative and visual signs are the perceptions and observations of the user of the computer system, who notices certain deviations in its operation (changes in the composition and length of files; old files disappearing and new files appearing in their place; programs starting to work more slowly, finishing their work too quickly, or ceasing to run at all). Although judging by this class of signs seems too subjective, such signs often indicate malfunctions in a computer system and, in particular, the need to carry out additional checks for the presence of software bookmarks. For example, users of the Cryptocenter encryption and digital signature package at some point began to notice that the digital signature on electronic documents was being produced too quickly. An investigation by FAPSI experts revealed a software bookmark that worked by imposing a false file length. In another case, users of the Krypton encryption and digital signature package sounded the alarm when they noted with surprise that the speed of encryption with the GOST 28147-89 cryptographic algorithm had suddenly increased more than 30-fold. In a third case, a software bookmark in a keyboard input program revealed its presence by the fact that the affected program stopped working normally.
Signs detected by testing and diagnostic tools are common to both software bookmarks and computer viruses. For example, boot bookmarks are successfully detected by anti-virus programs that signal the presence of suspicious code in the boot sector of a disk. Disk Doctor, included in the popular Norton Utilities suite, copes well with artificially induced static errors on disks. Tools of the Adinf type for checking the integrity of disk data successfully detect changes made to files by software bookmarks. In addition, searching for code fragments of software bookmarks by their characteristic sequences of zeros and ones (signatures) is effective, as is allowing only programs with known signatures to be executed.
Removing an embedded software bookmark
The specific way to remove an embedded software bookmark depends on how it was embedded in the computer system. For a software-hardware bookmark, the computer's ROM should be reprogrammed. For a boot, driver, application, masked, or mimicking bookmark, the affected component can be replaced with the corresponding boot record, driver, application, or utility program obtained from a trustworthy source. Finally, for an executable software module, one can try to obtain its source code, remove any existing bookmarks or suspicious fragments from it, and then recompile.