the Art of Virology 03h

…finally after three months of inactivity (exams, parties and so) I made some time to write this virus and this article… so for the ones who read this series… ENjOY =)

The Old School Virus

Yeah, I gave up writting infant-b because even the [a] version was full of bugs, and had to logicaly restructure the code so I could implement the things I promised for this virus, which bears the name Old School (oldskl)…

A mutant?

I said that in this virus I’m going to implement and encryption scheme, xor based one and mutational (this I forgot to mention). The basics of the XOR is that when comparing two bits, if there are the same the result is 0 (zero) and if different (1).


0 xor 0 = 0
0 xor 1 = 1
1 xor 0 = 1
1 xor 1 = 0

Well also you could use other functions as rotate (left or right), increase/decrease, and, or, not and any other variation of these… The mutation of the virus happens before every infection. It simply adds 1 to the key (which is of dimension byte maxvalue = 255) until it reaches 0FFh (255), moment when it resets the key to 1, not 00 because then the virus would be no more encrypted. So it has 253 posible states (255 and 00 are out)…

The famous transversal infection (.. or Dot Dot)

I had to implement a multi-directory infector. Not all the files are in one single directory, so I implemented the dotdot technique, nothing fancy it works as a simple cd .. command… it’s a clasic …

Multiple infections per run

Simple implementation, but heavy result…
Some info on how it works… I used a tree type infection, just to make it funkier…

]The first infection wave infects 5 files, including itself (the first)…

]]The second file infects other 4 files

]]]The third file infects other 3

]]]]The fourth other 2

]]]]]The fifth just 1

When these infected files are executed, the above scheme starts over again, but decreasing from the number the have. So after another infection wave the second infected files infects other 4 files which infect as follows:

]The first 3 files

]The second 2 files

]The third 1 file

]The fourth 1 file

I think you got the idea… After going to 1 infections per run it stays there and infect just 1 file per run…

Stealth

Actually semy stealth because it only saves the time and date of the file and save the attributes of the files (because it resets them)… Why does it reset the attributes of the files? Because this way it can infect read-only files…

COM’s

You need some COM files to play with this baby… so I created a batch file which will automatically create you ten COM files per run (5 normal, 5 read-only)… Here is the code for the createCOM.bat:


@echo off
debug <> nul
copy com.com 1.com > nul
copy com.com 2.com > nul
copy com.com 3.com > nul
copy com.com 4.com > nul
copy com.com 5.com > nul
copy com.com 6.com > nul
copy com.com 7.com > nul
copy com.com 8.com > nul
copy com.com 9.com > nul
copy com.com 10.com > nul
del com.com > nul
attrib +R 1.com
attrib +R 3.com
attrib +R 5.com
attrib +R 7.com
attrib +R 9.com
@echo off

Besides of this BAT file you also need the following file named gencom without any extension:


a100
mov ah, 4C
int 21h
nop
nop
nop
nop
nop
nop

n com.com
rcx
A
w
q

I advice you to make 2 directories: one Virus and a subfolder Start… Place the virus you assemble in start, where you also run createCOM.bat, and also run createCOM.bat in the folder Virus… Atention if the file gencom isn’t in the same directory with the bat, then no com files will be created..

Give me the virus
Again don’t spread this virus… It would an ok virus about 20 years ago, but not it’s god damn old for these times…

Oldskl by backbone: oldskl.asm

The ending of 03…

If you understand everything until now than you know the basics of computer viruses… If not don’t panic (i didn’t also understand viruses at the beginning) the following article will be a fully detailed one about every function we used… for the ones that have learned a bit of assembly… for the others: check my first article and get a good assembly book to learn…

EOF

Catagory

the Art of Virology 02h

This is the one and only (and first article) which will present you the source code of a virus on Darknet, and a lame one too :)

Theory again…

First should mention a couple of things which haven’t been specified till now. This virus is going to be an appending virus:

An appending virus is a virus that writes all of his code to the end of the file, after which it writes a simple jump to the code at the start of the file

I will use this method, for first in the virus i’ll present here, maybe later I will adopt another technique as EPO:

Entry Point Obscuring is a method which inserts the entry point of the virus somewhere in the host file, where it can do an interception of the code for later replication, but not at the start.

…but definitely not overwriting viruses:

An overwriting virus has a simple routine to overwrite the host file, thus being easily detected because of the fact that infected files in 99% of cases won’t run anymore

Back to reality

So my first virus is called infant-a, because it only does a single thing (like an infant); also it is a DOS COM infecter, so you won’t have much trouble with it. What to say more, the source if fully commented, and if you have read the book I have suggested you in the 00h article than you won’t have any problems in understanding it.It is not detected by Avira anti virus, check it with other anti viruses and tell me if it found and under which name, oh yeah Kaspersky doesn’t find it either.

BTW: don’t compile and infect other files (computers) with it because I will look lame not you

The brilliant (and simple code) follows: infant-a

How to play with it?

Everything goes in 3 steps, or 2 depends on you…

1st step - dummy com files

Enter in DOS mode (run cmd from Windows run) and write the following lines:


C:\ >debug
-a100
xxxx:0100 mov  ax,4c00
xxxx:0103 int    21h
xxxx:0105 ^C
// this is a comment ^C means CTRL+C :)
-rcx
CX 0000
:5
-n dummy.com
-w
Writing 00005 bytes
-q
C:\>copy dummy.com uninfectedFile.com

2nd step - compile the virus

For this one you need TASM & TLINK, google to get them; if you have them enter the following lines supposing infant-a.asm is the virus:


C:\ >tasm infant-a.asm
C:\ >tlink /t infant-a.obj
//comment: /t tells tlink to make it a dos image file = com file

3rd step - optional

Download DOSBox, install it and use the following commands (after starting DOSBox):


Z:\ >mount C:\ Folder\ Where\ The\ Virus\ And\ Dummy\ COM\ Files\ Are\ Located c:
//comment: c with : (c:) or without I don't remember exactly
Z:\ >C:
C:\ >
//comment: and now your C drive (in DOSBox) is C:\ Folder\ Where\ The\ Virus\ And\ Dummy\ COM\ FIles\ Are\ Located

Let’s play

And now you can start the virus and see how it infects one file per run, the dummy COM files should have 6 bytes length, and after infection 161, you can’t miss them…

Are we done already?

Well 02h is over, but 03h is there waiting to be written; whats next? infant-b of course which will have:

  • An encryption method (XOR)
  • A traversal infection (dotdot [..] method)
  • More infections per run
  • Stealth?

Till then have fun with infant-a, and see you as soon as possible (if anybody reads this series).

Catagory

the Art of Virology 01h

In this part we will discuss the basic framework of a computer virus… The basics of a virus consists of two elementary procedures (others will tell you three). These are:

  • a search routine
  • a infection routine
  • [anti-detection routines]

The search routine

This routine will have to be a more delicate one [but not hard to analyze at all], because as besides the search routine itself we will include file validation two, we will check within this routine if the file is read-only file, not as in some cases in which I saw that the virus search the file, found it and only when trying to infect it he realised that is read-only, and if no check done for it the virus would crash.

The infection routine

The trivial routine in a virus, because we do not need a search routine if we say for example we make a list of wanted to infect files, this routine (in COM viruses) will only write the whole virus in the host program and write a jump to it at the start of the file… simple don’t you think?

Pseudo-Code Virus

I know it’s the second article and what do you get? only a pseudo-code virus, but be pacient because I’m not so trustful to think that you have already read the book I recommended you in the first part… so wait until the 02h will be out; till then let’s check out our first virus:

virusName "infant-alfa"     
virusAuthor "backbone"    

begin
  SEARCH:
     if find_com_file is true then INFECT
     else SEARCH
  INFECT:
     if file_read_only then SEARCH
     else OPEN_WRITE
       OPEN_WRITE:
          write_virus from virusName to FINISH
          write jump to virusName at start_of_host_program

          //jump in machine-code = 0e9h

          if write_ok goto FINISH
          else SEARCH
  FINISH:
end

If you don’t like it in pseudo-code, maybe you’ll like it in Pascal, so dowload Dirty Nazi Virus Generator and create a virus to analyze… I didn’t try them out but in theory it should work fine… if you don’t have a pascal compiler you can try freepascal

What more do I need to know before actually starting to write viruses?

This is an excellent question because even if the actual search and infect routine are simple to build in assembly, the DTA (Disk Transfer Area) is a little hard to understand so i’ll give you a book which will jump in your help (I advice you to read only the DTA part because the rest of it and even more I’ll treat them myself)…

The Little Black Book Of Computer Viruses

Almost forgot to mention, the password to the archive is Ludwig with the big L.

Another bitter end…

So this second part of the Art of Virology which is a bit easier to diggest than the first one, has finally ended. See you next time and hope that by the next chapter you have learned asm and read about the DTA… till then take five…

Catagory
Subscribe to: Comments (Atom)