-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-=-=-=-=                                                         =-=-=-=-
-=-=-=-=                 A few ideas for viruses                 =-=-=-=-
-=-=-=-=                                                         =-=-=-=-
-=-=-=-=                       Kalkin/EViL                       =-=-=-=-
-=-=-=-=                                                         =-=-=-=-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

These are difficult times for us, viruswriters. No, I don't mean the cops, society or the press. I mean the process of writing a virus. Yes, there are tons of materials about this subject and quite some people who can help, but that's usually with technical problems. What if you want to do something radically new? It's actually not so easy coz everything has already been done: polymorphic macroviruses, ACCESS infection, LINUX-viruses. You can realize some parts of the virus in a never-seen-before way, but these parts are mainly only some solutions to some x technical problems. But you want to do something NEW and INTERESTING, something like the spying virus from CodeBreakers or the payload of CIH. Maybe this article will help you.

.LNK and/or .PIF infection

Maybe this has already been done, but I haven't heard about it (on the other hand, I'm not too informed about what goes on in the scene). Anyway, if it's so then the credit goes to the one who had this idea.

Like you all know, .LNKs are small link files, so called shortcuts, that were presented with Windows 95 (in Microsoft's OS world) and should eliminate the need to copy one program into several folders. .PIFs are basically the same, just they also contain useful loading information and are for DOS programs. Both formats contain the path of the original program. It wouldn't be hard to replace this path with the path to our infected file, which would execute the real program after its actions. This would be like some kind of companion virus. It would be even better, coz how many AV programs check for changes in .LNK/.PIF files? Another plus is that this infecting method basically works on every OS where there are .LNKs (LINUX for example).
The only problem is that a virus which uses just this method of infecting won't spread to any other computer (it will "travel" only if somebody for some x reason copies our file to another PC). But this method can be used to increase the chance of executing the virus, especially in the case of runtime viruses.

Alias "infection"

This idea is based on the previous one and works on DOS (under 4DOS and NDOS) and *NIX systems (I think). A virus could set some aliases to itself and after infecting some files execute the original program.

Name changing

What if a DOS virus hooks INT 21h, saves and then changes the name (set by exec, found by findfirstfile) to the name of an infected file (in memory)? The infected file would be executed, copied to disk, included in a ZIP archive. If the proper code is included then this viralized item wouldn't be opened for editing (the real one would). A WIN virus could do the same. And this method is better for spreading than the above two.

Infection of format programs

This idea was originally by MiKE The Hacker/TPT Gang and describes a hybrid virus that infects formatting programs and modifies them so that they put the same virus on the bootsector of the formatted disk. This would be better than just a bootsector-infector, coz you can't get rid of the virus by re-formatting the disk (at least with this formatter). Reboot won't help either.

This idea can be enhanced: infecting of CD writing programs, so that an AUTORUN.INF and an infected file would be written to CD. It should be a little bit easier (no need for a hybrid virus) and also better, coz there's no way you can get rid of the virus on CD (unless you're burning CD-RWs).

Disadvantages: not too few formatting/CD-burning programs exist.

Intel Pentium Pro fucking

I came to this idea when I was surfing through Ralf Brown's Interrupt List. It says there that by using interrupt 15h and setting AX to D042h it's possible to install a microcode patch into the Pentium Pro processor.
I haven't checked this and have no idea how much the patch can affect the CPU, so I don't know if the proper code will really fuck the processor or if it will do nothing. It's too bad that there aren't so many Pentium Pros around, coz there seems to be CIH potential.

"Collection" viruses

This idea was inspired by GriYo/29A's SIMBIOSIS project. If you don't know what it is then: it outputted a polymorphing virus on an Internet worm that contained an SMTP engine. A so called collection-virus is a virus (or worm) that contains several (let's say 5) viruses which will be released in a random order.

"Part-upgrading" viruses

Those viruses would have a "serial number" for every part of themselves: the procedure of finding files, polymorphing engine, infecting part. When such a virus would "meet" another part-upgrading-virus, it would check all serial numbers and if some of them are newer than its own, it would copy the updated procedure to itself. But when it finds a part that it doesn't have then the virus would copy the part to itself and add a call or jump to it. So basically those viruses expand themselves. A direct action COM infector could for example add to itself parts to go TSR and infect EXEs.

Quotating viruses

It's a lame and not new idea. Such a virus would as payload display quotations of some famous person. For example Socrates's. The good thing is that there are MANY people who have said something (I never said it should be something smart or meaningful).

Intro/demo viruses

I don't mean here product demos, but graphics demos like they are presented on demo-parties and compos (check http://www.hornet.org to get the picture). Intro-viruses would play such video effects as payload. Advantages: usually small size, nice, different (what do you think, will people remember better a lame textmode "Infecto-ViruZ" in black and white or an "IntroVirus" in 24 bit colours accompanied by breath-taking-beautiful moving clouds?)

Simulating anti anti-virus viruses

Most viruses today have retro abilities, but I'm talking about a virus that is specially coded to destroy anti-virus programs. It would turn off resident AV monitors, install trojans in anti-viruses (*.AVC and TBSCAN.DEF infection). It would also overwrite part of AV programs by installing itself in them and then simulate that the AV scans. There are several viruses that patched the "File system" status on TbScan's output to hide the fact that it suddenly used DOS services to read the disk. A SAAV virus would for example execute the graphics procedure to display the message "Scanning for known viruses in memory" by F-Prot/DOS but then just wait for some time. It would use the necessary procedure to bring up the scanning window, display filenames and instead of checking infect them. Or for example display "Checking partition table" by ThunderByte Partition (created by TbUtil) and check nothing. It could be like the real AIDS, which doesn't kill, it just destroys the immune system and makes the way free for other diseases.

It doesn't take much code to do so, just some small patches. The problem is how the virus finds what to patch, coz AV companies would change the inner structure of the program with every new version. At this moment the fact that most AV programs don't allow themselves to be encrypted/compressed (coz of the CRC check) comes real handy.

Simulating viruses

Based on the above idea these viruses would install themselves in some specific programs and then simulate. One example could be PGP (so that the signature is always GOOD, and goodbye to trustworthy software). It could also be one virus that patches several products.

"Expensive" viruses

It's actually an image of what happened here in Estonia: quite some Internet users received a file called Estonia.Exe. This was an SFX ZIP and contained a client program for some sex-server.
Anyway, after being executed the program also did some other things and as a result the PC began to connect to the Net through a Malaysian (if I remember correctly) server, which had quite high prices. Nobody knew it and everyone was REALLY surprised when at the end of the month the telephone bill was HUGE. There were talks that this was a virus, but most (including specialists) don't think so. It seems that it was just a trojan. But this idea can be used in viruses (a good way to compromise the lamest ISP near you).

Destroying the PC-speaker

Lastly, a destructive payload from KUTT/TPT Gang. The idea is based on the fact that speakers may get damaged when the music is too loud. KUTT thought that it would be interesting if a virus did that to the PC-speaker: generate a high and loud sound and play it for quite some time. It's probably technically impossible to realize, but who knows?

An enhanced version of this idea is to damage the speakers that are connected to the sound card. This should actually be more realistic, coz usually the hardware of a sound card is capable of that and the speakers aren't made for this situation.
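
Added example, not part of the original article: the .LNK/.PIF section asks how many AV programs check shortcut files for changes. The Python below does that check from the defender's side, reading the local target path out of each .LNK (layout per Microsoft's MS-SHLLINK specification) and reporting shortcuts whose target no longer matches a recorded baseline. The function names, the sample paths and the sample_lnk helper (which builds only the fields the parser reads) are assumptions made for the example.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO = 0x1, 0x2   # LinkFlags bits used here

def lnk_local_target(data):
    """Return the local target path stored in raw .LNK bytes, or None."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    try:
        flags = struct.unpack_from("<I", data, 20)[0]
        pos = 76                                    # end of the fixed header
        if flags & HAS_IDLIST:                      # skip LinkTargetIDList
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if not flags & HAS_LINKINFO:
            return None
        size, _, info_flags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
        if not info_flags & 0x1 or pos + size > len(data):
            return None                             # no local path recorded
        def cstr(off):                              # NUL-terminated string inside LinkInfo
            start = pos + off
            return data[start:data.index(b"\0", start, pos + size)].decode("cp1252", "replace")
        return cstr(base_off) + cstr(suffix_off)
    except struct.error:
        raise ValueError("truncated shell link")

def changed_targets(baseline, current):
    """baseline: name -> recorded target; current: name -> raw .LNK bytes."""
    changed = {}
    for name, blob in current.items():
        try:
            new = lnk_local_target(blob)
        except ValueError:
            new = None                              # unreadable counts as changed
        old = baseline.get(name)
        if old is None or new is None or old.lower() != new.lower():
            changed[name] = (old, new)
    return changed

def sample_lnk(target):
    """Constructed test input: header plus a minimal LinkInfo, nothing else."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_LINKINFO).ljust(76, b"\0")
    path = target.encode("cp1252") + b"\0"
    body = path + b"\0"                             # LocalBasePath + empty CommonPathSuffix
    return header + struct.pack("<7I", 28 + len(body), 28, 0x1, 0, 28, 0, 28 + len(path)) + body

if __name__ == "__main__":
    base = {"Editor.lnk": r"C:\Program Files\Editor\editor.exe"}      # constructed baseline
    print(changed_targets(base, {"Editor.lnk": sample_lnk(r"C:\Users\Public\editor.exe")}))
```

Paths are compared case-insensitively, and a shortcut that is new or can no longer be parsed is reported along with the ones whose target moved.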