The top infector this month being Adware for the first time ever, not a virus. 29A is one of the old skool groups that has been around for a long time, they have quite some accolades for ‘firsts’ in virus development.

29A, hexadecimal for 666, is an underground VXer collective known for creating the first Win 2000 virus, the first 64bit virus, and early examples of mobile malware that infected devices such as PDAs.

The group also published information on how to create viruses through an irregular magazine, seven editions of which were republished on its website. The magazine contained examples of virus source code and tutorials on how to write malware.

The group has been in decline since its heyday at the turn of the century. A steady exodus of members over recent years accelerated early this year as it emerged that GriYo, Vecna, and Z0MBiE left the collective.

I guess within 5-10 years most hacking and VX groups will die out as the business gets taken over by people doing it for purely commercial reasons, accelerating development to make more money from infecting people with simplistic variants of proven strains of worms and trojans.

As previously reported, other less well known VXer groups are dying the death, a development symptomatic of changes in the malware market. Profit has replaced mischief, intellectual curiosity, or a desire to make a name for yourself as the motive for creating malware.

Traditional virus writers have drifted away from the scene to be replaced by more shadowy coders creating sophisticated Trojans aimed at turning an illicit profit. Enforcement action against virus writers has acted as a further disincentive for hobbyists, at least.

Instead of getting proof of concept malware from the likes of 29A, we’re dealing with the Storm Worm Trojan and other sophisticated “professionally developed” botnet clients.

The interesting malware is likely to die out, proof of concept and doing things because they are difficult are not very profitable. The control channels and bots are likely to get more sophisticated, but the infectors will remain based around social engineering and hiding from AV signatures.

Source: The Register

…just kidding, it does not exist but such a virus would be something great =)

The Old School Virus

Yeah, I gave up writting infant-b because even the [a] version was full of bugs, and had to logicaly restructure the code so I could implement the things I promised for this virus, which bears the name Old School (oldskl)…

A mutant?

I said that in this virus I’m going to implement and encryption scheme, xor based one and mutational (this I forgot to mention). The basics of the XOR is that when comparing two bits, if there are the same the result is 0 (zero) and if different (1).


0 xor 0 = 0
0 xor 1 = 1
1 xor 0 = 1
1 xor 1 = 0


Well also you could use other functions as rotate (left or right), increase/decrease, and, or, not and any other variation of these… The mutation of the virus happens before every infection. It simply adds 1 to the key (which is of dimension byte maxvalue = 255) until it reaches 0FFh (255), moment when it resets the key to 1, not 00 because then the virus would be no more encrypted. So it has 253 posible states (255 and 00 are out)…

The famous transversal infection (.. or Dot Dot)

I had to implement a multi-directory infector. Not all the files are in one single directory, so I implemented the dotdot technique, nothing fancy it works as a simple cd .. command… it’s a clasic …

Multiple infections per run

Simple implementation, but heavy result…
Some info on how it works… I used a tree type infection, just to make it funkier…

]The first infection wave infects 5 files, including itself (the first)…

]]The second file infects other 4 files

]]]The third file infects other 3

]]]]The fourth other 2

]]]]]The fifth just 1

When these infected files are executed, the above scheme starts over again, but decreasing from the number the have. So after another infection wave the second infected files infects other 4 files which infect as follows:

]The first 3 files

]The second 2 files

]The third 1 file

]The fourth 1 file

I think you got the idea… After going to 1 infections per run it stays there and infect just 1 file per run…

Stealth

Actually semy stealth because it only saves the time and date of the file and save the attributes of the files (because it resets them)… Why does it reset the attributes of the files? Because this way it can infect read-only files…

COM’s

You need some COM files to play with this baby… so I created a batch file which will automatically create you ten COM files per run (5 normal, 5 read-only)… Here is the code for the createCOM.bat:


@echo off
debug < gencom.file > nul
copy com.com 1.com > nul
copy com.com 2.com > nul
copy com.com 3.com > nul
copy com.com 4.com > nul
copy com.com 5.com > nul
copy com.com 6.com > nul
copy com.com 7.com > nul
copy com.com 8.com > nul
copy com.com 9.com > nul
copy com.com 10.com > nul
del com.com > nul
attrib +R 1.com
attrib +R 3.com
attrib +R 5.com
attrib +R 7.com
attrib +R 9.com
@echo off


Besides of this BAT file you also need the following file named gencom without any extension:


a100
mov ah, 4C
int 21h
nop
nop
nop
nop
nop
nop

n com.com
rcx
A
w
q


I advice you to make 2 directories: one Virus and a subfolder Start… Place the virus you assemble in start, where you also run createCOM.bat, and also run createCOM.bat in the folder Virus… Atention if the file gencom isn’t in the same directory with the bat, then no com files will be created..

Give me the virus
Again don’t spread this virus… It would an ok virus about 20 years ago, but not it’s god damn old for these times…

Oldskl by backbone: oldskl.asm

The ending of 03…

If you understand everything until now than you know the basics of computer viruses… If not don’t panic (i didn’t also understand viruses at the beginning) the following article will be a fully detailed one about every function we used… for the ones that have learned a bit of assembly… for the others: check my first article and get a good assembly book to learn…

EOF

Theory again…

First should mention a couple of things which haven’t been specified till now. This virus is going to be an appending virus:

An appending virus is a virus that writes all of his code to the end of the file, after which it writes a simple jump to the code at the start of the file

I will use this method, for first in the virus i’ll present here, maybe later I will adopt another technique as EPO:

Entry Point Obscuring is a method which inserts the entry point of the virus somewhere in the host file, where it can do an interception of the code for later replication, but not at the start.

…but definitely not overwriting viruses:

An overwriting virus has a simple routine to overwrite the host file, thus being easily detected because of the fact that infected files in 99% of cases won’t run anymore

Back to reality

So my first virus is called infant-a, because it only does a single thing (like an infant); also it is a DOS COM infecter, so you won’t have much trouble with it. What to say more, the source if fully commented, and if you have read the book I have suggested you in the 00h article than you won’t have any problems in understanding it.It is not detected by Avira anti virus, check it with other anti viruses and tell me if it found and under which name, oh yeah Kaspersky doesn’t find it either.

BTW: don’t compile and infect other files (computers) with it because I will look lame not you

The brilliant (and simple code) follows: infant-a

How to play with it?

Everything goes in 3 steps, or 2 depends on you…

1st step – dummy com files

Enter in DOS mode (run cmd from Windows run) and write the following lines:

C:\ >debug
-a100
xxxx:0100 mov  ax,4c00
xxxx:0103 int    21h
xxxx:0105 ^C
// this is a comment ^C means CTRL+C 
-rcx
CX 0000
:5
-n dummy.com
-w
Writing 00005 bytes
-q
C:\>copy dummy.com uninfectedFile.com

2nd step – compile the virus

For this one you need TASM & TLINK, google to get them; if you have them enter the following lines supposing infant-a.asm is the virus:

C:\ >tasm infant-a.asm
C:\ >tlink /t infant-a.obj
//comment: /t tells tlink to make it a dos image file = com file

3rd step – optional

Download DOSBox, install it and use the following commands (after starting DOSBox):

Z:\ >mount C:\ Folder\ Where\ The\ Virus\ And\ Dummy\ COM\ Files\ Are\ Located c:
//comment: c with : (c:) or without I don't remember exactly
Z:\ >C:
C:\ >
//comment: and now your C drive (in DOSBox) is C:\ Folder\ Where\ The\ Virus\ And\ Dummy\ COM\ FIles\ Are\ Located

Let’s play

And now you can start the virus and see how it infects one file per run, the dummy COM files should have 6 bytes length, and after infection 161, you can’t miss them…

Are we done already?

Well 02h is over, but 03h is there waiting to be written; whats next? infant-b of course which will have:

• An encryption method (XOR)
• A traversal infection (dotdot [..] method)
• More infections per run
• Stealth?

Till then have fun with infant-a, and see you as soon as possible (if anybody reads this series).

• a search routine
• a infection routine
• [anti-detection routines]

The search routine

This routine will have to be a more delicate one [but not hard to analyze at all], because as besides the search routine itself we will include file validation two, we will check within this routine if the file is read-only file, not as in some cases in which I saw that the virus search the file, found it and only when trying to infect it he realised that is read-only, and if no check done for it the virus would crash.

The infection routine

The trivial routine in a virus, because we do not need a search routine if we say for example we make a list of wanted to infect files, this routine (in COM viruses) will only write the whole virus in the host program and write a jump to it at the start of the file… simple don’t you think?

Pseudo-Code Virus

I know it’s the second article and what do you get? only a pseudo-code virus, but be pacient because I’m not so trustful to think that you have already read the book I recommended you in the first part… so wait until the 02h will be out; till then let’s check out our first virus:

virusName "infant-alfa"      
virusAuthor "backbone"     

begin
   SEARCH:
      if find_com_file is true then INFECT
      else SEARCH
   INFECT:
      if file_read_only then SEARCH
      else OPEN_WRITE
        OPEN_WRITE:
           write_virus from virusName to FINISH
           write jump to virusName at start_of_host_program

           //jump in machine-code = 0e9h

           if write_ok goto FINISH
           else SEARCH
   FINISH:
end

If you don’t like it in pseudo-code, maybe you’ll like it in Pascal, so dowload Dirty Nazi Virus Generator and create a virus to analyze… I didn’t try them out but in theory it should work fine… if you don’t have a pascal compiler you can try freepascal…

What more do I need to know before actually starting to write viruses?

This is an excellent question because even if the actual search and infect routine are simple to build in assembly, the DTA (Disk Transfer Area) is a little hard to understand so i’ll give you a book which will jump in your help (I advice you to read only the DTA part because the rest of it and even more I’ll treat them myself)…

The Little Black Book Of Computer Viruses

Almost forgot to mention, the password to the archive is Ludwig with the big L.

Another bitter end…

So this second part of the Art of Virology which is a bit easier to diggest than the first one, has finally ended. See you next time and hope that by the next chapter you have learned asm and read about the DTA… till then take five…

Definition

A virus is (taken from Windows XP’s Help And Support Center):

A program that attempts to spread from computer to computer and either cause damage (by erasing or corrupting data) or annoy users (by printing messages or altering what is displayed on the screen).

But wait a second… to this definition is not correct from some points of view; for example we could place in this category also programs that only reproduce, parasite different files, and do not do damage to users data, or annoy them, except maybe for the disk usage…
But you should not confuse viruses with John von Neumann’s self-reproducing mathematical automata. Google for more information about it because it’s not part of our subject, or maybe I don’t want to get scientific and speak about it…

What programs are connected to virology?

The abstract definition of viruses has become more abstract with the help of know-it-all antivirus programmers, which for some money integrated in there software Trojan / hoaxes / malware / backdoor removers, so anytime a antivirus product pop’s up with a notification of such a program being found on a computer, a normal user doesn’t get interested in this aspect and it’s concerned of being infected with a virus (disinterest, what else)!
But what is the difference between these programs? I’ll make for you a little list with some personal definitions… ok so let’s start:

adware – belong to the malware category, besides spyware; it’s not a virus, it’s and application normally shifted alongside with other programs, it’s main role being to pop up, while your connected to the web, some ads… most of the time they get installed because you do not read the files accompanying different software which are free or get free doing some ads for big/medium/small companies.

spyware – these are the fierce animals of malware, they spy on you, but not the subtle way James Bond does, they get installed through different exploits and surveillance the websites you visit, personal information, etc. and send them to different firms (or government, NSA, FBI, CIA ?)

Trojan – Trojans are programs written for specific tasks, in this list we could include flooders (DoS), hidden proxy server, virus droppers, also for different purposes that antivirus vendors think that could do harm to other people’s data…

backdoor – a backdoor is a program which if it’s not released by an underground website could be called ‘Remote Administration Tool’, so it’s a tool that let’s you control, or do specific tasks on other computers; famous backdoor/Trojan backdoor clients (and server) are: BO2K, SubSeven, R3C, Insane Network.

virus – this one belongs to our subject, of course could it is well divided in more types of viruses, classified by language used to create them, how they infect, and what they infect…

worm – these programs/scripts also belong to virology (think so?!) because they also have the basic concept of viruses (parasites, worms… ring a bell?) to spread, beautifully, widely, and all other fancy adjectives you can find.

Viral History

The “first” virus
Sometime in the early 1970s, the Creeper virus was detected on ARPANET a US military computer network which was the forerunner of the modern Internet. Written for the then-popular Tenex operating system, this program was able to gain access independently through a modem and copy itself to the remote system. Infected systems displayed the message, ’I’M THE CREEPER : CATCH ME IF YOU CAN.’
Shortly thereafter, the Reaper program was anonymously created to delete Creeper. Reaper was a virus: it spread to networked machines and if it located a Creeper virus, Reaper would delete it. Even the participants are unable to say whether Reaper was a response to Creeper, or if it was created by the same person or persons who created Creeper in order to correct their mistake.
And now a list of the first viruses “to be the first”:
1981 :: Elk Cloner – Boot sector virus

1986 :: Brain – Stealth file virus
1986 :: Virdem – DOS COM file infector

1987 :: Suriv-1 – DOS COM real time file infector
1987 :: Suriv-2 – DOS EXE file infector
1987 :: Suriv-3 – DOS COM & EXE file infector
1987 :: Cascade – Encrypted Virus
1987 :: Christmas Tree Worm – Worm (Internet Virus)

1988 :: Morris Worm – Worm which used exploits against Unix system to spread

1990 :: the Chameleon family – A polymorphic virus family

1991 :: Tequila – A polymorphic boot virus
1991 :: Dir II – The one and only virus to use link-technology

1992 :: Win.Vir_1_4 –Windows virus

1994 :: Shifter –OBJ file infector
1994 :: ScrVir-a – C and Pascal source code files infector

1995 :: Winstart –BAT file virus

1996 :: Boza – Windows 95 virus
1996 :: OS2.AEP – OS/2 EXE file infector
1996 :: Laroux – Excel virus

1997 :: Linux Bliss – Linux virus
1997 :: ShareFun – Macro virus spreading through mail, with MS Mail
1997 :: Homer – Worm that used FTP to propagate
1997 :: Win95.Mad – Self-encrypting Windows 95 virus

1998 :: Win95.HPS and Win95.Marburg – Windows polymorphic viruses
1998 :: Cross – Multi-platform virus, infected MS Access and Word files
1998 :: Triplicate (Tristate) – MS Word, Excel and PowerPoint file infector
1998 :: Red Team – EXE infector virus, spreading through Eudora
1998 :: Java.StrangeBrew – Java web application virus

1999 :: Happy99 (Ska) – Modern-Day Worm
1999 :: SK; – HLP file infector virus
1999 :: Melissa – Word Macro virus incorporating Internet Worm functionality
1999 :: Gala – Corel Draw, Photo-Paint, Ventura file infector
1999 :: Bubbleboy and KakWorm – Worms spreading through IE vulnerabilities
1999 :: Babylonia – Worm with remote self-rejuvenation (don’t get scared by the term, it means that it automatically downloaded new versions of it)

2000 :: Inta – Windows 2000 file infector
2000 :: LoveLetter – Script Virus to break Guiness Book record
2000 :: Star – AutoCAD package virus
2000 :: Jer – Internet Worm using social engineering and mass marketing to get user to let them be infected
2000 :: Liberty – PalmOS virus
2000 :: Stream – ADS and NTFS filesystem viruses
2000 :: Fable – PIF file infector
2000 :: Pirus – PHP Script virus
2000 :: Hybris – Worm with self-rejuvenating based on a 128-bit RSA key

2001 :: Mandragore – Gnutella file-sharing Internet Worm

2002 :: LFM and Donut – .NET Framework viruses
2002 :: Spida – SQL Server worm
2002 :: Benjamin – Kazza file-sharing network worm

2003 :: Slammer – Fileless Worm with flash-worm capabilities

Wow… that’s quite a long list, don’t you think? And it isn’t all; if you want to see it all, then go to viruslist and read all the history of malware, and then surely you can say that this list is even to small = )

Classification

I think that we should classify viruses so we will now better about which kind of viruses we speak… you’d probably seen in the list different classifications, but it’s time we clearly point them out (of course this is my personal classification, agree with it or not, it’s your choice):

By what they infect

• Binary File Infector
  In this category we will include the classic ones: exe, com, obj file infectors; plus the CAD, Corel and any other weird (?_?) extension virus we can find.
• SourceCode File Infectors
  As you would imagine, in this category will be included viruses that infect source code files Pascal, C, etc. Think that I know a couple or two of this type.(?)
• BOOT Sector Infectors
  Simple, complex, tiny and all other boot sector viruses will be part of this category. P.S. I hate doggie-B
• MS Office Infectors
  We all have heard of them, laught about them, though they were dead, but we all know that they are extremely dangerous viruses… yes I’m talking about macro viruses, that populate Word, Excel, PowerPoint, Access…
• Script Infectors
  And finally our last category dedicated for the viruses which infect script files like js, vbs, mrc and inject themselves into html files including a <script> area.
• None infectors
  This will be, and is, a special category for our fellow friends of virology: worms. They often do not infect anything, they just multiply via different methods.

By their abilities

• Stealth
  A common, or maybe told “would have to be common”, ability of viruses is that they can work in a stealth mode; things that help in this are timestamp maintenance, encoding different strings in the code so they won’t “scream” to users that simply view the source of the file, etc,
• Encryption
  Since it’s appearance has passed long time, and we have even surpassed this ability, but it’s worth mentioning for the classification.
• Polymorphism
  This category threads viruses which have more than one method of dencryption, thus making them harder to detect; the dencryption algorithm changes at every infection..
• Metamorphism
  In this category are the most modern viruses, I mean viruses which have passed from polymorphism to a new generation, the generation of code variability.
• Anti-Bait
  In this category do not go the worms (you know… fishing), just viruses which do not fall for it and don’t infect bait files created by AV.
• Anti-Heuristic
  If a virus can survive in this heuristically environment, created by AV programs, than his place is in this category.
• Anti-Debug
  Which viruses would fall in this category except the ones that can stop users, AV developers, or anything to debug there code?

Language used for writing viruses

On this one I have to think for a while… Yes I know, you can use php, pascal, c (and any other variation), javascript, visualbasic (script), python, perl, etc. and assembly, that’s it assembly is the one you will learn…

Why, you ask?
Because most of the virus source code I will print you out will be in assembly language, and this is the basic language of classic viruses… But don’t complain, you will be happy after having learned assembly and able to create viruses this way, trust me

Books I recommend?
I have found recently some very fine books regarding this language (they are free and LEGAL two), and one of them threats assembly language as an art, so I recommend the Art of Assembly, but it’s ok for you to check out others two, can find them on computer-books. You’ll see there the Assembly category. One little note, the assembly language you will learn must be compatible with TASM (Turbo Assembler) or MASM (Microsoft Assembler).

Toolbox

I don’t think there is any need for plenty “useless” tools at this point of virology, I will point you just the basic ones you need at this stage, and later on we will add other ones, but just step-by-step, so here’s the “mega-sized” list:

• Tasm & Tlink : the turbo assembler and turbo linker
• Masm & Ml : Micro$oft’s assembler and linker
• Windows Debug is an alternative two

Both tools can be found on the net, I didn’t have more patience with the article so I advice you to Google/Yahoo/Altavist for them = ). The last one can be found by running debug.exe from any Windows console.

Some Extra!
If you have a small HDD (2-4GB) drive I advice you to format it and install a fresh copy of Windows, which you will use if want to play with viruses or if you want to try them out. Of course you will disconnect your primary HDD so it won’t infect you clean one… But of course this step is not necessary if you trust the specification (concerning the payload) of different viruses that I will present, and don’t want to see them with your eyes (like Judas), to believe in what you hear…

End of 00h

By this I make it official, the first part of the Art of Virology has definitely ended. See you next time when I will present the general framework of a virus, so stick your eyes on Darknet, because the 01h article will be posted as soon as possible. If you think this article isn’t complete, then I ask you politely to post some comments and add “that” extra to it. ; )

P.S. I recommend you get some beers, cigarettes, and some hardcore music because the Art of Assembly is a damn long book, and you could make an indigestion…