the Art of Virology 00h

[ad]

This is the first part (of many others to come) consisting of basic a introduction to different viruses, some terminology and other aspects required before starting to understand or write viruses.

Definition

A virus is (taken from Windows XP’s Help And Support Center):

A program that attempts to spread from computer to computer and either cause damage (by erasing or corrupting data) or annoy users (by printing messages or altering what is displayed on the screen).

But wait a second… to this definition is not correct from some points of view; for example we could place in this category also programs that only reproduce, parasite different files, and do not do damage to users data, or annoy them, except maybe for the disk usage…
But you should not confuse viruses with John von Neumann’s self-reproducing mathematical automata. Google for more information about it because it’s not part of our subject, or maybe I don’t want to get scientific and speak about it

What programs are connected to virology?

The abstract definition of viruses has become more abstract with the help of know-it-all antivirus programmers, which for some money integrated in there software Trojan / hoaxes / malware / backdoor removers, so anytime a antivirus product pops up with a notification of such a program being found on a computer, a normal user doesn’t get interested in this aspect and it’s concerned of being infected with a virus (disinterest, what else)!
But what is the difference between these programs? I’ll make for you a little list with some personal definitions ok so let’s start:

adware – belong to the malware category, besides spyware; it’s not a virus, it’s and application normally shifted alongside with other programs, it’s main role being to pop up, while your connected to the web, some ads. most of the time they get installed because you do not read the files accompanying different software which are free or get free doing some ads for big/medium/small companies.

spyware – these are the fierce animals of malware, they spy on you, but not the subtle way James Bond does, they get installed through different exploits and surveillance the websites you visit, personal information, etc. and send them to different firms (or government, NSA, FBI, CIA ?)

Trojan – Trojans are programs written for specific tasks, in this list we could include flooders (DoS), hidden proxy server, virus droppers, also for different purposes that antivirus vendors think that could do harm to other people’s data.

backdoor – a backdoor is a program which if it’s not released by an underground website could be called “˜Remote Administration Tool’, so it’s a tool that let’s you control, or do specific tasks on other computers; famous backdoor/Trojan backdoor clients (and server) are: BO2K, SubSeven, R3C, Insane Network.

virus – this one belongs to our subject, of course could it is well divided in more types of viruses, classified by language used to create them, how they infect, and what they infect.

worm – these programs/scripts also belong to virology (think so?!) because they also have the basic concept of viruses (parasites, worms. ring a bell?) to spread, beautifully, widely, and all other fancy adjectives you can find.

Viral History

The “first” virus
Sometime in the early 1970s, the Creeper virus was detected on ARPANET a US military computer network which was the forerunner of the modern Internet. Written for the then-popular Tenex operating system, this program was able to gain access independently through a modem and copy itself to the remote system. Infected systems displayed the message, ‘I’M THE CREEPER : CATCH ME IF YOU CAN.’
Shortly thereafter, the Reaper program was anonymously created to delete Creeper. Reaper was a virus: it spread to networked machines and if it located a Creeper virus, Reaper would delete it. Even the participants are unable to say whether Reaper was a response to Creeper, or if it was created by the same person or persons who created Creeper in order to correct their mistake.
And now a list of the first viruses “to be the first”:
1981 :: Elk Cloner – Boot sector virus

1986 :: Brain – Stealth file virus
1986 :: Virdem – DOS COM file infector

1987 :: Suriv-1 – DOS COM real time file infector
1987 :: Suriv-2 – DOS EXE file infector
1987 :: Suriv-3 – DOS COM & EXE file infector
1987 :: Cascade – Encrypted Virus
1987 :: Christmas Tree Worm – Worm (Internet Virus)

1988 :: Morris Worm – Worm which used exploits against Unix system to spread

1990 :: the Chameleon family – A polymorphic virus family

1991 :: Tequila – A polymorphic boot virus
1991 :: Dir II – The one and only virus to use link-technology

1992 :: Win.Vir_1_4 -Windows virus

1994 :: Shifter -OBJ file infector
1994 :: ScrVir-a – C and Pascal source code files infector

1995 :: Winstart -BAT file virus

1996 :: Boza – Windows 95 virus
1996 :: OS2.AEP – OS/2 EXE file infector
1996 :: Laroux – Excel virus

1997 :: Linux Bliss – Linux virus
1997 :: ShareFun – Macro virus spreading through mail, with MS Mail
1997 :: Homer – Worm that used FTP to propagate
1997 :: Win95.Mad – Self-encrypting Windows 95 virus

1998 :: Win95.HPS and Win95.Marburg – Windows polymorphic viruses
1998 :: Cross – Multi-platform virus, infected MS Access and Word files
1998 :: Triplicate (Tristate) – MS Word, Excel and PowerPoint file infector
1998 :: Red Team – EXE infector virus, spreading through Eudora
1998 :: Java.StrangeBrew – Java web application virus

1999 :: Happy99 (Ska) – Modern-Day Worm
1999 :: SK; – HLP file infector virus
1999 :: Melissa – Word Macro virus incorporating Internet Worm functionality
1999 :: Gala – Corel Draw, Photo-Paint, Ventura file infector
1999 :: Bubbleboy and KakWorm – Worms spreading through IE vulnerabilities
1999 :: Babylonia – Worm with remote self-rejuvenation (don’t get scared by the term, it means that it automatically downloaded new versions of it)

2000 :: Inta – Windows 2000 file infector
2000 :: LoveLetter – Script Virus to break Guiness Book record
2000 :: Star – AutoCAD package virus
2000 :: Jer – Internet Worm using social engineering and mass marketing to get user to let them be infected
2000 :: Liberty – PalmOS virus
2000 :: Stream – ADS and NTFS filesystem viruses
2000 :: Fable – PIF file infector
2000 :: Pirus – PHP Script virus
2000 :: Hybris – Worm with self-rejuvenating based on a 128-bit RSA key

2001 :: Mandragore – Gnutella file-sharing Internet Worm

2002 :: LFM and Donut – .NET Framework viruses
2002 :: Spida – SQL Server worm
2002 :: Benjamin – Kazza file-sharing network worm

2003 :: Slammer – Fileless Worm with flash-worm capabilities

Wow. that’s quite a long list, don’t you think? And it isn’t all; if you want to see it all, then go to viruslist and read all the history of malware, and then surely you can say that this list is even to small = )

Classification

I think that we should classify viruses so we will now better about which kind of viruses we speak. you’d probably seen in the list different classifications, but it’s time we clearly point them out (of course this is my personal classification, agree with it or not, it’s your choice):

By what they infect

• Binary File Infector
  In this category we will include the classic ones: exe, com, obj file infectors; plus the CAD, Corel and any other weird (?_?) extension virus we can find.
• SourceCode File Infectors
  As you would imagine, in this category will be included viruses that infect source code files Pascal, C, etc. Think that I know a couple or two of this type.(?)
• BOOT Sector Infectors
  Simple, complex, tiny and all other boot sector viruses will be part of this category. P.S. I hate doggie-B
• MS Office Infectors
  We all have heard of them, laught about them, though they were dead, but we all know that they are extremely dangerous viruses. yes I’m talking about macro viruses, that populate Word, Excel, PowerPoint, Access.
• Script Infectors
  And finally our last category dedicated for the viruses which infect script files like js, vbs, mrc and inject themselves into html files including a <script> area.
• None infectors
  This will be, and is, a special category for our fellow friends of virology: worms. They often do not infect anything, they just multiply via different methods.

By their abilities

• Stealth
  A common, or maybe told “would have to be common”, ability of viruses is that they can work in a stealth mode; things that help in this are timestamp maintenance, encoding different strings in the code so they won’t “scream” to users that simply view the source of the file, etc,
• Encryption
  Since it’s appearance has passed long time, and we have even surpassed this ability, but it’s worth mentioning for the classification.
• Polymorphism
  This category threads viruses which have more than one method of dencryption, thus making them harder to detect; the dencryption algorithm changes at every infection..
• Metamorphism
  In this category are the most modern viruses, I mean viruses which have passed from polymorphism to a new generation, the generation of code variability.
• Anti-Bait
  In this category do not go the worms (you know. fishing), just viruses which do not fall for it and don’t infect bait files created by AV.
• Anti-Heuristic
  If a virus can survive in this heuristically environment, created by AV programs, than his place is in this category.
• Anti-Debug
  Which viruses would fall in this category except the ones that can stop users, AV developers, or anything to debug there code?

Language used for writing viruses

On this one I have to think for a while. Yes I know, you can use php, pascal, c (and any other variation), javascript, visualbasic (script), python, perl, etc. and assembly, that’s it assembly is the one you will learn.

Why, you ask?
Because most of the virus source code I will print you out will be in assembly language, and this is the basic language of classic viruses. But don’t complain, you will be happy after having learned assembly and able to create viruses this way, trust me ;)

Books I recommend?
I have found recently some very fine books regarding this language (they are free and LEGAL two), and one of them threats assembly language as an art, so I recommend the Art of Assembly, but it’s ok for you to check out others two, can find them on computer-books. You’ll see there the Assembly category. One little note, the assembly language you will learn must be compatible with TASM (Turbo Assembler) or MASM (Microsoft Assembler).

Toolbox

I don’t think there is any need for plenty “useless” tools at this point of virology, I will point you just the basic ones you need at this stage, and later on we will add other ones, but just step-by-step, so here’s the “mega-sized” list:

• Tasm & Tlink : the turbo assembler and turbo linker
• Masm & Ml : Micro$oft’s assembler and linker
• Windows Debug is an alternative two

Both tools can be found on the net, I didn’t have more patience with the article so I advice you to Google/Yahoo/Altavist for them = ). The last one can be found by running debug.exe from any Windows console.

Some Extra!
If you have a small HDD (2-4GB) drive I advice you to format it and install a fresh copy of Windows, which you will use if want to play with viruses or if you want to try them out. Of course you will disconnect your primary HDD so it won’t infect you clean one. But of course this step is not necessary if you trust the specification (concerning the payload) of different viruses that I will present, and don’t want to see them with your eyes (like Judas), to believe in what you hear.

End of 00h

By this I make it official, the first part of the Art of Virology has definitely ended. See you next time when I will present the general framework of a virus, so stick your eyes on Darknet, because the 01h article will be posted as soon as possible. If you think this article isn’t complete, then I ask you politely to post some comments and add “that” extra to it. ; )

P.S. I recommend you get some beers, cigarettes, and some hardcore music because the Art of Assembly is a damn long book, and you could make an indigestion.