the Art of Virology 00h
By backbone, 2006-11-08 (last modified 2015-09-09). https://www.darknet.org.uk/2006/11/the-art-of-virology-00h/

This is the first part (of many others to come), consisting of a basic introduction to different viruses, some terminology and other aspects required before starting to understand or write viruses.

Definition

A virus is (taken from Windows XP’s Help And Support Center):

“A program that attempts to spread from computer to computer and either cause damage (by erasing or corrupting data) or annoy users (by printing messages or altering what is displayed on the screen).”

But wait a second… this definition is not correct from some points of view; for example, we could also place in this category programs that only reproduce, parasitise different files, and do no damage to users’ data, nor annoy them, except maybe for the disk usage… The abstract definition of viruses has become even more abstract with the help of know-it-all antivirus programmers, who for some money integrated Trojan / hoax / malware / backdoor removers into their software, so any time an antivirus product pops up with a notification that such a program has been found on a computer, a normal user doesn’t get interested in this aspect and is concerned about being infected with a virus (disinterest, what else)!

But you should not confuse viruses with John von Neumann’s self-reproducing mathematical automata. Google for more information about it, because it’s not part of our subject, or maybe I don’t want to get scientific and speak about it.

What programs are connected to virology?

But what is the difference between these programs? I’ll make for you a little list with some personal definitions, ok so let’s start:

adware – belongs to the malware category, besides spyware; it’s not a virus, it’s an application normally shipped alongside other programs, its main role being to pop up some ads while you’re connected to the web. Most of the time they get installed because you do not read the files accompanying different software, which is free or becomes free by doing some ads for big/medium/small companies.

spyware – these are the fierce animals of malware; they spy on you, but not the subtle way James Bond does: they get installed through different exploits, keep surveillance on the websites you visit, personal information, etc., and send them to different firms (or government, NSA, FBI, CIA?).

Trojan – Trojans are programs written for specific tasks; in this list we could include flooders (DoS), hidden proxy servers, virus droppers, and programs for other purposes that antivirus vendors think could do harm to other people’s data.

backdoor – a backdoor is a program which, if it weren’t released by an underground website, could be called a ‘Remote Administration Tool’, so it’s a tool that lets you control, or do specific tasks on, other computers; famous backdoor/Trojan backdoor clients (and servers) are: BO2K, SubSeven, R3C, Insane Network.

virus – this one belongs to our subject; of course it is further divided into more types of viruses, classified by the language used to create them, how they infect, and what they infect.

worm – these programs/scripts also belong to virology (think so?!) because they also have the basic concept of viruses (parasites, worms, ring a bell?): to spread, beautifully, widely, and all the other fancy adjectives you can find.

Viral History

The “first” virus

Sometime in the early 1970s, the Creeper virus was detected on ARPANET, a US military computer network which was the forerunner of the modern Internet. Written for the then-popular Tenex operating system, this program was able to gain access independently through a modem and copy itself to the remote system. Infected systems displayed the message ‘I’M THE CREEPER : CATCH ME IF YOU CAN.’

Shortly thereafter, the Reaper program was anonymously created to delete Creeper. Reaper was a virus: it spread to networked machines and if it located a Creeper virus, Reaper would delete it. Even the participants are unable to say whether Reaper was a response to Creeper, or if it was created by the same person or persons who created Creeper in order to correct their mistake.

And now a list of the first viruses “to be the first”:

1981 :: Elk Cloner – Boot sector virus
1986 :: Brain – Stealth file virus
1986 :: Virdem – DOS COM file infector
1987 :: Suriv-1 – DOS COM real time file infector
1987 :: Suriv-2 – DOS EXE file infector
1987 :: Suriv-3 – DOS COM & EXE file infector
1987 :: Cascade – Encrypted virus
1987 :: Christmas Tree Worm – Worm (Internet virus)
1988 :: Morris Worm – Worm which used exploits against Unix systems to spread
1990 :: the Chameleon family – A polymorphic virus family
1991 :: Tequila – A polymorphic boot virus
1991 :: Dir II – The one and only virus to use link technology
1992 :: Win.Vir_1_4 – Windows virus
1994 :: Shifter – OBJ file infector
1994 :: ScrVir-a – C and Pascal source code file infector
1995 :: Winstart – BAT file virus
1996 :: Boza – Windows 95 virus
1996 :: OS2.AEP – OS/2 EXE file infector
1996 :: Laroux – Excel virus
1997 :: Linux Bliss – Linux virus
1997 :: ShareFun – Macro virus spreading through mail, with MS Mail
1997 :: Homer – Worm that used FTP to propagate
1997 :: Win95.Mad – Self-encrypting Windows 95 virus
1998 :: Win95.HPS and Win95.Marburg – Windows polymorphic viruses
1998 :: Cross – Multi-platform virus, infected MS Access and Word files
1998 :: Triplicate (Tristate) – MS Word, Excel and PowerPoint file infector
1998 :: Red Team – EXE infector virus, spreading through Eudora
1998 :: Java.StrangeBrew – Java web application virus
1999 :: Happy99 (Ska) – Modern-day worm
1999 :: SK – HLP file infector virus
1999 :: Melissa – Word macro virus incorporating Internet worm functionality
1999 :: Gala – Corel Draw, Photo-Paint, Ventura file infector
1999 :: Bubbleboy and KakWorm – Worms spreading through IE vulnerabilities
1999 :: Babylonia – Worm with remote self-rejuvenation (don’t get scared by the term, it means that it automatically downloaded new versions of itself)
2000 :: Inta – Windows 2000 file infector
2000 :: LoveLetter – Script virus that broke the Guinness Book record
2000 :: Star – AutoCAD package virus
2000 :: Jer – Internet worm using social engineering and mass marketing to get users to let themselves be infected
2000 :: Liberty – PalmOS virus
2000 :: Stream – ADS and NTFS filesystem virus
2000 :: Fable – PIF file infector
2000 :: Pirus – PHP script virus
2000 :: Hybris – Worm with self-rejuvenation based on a 128-bit RSA key
2001 :: Mandragore – Gnutella file-sharing Internet worm
2002 :: LFM and Donut – .NET Framework viruses
2002 :: Spida – SQL Server worm
2002 :: Benjamin – Kazaa file-sharing network worm
2003 :: Slammer – Fileless worm with flash-worm capabilities

Wow, that’s quite a long list, don’t you think? And it isn’t all; if you want to see it all, then go to viruslist and read the whole history of malware, and then surely you can say that this list is even too small = )

Classification

I think that we should classify viruses so we will know better which kind of viruses we speak about. You’ve probably seen different classifications in the list, but it’s time we clearly point them out (of course this is my personal classification; agree with it or not, it’s your choice):

By what they infect

- In this category we will include the classic ones: exe, com, obj file infectors; plus the CAD, Corel and any other weird (?_?) extension virus we can find.
- As you would imagine, this category will include viruses that infect source code files: Pascal, C, etc. I think I know a couple or two of this type. (?)
- Simple, complex, tiny and all other boot sector viruses will be part of this category. P.S. I hate doggie-B
- We have all heard of them, laughed about them, thought they were dead, but we all know that they are extremely dangerous viruses. Yes, I’m talking about macro viruses, which populate Word, Excel, PowerPoint, Access.
- And finally our last category, dedicated to the viruses which infect script files like js, vbs, mrc and inject themselves into html files by including a <script> area.
- This will be, and is, a special category for our fellow friends of virology: worms. They often do not infect anything, they just multiply via different methods.

By their abilities

- A common, or maybe “would have to be common”, ability of viruses is that they can work in a stealth mode; things that help in this are timestamp maintenance, encoding different strings in the code so they won’t “scream” to users that simply view the source of the file, etc.
- A long time has passed since its appearance, and we have even surpassed this ability, but it’s worth mentioning for the classification.
- This category treats viruses which have more than one method of decryption, thus making them harder to detect; the decryption algorithm changes at every infection.
- In this category are the most modern viruses; I mean viruses which have passed from polymorphism to a new generation, the generation of code variability.
- Worms do not go in this category (you know, fishing); just viruses which do not fall for it and don’t infect bait files created by AV.
- If a virus can survive in this heuristic environment created by AV programs, then its place is in this category.
- Which viruses would fall in this category except the ones that can stop users, AV developers, or anything from debugging their code?

Language used for writing viruses

On this one I have to think for a while. Yes I know, you can use php, pascal, c (and any other variation), javascript, visualbasic (script), python, perl, etc. and assembly; that’s it, assembly is the one you will learn.

Why, you ask? Because most of the virus source code I will print out for you will be in assembly language, and this is the basic language of classic viruses. But don’t complain, you will be happy after having learned assembly and being able to create viruses this way, trust me ;)

Books I recommend? I have recently found some very fine books regarding this language (they are free and LEGAL too), and one of them treats assembly language as an art, so I recommend the Art of Assembly, but it’s ok for you to check out other ones too; you can find them on computer-books. You’ll see there the Assembly category. One little note: the assembly language you will learn must be compatible with TASM (Turbo Assembler) or MASM (Microsoft Assembler).

Toolbox

I don’t think there is any need for plenty of “useless” tools at this point of virology; I will point you to just the basic ones you need at this stage, and later on we will add other ones, but just step by step, so here’s the “mega-sized” list:

Both tools can be found on the net; I didn’t have more patience with the article, so I advise you to Google/Yahoo/Altavista for them = ). The last one can be found by running debug.exe from any Windows console.

Some Extra!

If you have a small HDD (2-4GB) drive, I advise you to format it and install a fresh copy of Windows, which you will use if you want to play with viruses or try them out. Of course you will disconnect your primary HDD so it won’t infect your clean one. But of course this step is not necessary if you trust the specification (concerning the payload) of the different viruses that I will present, and don’t want to see them with your own eyes (like Judas) to believe in what you hear.

End of 00h

By this I make it official: the first part of the Art of Virology has definitely ended. See you next time, when I will present the general framework of a virus, so keep your eyes on Darknet, because the 01h article will be posted as soon as possible. If you think this article isn’t complete, then I ask you politely to post some comments and add “that” extra to it. ; )

P.S. I recommend you get some beers, cigarettes, and some hardcore music, because the Art of Assembly is a damn long book, and you could get an indigestion.