Virus design is a great incentive to learn assembler. And although a virus can, in principle, be written in C, that would somehow not be hackerly and generally wrong. The following text is a note by Chris Kaspersky that had not previously been published in Hacker. From it you will learn how viruses are created and how to write a simple virus for Windows using FASM.
A couple of opening words
So, let's plunge into the dark labyrinth of the cybernetic world, whose ranks of inhabitants will soon be replenished with another evil creature. Embedding a virus into an executable file is, in general, a rather complicated and painful process. At a minimum, you need to study the PE file format and master dozens of API functions. At that pace we would not write a virus in a season, but we want it right here and now. Are we hackers or not? The NTFS file system (the main Windows file system) supports data streams, also called attributes. Within a single file there may be several independent data streams.
All information in this article is provided for informational purposes only. Neither the editors nor the author are responsible for any possible harm caused by the materials in this article. Remember that unauthorized access to computer information and the spread of malware entail liability in accordance with Articles 272 and 273 of the Criminal Code of the Russian Federation.
The stream name is separated from the file name by a colon (:), for example my_file:stream. The main body of the file is stored in an unnamed stream, but we can also create our own streams. We go into FAR Manager, press the key combination Shift + F4, enter the name of the file and data stream from the keyboard, for example xxx:yyy, and then enter some text. We exit the editor and see a file of zero length with the name
Why is the file zero length? And where is the text we just entered? Press the key
and … we really will not see any text. However, there is nothing surprising in this. If you do not specify a stream name, the file system displays the main stream, and in this case it is empty. The size of the remaining streams is not displayed, and you can reach their contents only by specifying the stream name explicitly. Thus, to see the text, you must enter the following command:
more < xxx:yyy
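The flip side of this property is that a defender can enumerate the streams explicitly. The following PowerShell script is an added example and is not part of the original article: it walks a directory tree, lists every stream of every file with Get-Item -Stream *, and reports those that are not the default unnamed :$DATA stream, so that hidden content like the xxx:yyy stream above shows up together with its size. The root path is an assumed sample location.

```powershell
# Added example (not from the article): find files carrying alternate data
# streams under a directory. Requires Windows, an NTFS volume and PowerShell 3+.
param(
    [string]$Root = "C:\Users\Public\Documents"   # assumption: directory to audit
)

$findings = Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # '-Stream *' returns one object per stream; ':$DATA' is the normal main body.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [PSCustomObject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }

# Largest hidden streams first; an executable-sized stream on a program file
# deserves a closer look, a tiny one is usually metadata.
$findings | Sort-Object Bytes -Descending | Format-Table -AutoSize

# Inspect a suspicious stream without running anything:
#   Get-Content -LiteralPath 'C:\path\xxx' -Stream 'yyy' -Raw
```

Expect a lot of benign Zone.Identifier streams (the mark-of-the-web that browsers attach to downloads); those are small and harmless. What matters is the stream size column: a named stream that is as large as the host file, especially on an executable, is exactly the pattern the article's approach would leave behind. The same listing can be had from cmd.exe with dir /r, which prints stream names and sizes next to each file.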
We will reason this way: since creating additional streams does not change the visible file size, the presence of extraneous code in the file will most likely go unnoticed. However, in order to transfer control to your stream, you must modify the main stream. In that case the checksum will inevitably change, which anti-virus programs will probably not like. We will consider methods for deceiving anti-virus programs later; for now, let's decide on the implementation strategy.
The algorithm of the virus
Close the manual for the executable file format (Portable Executable, PE). To solve the problem, we do not need it. We will act like this: create an additional stream inside the infected file, copy the main body of the file there, and write our code into the freed space; that code does its dirty work and then transfers control to the original body of the file. Such a virus will work only on Windows and only under NTFS. It was never designed to work with other file systems.
The original contents of the infected file will simply be lost, for example on FAT partitions. The same thing happens if you pack the file with ZIP or any other archiver that does not support file streams.
An example of an archiver that does support file streams is WinRAR. The Advanced tab of the Archive Name and Settings dialog box contains a group of NTFS options, among them the checkbox "Save file streams". Set this option if you need to keep all streams when packing files that contain several of them.
Now the time has come to talk about antivirus programs. Embedding the virus body in a file is only half the task, and the easiest half. Now the creator of the virus must consider how to protect his creation from all kinds of antiviruses. This task is not as difficult as it seems at first glance. It is enough to lock the file immediately after launch and keep it in that state for the entire Windows session until reboot. Antiviruses simply cannot open the file, which means they cannot detect the fact that it has changed. There are many ways to lock it, from CreateFile with flag off
The main mistake of most viruses is that, once embedded in a file, they sit and dutifully wait until the antivirus detects and removes them. But scanning a modern hard drive takes considerable time and often stretches to many hours. At any given moment the antivirus scans only one file, so if the virus leads a nomadic life, migrating from one file to another, the probability of it being detected drops sharply.
We will act this way: we embed ourselves in a file, wait 30 seconds, remove our body from the file, and then embed it in another one. The shorter the waiting period, the better the virus's chances of going unnoticed, but the higher the disk activity. Regular flashing of the red disk light for no apparent reason will immediately alert experienced users, so you have to be cunning.
For example, you can monitor disk activity and infect a file only when it is accessed anyway. A specialized tool such as the process monitor Procmon will help in studying this.
Continuation is available only to participants.