Home

Chapter Contents

How does a Virus Work?
Types of Virus
Virus Protection
Writing Viruses
The Virus Community

Chapter Index

1: Introduction to Hacking
2: Newbie Corner
3: Hacker History & Culture
4: The Hacker's Toolbox
5: First Principles
6: The Direct Approach
7: Hacking the Web
8: Tips for Specific Systems
9: Phone Phreaking
10: Viruses
11: MP3's & Warez
12: The Elements of Cracking
13: Maximising Security
14: Learning More

Computer Security Books

Advertisements

BLOG

Dr. K's Blog

Email

mailto:drk@!spam!hush.ai

Introduction

A computer virus is a program which intentionally makes copies of itself. It may contain some sort of "payload", which can be destructive or non-destructive program code, that is activated and run when certain conditions are fulfilled.

Legality of Viruses

The laws about writing and releasing viruses vary from country to country and state to state. In the US there are both Federal and State laws preventing damage to data and property, and these ensure that virus writers whose viruses infect large numbers of computers pay the penalty. David Smith, writer of the infamous Melissa MACRO virus, has been successfully prosecuted and awaits sentencing, with a possible fine of anything up to $150,000 and up to 10 years in prison.

In the UK the Computer Misuse Act makes it illegal to modify a computer without authorization, and this was successfully used to prosecute the author of the SMEG virus Christopher Pile, AKA the Black Baron, who received a total of 18 months in prison. During sentencing the judge commented that "those who seek to wreak mindless havoc on one of the vital tools of our age cannot expect lenient treatment". Not every country is so active in finding and prosecuting virus writers, however. A Taiwanese university only reprimanded and demoted the author of the highly destructive and costly CIH virus. Even just collecting viruses, passing source code and writing viruses for non-destructive purposes is illegal in some places, and any wannabe virus writer needs to understand the implications of the law, wherever they are based.

From a more hackish viewpoint I can understand the attraction of looking at the theory of virus writing, the appeal of studying virus source code to see how viruses work, the thrill of capturing and disassembling live viruses, and even, to some extent, the pride felt when writing a new virus as "proof of concept". All of this is fine, as it combines a very healthy curiosity coupled with sound technical skills, something that draws respect from hackers the world over. But, and it's a very big "but", the juvenile egotistic idiots who release these viruses "in the wild", often with their handle and the name of their group in it, have crossed the ethical border that distinguishes hacking from crime.

On a more personal note, I resent the amount of time wasted cleaning up networks of PCs after an infection, evaluating anti-virus software, installing anti-virus software and updating signature files - time that could have been put to more productive use, like hacking. Anyone who chooses to write a virus had better be sure that it never escapes, because if it causes major damage and the police break in their door, the authorities are not going to be convinced by any lame argument about "proof of concept".



How does a Virus Work?

Most viruses are written in assembly code for a specific computer and tightly tied to the operating system of the target computer. This enables them to protect themselves while continuing to spread the viral infection. But viruses don't have to be written in assembly language, and the growth of sophisticated programming languages embedded inside large software packages has allowed the spread of so-called "MACRO" viruses, which infect documents rather than programs.

Nearly everyone gets a virus from time to time, especially when they share floppy disks with friends. But if anyone starts downloading hacker tools from that hot new hacking web site, or start using warez from some dodgy ftp server, then they had better make sure that they have adequate anti-virus (A/V) protection. Although millions of computers are infected with viruses every year, the majority of cases are due to a small handful of persistent offenders out of the estimated 8,000 viruses in the wild.

Anti-virus software detects and removes viruses either by looking for a "viral signature", a string of bytes unique to that virus, or by using heuristic rules to look for "viral behaviour" which may indicate a program seeking to infect other files or cause destructive behaviour. The A/V software will have been programmed to understand how the virus detected hides itself, and will "clean" the infected file, boot sector or document thus removing the virus from the system.



Types of Virus
  • A "boot sector" virus occupies the boot sector of a floppy or hard disk and loads itself into memory during the boot-up sequence. Once in memory, it will attempt to infect the boot sector of any floppy disk used in the computer.
  • An "executable load" virus is a type of virus which attaches itself to executable files and runs when the program is started. Once in memory, it will attempt to infect other program files by attaching itself to them.
  • A "polymorphic virus" is a virus which encrypts itself, changing its viral "signature" each time using a "mutation engine" in an attempt to evade detection and destruction.
  • A "MACRO" virus is one which is written in a programming language embedded inside another program, such as a word processor. The commonest program suite targeted by MACRO viruses is the Microsoft Office group of applications, with the "Concept" and "LaRoux" viruses targeting Word and Excel, but any program which hosts a complex embedded macro programming language could be used to write such a virus.

Types of Payload

  • Viruses with non-destructive payloads play tunes, display banner messages or pop-up messages without causing any data loss, but they are a distraction, and they still need to be removed
  • Random destruction, where the virus changes odd bytes on disk or in memory, alters keystrokes at random, or messes around with the display.
  • Heavy destruction - the virus can cause the destruction of hard or floppy disks by low-level format, or data loss by wiping out a PC's File Allocation Table (FAT).
  • A new generation of viruses have a payload of Network Exploitation, use the Internet to copy themselves, and are more like "worms" than viruses. The notorious Melissa virus, which spread to a large number of computers in 1999, worked by infecting Microsoft Word97 documents then using Microsoft Outlook email software to email itself as an attachment to 50 people chosen from the infected user's email address book.

Getting Infected

Here are some of the ways of getting infected by a virus. Good A/V counter-measures start by recognizing the risk of infection from each source and taking appropriate steps in prevention.

  • The commonest cause of infection is shared floppy disks, but archive tapes and CD-ROMs can also be infected.
  • Any form of pirate software or warez, either downloaded from the Internet or BBSs, purchased or swapped with other warez traders.
  • Freeware or shareware software from a bulletin board, sometimes even when it appears to be from a trusted source.
  • Freeware or shareware from sources on the Internet, even when it appears to be from a trusted source.
  • Any form of email attachments, either programs or documents, are now suspect.


Virus Protection

Preventing viruses from attacking your system is a mixture of commonsense reasoning with some down-to-earth practical precautions, mixed with the use of one or more anti-virus packages to routinely check your system for infection. The level of protection you decide upon will depend on how much you would feel the loss of data if you were infected, and how much time you would spend cleaning up after the infection. A business user with many PCs and business-critical data at stake will be prepared to spend far more on A/V protection than the average home user, because the sums at risk are so much greater. Using appropriate anti-virus protection is at least as important in preventing catastrophic data loss as the backups you make routinely. (You *do* make backups, don't you?)

Commonsense Precautions


  • Never use pirate software or warez - not only is it illegal, but you don't know where it's been, or what might be lurking in there.
  • Always scan all freeware and shareware before use, even when it comes from what appears to be a reputable source.
  • Always scan all Internet downloads before installing and running, even when they appear to be from a reliable archive site.
  • Ensure that you scan all floppy disks you are given before use. This includes shared disks, pre-formatted blank disks and even distribution disks with original software on. Write-protect disks when not in use to prevent accidental infection.
  • Never run programs attached to email before scanning, even when you are sure they come from a trusted source. Save them and scan them before running or installing them.
  • Always scan any document attached to email before opening, or save the attachment and turn off macro features in the program you are using before opening it.
  • CD-ROMs and CD-RW disks should be scanned if your software allows it, but you will not be able to disinfect if you find a virus.
  • Make sure that you always have an updated signature file for your A/V package. This will ensure optimal A/V protection with signature-based A/V software.
  • Use more than one A/V package if you can, as there is a tendency for A/V packages to detect some viruses and miss others. Using multiple packages increases your chance of detecting something nasty before the infection spreads.
  • Make sure that you back up your data regularly and that you can restore successfully. Ensure that you have a virus-free boot disk to boot from in case of infection, and that you also have virus-free disks containing any tools or device drivers you need to recover your data and rebuild your system.

Using an Anti-Virus Package

If you haven't got an anti-virus package already, then you should. There are many around, both free and commercial. Try F-Prot if you need a free virus package, or get hold of free evaluation copies of commercial products such as Symantec's Norton Anti-Virus, McAfee's VirusScan, or ThunderByte and then buy the one you prefer. If you are protecting corporate data, you need to look at some of the disk control mechanisms available such as Reflex Magnetic's DiskNet, and also scan incoming email using a product such as MimeSweeper. There are many alternative products on the market, and you need to assess your degree of risk before evaluating the products to find one that suits you.

Once you have your anti-virus package, make sure that your machine is virus-free *before* installing the package, and then make sure that the signature file is always up to date. Some packages will automatically attach to the Internet at periodic intervals to download the latest signature file, but if you have read this far in the book you might have your own ideas about the wisdom of that, and would prefer to download the signature file yourself.



Writing Viruses

This section deals with writing viruses, but the reader isn't going to find a general tutorial here, nor will are there any great tips on writing a "killer" virus. As a hacker I don't condone the writing or spreading of viruses, but I have respect for the knowledge, technical skills and level of coding ability needed. What I hope is that by the time anyone who tries to code viruses gets to be *really* good at it, they will have realized that there are more technically challenging problems outside the area of virus development that are both more socially acceptable and better financially rewarded.

Assembling the Tools

If anyone wants to learn how to write a virus, they had better start by "assembling", pun intended, their tools. Here is a list of things someone will need to begin writing viruses:

  • A computer (*doh*), because it is hard to write programs without one!
  • A programming language of some kind, most probably assembly language, not just because viruses are written mostly in assembly language, but also because the novice virus writer will find most source code and tutorials will assume they are using assembly language.
  • A list of the opcodes or assembly mnemonics of the processor which are being targeted. Don't assume that, just because all the books of programming list 126 opcodes for a chip, that means there *are* just 126 opcodes. Some chips have "undocumented" opcodes that don't work right or have weird side effects. The venerable Motorola 6502 chip used in early Apple computers had an undocumented opcode whose mnemonic was HCF - Halt and Catch Fire - because it hosed the CPU.
  • A disassembler which will turn machine code into human-readable assembly language mnemonics. This will enable the novice virus writer to turn any live viruses they capture back into a computer program that they can read and understand.
  • A decent machine code debugger. SoftIce seems to be the favourite for PCs, but it depends on the platform that the virus is being written for.
  • Large and copious amounts of anti-virus software, both to protect themselve and to examine for clues on how to evade detection.

In addition to the basic tools a wannabe virus writer might need to acquire some of the following from the Internet.

Virus Source Code

Anyone can find virus source code in assembly or other languages very easily on the Internet. Once they have the source code, they can read it and understand how that virus works, or can re-assemble it and get a working virus. That's the theory, but a lot of the so-called virus "source" code kicking around the web isn't, and telling the difference between the two isn't easy unless the novice virus writer is already an expert in assembly language. For example, look at this snippet which purports to be from the STONED virus - the part that checks for infection and then infects the computer if not already infected.




PUSH CS
POP DS
MOV SI,200H
MOV DI,0
LODSW
CMP AX,[DI]
JNZ HIDEHD ;Hide real boot sector in hard drive.
LODSW
CMP AX,[DI+2]
JNZ HIDEHD ;Hide real boot sector in hard drive.

Table 10.1: Assembly language fragment of STONED virus which would infect the hard drive of a computer when run


It looks really impressive, doesn't it? Reading through the assembly source code of the STONED virus, which took me less than five minutes to find on the Internet, it looked *real* enough to me. But to someone who's not a full-time assembly language hacker, the code could have been spurious nonsense, designed to send wannabe virus writers down a blind alley. How am I going to find out whether this is real source code or not? The only way of being sure is to feed the assembly language code into an assembler and turn it into an executable binary of machine code. Once anyone has the binary, they can either compare it with a virus from the "wild" or run it and see if it infects their disks.

Virus Writing Tutorials

There are a lot of virus writing tutorials on the Internet, and anyone learning about viruses really wants to find a tutorial that deals with the platform they are coding for, as any example code can be used to get them started. Otherwise, tutorials in any other languages are good for giving a novice virus writer new ideas and concepts if they can follow them.

Some of the tutorials deal with basic concepts, such as the Over Writing virus, which reproduces itself by overwriting the first parts of a program with itself, and carries a destructive payload that kicks in the first time the program is run. Other tutorials deal in depth with stealth viruses which move to escape detection, armoured viruses which have been specifically designed to evade detection by some of the most popular anti-virus software, and polymorphic viruses that use self-encryption on each new generation to prevent their viral signature being detected.

Virus Creation Packages and Mutation Engines

All software writers use tools, and virus writers are no exception. The two most popular tools are "virus creation packages" and "polymorphic mutation engines". These tools are written by the active virus-writing community, and have only one purpose: to enable writers to code viruses quickly, easily and with advanced capabilities.

Polymorphic Mutation Engines

A polymorphic mutation engine is computer code that allows a virus writer to encrypt viruses to prevent them showing a viral signature. The most famous of these is the Mutation Engine written by the Bulgarian Dark Avenger, but virus writers could also run into TridenT Polymorphic Engine, Visible Mutation Engine and many others. Most of these packages are program modules that can be included in other programs to give them the ability to produce polymorphic viruses. By using these packages and including the code into viruses they are writing, novice writers can give even very simple viruses polymorphic capability, enabling them to escape detection.

Virus Creation Packages

Some virus writers have been clever enough to write "virus creation packages" which can generate virus code for users who can't write their own. One such, the sophisticated Virus Creation Lab, offers a full menu-driven virus creation kit, but others such as Virus Construction Set only offer the user a chance to create a pre-canned virus with their own message in it. Viruses that come from creation packages like these will rarely be as sophisticated as viruses written by hand, because virus writing is advancing so quickly that not all virus types can ever be included in a single package. The packages might be of some use to a novice virus writer who wishes to study the code produced, but real virus writers will still prefer to cut their code the old way, and see the creation package user as a script kiddy capable only of running software other smarter hackers have written.

Once again, any systems administrator should always keep an eye out for any of the tools used by Virus writers in case they should appear on the systems they administer. Systems administrators should be aware of activity going on their systems so that they can spot virus source code, tutorials or virus contruction tools before the novice virus writer has got very far. If a systems administrator finds any of these items on a their servers, then a little chat with the user owning those tools would be helpful in determining whether they were present due to natural curiosity or any malicious intent.



The Virus Community

Like every part of the computer community, the virus writers have their own community of mailing and discussion lists, web sites and BBSs. The virus writing community is more hidden and covert than most hacking communities because virus writers have more to lose than most hackers, so what anyone will find on the Internet is just the tip of the iceberg, with 90 per cent of virus writing buried deep underground for fear of exposure and prosecution.

Virus groups such as Phalken/Skism, Kefrens, Team Necrosis and phVX write tutorials and ezines, trade viruses, source code, tools, and make them all available on ftp and web sites for anyone with an interest in virus writing to download. Some of the ezines for the virus-writing community include 40hex magazine, Infected Voice, 29A, * magazine and Crypt Newsletter. If anyone wants to get accepted into the virus community, they must make sure they can code really well and then read the section in the next chapter about getting into the warez community, but trade viruses instead of warez. Hopefully by the time they've learnt to code well enough, they'll have become more interested in something more technically challenging and useful than writing viruses.

Prev 01 02 03 04 05 06 07 08 09 10 11 12 13 14 Next
Creative Commons License This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.