--==< Retro the easy way. >==--

                          By MidNyte, February 2000



   What is a Retro-virus?
-------------------------

   A Retro-virus is any virus that attacks antivirus programs, whether
generically or just specific products. It is generally used to disable or fool
one or more of the popular antivirus programs. For instance, a certain virus
will detect if a certain on-access scanner is in memory, and will issue the
correct call to shut it down if it is. Another will patch the resident part of
the scanner that decides whether to scan a file or not, so that it decides not
to in all cases. These are very useful functions, but if you are not yet able
to work out such methods for yourself, you are left with the choice of leaving
retro-functions out of your virus, using other people's routines (which are
therefore not new) or trying something different. That is what this tutorial
is about: a few simple ideas that give basic retro-functionality without the
need to be too far advanced in coding. All you need is some basic
anti-emulation skills.



   What's the theory?
---------------------

   So how do we get Retro without learning it all? Basically we find ways to
annoy the user so much that he does the job of disabling the antivirus program
for us. If we slow him down when he scans, he will probably end up scanning
only overnight, giving us a day to spread. If we make the program crash, he
probably won't bother scanning the file again; he'll just add it to the ignore
list. (It's not that uncommon to find a file that can't be scanned without
crashing on a Microsoft machine :)




   How do we implement it?
--------------------------

   You remember reading that a good emulator will save its place when it
finds a decision-based jump? That way, if the code checks something and then
quits if the condition is met, the emulator can just go back, pretend the
condition wasn't met and see what it can find down the other branch of the
program. This is there to defeat the technique of quitting when an emulator is
found. How about we stop that? How about we do our anti-emulation bit and then
test it, but if we're being emulated, instead of just quitting, we crash the
program? Or better still, if we're on a Pentium, why not just hang the
machine? It's what the 'F00F' bug is there for :) If the machine hangs, the
antivirus program has no chance to return to the jump and try the other
branch, and the user will probably not bother scanning it again. If he does,
the same thing will happen again and again, and the user will never get a
complete scan. Two caveats before the code. First, the F00F erratum is in the
original Pentium and Pentium MMX only (Pentium Pro and later are not
affected), and several operating systems shipped workarounds for it soon
after it became public in 1997. Second, the bytes only hang a machine that
actually executes them: an emulator that decodes them correctly just sees an
invalid instruction and raises an exception, so the trick catches scanners
whose emulator mishandles or passes through the instruction, not every
scanner. Here's a rough guide to the code needed, assuming that you have in
place a suitable emulation-detection routine:


   cmp ax,028h			;our test for emulation: 028h is whatever the
				;detection routine returns when NOT emulated
   je not_emulated		;jump if equal
   db 0F0h,00Fh,0C7h,0C8h	;lock cmpxchg8b eax: an invalid encoding that
				;locks up a Pentium/Pentium MMX, known as the
				;'F00F bug' for obvious reasons.

not_emulated:			;here we are safe from the AV program
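
   As an added example (not part of MidNyte's text, and not code the tutorial
supplies), here is the scanner's side of the trick above. The hang only
happens if an affected CPU actually executes the four bytes, so a scanner
need not run them at all; it can look for the opcode pattern. lock cmpxchg8b
with a register operand encodes as F0 0F C7 followed by a ModRM byte with
mod=11b and reg=001b, i.e. C8h..CFh, so the check below matches every register
form rather than only the C8h byte used above. The function names and the two
sample byte strings are our own; the first sample is the snippet above
assembled as 16-bit code, the second is constructed so that a legal
lock-prefixed instruction and a valid memory-operand cmpxchg8b are not
reported.

```python
"""Static check for the F00F trigger bytes (added example, not from the tutorial)."""
from typing import List

# lock cmpxchg8b with a register operand is encoded as F0 0F C7 /1 with
# mod == 11b; every such ModRM byte (C8h..CFh) is an invalid form that trips
# the Pentium erratum. The tutorial's byte is C8h (eax).
LOCK_PREFIX = 0xF0
CMPXCHG8B_OPCODE = bytes([0x0F, 0xC7])


def is_f00f_modrm(modrm: int) -> bool:
    """True if the ModRM byte selects /1 (cmpxchg8b) with a register operand."""
    mod = modrm >> 6
    reg = (modrm >> 3) & 7
    return mod == 3 and reg == 1


def find_f00f(data: bytes) -> List[int]:
    """Return the offset of every LOCK CMPXCHG8B reg sequence in data."""
    hits = []
    i = 0
    while i + 3 < len(data):
        if (data[i] == LOCK_PREFIX
                and data[i + 1:i + 3] == CMPXCHG8B_OPCODE
                and is_f00f_modrm(data[i + 3])):
            hits.append(i)
            i += 4          # skip past the match; sequences cannot overlap
        else:
            i += 1
    return hits


# Constructed sample (our own, assumed 16-bit code): the tutorial's snippet.
#   3D 28 00      cmp  ax, 28h
#   74 04         je   not_emulated      ; skip the next 4 bytes
#   F0 0F C7 C8   lock cmpxchg8b eax     ; the F00F bytes, at offset 5
#   C3            ret                    ; not_emulated:
SAMPLE = bytes.fromhex("3D 28 00 74 04 F0 0F C7 C8 C3")

# Constructed clean sample: a lock prefix on a legal instruction (lock inc
# [bx] = F0 FF 07) and a memory-operand cmpxchg8b (F0 0F C7 0F), which is a
# valid instruction and must not be reported.
CLEAN = bytes.fromhex("F0 FF 07 F0 0F C7 0F 90")


if __name__ == "__main__":
    for name, blob in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name, "F00F at offsets:", find_f00f(blob))
```

   Legacy prefixes between F0 and 0F are not considered, and a virus could of
course assemble the four bytes at run time, which is one more reason the
emulator itself also has to treat the instruction as a fault rather than
execute it or give up on the file.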


   How many end users are going to restart the computer and try scanning that
file again when the last time it hung the computer? In the Microsoft age of
idiot-friendly operating systems, not many. If they don't know what's going on
and the machine hangs, they just won't do it again. If they do once, they
won't twice. Take the virus hoax emails that constantly do the rounds: most
people know better than to respond and forward the mail, but the fact that
they carry on spreading shows just how many idiots there are out there who
are only just capable of using a computer. These are the people who will not
scan your file but simply add it to the ignore list, leaving it to go about
its business.

   Another method is the time-wasting method. Again it's down to annoying the
user so much that they don't bother scanning. If you can go round enough loops
when you find emulation that the scanner takes minutes just to scan one file,
the scanner will probably only be run overnight and taken off constant
background monitoring. That gives you a day to spread, and spread unnoticed.
Bear in mind that an emulator normally caps the number of instructions it
will execute per file, so the loop costs the scanner at most that budget; it
slows the scan down rather than stalling it.




   Contact
----------

   Comments/questions/suggestions/bug reports/etc. are welcomed as always,  as 
long as it is kept reasonable.
                                                                     - MidNyte




|  midnyte01@excite.com | www.coderz.org/midnyte | www.shadowvx.com/midnyte  |