fAMINE's VX Homepage
///// August 24th, 2009 /////
Well, almost two months since my last entry, I've decided to add another: I had intended to do this sooner but
there simply hasn't been enough interesting news in my virtual life lately to make it worthwhile. I spent most of
July on vacation, and since getting back I've allocated most of my computer time to finishing my Win32.Kurast
virus, which I started writing almost 4 months ago. I'm fairly confident that I will have it finished and debugged
within the next few weeks, however some larger and more complex aspects of the project I have had to simply
abandon, due to lack of motivation (working on the same piece of code for months on end can do this). At this
point I would like to produce a fully-functional copy of the virus, and move on to a new project.
Having long since finished the internal metamorphism engine for this virus, I have been struggling with writing
a very small, optimized, and yet easily morphable and simplistic infection routine. One of the more difficult
challenges for this virus was the ability to relocate itself across multiple segments (code branching to other
code in other cavities) but I ran into several problems here. Perhaps the biggest of these problems is that due
to the way I coded the relocation functions for this virus (I used a very unusual but entirely original method)
I cannot change the size of a Jxx displacement (8bit not big enough? make it 32bit, or vice versa). It is somewhat
difficult to explain, but it boils down to this: the virus has no way of knowing if a displacement is too big or too
small until the relocation phase, where my engine looks back over its recorded changes in instruction length
and modifies all Jxx/Calls that are affected accordingly. The obvious problem is that the virus would have to relocate
after relocating a Jxx inside the relocation phase... which may then have to be relocated yet again, and again.
This basically meant that I had to use 32bit displacements universally for all Jxx instructions... which is where I hit
my second big problem: there is no such thing as an inter-segment Jcc instruction. After writing macros to fix both
of these problems, the code size grew by almost 1KB, and I felt as if my original vision for this virus was simply
flawed, and would need a lot more effort to correct and realize properly.
Overall I'm disappointed at not being able to finish this virus in the way I first envisioned it, but I'm happy to be
finishing a large virus project, perhaps the first code that I can ever truly say I am "proud" of.
I'm hoping that the metamorphism, EPO, and epic payload of this virus make up for its poor infection routine.
///// June 29th, 2009 /////
After some procrastination, I went ahead and wrote a program to collect cavity statistics for Windows systems.
The results that I am publishing here represent cumulative data collected on two of my personal machines
running under Windows XP. I am currently in the process of collecting these same statistics on a much broader
range of Windows machines, however I am still unsure of when these statistics will be meshed and completed.
In any case, the idea here is to give a cavity virus "in the wild" a good idea of its chances of survival, based
upon its size:
Cavity scanner results:
In Windows system directories (SFC protected executables):
Average number of cavities: 2
Average size of code cavity: 402
Average (combined) size of other cavities: 603
In Program Files directory (regularly executed applications):
Average number of cavities: 4
Average size of code cavity: 748
Average (combined) size of other cavities: 1256
A closer look at the logs shows that a significant majority of common user programs, such as games,
software such as Adobe (Flash, Acrobat, Photoshop) and Microsoft Word/Works, Open Office,
Internet Explorer, Java, and even Windows Media Player contain executables that consistently carry a section
alignment of 4096 bytes. This is important because nearly all of these programs are installed on Windows
systems by default. A 4096 alignment means many potential KB of cavity space, and an almost guaranteed infection,
or even double-infection for even a bulky cavity virus.
Conclusively, Windows system executables contain a solid average of about 1KB of cavity space.
Program files, on the other hand, carry an average cavity space of around 2KB, and can potentially
carry a cavity as large as almost 20KB. A complex cavity virus will consistently have a high
chance of infecting commonly executed files on an average Windows XP OS.
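As an added example (not the author's cavity scanner), here is a defender-side check that parses PE section headers and measures the same file slack the statistics above describe, flagging slack that holds non-zero bytes, since linker padding is normally all zeros. The PE it builds is a constructed header-and-padding stub, not a real program, and the 402/900-byte section sizes are chosen only to mirror the figures above.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def section_cavities(data):
    """Parse a PE image and report, per section, its file slack (bytes between
    VirtualSize and the FileAlignment-padded SizeOfRawData), whether it is an
    executable section, and whether the slack holds non-zero bytes (linker
    padding is normally all zeros, so non-zero slack deserves a closer look)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sec_off = pe + 24 + opt_size               # first IMAGE_SECTION_HEADER
    report = []
    for i in range(nsec):
        off = sec_off + 40 * i
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        used = min(vsize, rawsize) if vsize else rawsize   # VirtualSize 0: treat as full
        slack = data[rawptr + used:rawptr + rawsize]
        report.append({"name": name.rstrip(b"\0").decode(), "slack": len(slack),
                       "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                       "suspicious": any(slack)})
    return report

def build_sample(file_align=0x1000, inject=b""):
    """Constructed minimal PE32 stub (headers and padding only, not a runnable
    program): .text holds 402 used bytes, .data 900. `inject` is written into
    the .text slack to simulate something hidden in a cavity."""
    sections = [(b".text", 402, 0x60000020), (b".data", 900, 0xC0000040)]
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, file_align)      # SectionAlignment, FileAlignment
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    img, bodies, raw_ptr = bytearray(dos + b"PE\0\0" + coff + opt), b"", 0x200
    for i, (name, vsize, chars) in enumerate(sections):
        rawsize = -(-vsize // file_align) * file_align        # round up to FileAlignment
        body = bytearray(rawsize)
        body[:vsize] = b"\xCC" * vsize                        # stand-in for real content
        if name == b".text":
            body[vsize:vsize + len(inject)] = inject
        img += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000 * (i + 1), rawsize, raw_ptr, 0, 0, 0, 0, chars)
        bodies, raw_ptr = bodies + body, raw_ptr + rawsize
    return bytes(img) + bytes(0x200 - len(img)) + bodies
```

Run `section_cavities` over a real binary's bytes to see how the 4096-byte alignment mentioned above translates into per-section slack, and treat any executable section whose slack is not all zeros as worth a manual look.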
///// June 24th, 2009 /////
My Metamorphic code engine SPECTRE is very close to being completed in its beta form. Here
are some screenshots of generations one, two, and three of my Win32.Kurast virus, which
implements SPECTRE to mutate itself when it spreads.
///// June 24th, 2009 /////
Here is a simple non-fractioned cavity virus I wrote recently for Windows systems. It's
very small and optimized (355 bytes without the payload) but the interesting news ends
there. In any case, one more win32 assembler virus for the bin: Win32.Pestilence.
///// June 23rd, 2009 /////
Greetings and welcome to my homepage: here I will be posting articles and source codes
relating to computer viruses, code mutation, and similar topics in time to come. Huge
thanks go to VXHeavens for hosting my page.
fAMlNE [at] yahoo [dot] com