РусскийEnglishУкраїнськаDeutschEspañolFrançaisItalianoPolski

VX Heavens

Library Collection Sources Engines Constructors Simulators Utilities Links Donate Forum

Remote Polymorphism and Customized Viruses

freeon
DoomRiderz #1
April 2007

[Back to index] [Comments (1)]

0. Introduction
1. Finding specific requirements and making correct assumptions.
2. Using Communication and polymorphism.
3. Conclusion

0) Introduction

This article is a theoretical article more or less that is based on a set of concepts that are polymorphism and communication and combing these two concepts into a more advanced technique. The idea came to me when I was working on a new program, I was trying to understand the global workflow of a program from creation to use.

Basic Steps:

1. An idea is conceived with a purpose.
2. The idea is turned into a set of assumptions/requirements.
3. The developer creates the code based on the assumptions and requirements.
4. The program is finished and is implemented into a system and executed.

For every virus and worm there is a purpose which the author wants it to serve. Since the virus/worm is bound to a set of requirements it's illogical to concieve that it will be able to be as effective as it could be. For example a skype worm assumes that the system has skype installed. A prepender virus assumes that it will be able to find executables with write permissions to infect. Now this is fine if you want your virus/worm to spread to only those mediums but if these assumptions are false the virus/worm doesn't stand a chance.

So now we have a couple different problems.

1. How and where is the virus/worm supposed to get and know what the requirements are for each system
2. How is the virus/worm supposed to be able retrieve and communicate specific information based on the system in order to make a virus/worm won't fail.
3. How is the virus/worm supposed to be able to morph itself to something that is specific to the requirements.

1) Finding specific requirements and making correct assumptions.

Requirement:

A requirement is something wanted or needed in order for something to continue.

Assumption:

a fact or statement (as a proposition, axiom, postulate, or notion) taken for granted.

So we know what a requirement and an assumption are. The main goal though however is to make the correct requirements and assumptions for our virus/worm for a specific system.

Finding these are easy. Most of us have done them before in our viruses/worms. In most cases we do it by checking if something exists. For example we check directory paths,registry entries,chat clients. Below is a list of obvious requirements for most viruses/worms.

• email clients (outlook,thunderbird,evolution)
• instant messaging (skype,irc,aim,msn,yahoo)
• p2p (Ares,Kazza,limewire)
• running services (http,ftp,ssh)
• internet connection type (dial up, cable, vpn)
• network shared folders (\\computer\$c)
• computer paths and drives (C:\,hda)
• usernames and user permissions
• archiving programs (zip,rar)
• system information (o.s. version, hard drive size, runtime env.)
• antivirus information (norton,fpe etc..)
• firewall information

Now what we see now are virus/worms out there that cater to a hole bunch of different software. They try and pack network spreading, p2p, email spreading all into one program. This has several drawbacks for example to name a few

1. file size increases
2. chance of error is increased.
3. more constants are used.
4. ability for antivirus to detect is much easier.

The idea is to try and pack so much in it that won't fail. Now we are going to take the opposite approach we are going to make a customized virus/worm based off the system itself the idea of polymorphism with an interesting twist.

2) Using Communication and polymorphism..

Now previously we talked about how information is gathered and can be used to make a customized virus. Now we can go more in depth more.

First we start with our virus/worm we will call it BOB. Consider BOB as the creator, GOD, whatever. BOB creates 2 programs we will call one Tommy and another called Emily. Each program is generated with random variable names, body moving, etc.. to keep being detected.

	---------	-------
	|	|=======|tommy|
	| BOB	|	-------
	|	|=======|emily|
	---------	-------

BOB's purpose:

1. Create tommy and emily and make sure their code is different each time they are created.
2. Upon system start BOB will start tommy and emily to make sure they are running.
3. If tommy or emily is deleted he will create a new varient to replace the one that was lost.
4. Makes sure he's not deleted from autorun.
5. Based on system information program tommy to spread to other systems and collect information.

Tommy's Purpose:

Tommy is the hunter and gatherer. His main purpose is to get off the system. and get onto another system. Once he's on another system and excuted he collects and gathers information on the new system and sends it to Emily.

1. spread to other systems with specific options coded from BOB
2. once executed on another system.
   1. check for another BOB, if another BOB varient is not found then
      1. collect information on the system
         • communication mediums
         • system information
      2. send information to emily
         • if cant connect
           • try ip address of previous infected system
           • loop and keep trying
           • scan ip ranges for emily to find a infected system.
      3. recieve code from emily
      4. compile code, if code compiles correctly with no errors:
         1. execute generated executable (BOB)
            1. if launch is successful
               1. terminate, goto BOB process and start over. else goto step 2) and try again

Emily's Purpose:

Emily is to remain on the system. She is going to act as the reciever and creator much like a female in real world :) . She basically will listen for information, decide based on that information what options to build code for and send the code back to tommy which is on the new system

1. Listen for incoming connections, if connection is made
   1. recieve information for new system
   2. based on information build code to buid a new customized BOB.
      • change variable names
      • if av is on the system put in code to disable av at startup
      • body moving to make sure that code is executed in different places
      • logic changes
      • change loop types
      • include ip and information of the infected host it's running on
      • decide which startup method to do
      • autorun registry
      • installation path and registry name to check
   3. send code back to tommy on the new system.
   4. end communication and resume listening.

Now you might be saying this is great but why do I need all these programs I can program all this in one program and Yes you could but the idea is that one program that acts as a poly engine which creates a specific virus (Emily) for the computer it's going to run on another advantage is that you keep everything small and portable. Tommy will be generated very small and has a higher probablity of not failing, and BOB has the ability to make sure that his children are working correctly which is good preventative measures.

3) Conclusion

Although this concept may seem a little to abstract and far fetched it solves problems to bloated viruses, it makes our virus/worms more accurate in completing their purpose, it makes it harder for antivirus to detect all the varients that our poly engines can create, and it adds protection and prevenative measures. I hope this text makes some sense and you can take something from it and use it. Thanks for reading!

[Back to index] [Comments (1)]