VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum
Top 5 articles
Black Wolf «Virus in C» (83946)
GriYo «EPO: Entry-Point Obscuring» (17292)
S. King, P. Chen, Y. Wang, C. Verbowski, H. Wang, J. Lorch «SubVirt: Implementing malware with virtual machines» (16560)
M. Rieback, B. Crispo, A. Tanenbaum «Is Your Cat Infected with a Computer Virus?» (15529)
Z0mbie «"DELAYED CODE" technology (version 1.1)» (15045)

Library: Virus technology

«Polymorphic Compilation (just some crazy thoughts)» 6.94Kb 9431 hits
29a [#8 (2004)
Generally, we speak about "mobile" code (we say just "code"). This means some special look to some snippet of the executable code, when this code is considered as cpu/os/file format - independent; the thing remaining is code itself.
«Noisy Waves: TRNG virus» [SRC] 5.16Kb 5183 hits
Valhalla #3 (2012)
It is uncommon to find viruses which use hardware enhancements. I heard of a virus which uses GPU to decipher its code. At the time I already knew about hh86's work on Intel AES-NI instruction set to assist AES encryption. It is common, however, to associate viruses and microphone devices in espionage. I present here another technique.
Belial, SPTH
«Crazy ToDo list for VXers» [SRC] 12.9Kb 5589 hits
Valhalla #2 (2012)
We present a set of crazy ideas for VXers which came to our minds in the last couple of months. Even it would require a lot of work, realisation of any of these ideas would have a great impact.
«EPO techniques under Win32» 6.4Kb 9231 hits
29a [4full] (2000)
Well, whatsa go? That's the main question. Entrypoint Obscuring techniques, also abrieviated as EPOs, r relatively new but very efficent ways how to make your virus undetectable by existing heuristic scanners. The main idea is: don't modify entrypoint, don't activate virus immediatelly when infected program is executed, dig the "JMP VIRUS" instruction into the center of program. For instance, virus won't be activated when the program will be executed, but when program will call ExitProcess API. Why do we do that? It's very simple. Heuristic scanners can't analyse whole Win32 program (in short words, it's just not possible for existing scanners) and if virus code will be hidden inside the program, heuristic scanners won't be able to reach the virus code and so, virus won't be detected. In my opinion, every modern virus should contain EPO routines. And if the ways of realising EPOs will be random, it would be impossible to clean the virus. Think about it.
Billy Belcebú
«32 bit optimization» [SRC] 13.1Kb 6206 hits
DDT [1] (1999)
Ehrm... Super should do this instead me, anyway, as i'm his pupil, i'm gonna write here what i have learnt in the time while i am inside Win32 coding world. I will guide this tutorial through local optimization rather than structural optimization, because this is up to you and your style (for example, personally i'm *VERY* paranoid about the stack and delta offset calculations, as you could see in my codes, specially in Win95.Garaipena). This article is full of my own ideas and of advices that Super gave to me in Valencian meetings. He's probably the best optimizer in VX world ever. No lie. I won't discuss here how to optimize to the max as he does. No. I only wan't to make you see the most obvious optimizations that could be done when coding for Win32, for example. I won't comment the very obvious optimization tricks, already explained in my Virus Writing Guide for MS-DOS.
«Harder to detect (theory)» 11.02Kb 5243 hits
DDT [1] (1999)
Make your viruses harder to be detected: that's the objective of this little tute. There're some techinques that are very necessary to implement, such polymorphism and stealth. Without them, we are lost. So we need them as a base weapon for remain undetected. With stealth i mean full stealth, and with polymorphism i'm talking about a good engine.
Black Wolf
«Virus in C» 10.44Kb 83946 hits
Another possibility with high-level languages, however, is a source-code virus. This kind of virus is quite rare (to the best of my knowledge) but could be very effective.
Mike Bond, George Danezis
«A Pact with the Devil» 37.99Kb 10278 hits
Proceedings of the 2006 workshop on New security paradigms, pp. 77-82 (2006)
We study malware propagation strategies which exploit not the incompetence or naivety of users, but instead their own greed, malice and short-sightedness. We demonstrate that interactive propagation strategies, for example bribery and blackmail of computer users, are effective mechanisms for malware to survive and entrench, and present an example employing these techniques. We argue that in terms of propagation, there exists a continuum between legitimate applications and pure malware, rather than a quantised scale.
«Communicating Viruses» 5.39Kb 11118 hits
Viruses do already communicate. They may f.ex communicate with themself or with a computer. Ex monologue: What's the address of my variable anastasia? Ex dialogue: What's the PID of miriam.dll? What if viruses could communicate with each other? How should they do it? What should they communicate about? The weather?
Dark Angel
«Code Optimisation, A Beginner's Guide» 6.19Kb 12545 hits
40hex [9] (1992)
When writing a virus, size is a primary concern. A bloated virus carrying unnecessary baggage will run slower than its optimised counterpart and eat up more disk space.
«Capture the desktop - scan .LNK files for victims» [SRC] 24.6Kb 9180 hits
29a [#8 (2004)
Some people have a clean desktop other people have the total choas in the front of them. I speak about "Windows Shortcut Files" aka .LNK files. The shortcuts to applications, documents and other files. Most of the computer noobs use the desktop and the shortcuts very often, why not, the installation programs ask always to create a desktop shortcut. So this is a good way to find victims to infect (eg PE EXE files), if the shortcut file (.lnk) knows where the linked application or document is, we know it too (or must scan the .lnk file to know it).
«Some stealth idea's» [SRC] 7.75Kb 9144 hits
Ready Rangers Liberation Front [6] (2005)
In this article I want to give you some thoughts i had. It's somethin like stealth, but nothin to do like macro stealth or EPO ;). It's about how to hide the own process, how to hide a entry in the registry and how to store files that the user (the dumb one) can't see it. It's all theoretical, I have all source's working here, but I want that you think by yourself ;). It's all possible... So let's go, hide our "bad" program.
«Using the .NET runtime compiler for file infection» [SRC] 13.98Kb 8466 hits
Electrical Ordered Freedom #1 (2006)
Hello and welcome to my second article on .NET and C#. Again I got bored of programming in C++. So, this is again a sidestep in the easy and simple world of .NET programming. In this tutorial I describe how to infect executables by using the .NET runtime compiler. Also I provide a workin source code with comments and ideas/hints how to make a real virus with this technique.
«Crawling - A unique spreading technique» [SRC] 15.29Kb 11439 hits
DoomRiderz #1 (2007)
This article is the basis for talking about a possibly overlooked effective spreading technique. We often think of spreading our worms/viruses based on what a user will use to communicate with other humans. This usually takes the form of email, IRC or any Instant Message application, p2p, exploit scanning. Now each one of these techinques are usually enough to propagate our worm to another host.
«Remote Polymorphism and Customized Viruses» 8.17Kb 10233 hits
DoomRiderz #1 (2007)
This article is a theoretical article more or less that is based on a set of concepts that are polymorphism and communication and combing these two concepts into a more advanced technique. The idea came to me when I was working on a new program, I was trying to understand the global workflow of a program from creation to use.
«EPO: Entry-Point Obscuring» 16.43Kb 17292 hits
29a [4full] (2000)
[...] The virus can overwrite the first instruction (the one pointed by the entry-point field in file header) with a jump or call to itself [...]
Nick Haflinger
«Virus Spreading - Fast Or Slow?» 3.79Kb 8550 hits
40hex [2] (1991)
One of the questions while writing your virus is how quickly you want it to spread. The easy answer is "As fast as possible" but this is not always the best answer. If a virus moves slowly, it will take much longer before somebody notices hard drive space disappearing, he/she will notice fewer changes to the file dates, and all other symptoms will be lessened. However, this does provide longer for anti-virus people (pronounced Scum, with a capital S) to discover the virus. This issue ties directly into the issue of activation, short or long. Since the issues are virtually identical, I will cover both together, because they are so closely tied.
«Inversing a random numbers» [TeX] [SRC] 7.21Kb 14106 hits
Virus Writing Bulletin [1] (2011)
It is desireable feature for a polymorphic virus to avoid linear memory access during decryption. In 2000 The Mental Driller proposed an algorithm, known as PRIDE [1] which could easily produce a large number of permutations. In this paper I would present another technique to randomize the memory access within decryption loop, based on the linear and inversive congruential random numbers generators which properties are well characterized.
«BTX encryption» [SRC] 4.02Kb 9999 hits
Virus Writing Bulletin [1] (2011)
This instruction test in bit base: the bit specified by offset. Carry flag is set according to test, if bit was 0 then CF = 0 else CF = 1. The bit is then set to 1. This means that we can use BTS to set every bit individually from each virus value. You can use it to set random bit to complete a bit string:
«Debug Assisted Decoding» [SRC] 6.64Kb 4839 hits
Valhalla #3 (2012)
This is an old project I had. I worked on it one night a year ago but did not work on it any further. Source code was lost. But now I have a new one. This is also a remake of W32/POSEY (Peter Ferrie called it W32/Tussie, see Virus Bulletin, August 2012). I have no idea why they change the name to my code, but I call this one W32/Atlas. It is my first virus to implement debugging techniques.
«Infect Using CFF Explorer Scripting» [SRC] 8.61Kb 5636 hits
Valhalla #3 (2012)
There is a tool, CFF Explorer, it is my favorite. I saw myself in a dream writing this very same article, with no intro. So, I knew to make my first virus using this tool. I call it W32.CFFE.
«Infecting PE files with Java Bytecode» [SRC] 6.11Kb 5866 hits
Valhalla #4 (2013)
Java Bytecode is the instruction set from the Java Virtual Machine. We all know that Java is primary language to compile its source code to Java Bytecode. But there are other languages that also produce Java Bytecode (for example, Scala, Clojure, Groovy) and use the Java Virtual Machine.The binary file produced that contains the code that is run by the virtual machine is the Class file. Recently I learned how can you use the virtual machine from native programs (in Java they call "native" those files that belong to a operating system). Since there is no Java virus to infect PE32 executable files, I thought to make a low-level one. ;)
«Inline JScript For x86 Cryptography» [SRC] 5.25Kb 4970 hits
Valhalla #3 (2012)
I have written a lot of script viruses, and even more machine code viruses. In Valhalla 1, I wrote a JScript that used the .NET Framework to get obfuscated and compiled into an executable file. It was the first time I put JScript in binary file. However this time I present a new and different technique. This is my first W32 virus to have inline JScript code using it for cryptography. I call it W32/Unit00. You get the best of both worlds. ;)
«Java Class infection from PE32 files» [SRC] 6.25Kb 5368 hits
Valhalla #4 (2013)
This is my second virus to target the Java platform (Java.Sojourner was the first one), and this is my first file infector for Java classes. It is a direct action infector of Class files in current directory. A new method containing the dropper code is inserted in the Class. It uses a new EPO technique. It is the world's first W32 virus to infect Class files.
«The Masquerader» [SRC] 3.85Kb 6707 hits
Valhalla #1 (2011)
For long time I wanted to use a MMX decryption engine. MMX was introduced by Intel earlier, and it has lots of complex instructions. Then AMD introduced few more instructions for it. Which I forgot in the time. And then some of them went for SSE by Intel little later. However, for this virus I didn't employed any of those complex shuffling, packing, or logic instructions. I only wanted one: MASKMOVQ.The interesting about this instruction is that it moves to memory a 32/64-bit value conditionally. It takes two operands, source which holds value to move. Second operand is mask, the mask specifies which byte of the source must move to memory. If most significant bit of each byte is on (in mask), then byte source is moved to memory (memory pointer is always in EDI/RDI), if off then nothing.
hh86, SPTH
«The flag of virtual space: Nonstandard Code Recreation» [SRC] 8.79Kb 4861 hits
Valhalla #2 (2012)
We consider non-standard ways to reconstruct the information of the code.
«Multi-Platform Viruses Made Easy - A Case Study» 9.96Kb 7777 hits
Valhalla #4 (2013)
This article is written to give the reader an insight to different methods and examples of cross-platform viruses, and hopefully an insight on how easy it can be using the 'CAPZLOQ TEKNIQ/Clapzok model' used by the author of this model. I am not saying that the other cross-platform viruses aren't great work, I simply believe this model is the simplest and easiest, thus far.Although there are many cross-platform viruses out there, such as binary/executable infecters, script viruses and macro viruses - this article will focus soley on binary/executable infectors.
«A few ideas for viruses» 9.61Kb 10408 hits
Coderz [1] (2000)
These are difficult times for us, virus writers. No, I don't mean the cops, society or the press. I mean the process of writing a virus. Yes, there are tons of materials about this subject and quite some people who can help, but that's usually by a technical problems. What if you want to do something radically new? It's actually not so easy coz everything has already been done: polymorphic macroviruses, access infection, LINUX-viruses. You can realize some parts of the virus in a never-seen-before way, but these parts are mainly only some solutions to some x technical problems. But you want to do something new and interesting, something like the spying virus from CodeBreakers or the payload of CIH. Maybe this article will help you.
Samuel King, Peter Chen, Yi-Min Wang, Chad Verbowski, Helen Wang, Jacob Lorch
«SubVirt: Implementing malware with virtual machines» 64.14Kb 16560 hits
Attackers and defenders of computer systems both strive to gain complete control over the system. To maximize their control, both attackers and defenders have migrated to low-level, operating system code. In this paper, we assume the perspective of the attacker, who is trying to run malicious software and avoid detection. By assuming this perspective, we hope to help defenders understand and defend against the threat posed by a new class of rootkits.We evaluate a new type of malicious software that gains qualitatively more control over a system. This new type of malware, which we call a virtual-machine based rootkit (VMBR), installs a virtual-machine monitor underneath an existing operating system and hoists the original operating system into a virtual machine. Virtual-machine based rootkits are hard to detect and remove because their state cannot be accessed by software running in the target system. Further, VMBRs support general-purpose malicious services by allowing such services to run in a separate operating system that is protected from the target system. We evaluate this new threat by implementing two proof-of-concept VMBRs. We use our proof-of-concept VMBRs to subvert Windows XP and Linux target systems, and we implement four example malicious services using the VMBR platform. Last, we use what we learn from our proof-of-concept VMBRs to explore ways to defend against this new threat. We discuss possible ways to detect and prevent VMBRs, and we implement a defense strategy suitable for protecting systems against this threat.
William Mahoney, Craig Pokorny
«Do-It-Yourself Guide to Cell Phone Malware» 18.06Kb 12125 hits
IJCSNS International Journal of Computer Science and Network Security, VOL.9 No.1, pp.248-252 (2009)
The authors present recent research they have conducted to determine the simplicity of constructing malicious code for cell phones. The results are quite surprising, due to the straight-forwardness of the programming interface and the availability of tools. Our paper recounts the results of a simplistic search for off-the-shelf code which can be utilized for the creation of malicious software for cell phones. Our search yielded a self-replicating phone virus which we simulated in a contained environment.
«Writing disassembler» [SRC] 19.71Kb 11971 hits
Disassembler engine it's some procedure that take some pointer to assembled code (for example it takes it from some exe file from .text (.code) section. Then it disassembles it to some user-friendly structures. Normally assembled instructions have different length and it's hard (or impossible) to manipulate them without disassembling.
«EPO - entrypoint obscuring» [SRC] 10.32Kb 5633 hits
Matrix Zine [2] (2000)
EPO is next of many ways to fuck AVs (at least a litle). The point is, that the entrypoint in PE header will not be overwritten by jump to virus body. This jump must be set somewhere in the 'CODE' section, in the jam of instructions after entrypoint. Problem is, we cant write our jump anywhere we can, coz we could fit in the 'middle' of instruction. Well, the 'we could' expression is not good, better is 'we will probably allways' fit in some instruction. So, we have to find address which wont destroy instruction. There's several ways of EPO now. I'll describe some.
«Emulation: Transposition of Control (From Anti-Virus to Virus)» [SRC] 9Kb 5245 hits
Valhalla #2 (2012)
In the last few years, sandboxing and emulation have become vital for anti-virus detection mechanisms. By a rather shaky definition, emulation is composed of two different execution environments, one of which has a control over the other. AV emulators generally have two separated CPUs and thread contexts, despite running on only one thread.It is possible to harness the power of emulation for the purpose of securing a virus payload (or body) code. Emulation can also be used to increase the complexity of reverse engineering (especially debugging). An obvious red flag would be common decryption loops: once control is passed to the payload, it becomes easier for the AV to perform analysis on the decrypted image. Hence, it also becomes possible to reduce heuristic analysis through the use of an emulator.win32.evenstar utilizes a prototype x86 pseudo-emulator. The virus body is encrypted instruction by instruction using a basic xor algorithm, although it is certainly possible to install a more sophisticated encryption scheme.
Andreas Moser, Christopher Kruegel, Engin Kirda
«Limits of Static Analysis for Malware Detection» [TeX] 55.71Kb 11062 hits
Malicious code is an increasingly important problem that threatens the security of computer systems. The traditional line of defense against malware is composed of malware detectors such as virus and spyware scanners. Unfortunately, both researchers and malware authors have demonstrated that these scanners, which use pattern matching to identify malware, can be easily evaded by simple code transformations. To address this shortcoming, more powerful malware detectors have been proposed. These tools rely on semantic signatures and employ static analysis techniques such as model checking and theorem proving to perform detection. While it has been shown that these systems are highly effective in identifying current malware, it is less clear how successful they would be against adversaries that take into account the novel detection mechanisms.The goal of this paper is to explore the limits of static analysis for the detection of malicious code. To this end, we present a binary obfuscation scheme that relies on the idea of opaque constants, which are primitives that allow us to load a constant into a register such that an analysis tool cannot determine its value. Based on opaque constants, we build obfuscation transformations that obscure program control flow, disguise access to local and global variables, and interrupt tracking of values held in processor registers. Using our proposed obfuscation approach, we were able to show that advanced semantics-based malware detectors can be evaded. Moreover, our opaque constant primitive can be applied in a way such that is provably hard to analyze for any static code analyzer. This demonstrates that static analysis techniques alone might no longer be sufficient to identify malware
«Assembly language or HLL?» 6.93Kb 8970 hits
*-zine (Asterix) [2] (1999)
If we can handle such a complexe target as PE files are we are facing the sad fact we can infect files on the Intel platform but we can never get outside this platform. Rare exception from this axiom is virus Esperanto (by Mr. Sandman published in 29A Nr. 2) which is the first of its kind, capable of speading on various platforms and processors. Glory goes to Mr. Sandman but unfortunately, this approach cannot be used for larger projects. Whole Esperanto's solution is based on presence of two parts - one for intel processors, the other for Macs, practically doubling the size of necessary code. It doesn't seem to be the ideal solution, let's image the 50 kB viral code for three processors and we well land somewhere around 150 kb maxivirus.
«Polymorphic file virus BEETLE» [SRC] 11.33Kb 8271 hits
Inception #1 (EN) (2013)
Detailed description of Beetle virus.
«Infecting JAR-Files using the JavaCompiler Class» [SRC] 5.45Kb 5821 hits
Valhalla #3 (2012)
So I was playing around with the JavaCompiler class [3], trying to write a polymorphic code and I wasn't able to get it running because you need to write the source code in a string and reassemble it every time containing its own code again and every time I got another error while compiling. Maybe I will get it running someday. But that gave me the idea of a new way to infect JAR files.
Melanie Rieback, Bruno Crispo, Andrew Tanenbaum
«Is Your Cat Infected with a Computer Virus?» [SRC] 45.92Kb 15529 hits
Proc. 4th IEEE Intl. Conf. on Pervasive Computing and Communications. (PerCom 2006), Pisa, Italy, March 2006. (2006)
RFID systems as a whole are often treated with suspicion, but the input data received from individual RFID tags is implicitly trusted. RFID attacks are currently conceived as properly formatted but fake RFID data; however no one expects an RFID tag to send a SQL injection attack or a buffer overflow. This paper is meant to serve as a warning that data from RFID tags can be used to exploit back-end software systems. RFID middleware writers must therefore build appropriate checks (bounds checking, special character filtering, etc..), to prevent RFID middleware from suf- fering all of the well-known vulnerabilities experienced by the Internet. Furthermore, as a proof of concept, this paper presents the first self-replicating RFID virus. This virus uses RFID tags as a vector to compromise backend RFID middleware systems, via a SQL injection attack.
roy g biv
«EPOlution: The Evolution of Entry Point Obscuring» [SRC] 5.49Kb 9516 hits
Ready Rangers Liberation Front [7] (2006)
Entry Point Obscuring techniques have been developing for a long time already, since even the days of DOS and 16-bit Windows. We have seen code tracing using interrupt 1, changing of relocation items, call/jmp replacement, and stack frame replacement.
«GPGPU using OpenGL» 4.01Kb 4959 hits
Valhalla #3 (2012)
GPGPU stands for General Purpose Graphics Processing Unit. It means to do non-video calculations using the video card hardware. We want to do that because video card hardware runs very fast and operations can be done in the background. It is also super anti-emulation environment.
«The Hiew Plugin framework» 3.74Kb 10549 hits
Many people know about Hiew. It is great tool for viewing and editing files. It supports arithmetic operations and has an assembler, so it can be used for all kinds of reverse-engineering, unpacking, decrypting, etc. In case that was not enough functionality, it also supports plugins.
«More Ins and Outs of JunkMail» [SRC] 9.08Kb 7656 hits
Ready Rangers Liberation Front [7] (2005)
Do you remember W32.Junkmail? It was publised in 29A#7/Articles/29A-7.009. It brought to you some new techniques for e-mail speading. Now there is W32.Junkmail.B, which takes those techniques even further.
«Register Initialising Using Only Arithmetic Instructions» [SRC] 6.42Kb 7532 hits
Ready Rangers Liberation Front [7] (2006)
Probably all polymorphic engines use explicit register initialising. It means that anyone can see the start of the decryptor because of these instructions. We can try to hide the decryptor by using lots of fake routines and similar tricks, but we can't completely avoid this problem. Or can we?
«Virtual Code» 6.29Kb 5519 hits
Electrical Ordered Freedom #2 (EOF-DR-RRLF) (2007)
This is an idea that I had after I read about the Locreate in Uninformed #6 journal. There, the author describes about relocation data being used to alter the in-memory image. We have seen this before, where a virus uses relocation data to decrypt itself. The author talks about packer but it is really cryptor. There are some interesting things in the article, but it was not very special for me. So, my idea is to remove all code from a section, and use relocation data to restore it. Since the section is now only in virtual memory, I call it virtual code. It seems that IDA does not support multiple relocations being applied to the same location, so it cannot handle my files. :)
«Preserving Infections» 17.25Kb 10280 hits
Insane Reality Magazine [8] (1996)
In IR magazine issue #7 I presented an article named `Post Discovery Stratagies'. This article discussed measures that could be taken to protect your virus from analysis by AV researches, once it had been discovered. i.e. firstly, Pre-Discovery Stratagies (stealth) are used to reduce chances of the virus being discovered. Secondly, once the virus is discovered, Post-Discovery Stratagies (slow-polymorphy, anti-bait code, etc) are used to make it more difficult for the AV to write a program that can detect the virus. This article is the next stage - Now the virus can be detected, how can we stop them getting rid of it?This document will be divided into two sections - one discussing preserving file infections, and one discussing preserving boot infections.
«Code Mutations via Behaviour Analysis» [SRC] 21.47Kb 9290 hits
Virus Writing Bulletin [1] (2011)
The basic idea is: The file analyses the behaviour of its own code and compares it with the behaviour of a randomly generated code. If the behaviour is the same, the original file-code will be substituted by the new random code.
«Hashes for Encryption» [SRC] 9.62Kb 9589 hits
Electrical Ordered Freedom #1 (2007)
A hash function (or hash algorithm) is a way of creating a small digital "fingerprint" from any kind of data. You can neighter find the original fingerprinted string nor create a new string with the same checksum (without a great effort). Beside of rainbow-lists, bruteforce is the only way to find out what the checksum stands for. Bruteforce uses more time, the longer the fingerprinted data is. If hash functions will be used in viruses for encryption, antivirus programms would have to use a bruteforce attack to find the real virus code. As bruteforce requires much time, and less scanning time is essential for antivirus-programs, hash-encryption might be a useful weapon against antivirus programs.
«New era of bootsectorviruses #1: FAT12 IMG infection at Disks» [SRC] 17.06Kb 11961 hits
Ready Rangers Liberation Front [6] (2005)
Bootsector viruses were the first form of computerviruses. They were most widespread from the beginning of computerviruses until December 1995 (according to VirusBulletin). But then, Macroviruses (CAP, ColdApe, ...), Scriptviruses (Kak, LoveLetter, ...) and finally Win32 viruses (Sircam, Klez, Mydoom, Netsky, ...) were even more widespread, and the production of bootsectorviruses decreased to nearly zero. A reason for that could be, that it's damn hard (if not impossible) writing a bootsectorvirus, which stays in memory while the OS (Windows) loads. How did the old bootsector viruses work? When booting from an infected Disk, such a virus first infects the MBR (Master Boot Record) of the HD and the bootsector of the first partition. Then it stays in memory, let the OS load processing, and hooks (most times?) INT 0x21 for checking Disk access. OK, and what the hell will be the different between the old style of bootsector infectors and my once? My idea is to infect the Images of Disks/HDs/CD-ROMs. For that we don't need the INT 0x21, because we use our own File System driver (in this article here FAT12). For writing our own File System driver it's of course nessecary to fully understand how the system works. For my first article about new bootsectorviruses I'm using FAT12, because it's the most easy of all as far as I know. As FAT12 is just used for DISK, the article is just about .IMG file infection. IMG files are 1:1 images of Disks. As you may know, I wanted to infect CD-ROM Bootsectors, but that did not work with Disks, because ISO or NRI files are at least 2MB as far as I know. Anyway, let's start with FAT12 IMG bootsector infectors, next time let's move to CD-ROMs, ok? :D
«New era of bootsectorviruses #2: El Torito ISO infection at FAT32» [SRC] 19.01Kb 11080 hits
Ready Rangers Liberation Front [6] (2005)
This second tutorial about bootsectorviruses is about a very unusual topic: CD-ROM bootsector infection. How could we infect a bootsector of a CD-ROM? Via infecting bootable Images. The bootable CD-ROM images are called El Torito ISO-9660. This standart is very common, and used in many programs like Ahead Nero Burning ROM. El Torito ISOs are spread via the internet zB via Emule (Knoppix, Windows Installation CD-ROM, ...). Before reading this tutorial, it would be of some value to read the first article about this topic as I will not repeat too much. Well, let's start!
«C to assembly, language point of view» 6.13Kb 11031 hits
Xine [5]
Many of you think c is useless for viruswriter. Many poeple wich start vxing handle better c language than assembly one. But the true reason where C is locked for virus is the dependency of the compiler, wich block some special manipulation. But the use of a C compiler is not totally senseless. If the optimization is not perfect, it can build a code very proach and similar to the assembly one, if you follow some rules. Of course, you will loose a few size, but you will gain by stability, portability, and finally by coding much fastly your nice littles routines, that you may customize once in assembly.
The Mental Driller
«Formulas for Random Number Generators» [SRC] 13.24Kb 12980 hits
Matrix Zine [3] (2001)
When a polymorphic engine is done, we need a function to generate random numbers, but not always all the number generation routines are well done, because sometimes the results fall in a value loop that always return a value very near to the last one, or a numeric sequence easily predictable, which can make that our polymorphic engine generates not very polymorphic code.
«Several things to learn more (knowledge and code snippets)» [SRC] 10.51Kb 10326 hits
29a [6] (2002)
Guess what! Microsoft has bugs in the Kernel!! (oh, really????). Have you ever wonder why your polymorphic engine works fine and your virus not sometimes and what it's failing is the call to GetModuleHandle()? Well, one of the reasons can be the #@&$! bug that I realized to be even in Win2k: the direction flag (usually set to 1 with STD or cleared with CLD). Be sure that when you call to GetModuleHandle the flag is clear! This care must be special if we are coding polymorphic viruses (since it's a standard garbage instruction). What I wonder is WHY the programmers at Micro$oft relied at this fact when using LODS?/CMPS?/etc. (block instructions). Just test it: call GetModuleHandle passing "kernel32.dll" but first make STD. Exception for sure! And not an exception in our code, but in the kernel!
Tiberio Degano
«Easy To Infect Hard to Detect» [SRC] 24.82Kb 12408 hits
Decepticons #1 (2009)
This article taking about EPO. Many VXers don't care so much with EPO even (as I think) it's the most strong idea in the world of virus writing. The benefit of EPO that it doesn't have an One-Click-detect technique to detect it. The polymorphic engines become an easy thing for all emulators and also metamorphic. The truth that you should know that polymorphic engines now become useless against emulators.
«Theory Of Better File Virus Distribution (a study in new ideas?)» 10.79Kb 9657 hits
Jeffrey Walton
«Protection Schemes Based on Virus Survival Techniques» 88.04Kb 12318 hits (2007)
This article will examine the evolution of virus code as documented by Peter Szor in his book The Art Of Computer Virus Research And Defense [3], and apply what is learned in the context of Protection Schemes. Certain areas of virus research such as Basic Self-Protection Strategies (Chapter 6) and Advanced Code Evolution Techniques and Computer Virus Generator Kits (Chapter 7) provide a windfall of techniques. Other areas such as Malicious Code Environments (Chapter 3) provide additional methods; while areas such as Classification of Infection Strategies (Chapter 4) offers insight into data hiding. In addition, the article will address some of the issues presented by the x86 architecture and Operating System.
«Using Skype for VX» [SRC] 3.04Kb 12269 hits
DoomRiderz #1 (2007)
Skype is a very popular VoIP client, you can talk with all the world with few money and in every moment ( you need only a PC + skype ). This tutorial will explain you how to use the classical IM component of this program. The challenge is to create a full working VoIP worm :)
«VirtualBox's Virtual Disks Infection» [SRC] 23.4Kb 11288 hits
Electrical Ordered Freedom #2 (EOF-DR-RRLF) (2008)
The usage of virtualization technology is increasing more and more nowadays, mainly because of it's safe test environment and ability to run another system without the use of multi-boot. In this article we are going to speak about VirtualBox ( virtual disks infection. Let's go!
«"DELAYED CODE" technology (version 1.1)» 11.28Kb 15045 hits
Top Device Online [10] (2000)
Let we wrote a virus. Avers will create antiviral code to detect it, and after some time period all infected computers will be cured. This article describes another technology of prolonging this time period.
«About undetectable viruses» [TeX] 6.2Kb 4854 hits
29a [6] (2002)
Lets consider time of detecting a virus in some executable file.First, time depends on a set of possible variants of virus body. The more possible variants there are in the virus body, the more time needed to iterate them while checking files.This way is the simplest one, and it was choosen by viruses, when they morphed into crypt-, polymorphic-, permutating- and metamorphic- ones.
«Code transformation and finite automatons» 22.32Kb 11900 hits
«Disassemblers within viruses» 14.61Kb 11458 hits
One of such things is disassembler. It can be used everywhere, and wherever it used, especially in viruses, it gives good effect - mostly all good infection- and morphing- related technologies are based on disassembling.Code analysis and parsing it into single instructions can be done by means of sequential calls to length disassembler. Such disassembler is used in permutation and code integration.
«Infecting ISO CD images» 10.24Kb 6552 hits
29a [6] (2002)
Era of the computer virus began from information exchange via diskettes. After some time the most part of this exchange has moved into networking. A bit later cd-roms became widely spreaded. There even appeared cd-related scenes, and today cd burning technology is available mostly to all. And now its time to our move.
«Opcode Frequency Statistics» 8.82Kb 12094 hits
Here are the results of the program, which calculates frequences of the PE EXE/DLL opcode usage (x86 32-bit code).
«Permutation conditions» 10.11Kb 11210 hits
Here i'm trying to define conditions, when it is possible to change order of some consecutive x86 instructions and instruction blocks, i.e. swap them, but keep program working the same.
«Pervert world wide» 2.64Kb 11053 hits
29a [#8 (2004)
Almost all trojans and viruses are detected using simple signatures. Which means that simple crc is calculated on the entire file, or on some parts of the code being checked. Using simple length disassembler and some simple rules, it is possible to analyze an arbitrary executable file and change some instructions in it, so that it will run the same as before, but file's checksum will be changed.
«Polymorphic Games» [SRC] 7.91Kb 12205 hits
«Solving Plain Strings Problem In HLL» 13.43Kb 11315 hits
29a [7] (2004)
It has been already told to you, that all hll creatures contains substrings such as *.vbs, RCPT TO:<%s>, sometimes even wsock32.dll and many others. Old rotten idea is that all code of that kind can be detected as a virus or trojan, and it will remain detectable until you listen to my truth.
«Virus engines: common recomendations (3rd edition)» 14.38Kb 12043 hits
Virus engines are very similar to C/C++ classes (objects), and has many identical properties. These both substances are directed to modularity. The only difference is that C++ class has larger interface part while virus engine is oriented to implementation.Today virus engines are on the same step as programs was many years ago, when OOP was only introduced. And now is time to change.This text was written with a single goal: to denote characterictics of virus engine, which will make it handy and useful.
«Join us now and share the malware...» [SRC] 49.75Kb 11056 hits
29a [7] (2004)
In this article we'll talk about the possibilities of infection of source code files, the precedents that have been in this subject and the future developments that could happen.The text will be enclosed with examples in C, as "proofs of concept" of the explained details. Besides, virus development techniques for source code through other ways will be presented, from a less practical point of view and showing the main steps for its programming.
38 authors, 69 titles
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka