Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum
[Previous] [Index] [Next]

File Splitting Engine

Author: Second Part To Hell

From article "Over-File Splitting"

1) The idea

Well, I've told you that an AV searchs in every file of the HD if there is a virus. But what would be, if the virus would not be in one file? What would be if the virus would be in 1000 or more files? You may think: "Shit, what the hell are you talking about?" OK, let's say anybody's computer gets infected by a virus/worm. Many files get infected and the user recognizes that something smells fishy. (S)He updates the AV program, scanns all files, all infected files become clean. Is anything over now? No, it is not, because the virus/worm, when running the first time splitted itself in 1000 parts, and every part is a own file with the length of ~4-8 byte. This files (which have random names) became saved in a directory. The files alone can not harm anybody, but together they can. Together? The virus/worm also made a file, which joins all files. This file, which runs every at restart (registry,autostart,...) become executed now, and the computer will be reinfected again. Can you now imagine how our virus/worm uses this technique and why may be real successful? Just read on...

2) How to split?

This is most important for the technique: The more parts you have for your virus/worm, the less the chance, that an AV program could detect it. Why? Because a 4 byte scan-string would not be enough for detecting a virus. If such a small scan-string would be used, the AV would definitivly have alot of false-positives (detecting uninfected files). It is also important to split your files randomly. Not always the same way. And to split the files in random length parts, not always i.e. 5 byte. If the program is a virus, it does not matter if the you also split the hostcode. And about the header of a file: It is no problem to also split the header into parts. Now let me show you a primitive graphic, how i mean this:

REAL-FILE-INFECTED-BY-A-VIRUS-USING-THE-OVER-FILE-SPLITTING-TECHNIQUE

This could be:

      1: RE              1: REA
      2: AL-             2: L-FIL
      3: FILE-           3: E-INF
      4: INF             4: ECT
      5: ECTE            5: ED
      6: D-B             6: -BY-
      7: Y-A-            7: A-VI
      8: VIR             8: RUS-
      9: US-US           9: USIN
     10: ING-           10: G-TH
     11: THE-           11: E-OVE
     12: OVER-F         12: R-FI
     13: ILE            13: LE-SP
     14: -SPLI          14: LI
     15: TTING          15: TT
     16: -TECH          16: ING
     17: NIQ            17: -TE
     18: UE             18: CHN
                        19: IQU
                        20: E

Now let's imagine, that every small part of the file has a random name. And one more: Let's imagine, every part could be in any directory at the Harddisk. Or even on another partition. That does not matter, you just have to save the name for the joining-process.


Comments
Download

 FilenameSizeDescriptionDate 
splitt.zip4522FSEJun 2005MD5 sum 9107245ef1ec30c1a19b3a666d0e373b


By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua