
VX Heaven


Source code of computer viruses

Gaara - Virus for - by Bania, Piotr


Bania, Piotr

2007-05-21

Download gaara.zip (6168 bytes) or browse online

Author's notes

First of all, this little piece of code was done _only_ for fun and as a proof of concept. When I was writing this thing, I thought it would be the world's first calculator virus, but one guy contacted me and it seems it is the second one. Although it seems it is still the WORLD'S FIRST resident/entry point obscuring calculator virus :) This code was written in a couple of days (each hour each day); it took me a few hours to learn the main things about Motorola 68K assembly. I wasn't reviewing the code for optimization purposes, so it should be heavily unoptimized. Now let's take a look at the Gaara briefing:

Name: ti89/ti89i.Gaara

Tested on: TI89 Titanium HW3 AMS 3.10; (maybe other calcs are also suitable - dunno)

Size: 501 bytes

Features:

Residency

When I was coding this little thingie I thought it would be fun if I could make this one resident. There are two main ways of making the code resident here. Let's assume we want to take over some ROMCALL. This could be done in two scenarios:

  1. change the ROMCALL jump table offset and then change the offset of specific ROMCALL
  2. modify the offset of specific ROMCALL

Of course, at first look the second one looks easier and more effective. But the problem is that the ROMCALL jump table resides in FlashROM, which is write-protected (there exists a protection scheme which disables writing to this memory region). Although, as I showed in the other document "flashrom_protection.asm", this protection can be disabled anyway. Of course the next bad thing about this method is that you can't just simply write to FlashROM etc. etc. But the main reason I have chosen the first method is "stability" itself.

The bad point of the first method is that it needs to allocate enough memory to hold all the ROMCALL offsets, so that is about ~6200 bytes of additional heap memory which we need to reserve.

Our infection procedure is executed when any program calls the SymFindNext function through the ROMCALL jump table offsets. The SymFindNext function finds the next symbol entry in the VAT table; if the found symbol is infectable, the virus proceeds with the infection process.

Entry Point Obscuring

Well, the idea behind this one is not to execute the virus directly from the entry point of the host. So here's the main idea. It seems that TI-GCC generates a constant EPILOG (just like the mov esp,ebp / pop ebp / ret generated by C compilers on the x86 platform).

The EPILOG looks as follows:

 	unlk    a6		 :  4E 5E
 	rts		         :  4E 75

As you can see, we have 4 bytes here, which is enough to place a BRA/BSR that redirects the execution flow - so that's what suits us. I have decided to use BRA here, since it doesn't mess with the stack and we are able to return directly to the host by executing the overwritten instructions.

Well, here the first EPILOG found will be overwritten, and if it is not found the virus will not execute at all. Anyway, this process can be extended further; for example the EPILOG to overwrite can be chosen based on some random number. Moreover you can even write your own disassembler and then you are free to change any suitable instruction you want, but even considering the size of this thing I have better things to do than writing it :)
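As an added example, not part of the original notes or of gaara.zip: a small Python heuristic from the defender's side that looks for the EPO pattern just described, a bra.w written over the first unlk a6 / rts and an appended tail that replays that epilog to return to the host. The sample byte strings are constructed stand-ins, and the original host length is assumed known (for example from a clean copy of the program).

```python
"""Heuristic scan for the epilog-overwrite EPO described above.
Constructed example; byte samples are hand-made stand-ins, not gaara.zip."""
import struct

EPILOG = bytes.fromhex("4E5E4E75")  # unlk a6 / rts: the 4-byte TI-GCC epilog

def bra_w_targets(code: bytes):
    """Yield (offset, target) for each bra.w candidate: opcode word 0x6000
    followed by a signed 16-bit displacement relative to the displacement
    word's own address (68000 PC-relative semantics). Scans every word-aligned
    offset, so stray 0x6000 data words can produce false candidates."""
    for off in range(0, len(code) - 3, 2):
        if code[off:off + 2] == b"\x60\x00":
            disp = struct.unpack(">h", code[off + 2:off + 4])[0]
            yield off, off + 2 + disp

def find_epo(code: bytes, host_len: int):
    """Flag bra.w instructions inside the original host region (host_len is
    assumed known, e.g. from a clean copy) that jump into appended bytes which
    end by replaying the overwritten epilog, so control returns to the host."""
    tail_replays_epilog = len(code) > host_len and code.endswith(EPILOG)
    return [off for off, target in bra_w_targets(code[:host_len])
            if tail_replays_epilog and host_len <= target < len(code)]

# Constructed clean host: two tiny functions, each link a6 / nop / unlk a6 / rts.
CLEAN = bytes.fromhex(
    "4E560000" "4E71" "4E5E4E75"   # func 1, epilog at offset 6
    "4E56FFFC" "4E71" "4E5E4E75")  # func 2, epilog at offset 16
HOST_LEN = len(CLEAN)              # 20 bytes

# Same host with the first epilog replaced by bra.w +12 (target = 6 + 2 + 12 = 20)
# and a stand-in tail appended that ends with the displaced unlk a6 / rts.
INFECTED = bytes.fromhex(
    "4E560000" "4E71" "6000000C"
    "4E56FFFC" "4E71" "4E5E4E75"
    "4E71" "4E5E4E75")             # tail at offset 20: nop stand-in, then epilog

if __name__ == "__main__":
    print("clean:", find_epo(CLEAN, HOST_LEN))        # []
    print("infected:", find_epo(INFECTED, HOST_LEN))  # [6]
```

On a real program image the word-aligned scan will raise false candidates on data words; the tail check and the known host length are what keep the heuristic useful.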

Payload

If the random number obtained from the programmable timer is equal to 77h, it clears the calculator screen and displays the "t89.Gaara" string.

Last words

I hope you learnt something by reviewing this code. Of course, detection of this one should be pretty easy: even though it uses some basic EPO, the body of the virus is constant and it leaves the standalone marker, so it's damn easy to recognize. Who knows, maybe I left it there on purpose :)

So it seems that's all, and now for you all I will sing a song from my beloved Naruto series :)

That's why the important things are always
only the ones without a shape;
whether you obtain them or lose them,
you never notice.

That's right, turn sadness into kindness,
turn being yourself into strength;
you can surely do it, keep believing.
One more time, one more time,
one more time, are you ready now?

ENDOFTRANSMISSION-NO-JUTSU!
