Microsoft® Malware Protection Center

Threat Research & Response Blog

10 Dec 2009 3:25 PM by mmpc

If at first you don't succeed...

...it might be because you weren't meant to.

Last year, the EOF virus-writing group decided to release a virus zine with the help of DoomRiderz and rRlf. Well, here is how that turned out: rRlf backed out of the project at the last minute and then folded, and DoomRiderz folded shortly after the zine was released. The zine itself contained some buggy contributions, and the majority of them were extremely primitive. The only new techniques came from the oldest of the virus writers. One of those techniques was an unusual use of a CPU instruction, and the others were file-format tricks. They were certainly techniques that we weren't expecting to see, but nothing that our engines couldn't handle already.

There were some other interesting samples, too, though the reasons for their being interesting are varied. It was mostly because we identified numerous bugs in each sample (see, for example, Win32/Harumf). One of them was interesting for the extent to which it attempted to be anti-heuristic (Win/Zekneol). One of them was interesting because it was a collection of old routines (Win/Satevis). None of them were a problem for our engines, though.

It's been more than a year since I started describing these samples in the Virus Bulletin journal. I've almost finished with the set, and perhaps just in time to start a new one: it seems that the EOF is at it again, only this time with a different group. VirusTech is a Russian group that announced the joint venture, but then went completely silent on the subject. Who knows if they will release anything this year?

As for the proof-of-concept authors saving the virus scene, that didn't happen, either.

The virus writer known as herm1t did his thing with the file format tricks, but the virus code is still easy to reach and easy to scan. Of course, this wasn't the purpose of the demonstration (contrast that with his earlier Linux/Crimea virus family, whose code was not easy to reach, and which clearly was the purpose of the demonstration). We had two variants of a virus that overwrites the ".note.ABI-tag" section, four variants of a virus that overwrites (in different ways) the ".hash" section, a virus that adjusts the segment alignment, and a virus that overwrites the Procedure Linkage Table. It seems that he has run out of things to do with the file, at least for now.

These viruses are especially interesting because they are exploiting aspects of a file format that has no equivalent in Windows. It also shows that Linux and other Unix-based platforms (you know which ones I mean) are not immune to viruses.

After almost an entire year of silence, the virus writer known as roy g biv returned to the scene with... some text files. His two new techniques, "Subtle SEH" and "Heaven's Gate", are certainly new and different, but also a coding dead-end. While the subtle registering of SEH might fool a human, these days it's all about the emulator, and the emulator is not fooled. Heaven's Gate is even less of a problem, in a sense - it is using a gate to jump from a 32-bit environment into a 64-bit environment, assuming that the processor and operating system support it. I suppose that eventually we will see a virus that uses the technique, but if our emulator decides to not support that, then it simply won't run. This situation is much like the use of SSE4.2 instructions that I described in The Power Of SSE. Oh, I mustn't forget to mention the virus for ODBGScript that is apparently by him, but I'm sure that the question on everyone's lips is - is it really him? Okay, maybe not everyone's lips. At least some people will be asking "Do I care?" Most recently there was the release of a virus written as a Hiew plugin. It infects the file that Hiew is examining.

SPTH is also back after his retro detour of DOS virus material, and this time it's polymorphic fun with linear algebra. Of course, it doesn't matter how variable the polymorphic part is, if the rest of it is constant, and that's what we have here. A huge, enormous, gigantic, colossal constant decryptor, followed by a huge, enormous, gigantic, colossal* polymorphic representation of the body. The only reason that it's polymorphic is because it's all text. It's a script virus. Keeping it simple is just one step away from retiring again. We're happy about that development.

One other development is from one of the newer members (Dark Prophet). He has apparently written a polymorphic, anti-heuristic, and anti-emulating virus that... well, I'll get to it eventually, but a quick glance has already shown me one serious bug. I've even received a request to describe it. How nice. I hope that it's because they think that I'll do a good job with it.

So that's the news in brief.


- Peter Ferrie

* with apologies to Roger Hargreaves and his "Mr Greedy" story.