Anti-Bait Techniques - By Dark-D0G

Goat Pointers/Introduction

For beginners: Goat, aka bait, files are very short files, which are created by 100s, sometimes even 1000s by AVs. Then the AVs run the virus which they are testing in the same environment/place where the goat files are. The virus will infects all the files and then AVs will search those infected goats for scan strings, and other stuff. This is the first weapon of AVs against viruses. When they receive a sample virus which is probably 99% an old virus or a slight modification of an old virus, they run this "goat test" on them. This "goat test" is a very quick way of finding out what your virus can and cant do. So a cure for your virus will come out quickly. Now if the AV can't decide by looking at the goats after infection the actions of the virus, he has to debug it. This will take him a while. Especially if the virus implements debugging tricks (Use soft-ice debug tricks, i heard a LOT of AVs use Soft-Ice as their debugger), and the size of your code is 20 or 30 KB. Of course polymorphism/metamorphism would also help but that is off the subject.

Here a couple of pointers about goat files:

1) They can be any format (exe, com, etc...). If an AV suspects/checks that your virus infects a certain file type, AVs create a bunch of goat files on the fly of the same extension.

2) Goat files as PE file do not have much/many:
A) API Imports - maybe only ExitProcess and GetModuleHandle and couple of other once like this.
B) API Exports - none. maybe some high-tech baits are created to make it look like they are PE files with exports.
C) Resources - No bait files have menus, msgboxes, etc.

3) Goat files are generally the same size. This is for a bunch of reasons. One of which is, so that the AV can easily tell if the virus's size is variable or not.

Simple Methods

I've has some ideas about how to avoid infecting bait (aka goat) files. These can easily be implemented in your virus. Well here are a couple of simple ways to avoid infection of bait files:

A) Dont Infect files with 0,1,2,3,4,5,6,7,8,9 in their file name. This is usually how bait files are named (Ex: file001.exe, file002.exe). You wont find too many programs named Adobe1.exe or Netscape04.exe.
B) Dont Infect files that have todays's date. First of all get todays date. Then check this with the date of the file. This is self-explanatory. You might have to do some realigning if you just read the date stamp from the PE file, rather than using GetFileTime API. This is because the date stamp is not like m/d/y its something like seconds from year 1990. (I am not sure about this. I might we wrong).
C) Dont Infect files which are less than 8KB. Most programs today are well over 8KB big. By avoiding these small files, your infection capability might decrease by .0001%.
D) Dont infect files which have the same size as the last one you have infected. To do this first save the file size of the file you have infected. Now the next file you are about to infect: check it's size if its the same. If its equal then go to the payload or something. There will be rarely two programs with the same exact size. You can make this procedure to check the 2nd and the 3rd last file's size that you have infected. This is a big punch to the AV.
E) Dont infect files whose first 4 or 5 letters of the file name match with the filename of the last file you have infected. This is again on the principle that bait files are constructed as follows:
Bait001.exe
Bait002.exe
Bait003.exe

Again this mechanism can cause your infection rate to go down a very slight amount, but AVs will be fucked over this for a long time.

F) Dont infect files who's first opcode is a call. This is because the call is probably to ExitProcess API. This is what mostly a bait file consists of: NOPs, INT3s, and at the end CALL ExitProcess.

G) Dont infect file who's first 2 - 3 opcodes are NOPs (090h). Also do not infect file who's first 2 - 3 opcodes are INT3s (0CCh).

H) Save the last file's date you have infected. Now the next file you are infection, check this date with last file(s). If the two files were created during the same minute, or even a minute apart, dont infect them. Its a goat.

. Advanced Methods

Bait Fucker Engine. I was thinking of this once, and i still might make such an engine. What is does is it check for the above conditions (A - H) if any of them are true then it takes the size of the virus and write an equal amount of *random* data to the file, which is supposably a bait file. This would be a very good thing, except that we have to be very careful which conditions from the above we are checking. This engine can be used with conditions:

D - Try finding two files in the current directory to the next directory that have the same size.

F - Definitely you wont find a program whose sole purpose is to ExitProcess

G - Same explanation as F.

H - Try finding two files which were created exactly on the same minute on the same date.

It would be even better if we could get a compressed version of an old virus whose size is about the size of your virus. Now if the find any of those conditions true, we make the Bait Fucker Engine write an old virus to the bait files. Then the AV will think that they found just a new strain/modification of an old virus.

Another effective method against bait files is to check which APIs the goat imports. If the only API is ExitProcess, then its probably a bait file, or a first generation of a virus. :)

Random infection is also a good process. This can be used any part of the virus: the mutation, payload, etc. Juse get a random value and test it for a certain number(s). You have to pick a decent ratio. Say 1:20 (decimal). So lets say you got a value 0 - 255. Just "and" it with 011111b and compare if its greater than 20. If not check if its equal to the constant value (your key).

Anyway im sure you understand what im talkin about. So the bottom like is make an infection rountine, which, once every 1 in 20 (in my case) times does not infect a file it finds. You can also create a counter and increment it each time a file is infected. If the counter reaches a certain number dont infect the file you currently found and zero out the counter.

One final thing i thought of, concerns PE files. First of all find the executable code section. Now pick a random value, oh lets say somewhere from 1 to 300 (decimal). Now use this random value as a relative memory address from the beggining of the section to get some bytes. (about 8 bytes or so). Now check if these are all NOPs, INT3h, ZEROS, or even if all the bytes are equal. If this is true, its a bait. Even if its not a bait, it must be a weird file cause i dont know of any files that have this.

I hope you have understood and will implement some of these techniques in your creatures.