VX Heavens

Library Collection Sources Engines Constructors Simulators Utilities Links Forum
Minimize
Bookmark

Viral code insertion

Robert Slade
http://www.textfiles.com/virus/funpiv2.cvp
October 1991

[Back to index] [Comments (0)]

There are four ways to attach code to an existing program: overwrite existing program code, add code to the beginning of the program, add code to the end of the program and not add code to the existing program.

Overwriting viral programs are a very simplistic answer to the problem of how to add code to an existing program without changing the file size. By simply overlaying code which is already on the disk, the original size remains unchanged. There are a few problems with this approach.

The first is the problem of how to get the virus "called" when the infected program is run. If the code is just inserted anywhere, it may not be in a part of the program that gets used every time the program is run. (Every programmer is aware of the Pareto Principle's application here: 20 percent of the code does 80 percent of the work. Some code never gets called at all.) It is possible, by an analysis of the code of the target program, to find an "entry point" which is used extensively. It is also possible, and a lot easier, to place a jump at the beginning of the program which points to the viral code.

The second problem is much more difficult to deal with. If the virus code overwrites existing portions of the program code, how do you know the loss of that program code is not fatal to the target program? Analysis of this type, on the original code, would be very difficult indeed. "Successful" overwriting viri tend to be short, and to look for extensive strings of NUL characters to replace. (The NUL characters tend to be used to "reserve" stack space, and thus are not vital to the program.) Even if the original code is not vital to the program, it may, if replaced, cause the program to exhibit strange behaviours, and thus lead to detection of the viral infection.

Thus, while overwriting viri solve the problem of file size, they bring with them some inherent problems which appear, at this time, to severely limit their effectiveness "in the wild". To this date, while many overwriting viri have been written, none have enjoyed great "success", or become a widespread and major problem.

(The Zen-like nature of the opening paragraph will be explained in future columns.)

copyright Robert M. Slade, 1991 FUNPIV2.CVP 911006

deenesitfrplruua