Viral encryption

Murdering Thug thug at phantom.com
Thu Feb 11 08:55:04 PST 1993




As Mr. Ferguson pointed out, polymorphic viruses are making their way into the
DOS world.  This is a problem in the short term, but not in the long term
because people will be changing to memory-protected & file-permission based
operating systems like NT, OS/2 and Unix, where it is very difficult for
most kinds of virus to spread.

I myself am very familiar with the virus underground, so for those who are
not, let me explain the two newest and most deadly virus techniques which
are being seen in the DOS world.

The first is something called "Stealth" viruses.  Stealth viruses imbed
themselves into DOS and intercept disk read calls from applications. If
those read system calls are reading non .EXE or .COM files, then they are
processed normally.  However when an application such as virus scanning
program is reading in .COM and .EXE files (in order to scan them for virus
code), the stealth code in DOS intercepts this and returns to the application
what the .EXE or .COM file would look like if it wasn't infected by the
stealth virus.  Thus, all virus checking programs can be decieved in this
manner.  There are steps to get around this, like booting off of a
write-protected floppy disk (with a clean copy of DOS on it) and running
the virus checking program directly from that floppy.  But people seldom
do that, so the stealth technology is a worthwhile one for virus creators
to pursue.

The second is called "Polymorphic" viruses.  These are viruses which
contain a tiny encryption/decryption engine.  The great thing about
polymorphic viruses is that they encrypt themselves with a different key
each time they replicate (make a new copy of themselves).  The small 
amount of virus bootstrap code which is not encrypted is changed in each
replication by dispursing random NOP's throughout the virus boostrap code.
Thus each sample of polymorphic virus looks completely different to
virus checking programs.  The virus checking programs cannot use
"signature" byte strings to detect polymorphic viruses.

I have seen something called D.A.M.E., also known as Dark Avenger
Mutation Engine.  This is a freeware polymorphic library/kernel/toolkit
which allows anyone to take an ordinary virus and wrap it in a polymorphic
shell.  Thus each new copy of the virus will look completely different
as it replicates.  D.A.M.E. is a great toolkit for those who want to
release new viruses but don't have the skills to write a virus from
scratch.  DAME works very well with Turbo Assembler and MASM.
I believe that DAME II will be coming out sometime this spring. At
least that is what the author has promised.  Among the new features
will be more powerful encryption, stealth capabilities, and compatibility
with Stacker and DR DOS compressed file systems.  I have read that the
author of DAME and DAME II will be coming out with a Virus Construction
Set, which will allow point-n-click building of new viruses using
object oriented techniques.  It works sort of like a Mr. Potatohead,
you point and click on the parts/modules you want and it builds it for
you.  You select the replication method, stealth capability,
polymorphism, and payload module (there are several payloads, varying
from playing music and showing graphics, to printing a text message on
screan, to complete wipe out of the HD). The really wonderful thing
is that you will be able to build your own modules and link them into
the virus.  I am sure a flourishing of third-party modules will occur.

With the VCS, a 9 year old can build a competely new virus just by
pointing, clicking, and dragging, popping up windows and choosing options.

My oh my, aren't we in for fun times ahead...


Thug 








More information about the cypherpunks-legacy mailing list