                                                      ﾜﾛﾛﾛﾛﾛﾜ ﾜﾛﾛﾛﾛﾛﾜ ﾜﾛﾛﾛﾛﾛﾜ
      ﾚﾄ Fuckin' AVs in Win32 enviroment ﾄｿ           ﾛﾛﾛ ﾛﾛﾛ ﾛﾛﾛ ﾛﾛﾛ ﾛﾛﾛ ﾛﾛﾛ
      ｳ                 by                ｳ            ﾜﾜﾜﾛﾛﾟ ﾟﾛﾛﾛﾛﾛﾛ ﾛﾛﾛﾛﾛﾛﾛ
      ﾀﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄ Benny / 29A ﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾙ           ﾛﾛﾛﾜﾜﾜﾜ ﾜﾜﾜﾜﾛﾛﾛ ﾛﾛﾛ ﾛﾛﾛ
                                                      ﾛﾛﾛﾛﾛﾛﾛ ﾛﾛﾛﾛﾛﾛﾟ ﾛﾛﾛ ﾛﾛﾛ


 ﾚﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄｿ
 ｳ 1. Disclamer ｳ
 ﾀﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾙ

 The followin' document is an education purpose only. Author isn't
 responsible for any misuse of the things written in this document.


 ﾚﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄｿ
 ｳ 2. Foreword ｳ
 ﾀﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾙ

 Nowadays, when we r able to infect any Win32 executable file, when heuristic
 scanners r better and better and when AVs r able to find 100% of all known
 viruses, it is very important to make our virus harder to detect by AVs and
 unnoticable by user. What technologies should I use? This article is all
 about them, but do not expect any code here. Everything written and described
 here is 100% theoretical...


 ﾚﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄｿ
 ｳ 3. Introduction ｳ
 ﾀﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾙ

 There r many ways, how to hide virus and make it able to survive in the wild.
 Nowadays viruses uses these techniques:

        -       Polymorphism
        -       Metamorphism (will be very discussed theme in near future)
        -       Stealthin'
        -       Anti-Bait
        -       Anti-Heuristix
        -       Anti-Debug

 All these techniques, their positives and negatives, r discussed bellow.


 ﾚﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄｿ
 ｳ 4. Polymorphism - hi-tech of 80's/90's ｳ
 ﾀﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾙ

 Every good virus uses this technique (Win98.HPS, Win95.Inca, Win32/WM.Cocaine,
 my best virus Win98.BeGemot, etc). It's one of many ways, how to hide virus
 in infected file. Polymorphism means, that every new generation of virus is
 encrypted by another encryption/decryption key and/or aritmetical/logical
 intruction and decryptor has another code than in previous generation. The
 only way, how to detect polymorphic virus is heuristicaly. AV scanner won't
 find it, becoz there ain't string, that matches at all virus generations.
 Heuristic scanner will try to trace decryptor, so decrypt virus body and then
 will call scanner, which will scan decrypted code for string, that it knows.
 "Another decryptor" means, that decryptor will decrypt encrypted code by same
 way, but usin' different opcodes. Example: U can increment register by INC,
 ADD SHORT +value, ADD NEAR +value, SUB SHORT -value, SUB NEAR -value etc...
 If AVers will want to catch our virus, they will infect thousands of baits
 and catch a scan string. That scan string will use scanner to scan decrypted
 code. Our virus is found! Let's make job to AVerz harder. Solution is slow
 polymorphism. If we use only one decryptor shape for session, AVerz will have
 to reboot their computer many times to see all engines abilities and so to
 get scan string. And if AVerz won't infect enough files, they will get scan
 string, that will work only for some virus generations and next generation,
 that will have wholy another decryptor won't be detected. Yeah, yeah, that's
 cruel X-D.
 But what will happen, if AVs will make enough files and get right scan
 string? Heuristic scanner will leave decryptor to decrypt virus body and
 scanner will find virus usin' scan string. What then? Last thing, how can
 u make harder to detect your virus by poly-engine is makin' your poly
 poly-layer. It means, that decryptor won't be one, but two, three and more.
 It will be harder to decrypt too many layers, nevertheless new heuristic
 scanners r able to work with poly-layer polymorphic engines. What then?


 ﾚﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄｿ
 ｳ 5. Metamorphism - new technology of the fate ｳ
 ﾀﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾙ

 Metamorhism is the solution. Metamorhism (as I think) is the perfect
 technology to fuck all AVs. Since polymorphic engine will create only
 variable decryptor, metamorphic engine will create variable whole code.
 This ain't easy to code. This ain't hard to code tho. I think, it's one of
 the hardest things on virus codin'. If u wanna code some meta-engine, u will
 have to calculate all possible fails, u will have to be very patient and be
 very smart, otherwise u won't ever finish it. In metamorphism is the future.
 Every generation of virus will have another shape and the only one solution
 will be heuristic analysis. But not analysis of these days. That analysis
 must have at least a little inteligency. But, that's another story...


 ﾚﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄｿ
 ｳ 6. Stealthin' - I'm not here ｳ
 ﾀﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾙ

 Stealth is way, how to hide virus presency. Semi-stealth viruses hides file
 size only, so users won't detect any changes - file has still same length.
 That's nice, but how many users r watchin' file sizes? Minimum. Win95.Zerg
 came with thing well known from D0S, full stealthin'. Program is fully
 disinfected on open and infected on close, so user nor AVs will detect any
 modifications.
 It worx perfect, but only on Win95 machines by hookin' IFSMGR. On WinNT not.
 There is one little problem. Files and all kernel objects r closin' by common
 CloseHandle API. Problem is that we can't check, if the handle handles file
 or not. I was thinkin' about GetFileType API, that can tell us, what type of
 file it is. If we used invalid handle, API quits with error. Well, we could
 check by this if it is file or not and infect it. I haven't tried it yet, but
 I think it should work fine. If u will experiment with it, let me know. Thnx.
 However, stealth mechanism seems as very good technique to hide our virus.
 In Win95/98/NT/32 enviroments, AV won't detect virus, if virus will be in
 memory, and AV won't be able to use any ANTI-STEALTH techniques tho. It will
 seem, that all files r clean. That's great, ain't it?


 ﾚﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄｿ
 ｳ 7. Anti-Bait - Why da fuck it can't be infected? ｳ
 ﾀﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾙ

 Baits r mostly silly do-nothing programs and the only one purpose of their
 existency is to be infected by virus. That program can be easily analysed,
 easier than winword.exe, for example. And becoz we wanna make job to AVs as
 hard as possible, we r tryin' to not infect those shitty programs. Baits r
 usualy named as 00000000.EXE, 00000001.EXE, 00000002.EXE, etc. The first
 advice is don't infect files with digits in its name. But take care! Many
 normal programs has digits in its name, such as winrar95.exe or wincmd32.exe.
 So, if u don't wanna infect baits, but wanna infect standard applications,
 check, if filename contains digits at all 4, 6 or 8 positions. How easy...X-D


 ﾚﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄｿ
 ｳ 8. Anti-Heuristix - This proggy is OK ｳ
 ﾀﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾙ

 Heuristic emulator, what da fuck is that? Emulator is program, that simulates
 execution of opcodes. If it will find something suspicious, flag will be set.
 If there r many flags set, program is probably infected by virus. And becoz
 heuristic analysis was at least perfect idea, we have to fight against it.
 Anti-Heuristix is a strong weapon. Every virus should contain several trix
 to fuck some AVs. Perfect trick, how to fuck many AVs is to use SEH and make
 some GP faults. I think, none of all AVs has 100%-ly solved this "problem".
 Every AV will hang on that. Next trick is usin' of undocumented/Pentium+/MMX
 opcodes. Many of these opcodes aren't emulated, so if emulators will try to
 emulate it, it will get invalid opcode and won't continue emulatin' next
 opcodes (or will emulate it, but with wrong results). Next, more kewl idea
 is to use threads or fibers. Emulator will emulate code, but won't reach
 important (virus) code, that will be executed in another thread/fiber.
 There r many ways, how to make your virus heuristic-proof. Just open one
 article from any VX-zine and read.
 

 ﾚﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄｿ
 ｳ 9. Anti-Debug - Let's fuck AVerz ｳ
 ﾀﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾙ

 Debuggers r made to debug programs. Logicaly. But becoz viriis r computer
 programs, AVerz r usin' to analyse our viruses debuggers tho. That ain't
 good. Fortunately, there r many ways how to check for debug presency (and
 then do something really baaaaad X-D).
 First way is the most legal. Use Win98/NT IsDebuggerPresent API. This API
 will say u, if aplication level debugger is present or not. Next trick is
 usin' SEH. TD32 will continue executin' code until it will reach any
 breakpoint. If stupid AVer won't set any breakpoint, whole virus will be
 executed X-D. Easier way, how to fuck debugger is to jump INTO the
 instructions. If AVer won't carefuly trace code, he could encounter something
 really strange and weird...8-). And again, there r many tutes describin'
 this, just find one and read it...


 ﾚﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄｿ
 ｳ 10. Closin' ｳ
 ﾀﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾙ

 That's all for this time. I hope u understood everything described above.
 If not, u know, where u can find me.


                                                    ﾚﾄﾍﾍﾍﾍﾍﾍﾍﾍﾍﾍﾍﾍﾍﾍﾍﾍﾍﾍﾍﾍｻ
                                                    ｳ  Benny / 29A,  1999 ｺ
                                                    ﾀﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾄﾙ