40Hex Issue 10 Volume 3 Number 1 File 001 The following is a cursory examination of virus construction toolkits. While hardly comprehensive, it includes the basic elements of each toolkit described. For further information, consult appendix A of the Phalcon/Skism Gư code generator. --------------------------------------------------------------------------- VIRUS CONSTRUCTION KITS, Revision 2.0 13 February 1993 Virus construction kits are computer programs which allow people with little or no programming experience to produce new variants of computer viruses. Two popular methods are used in virus construction kits. The first uses a menu driven user interface where the user is lead through a series of menus where he 'designs' the replication method, infection criteria and payload (what the virus does when it activates). The second method uses a skeleton configuration file (ASCII file in which virus configurations are placed) and running a 'generator' to produce the virus. There is an important factor to consider. First generation virus construction kits only produce assembled or compiled viruses without source code. Second generation kits produce virus source code (sometimes even commented) that can be changed and assembled by the user. The danger in second generation kits is that someone with very limited programming experience can potentially produce a new computer virus without knowing anything about the internal workings of a virus. I would like to stress that because virus construction kits to date use a fair amount of constant code (instructions), they pose no threat to standard virus detection techniques. However, should future kits make use of mutation engine principles, this situation could change. The following are descriptions of virus construction kits to date. This is a factual description as the author has access to all of the kits listed below : GENVIR GENVIR was the first attempt to release a virus construction kit for profit. It is a first generation virus construction kit which a menu-driven interface. GENVIR is a French program written in 1990 by J.Struss of Lochwiller, France. It is a 'Crippleware' program that lets you go through all the motions of creating a virus, but stops short of the compilation stage. To receive a working copy, one must license the software for a fee of 120 Frances. The latest version is 1.0 and it is believed that GENVIR was never released as a functional virus construction kit. VCS (Virus Construction Set) VCS is a first generation virus kit written in 1991 by a German group called VDV (Verband Deutscher Virenliebhaber). VCS is a primitive program that requires a text file of maximum 512 bytes length and incorporates this text into a simple .COM file virus infector. After a specified number of replications, the virus will display the text message and delete AUTOEXEC.BAT and CONFIG.SYS. The latest release is version 1.0. The program text is in German,although there is a hacked version in English. VCL (Virus Construction Laboratory) VCL is a complex, second generation, menu driven virus construction kit written in 1992 by Nowhere Man and [NuKE] WaReZ. It allows multiple, user selectable modules to be incorporated into the virus, together with the option of creating commented ASM (assembler) source code files that can be manually modified. The danger with this option is that a virus writer can create the virus kernel (without knowing much about the internal workings of viruses) using VCL and then add his own,custom code into the virus.The latest release is version 1.0. PS-MPC (Phalcon / Skism - Mass Produced Code Generator) PS-MPC is a second generation virus construction kit, written by Dark Angel in July 1992. It is based heavily on the VCL virus construction kit. It was distributed including source code in the C language. Although it is not menu driven, (it uses a user definable skeleton configuration file to produce viruses) it creates more compact,neater commented ASM source code than VCL does. Two versions exist,the first being version 0.90beta released together with 40Hex (an underground electronic magazine) on 7 July 1992, and version 0.91beta released on 17 August 1992. According to the history file in this release, the following as been added to the second release : a) rudimentary memory resident viruses may be created, b) improved optimization of code, c) fixed minor quirks and d) got rid of "unsigned char" requirement. IVP (Instant Virus Production Kit) IVP is a second generation virus construction kit, written in 1992 by Admiral Bailey a member of the YAM (Youngsters Against McAfee) underground group. According to the documentation, it was written in Turbo Pascal version 7.0. IVP uses a skeleton configuration approach and produces commented source code. It was the following features : a) .EXE and .COM file infection, b) Trojan support, c) Directory changing, d) encryption, e) error handling, f) COMMAND.COM infection, g) overwriting option and h) random nop generator. The latest release is version 1.0. G2 (G Squared) G2 is a second generation virus construction kit, written in 1993 by Dark Angel of the Phalcon/Skism underground group.(Dark Angel is also the author of the PS-MPC virus construction kit). This kit makes use of the skeleton configuration approach and produces commented source code. According to Dark Angel's documentation, G2 is not a modification of the Phalcon/Skism PS-MPC kit, but a complete rewrite. It differs from other virus construction kits in that it produces easily upgradable and semi-polymorphic routines. The latest release is version 0.70beta, dated January 1, 1993. Oliver Steudler, DYNAMIC SOLUTIONS Authorized McAfee Associates Anti Virus Agent Mail : P.O.Box 4397, Cape Town, 8000, South Africa Internet : Oliver.Steudler@f110.n7102.z5.fidonet.ORG or 100075.0200@compuserve.COM Fidonet : 5:7102/110 CompuServe : 100075,0200 Phone : +27 (21) 24-9504 (GMT +2) Fax : +27 (21) 26-1911 BBS: : +27 (21) 24-2208 [1200-14,400 bps] --------------------------------------------------------------------------- Virus construction tools are cropping up at the rate of one roughly every two months. Additionally, new polymorphic "engines" such as the MtE, TPE, etc. are begining to emerge. But how real is the threat from viruses generated with such tools and has this threat been exaggerated by the media? The discussion will center on the so-called "second generation" toolkits. Perhaps the most prolific of these is Nowhere Man's VCL. It has the most attractive interface of all the recent virus development tools and allows for a variety of activation routines; something which has been conspicuously absent from the Phalcon/Skism code generators. However, VCL is also perhaps the least dangerous of all the toolkits, hampered by the dependance upon only one encryption/decryption routine and single, constant code base. YAM's IVP ameliorates the problem, albeit in a highly limited and somewhat useless fashion, with the random NOP placement. Of course, its code is based heavily upon the PS-MPC, which is also nonrandom, so it, too, is hampered. The PS-MPC, as mentioned earlier, has but a single code base. In short, these three toolkits are of limited utility in terms of creating nonscannable viruses "out of the box." The generated code typically needs to be modified for the viruses to be unscannable. So perhaps the solution lies in relying not upon a single code base, but multiple code bases and allowing for random (not the same as haphazard) placement of individual lines of code. This is the approach of Gư. Gư allows for multiple code packages which accomplish a certain goal. The program selects one of the packages for inclusion in a given virus. In this manner, variability may be ensured. Gư further allows for the order of statements to be scrambled in the source file. However, all Gư viruses share the same structure as well as having certain bits of code in common. So, while an improvement, it is hardly the final step in the evolution of virus creation toolkits. Gư could become much more powerful with multiple virus structures as well as improved code packages. The article above suggested that the toolkits would be much more powerful should they incorporate "mutation engine principles." In other words, the toolkits should be able to mutate the generated code. The IVP currently uses such an approach, albeit only with simple NOPs liberally scattered in the decryption and delta offset calculation routines. Such code, however, should not be a goal of the authors of such toolkits. It is simply not appropriate for a virus creator to function in such a manner. A virus toolkit which simply spews out the same code in various forms is merely an overblown hack generator. Toolkits exist as _aids_ in writing a virus, not as replacements. Surely including such mutation routines would result in larger viruses as well as illegible code. A novice utilising the toolkit would not be able to learn from such unoptimised code. Tight code which doesn't sacrifice legibility should always be the goal of virus generators. Another aid in writing viruses is the "encryptor-in-a-box," a product such as MtE or TPE. Such modules allow all viruses to incorporate polymorphic routines. Yet how dangerous are such polymorphers? As they currently exist, they pose very little threat. Scanners have adapted not only to catch current MtE-using viruses reliably, but also to find new viruses which use decryptors created with MtE. Certainly the TPE and any new polymorphic routines will meet the same fate. Constant revisions of these engines, while being temporary solutions, remain just that: temporary. Once the anti-virus industry receives a copy of the new version, the engine is once again useless. The virus community should look beyond such "easy fixes" as virus creation toolkits and polymorphic "engines." The simplest way to get a nonscannable virus is to write it yourself. Not only is there the benefit of satisfaction with the work, but you gain expertise and intimate understanding of both viruses and the operating system. Such knowledge comes only with writing several viruses on your own. The best way for a beginner to learn how to write viruses is to figure it out on his own _without_ any examples. Once a virus has been written in this manner, then it is appropriate to look at current virus samples to find out the various tried and true techniques. But polymorphic engines are difficult to write, the novice virus writer protests; using MtE will vastly improve the virus. Rubbish. Firstly, it is a fact that scanners will be able to detect the virus, be it encrypted with a simple XOR loop or with MtE. Writing your own encryption will be far better in terms of learning. Secondly, polymorphic engines are _not_ terribly difficult to create. A few hours of thinking will be sufficient to lay down the framework of a polymorphic engine. An additional few days is enough for coding. Even the MtE and TPE, while requiring bit-level knowledge of the opcodes, could have been written by a person with only a few years of experience programming assembly. The advantages of writing your own polymorphic engine are obvious; anti-virus developers will have to spend much time (and space in their products) analysing and developing scanners for each individual engine; and simply adding a few extra garbling instructions should be sufficient to throw these scanners off in a future virus. So what purpose do these tools serve? The ultimate aim of those producing the virus creation tools should be not to enable people to go around creating new, unscannable viruses and trashing every hard drive in the world, but to allow novices to break into the field of virus writing. It is not difficult to write a virus, but these tools certainly ease the initial pain. Polymorphic engines are useful as examples for your own polymorphic routines. I encourage all novice programmers to pick up a copy of Phalcon/Skism's Gư and VCL, the two most prolific code generation toolkits. Run them a few times with various parameters and analyse the code carefully. Print out the code and look it over. The basic principles of virus creation will be apparent after some inspection. Learn from it and then sit down and write your own virus from scratch. Dark Angel Phalcon/Skism 1993