METALOGIC
PART ONE - MAIN THOUGHTS ABOUT METALOGIC
WARNING: My English sucks ;)))
This idea is to make a multi-decryptor polymorphic engine and
use it wisely. I invented it some months ago, but there is
still no code - I'm too busy now. And possibly there will be
no source code of this engine from me, so maybe you guys will
try to do it, huh? ;)
It's too bad, but I don't have neither patience, nor talent to
code such things as some great coderz of all times ;)))) But I
don't give up, and today I decided to send some information to
Coderz.net, just to tell many people about idea of Metal0gic -
powerful viral technology, possibly useful for non-virus
programs as anti-patch module.
Okay now. Let's remember some school ;)
Do you remember the theory of Boolean operations?
Just look:
Possible main operations:
NOT - N()
AND - *
OR - +
Main theorems:
A+1=1
A+N(A)=1
A*1=A
A*N(A)=0
A*A=A
A+A=A
N(A+B)=N(A)*N(B) - by de Morgan
N(A*B)=N(A)+N(B) - by de Morgan
Using thiese main theorems we can make a logical function
unlimited BIG, same as convert big function into small one.
Using boolean operations as main crypt/decrypt operations for
virus, we can make unlimited number of decryptors!!!
Example (A - crypted message, B - key, C - decrypted message):
A xor B = C
We can make such converions:
A xor B = A*N(B) + B*N(A)
A=A*A=(D+N(D))*D*N(D)+A*A and so on, and so on... Same with B.
This is an example of what we will have after:
((D+N(D))*D*N(D)+A*A)*N((H+N(H))*H*N(H)+B*B)+((H+N(H))*H*N(H)+
+B*B)*N(((D+N(D))*D*N(D)+A*A)) = C
Only imagine that it's same to A xor B = C ;)
Okay now, if decryptor becomes big enough (>=100 bytes for
example),then we just delete it, generate a new key and
encrypt piece of body with new algorythm, then we create new
small decryptor. In each next generation it will become bigger
until it grows enough so we can delete it and create new one.
But all body must not be crypted with the same algorythm! No,
we must divide body into some parts (3 to 10 for example) and
only then encrypt each of it with the unique algorythm. Then,
to increase protection, we mix encrypted body with decryptor
and victim code, and wait for enemy to lauch infected file ;)
PART TWO - CASCADE METALOGIC
The point of cascade metal0gic is to make viral body from one
small piece of information, using constants and decryptors.
For example we have 8 bits, and we need to generate DWORD.
Example:
first 8 bits - 10111111
DWORD - 10111001 01110101 00001101 01100010
code:
;-------
mov al,byte ptr [firstbyte]
and al,10111001 ;first byte of dword is generated
mov byte ptr [__dwrd],al
xor al,11001100 ;second byte is generated from first byte
mov byte ptr [__dwrd+1],al
xor al,01111000 ;third byte is generated from second
mov byte ptr [__dwrd+2],al
xor al,01101111 ;last byte generated
mov byte ptr [__dwrd+4],al
;-------
So the next information block is generated from the previous
one.
We can simply use OR and AND functions together if we don't
like XOR too much ;)
Of course, there is no need for us to crypt and decrypt each
byte - we can crypt and decrypt massives of 256,512,etc bytes
using cycles.
If with all other blocks Metal0gic also will be armed with
nice analyzer, it could even compress the infected files
crypting it's body and infected code into one compressed
crypted massive!
BTW, possibly there is no reason to use Metal0gic without such
analyzer, because it's size in this way could be VERY big.
PART THREE - PROTECTION OF METALOGIC
Comparing with MetaPHOR model, Metal0gic can be easily
detected by looking how much logical operations used in
executable module, and also how much constants in it.
But it's a very simple way to overcome it.In old times I found
simple but interesting anti-heuristic code - in some I/O ports
value is constant for all times, but no emulators can see
that.They will have to emulate da whole machine to detect such
things heh! So, some code that uses pseudo-constants (constant
values of I/O ports, constant memory values that CAN be
changed theoretically, but the chance for that is about
0.001%) can not be perfectly emulated, and a virus with such
code cannot be detected by heuristic methods.
So, it's strongly recommended that Metal0gic must be used with
other types of protection.
PART FOUR - LIMIT METALOGIC
Oh, this can be written only by old math teacher ;)
The point - decryptor is crypted body. Yes, decryptor decrypts
itself!
HOW TO DO IT:
First of all,we must remember that decryptor and crypted viral
body are both just massives of binary digits. Changing them in
some pre-calculated ways may help us to make them equal.
We can use the LIMIT funtion (ex. limit of decrytor value when
difference between it and crypted body goes to zero), if it
exists (if not, we must make new key/crypted message/
/decryptor)
Look for Calculus Analysis books for more information.
This thing makes possible to optimize virus both by size and
by speed.
Nice :)))
PART FIVE - SOME MORE IDEAS
I'm not sure, but as I remember no viruses yet used the
registry (except of wormz, maybe), so if we put some main
decryptor keys into it (and encrypt file's insides with them),
it could be possible way to fuck AVers up. Who knows, can AV
software read from registry (or another file) dirung cure
process? I think yes, but I'm sure that NOT EVERY soft can do
it.
ALWAYS ALWAYS ALWAYS remember about mental part of the attack.
For example, if one of the models listed above will be TOO
slow (enough to detect it without problems) we should just use
the AVers weapon against them.
Example: "Warning! The system has detected a virus. Click
'Next' to remove it, but remember that Anti-Viral
Module cannot be used with another anti-virus programs, so be
sure that there is no other anti-virus software (AVP, Dr. Web,
Norton AntiVirus...) is loaded at this moment."
Of course,user will click Next and virus will show status bar.
User thinks that it shows time interval, but really it shows
the number of infected files ;)
The best way in this case is to make virus messages same to
messages of another popular software (like Internet Explorer,
or even defragmenter tool! ;)))
Another example - use the CULT: "Knock Knock Neo... The matrix
has you, now you must fuck up the matrix! Do U wish to do it
now?"
Or politics: "Do U like ?" Until user thinks,
virus spreads ;)
And the last one:
I think it would be useful for many people if I'll show some
randomize generator algorythms (they're useful not only in my
idea, but in any viral program):
1. GetTickCount API: nice way - you'll get tick count and can
use it as random digit.
2. BIOS (possibly unable to use under NT, works with bugs even
under 9x):
push ds
push 40h
pop ds
mov eax,dword ptr ds:006ch
pop ds
;in EAX - BIOS interrupt tick counter.
3. And some more math generators (formulas only).
Congruent method:
X(n+1)=(AX(n)+C) mod M
X - massive of random digits
n - number of digit
A=2^L+1 where L>=2
C>0, C mod 2<>0, M=2^P, where P >=2
Additive method:
X(n+1)=(X(n-h)+X(n-k)) mod M
Recommended values:
X(n+1)=(X(n-24)+X(n-55))mod M
n>=55, M=2^L
In this case period will be: (2^55-1)
Okay, that's all for now...
Greets goes to all alive and active CUG people.
Best wishez,
ME
Back
to index