/-----------------------------\ | Xine - issue #2 - Phile 008 | \-----------------------------/ A short intro to network virus spreading --------------------------------------------> by Kernel Panik Hello All, this is short overview about the network spreading methods used by Homer. First of all have a look at the article about its construction in general. Then keep in mind that Homer is only a demostration of what can be done .... there are plenty of unexplored possibilites. Note the following two points: * the easiness of adding network capabilites to Homer comes from the fact that it is a user level virus. I just cannot imagine how working with winsockets in assembler looks like. I think it would be also very difficult to use the winsock library from a VXD. It is possible to use a special VXD service to call normal windows api, but currently I haven't any idea about how to get windows messages from there. So consider to add a payload with a C winsock aware program in your next windows virii, * with the use of the api hooking technique I explained in the cited above you can see what network services are in use. For example Homer hooks gethostbyname and its non-blocking counterpart to get hostnames. Now just two words about socket programming under windows. I grew up under Unix and I found winsocket rather messy. You must always use non-blocking function (those starting with WSA or by setting the right attributes of the socket with WSAAsyncSelect) otherwise the system will be blocked for long times due slow response speed of the net. So you must get the notification of what the winsock subsytem is doing. Finally this implies that your application must have a callback procedure where the messages are sent. Have a look to any text on windows internet programming or refer to the Homer source for more info. What Homer does is uploading himself via ftp in the incoming direcotry of the host that the user tries to connect (or better for which he asks the resolver for hostname->IP translation). This is rather difficult because the File Transfer Protocol is rather wired. You must first open a control connection to the server and send commands. Then you must open a socket on the local machine waiting for the server to conect back (this is the data port) and then you can send data. Now your finished your job and you can close the sockets you need. See the apropiate RFC for more details about FTP or other Internet protocols. This is only the beginning of network aware viruses. Here are some other ideas I think are rather easy to implement: * you can send viruses in mail or newsgroups: they can be interpreted by some rather silly programs (like FreeAgent or Microsoft Exchange) if you tag them with the right mime type or make them seem like files that gets interpreted (for example winword documets). * you can improve ftp upload, by making virus pack itself in a zip (store only, no compression for simplicity) with other stuff he got, for example, from the victim's hard disk ..... this should be also very funny. * it should be also very interesting to use windows specific network techniques like network DDE and RPC. So you see there are plenty of new realms to explore and conquere :-) I hope Homer is tou you at least an incentive for further work!