

                                             ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
                                             ³ Xine - issue #5 - Phile 100 ³
                                             ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ







                           Full stealth essay
                    is it dead with 32 bit platforms?



 Hi, dear  readers. Here follows another article that reminds you how all the
 Win32 platforms are fucking  us. Ok, here  follows the shit of the article i
 have written about this matter. It's a bit short  and lame, but hey, i don't
 want to annoy you, it's  about  one idea  i have, and to fill 500 lines with
 shit is not a "moral" act, so with 100 lines is enough ;)

 ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
 ³ Introduction - What's full stealth? ³
 ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

 Sigh, don't you know what is the full stealth technique? Ok, then you missed
 the DOS age, or  you  re  simply  too  lame  for  read this tute ;) The full
 stealth technique was one of the most interesting ones in virus writing, and
 they were focused to hide to  the  user  the presence of a virus. So, if the
 user opens an infected file and  the virus  was resident, the user would see
 an uninfected  copy of the program, exactly  as it was before the infection.
 It was also good as  an anti-av technique. You don't need to know more about
 it, and i don't want to annoy you, and waste  bytes talking about old school
 methods. 

 ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
 ³ Is it viable under Win32 enviroments? ³
 ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

 Yes and no. The "yes" is because there is  a full stealth  virus  out there,
 called Zerg (sigh, this virus remembers me something...). AVPVE said that it
 was really buggy, but it was  full stealth indeed. The problem  of the virus
 (well, not problem at all, just a problem in general) is the fact that it is
 a Ring-0 virus, and as you should know (even an amoeba knows) that it's only
 for Win95 and  Win98 platforms (via the  security hole of the IDT and such).
 Well, i  said "it's not a problem at all", because  there  are  many  Ring-0
 viruses very widespread, as CIH is. But as i am always looking to the future
 i've seen it clear: Ring-0  viruses, aswell  as  DOS  virus, are dead. Don't
 misunderstand me,  nowadays  they aren't,  but  they have counted days. From
 Win2000 in advance, you  must say "good bye" to  the   real mode (for MS-DOS
 viruses fuck up) and to the holes for jump to Ring-0 (for the Ring-0 viruses
 fuck up). So, Ring-0 full stealth is  dead, and  this makes  us to be at the
 starting  position (where there was the VLAD honoured member Quantum when he
 made Bizatch), without a fucking idea of how to make it.

 We had an advance with  Ring-0 full stealth, and that  was the fact that any
 API uses the FSD  functions for access  files, and if we "blind" them there,
 thay have no chance for fuck us. But as  Ring-0 is dead, we  have to  search
 for other solutions.

 ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
 ³ A possible (but not effective at all) solution ³
 ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

 I was  thinking in  an approach a'la K32 (nIgr0's method) of  patching APIs,
 but  as  that doesn't work in NT (because that doesn't  let in  any  way  to
 manipulate memory outside the own process), so  i  had  to think about other
 ways. Then, i  remembered  some  thing  that one  of  my superior-beings, as
 Ypsilon is, taught me  about  Remote  Threads. Just think  about it: you are
 able to create a thread to another process that isn't your own,and i thought
 about  the  possibility  of  hook (via the  per-process method) all the file
 handling APIs, thus being able to blind them to the infected file. But still
 we have many problems with it, such as:

        a) we can't know all the APIs about file  handling, just because  any
           good coder could do his own using the File System functions direc-
           tly via windoze drivers.
        b) it would provoke a lot  of errors, uncompatibilities hardly evita-
           ble (ie mapping, etc)
        c) it wouldn't solve at all  the whole  problem, just because the  AV
           could easily write ways for avoid our annoying

 It could be made, it could be interesting, but it couldn't be the definitive
 solution to the problem.

 ÚÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
 ³ Final words ³
 ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

 By reading  this article, you realized that there  is no  fucking  solution,
 the full stealth as we know is dead. I don't like to  be too  much pesimist,
 but it's the  fucking truth. One  possible  solution is to achieve Ring-0 in
 WinNT/2k, but as it would  be surely  an exploit, the next SP (service pack)
 would fix it. Dead way. Sigh.

 Fuck, there's no chance, we'll be forced to make a WDM virus,and this is not
 a good idea...

 API level is a shit, it's limited, and we can't avoid that. We can so marve-
 lous things with it, but full  stealth is dead then. So, if the time doesn't
 say the opposite (i hope it will!) the full stealth is dead.

 - The boy you loved is the man that you fear -              (Marilyn Manson)

 ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
 (c) Billy Belcebu/IKX [15/12/99]        "i'm not a terrorist. i'm an artist"

 þ  URL  þ www.billybelcebu.org - www.beautifulpeople.cjb.net
 þ EMAIL þ billy_belcebu@mixmail.com - billy_belcebu@ikx4ever.org
 þ  IRC  þ irc-hispano #virus, undernet #virus #ikx