ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Xine - issue #5 - Phile 108 ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ I dunno how the idea I had could make anything more easy that it is for now, but I find it quite funny and interestin to deepen. For now, some of you (sorry billy =]) are going to think ring0 is dead, and even if I don't work on that topic now, I think it's still meaning power on crimo$oft stuff, even if it cannot be reached with a standar EXE... The stuph I'm talking about is quite derived from multi-parties virus, and I made it when I wondered on how to infect BMP and MP3 and .... it werks =) (I renamed this text, cuz "TXT infection" don't sound that serious =P) Now, lets explain, the virus is divided in several levels, and each levels has its particularities and way of work. For explaination, lemme give you an example of what could be done. ------------------------------------------- 1st level: executable : An infected PE phile should in fact only change a VXD, not by infecting him, but only by changing some bytes in it, only put a small function in it that is called every times VxD is launched. 2nd level: VxD : The function in the VxD is, in fact, a hook on "open-file"... I remember that all philes are opened even to see the icon that is in here, so each philes seen in the right panel of the explorer will be opened while browsing. That hook will, when phile is opened, search for a signature in it. That signature could be sumthin like a CRC or anything you like, try to align it so that the infected puter don't spend 5 minutes on each phile viewed in the explorer. When signature is found, you read some header, load some code (from phile) and execute it. 3rd level: any phile : Here become stuph, you can put in this file all whatever you like, but there are the main points: -infect all EXE so that they got the "VxD changing" feature -put in all BMP, MP3, HTML and all what u like the signature and your code. ------------------------------------------- GENERALisation: Here, the split EXE/VxD is done fer ring0, but noone are essential, the most important split is executable/data philes. You could even split it more, the purpose is that, in Executables philes, the code to execute is the smalest as possible. Notice also that VxD changing feature could be in any executable stuph (macros?). ------------------------------------------- Some ANALYSIS: weak points: -it's obvious, spreading is quite slow -the signature can be easily found by an AV (stealth?), or could even already be in an uninfected phile, but it's quite rare. gewd points: -The part in VxD can be, if well coded, as small as 100h bytes (even least) so that it can be integrated in all small holes of VxD (cuz they have, like PE); I mean this could be easy to hide it quite "perfectly". -Idem for the PE part -To spread a new virus, you just have to change yahoo's banner =) ------------------------------------------- SO, it's a very slowly spreaded kind of virus, but if well done, can be very stable, there are ways to make EXEs un-disinfecable. Also, once a computer is infected, you will be able to make him run quite anything only by givin him for example an "infected" HTML, easy if you give the user a page to see. ------------------------------------------- Notes: 1st - That text was written by n0ph on the 18-04-00 1:09, for IKX, for XINE5. 2nd - tell me how my ideas are lame at n0ph@ikx4ever.org 3rd - That's all folks!