Insane Reality issue #8 - (c)opyright 1996 Immortal Riot/Genesis - REALITY.010

Article: Anti-Bait Techniques
Author: Rajaat [IRG]

% Anti-Bait Techniques by Rajaat [IRG] %
________________________________________

Yet another cool article from Rajaat. I can not but help and stress how 
important Anti-Bait techniques can be. This is not just true for DOS viruses
but Win95 ones aswell. The AV had it easy during DOS's reign - lets make
their life hell in Win95!

- _Sepultura_

=============================================================================

  % Measures against goat file creation % - by Rajaat

  What do you think what happens if your virus gets discovered by the AV
  community? They will try to discover what your virus infects, and what
  it doesn't infect. They want to know how deep the level of
  polymorphism goes and they want your virus in a clean bait file. To
  get your virus to infect a goat file, they will create a set of
  standard files. The last thing you want to experience is the fact that
  your virus gets isolated so easily. That's why you have to avoid these
  goat files.

  Avoiding goat files has quite a few advantages:

  ù It's not so easy to get a sample
  ù It's difficult to create multiple samples to analyse polymorphic
    viruses
  ù They can't infect a numbered file to add in their collection if
    there is a variant of the virus already
  ù They must debug the virus to see what kind of files it infects, and
    that's just the thing they try to avoid

  In the above points, you can see that anti-goat tricks targets the
  researchers directly, instead of the end user. This is an important
  target, because if a researcher has a clean sample of your virus, it's
  doomed.

  % How to avoid goat files? %

  Now, what can you do to avoid goat files? There are several ways to
  restrain your virus from infecting goat files. I will list some tricks
  here that can be used. Please note that this list is not complete and
  there are many more tricks, but these listed here will do great to a
  certain level.

  ù Avoid antivirus programs
        Because antivirus programs contain a selfcheck, these files
        must be avoided at all costs, unless you made a stealth virus
        that can trick the selfcheck. This anti-goat trick is targetted
        at end users, because they use antivirus software more than the
        researchers that are developing it.
  ù Avoid files with numbers in the filename
        Goat files that are created for polymorphic viruses often have a
        sequential number increase, to make many different infected
        files in order to test what possibilities a polymorphic virus
        can create.
  ù Avoid files with a recent date/time stamp
        Often goat files are created just before they will infected. If
        you avoid files with a date that is very recent, you can avoid
        a lot of goat files.
  ù Avoid files that are very short
        Researchers want their goat files to be as small as possible, in
        order to take up less disk space. Infect only bigger files, so
        they must have a huge harddisk to store the samples.
  ù Avoid files that are a certain length
        If researchers make goat files, they often take a "clean" size,
        like 100, 500, 1000, 2000, 5000, 10000 etc. bytes. There aren't
        many programs of that size, so better avoid these.
  ù Avoid infecting many files in a short time
        Keep a counter in your virus that keeps track of how many
        seconds ago it did infect a file. It's obvious that someone
        tries to infect goat files if there are many executions in a
        very short time. Use that counter to slow the infection of
        files.
  ù Don't infect files on logical devices
        Restrain from infecting on ramdisks. It's almost sure a
        researcher made a ramdrive in order to infect quickly some goat
        files.
  ù Infect only programs on a diskdrive
        This means that a researcher needs stacks of disks to generate
        enough samples.
  ù Avoid infecting files with a long array of the same bytes
        Many goat files have the same sequence of instructions or bytes,
        to fill it up to a certain length. If you avoid these files they
        have to make files with trash in it.
  ù Avoid infecting files that use INT 20h
        To make goat files as simple as possible, researchers often use
        the obsolete INT 20h instruction to return to DOS. No decent
        program uses this anymore, so avoid these files.
  ù Avoid infecting files that contain no normal COM/EXE code in their
    program start
        If you are smart, check if there is regular COM/EXE style coding
        in the file. This means you should avoid files that only prints
        a message and terminates. A program without conditional jumps in
        it is very likely to be a goat file. You can see this like a
        virus using heuristics.
  ù Avoid infecting files that contain a self check mechanism
        As with avoiding antivirus programs, you virus should have a
        list of files to avoid that use selfchecking methods, or your
        virus must be stealth enough to trick it.
  ù Avoid infecting EXE files with very few relocation items
        If an EXE file doesn't have many relocation items, you can be
        almost sure that it is a goat file, or the program is so short
        that it also could have been a COM file instead.
  ù Make your virus a slow infector
        It's a pain to get enough samples from a slow infector, because
        a researcher has got to copy every goat he has made.
  ù Make your virus polymorphic
        This forces a researcher to make many samples of your virus, in
        order to test their virus scanner. Combined with other anti-goat
        techniques this will make your virus hard to analyse.
  ù Make your virus a slow polymorpher
        If your virus uses the system date for some randomization, some
        scanners will miss your virus after a while, because they didn't
        count on some structure you build in your virus. Best is to make
        the first few instructions of your virus (not the decryptor)
        also polymorphic. This escapes the attention of the researchers.
  ù Infect files that have PASCAL or C structures
        Researchers don't use PASCAL or C files as goats, because there
        is too many trash code in them to clearly see the virus and
        disassemble it. The minimum size of these files are also very
        large and makes them not suitable for goat use.
  ù Infect files that are packed with PKLITE, LZEXE or DIET
        Researcher don't use packed files as goats, because of the same
        reason they don't use PASCAL or C files.
  ù Implement correlating abilities in your virus
        This is the most difficult possibility to include in your virus.
        Check if there are programs that bear many similarities between
        eachother. Let the virus build a table of common characteristics
        and if a file correlates with one in your database, don't infect
        the file. Be aware that you have to exclude packed executables
        (PKLITE files do correlate), PASCAL and C files (all TURBO
        PASCAL executables start with a serie of far calls), and other
        types of files that could not be goat files, but share common
	code.