


        updating through irc                              25-3-01   :lw!ikx:



        there are enough things to update your virus: downloading plugins
        for your advanced poly engine (?), adding extra functionality to your
        code (babylonia,etc.)... well the internet helped us a lot, erh?

        you can update using: www (babylonia), ftp (no clue), news (hybris),
        irc, and maybe more, or your self made protocol..

        the disadventages of the first ones, www & ftp, are this: often a
        specific server, and a specific file; easy to remove (attack your app).
        irc & news updaters are harder to stop; lot of channels / lot of
        news groups/messages.

        in this document i'll cover irc updating.


        first some ideas, then the tech stuff.

        your virus need to join a channel to find other viruses to talk with.
        (or even talking with you). what kind of channel do we pick? your 
        own, hardcoded one? i guess such channel can be blocked. But what
        if you make your 'bots' join #lotofpeople here? then it will make
        many people angry if the irc ops close that channel. your virus need
        everything to be random (name, ident) (no bans) but also not too
        random, what if 100 5xI2Sk87, s93cSo2S join? so you can create some
        good looking random nick generator. like creating multiple characters
        in once that belong to each other 'be' 'na' 'we' whatever, its up
        to you, but not too random. and maybe some 1 or 2 numbers on the end
        (lame newbie age style). well, if your bots join a 'public' channel,
        they need to recognize each other. if they msg random nicks with
        your recognition mark 'LW!l33tv1r.v.100' it won't be stealth ;)

        so lets do this: the nick of all bots contain some paddin character
        as checksum. seems ok to me, no?

        but hey, i have to cover something else too: calculating the crc32
        of the current date, and joining #crc32convertedtohex... or what
        ever. this method is hard to stop, since they (irc ops) has to disable
        365 channels, and they has to calculate all the posibilities. but
        it has a disadventage too; what if the pc date doesn't match? well you
        can else add some daytime server connecting shit... lot of work?


        well, you might now have an idea which channel you are gonna join,
        now think about the protocol.


        well, your app joins, and it says to the #chan something like:

        YourID-v.1.00

        or, if you joined a public #chatroom, it msg's to the other apps
        (nick recognizing?) its version.

        other apps lookup their own version, and if they have the highest
        one they msg it to the channel. then other apps lookup it too, etc.

        then they will wait after, lets say, 10 seconds if nobody else is
        gonna say that they are better, and then the lower version connect
        the highest one(s) (/dns).
      
        yeah, how do we actually update?
        
        we can:

        bin2hex/base64/etc the code     (size,much work)
        dcc                  (do you wanna be compatible with irc clients?!;)
        rawconnect                      (yeah!)

        why not, erh? we let our irc connecting app listen at a certain port
        (666 what ever) for connections. then all kinds of lame lowerversions
        connect to that port and download the newest version.

        well i guess this tells good the idea, ?


        ok, now some tech stuff (not all)

        no win32asm source here, sorry, its an article.

        0. start listening thread at choosen port for friends
        
        1. connect irc -> see the irc ref

        on irc you need to stay connected, the server pings you every xxx
        seconds/minutes, and you have to reply, with a pong. just if you
        receive a ping, replace the 'i' with a 'o' and send the buffer back.

        (btw, if you are testing, install a IRC server on your own pc/network)
        
        2. now we join the choosen channel.

        3. find our friends or the main channel (depends on the way you do)
           and msg our friends the version.

        4. just wait if a friend tells you his version.

        your listening thread will do the rest of all the stuff for you!




        and some other ideas:

        - use irc not for real updating, but for telling the url of the data

        - don't listen on a hardcoded port, but pass the port # over IRC

        - updating is attackable by modules that destroy/stop your app. use
          a kind of signing, using RSA or the crypto functions from windows.

        - add not only update functions, but also control functions and if
          you do that: a echo back to irc server function is enough for you
          if you wanna play with your childeren.


        well use your imagnation. i didn't include here win32asm snippets,
        because there is enough to find about winsocks & irc on internet
        (w32asm.cjb.net) and other magazines (xine,other mtx's,29a)

        good luck! 


        :lifewire / ikx -          lifewire@mail.ru           - ikx.cjb.net: