-=( ---------------------------------------------------------------------- )=- -=( Natural Selection Issue #1 ----------- Great Debate : Infection Theory )=- -=( ---------------------------------------------------------------------- )=- -=( 0 : Contents --------------------------------------------------------- )=- 0 : Contents 1 : Introduction 2 : Active vs Passive 3 : Devils Advocate 4 : Mass vs Targeted 5 : Devils Advocate 6 : Conclusion -=( 1 : Introduction ----------------------------------------------------- )=- For years, VXers have debated the merits of slow vs fast infectors, memory resident vs direct infectors, and many other different viral infection methods and strategies. This article would like to propose several new ways of looking at viruses, which lead to some new infection ideas. As befitting a "Great Debate", the ideas were run past some of the members of Feathered Serpents to play Devils Advocate and to get a second opinion. After countless emails and tens of hours of IRC "debate" and three rewrites, we highly advise that other virus groups not follow in these footsteps and try for similar articles. -=( 2 : Active vs Passive ------------------------------------------------ )=- What is the main purpose of a virus? Obviously, it's to spread. While it may be interesting to watch as a virus infect one file after another on a computer, one of the things that makes a virus most interesting is it's ability to get from one computer system to another. Typically how a virus has done this upto now, is to infect as many files as possible on a system. The virus then basically waits. Waits for a user who takes it and either sends it to somebody via email, floppy disk or whatever. How well does this system work? Well, if one is to gauge success of this method of infect and wait by number of computers infected, then we see clearly that viruses have lost their place to worms. The question immediate comes to mind: "why are worms more effective at spreading than viruses?" The best reason I can come up with is that worms are active in their own propagation - or what I'll call Active Infectors. Viruses usually are more passive and rely on users to spread them - hence Passive infectors. If you think about it, there really is no reason why viruses should play second fiddle to worms. They can do everything worms can do, and due to the fact that they are not stand alone binaries, they are much harder to detect and clean. A fast spreading active polymorphic or metamorphic virus could circle the globe before scanners could reliably pick it up. Now, that said, one of the nicest things about viruses is their stealthiness. I am of the opinion that stealth should not be compromised for infection. Thus, I do not like the idea of viruses which would email themselves with the "click virus.jpg.exe for a good time" messages. Subtly is important. So, to review, here are some of the ways that an active infector could spread: : infect all removable media (GetDriveType API - DRIVE_REMOVABLE) : infect all network drives (GetDriveType API - DRIVE_REMOTE) : use exploits and security holes to upload the virus (preferably to dirs which autorun files like C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP) : email (either new email, or add attachments to existing email) : upload to ftp : IRC /dcc send scripts : infect shared directories of popular servers like HTTP, FTP, P2P, IRC fservs, or files 'd by .html files. : infect all files accessed by any program with an internet connection One would have to point out that infection over the internet is much more effective than infecting floppies of course. The most effective method has proven to be using exploits of course (Code Red has proven that), but those are often difficult to get a hold of before patches are widely available. Most of the list is self explanatory. The last two are worth a second look. These methods do not result in immediate spreading, but they employing the method maximizes chances that someone gets an infected file from the infected computer. The astute observer will notice that the last point covers all cases of the point above it. This leads to an interesting infection technique... Notice that all HTTP, FTP, P2P, and any other kind of server shares two properties. First, they use the internet. That means it is a pretty good bet that they import WSOCK32.DLL. Second, they have to Find and/or Open Files before they can send anything anywhere. This means that hooking the CreateFile, FileFirstFile, FindNextFile APIs to a routine that infects the the files, then all files which are sent to anyone using that program will be infected. I believe that it is important for the long term survival to viruses to start more widely adopting active infection techniques. The fact that viruses are perceived to be less effective than worms, and even VBS or JS, probably drains coders from into these other areas, hence shrinking the pool of future virus writers. -=( 3 : Devils Advocate -------------------------------------------------- )=- I can understand the interest in active infection, but it is a technology that doesn't solve any problems, it only creates them. A virus will never be smart or subtle enough to decide how it should escape a host and reach another. Self initiated acts unrelated to user actions arouses immediate suspicion, both in technology indicators and people themselves. Code Red was a good example, it was a bright burning light of active infection for a few days before it aroused so much interest that antivirus software obliterated any chance it ever had of infiltrating high security installations (and staying there undetected). To take our example further, the same behaviour is seen time and time again in Tierra where a virus will become so succesful that it outproduces the hosts and forces itself to near extinction. Now think of biological viruses, which live longer? Something active like Ebola, or passive like Herpes? -=( 4 : Mass vs Targeted ------------------------------------------------- )=- Another way to look at viruses stems from the question: "Once the virus is on the system, what should it do now?" Most would answer this with "to infect any suitable files it can, of course". That is Mass Infection. Introducing "Targeted Infection", the alternative approach. Targeted infection can be thought of as trying to only infect the files that have a chance of escaping the system or will aid the virus in this. Afterall, if there are 175 file on the computer, is there a need to infect all of them? I mean, is there really a need to fill up a user's Harddrive with 175 copies of the virus when there is a realistic chance of passing along maybe only 40 of those files to anyone else? I just can't see the warez trade of C:\WINDOWS\SYSTEM\sucatreg.exe as too abundant - what is that file anyways? Oh well, nevermind... With each of the additional 135 files, not only do you use up diskspace, and clock cycles, by infecting them, but you also stand a increased risk of either corrupting some file or running into a file with a self-check, thereby calling attention to your virus which would surely lead to an early demise. And if you're concerned about running often enough, you can always infect the popular programs too. Working under the assumption that infection the most files possible is not necessarily a good idea, you have to target which files you wish to infect - thus the name "Targeted infection". The important question remains - which files are the ones that need to be infected? There are 2 aspects to exactly which files should be infected. The first is that only files which are capable of leaving a system should be infected. That happens to overlap with the types of files described in the active infector section. It also includes files which would help keep the virus alive and active on the host system - files that are run often, and preferably every time at startup. Probably the best and most overlooked way to infect all popular files on a system is to utilize the registry. A simple scan of applications associated with most file-types (HKEY_CLASSES_ROOT) will reveal almost all of the often used applications on a system, and infecting anything auto-run on startup will keep a virus active on every bootup. The second aspect to which files should be infected is applicable to both Mass and Targeted classifications. It deals with which file types should be infected. People have long ago stopped sharing their files by zipping up directories and sending it off to a user. These days, you download a zip file from a webpage, decompress it, then run an install program. In fact, it is often very hard to get a program working without the install program - we all know the mess installs like to make by dropping needed dlls into random directories and fiddling with your registry. This means it's often futile to zip up a directory containing a program an sending it to a friend. People do often keep copies of these original packages which include install files, "just in case" of an accident and the need for a re-install arises. It is this copy of the archive that they'd most likely pass on to others. That also means that a virus could be rampant on their system and have infected the program, but the person who gets the archive has nothing to worry about as they get a clean copy. Thus, in the interest of fairness :-P, it is necessary to start infecting archives. To infect, say a zip file, it will either be necessary to have some minimal knowledge of the file format and write a compressor/decompressor, or use the available compressor on the system. If you choose the easy way out and decide to try an find winzip on the system, then you can locate the directory you need by parsing the open command associates with .zip files in the registry and using WinZip. After being able to compress/view/decompress - in short use - the archives of your choice, you have one of 2 choices. Create a fake install.exe or setup.exe program (that calls the old one if present), or simply decompress all exe files in the archive, infect them, then update the archive. Beware of some of the larger setup.exe - they often get quite large and decompressing then is sometimes a slow process. Time is proving that ideas in viruses have to be re-examined. Viruses of the future will have to adapt. I think the most important part of that is for all viruses to infect archives. Polymorphic Active Infectors that infect archives are probably what will prove to be the best way for a virus to spread in the coming years. -=( 5 : Devils Advocate -------------------------------------------------- )=- I agree to Targetted Infection in whatever aspect avoids infecting bait files but purposely excluding other files just because they probably will not leave the system in a warez package, is bad for business. For polymorphic and metamorphic viruses, every copy of the virus is an extra chance of survival because of the less-than-perfect detection methods used by some scanners. Also, zip files are fairly common, but how many end users really understand what they are or how to use them? A large majority of non-warez programs downloadable from the internet come in self-extracting archives rather than straight files, and so viruses relying on this brand of Targetted Infection are probably going to go hungry. -=( 6 : Conclusion ------------------------------------------------------- )=- Viruses are no longer spreading as well as they used to. Things like worms and mass mailers are taking center stage. Since asm viruses are a lot more advanced code than 20 of so lines of VBS of JS, it is rather silly that they are not more effective at spreading then them. It might be time to re-examine some of the old ways of infection, and determine if they are still effective in the world today. If this debate made you think about that, then it has done it's job. -=( ---------------------------------------------------------------------- )=- -=( Natural Selection Issue #1 --------------- (c) 2002 Feathered Serpents )=- -=( ---------------------------------------------------------------------- )=-