_________ SWAT MAGAZINE ISSUE THIRTY ONE JULY 2000 __________
/ \___________________________________________/ \
/         Virus Writing Ethics and Terminology         \
/                     by EXE-Gency                     \
-----------------------------------------------------------------------

- - - = = = [ Virus Writing Ethics and Terminology by EXE-Gency ] = = = - - -
- - - = = = [             exegency@hotmail.com              ] = = = - - -

This article was written at the request of Chicane (c.h.r.i.s@btinternet.com) because he wanted to hear my personal reasons for writing viruses and my opinions on such things as artificial intelligence/life in relation to viruses. There are tons of texts about virus ethics floating around on the internet (mainly because it's easier to write an article on ethics than it is to actually code a virus). Anyway, if you're not interested in hearing my reasons and opinions on viruses then skip straight to the second section of this text, which explains some basic virus terminology.

==========
Contents
==========

þ Why write computer viruses?
þ Are computer viruses Artificial Intelligence/Life?
þ Opinions on destructive payloads

=============================
Why write computer viruses?
=============================

Just about every virus programmer in the world has their own reason for deciding to write viruses, and these people can be divided into two different groups.

The first group is made up of people who could already program in a virus-orientated language (usually Assembly or a variant of Visual Basic) and then decided to code viruses after accidentally becoming infected with one. These people are usually interested in viruses because they already understand the complexity of operating systems and programming languages and are prepared for the challenges that await virus programmers.

The second group is made up of people who couldn't program when they decided they wanted to be a virus programmer.
This may be because they have come into contact with a computer virus, or perhaps because they have read a virus-related zine or seen a film featuring a virus. (The excellent 'Hackers' film, perhaps? :) The number of people I have met who claim to be virus writers simply because they have added destructive payloads to other people's viruses, or simply because they have an idea for a 'cool virus payload', is huge. That's not to say that all people who want to write viruses 'because they are cool' are stupid and never get further than overwriting .COM infectors or altering other people's work, but this is the case with many such wannabes. This is simply because their motivations for writing viruses are usually all wrong: they want to write viruses to impress their friends or to cause destruction. Their lack of dedication often prevents them from progressing very far in the virus world.

Technically, there exists a third category of virus programmers who make their decision for miscellaneous reasons. These include programmers who write purely for 'political' reasons. Examples of such programmers existed in the former USSR, whose creations contained anti-communist or anti-capitalist slogans and essays. These people see viruses as both a challenge and as a mode of transport for their political opinions. Although I personally have nothing against people who use viruses to convey political opinions, I have my doubts whether the message is ever conveyed successfully. When an infected program is run and the payload produces the message 'Legalise Cannabis' or 'Promote Communism', will the user actually be affected by the political/social message, or will they simply consider the writer to be an anarchist with invalid political opinions?

Personally, I fall somewhere between the three types of virus programmer.
I could already program in a couple of non-virus programming languages (QBasic and Pascal, as opposed to Assembly or Visual Basic) before I came into contact with a virus zine and decided to write viruses. Obviously this means that I fall predominantly into the second category of programmer, who based their decision on the fact that writing viruses 'would be cool'. Although this was my major motivator to begin with, I have since begun to appreciate the challenges that face those developing computer viruses, and that the process of defeating a particular aspect of an anti-virus program or operating system is far more exciting than trashing a hard disk.

====================================================
Are computer viruses Artificial Intelligence/Life?
====================================================

In the above section I detailed the three main reasons that people have for writing viruses, but some people claim to have an 'interest' (as opposed to actually coding) in computer viruses because they consider them to have a link with Artificial Intelligence (AI) or Artificial Life (AL).

Firstly, are computer viruses artificially intelligent? In my opinion they are obviously not. A computer system or program that is classified as 'intelligent' should be able to exhibit the characteristics of intelligence. See below for the technical definition of 'intelligence' (http://www.dictionary.com/cgi-bin/dict.pl?term=intelligence):

    Intelligence
    in`tel`li`gence (n-tl-jns) n. Abbr. int., I
    The capacity to acquire and apply knowledge.
    The faculty of thought and reason.
    Superior powers of mind. See Synonyms at mind.
    Theology. An intelligent, incorporeal being, especially an angel.
    Intelligence. Christian Science. The primal, eternal quality of God.
    Information; news. See Synonyms at news.

From the above definition of intelligence, it should be clear that most computer viruses do not exhibit the qualities required to be classified as intelligent.
Although viruses can exhibit the ability to apply knowledge, this is simply achieved by a single list of computer instructions. Computer viruses are currently incapable of doing anything that they are not specifically programmed to do. Another aspect of intelligence (one which I personally think is the most important quality) is the ability of an intelligent lifeform to learn from its mistakes and alter its future course of action accordingly. Once again, computer viruses fall far short of this quality, as they are only capable of performing the specific tasks and methods detailed in their source code. A number of virus programmers have successfully written viruses which are able to obtain updates and advancements to their own code by automatically connecting to a website upon connection to the internet. Whilst this kind of virus may be considered to be 'evolving', it is not doing so of its own accord. Perhaps a virus that is truly capable of evolution will exist some time in the future, but for now it is little more than science fiction.

Whilst the argument of whether computer viruses exhibit the qualities of artificial intelligence is (in my opinion) a relatively straightforward one, deciding whether they can be classed as artificial life is a little more complicated. Most examples of computer-generated life are simply simulation programs that show how a lifeform replicates, mates or kills. Such simulations are designed to show how a pseudo-population survives under certain conditions (often a set number of predators, food resources etc.). Computer viruses could easily be classed as artificial life, but this is not a particularly spectacular feat. Whilst they are a simulation of replicating life, they are obviously not alive, nor do they possess consciousness or display signs of intelligence.
==================================
Opinions on destructive payloads
==================================

Probably the most common point with regard to virus writing ethics is the subject of destructive payloads. Firstly I will examine the 'scientific' reasons (as opposed to the ethical reasons) for not including destructive payloads in viruses.

The most obvious problem with destructive viruses is their ability to make the virus itself extinct. A virus that wipes the hard disk or BIOS on a particular date will often cause the user to reformat their hard disk (often unnecessarily) and reinstall their operating system and program files. The user will probably be up and running within a few hours or days, whereas the virus will now be extinct from the machine. (The obvious exception to this rule would be if the user restored their hard disk with previously infected files. Bearing in mind that much large software is shipped on CD (read-only media), the likelihood of re-infection is relatively low.) If, however, the virus had been non-destructive, there is every chance that the virus could remain on the machine for months (or in some cases even years) before being detected and removed.

The ethical justification for writing harmless viruses is extremely obvious. Destroying people's data indiscriminately, purely for fun, causes nothing but discomfort for computer users and gives the virus writer a bad name. Is writing a virus with a hard disk trashing routine any more intelligent, or does it require any more programming talent, than using WinNuke or another DoS (Denial of Service) program? Also, if you study the documentation that ships with each and every anti-virus software package you will see lashings of comments like 'viruses are dangerous', 'viruses are destructive' and so on. Whilst some viruses do contain destructive payloads, many good (technically proficient) programmers choose not to include hard disk trashing routines.
Adding destructive payloads does little more than fill the pockets of anti-virus companies. With destructive viruses causing a media frenzy, the anti-virus companies can simply pump up the paranoia and reap the users' money.

-----------------------------------------------------------------------------

This second section of this text file details some of the most common terms in the virus and anti-virus world. Another UK virus writer called Ruzz from the Shadow Virus group wrote a similar text recently, but in my opinion it did not contain many of the terms that I consider relevant to the virus scene.

==========
Contents
==========

þ Anti-Debugging
þ Anti-Heuristic
þ API
þ Assembly
þ Assembler
þ Boot Sector Infector
þ Companion
þ Delta Offset
þ Dropper
þ Encrypted
þ File Infector
þ Header
þ Heuristic
þ High Level Language
þ HTML (Hyper Text Markup Language)
þ IRC (Internet Relay Chat)
þ Low Level Language
þ Macro
þ Master Boot Record Infector
þ Metamorphic
þ Multipartite
þ Multi-Platform
þ Over-Writing
þ Parasitic
þ Payload
þ Polymorphic
þ Run-Time
þ Scan String
þ Spawning
þ Stealth
þ Trojan
þ TSR (Terminate and Stay Resident)
þ Updateable
þ VDAT (Virus Database)
þ Virus
þ Virus Generator
þ Win32Asm
þ Worm

================
Anti-Debugging
================

Anti-debugging techniques are simply those that are designed to make viruses more difficult to disassemble and debug. This makes them more difficult to detect by heuristic scanners and awkward for anti-virus staff to study the code.

================
Anti-Heuristic
================

A heuristic virus scanner is one that applies a set of rules to each file scanned in order to attempt to verify whether it is infected or not. Typical heuristic scanners will search for code that appears to calculate a delta offset. Heuristic scanners were designed to detect polymorphic viruses that could not be detected by normal scan string methods.
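An added example (my own Python, not code from the article or from EXE-Gency) of the point made in the Anti-Heuristic entry: a scan string matches one generation of a constant decryptor but not a junk-padded generation, while a rule that looks for delta-offset code (a call to the very next instruction followed by a pop) still fires on both. The two sample generations, the benign sample, the 'MZ' check rule and the scan string are constructed 16-bit x86 byte strings of my own, not bytes from any real virus.

```python
import re
# Standard 16-bit x86 opcode bytes the rules look for.
JUNK = {0x90, 0xF8, 0xF9, 0xFC, 0xFD}   # nop, clc, stc, cld, std: harmless to the decryptor
POP_REG = range(0x58, 0x60)             # pop ax .. pop di
MZ_CHECK = re.compile(rb"\x3dMZ|\x81\x3e..MZ", re.DOTALL)  # cmp ax,'ZM' / cmp word ptr [m],'ZM'

# Constructed plaintext "body": mov ah, 4Ch / int 21h (a DOS exit), nothing more.
PLAIN = bytes.fromhex("B44CCD21")

# Generation 1: constant decryptor, body XORed with key 37h (addresses assume a .COM at 100h).
GEN1 = bytes.fromhex(
    "E80000"    # call GetDelta      (rel16 = 0: the target is the next instruction)
    "5D"        # GetDelta: pop bp   (bp = run-time address of GetDelta)
    "81ED0301"  # sub bp, 0103h      (assembly-time address of GetDelta)
    "3D4D5A"    # cmp ax, 'ZM'       (tests for the 'MZ' EXE header signature)
    "B90400"    # mov cx, 4          (body length)
    "8DB61801"  # lea si, [bp+0118h] (run-time address of the body)
    "803437"    # xor byte ptr [si], 37h
    "46"        # inc si
    "E2FA"      # loop back to the xor
) + bytes(b ^ 0x37 for b in PLAIN)

# Generation 2: the same decryptor logic with junk between instructions and key 9Ch.
GEN2 = bytes.fromhex(
    "E80000" "90"         # call GetDelta; junk nop
    "5D" "F8"             # pop bp; junk clc
    "81ED0401"            # sub bp, 0104h (GetDelta moved one byte because of the nop)
    "3D4D5A" "FC"         # cmp ax, 'ZM'; junk cld
    "B90400"              # mov cx, 4
    "8DB61C01" "F9"       # lea si, [bp+011Ch] (body moved four bytes); junk stc
    "80349C" "46" "E2FA"  # xor byte ptr [si], 9Ch; inc si; loop
) + bytes(b ^ 0x9C for b in PLAIN)

BENIGN = bytes.fromhex("B409BA0001CD21B44CCD21")  # constructed: print a string, then exit
SCAN_STRING = bytes.fromhex("3D4D5AB904008DB6")   # cmp / mov cx / lea, copied from GEN1

def scan_string_match(data, sig=SCAN_STRING):
    """The classic scanner: the exact byte sequence must appear in the file."""
    return sig in data

def _skip_junk(data, i):
    while i < len(data) and data[i] in JUNK:
        i += 1
    return i

def delta_offset_heuristic(data):
    """Index of a 'call <next instruction>; pop reg' pair (junk tolerated), else None."""
    for i in range(len(data)):
        if data[i] != 0xE8:
            continue
        for width in (2, 4):            # rel16 (DOS) or rel32 (Win32) displacement of zero
            if data[i + 1:i + 1 + width] == b"\x00" * width:
                j = _skip_junk(data, i + 1 + width)
                if j < len(data) and data[j] in POP_REG:
                    return i
    return None

def mz_check_heuristic(data):
    """True if the code compares something against the 'MZ' header signature."""
    return MZ_CHECK.search(data) is not None

def junk_tolerant_match(data, sig=SCAN_STRING):
    """Scan string applied after dropping junk opcodes. Caveat: a data byte equal to a
    junk opcode (e.g. a key of 90h) is dropped too, so this is only a heuristic."""
    return sig in bytes(b for b in data if b not in JUNK)

def verdict(data):
    """Names of the rules that fire on the given code."""
    checks = [("scan-string", scan_string_match(data)),
              ("delta-offset", delta_offset_heuristic(data) is not None),
              ("mz-check", mz_check_heuristic(data)),
              ("junk-tolerant-scan-string", junk_tolerant_match(data))]
    return [name for name, hit in checks if hit]
```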
=====
API
=====

APIs (Application Programming Interfaces) are functions built into the Windows 95, 98, 2000 and NT operating systems. Examples of APIs include those for opening files, sending data across the internet etc.

==========
Assembly
==========

Assembly is a low level programming language and a common choice for virus writers. The language provides direct access to the operating system and computer hardware whilst being extremely small, efficient, fast and nimble.

===========
Assembler
===========

An assembler is simply a program that is used to convert source code written in Assembly into an executable file, much in the same way that a compiler is used for converting source code written in high level languages into an executable format. Typical assemblers include Borland's Turbo Assembler, Microsoft's Macro Assembler, A86 and NASM.

======================
Boot Sector Infector
======================

A boot sector infector is simply a virus that installs itself in the boot program of a disk. When this disk is booted from, the virus will be executed, whereupon it shall remain resident (TSR) and infect other disks that are read from or written to. The main advantage of boot sector viruses compared to macro and file infector viruses is that they can go resident before anti-virus software does. Boot sector viruses are also often capable of infecting master boot records.

===========
Companion
===========

A companion virus is one that does not actually 'infect' a file, but instead companions it. This simply means that it places itself in the original position of an executable file. When a user attempts to run the original file, the virus spreads to infect more files before executing the file that it originally companioned.

==============
Delta Offset
==============

When a file infecting virus adds its code to an executable program, the offset (address) of various pieces of data will change.
For example, if the original offset of a particular piece of data is normally at offset 500h but the virus is appended to a file that is 1000h bytes long, then the new offset of the data will be 1500h. The delta offset is simply the entry point of the appended virus, so it can be calculated by analysing the IP (Instruction Pointer) register. However, because it is not possible to simply 'mov' the IP into another register, it must be obtained by use of the 'call' instruction:

------------------------------
        call    GetDelta            ; pushes the address of the next instruction
GetDelta:
        pop     bp                  ; bp = run-time address of GetDelta
        sub     bp, offset GetDelta ; minus the assembly-time address = delta offset
------------------------------

The above code calls a procedure immediately after it (causing the Flags, CS and IP registers to be pushed to the stack) before popping the IP into BP. The offset of 'GetDelta' is then subtracted from the value in BP to obtain the delta offset. This value can then be used for obtaining the true offset of pieces of data:

------------------------------
        lea     dx, [bp + Data]     ; dx = run-time address of Data
------------------------------

The code used to obtain the delta offset is commonly used by virus programmers and therefore triggers many heuristic scanners.

=========
Dropper
=========

A dropper program is one that has been deliberately infected with a virus in order to distribute it. Dropper programs are then uploaded to Bulletin Board Systems or web sites, or distributed via other means, so that visitors who download and execute the program will become infected with the virus.

===========
Encrypted
===========

An encrypted virus is one that encodes some of its body to prevent easy disassembly of the code. By using a varying encryption key, each generation of the virus will contain a virus body that 'looks' different. However, for the encrypted body to be decrypted, a non-encrypted decryptor at the start of the virus must be executed, and this section of code will not change.
Because the decryption routine does not change with each generation, a scan string of this section of code could be used by anti-virus programs to detect the virus. To overcome this, polymorphic viruses were created.

===============
File Infector
===============

A file infecting virus is one which infects computer files (usually .EXE, .COM, .BAT, .HLP, .CAB etc.). This is as opposed to boot sector, master boot record or macro viruses.

========
Header
========

A header is a section of code contained at the top of a file to specify the file's layout and configuration. .EXE files under DOS and Windows contain a header which must be altered for successful infection and put back to its original settings for the original host program to be executed without error.

===========
Heuristic
===========

Heuristic virus scanners were invented to thwart polymorphic viruses which could not be detected by a scan string. A heuristic virus scanner analyses an executable file and makes a judgement on whether it contains code that might be a computer virus. Files that contain code for calculating the delta offset, or for analysing the first two bytes of an .EXE file's header for the characters 'MZ', would trigger many heuristic scanners.

=====================
High Level Language
=====================

A high level language is a programming language where a single programming instruction translates to a number of machine code instructions. High level languages such as Pascal, C and Visual Basic are debatably easier to program in than the low level language Assembly, but do also make it more difficult to interact directly with the operating system. For this reason, it is difficult to write viruses that are (for example) polymorphic.

===================================
HTML (Hyper Text Markup Language)
===================================

HTML is a markup language that is used for displaying documents on the world wide web.
Although viruses cannot be written in HTML, HTML documents can contain short virus scripts written in Visual Basic Script (VBS) or JavaScript. Upon opening an infected HTML document, the virus script is executed and can search for and infect other HTML files. Some programmers have written virus droppers in HTML (VBS/JS) so that viruses and trojans can be dropped from websites.

===========================
IRC (Internet Relay Chat)
===========================

IRC is an internet chat system which allows groups of users to converge in chat rooms to discuss or chat. Many IRC clients (including mIRC and Pirch) support a scripting language which allows you to manage IRC more easily. However, it is also possible to create IRC scripts that automatically send copies of a virus to other users that join or leave the same room as an infected user.

====================
Low Level Language
====================

A low level language is one that closely mimics machine code. See Assembly for more details.

=======
Macro
=======

A macro is a short program written in a dialect of Microsoft Visual Basic that can be embedded into Microsoft Office documents (Word (.DOC), Excel (.EXL) and Access (.DB) files can all contain macros). Viruses written in VB can be installed in Microsoft Office documents and executed upon opening the file. At this point, the virus can infect other Office documents that are opened.

=============================
Master Boot Record Infector
=============================

A Master Boot Record (MBR) is effectively the hard disk equivalent of a boot sector on a floppy disk.

=============
Metamorphic
=============

A metamorphic virus is one that can change its shape by substituting existing instructions for different ones that do the same thing. This means that a virus can avoid scan-string anti-virus scans without inserting junk instructions between existing ones.
For example, the instruction:

------------------------------
        mov     ax, 100h            ; move 100h into the AX register
------------------------------

...could be replaced with:

------------------------------
        xor     ax, ax              ; set AX to zero
        add     ax, 100h            ; add 100h to AX
------------------------------

A fully metamorphic virus would be able to exchange all instructions in its body (not just the decryptor). Such a virus has not, to my knowledge, been created.

==============
Multipartite
==============

A multipartite virus is one that can infect both files and boot sectors/master boot records.

================
Multi-Platform
================

A multi-platform virus is one that can infect files on different operating systems. The most obvious examples of multi-platform viruses are macro viruses, which can infect Office documents on Windows or Macintosh computers.

==============
Over-Writing
==============

An overwriting virus is one which copies itself over the top of programs during the infection process. Because the original program is destroyed and will never run properly again, overwriting viruses are extremely rare in the wild.

===========
Parasitic
===========

A parasitic virus is one which does not overwrite the files that it infects. Because the original program will execute as normal after the virus has, parasitic viruses have a far greater chance of spreading.

=========
Payload
=========

A payload is a section of code contained within some viruses which only gets executed on a particular date or because of some other condition. Some viruses contain destructive payloads which wipe the hard disk or delete files on a specific date, whilst some programmers choose to include graphical payloads or no payloads at all in their creations.

=============
Polymorphic
=============

Polymorphic viruses were created to combat anti-virus programs which used scan strings to detect viruses. Polymorphic viruses are those which alter the decryption routine at the top of the virus, to prevent anti-virus programs from being able to detect it by means of a scan string.
The most obvious method of achieving this is to insert a number of junk instructions between the real ones of the decryptor. Because the junk instructions will have no effect on the actual decryptor, the virus body will still be deciphered correctly, although each generation of the virus will have a different 'looking' decryptor. To combat polymorphic viruses, heuristic virus scanners were created.

==========
Run-Time
==========

A run-time virus is one which searches for and infects files immediately upon execution of the host program. Once files have been infected, the virus runs the original host program. The main problem with run-time viruses is that they often only have access to a small number of files, whereas TSR viruses have access to all files that are executed after the virus.

=============
Scan String
=============

A scan string is a section of unique bytes which only appears in a specific virus. Old virus scanners used these to detect viruses before the invention of polymorphics.

==========
Spawning
==========

See Companion.

=========
Stealth
=========

Stealth techniques are those which viruses adopt to make themselves less detectable. The most obvious run-time stealth techniques are restoring file time/date stamps and attributes, whilst TSR viruses can disinfect files when anti-virus programs open infected files.

========
Trojan
========

A trojan is any program which appears to do one thing whilst secretly doing another. Trojans can create backdoors, log passwords or even drop viruses. However, they are not technically viruses themselves, because they do not infect executable files.

===================================
TSR (Terminate and Stay Resident)
===================================

A TSR virus is one which continues to run in the background after its initial execution (as opposed to a run-time virus, which only infects files immediately after its host program's execution).
The main advantage of TSR viruses is their ability to infect all files (or disks, if the virus is a boot sector or master boot record infector) that are opened or executed whilst the virus is in memory.

============
Updateable
============

An updateable virus is one that can upgrade itself so that it can become more advanced or avoid existing detection. Such viruses must have internet capabilities and connect to the author's website from which to download upgrades.

=======================
VDAT (Virus Database)
=======================

VDAT is a comprehensive database of writers, groups, sites, interviews and articles regarding computer viruses. The database is published by Citarix and is downloadable from http://www.vdat.cjb.net.

=======
Virus
=======

A virus is an executable piece of code which, upon execution, adds itself to the code of other executables. Any kind of media which contains executable code and is not read-only can be infected. This includes programs, boot sectors, master boot records and other formats.

=================
Virus Generator
=================

A virus generator is a program which is capable of either mass-producing virus source/binary code or creating a specific virus to the user's specifications.

==========
Win32Asm
==========

Win32Asm is the 'dialect' of the Assembly programming language which runs on Windows 95/98/2000 or NT.

======
Worm
======

A worm is a piece of code which can replicate without infecting. Examples of worms include the 'LoveBug', which did not actually add itself to the executable code of programs.

-----------------------------------------------------------------------------

Questions, comments etc. to exegency@hotmail.com

Greets to all the usual peeps I know: SWAT, Oblivion, AS, shadowvx etc.
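An added example (my own Python, not code from the article or from EXE-Gency) of how a scanner can undo the instruction substitution shown in the Metamorphic entry above: equivalent instruction sequences are rewritten to one canonical form before comparison, so 'xor ax, ax / add ax, 100h' and 'mov ax, 100h' compare equal. The rule set, the function names and the sample instruction lists are my own constructions and cover only a few 16-bit substitutions.

```python
import re
IMM = re.compile(r"^[0-9][0-9a-f]*h?$")   # MASM-style immediate: 4, 100h, 0a0h

def parse_imm(text):
    return int(text[:-1], 16) if text.endswith("h") else int(text, 10)

def fmt_imm(value):
    """Canonical immediate: lowercase hex with an h suffix, leading 0 if it starts with a letter."""
    s = f"{value:x}h"
    return s if s[0].isdigit() else "0" + s

def parse(line):
    """'mov ax, 100h ; comment' -> ('mov', ['ax', '100h']) with immediates canonicalised."""
    line = line.split(";", 1)[0].strip().lower()
    if not line:
        return None
    parts = line.split(None, 1)
    ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
    return parts[0], [fmt_imm(parse_imm(o)) if IMM.match(o) else o for o in ops]

def normalize(lines):
    """Rewrite equivalent instruction sequences to one canonical form (16-bit arithmetic)."""
    out = []
    for mn, ops in filter(None, map(parse, lines)):
        if mn == "nop":                                   # pure junk
            continue
        if mn in ("xor", "sub") and len(ops) == 2 and ops[0] == ops[1]:
            mn, ops = "mov", [ops[0], fmt_imm(0)]         # xor r,r / sub r,r zero the register
        if mn == "pop" and out and out[-1] == ("push", ops):
            out.pop()                                     # push r; pop r cancels out
            continue
        if (mn == "add" and out and out[-1][0] == "mov" and out[-1][1][0] == ops[0]
                and IMM.match(ops[1]) and IMM.match(out[-1][1][1])):
            total = (parse_imm(out[-1][1][1]) + parse_imm(ops[1])) & 0xFFFF
            out[-1] = ("mov", [ops[0], fmt_imm(total)])    # mov r,a ; add r,b -> mov r,a+b
            continue
        out.append((mn, ops))
    return [f"{m} {', '.join(o)}" if o else m for m, o in out]

def same_logic(a, b):
    """True if two instruction lists normalise to the same canonical sequence."""
    return normalize(a) == normalize(b)

# Constructed samples: GEN_B is GEN_A after the substitutions the Metamorphic entry describes.
GEN_A = ["mov ax, 100h", "mov cx, 4", "int 21h"]
GEN_B = ["xor ax, ax        ; set AX to zero",
         "nop",
         "add ax, 100h      ; add 100h to AX",
         "push cx", "pop cx",
         "sub cx, cx", "add cx, 4",
         "int 21h"]
GEN_C = ["mov ax, 200h", "mov cx, 4", "int 21h"]   # a different program, not a rewrite
```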