The Algorithm of Virus Operation

Close the manual on the PE format; you won't need it for the moment. The insertion method considered here works as follows: the virus creates an additional (alternate data) stream within the target file, copies the main file body into it, and overwrites the original file body with shellcode that passes control to the stashed body. Such a virus will operate only under Windows NT/2000/XP and only on NTFS disks. If an infected file is copied to a FAT partition, only the main stream is copied, so the original contents of the file are lost, and that is a catastrophe. The same happens when the file is archived with ZIP or any other compressing utility that does not support streams. WinRAR does support streams: when archiving, go to the Advanced tab of the Archive name and parameters window and set the Save file streams checkbox if you want the streams preserved (Fig. 22.2).

Figure 22.2: WinRAR is capable of archiving streams
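The stream manipulation described above, as an added example that is not part of the book, followed by the checks a defender would run. PowerShell's -Stream parameters wrap the same file:stream syntax that CreateFile accepts; the scratch-file path, the stream name body and the stub text are assumptions for the demonstration.

```powershell
# Added example, not code from the book. Exercises the stream mechanics
# described in the text on a harmless scratch file, then runs the checks a
# defender would run. Assumes Windows PowerShell 5.1 or later; paths assumed.
$ErrorActionPreference = 'Stop'
$scratch = Join-Path $env:TEMP 'ads-demo.txt'

# Refuse to proceed on anything but NTFS: FAT/exFAT have no named streams, so
# the "stashed" body would simply vanish, as the text warns.
$root = (Get-Item $env:TEMP).PSDrive.Root
$fs   = (New-Object System.IO.DriveInfo $root).DriveFormat
if ($fs -ne 'NTFS') { throw "volume $root is $fs, not NTFS; aborting" }

# Step 1: the victim's main (unnamed) stream holds the real content.
Set-Content -Path $scratch -Value 'original file body' -NoNewline
# Step 2: copy the main body into a named stream ("file:body" in Win32 terms).
Set-Content -Path $scratch -Stream 'body' -Value (Get-Content -Path $scratch -Raw) -NoNewline
# Step 3: overwrite the main stream with the stub that would pass control on.
Set-Content -Path $scratch -Value 'stub: transfer control to the body stream' -NoNewline

# What stream-unaware tools see, versus what is really in the file.
Get-Content -Path $scratch -Raw
Get-Content -Path $scratch -Stream 'body' -Raw

# Defender check 1: list every stream on the file. A plain file carries only
# the unnamed ':$DATA' stream; downloads may also carry 'Zone.Identifier'.
Get-Item -Path $scratch -Stream * | Select-Object Stream, Length

# Defender check 2: sweep a tree for executables with any other named stream.
Get-ChildItem -Path $env:TEMP -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
    Select-Object FileName, Stream, Length

# The ZIP caveat from the text: round-trip through an archive and list again.
$zip = Join-Path $env:TEMP 'ads-demo.zip'
$out = Join-Path $env:TEMP 'ads-demo-out'
Compress-Archive -Path $scratch -DestinationPath $zip -Force
Expand-Archive -Path $zip -DestinationPath $out -Force
Get-Item -Path (Join-Path $out 'ads-demo.txt') -Stream * | Select-Object Stream, Length

Remove-Item -Path $scratch, $zip, $out -Recurse -Force
```

Run it in an elevated or ordinary session on an NTFS volume. The first enumeration shows both the unnamed stream and body; the enumeration after the ZIP round-trip shows only the unnamed stream, which is the data-loss case the text describes for stream-unaware archivers. The sweep in check 2 is the practical detection: an executable whose only streams are not :$DATA and Zone.Identifier deserves a closer look.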

There is another problem: Windows locks the image of every running executable, so if the virus attempts to write itself into explorer.exe or firefox.exe while it is running, the write fails with a sharing violation. From the virus's point of view, that's too bad. However, a cunning virus will find a way out. The locked file cannot be written, but it can be renamed: the loader maps the image without forbidding delete access, and a rename needs only that. For example, the virus might take explorer.exe and rename it shutdown. Then the virus creates a new file named explorer.exe, places the virus body into the main stream of the newly created file, and copies the original contents of explorer.exe into an additional stream. After the next system start-up, the explorer.exe file created by the virus takes control, and the shutdown file can then be deleted. It is possible to leave the shutdown file in place; however, it might attract the attention of a vigilant user or an antivirus monitor.
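The rename trick from the paragraph above, as an added example that is not part of the book. It uses a throwaway copy of cmd.exe in place of explorer.exe so nothing on the system is modified; the directory, the names victim.exe and shutdown, the stream name body and the marker text are assumptions.

```powershell
# Added example, not code from the book. Reproduces the rename trick on a
# throwaway copy of cmd.exe instead of explorer.exe, so nothing on the system
# is touched. Assumes Windows PowerShell 5.1 (-Encoding Byte; PowerShell 7
# uses -AsByteStream) on NTFS; directory and file names are assumed.
$ErrorActionPreference = 'Stop'
$dir    = Join-Path $env:TEMP 'rename-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$target = Join-Path $dir 'victim.exe'
$parked = Join-Path $dir 'shutdown'
Copy-Item -Path "$env:SystemRoot\System32\cmd.exe" -Destination $target -Force

# Run the copy: the loader maps the image, which is the "lock" the text means.
$proc = Start-Process -FilePath $target -ArgumentList '/k' -WindowStyle Hidden -PassThru
Start-Sleep -Seconds 1

try {
    # Writing into a mapped image is refused with a sharing violation.
    try {
        [System.IO.File]::OpenWrite($target).Dispose()
        Write-Warning 'unexpected: obtained a write handle'
    } catch [System.IO.IOException] {
        "write refused: $($_.Exception.Message)"
    }

    # Renaming needs DELETE access, which the loader's open does not forbid,
    # so the running file can be moved out from under its own name.
    Rename-Item -Path $target -NewName 'shutdown'

    # The original name is free: create the replacement, put the "virus body"
    # (a harmless marker here) in the main stream, and stash the real
    # executable in a named stream, as the text describes.
    Set-Content -Path $target -Value 'stub body that would jump into the stream' -NoNewline
    $bytes = [System.IO.File]::ReadAllBytes($parked)   # reading a mapped image is allowed
    Set-Content -Path $target -Stream 'body' -Value $bytes -Encoding Byte
    Get-Item -Path $target -Stream * | Select-Object Stream, Length

    # The parked original is still running and still locked; it could only be
    # deleted after its process exits (after the reboot, in the text).
    Get-Process -Id $proc.Id | Select-Object Id, ProcessName
} finally {
    Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    $proc.WaitForExit()
    Remove-Item -Path $dir -Recurse -Force
}
```

The two outcomes side by side are the point: OpenWrite on the running image fails, Rename-Item on the same file succeeds, and afterwards the directory contains a freshly created victim.exe whose named stream holds the original image. From a detection standpoint, a new file appearing under a running process's original path, plus an orphaned file with no extension next to it, is exactly the pattern the text says a vigilant user or monitor would notice.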

Now it is time to explain the problem with antiviral monitors. Insertion into the file is only half of the job, and not the harder half. The virus writer must also figure out how to neutralize the various antivirus scanners and monitors. Nothing could be simpler: lock the file immediately after start-up and keep it locked for the entire session, until the reboot. Antivirus software that opens files through the ordinary CreateFile path is then unable to open the file and, consequently, unable to detect its modification. The lock can be established in several ways, from calling CreateFile with dwShareMode set to 0 (no sharing allowed) to the LockFile/LockFileEx functions, which lock byte ranges of an already opened file. More detailed information on this topic can be found in the Platform SDK. Note that the lock is itself a signal: a file that cannot be opened for reading during a scan deserves to be reported rather than silently skipped.
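The lock described above and the scanner-side check it calls for, as an added example that is not part of the book. Part 1 holds a file with a share mode of 0, the CreateFile variant the text mentions; part 2 is a minimal sweep that reports every file it cannot open instead of skipping it. The directory, file names and the helper name Test-ScanAccess are assumptions.

```powershell
# Added example, not code from the book. Part 1 holds a file the way the text
# describes (CreateFile with dwShareMode = 0, FileShare.None in .NET terms);
# part 2 is the check a scanner should make: a file it cannot open is a
# finding, not a file to skip. Assumes Windows PowerShell 5.1+; paths assumed.
$ErrorActionPreference = 'Stop'
$dir = Join-Path $env:TEMP 'lock-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'normal.txt') -Value 'nothing to see'
Set-Content -Path (Join-Path $dir 'locked.txt') -Value 'payload'

# Part 1: open with FileShare.None. Every later CreateFile on this file,
# whatever access it asks for, now fails with ERROR_SHARING_VIOLATION (32).
$holder = [System.IO.File]::Open((Join-Path $dir 'locked.txt'),
            [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read,
            [System.IO.FileShare]::None)

# Part 2: try to open every file for read with the most permissive share
# mode a scanner can offer, and report the ones that still refuse.
function Test-ScanAccess {
    param([string]$Root)
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        try {
            $h = [System.IO.File]::Open($_.FullName,
                    [System.IO.FileMode]::Open,
                    [System.IO.FileAccess]::Read,
                    [System.IO.FileShare]::ReadWrite -bor [System.IO.FileShare]::Delete)
            $h.Dispose()
            [pscustomobject]@{ File = $_.FullName; Status = 'scanned' }
        } catch {
            # Unwrap the MethodInvocationException to reach the IOException;
            # the low word of its HRESULT is the Win32 error code.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            $code = $ex.HResult -band 0xFFFF
            [pscustomobject]@{ File = $_.FullName; Status = "UNREADABLE (win32 error $code)" }
        }
    }
}

Test-ScanAccess -Root $dir | Format-Table -AutoSize

$holder.Dispose()
Remove-Item -Path $dir -Recurse -Force
```

While $holder is open, normal.txt is reported as scanned and locked.txt as unreadable with Win32 error 32; after $holder.Dispose() both open normally. LockFileEx would produce a different picture: the open succeeds and only reads of the locked byte range fail, so a sweep that checks only the open, as this one does, would miss it, and a scanner that wants to catch that variant has to read the file as well.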

The main error of most viruses is that, having inserted their body into a file, they humbly wait until antivirus software opens that file, detects their presence, and removes them. Yet contemporary hard disks are huge, a full scan takes considerable time, often several hours, and a scanner checks one file at a time. This means that if the virus leads a nomadic life, migrating from file to file, its chances of being caught by a scheduled scan drop rapidly.

The lab virus considered in this chapter inserts its body into a file, waits 30 seconds, then removes its body from that file and immediately inserts it into another one. The shorter the wait, the higher the probability that it remains unnoticed by a scanner; however, disk activity becomes correspondingly more intense. Regular blinking of the disk activity LED without any visible cause will immediately alert an experienced user, so the virus must behave more cunningly. For example, it can monitor disk activity and infect only while some file is being accessed anyway, so that its own I/O hides in the user's. It is not difficult to write a program for this task; an example of such a utility is File Monitor by Mark Russinovich (http://www.sysinternals.com), which is supplied with its source code.



Shellcoder's Programming Uncovered
ISBN: 193176946X
Year: 2003