VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum
Top 5 articles
P. Ferrie, P. Ször «Zmist Opportunities» (15834)
P. Ferrie «Crimea river» (15784)
P. Ferrie «Heads or tails?» (14585)
P. Ferrie «Can you spare a seg?» (14340)
P. Ferrie «Making a hash of things» (14218)

Library: Analysis of the particular viruses

«Analysis of the "Offensive Polymorphic Engine v2"» [SRC] 6.01Kb 12262 hits
Each layer decryptor begins by using PUSH EBP/MOV EBP,ESP to build a fake stack-frame. It is fake because stack-pointer is not moved forward to alloc space and there is no LEAVE or POP EBP, but there is RET that is reached depending on if the encrypted data can be moved or not. There are instructions to access the stack using the base-pointer to get values but not to write as memory access, for example: mov [ebp], randval/reg32.
Marco Balduzzi
«How the virus "Remote Shell Trojan" (RST) works» 6.42Kb 11763 hits
This paper introduces the concept of malicious software, spending more words on virus threats. Later it focuses on the "Remote Shell Trojan" virus, a well-known GNU/Linux code which spread across on all Internet in September 2001.
Vesselin Bontchev
«Veni, Vidi, Vicis?» [SRC] 12.68Kb 10323 hits
Virus Bulletin, Oct 1997, pp. 10-11 (1997)
Vicis is a polymorphic macro virus... that is the very least that can be said about it-and it is a major understatement. Polymorphism in DOS viruses is usually achieved by encrypting most of the virus body and prepending a randomly generated decryptor to it. The same idea has been tried in the macro virus world as well (e.g., in the Slow virus [Qin97]). However, WordBasic is a slow language, not very suitable for character manipulation, so the encryption/decryption process is always slow-which makes such a virus very noticeable. WordBasic is much more suitable for string manipulation, however. Furthermore, WordBasic is a syntactically simple language. All these properties make it easy to implement a different kind of polymorphism-polymorphism not based on encryption. The basic idea was described by Dr. Fred Cohen several years ago, but this is the first time we see it properly implemented in a computer virus.
Igor Daniloff
«Anarchy in the USSR» 13.47Kb 12535 hits
The Anarchy family, first seen in 1994, was named after a string in its code and a reference to an anarchist musical ensemble from Omsk. In the West, aliases include GrOb. Unto, and Vivat.
«Fighting Talk» 15.79Kb 13101 hits
A while ago I was emailed a number of complex polymorphic viruses by a mathematics student at Moscow State University. The family was later named RDA.Fighter, after the virus writer's own phrase 'Random Decoding Algorithm'.
«Protected Mode Supervisor?» [SRC] 15.92Kb 10484 hits
Virus Bulletin (1998)
With the emergence of 286, and later 32-bit i386 processors, came protected (or virtual) operation mode. Thus far, virus authors have not successfully harnessed protected mode.
Peter Ferrie
«$$$_+$$+$$__+_$+$$_$+$$$_+$$_$» [SRC] 19.43Kb 9984 hits
Virus Bulletin, February 2011, pp. 4-7 (2011)
Imagine a JavaScript encoding method that produces files that contain no alphanumeric characters, only symbols such as ‘$’, ‘_’, and ‘+’. It would be difficult to imagine how it could possibly work, but unfortunately one such encoder exists. It is called ‘JJEncode’. A demonstration version is freely available from the author’s website, and has already been used in malware. This article provides a detailed description of how it works.
«'Holey' virus, Batman!» 13.34Kb 8437 hits
Virus Bulletin, September 2011, page 4-6 (2011)
Some might think that all of the entrypoints in Portable Executable (PE) files are known – but they would be wrong. As we saw with the W32/Deelae family [1], a table that has been overlooked for more than a decade can be redirected to run code in an unexpected manner. Now, a table that was used in Windows on the Itanium platform also exists on the x64 platform, and (surprise!) it can be misused too. The W64/Holey virus shows us how.
«Ani-hilate this week» [SRC] 9.74Kb 11274 hits
Virus Bulletin, 4 May 2007, pp.4-5 (2007)
[...] The time between the announcement of a vulnerability and the exploitation of that vulnerability continues to shrink. This is especially true when the vulnerability in question is a stack overflow, since it requires very little skill to exploit. The recent ANI vulnerability is a prime example. Before we get into that, let's find out a little more about ANI files in general. [...]
«As above, sobelow» [SRC] 12.23Kb 7085 hits
Virus Bulletin, December 2011, pp. 9-11 (2011)
In June 2009, an interesting article describing ‘Heaven’s Gate’ appeared on a popular VX website. This is an undocumented feature used by the 32-bit Windows environment when running on 64-bit versions of Windows, which allows for the transition between 32-bit and 64-bit code. In August 2011, we saw the first virus to make use of it: W32/W64.Sobelow.
«Attack of the Clones» 9.91Kb 11640 hits
Virus Bulletin, September 2002, pp.4-5 (2002)
Once again, old ideas have been given a new lease of life on the Windows platform. The idea used by W32/Gemini is, perhaps, all the more interesting because it came not from the era of MS-DOS and its variants, but from an operating system that existed a decade earlier. The author of Gemini has produced a series of `one-of-a-kind' viruses; whatever the motive behind it, this is another in the collection of unusual techniques.
«Cain and Abul» 9.93Kb 11655 hits
Virus Bulletin, 4 Febryary 2007, pp.4-5 (2007)
[...] As the decline in file-infecting viruses continues, it is perhaps fitting that the newest virus for the 64-bit platform, W64/Abul, is less advanced than the one that came before it. Despite this, though, Abul implements some new features that make it interesting in its own way. [...]
«Can you spare a seg?» 9.83Kb 14340 hits
Virus Bulletin, July 2009, pp. 4-5 (2009)
Peter Ferrie resumes his series of analyses of viruses contained in the EOF-rRlf-DoomRiderz virus zine (see also VB, September 2008, p.4, VB, October 2008, p.4 and VB, November 2008, p.4).
«Chamber of horrors» 9.75Kb 11249 hits
Virus Bulletin, 6 October 2006, pp.6-7 (2006)
Amongst the glut of viruses that we see every day, sometimes there is one to surprise us. W32/Chamb is one of those: the first virus to infect compiled HTML (CHM) files parasitically.
«Crimea river» 12.26Kb 15784 hits
Virus Bulletin, 4 February 2008, pp.4-6 (2008)
In 2001 we received a virus for Windows that integrated its code with the host code, making it very hard to find. That virus was Zmist (see VB, March 2001, p.6). In 2007, we received a virus that might be considered `Zmist for Linux'. That virus was Crimea.
«Criss-cross» 10.19Kb 9912 hits
Virus Bulletin, 4 November 2005, pp.4-5 (2005)
Cross-infector viruses demonstrate the flexibility of certain file formats. While some of these viruses have clearly been written to maximise their replication potential (e.g. {W32/Linux}/Peelf, which infected 32-bit Windows and Linux files, or the member of the W32/Chiton family that infected both 32-bit and 64-bit Windows files), most seem to have been written simply to show that it can be done. With the release of issue 6 of the RRLF zine in July (published on, we received three new cross-infectors, each for a different set of file formats.
«Deelaed learning» 15.94Kb 12226 hits
Virus Bulletin, November 2010, pp. 8-10 (2010)
Not long ago, a new virus writer appeared, using the name ‘hh86’. Rumour had it that hh86 was female – a rarity in the virus-writing world. There was a flurry of activity from hh86 over a period of about three months, producing a handful of viruses using new techniques, and then... she was gone without a word. The model virus writer perhaps.At first glance, I thought that her first virus (Deelae.A) was simply a copy of a virus created by the virus writer roy g biv. A slightly closer look revealed some novel size optimizations (as well as some opportunities that were missed, and some ‘optimizations’ that are the same size but slower to execute) as well as some differences in style. It’s clear that hh86 was ‘inspired’ by roy g biv’s work. In Hollywood, they’d call that ‘reimagining’.
«Do the macarena» 10.31Kb 11351 hits
Virus Bulletin, January 2007, pp. 4-5 (2007)
On 31 October 2006 we received a sample of the first parasitic infector of Mach-O files, OSX/Macarena. The file had previously been uploaded to a popular VX site. In contrast to OSX/Leap, which relied on a resource fork to contain the virus code, Macarena understands the Mach-O file format sufficiently well to parse the necessary structures correctly and inject its code directly into a file.
«Doin' the eagle rock» 14.07Kb 11393 hits
Virus Bulletin, Mar 2010, pp. 4-6 (2010)
If a file contains no code, can it be executed? Can arithmetic operations be malicious? Here we have a file that contains no code, and no data in any meaningful sense. All it contains is a block of relocation items, and all relocation items do is cause a value to be added to locations in the image. So, nothing but relocation items – and yet it also contains W32/Lerock.
«Flibi night» 11.08Kb 10382 hits
Virus Bulletin, March 2011, page 4-5 (2011)
If we were to consider a computer virus to be a life form, then we could perhaps extend the analogy to include predators such as observant users and anti-malware solutions. We could also consider the need for mutation to produce new behaviours in order to evade predators and survive. The W32/Flibi virus aims to do just that.
«Flibi: Evolution» [SRC] 36.11Kb 8052 hits
Virus Bulletin, May 2011, page 6-15 (2011)
The Flibi virus demonstrated that a virus can carry its own ‘genetic code’ (see VB, March 2011, p.4), and if the codons (the p-code form of the virus), the tRNA (the translator function), or the corresponding amino acids (the native code) are mutated in some way, then interesting behaviours can arise.
«Flibi: Reloaded» 13.92Kb 6054 hits
Virus Bulletin, November 2011, page 12-14 (2011)
A new version of the W32/Flibi virus has been released. It now supports assemble-time or compile-time polymorphism during construction of the first generation translator code. Its parallels with molecular biology have increased with major changes to the replication process: horizontal gene transfer1, codon exchange, the introduction of start and stop codons, and optionally the addition of introns.
«Flying solo» 9.88Kb 13928 hits
Virus Bulletin, September 2009, pp. 4-5 (2009)
The term `pilot' in the sense of a television programme can be likened to a proof-of-concept for a proposed series. A `pilot' in the sense of computer viruses might be an appropriate term for a technique that could become common in the future. At least, that's one conclusion that might be drawn from the virus whose author named it `Pilot'. (In fact, the virus author named it `PiLoT', intending to refer to the PLT, as explained below.)
«Frankie say relax» 13.26Kb 11310 hits
Virus Bulletin, August 2011, page 4-6 (2011)
When a virus infects a file, it usually needs to know its loading address so that it can access its variables. This is done most commonly by using a ‘delta offset’. There are two main types of delta offset: one is the difference between the location where the virus is currently loaded and the original location where the virus was loaded when it was created; the other is the difference between the location of the variable and the start of the virus code. One alternative method is to append relocation items to the host relocation table (if one exists), so that the addresses in the virus code are updated appropriately by the operating system itself. However, touching the host relocation table can be a complex task, depending on the file format and its location within the file. Another alternative is to carry a relocation table in the virus body and use that to update the addresses to constant values during the infection phase. This is the method that is used by Linux/Relax.A. Linux/Relax.B uses the same method, but in this case the relocation table is generated dynamically.
«Gatt got your tongue?» 9.73Kb 10673 hits
Virus Bulletin, September 2006, pp.4-5 (2006)
As operating systems have become more secure (or at least less insecure), virus writers have started to attack applications instead. One of the most popular tools for an anti-virus researcher is the Interactive Disassembler (IDA), and its IDC scripting language has become the latest target, thanks to W32/Gatt.
«Got [Mac]root?» 7.67Kb 10850 hits
Virus Bulletin, July 2005, pp. 4-5 (2005)
There is a long history of rootkits on Unix-based platforms, such as Unix itself, Linux, BSD, etc. No doubt to the surprise of some in the Macintosh community, the MacOS X platform now has one too. We call it OSX/Weapox. It is written by someone who calls himself `nemo'.
«Heads or tails?» 7.34Kb 14585 hits
Virus Bulletin, September 2009, pp. 4-5 (2009)
The `flip-side' to the section replacement technique described last month (see VB, August 2009, p.4) is the segment alignment technique. This technique is used by a virus which was named `Coin' by its author, and is described here.
«Hidan and dangerous» 9.54Kb 10974 hits
Virus Bulletin, March 2007, pp.4-5 (2007)
One of the things that almost all anti-malware researchers have in common is a copy of Interactive DisAssembler (IDA). It is perhaps the best tool we have for disassembling files, since it is capable of so many important things: it displays the file more or less as it really appears in memory, applying relocations, and resolving imports. IDA can follow all of the code paths and note all of the data references, comment the API parameters, and even determine the stack parameters.Since some people have custom requirements, IDA also supports a plug-in interface. Plug-ins can do many things and control many of IDA's actions - including directing it to infect files.Enter the latest member of the ever-growing W32/Chiton family. The author of the virus calls this one `W32/Hidan'.
«How dumaru?» 27.21Kb 11919 hits
Virus Bulletin, March 2004, pp.4-9 (2004)
Take the SMTP client engine from W32/Mimail (see VB, September 2003, p.4), add some primitive social engineering in the email and some alternative-stream support from W2K/Stream (see VB, October 2000, p.6). Share the code freely so that others can add some backdoor capabilities and disable and/or remove other features. The resulting mess could be the W32/Dumaru family.While Dumaru is classified as a virus family, the only variants that infect files are .A, .B, .D, .J, .Q and .T. Variants .F, .O, .S, .U and .AA do not even replicate, since their email replication code is disabled; these are simply backdoor programs.
«If Svar is the answer...» 8.54Kb 4934 hits
Virus Bulletin, February 2012, pp. 4-5 (2012)
The Intel MMX instruction set is full of instructions whose usefulness might not be immediately clear to anyone who does not work with graphics. However, it’s not just the graphic designers who can do interesting things with them. Virus writers are finding ways to (ab)use some of the instructions, too. This time, we have W32/Svar, and another way to encode.
«It's a bird, it's a plane, it's Fooperman» 18.43Kb 10386 hits
Virus Bulletin, Jan 2010, pp. 4-7 (2010)
It is sometimes said that one man’s trash is another man’s treasure. In this case, we might say ‘one man’s data is another man’s code’. What we have here is a virus that uses the FPU to magically transform a block of data into executable code, but the secret is in the details of W32/Fooper.
«Leaps and Bounds» [SRC] 11.69Kb 11149 hits
Virus Bulletin, 4 December 2006, pp.4-6 (2006)
Imagine you're a virus writer, someone who specialises in one-of-a-kind viruses, and you want to do something really new and different. You want it to be entrypoint-obscuring, using a technique that no one has used before. You want a polymorphic decryptor, one that appears to be deceptively simple. Of course, you also want a 32-bit and a 64-bit version. What would it look like? The answer is W32/Bounds and W64/Bounds!AMD64.
«Let them eat brioche» 6.79Kb 10179 hits
Virus Bulletin, November 2004, pp.6-7 (2004)
In 2003 I wrote: `A virus using the manual reconstruction technique seems unlikely, since the underlying structures in .NET are extremely complex and contain many interdependencies' (see VB, April 2003, p.5). However, in 2004 we received one that did it: MSIL/Impanate.Written by the virus writer known as `roy g biv', a specialist in proof-of-concept viruses (most recently, the first 64-bit viruses on the Win64 platform: W64/Rugrat on IA64, [see VB, June 2004, p.4] and W64/Shruggle on AMD64), Impanate is the first known parasitic, entry point obscuring appender for the .NET platform.
«Lions and Tigraas» 5.44Kb 5771 hits
Virus Bulletin, July 2007, page 4 (2007)
If we were to consider a computer virus to be a life form, then we could perhaps extend the analogy to include predators such as observant users and anti-malware solutions. We could also consider the need for mutation to produce new behaviours in order to evade predators and survive. The W32/Flibi virus aims to do just that.
«Look at that escargot» 6.61Kb 10419 hits
Virus Bulletin, December 2004, pp.4-5 (2004)
In 2003 I wrote `A recompiling virus like W95/Anxiety, but without needing the source code, combined with an inserting virus like W95/ZMist, but without rebuilding the file manually ... The beast is unleashed' (see VB, April 2003, p.5). Now, hot on the heels of MSIL/Impanate (see VB, November 2004, p.6), which introduced inserting viruses for the .NET platform, comes MSIL/Gastropod, which brings the full set of techniques one step closer.
«Magisterium Abraxas» 10.87Kb 13930 hits
Virus Bulletin, May 2001, pp. 6-7 (2001)
[email protected] is a polymorphically encrypted, entry point-obscuring, anti-heuristic, anti-debugging, memory resident, parasitic infector of Portable Executable .EXE and .SCR files. It can replicate across local area networks, and it has mass-mailing capabilities (using its own SMTP engine), some highly destructive payloads, an interesting visual effect and a number of bugs.
«Making a hash of things» 10.53Kb 14218 hits
Virus Bulletin, August 2009, pp. 4-5 (2009)
File format tricks abound in ELF files. One of these was described in last month’s issue of Virus Bulletin (see VB, July 2009, p.4). In that trick, a particular section of the file was overwritten by virus code. A variation of that technique is described here.
«The missing LNK» 14.34Kb 11905 hits
Virus Bulletin, Sep 2010, pp. 4-6 (2010)
LNK files are everywhere in Windows, so ubiquitous that they are rarely even recognized for what they are: complex structures containing pointers to Portable Executable files and, ultimately, executable code.Some of the icons that appear in the Control Panel are visible because of LNK files. Many of the entries in the Start Menu and on the Desktop are LNK files. In most cases, the LNK references a file, and specifies an icon to display. When an application is used to view the LNK file, such as browsing a folder using Windows Explorer, the Windows shell parses the format and determines what to display. LNKs are not limited to just files, though. They can be shortcuts to drives such as a shared network location or a floppy disk (as used by the ‘Send To’ menu, for example). The ‘Recent File List’ in Microsoft Office 2007 applications is composed of LNK files.Overall, LNK files do not pose a direct threat. Of course, some LNK files can point to malicious executables that run when the LNK file is clicked, and some LNK files can point to harmless files and yet still perform malicious actions (such as when the command prompt is executed, but given the instructions to delete some files). Some LNK files can themselves be malicious by virtue of their contents (such as the self-executing LNK file virus from several years ago, where the LNK file carried an actual Portable Executable file, and executed it in a rather roundabout fashion). Then there are the LNK files produced by W32/Stuxnet, which allow the execution of arbitrary code without the need for any user interaction (other than browsing to a folder that contains such a file, with some further clarification below).
«Not worthy» 4.81Kb 9796 hits
Virus Bulletin, February 2006, p.4 (2006)
The members of the RRLF virus-writing group were very proud when they released the first viruses for Microsoft Shell (see VB, November 2005, p.4), believing that these were the first viruses on the Vista platform. Of course, they were wrong: those are Microsoft Shell viruses, not Vista viruses. Then Microsoft announced that it would no longer be shipping Microsoft Shell with the first release of Vista in any case.So what did the group do? They tried again. The second attempt at the `first' Vista virus is called Idonus. However, this is not a Vista virus either - it's an MSIL virus. Give it up, guys.
«Not ‘Mifeve’-ourite thing» 30.24Kb 4576 hits
Virus Bulletin, March 2012, pp. 4-5 (2012)
MATLAB is probably not the first platform that comes to mind when talking about viruses (despite a proof of concept having appeared in 2006 (Bontchev, V. Math baloney: yet another first. Virus Bulletin, June 2006, p.4.)). However, with its vast collection of mathematical functions it lends itself to all kinds of problem-solving mischief, as we can see in the MLS/Mifeve virus.
«Prescription Medicine» 22.41Kb 9932 hits
Virus Bulletin, Nov 2009, pp. 4-7 (2009)
People often ask how we choose the names for viruses. In this case, it might seem as if it's in the same way as pharmaceutical companies choose their product names. Zekneol - chemical or virus? In this case, it's a Windows virus: W32/Zekneol.
«Prophet and loss» 15Kb 10660 hits
Virus Bulletin, September 2008, pp. 4-6 (2008)
«Raised hacklez» 19.22Kb 10689 hits
Virus Bulletin, July 2002, pp.8-11 (2002)
When W32/Klez first appeared, it seemed like just another mass mailer of little note, but its later variants have spread so widely and rapidly that the Klez family has generated more interest. At the time of writing, there are 12 known variants of Klez. Despite the speed with which anti-virus developers released detection updates, despite the fact that some anti-virus products detected the later variants even before they were released, and despite its destructive payload, Klez remains a problem that shows no sign of being resolved in the near future.
«The road less truvelled» 9.7Kb 10331 hits
Virus Bulletin, July 2008, pp. 4-5 (2008)
Everything old is new again - at least for some virus writers.By the addition of a relocation table, Vista executables can be configured to use a dynamic image base. That essentially turns them into executable DLLs. Now a virus has come along that has made a `breakthrough' by infecting these executables - at least it would be a breakthrough if it weren't for the fact that relocatable executables have been supported since Windows 2000 (ASLR in 1999!), and we have seen plenty of viruses that can infect DLLs. What's more, applications can have different image bases even without a relocation table, which from the virus's point of view amounts to the same thing. There is no need for a virus to carry absolute addresses - the alternative is a technique called `relative addressing'.
«Sleep-Inducing» 10.92Kb 10374 hits
Virus Bulletin, April 2003, pp. 5-6 (2003)
[email protected] is another creation from Benny the virus-writer. Its name is derived from the word ‘serotonin’, which is a chemical found in the brain that has been linked to the onset of sleep, among other things. If anyone is wondering whether, this time, Benny has released a bug-free virus... the answer is no. Serot is plagued by programming errors that almost disable it, however some of its capabilities are worth describing, in case another virus appears with these bugs fixed.Serot uses a ‘plug-in’ architecture – which was very successful in W95/Hybris. However, the plug-ins in Serot are almost completely self-contained, even carrying their own buffers if the buffers are ‘small’ enough, resulting in an enormous collection, and much redundancy in the code.
«Sobig, sobigger, sobiggest» 27.32Kb 9279 hits
Virus Bulletin, october 2003, pp. 5-10 (2003)
W32/Sobig is big, its code is bad, and its style is ugly. In the absence of correct information, there has been speculation and wrong information in abundance. Let us restrict ourselves to the facts.
«Something smells fishy» 5.15Kb 9362 hits
Virus Bulletin, November 2007, pp. 7 (2007)
Multi-platform malware is nothing new. In 1999 we saw the W32/W97M infector Coke and W32/HLP infectors SK and Babylonia. In 2000 we saw W32/HLP infectors Dream and Pluma; in 2001 we saw W32/Linux infector Peelf, followed by Simile in 2002 and Bi in 2006. In 2003 and 2004 we saw W32/W64 infectors MSIL/Impanate and Chiton. Three new multi-platform scripting viruses were seen in 2005 (see VB, November 2005, p.4) – and of course, there was the Morris worm in 1988.
«This sig doesn't run» 10.74Kb 5800 hits
Virus Bulletin, January 2012, pp. 4-5 (2012)
Some virus writers like to brag about themselves or their creations. Sometimes the bragging is done via the virus author’s choice of name for the virus. Of course, it’s rare that the content justifies the bragging, since lots of viruses contain bugs. Here we have the ultimate combination of bragging and bugs. The author of the virus gave it the name ‘Sigrún’, which is Old Norse for ‘victory rune’. However, there is no victory because the virus does not work (the reason why will not be described here). Just in case the bug is fixed, let’s call it W64/Svafa, because ‘Sváfa’ is the previous incarnation of Sigrún, and the name is thought to derive from the word for ‘sleep-maker’, which seems appropriate.
«Time machine» 11.18Kb 10239 hits
Virus Bulletin, January 2005, pp.4-6 (2005)
It is commonly reported that the first known full stealth file-infecting virus was Frodo, in 1989. In fact, that is true only for the IBM PC world. The Commodore 64 world had been infected three years earlier by what was perhaps truly the first full stealth file-infecting virus: C64/BHP.A (not to be confused with the boot-sector virus for the Atari, also known as BHP).All of the descriptions of BHP that were published at the time were inaccurate, some of them even giving incorrect descriptions of how the infection worked. This article takes a look at what it really did.
«Tumours and polips» 23.51Kb 10644 hits
Virus Bulletin, Jul 2006, pp. 4-8 (2006)
It seems that we have reached the stage where a parasitic virus has become a novelty. That might explain why the W32/Polip virus caught us by surprise recently - we didn't expect to see one, and we certainly didn't expect to see anything of such apparent complexity. However, looks can be deceiving.The virus author chose the name `Polipos', which is the Spanish word for polyp, a non-malignant growth. Perhaps the virus author wanted to suggest that the virus was harmless.While the virus certainly was written carefully, its author was not careful enough. The virus author favoured function over form, so the code is far from optimised, but it works well enough.
«Twinkle, twinkle little star» 17.93Kb 11791 hits
Virus Bulletin, Dec 2009, pp. 4-7 (2009)
Sometimes a virus gets it completely wrong (see VB, October 2008, p.4). Sometimes a virus gets it mostly ‘right’, but sometimes that’s only because the virus in question is a collection of routines taken from other viruses which got it mostly right. That is exactly what we have here, in W32/Satevis.The virus begins by determining its location in memory. This makes it compatible with Address Space Layout Randomization (ASLR), though the technique has existed for far longer than ASLR. However, instead of using the common call-pop technique to determine the location, the virus uses a call, but then uses an indirect read from the stack via a string instruction. In the past, this kind of alternative method would have avoided some heuristic detections, but these days the call-pop method is so common in non-malicious code that this obfuscated method might be considered suspicious. In any case, there are few anti-malware engines now that would rely on such a weak detection method.
«Un combate con el Kerñado» 9.75Kb 9520 hits
Virus Bulletin, August 2002, pp.8-9 (2002)
W32/Elkern could be considered the `little brother' of W32/Klez. Even though Klez carries the Elkern virus and runs it on the machines that Klez infects, it is Klez that has received all the attention. Little mention is ever made of Elkern, and some of the details of its behaviour have remained unexplained. They are described here.There are three variants of Elkern. The first, which is 3326 bytes long, is carried by Klez variants A to D, F and G; the second Elkern variant, which is 3587 bytes long, is carried by Klez.E, and the third, which is 4926 bytes long, is carried by Klez variants H to L.
«Unexpected Resutls [sic]» 9.33Kb 10789 hits
Virus Bulletin, June 2002, pp.4-5 (2002)
In early 2000, while studying the latest release of the Portable Executable format documentation from Microsoft, I noticed the word `callback' in a section describing data initialization. The section was called `Thread Local Storage (TLS)'; in previous revisions of the documentation I had disregarded it, considering it uninteresting, but this time it had my full attention.Where there are callbacks, there is executable code and where there is executable code, there may be viruses. However, it was a further two years before the appearance, in 2002, of the first virus that is aware of Thread Local Storage: W32/Chiton.
«You've got M(1**)a(D)i(L+K)l» 10.38Kb 9393 hits
Virus Bulletin, November 2002, pp.10-11 (2002)
Encryption techniques have evolved over the years, from simple bit-flipping, through polymorphism, to metamorphism, and combinations of these have been used as well (for example, see VB, May 2002, p.4). All of these techniques have one thing in common: they are applied to the virus body. The alternative is to apply them to the thing that contains the virus body. This variant of the Chiton family, which the virus author calls W32/Junkmail, is one of those.
«You've got more M(1**)A(D)I(L+K)L» 9.82Kb 9567 hits
Virus Bulletin, June 2003, pp.6-7 (2003)
Another day, another exploit is disclosed. A little over two months later, a virus using the exploit is discovered. It seems that some virus writers do read NTBugtraq. There is a new member of the W32/Chiton family. The author of the virus calls this one `W32/JunkHTMaiL', a variation of the name of the virus upon which it is based - W32/Junkmail (see VB, November 2002, p.10) - perhaps to draw attention to the self-executing HTML exploit which this virus uses to launch itself from email.When JunkHTMaiL is started for the first time, it decompresses and drops a standalone executable file that contains only the virus code, using a `fixed' (taking into account the variable name of the Windows directory) filename and directory.As with the other viruses in the family, this virus is aware of the techniques that are used against viruses that drop files, and will work around all of the countermeasures: if a file exists already, then its read-only attribute (if any) will be removed, and the file will be deleted. If a directory exists instead, then it will be renamed to a random name. The structure of the dropped file is the same as that used by W32/Junkmail. If the standalone copy is not running already, then the virus will run it now. The name of the dropped file is `ExpIorer.exe'. Depending on the font, the uppercase `i' may resemble a lowercase `L', making the viral process difficult to identify in the task list.
Peter Ferrie, Frédéric Perriot
«Looking a Bagift-Horse in the Mouth» 10.73Kb 9729 hits
Virus Bulletin, March 2003, pp.4-5 (2003)
[...] W32/Bagif is a polymorphically encrypted, entry point-obscuring, anti-heuristic, memory resident, parasitic infector of Windows Portable Executable files that are not DLLs. It replicates across mapped drives and shared directories on local area networks, and it appears to be based on the code of several existing viruses. In the same way that the author of W95/Bistro had his signature changed in the copy of the virus that was released, it is very likely that the author of W32/Bagif is not the one named in the code. [...]
«Mostly harmless» 16.23Kb 10752 hits
Virus Bulletin, Aug 2004, pp. 5-8 (2004)
The LSASS vulnerability of Microsoft security bulletin MS04-011 affects Windows 2000 and XP, the two most widespread Microsoft operating systems today. It is a stack overflow, hence easily and reliably exploitable - and eEye was kind enough to provide the world with thorough documentation of the possible exploitation vectors.Following in the path of previous high-profile vulnerabilities, the LSASS bug was quickly targeted by proof-of-concept exploits, themselves reused in worms including W32/Sasser.A. Despite the publicity that surrounded Sasser due to its immediate success following its appearance (30 April 2004), this was not the first worm to make use of the vulnerability: some LSASS-exploiting Gaobot variants had surfaced about a week earlier. However, it was the automated infection of new systems that was the decisive factor in making Sasser more widespread.
«Paradise lost» 12.48Kb 11487 hits
Virus Bulletin, April 2005, pp.4-6 (2005)
Eight months ago, Peter Ferrie and Péter Ször asked at the end of their article on SymbOS/Cabir: `What will be next? A mass mailer using MMS?' (see VB, August 2004, p.4). The answer was yes, that is what came next.SymbOS/Commwarrior.A is the first worm to use MMS (Multimedia Messaging Service) technology to spread on cellular phones. Following in the footsteps of Cabir, it also replicates using Bluetooth, though with some improvements in its implementation. This double-pronged approach to replication makes Commwarrior a more likely candidate to be seen in the wild - although, at the time of writing, no such reports have been received.As with Cabir, Commwarrior replicates only on Nokia Series 60-compatible devices.
«To catch Efish» [SRC] 11.1Kb 10295 hits
Virus Bulletin, October 2004, pp.4-6 (2004)
W32/Efish, a member of the W32/Chiton family, contains in its source code (released as part of 29A magazine) a reference to the television program The Six Million Dollar Man. The virus author wanted to call the virus EfishNC ("efficiency"), and referred to it as "Better, Stronger, Faster" (this virus author is not known for humility - in 1994 (s)he named a virus Hianmyt ["high and mighty"]). While the code is indeed better, stronger and faster than comparable viruses, it does have weaknesses. Symantec has not received any wild samples of Efish, although the .A variant was published as early as 2002. This suggests that these viruses have not left zoo collections, despite their aggressive infection strategy.
«The wormpipe strikes back» 19.09Kb 10035 hits
Virus Bulletin, April 2004, pp. 4-7 (2004)
It took less than six months before W32/Welchia (see VB, October 2003, p.10) returned to plague us. The new version has been upgraded to attack different worms and exploit more vulnerabilities. Once again, the author of the worm intended to make a `good' worm, disregarding the master's warning: `A Jedi uses the Force for knowledge and defence, never for attack.'
Peter Ferrie, Frédéric Perriot, Péter Ször
«Blast off!» 8.87Kb 12186 hits
Virus Bulletin, September 2003, pp.10-11 (2003)
On 11 August 2003 - the same day it was completed - a 6176-byte-long UPX-compressed bug started to invade the world using a recent vulnerability described in Microsoft's MS03-26 security bulletin. Even Windows Server 2003 was affected by this vulnerability. Patches were made available by Microsoft, but on this occasion there was only a short delay between the announcement of the vulnerability and the appearance of the worm that exploited it.Users of Windows XP had a chance to get the patch applied automatically via Windows Automatic Updates. However, the same cannot be said for the Windows 2000 platforms, where users would need to pay closer attention to the update procedures.
«Chiba witty blues» 10.26Kb 11347 hits
Virus Bulletin, May 2004, pp. 9-10 (2004)
W32/Witty is a UDP-based worm employing a vulnerability in ISS security products, such as the BlackICE firewall, to spread. More specifically, Witty uses a stack buffer overflow in the code that parses ICQ v5 packets.
«Striking Similarities» 11.64Kb 11231 hits
Virus Bulletin, May 2002, pp. 4-6 (2002)
W32/Simile is the latest ‘product’ of the developments in metamorphic virus code. The virus was released in the most recent 29A #6 issue in early March 2002.The virus was written by the virus writer who calls himself ‘The Mental Driller’. Some of his previous viruses, such as W95/Drill (which used the Tuareg polymorphic engine), have proved very challenging to detect.W32/Simile moves yet another step up the scale of complexity. The source code of the virus is approximately 14,000 lines of assembly code. About 90% of the virus code is taken up by the metamorphic engine itself, which is extremely powerful.The virus was named ‘MetaPHOR’ by its author, which stands for ‘Metamorphic Permutating High-Obfuscating Reassembler’.The first generation virus code is about 32 KB and there are three known variants of the virus in circulation. Samples of the original variant which was released in the 29A issue have been received by certain anti-virus companies from some major corporations in Spain, indicating a minor outbreak.W32/Simile is highly obfuscated and challenging to understand. The virus attacks disassembling, debugging and emulation techniques, as well as standard evaluation-based techniques for virus analysis. In common with many other complex viruses, Simile uses EPO techniques.
«Worm wars» 15.57Kb 10156 hits
Virus Bulletin, October 2003, pp. 10-13 (2003)
Around 1966 Robert Morris Sr., the future NSA chief scientist, decided to create a new game environment with two of his friends, Victor Vyssotsky and Dennis Ritchie. They coded it for the PDP-1 at Bell Labs, and named their game ‘Darwin’. Later ‘Darwin’ became ‘Core War’, a computer game played to this day by many programmers and mathematicians as well as hackers.The object of the game is to kill your opponents’ programs by overwriting them. The original game is played between two programs written in the Redcode language, a form of assembly language. The warrior programs run in the core of a virtual machine called MARS (Memory Array Redcode Simulator). The fight between the warrior programs was referred to as Core Wars.Well, the world used to be a better place with the fights between genies in a bottle. Who let the worms out?
Peter Ferrie, Heather Shannon
«It's zell(d)ome the one you expect» 22.71Kb 9785 hits
Virus Bulletin, May 2005, pp. 7-11 (2005)
It was a Tuesday and it was sunny outside, but I was inside waiting for my email client to finish retrieving messages. It was stuck on one mail that had a huge attachment: a sample of W32/Zellome.W32/Zellome arrives as an email attachment. It seems to exist only to demonstrate its polymorphic engine, since the worm component is messy and platform-dependent.
Peter Ferrie, Péter Ször
«64-bit rugrats» [SRC] 12.65Kb 11899 hits
Virus Bulletin, Jul 2004, pp. 4-6 (2004)
On 26 May 2004, we received the first known virus for the 64-bit Windows operating system on the Intel Itanium platform. We decided to call it W64/Rugrat.3344.A.Just like some of its predecessors (specifically W32/Chiton - see VB, June 2002, p.4), Rugrat is aware of Thread Local Storage, helping it to make the first successful tip toe towards painless infection of Windows DLLs - at least in the .B variant of the virus.
«Bad Transfer» 12.15Kb 11923 hits
Virus Bulletin, February 2002, pp.8-10 (2007)
[...] So what happened to Badtrans? Why did it become so widespread all of a sudden? The original variant was in the wild from April 2001 and did not attract much attention, even though it was reported to the WildList. [...]
«Cabirn fever» 6.44Kb 11279 hits
Virus Bulletin, August 2004, pp.4-5 (2004)
It has been a long time coming, but in June 2004 the first worm arrived that spreads from mobile phone to mobile phone: SymbOS/Cabir. Fortunately, due to the fact that the worm uses a specific user-interface component, it is restricted to Series 60-based mobile phones.
«SirCamstantial Evidence» 13.54Kb 9258 hits
Virus Bulletin, September 2001, pp. 8-10 (2001)
Although SirCam made a name for itself sending out random files and personal documents from infected PCs, not all of the information that spread with Win32/SirCam was spread by the worm itself. Almost as soon as updated descriptions of SirCam were posted to Web sites, selected texts from these descriptions appeared on other sites, complete with identical spelling errors and inaccuracies.Evidently the emerging complexity of new 32-bit worms is proving a tough challenge for every one of us in this business: if ExploreZip was boring and difficult to analyse, SirCam was a major pain. SirCam's author tried to make sure that the analysis would not be straightforward. The worm is written in a high-level language, but all the string constants (including its email message) are encrypted in such a way that it took a little while to decrypt completely (at least for some of us).
«Zmist Opportunities» 11.45Kb 15834 hits
Virus Bulletin, Mar 2001, pp. 6-7 (2001)
At VB2000 in Florida, IBM's Dave Chess and Steve White demonstrated their research findings on 'Undetectable Computer Viruses'. Early this year, the Russian virus writer Zombie released his 'Total Zombification' magazine complete with a set of articles and viruses of his own. Ominously, one of the articles in the magazine was titled 'Undetectable Virus Technology'.Zombie has already demonstrated his set of polymorphic and metamorphic virus-writing skills. His viruses have been distributed for years in source format and other virus writers have modified them to create new variants. Certainly this will be the case again with Zombie's latest creation - W95/Zmist.Many of us will not have seen a virus approaching this complexity for a few years. We could easily call Zmist one of the most complex binary viruses ever written. W95/SK, One_Half, ACG, and a few others come to mind in comparison. Zmist is a little bit of everything: it is an entry point obscuring virus that is metamorphic. Moreover, the virus randomly uses an additional polymorphic decryptor.This virus supports a unique new technique: code integration. The Mistfall engine contained in it is capable of decompiling Portable Executable files to its smallest elements, requiring 32 MB of memory. Zmist will insert itself into the code: it moves code blocks out of the way, inserts itself, regenerates code and data references, including relocation information, and rebuilds the executable. This is something never seen before in previous viruses.Zmist occasionally inserts jump instructions after every single instruction of the code section, each of which will point to the next instruction. Amazingly, these horribly modified applications will still run as before, just like the infected executables do, from generation to generation. In fact, we did not see a single crash during the test replications. Nobody expected this to work, not even Zombie. However, it is not foolproof - it takes some time for a human to find the virus in infected files. Due to its extreme camouflage Zmist is clearly the perfect anti-heuristics virus.
Sarah Gordon
«The worm has turned» 14.96Kb 5975 hits
Virus Bulletin, August 1998, pp.10-12 (1998)
Since then, worms have come and gone without much fuss. There have been some isolated outbreaks, but generally the machine population susceptible to each worm has been sufficiently small and diverse to diffuse the problem. However, the conditions have become increasingly favourable to the creation of a new, viable worm. Enter Admw0rm, a worm capable of spreading from one Linux to another, utilizing a hole in the Berkeley Internet Name Domain server, BIND.
Peter Kálnai
«Linux Trojan “Hand of Thief” ungloved» 9.42Kb 6688 hits
AVAST blog (2014)
A new threat for the Linux platform was first mentioned on August 7th by RSA researchers, where it was dubbed Hand of Thief. The two main capabilities of this Trojan are form-grabbing of Linux-specific browsers and entering a victim’s computer by a back-door. Moreover, it is empowered with features like anti-virtualization and anti-monitoring.
Andrew Kovalev, Konstantin Otrashkevich, Evgeny Sidorov
«Mayhem - a hidden threat for *nix web servers» 35.79Kb 4814 hits
Virus Bulletin, Jul 2014 (2014)
Andrew Kovalev and colleagues describe ‘Mayhem’ – a new kind of malware for *nix web servers that has the functions of a traditional Windows bot, but which can act under restricted privileges in the system.
Andrew Kovalev, Konstantin Otrashkevich, Evgeny Sidorov, Andrew Rassokhin
«Effusion - a new sophisticated injector for Nginx web servers» 27.3Kb 4585 hits
Virus Bulletin, Jan 2014, pp.21-27 (2014)
At VB2013 Evgeny Sidorov spoke about three modern approaches used by attackers to embed malicious code into HTTP responses. One such approach was the use of web-server modules for malware distribution. Here, Evgeny and his colleagues describe ‘Effusion’ – a new piece of malware that uses malicious modules for an Nginx web server, and which was used in a massive infection campaign in the third quarter of 2013.
Jorge Lodos, Jesús Villabrille, Edgar Guadis
«Hard Disk Woes» [SRC] 13.83Kb 7403 hits
Virus Bulletin, October 2011, pp. 8-11 (2011)
It is uncommon these days to find malware whose sole purpose is to cause damage, but W32.VRBAT does just that (and only that) В– using ATA disk security to render hard disks useless. Jorge Lordos and colleagues have the details.
Adrian Marinescu
«ACG in the Hole» 10.85Kb 12342 hits
Virus Bulletin, Jul 1999, pp.8-9 (1999)
The MtE mutation engine was something quite new in virus programming, and led to important changes. Since then, polymorphism has been one of the ways virus writers have chosen to protect their creations from scanning engines. The development of code emulators and good cryptoanalytic algorithms resulted in anti-virus products needing slight changes and/or updates in order to detect most of the new polymorphic viruses. Furthermore, there were a few cases of polymorphic viruses that could not be detected at all for a long time; Zhengxi (see VB, April 1996, p.8) and Uruguay (December 1992, p.12) are good examples.All polymorphic engines were based on the same idea: maintain the virus body in an encrypted form, using a variable key/algorithm, and generate a polymorphic code that decrypts the rest of the body and executes it. Some of the first viruses not based on this idea were the members of the Ply family. Ply is not encrypted, but there are no parts constant enough to extract a reliable signature.Using a slightly modified idea, the TMC family managed to become in the wild. TMC had many small constant parts, linked with jumps. That made algorithmic detection easy to write for this virus, but the door was now open. These kinds of virus were the first ones that could not be exactly identified, raising big problems regarding their disinfection.Then the ZCME family used the same idea, mixing the code in a 16 KB buffer. The only weakness was that algorithmic routines still worked, because there were a lot of constant small pieces that could be used for detection. Last year, a new kind of virus came up. Called Lexotran, it was able to generate different looking forms, with the same result. The idea was to keep the mixing engine in encrypted form - the mixing engine itself processed the virus body during infection before creating new and highly variable shapes of itself. The drawback was that the mixing engine was linearly encrypted with 8-bit keys. That could be used to write a detection algorithm to search for the encrypted part in the virus body.The author of the ACG family understood this disadvantage and developed a new idea - what if the encrypted body is not stored in one piece, but in more scrambled pieces spread through the entire virus image? The ACG family is not a dangerous one, but the polymorphic engine is well written and very stable. The main problem with it is that its engine could easily be used in other viruses, far more dangerous ones. Also, the idea can be successfully applied to Windows viruses, potentially making this kind of virus a big problem in the future.
«The Viral Darwinism of W32.Evol» [SRC] 58.69Kb 6866 hits
OpenRCE (2006)
The W32.Evol virus was discovered around July 2000. Its name is derived from a string found in the virus, but much more can be implied from the name. Up until then, most of the viruses were using Polymorphic engines in order to hide themselves from Anti-Virus scanners. The engine would encrypt the virus with a different key on every generation, and would generate a small, variant decryptor that would consist of different operations but remain functionally equivalent. This technique was beginning to wear out as AV scanners would trace virus-decryption until it was decrypted in memory, visible and clear.
Edward Wilding
«The Violator Virus - Burger’s Continuing Legacy» 11.91Kb 5812 hits
Virus Bulletin, April 1991, pp. 22-23 (1991)
The technical competence of virus writers varies considerably, from abysmally poor to reasonably proficient but this is not usually a consideration which affects the actual functioning of virus code (apart, of course, from programming bugs).Over a period of time, a researcher will develop a “feel” for the style and structure of particular viruses and may even be able to link apparently dissimilar programs and reasonably ascribe them to the same original author. Such stylistic analyses have little value to computer users but they may become extremely useful as computer misuse legislation is adopted worldwide and law enforcement agencies begin to home in on the criminals responsible for the problem.One of the most obvious links discovered to date concerns the origins of the Violator virus and it highlights the undoubted advantages of detailed disassembly of virus code over the faster (but less effective) sparse analysis technique. Before examining the conclusions of a stylistic analysis, I will first describe Violator.
17 authors, 78 titles
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka