Copy Link
Add to Bookmark
Report
40Hex Issue 10 File 001
40Hex Issue 10 Volume 3 Number 1 File 001
The following is a cursory examination of virus construction toolkits.
While hardly comprehensive, it includes the basic elements of each
toolkit described. For further information, consult appendix A of
the Phalcon/Skism Gý code generator.
---------------------------------------------------------------------------
VIRUS CONSTRUCTION KITS, Revision 2.0 13 February 1993
Virus construction kits are computer programs which allow people
with little or no programming experience to produce new variants of
computer viruses.
Two popular methods are used in virus construction kits. The first
uses a menu driven user interface where the user is lead through a
series of menus where he 'designs' the replication method, infection
criteria and payload (what the virus does when it activates). The
second method uses a skeleton configuration file (ASCII file in
which virus configurations are placed) and running a 'generator' to
produce the virus.
There is an important factor to consider. First generation virus
construction kits only produce assembled or compiled viruses without
source code. Second generation kits produce virus source code
(sometimes even commented) that can be changed and assembled by the
user. The danger in second generation kits is that someone with very
limited programming experience can potentially produce a new
computer virus without knowing anything about the internal workings
of a virus.
I would like to stress that because virus construction kits to date
use a fair amount of constant code (instructions), they pose no
threat to standard virus detection techniques. However, should
future kits make use of mutation engine principles, this situation
could change.
The following are descriptions of virus construction kits to date.
This is a factual description as the author has access to all of the
kits listed below :
GENVIR
GENVIR was the first attempt to release a virus construction kit for
profit. It is a first generation virus construction kit which a
menu-driven interface. GENVIR is a French program written in 1990 by
J.Struss of Lochwiller, France. It is a 'Crippleware' program that
lets you go through all the motions of creating a virus, but stops
short of the compilation stage. To receive a working copy, one must
license the software for a fee of 120 Frances. The latest version is
1.0 and it is believed that GENVIR was never released as a functional
virus construction kit.
VCS (Virus Construction Set)
VCS is a first generation virus kit written in 1991 by a German group
called VDV (Verband Deutscher Virenliebhaber). VCS is a primitive
program that requires a text file of maximum 512 bytes length and
incorporates this text into a simple .COM file virus infector. After
a specified number of replications, the virus will display the text
message and delete AUTOEXEC.BAT and CONFIG.SYS. The latest release is
version 1.0. The program text is in German,although there is a hacked
version in English.
VCL (Virus Construction Laboratory)
VCL is a complex, second generation, menu driven virus construction
kit written in 1992 by Nowhere Man and [NuKE] WaReZ. It allows
multiple, user selectable modules to be incorporated into the virus,
together with the option of creating commented ASM (assembler) source
code files that can be manually modified. The danger with this option
is that a virus writer can create the virus kernel (without knowing
much about the internal workings of viruses) using VCL and then add
his own,custom code into the virus.The latest release is version 1.0.
PS-MPC (Phalcon / Skism - Mass Produced Code Generator)
PS-MPC is a second generation virus construction kit, written by Dark
Angel in July 1992. It is based heavily on the VCL virus construction
kit. It was distributed including source code in the C language.
Although it is not menu driven, (it uses a user definable skeleton
configuration file to produce viruses) it creates more compact,neater
commented ASM source code than VCL does. Two versions exist,the first
being version 0.90beta released together with 40Hex (an underground
electronic magazine) on 7 July 1992, and version 0.91beta released on
17 August 1992. According to the history file in this release, the
following as been added to the second release : a) rudimentary memory
resident viruses may be created, b) improved optimization of code,
c) fixed minor quirks and d) got rid of "unsigned char" requirement.
IVP (Instant Virus Production Kit)
IVP is a second generation virus construction kit, written in 1992 by
Admiral Bailey a member of the YAM (Youngsters Against McAfee)
underground group. According to the documentation, it was written in
Turbo Pascal version 7.0. IVP uses a skeleton configuration approach
and produces commented source code. It was the following features :
a) .EXE and .COM file infection, b) Trojan support, c) Directory
changing, d) encryption, e) error handling, f) COMMAND.COM infection,
g) overwriting option and h) random nop generator. The latest release
is version 1.0.
G2 (G Squared)
G2 is a second generation virus construction kit, written in 1993 by
Dark Angel of the Phalcon/Skism underground group.(Dark Angel is also
the author of the PS-MPC virus construction kit). This kit makes use
of the skeleton configuration approach and produces commented source
code. According to Dark Angel's documentation, G2 is not a
modification of the Phalcon/Skism PS-MPC kit, but a complete rewrite.
It differs from other virus construction kits in that it produces
easily upgradable and semi-polymorphic routines. The latest release
is version 0.70beta, dated January 1, 1993.
Oliver Steudler, DYNAMIC SOLUTIONS
Authorized McAfee Associates Anti Virus Agent
Mail : P.O.Box 4397, Cape Town, 8000, South Africa
Internet : Oliver.Steudler@f110.n7102.z5.fidonet.ORG
or 100075.0200@compuserve.COM
Fidonet : 5:7102/110
CompuServe : 100075,0200
Phone : +27 (21) 24-9504 (GMT +2)
Fax : +27 (21) 26-1911
BBS: : +27 (21) 24-2208 [1200-14,400 bps]
---------------------------------------------------------------------------
Virus construction tools are cropping up at the rate of one roughly every
two months. Additionally, new polymorphic "engines" such as the MtE, TPE,
etc. are begining to emerge. But how real is the threat from viruses
generated with such tools and has this threat been exaggerated by the
media?
The discussion will center on the so-called "second generation" toolkits.
Perhaps the most prolific of these is Nowhere Man's VCL. It has the most
attractive interface of all the recent virus development tools and allows for
a variety of activation routines; something which has been conspicuously
absent from the Phalcon/Skism code generators. However, VCL is also perhaps
the least dangerous of all the toolkits, hampered by the dependance upon only
one encryption/decryption routine and single, constant code base. YAM's IVP
ameliorates the problem, albeit in a highly limited and somewhat useless
fashion, with the random NOP placement. Of course, its code is based heavily
upon the PS-MPC, which is also nonrandom, so it, too, is hampered. The
PS-MPC, as mentioned earlier, has but a single code base. In short, these
three toolkits are of limited utility in terms of creating nonscannable
viruses "out of the box." The generated code typically needs to be modified
for the viruses to be unscannable.
So perhaps the solution lies in relying not upon a single code base, but
multiple code bases and allowing for random (not the same as haphazard)
placement of individual lines of code. This is the approach of Gý. Gý
allows for multiple code packages which accomplish a certain goal. The
program selects one of the packages for inclusion in a given virus. In
this manner, variability may be ensured. Gý further allows for the order
of statements to be scrambled in the source file. However, all Gý viruses
share the same structure as well as having certain bits of code in common.
So, while an improvement, it is hardly the final step in the evolution of
virus creation toolkits. Gý could become much more powerful with multiple
virus structures as well as improved code packages.
The article above suggested that the toolkits would be much more powerful
should they incorporate "mutation engine principles." In other words, the
toolkits should be able to mutate the generated code. The IVP currently
uses such an approach, albeit only with simple NOPs liberally scattered in the
decryption and delta offset calculation routines. Such code, however, should
not be a goal of the authors of such toolkits. It is simply not appropriate
for a virus creator to function in such a manner. A virus toolkit which
simply spews out the same code in various forms is merely an overblown hack
generator. Toolkits exist as _aids_ in writing a virus, not as replacements.
Surely including such mutation routines would result in larger viruses as well
as illegible code. A novice utilising the toolkit would not be able to learn
from such unoptimised code. Tight code which doesn't sacrifice legibility
should always be the goal of virus generators.
Another aid in writing viruses is the "encryptor-in-a-box," a product such
as MtE or TPE. Such modules allow all viruses to incorporate polymorphic
routines. Yet how dangerous are such polymorphers? As they currently exist,
they pose very little threat. Scanners have adapted not only to catch current
MtE-using viruses reliably, but also to find new viruses which use decryptors
created with MtE. Certainly the TPE and any new polymorphic routines will meet
the same fate. Constant revisions of these engines, while being temporary
solutions, remain just that: temporary. Once the anti-virus industry receives
a copy of the new version, the engine is once again useless.
The virus community should look beyond such "easy fixes" as virus creation
toolkits and polymorphic "engines." The simplest way to get a nonscannable
virus is to write it yourself. Not only is there the benefit of satisfaction
with the work, but you gain expertise and intimate understanding of both
viruses and the operating system. Such knowledge comes only with writing
several viruses on your own. The best way for a beginner to learn how to
write viruses is to figure it out on his own _without_ any examples. Once a
virus has been written in this manner, then it is appropriate to look at
current virus samples to find out the various tried and true techniques.
But polymorphic engines are difficult to write, the novice virus writer
protests; using MtE will vastly improve the virus. Rubbish. Firstly, it is
a fact that scanners will be able to detect the virus, be it encrypted with a
simple XOR loop or with MtE. Writing your own encryption will be far better
in terms of learning. Secondly, polymorphic engines are _not_ terribly
difficult to create. A few hours of thinking will be sufficient to lay down
the framework of a polymorphic engine. An additional few days is enough for
coding. Even the MtE and TPE, while requiring bit-level knowledge of the
opcodes, could have been written by a person with only a few years of
experience programming assembly. The advantages of writing your own
polymorphic engine are obvious; anti-virus developers will have to spend much
time (and space in their products) analysing and developing scanners for each
individual engine; and simply adding a few extra garbling instructions should
be sufficient to throw these scanners off in a future virus.
So what purpose do these tools serve? The ultimate aim of those producing the
virus creation tools should be not to enable people to go around creating new,
unscannable viruses and trashing every hard drive in the world, but to allow
novices to break into the field of virus writing. It is not difficult to
write a virus, but these tools certainly ease the initial pain. Polymorphic
engines are useful as examples for your own polymorphic routines.
I encourage all novice programmers to pick up a copy of Phalcon/Skism's Gý and
VCL, the two most prolific code generation toolkits. Run them a few times with
various parameters and analyse the code carefully. Print out the code and look
it over. The basic principles of virus creation will be apparent after some
inspection. Learn from it and then sit down and write your own virus from
scratch.
Dark Angel
Phalcon/Skism 1993