The Giant Black Book of Computer Viruses, part 1 (ppsx)


The Giant Black Book of Computer Viruses
Mark Ludwig

WARNING

This book contains complete source code for live computer viruses which could be extremely dangerous in the hands of incompetent persons. You can be held legally liable for the misuse of these viruses. Do not attempt to execute any of the code in this book unless you are well versed in systems programming for personal computers, and you are working on a carefully controlled and isolated computer system. Do not put these viruses on any computer without the owner's consent.

"Many people seem all too ready to give up their God-given rights with respect to what they can own, to what they can know, and to what they can do for the sake of their own personal and financial security. Those who cower in fear, those who run for security have no future. No investor ever got rich by hiding his wealth in safe investments. No battle was ever won through mere retreat. No nation has ever become great by putting its citizens' eyes out. So put such foolishness aside and come explore this fascinating new world with me." From The Giant Black Book

Dr. Ludwig is back in black!

ISBN 0-929408-33-0, 232 pages, $16.95

In this brand new book, Dr. Ludwig explores the fascinating world of email viruses in a way nobody else dares! Here you will learn about how these viruses work and what they can and cannot do from a veteran hacker and virus researcher. Why settle for the vague generalities of other books when you can have page after page of carefully explained code and a fascinating variety of live viruses to experiment with on your own computer or check your antivirus software with? In this book you'll learn the basics of viruses that reproduce through email, and then go on to explore how antivirus programs catch them and how wily viruses evade the antivirus programs. You'll learn about polymorphic and evolving viruses. You'll learn how virus writers use exploits - bugs in programs like Outlook Express - to get their code to execute without your consent. You'll learn about logic bombs and the social engineering side of viruses - not the social engineering of old time hackers, but the tried and true scientific method behind turning a replicating program into a virus that infects millions of computers. Yet Dr. Ludwig doesn't stop here. He faces the sobering possibilities of email viruses that lie just around the corner - viruses that could literally change the history of the human race, for better or worse. Admittedly this would be a dangerous book in the wrong hands. Yet it would be more dangerous if it didn't get into the right hands. The next major virus attack could see millions of computers wiped clean in a matter of hours. With this book, you'll have a fighting chance to spot the trouble coming and avoid it, while the multitudes that are dependent on a canned program to keep them out of trouble will get taken out. In short, this is an utterly fascinating book. You'll never look at computer viruses the same way again after reading it.
ISBN 0-929408-34-9, 464 pages, $34.95

The world of hacking changes continuously. Yesterday's hacks are today's rusty locks that no longer work. The security guys are constantly fixing holes, and the hackers are constantly changing their tricks. This new fourth edition of the Happy Hacker - just released in December, 2001 - will keep you up to date on the world of hacking. It's classic Meinel at her best, leading you through the tunnels and back doors of the internet that is accessible to the beginner, yet entertaining and educational to the advanced hacker. With major new sections on exploring and hacking websites, and hacker war, and updates to cover the latest Windows operating systems, the Happy Hacker is bigger and better than ever!

Order from www.ameaglepubs.com today!

The GIANT Black Book of Computer Viruses
by Mark Ludwig

American Eagle Publications, Inc.
Post Office Box 1507
Show Low, Arizona 85901
—1995—

(c) 1995 Mark A. Ludwig
Front cover artwork (c) 1995 Mark Forrer

All rights reserved. No portion of this publication may be reproduced in any manner without the express written permission of the publisher.

Table of Contents

Introduction 1
Computer Virus Basics 13

Part I: Self Reproduction
The Simplest COM Infector 17
Companion Viruses 39
Parasitic COM Infectors: Part I 51
Parasitic COM Infectors: Part II 69
A Memory-Resident Virus 87
Infecting EXE Files 99
Advanced Memory Residence Techniques 113
An Introduction to Boot Sector Viruses 131
The Most Successful Boot Sector Virus 153
Advanced Boot Sector Techniques 171
Multi-Partite Viruses 193
Infecting Device Drivers 213
Windows Viruses 229
An OS/2 Virus 261
UNIX Viruses 281
Source Code Viruses 291
Many New Techniques 319

Part II: Anti-Anti-Virus Techniques
How a Virus Detector Works 325
Stealth for Boot Sector Viruses 351
Stealth Techniques for File Infectors 367
Protected Mode Stealth 391
Polymorphic Viruses 425
Retaliating Viruses 467
Advanced Anti-Virus Techniques 487
Genetic Viruses 509
Who Will Win? 521

Part III: Payloads for Viruses
Destructive Code 535
A Viral Unix Security Breach 561
Operating System Secrets and Covert Channels 569
A Good Virus 591

Appendix A: Interrupt Service Routine Reference 645
Appendix B: Resources 660
Index 663

And God saw that it was good. And God blessed them, saying “Be fruitful and multiply, fill the earth and subdue it.”
Genesis 1:21,22

Introduction

This book will simply and plainly teach you how to write computer viruses. It is not one of those all too common books that decry viruses and call for secrecy about the technology they employ, while curiously giving you just enough technical details about viruses so you don’t feel like you’ve been cheated. Rather, this book is technical and to the point. Here you will find complete sources for plug-and-play viruses, as well as enough technical knowledge to become a proficient cutting-edge virus programmer or anti-virus programmer.

Now I am certain this book will be offensive to some people. Publication of so-called “inside information” always provokes the ire of those who try to control that information. Though it is not my intention to offend, I know that in the course of informing many I will offend some.

In another age, this elitist mentality would be derided as a relic of monarchism. Today, though, many people seem all too ready to give up their God-given rights with respect to what they can own, to what they can know, and to what they can do for the sake of their personal and financial security. This is plainly the mentality of a slave, and it is rampant everywhere I look. I suspect that only the sting of a whip will bring this perverse love affair with slavery to an end. I, for one, will defend freedom, and specifically the freedom to learn technical information about computer viruses. As I see it, there are three reasons for making this kind of information public:

1. It can help people defend against malevolent viruses.
2. Viruses are of great interest for military purposes in an information-driven world.
3. They allow people to explore useful technology and artificial life for themselves.

Let’s discuss each of these three points in detail . . . .

Defense Against Viruses

The standard paradigm for defending against viruses is to buy an anti-virus product and let it catch viruses for you. For the average user who has a few application programs to write letters and balance his checkbook, that is probably perfectly adequate. There are, however, times when it simply is not.

In a company which has a large number of computers, one is bound to run across less well-known viruses, or even new viruses. Although there are perhaps 100 viruses which are responsible for 98% of all virus infections, rarer varieties do occasionally show up, and sometimes you are lucky enough to be attacked by something entirely new. In an environment with lots of computers, the probability of running into a virus which your anti-virus program can’t handle easily is obviously higher than for a single user who rarely changes his software configuration.

Firstly, there will always be viruses which anti-virus programs cannot detect. There is often a very long delay between when a virus is created and when an anti-virus developer incorporates proper detection and removal procedures into his software. I learned this only too well when I wrote The Little Black Book of Computer Viruses. That book included four new viruses, but only one anti-virus developer picked up on those viruses in the first six months after publication. Most did not pick up on them until after a full year in print, and some still don’t detect these viruses. The reason is simply that a book was outside their normal channels for acquiring viruses. Typically anti-virus vendors frequent underground BBS’s, trade among each other, and depend on their customers for viruses.
Any virus that doesn’t come through those channels may escape their notice for years. If a published virus can evade most for more than a year, what about a private release?

Next, just because an anti-virus program is going to help you identify a virus doesn’t mean it will give you a lot of help getting rid of it. Especially with the less common varieties, you might find that the cure is worse than the virus itself. For example, your “cure” might simply delete all the EXE files on your disk, or rename them to VXE, etc.

In the end, any competent professional must realize that solid technical knowledge is the foundation for all viral defense. In some situations it is advisable to rely on another party for that technical knowledge, but not always. There are many instances in which a failure of data integrity could cost people their lives, or could cost large sums of money, or could cause pandemonium. In these situations, waiting for a third party to analyze some new virus and send someone to your site to help you is out of the question. You have to be able to handle a threat when it comes - and this requires detailed technical knowledge.

Finally, even if you intend to rely heavily on a commercial anti-virus program for protection, solid technical knowledge will make it possible to conduct an informal evaluation of that product. I have been appalled at how poor some published anti-virus product reviews have been. For example, PC Magazine’s reviews in the March 16, 1993 issue 1 put Central Point Anti-Virus in the Number One slot despite the fact that this product could not even complete analysis of a fairly standard test suite of viruses (it hung the machine) 2 and despite the fact that this product has some glaring security holes which were known both by virus writers and the anti-viral community at the time, 3 and despite the fact that the person in charge of those reviews was specifically notified of the problem. With a bit of technical knowledge and the proper tools, you can conduct your own review to find out just what you can and cannot expect from an anti-virus program.

1 R. Raskin and M. Kabay, “Keeping up your guard”, PC Magazine, March 16, 1993, p. 209.
2 Virus Bulletin, January, 1994, p. 14.
3 The Crypt Newsletter, No. 8.

[...] because it just hastens the entropic death of the universe. I say all of this not because I have a bone to pick with ecologists. Rather I want to apply the same reasoning to the world of computer viruses. As long as one uses only financial criteria to evaluate the worth of a computer program, viruses can only be seen as a menace. What do they do besides damage [...]

[...] the Tax Break, has actually been proposed, and it may exist.

Computational Exploration

Put quite simply, computer viruses are fascinating. They do something that’s just not supposed to happen in a computer. The idea that a computer could somehow “come alive” and become quite autonomous from man was the science fiction of the 1950’s and 1960’s. However, with computer [...]

[...] escape. There are some very nasty non-resident COM infectors floating around in the underground. They are nasty because they contain nasty logic bombs, though, and not because they take the art of virus programming to new highs. There are three major types of COM infecting viruses which we will discuss in detail in the next few chapters. They are called:

1. Overwriting viruses
2. Companion viruses
3. Parasitic viruses

If you can understand these three simple types of viruses, you will already understand the majority of viruses being written today. Most of them are one of these three types and nothing more. Before we dig into how the simplest of these viruses, the overwriting virus, works, let’s take an in-depth look [...]

[...] contains the most significant bits of the address, and an offset register, which contains the least significant bits. The segment register points to a 16 byte block of memory, and the offset register tells how many bytes to add to the start of the 16 byte block to locate the desired byte in memory. For example, if the ds register is set to 1275 Hex and the bx register is set to 457 Hex, then the physical address of the byte ds:[bx] is

    1275H x 10H = 12750H
                +   457H
                --------
                  12BA7H

No offset should ever have to be larger than 15, but one normally uses values up to the full 64 kilobyte range of the offset register. This leads to the possibility of writing a single physical address in several different ways. For example, setting ds = 12BA Hex and bx = 7 would produce the same physical address 12BA7 Hex as in the [...]

[...] handler)

Program Segment Prefix layout (table fragment)

    Offset  Size (bytes)  Contents
    16H     22            Reserved
    2CH     2             Segment of DOS environment
    2EH     34            Reserved
    50H     3             Int 21H / RETF instruction
    53H     9             Reserved
    5CH     16            File Control Block 1
    6CH     20            File Control Block 2
    80H     128           Default DTA (command line at startup)
    100H    -             Beginning of COM program

[...] offset 100H. DOS also creates a Program Segment Prefix, or PSP, in memory from offset 0 to 0FFH (See Figure 3.1). The [...]

[...] of good reasons why fiat creation can’t occur. In the world of bits and bytes, many of these philosophical conundrums just disappear. (The fiat creation of computer viruses 6 occurs all the time, and it doesn’t ruffle anyone’s philosophical feathers.) In view of these [...]

6 Please refer to my other book, Computer Viruses, Artificial Life and Evolution, for a detailed discussion of these matters.

[...] the end of it. It won’t get very far. Not so, the computer virus, because it attaches itself to otherwise useful programs. The computer user will execute these programs in the normal course of using the computer, and the virus will get executed with them. In this way, viruses have gained viability on a world-wide scale. Actually, the term computer virus is a misnomer. It was coined by Fred Cohen in his 1985 [...]

[...] has two FAT’s, which are identical copies of each other. The second is a backup, in case the first gets corrupted. On the other hand, a disk may have many directories. One directory, known as the root directory, is present on every disk, but the root may have multiple subdirectories, nested one inside of another to [...]

(Figure fragment: The Directory Entry; bytes 0 to 0FH; File Name field)

Posted: 14/08/2014, 18:22
