The Little Black Book of Computer Viruses has seen five good years in print. In those five years it has opened a door to seriously ask the question whether it is. I learned this only too well when I wrote The Little Black Book of Computer Viruses. That book included four new viruses, but only one anti-virus developer picked up on.
Language: English, Spanish, Dutch
Genre: Academic & Education
The Little Black Book of Computer Viruses, Electronic Edition. The Little Black Book of Computer Viruses, Volume One: The Basic Technology, by Mark A. Ludwig.
Note that. COM—to a new name. The other basic strategy. In Figure 4. It can then execute the companion EXE file. The virus lives in the hidden file HOST1. There are two very important things a companion virus must accomplish: It must be capable of spreading or infecting other files. Archive Normal. ESpawn must reduce the amount of memory it takes for itself.
Directory with infected HOST1. Archive Fig. In a COM program the stack is always initialized to be at the top of the code segment. Executing the Host Before ESpawn infects other programs. Archive Hidden. This host program exists as a separate file on disk.
Before executing the host. ESpawn only needs a few hundred bytes for stack. First the stack must be moved. Virus Directory of C: Directory with uninfected HOST1. For all intents and purposes. Function 4AH. Offset Size bytes Description 0 2 2 4 6 4 10 4 14 4 18 4 Segment of environment string. EXEC function control block. Fig 4. This parameter block is illustrated in Figure 4.
This is accomplished by changing sp.
Pointer to command line typically at offset 80H in the PSP of the calling program. To call this function properly. Companion Viruses 41 is safe to move it down to just above the end of the code. In particular. See Appendix A.
Other values let DOS just load. ESpawn is designed to infect every COM program file it can find in the current directory as soon as it is executed. The code to do all this is pretty simple: Functions 4EH and 4FH.
DOS loads and executes the host without any further fuss. The search routine looks like this now: Interrupt 21H. So before performing a search.
Where is this DTA though? When DOS starts a program. Because the host program has already executed. In such a situation. Companion Viruses 43 Notice that we have a call to a separate infection procedure now. There is one further step which ESpawn must take to work properly. This is easily accomplished with Function 1AH. ESpawn must restore the DTA. The default location ds: This makes disinfecting ESpawn harder. File Infection Once ESpawn has found a file to infect. As such it mattered but little that the parameters passed to the program were also destroyed.
ESpawn just makes a copy of itself with the name of the original host. ESpawn creates a file with the original name of the host. DOS file create function. To infect a program. DOS file write fctn. To rename the host. COM file name.
The host can be renamed to that. Exercises The next five exercises will lead the reader through the necessary steps to create a beneficial companion virus which secures all the programs in a directory with a password without which they cannot be executed.
One could. This works fine for COM files. Modify ESpawn so it will infect only files in a specific directory of your choice. Companion Viruses 45 Variations on a Theme There are a wide variety of strategies possible in writing companion viruses. This is a fine example of a very simple. DOS Interrupt 21H. Yet there need not be any relationship between the name of the virus executable and the host it executes. Function 5AH will create a file with a completely random name.
Add a routine to ESpawn which will demand a password before executing the host. Add routines to encrypt both the password and the host name in all copies of the virus which are written to disk. Make the virus rename the files it infects. You can hard-code the required password. Why does this usually work? What might stop it from working? Viruses which put themselves at the start of a program must read the entire host program in from disk and write it back out again.
There are two different methods of writing a parasitic COM infector. One approach is to put the virus at the beginning of the host. A virus which takes up a huge chunk. Both approaches face obstacles which must be overcome to make such a virus work.
This type of virus. Viruses which reside at the end of a file only have to write their own code to disk. Viruses that reside after the host tend to be a bit simpler in construction. It may modify the stack. To understand this. See Figure 5. Because viruses stored at the end of files move around. They always execute at the same offset in memory.
If it infects a COM file that is H bytes long. It may allocate or free memory. This virus can jump directories. Any parasitic virus which tries to patch itself into some internal part of the host. It may go memory resident. So be careful if you experiment with it!
Non-destructive viruses which infect COM files generally must execute before the host. It may overwrite the virus with data. Then if it goes and infects a H byte file. It can get away from you. In case you read that last sentence too quickly.
Since a COM program always starts execution from offset H which corresponds to the beginning of a file a parasitic virus must modify the beginning of any file it infects. Once the host has control.
Timid-II is more aggressive than Timid. Then the call is coded as E8 A4 That is called relative addressing. All near and short jumps work this way. The problem with absolute addressing. If this type of a construct is used in a virus that changes offsets.
As soon as the virus moves to any offset but where it was originally compiled. Instead it may point to uninitialized data. The typical way to do this is to figure out what offset the code is actually executing at. Any virus located at the end of a COM program must deal with this difficulty by addressing data indirectly. Then you access data by using that register in combination with an absolute offset. To get at data.
The result in di will then be the difference between the compiled and the run-time values. Our virus uses this technique too. Another important method for avoiding absolute data in relocating code is to store temporary data in a stack frame.
To create a stack frame. This works simply because a call pushes an absolute return address onto the stack. Yet the value subtracted from di will be the compile time value. A Parasitic COM Infector 51 loads di with a relocation value which can be used to access data indirectly.
This technique is almost universal in ordinary programs which create temporary data for the use of a single subroutine when it is executing. Timid-II makes use of both of these techniques to overcome the difficulties of relocating code. To address data on the stack frame. When the program is done with the data. The stack itself remains functional because anything pushed onto it goes below this data area.
To solve this problem. To do that. These relocation techniques are important. The File Search Routine Timid-II is designed to infect up to ten files each time it executes and that can be changed to any value up to That is. Infect another? Operation of the search routine. No No COM? Max depth? In this manner.
Every other kind of file is ignored. When the DOS search routine returns. Timid-II limits the depth of the directory tree search to at most two. Since a computer with a large hard disk can contain thousands of subdirectories and tens of thousands of files. This search will reveal all subdirectories as well as all ordinary files.
To avoid having to do a double search. As written. If it is a directory. A near jump is represented in machine language with the byte E9 Hex. Even searching directories two deep from the root is probably too much. The Timid-II virus always uses a near jump to gain control when the program starts. Since a short jump only has a range of bytes. It must have a way of telling whether a file has been infected even when it does start with E9. In a program infected by the Timid-II virus.
The near jump allows a range of 64 kilobytes. The virus cannot assume that a file has been infected just because it starts with an E9. Looking for E9 Hex is not enough though. Thus it can always be used to jump from the beginning of a COM file to the virus. It must go further. If it is anything else. There are two kinds of jump instructions which might be encountered in a COM file. Thus the virus may encounter files which start with an E9 Hex even though they have never been infected.
Many COM files are designed so the first instruction is a jump to begin with. If the file is too big. It will infect everything else. But how big is too big? Timid-II must be careful not to infect a file that is too big. The simplest scheme is to just set them to some fixed value. PSP Size. One final check is necessary. Leaving H bytes for stack ought to be enough.
Timid Size. The virus would execute properly. The chances of this occurring are so small. One way to make this test simple and yet very reliable is to change a couple more bytes than necessary at the beginning of the host program.
The near jump will require three bytes. Starting with DOS 6. In this case that is the start of the virus. Set cx: Since the first thing the virus must do is place its code at the end of the COM file it is attacking. One might think programs with this bizarre quirk are fairly rare. To use Function 40H one must set ds: To do so. This is easy. That way. If they are.
That would probably result in a system hang. Such is not the case. Note that there must be two separate areas in the virus to store five bytes of startup code. This contains the first five bytes of the file it is actually attached to. They need only be written out to disk in the proper location. To write the first five bytes of the file under attack. To find that location. This byte needs to be the original file size of the host program.
E9 Hex: The first byte is a near jump instruction. Executing the Host Once the virus has done its work. We must also subtract 3 from this number because the relative jump is always referenced to the current instruction pointer.
The return instruction offers the quickest way to transfer control to an absolute offset from an unknown location. To remedy this. How does this cut down on the maximum time required to search? Add code to limit the search to at most files. Rewrite Timid-II so that it determines whether a file is infected by testing this distance. The Timid-II virus can take a long time to search for files to infect if there are lots of directories and files on a large hard disk. Design a virus that inserts itself before the host in a file.
Although this distance changes with each new infection. This will greatly extend the range of the search without making any given search take too long. It could instead examine the distance of the jump in the second and third bytes of the file.
If you experimented with Timid-II at all in the last chapter. They may not infect any programs directly when they are first executed. The reasons for this are fairly easy to see: This slowdown. No fancy code is needed to do it. All of the most prolific viruses which have escaped and run amok in the wild are memory resident. The most famous example of such a virus is the Jerusalem. One of the simplest techniques.
There are. The Sequin Virus The Sequin virus. Once the virus sets itself up in a memory hole. There are several basic techniques which a file-infecting virus can use to go resident without tripping alarms.
Figure 6. Function 31H. This forces viruses which operate in such a manner to go through the added gymnastics of reloading a second instance of the host and executing it. Both of these calls just tell DOS to terminate that program. For this reason. To go resident. The most obvious technique is to simply use the DOS services designed for that. These techniques work just fine in an environment in which no one suspects a virus.
There are two basic ones. Uninterrupted Interrupts Addison-Wesley. The code it leaves in memory must do something— and to do something it must execute at some point in time. A virus can hook either type of interrupt. When the processor encounters the int 21H instruction. Let us examine the process of how an interrupt works to better understand this process.
In order to gain control of the processor in the future. In contrast.
The generates a hardware interrupt signal for the 80x A hardware interrupt is normally invoked by something in hardware. There are two types of interrupts: The 80x86 calls an Interrupt Service Routine which retrieves the keystroke from the and puts it in main system memory. The code setting up bp here just gets the absolute start of the virus. To make this interrupt hook work properly. An interrupt vector is just a segment and offset which points somewhere in memory.
Generally speaking. Software interrupts are used for many important system services. For this process to do something valuable.
Hooking an interrupt vector in this manner is fairly simple. This vector is stored at segment 0. A Memory-Resident Virus 67 diately following the int 21H instruction.
It differs in that it pushes the flags onto the stack. This code is called an interrupt hook because it still allows the original interrupt handler to do all of the usual processing—it just adds something to it. Therefore they are continually being called by all kinds of programs and by DOS itself.
Sequin also checks for an EXE file. The code before the jump instruction. Sequin writes itself to the end of the file. Sequin hooks Function 3DH. If the file can be infected. The mov ah. This is the code the virus uses to detect itself. In theory. To check if Sequin is already there. This entire process takes place inside the viral int 21H handler before DOS even gets control to open the file in the usual manner.
If Sequin did overwrite a vector that was in use. Since it overwrites interrupt vectors. This is just one way a virus plays on anti-virus technology to frustrate it and make an otherwise beneficial tool into something harmful. This would essentially cause a 4-byte mutation of Sequin which at best would slightly impair it.
There would be no proper interrupt handler at that location. By hooking the File Open function. A scanner opens every program file to read it and check it for viruses. A Memory-Resident Virus 69 and then writes the mov ah. It is practically impossible to tell if a vector is in use or not by examining its contents.
In this way the virus just sits there in memory infecting every COM file that is opened by any program for any reason. The Pitfalls of Sequin While Sequin is very infectious and fairly fool proof. This completes the infection process. Notice how the size of the file you copied changes. Both the source file and the destination file will be larger. Sequin exhibits some interesting behavior in a Windows 95 DOS window.
A virus could hide in some of the unused RAM between K and 1 megabyte. Develop a strategy to find memory in this region that is unused.
Testing Sequin To test Sequin. If you load it. This will make the virus infect programs when they are run. Change a few bytes and see if anything goes wrong. Can you write a virus to hide there?
Neither of these scenarios are very desirable for a successful virus. Using Debug. Yet other programs actually seem to cause the Interrupt 21H handler to execute. ASM The viruses we have discussed so far are fairly simple. The virus must be capable of manipulating the EXE file structure properly in order to infect a program.
IntruderB is non-resident and it does not jump directories. Since they only infected COM files. To be truly viable in the wild. When loading an EXE file. Because EXE files can be multi-segmented.
DOS makes no a priori assumptions about the. In the load module. Note that a COM program requires none of these calisthenics since it contains no segment references. The Relocation Pointer Table would contain a vector After that. The meaning of each byte in the header is explained in Table 7. When DOS loads the program. The segment at the start of the load module contains a far call to the second segment. All of this information is stored in the EXE file itself.
DOS will then add H to the word in that location. Then it would take the relocation pointer Imagine an EXE file with two segments. Address Assembly Language Machine Code Figure 7. This header has two parts to it.
DOS just has to set the segment registers all to one value before passing control to the program. This is in addition to the image of the program stored in the file. If enough memory is not available. The last page may only be partially filled. Initial ss This contains the initial value of the stack segment relative to the start of the code in the EXE file.
If they are anything else. The header is always a multiple of 16 bytes in length. This is relocated by DOS when the file is loaded. DOS will return an error when it tries to load the program. Page Count The number of byte pages in the file. Often this checksum is used for nothing. This will require a routine similar to that in Timid-II. Intruder-B will have its very own code. Overlay Number The resident. This is relocated by DOS at load time.
The Intruder-B virus will attach itself to the end of an EXE program and gain control when the program first starts. Overlays will have different values stored here. If the file is an odd number of bytes long. This can be done in a whole variety of ways. Initial cs Initial value of the code segment relative to the start of the code in the EXE file.
Initial ip The initial value for the instruction pointer. It would crash as soon as it finds a program where those assumptions are violated. Reloc Tbl Offset Offset of the start of the relocation table from the start of the file. A universal EXE virus cannot make any assumptions about how those segments are set up by the host program. Adding pointers to the relocation pointer table brings up an important question. To add pointers to the relocation pointer table. Since the EXE Header must be a multiple of 16 bytes in size.
That memory would have been free space before the virus had infected the program. A load module can be hundreds of kilobytes long. We will have to put two pointers to these segment references in the relocation pointer table. As soon as the virus started making calls or pushing data onto the stack. Infecting EXE Files 75 was initialized with. There are pros and cons for both possibilities. Structure of an EXE File.
To set up segments for the virus. Loading an EXE into memory. Suppose the main virus routine looks something like this: Extend the size of the load module until it is an even multiple of 16 bytes.
Write the virus code currently executing to the end of the EXE file being attacked.
Add two relocation pointers at the end of the Relocation Pointer Table in the EXE file on disk the location of these pointers is calculated from the header. Write the initial value of ss: Read the EXE Header in the host program. Write the initial value of cs: There are five criteria for determining whether an EXE file can be infected: All the initial segment values must be calculated from the size of the load module which is being infected.
This is determined by a simple calculation from values stored in the EXE header. The host must have enough room in its relocation pointer table for two more pointers. The Overlay Number must be zero. These EXE files. The virus must not have already infected the file. While the Initial ip value could be H for an uninfected file. If it is at offset 40H or more.
Recalculate the size of the infected EXE file. It must open the file in question and determine whether it can be infected and make sure it has not already been infected. Write the new EXE Header back out to disk. This is determined by the Initial ip field in the EXE header. This value is always H for an Intruder-B infected program. The rest of the registers are not initialized by DOS. Passing Control to the Host The final step the virus must take is to pass control to the host program without dropping the ball.
Modify the Intruder-B to add relocation table pointers to the host when necessary. If Initial ip was zero for Intruder-B. To avoid taking too long to infect a large file. Modify Intruder-B so it will only infect host programs that have at least 3 segments and 25 relocation vectors.
If an invalid identifier i. Infecting EXE Files 79 chances of it are fairly slim. Except for these. Since the host may need to access parameters which are stored there. Write a virus that infects COM files by turning them into EXE files where the host occupies one segment and the virus occupies another segment. This causes the virus to avoid simple EXE programs that are commonly used as decoy files to catch viruses when anti-virus types are studying them.
As such. We already discussed setting up cs: Memory managers can extend this chain above K as well. DOS allocates memory in blocks. It does not require any specialized. This approach is perhaps the most powerful and flexible way for a virus to insert itself in memory. It is a virus that can infect most of the files in your computer in a few hours of normal use. In other words. Function 31H which are certain to be watched by anti-virus monitors. The Yellow Worm virus. There are two types of MCBs.
It is detailed in Table 8. The new segment will coincide with the start of a new MCB. The Z block is simply the end of the chain. To walk the MCB chain. This process is repeated until one encounters a Z-block. Undocumented DOS. This is the segment of the first Memory Control Block in the system. M blocks fill the rest of the chain. Function 52H. Code to walk the chain looks like this: The address of the List of Lists is obtained in es: Addison Wesley. DOS will almost certainly crash.
This size does not include the MCB itself. The Memory Control Block. Before the Yellow Worm takes the Z block. If done properly. What it does is divide the Z block—provided it is suitable—into an M and a Z block. The virus takes over the Z block and gives the new M block to the original owner of the Z block. A virus can install itself in memory in a number of creative ways by manipulating the MCBs.
If the MCB structure is fouled up. Table 9. The rest it leaves free for other programs to use. System Halted. Since the PSP. Once the Yellow Worm has made room for itself in memory. Since the Worm starts executing at offset 0 from the host. The trouble with this approach is that it left the virus unable to infect about half of all EXE files.
If something else controls the Z block a highly unlikely event. The Yellow Worm circumvents this limitation by performing the relocation of ss and cs itself. That makes the virus active. As you will recall. That way it avoids having to deal with relocating offsets.
Then the copy of the Yellow Worm in memory passes control back to the host. Any time that DOS loads a program from the command prompt. Operation of the Yellow Worm. Function 4BH. Before long. Write the initial values of ss: Windows 95 causes the Yellow Worm to behave in other interesting ways as well. This quirky behavior can actually be a benefit for the virus.
The Windows development team at Microsoft became aware of this problem with the Yellow Worm and graciously fixed Windows 95 so that the Worm will live right through the Windows 95 startup and be alive and active in every DOS box started up under Windows When that DOS box is closed.
An Advanced Resident Virus 87 because of the validity checks it makes when splitting the Z-block of memory. Windows Compatibility Making a small Z block of memory at the end of DOS memory is not a normal way for a program to go resident. Such is exactly the case for Windows 3. BAT file must be searched to find the executable.
COM will start to execute. Function 4BH to execute a file. Because of this. If Windows has an exact path for the file. Windows gives control to DOS. As a result. I recommend you follow a strict set of procedures. Next go into a DOS box. Prepare two directories with the worm and a few test EXE files to infect.
Make note of the sizes of files in the directory. Just such a situation occurred with the first edition of this book. It is now active in memory. The fact that Yellow Worm will appear to be non-viral in such a situation under Windows could help it escape from being recognized as a virus. If it does. Testing the Virus The Yellow Worm is very infective. The anti-virus developers tested it in DOS and decided it was not a virus.
Make sure those test files are nowhere else in your path by trying to execute them from the root directory by just typing their names. To test the Yellow Worm. Once in the DOS box. The Yellow Worm there was designed to run only in a Windows 3. Reboot your computer to get the new path to take effect. With thousands of new viruses every year. If the virus detects itself in memory. That keeps your virus undetected much longer than it would be if it worked without Windows. An Advanced Resident Virus 89 by typing their full path name.
Function 31H Terminate and Stay Resident call. Yet most DOS programs are run under Windows now. This dumb little trick is quite valuable to incorporate into any DOS-based virus nowadays.
If Windows is installed. Notice that FILE1 just got larger. The main problems you must face are a self-detection and b executing the host.
Write a virus which breaks up the current memory block. If one writes a boot sector virus with sufficiently sophisticated anti-detection routines. This chapter will take a look at two of the simplest boot sector viruses just to introduce you to the boot sector.
ASM The boot sector virus can be the simplest or the most sophisticated of all computer viruses. In the next three chapters we will examine several different boot sector viruses. On the one hand. The following chapters will dig into the details of two models for boot sector viruses which have proven extremely successful in the wild. When a PC is first turned on. The most familiar part of this startup code is the memory test. This table provides essential entry points interrupt vectors so all programs loaded later can access the BIOS services.
It works like this: But which disk? Where on that disk? What does it look like? How big is it? How should it be loaded and executed? If the BIOS knew the answers to all of these questions.
Since the operation of a boot sector is hidden from the eyes of a casual user.. Typically this code will perform several functions necessary to get the computer up and running properly. The startup code will also set up an interrupt table in the lowest bytes of memory.
A machine set up with CPM an old. The boot sector provides a valuable intermediate step in the process of loading the operating system. That would be a problem. Once these various housekeeping chores are done. Once the first sector the boot sector has been read into memory.
DOS cannot be loaded from that disk. When a normal DOS boot sector executes. These hidden files must be the first two files on a disk in order for the boot sector to work properly. Sector 1 into memory at location MS-DOS 6. Where that larger file is depends on the operating system. An Introduction to Boot Sector Viruses 93 remains ignorant of the operating system you wish to use.
If they are anywhere else. In the world of DOS. From this point on. Since a sector is normally only bytes long. Head 0.

Computing, especially penetration and security, moves at the speed of light, so most books on it are outdated at publication; they frequently steal from what's already freely available on the internet, and nearly all of them are gimmicky and devoid of substance.
This book is horribly outdated, but not lacking in substance, especially if you're familiar with assembly language or just interested in the history of computer virii. This book is easily the best and most truthful thing I've read regarding hacking since the old cDc BBS files. The good: Assembly code, lots of it. Oh, dear lord, this thing is a treasure trove of some truly ingenious code, the kind you honestly won't find in print very easily.
It's also one of the better resources to track the evolution in the methodologies of programming virii and the history of virii. It's really a fairly unique piece of history since so-called "white-hat" hackers and overzealous persons have tried and for the most part succeeded in removing all traces of virus source code from the net. Even the evolution of virus payloads has changed dramatically, as has motive. Fascinating, IMO. The bad: Most of the code is horribly outdated (modern virii are rarely written in assembly), and very little is relevant anymore as a lot of the exploits are DOS related.
The book assumes you know assembly. If you don't, you won't learn it here. I don't really see that as a disadvantage, but 15 years ago, everyone knew assembly language, now it seems no one bothers to learn it anymore, so it's worth mentioning. Highly Recommended for its somewhat limited audience, which presumably consists of security specialists, assembly code aficionados, nontraditional programmers, and historians of science.
This book is a classic exposition on the programming of computer viruses. Although a bit outdated, it is free to download from the publisher's website.