Virus Scanners Exposed (Spring, 1992)
-------------------------------------
By Dr. Delam

In 1989, virus expert John McAfee reported a whopping 52 known computer viruses in existence for the IBM PC. Lacking the most recent figures, the count today could be estimated at well over 300 known to the public, and probably a couple hundred more known to traders and collectors. Projections for the trend are indefinite, but it is evident that the current popular methods of stopping viruses are grossly ineffective. The following text provides some insight into just a few methods a virus could use that current virus protection wouldn't catch.

When most viruses replicate, they try not to reinfect a program. A marker is left behind to signify an infection. One of the easiest places to leave a marker is in the file's directory entry. Of the marking methods, the 62-second trick is the most popular. When a file is saved, it's given a time and date. The time is saved in hours, minutes, and seconds, but the seconds do not appear in directory listings. Because of this, and because the seconds field may be set to a value that decodes to 62 (DOS stores seconds divided by two in a five-bit field, so it never writes more than 29 there; a value of 31 reads back as 62 seconds), it's a great way for a virus to identify an infection.

Two more areas of interest in directory entries are the attribute byte and the 10 reserved bytes, neither of which has been used by viruses as a marker. The attribute byte has six used bits: read-only, archive, volume label, directory, hidden, and system. The two unused bits cannot be used effectively: if either is set, the ATTRIB command will not be able to change that file's attributes. The 10 reserved bytes, however, can be changed without any adverse effects that I have noticed. They are normally set to zeros.

One other marking method is to leave an identification within the virus body, and scan for that before each infection.
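The directory-entry markers described above (the 62-second trick, the two unused attribute bits, and the 10 reserved bytes) are just as easy to check for from the detection side. What follows is an added example, not code from the article: it parses raw 32-byte FAT12/FAT16 directory entries as DOS laid them out, decodes the packed time field, flags entries whose seconds value is impossible or whose reserved bytes are non-zero, and carves the reserved bytes of every in-use entry into one buffer, which is the same 10-bytes-per-entry space the text goes on to propose as a hiding place. The sample directory table is constructed inline; the field names, helper functions and sample file names are this example's own. One caveat the article predates: later FAT variants (VFAT and FAT32) reuse several of those "reserved" bytes for creation and access timestamps and the high cluster word, so on such volumes non-zero values there are normal and anything hidden in them would be overwritten.

```python
import struct
from dataclasses import dataclass

# Layout of a classic 32-byte FAT12/FAT16 directory entry (DOS 3.x to 5.0):
#   0-7  name    8-10 extension   11 attribute byte   12-21 ten reserved bytes
#   22-23 time   24-25 date       26-27 first cluster 28-31 file size
ENTRY = struct.Struct("<8s3sB10sHHHI")   # 32 bytes, little-endian, no padding

ATTR_UNUSED = 0xC0                       # bits 6 and 7: DOS never sets them


@dataclass
class DirEntry:
    name: str
    attr: int
    reserved: bytes
    time: int
    date: int
    cluster: int
    size: int

    @property
    def seconds(self) -> int:
        # bits 0-4 hold seconds/2, so DOS writes 0..29 (0..58 s); a raw value
        # of 30 or 31 decodes to 60 or 62 seconds, which DIR never displays
        return (self.time & 0x1F) * 2


def parse_entry(raw: bytes) -> DirEntry:
    base, ext, attr, reserved, time, date, cluster, size = ENTRY.unpack(raw)
    name = base.decode("ascii").rstrip()
    ext = ext.decode("ascii").rstrip()
    return DirEntry(f"{name}.{ext}" if ext else name, attr, reserved,
                    time, date, cluster, size)


def suspicious(e: DirEntry) -> list:
    """List the marker tricks from the article that this entry exhibits."""
    reasons = []
    if e.seconds >= 60:
        reasons.append(f"seconds field decodes to {e.seconds} (62-second marker)")
    if e.attr & ATTR_UNUSED:
        reasons.append(f"unused attribute bits set (attr=0x{e.attr:02X})")
    if any(e.reserved):
        reasons.append(f"reserved bytes non-zero: {e.reserved.hex()}")
    return reasons


def in_use(table: bytes, off: int) -> bool:
    # first byte 0x00 = never used (end of directory), 0xE5 = deleted
    return table[off] not in (0x00, 0xE5)


def scan_directory(table: bytes) -> dict:
    """Walk a raw directory table and map each flagged file name to its reasons.
    Volume-label entries are skipped; their fields are not comparable."""
    hits = {}
    for off in range(0, len(table) - 31, 32):
        if not in_use(table, off) or table[off + 11] & 0x08:
            continue
        e = parse_entry(table[off:off + 32])
        reasons = suspicious(e)
        if reasons:
            hits[e.name] = reasons
    return hits


def carve_reserved(table: bytes) -> bytes:
    """Concatenate the 10 reserved bytes of every in-use entry: a 112-entry root
    directory yields 1120 bytes that DIR and a scan-string scanner never read."""
    return b"".join(table[off + 12:off + 22]
                    for off in range(0, len(table) - 31, 32) if in_use(table, off))


def make_entry(name: str, ext: str, attr: int = 0x20, reserved: bytes = b"\0" * 10,
               hour: int = 12, minute: int = 0, sec2: int = 0, size: int = 0) -> bytes:
    """Build one constructed entry; sec2 is the raw 5-bit seconds/2 field."""
    time = (hour << 11) | (minute << 5) | sec2
    date = ((1992 - 1980) << 9) | (3 << 5) | 1          # 1 March 1992
    return ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                      attr, reserved, time, date, 2, size)


# Constructed sample root directory, not taken from any real disk
SAMPLE_TABLE = (
    make_entry("COMMAND", "COM", size=47845)
    + make_entry("FORMAT", "COM", sec2=31, size=22717)             # 62-second marker
    + make_entry("EDLIN", "EXE", reserved=b"MARKER\0\0\0\0", size=12642)
    + make_entry("README", "TXT", attr=0x20 | 0x40)                 # unused bit 6 set
    + b"\xE5" + make_entry("OLD", "BAK")[1:]                        # deleted: ignored
    + b"\0" * 32                                                    # end of directory
)

if __name__ == "__main__":
    for fname, why in scan_directory(SAMPLE_TABLE).items():
        print(fname, "->", "; ".join(why))
    print("reserved-byte channel:", carve_reserved(SAMPLE_TABLE).hex())
```

To run this against a real volume, read the root directory from a disk image at the offset the boot sector's BPB gives (reserved sectors plus the FAT copies) and feed the raw bytes to scan_directory(); any file reported with a 62-second timestamp deserves a closer look, since DOS itself never writes one.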
This is not only time consuming, but it leaves the virus scanners something to detect, and it cannot be used with randomly encrypting code, since the identification would be encrypted along with everything else.

Note: If you are not familiar with the ATTRIB command, type "ATTRIB *.*" to see the current attributes of each file in a directory. For a cheap thrill, go to the local Radio Shack, get into DOS, and use EDLIN to modify AUTOEXEC.BAT. Be creative: if ANSI.SYS is loaded in CONFIG.SYS, you might want to add the line "PROMPT $E[=1hEat ME!". Then type "ATTRIB +R AUTOEXEC.BAT". It's harmless fun, and it will effectively annoy the salespeople because they won't be able to delete or change AUTOEXEC.BAT.

Virus size can become a critical factor in programming. An easy way to reduce size is to place some of the code in a common location and load it in during execution. An overlooked area, again, is the directories. If the root directory's capacity is 112 entries (the number is found in the boot sector), using the 10 reserved bytes of each entry would give you 1120 undisturbed bytes in a great location, free from scanners. Subdirectories provide even more free space: the number of entries in a subdirectory is unlimited, and furthermore a subdirectory doesn't show its size in directory listings. A generous number of empty entries could be provided to a subdirectory, after which a full virus could reside in them. The only other places that would be considered undisturbed, safe hiding spots would be in the DOS directory as a pseudo-file like GRAPHICS.SYS, which doesn't really exist but may be overlooked, or under the name of a useless-looking file like 12345.678.

The ideas presented were original, and may give a small feel for how insecure computers are and how far behind the times virus researchers using the old scan-string technique really are. At the head of the pack of those researchers who are still scanning is McAfee Associates in California. McAfee Associates use a somewhat desultory method of catching viruses.
A new virus infects someone; they send a copy to McAfee, and McAfee looks for a sequence of bytes common within the virus (the scan string). A few more come out and McAfee puts out the new version of Scan. Yippee!

"Hmmmmm, McAfee foils me again; they have a scan string to my virus!" It didn't take much thinking on the part of virus writers and connoisseurs to figure out the solution: just change the bytes of the scan string in the virus itself, and voilà, the virus is no longer scannable! The obvious was too obvious, though: McAfee made sourcing Scan to find the scan strings near impossible. Scan works by encrypting the program it is scanning and comparing it to an encrypted scan string, like comparing a dictionary against a DES-hashed password file. This was done so Scan wouldn't detect itself. Picking apart Scan seemed to be more bother than it was worth, which is how any security should work.

"Bahahah, they missed something!" is probably something like what Flash Force was thinking when he pioneered the way around the encryption. Flash Force called my board and told me what he was working on. He found that all the scan strings were 10 bytes in length, so he made a program called "Antiscan" to fragment a known virus into hundreds of little 10-byte files. Sure enough, Scan pointed out the 10-byte file containing the scan string. McAfee caught on that new viruses were coming out that were actually old ones with a few bytes mixed around, just enough to evade Scan. Their response was to make some new scan strings of varying lengths, and allow for a wild card where the strings varied slightly. It's obvious McAfee didn't know what was really going on, or they would have checked the length of the program they were scanning and made a percentage match to warn of near matches. (It would be fun to see how they would cope with a virus that randomly exposes scan strings of other viruses. You have to wonder if Clean would obliterate the program it was trying to save.)
The problem McAfee posed was easily remedied. I used Flash Force's idea and made a program that forced Scan to look at two files at a time, working much faster than Antiscan. Take the first half of the bytes in the virus and make one file. Take the second half of the bytes and make another. Now shell to Scan and make it look at the files. If Scan finds nothing in either half, the scan string must be broken across the two halves, so center on that section and reduce the resulting file's size, still centering, until Scan can no longer detect the string. If Scan had found the string in one of the original halves, the program would make two more files from that half, and so on. Finally a resulting file that can't be halved or reduced while centered upon is produced. From that point the program fragments like Antiscan, and Scan will point out the scan string it looks for, all inside of a couple of minutes or less.

I visited with Mark Washburn, writer of the V2P series of research viruses, and of a protection program known as Secure. I found Mark to be a pretty kewl guy, and we got into discussing phreaking, which he had no previous experience with. He wouldn't be labeled a hacker by today's standards, but I think you'll see that much of what he does parallels that of one.

Mark saw a way to circumvent virus scanners altogether: just write a program that encrypts itself 100 percent and varies the encryption from infection to infection! Most programmers would say, "Yeah, but the part that decrypts the virus would have to be executable, therefore it can't be encrypted, and the scanner would pick that up!" Not if you figure out an algorithm to make thousands of decryptors that all perform identically... which is what he did. In his latest V2P7 virus, only 2 bytes stay constant, the two required to form a loop. How many programs do you suppose have loops in them!? He scares the hell out of McAfee while showing them the fault in their programs. They've never listened.
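The halving procedure described above is a bisection search driven by nothing more than the scanner's yes/no verdict. Below is an added example, not the author's program and not Flash Force's Antiscan: a toy scan-string detector with wild-card bytes stands in for shelling out to Scan (the signatures and the sample "virus" body are constructed for this example and are not real scan strings), and locate_signature() narrows a sample to the smallest slice the detector still flags by binary-searching the start offset and then the end offset, which is the article's "halve, then center and shrink" expressed as two searches. It works because detection is monotone under containment: a slice that holds the string is flagged, so every larger slice is too. The last function illustrates the point made about Washburn's approach: once the whole body is encrypted with a per-infection key, the detector finds nothing, and all that is left to match is the decryptor, which his generator varies. All function and signature names here are this example's own.

```python
import random
from typing import Callable, Optional, Tuple

# Constructed scan-string database for this example (NOT McAfee's real strings).
# A signature is a tuple of byte values; None is a one-byte wild card, the
# feature McAfee added once "mixed around" copies of old viruses appeared.
SIGNATURES = {
    "Toy-A": (0xB8, 0x00, 0x4C, 0xCD, 0x21, 0xE8, None, None, 0x5E, 0x83),
    "Toy-B": (0xBE, None, None, 0xB9, 0x10, 0x00, 0xAC, 0x34, 0x5A, 0xAA, 0xE2, 0xFA),
}


def matches_at(data: bytes, off: int, sig: tuple) -> bool:
    """True if `sig` (wild cards allowed) matches `data` starting at `off`."""
    if off + len(sig) > len(data):
        return False
    return all(w is None or data[off + i] == w for i, w in enumerate(sig))


def scan(data: bytes) -> Optional[str]:
    """Black-box detector standing in for shelling out to Scan: the name of the
    first signature found, or None.  Everything below uses only this verdict."""
    for name, sig in SIGNATURES.items():
        if any(matches_at(data, off, sig) for off in range(len(data))):
            return name
    return None


def locate_signature(sample: bytes,
                     detector: Callable[[bytes], Optional[str]] = scan
                     ) -> Optional[Tuple[int, bytes]]:
    """Narrow `sample` to the smallest slice the detector still flags.

    Two binary searches: the largest start offset that is still flagged,
    then the smallest end offset after it.  O(log n) detector calls instead
    of the hundreds of fragment files Antiscan had to write."""
    if detector(sample) is None:
        return None
    # Left edge: invariant  sample[lo:] flagged,  sample[hi:] not flagged.
    lo, hi = 0, len(sample)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detector(sample[mid:]):
            lo = mid
        else:
            hi = mid
    start = lo
    # Right edge: invariant  sample[start:lo] not flagged,  sample[start:hi] flagged.
    lo, hi = start, len(sample)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detector(sample[start:mid]):
            hi = mid
        else:
            lo = mid
    return start, sample[start:hi]


def xor_encrypt(body: bytes, key: int) -> bytes:
    """Whole-body XOR with a per-infection key: the 100 percent self-encryption
    described in the text.  The decryptor that would precede this in a real
    sample is deliberately not modelled here."""
    return bytes(b ^ key for b in body)


def build_sample(offset: int = 300, seed: int = 1992) -> bytes:
    """Constructed 1 KiB 'virus body': pseudo-random filler with a concrete
    instance of Toy-A (wild cards filled with 0x90) planted at `offset`."""
    rng = random.Random(seed)
    body = bytearray(rng.randrange(256) for _ in range(1024))
    concrete = bytes(0x90 if w is None else w for w in SIGNATURES["Toy-A"])
    body[offset:offset + len(concrete)] = concrete
    return bytes(body)


if __name__ == "__main__":
    sample = build_sample()
    print("verdict on plain body:", scan(sample))
    print("located scan string:", locate_signature(sample))
    print("verdict on encrypted body:", scan(xor_encrypt(sample, 0x5A)))
```

Because the locator depends only on the verdict, the same function drives a real command-line scanner unchanged: pass a detector that writes the slice to a temporary file, runs the scanner on it and returns its result. If the sample contains two copies of the string, the left-edge search settles on the later one; run it again on the prefix to find the other.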
I had to wonder who Mark gives copies of his research viruses to. He only made two copies of V2P6, and one of them went to McAfee. He didn't believe me when I told him I had a copy of V2P6, so I had to show him. To say the least, he was shocked. Trusting that he only gave a copy to McAfee would mean one of two things: either McAfee has warped staff, or someone gained higher access on McAfee's board (if McAfee was stupid enough to put their copy of V2P6 anywhere near their BBS computer). Either way, they lack security.

Though the V2P viruses are unscannable, Mark made sure he had a way to protect against them. His Secure program is a shareware virus protection that watches over reads and writes to executable files, vital sectors, and memory. It effectively stops new and old viruses as well as trojans, bombs, and replicators. Probably the only ways around it are to use direct control of the drives, which is too much bulk for a virus; to remove Secure from memory; or to have the virus rename the file it is infecting to a filename without an executable extension, infect it, and then restore the original name. To date, no virus uses any of these methods to avoid detection, because not enough people are using Secure to worry about it.

McAfee has gained popularity only because it is easy to obtain a recent version via their BBS, and the average computer user isn't smart enough to understand the mechanics of virus protection and the quintessence of hampering all activity resembling a virus before its propagation. If it weren't for people like Mark, who test the security of computers and the integrity and validity of software, cyberspace might just as well be ruled by the sadistic and vindictive.

Durum et durum non faciunt murum!
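The rename trick mentioned above in the discussion of Secure (rename the victim to a non-executable name, write to it, rename it back) works against any monitor that keys its write policy on the file name presented at write time. The following is an added example, not Secure's code and not a real virus: a small Python model in which a monitor object stands in for the resident hook that would sit in front of the DOS file calls, with a name-only monitor beside a hardened one that also refuses renames into or out of the executable namespace. The extension set, class and function names are this example's own, and the victim is a constructed four-byte .COM stub written to a temporary directory.

```python
import os
import tempfile
from typing import Tuple

# Extensions a DOS-era resident monitor would treat as executable (assumed set).
EXECUTABLE_EXTS = {".exe", ".com", ".sys", ".ovl"}


def is_exec_name(path: str) -> bool:
    return os.path.splitext(path)[1].lower() in EXECUTABLE_EXTS


class NameBasedMonitor:
    """Model of a resident monitor whose write hook decides by the file NAME
    presented at write time; renames pass through unexamined.  A simulation
    of the weakness the article points at, not Secure itself."""

    def write(self, path: str, data: bytes) -> None:
        if is_exec_name(path):
            raise PermissionError(f"write to executable refused: {path}")
        with open(path, "ab") as f:
            f.write(data)

    def rename(self, src: str, dst: str) -> None:
        os.rename(src, dst)


class RenameAwareMonitor(NameBasedMonitor):
    """Hardened model: a rename that moves a file out of, or back into, the
    executable namespace is refused as well, so a name cannot be laundered
    around the write check.  Content sniffing would not do here: a .COM file
    has no header to recognise, so the protection has to follow the rename."""

    def rename(self, src: str, dst: str) -> None:
        if is_exec_name(src) or is_exec_name(dst):
            raise PermissionError(f"rename touching executable refused: {src} -> {dst}")
        super().rename(src, dst)


def rename_laundering_infection(monitor: NameBasedMonitor, target: str,
                                payload: bytes) -> bool:
    """The evasion the article outlines: rename the victim to a non-executable
    name, append the payload, rename it back.  Returns True if the payload
    landed, False if the monitor refused (restoring the name if needed)."""
    laundered = os.path.splitext(target)[0] + ".tmp"
    try:
        monitor.rename(target, laundered)
    except PermissionError:
        return False                      # stopped before the file was touched
    try:
        monitor.write(laundered, payload)
        monitor.rename(laundered, target)
        return True
    except PermissionError:
        os.rename(laundered, target)      # virus restores the name to avoid suspicion
        return False


def demo(monitor_cls) -> Tuple[bool, bytes]:
    """One infection attempt against a fresh constructed victim HOST.COM in a
    temporary directory.  Returns (payload landed?, final file contents)."""
    original = b"\xB4\x4C\xCD\x21"       # constructed stub: mov ah,4Ch / int 21h
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "HOST.COM")
        with open(victim, "wb") as f:
            f.write(original)
        landed = rename_laundering_infection(monitor_cls(), victim, b"VIRUS")
        with open(victim, "rb") as f:
            return landed, f.read()


if __name__ == "__main__":
    for cls in (NameBasedMonitor, RenameAwareMonitor):
        print(cls.__name__, demo(cls))
```

The design point is that the policy has to be attached to the object, not to the name it happens to carry at the instant of the write; when the object cannot be tracked (as with a name-only hook in DOS), the next best thing is to refuse every operation that changes which name the policy would see, which is what the hardened model does.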