ComputerViruses-Evolution-KSAJ, Study notes of Advanced Computer Programming

Typology: Study notes, 2011/2012. Uploaded on 10/12/2012 by arun.

COMPUTER VIRUSES: The Technology and
Evolution of an Artificial Life Form
Written by: Karsten Johansson, 1994
NOTE:
This document was written before the advent of Internet worms and
trojans. It probably contains more information about the pre-commercial
internet virus scene than any other singular source, and thus I have
opted to make it available to the Internet as a historical reference.
There are a couple of unfinished sections, but maybe if there is enough
interest, I may be convinced to finish this and update it to reflect the
current state of the malware industry, and update the Artificial Life
stuff since so much has happened there since 1994.
Permission is granted to use this information in any legitimate manner
as long as (1) my copyright is maintained, (2) you give me credit for
all material used, and (3) you send an email to ksaj@penetrationtest.com
so I know where and how my research and writing is being used.
There is no copy restriction on this document for reading or
distribution, but (4) under no circumstances is sale or profit directly
from my work permitted without my implicit authorization. (5) If
distributed, this document must remain in its entirety, and shall not be
altered from the original PDF file distributed at
http://www.penetrationtest.com.
Publishers interested in this manuscript or any of my other works may
contact me at the same email address.

Written by: Karsten Johansson ©1994 Karsten Johansson

This book is dedicated to Alan Mathison Turing, who inspired a whole new way to look at life.

Thanks to: Jackie Lavelle; Memory Lapse; Lucifer Messiah (AS, Canada); Data Disruptor (RABID/YAM); Volatile RAM (AS, Sweden); Patti Hoffman; Christopher Langton; Bob Janesack (Safety Net); Steven Warden (Safety Net); Cap'n Crunch; Darryl Burke, David Stang (NCSA); Phalcon, ProTurbo (RABID); Mentor Brain; Steven Levy; Cyberpunk; X4Crumb (AS, Canada); Robert Adams (Akitavision); Charles Taylor; Steen Rasmussen; Dennis Ho; Transition House.

Special Thanks to: Ian Young for suggesting this book in the first place; Steeve Iwanow, for his art and endless support; Steeve's parents for putting up with me during the times I used their dining room as my research office; my mother Pauline; George Talusan for his assistance and ideas; Rob VanHooren for getting me interested in the darker side of computing way back in grade 9.

Introduction

'The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead lined room with armed guards - and even then I have my doubts' -- Eugene H. Spafford

Several years ago, an acquaintance of mine phoned me after watching his computer report:

Your PC is now STONED!! LEGALIZE MARIJUANA

Though computer viruses were still very much a mystery to the few who had even heard of them, I was fortunate enough to have read an article about them earlier. In an excited rush, I grabbed a DOS setup disk and took a cab to his apartment.

After reinstalling DOS, I found myself with a handful of infected diskettes. Still the computer occasionally indicated it was "stoned" when the system was booted. We had failed.

After several months of hacking at the virus, we had the Stoned boot sector contained in a file on a diskette, and a working disassembly of its code. By this time, I

The truth about computer viruses is probably surrounded by more political red tape than any other development in recent history. Most people are shocked to learn that a handful of scientists are using and designing beneficial virus-related functions and technology.

What are computer viruses? What do they do? Where do they come from? What is the risk of being infected? Are viruses malicious? Do they have any positive uses - and if so, what are they? How do you get rid of a malicious virus when you find one? More importantly, how do you avoid unwanted infection?

COMPUTER VIRUSES: The Technology and Evolution of an Artificial Life Form promises to answer these and many other questions, lifting the shroud of secrecy and revealing the real world of computer viruses. It is intended for everyone who owns, or is planning to own, a PC. Whether your computer is used at work or at home, this book incorporates both technical and non-technical material about computer viruses, as well as their effects on the victim.

This book is also devised to educate its readers about available virus scanning technology. As the writer has no product affiliation, the characteristics of computer virus scanners and their functions are presented impartially. There is considerable information on the detection and removal of viral infections, and most importantly, advice promoting a virus-free environment.

Sections are devoted to the history of computer viruses, the testimonies of several known virus authors and researchers, the history of virus scanning, and virus myths. One section reports on the false sense of security marketed by most of the scanning products presently available.

For the computer addict, there are sections detailing the computer virus from a low-level point of view. Included is source code for a number of distinct study-viruses, plus several source code examples demonstrating the incredible technologies exploited in computer viruses. This easily lends itself to a study in Artificial Life and the related domain of Synthetic Psychology. Many people are unaware that scientists and hobbyists direct their attention towards these and similar living devices.

This book conforms to the same conventions assumed by most other computer texts:

  • Numbers followed by an h are hexadecimal numbers.
  • Numbers followed by a b are binary numbers.
  • Numbers with no letter following are standard base 10 numbers, except in the following case found only when discussing memory locations: SSSS:OOOO where SSSS refers to code segment, and OOOO refers to code offset. These numbers are hexadecimal.
  • The term "ASM" refers to Assembly Language.
  • ASM files are source code files written in Assembly Language.
  • The term "DOS" includes MSDOS, PCDOS, and in most cases, DRDOS.
  • The terms viri , virii , vira , etc are completely unfounded, and therefore will not be used. All scientists, doctors, standard and medical dictionaries agree: the plural of virus is viruses. These other “words” are just minor linguistic annoyances that we can do without.
  • A host is a file containing virus code.
  • A victim is a file targeted for infection. A successful infection causes the victim to become a host, which can then attack and infect more victims.

Computer Viruses: The Technology and Evolution of an Artificial Life Form has been written as a reference document and guide, useful for any project involving computer viruses, Synthetic Psychology, and Artificial Life.

Several appendices are included, as well as a glossary of Computer Virus, Artificial Life, and Synthetic Psychology related terms.

Before we begin our journey with the first step, I would like to welcome you to the bleeding edge of technology.

In 1989, John McAfee, well known for his ViruScan and Clean-Up products, is more direct in asserting: "A virus is a computer program created to infect other programs with copies of itself. It has the ability to clone itself, so that it can multiply, constantly seeking new host environments"(^3) Today, both will have modified their views. Not all of today's computer viruses inject themselves into their victims, nor is cloning mandatory, as is assumed in the above definitions.

An example of a virus which does not actually inject its code into the victim is the Creeping Death virus from Bulgaria. Instead, this virus places a single copy of itself in a protected area on the disk and redirects every file execution call to the virus code first, before running the requested file. Each infected disk will have only one copy of the virus code. Because it modifies the directory entries (the start-cluster pointers DOS keeps for each file, alongside the FAT, the File Allocation Table) rather than the files themselves, it is termed a Directory Infector. This type of virus is detailed in chapter 5.

Another virus which does not inject code into its host is the Insufficient Memory virus. This virus infects only .EXE files by copying itself into a similarly named .COM file. For this reason, it is called a Companion Virus.

(^3) McAfee, J. and Haynes, C., Computer Viruses, Worms, Data Diddlers, Killer Programs, and Other Threats to Your System, pp. 1, St. Martin's Press, 1989

Companion viruses cause no change in their victim .EXEs, and as a result can be very difficult to detect: an integrity check that watches only the .EXE sees nothing wrong.

Companion viruses abuse the order in which DOS looks up executable files. When a command is typed without an extension, DOS tries NAME.COM before NAME.EXE (and NAME.BAT last), so if a .COM file shares the same name as an .EXE file in the same directory, only the .COM file is executed; the .EXE file is completely ignored unless the .COM file itself runs it, which is exactly what the virus does once its own code has finished. Companion viruses are especially difficult to scan for if the .COM file carries the hidden attribute, so that DIR does not list it. Despite this, they are the easiest to disinfect without causing damage to existing files: deleting the companion .COM restores the original behaviour, because the .EXE was never touched.
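The lookup order and the disinfection described in the two paragraphs above, as an added example that is not code from the book. It is a Python check over a constructed DOS directory listing (names, ATTRIB letters and sizes are made up): resolve() applies the .COM, .EXE, .BAT search order DOS uses for a bare command name, find_companions() flags every .COM that shadows a same-named .EXE and notes whether it is hidden, and remove_companion() performs the disinfection by deleting only the .COM. All function and entry names are this example's own.

```python
"""Companion-virus check for a DOS directory listing.

Added example, not code from the book.  DOS resolves a bare command name by
trying NAME.COM, then NAME.EXE, then NAME.BAT in each directory on the search
path; a companion virus plants NAME.COM beside a legitimate NAME.EXE and so
gets control first.  The listing below is constructed; entries are
(name, attribute letters as shown by ATTRIB, size in bytes).
"""

SEARCH_ORDER = (".COM", ".EXE", ".BAT")

# Constructed directory listing.  WP.COM and GAME.COM are planted companions;
# COMMAND.COM and SETUP.BAT are legitimate and must not be flagged.
LISTING = [
    ("COMMAND.COM", "",   47845),
    ("WP.EXE",      "",  248832),
    ("WP.COM",      "H",   1024),   # hidden: ATTRIB +H, so DIR does not show it
    ("GAME.EXE",    "",   81920),
    ("GAME.COM",    "",    1024),   # visible companion
    ("SETUP.EXE",   "",   30720),
    ("SETUP.BAT",   "",     120),   # a .BAT never shadows an .EXE
]


def split_name(filename):
    """'WP.COM' -> ('WP', '.COM'); DOS names compare case-insensitively."""
    base, dot, ext = filename.upper().rpartition(".")
    return (base, dot + ext) if dot else (filename.upper(), "")


def resolve(command, listing):
    """Return the file DOS would execute for a bare command name, or None."""
    present = {split_name(name) for name, _, _ in listing}
    for ext in SEARCH_ORDER:
        if (command.upper(), ext) in present:
            return command.upper() + ext
    return None


def find_companions(listing):
    """Flag every .COM that shadows a same-named .EXE in the same directory.

    Returns a list of dicts sorted by the .EXE name.  'hidden' is True when
    the .COM carries the hidden attribute.  This is a heuristic: some
    legitimate packages ship both NAME.COM and NAME.EXE, so a hit means
    'inspect', not 'infected'.
    """
    by_key = {split_name(name): (name, attrs, size) for name, attrs, size in listing}
    findings = []
    for (base, ext), (name, attrs, size) in by_key.items():
        if ext != ".EXE":
            continue
        com = by_key.get((base, ".COM"))
        if com is None:
            continue
        com_name, com_attrs, com_size = com
        findings.append({
            "exe": name,
            "com": com_name,
            "hidden": "H" in com_attrs.upper(),
            "com_size": com_size,
            "runs_first": resolve(base, listing) == com_name,
        })
    return sorted(findings, key=lambda f: f["exe"])


def remove_companion(listing, com_name):
    """Disinfection for a companion virus: delete the .COM and nothing else.

    The .EXE was never modified, so no file repair is needed; this is why the
    book calls companions the easiest type to remove safely.
    """
    return [entry for entry in listing if entry[0].upper() != com_name.upper()]


if __name__ == "__main__":
    for f in find_companions(LISTING):
        flag = "HIDDEN " if f["hidden"] else ""
        print(f"{flag}{f['com']} shadows {f['exe']} (runs first: {f['runs_first']})")
    cleaned = remove_companion(LISTING, "WP.COM")
    print("after removal, WP runs:", resolve("WP", cleaned))
```

A hit is a reason to look, not proof of infection: some legitimate products ship NAME.COM and NAME.EXE side by side, so a real check would also compare the .COM's size and date against the installed product before deleting anything.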

Moreover, not all viruses need to clone themselves, in the sense of producing byte-for-byte identical copies. A fairly recent example of a virus whose copies are never identical is the Pogue virus. It uses what has been christened the MuTating Engine (MTE), created by Mad Maniac and the Dark Avenger from Bulgaria.

The MTE is a polymorphic encryption routine: on each infection it encrypts the virus body under a fresh key and generates a new decryptor to go with it, so the code written into each host differs. This engine is so complex that only three bytes remain constant with each infection, leaving almost nothing for a fixed-string scanner to match on. The Lezbo virus, featured in chapter 6, contains a more advanced version of such an encryption engine.
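To make the mechanism concrete, here is an added simulation in Python; it is neither the MTE nor code from the book. generate() builds a fresh decryptor for each "infection" from a randomly chosen pointer register, arithmetic operation, key and filler instructions, using real 8086 encodings for that handful of instructions, and appends the body encrypted under the inverse operation. emulate() is a sandbox for exactly that instruction subset, which is the approach scanners later took against polymorphic code, and scan() shows the same signature missing from the file image but present once the decryptor has been run. PAYLOAD is a constructed stand-in for a virus body, the load address of 100h is an assumption (as for a .COM file), and all names are this example's own.

```python
"""Polymorphic decryptor generation and emulation-based detection (simulation).

Added example: neither the book's code nor the real MTE.  Each generation
picks a pointer register, an arithmetic operation, a key and filler
instructions at random, so the decryptor bytes differ from copy to copy while
the decrypted body is always identical.  Assumptions: 8086 encodings for the
few instructions used, a constructed PAYLOAD in place of a virus body, and a
.COM-style load address of 100h.
"""
import random

PAYLOAD = b"STUDY VIRUS BODY: stands in for the real code of the virus"

MOV_IMM16 = {"si": 0xBE, "di": 0xBF, "bx": 0xBB}   # mov reg, imm16
INC_REG   = {"si": 0x46, "di": 0x47, "bx": 0x43}   # inc reg
RM        = {"si": 0x04, "di": 0x05, "bx": 0x07}   # ModRM for byte [reg], /0
DIGIT     = {"add": 0, "sub": 5, "xor": 6}         # /digit field of opcode 80h
INVERSE   = {"add": "sub", "sub": "add", "xor": "xor"}
FILLER    = (0x90, 0xFC, 0xF8, 0xF9)               # nop, cld, clc, stc: no effect here


def transform(data, op, key):
    """Apply op with key to every byte; encryption uses the decryptor's inverse."""
    f = {"xor": lambda b: b ^ key, "add": lambda b: (b + key) & 0xFF,
         "sub": lambda b: (b - key) & 0xFF}[op]
    return bytes(f(b) for b in data)


def generate(body, rng, load_at=0x100):
    """Return decryptor + encrypted body as it would be written into a host."""
    reg, op = rng.choice(list(MOV_IMM16)), rng.choice(list(DIGIT))
    key = rng.randrange(1, 256)
    stub = bytearray()
    filler = lambda: stub.extend(rng.sample(FILLER, rng.randrange(0, 3)))
    filler()
    stub += bytes([0xB9]) + len(body).to_bytes(2, "little")    # mov cx, len
    filler()
    mov_at = len(stub)
    stub += bytes([MOV_IMM16[reg], 0, 0])                      # mov reg, body (patched below)
    filler()
    top = len(stub)
    stub += bytes([0x80, RM[reg] | (DIGIT[op] << 3), key])     # op byte [reg], key
    stub += bytes([INC_REG[reg]])                              # inc reg
    stub += bytes([0xE2, (top - (len(stub) + 2)) & 0xFF])      # loop top
    stub[mov_at + 1:mov_at + 3] = (load_at + len(stub)).to_bytes(2, "little")
    return bytes(stub) + transform(body, INVERSE[op], key)


def emulate(image, load_at=0x100, max_steps=100_000):
    """Sandbox for exactly the instruction subset above.  Execution stops when
    control reaches a byte the code modified itself (the decrypted body) or an
    opcode outside the subset.  Returns the memory image afterwards."""
    mem = bytearray(0x10000)
    mem[load_at:load_at + len(image)] = image
    regs = {"si": 0, "di": 0, "bx": 0, "cx": 0}
    mov_reg = {v: k for k, v in MOV_IMM16.items()}
    mov_reg[0xB9] = "cx"
    inc_reg = {v: k for k, v in INC_REG.items()}
    rm_reg = {v: k for k, v in RM.items()}
    written, ip = set(), load_at
    for _ in range(max_steps):
        op = mem[ip]
        if ip in written:
            break                                   # running decrypted bytes
        if op in FILLER:
            ip += 1
        elif op in mov_reg:
            regs[mov_reg[op]] = int.from_bytes(mem[ip + 1:ip + 3], "little")
            ip += 3
        elif op in inc_reg:
            regs[inc_reg[op]] = (regs[inc_reg[op]] + 1) & 0xFFFF
            ip += 1
        elif op == 0x80:
            modrm, imm = mem[ip + 1], mem[ip + 2]
            digit = (modrm >> 3) & 7
            if modrm >> 6 or (modrm & 7) not in rm_reg or digit not in (0, 5, 6):
                break
            addr = regs[rm_reg[modrm & 7]]
            if digit == 6:
                mem[addr] ^= imm
            elif digit == 0:
                mem[addr] = (mem[addr] + imm) & 0xFF
            else:
                mem[addr] = (mem[addr] - imm) & 0xFF
            written.add(addr)
            ip += 3
        elif op == 0xE2:                            # loop rel8
            rel = mem[ip + 1] - (256 if mem[ip + 1] > 127 else 0)
            regs["cx"] = (regs["cx"] - 1) & 0xFFFF
            ip = ip + 2 + rel if regs["cx"] else ip + 2
        else:
            break                                   # unknown opcode
    return bytes(mem[load_at:load_at + len(image)])


def scan(image, signature=PAYLOAD[:16]):
    """(static hit, emulated hit) for one signature: same string, before and
    after the decryptor has been run in the sandbox."""
    return signature in image, signature in emulate(image)


def generation(seed):
    """One 'infection' with a reproducible choice of register, op, key, filler."""
    return generate(PAYLOAD, random.Random(seed))


if __name__ == "__main__":
    for seed in (1, 2):
        img = generation(seed)
        print(f"seed {seed}: {len(img)} bytes, scan static/emulated = {scan(img)}")
```

Generate a few seeds and diff the images: the mov/loop skeleton survives, but its bytes shift with the filler and the key and register change, which is the property the three-constant-bytes claim is describing. The sandbox stops as soon as control reaches a byte the code itself has modified, which is how an emulating scanner knows decryption has finished and the buffer can be scanned.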

The virus authors have been working very hard to combat the anti-virus industry, and in doing so, have changed the definition of a virus many times over.

Recently, several underground groups began creating utilities which can spawn new viruses, or produce usable source code, from configuration information supplied by the program's user. These virus construction utilities make virus creation increasingly uncomplicated: even a complete novice can create a virus simply by filling in the options the program asks for. Fortunately there are, as yet, no construction utilities written to produce boot sector/partition table viruses.

There are a few known viruses which can infect .COMs, .EXEs, Boot Sectors, and Partition Tables at any given time, although they are quite rare. This type of virus is called multi-partit.(^5) Other combination infectors do exist.

The rarest of all virus types is the .SYS Infector. This virus type was only recently realized, and developed by virus author Dark Angel, of Phalcon/SKISM. The only virus of its type released at this time is called SYS INF , written by Dark Angel. This virus demonstrated that there are far more types of executable files on a system than one would normally consider.

Burger also maintains that a virus must recognize itself in another file, and avoid re-infection, or it is not a genuine virus.(^6) However, any program possessing all the characteristics of a computer virus is in fact a virus, whether or not enough care was taken in its conception to avoid infecting other copies of itself. More accurately, a virus will probably face extinction unless it takes measures to avoid reinfecting files.

(^5) This term stems from the fact that the virus can infect MULTIple executable file types, and the PARTITion table. Although not a true word, it is used for virus classification.

The ensuing text explores other programs similar to computer viruses, and explains why they are not viruses. At the end, we will be able to compile our results into a good working definition of a computer virus.

Trojan Horses

Trojan horses are programs devised to appear useful, but containing hidden code meant to damage the system on which they're executed.

There are essentially two types of Trojan horses. The first type directly causes damage as soon as it's run. It may or may not appear to do something useful while running its destructive instructions. A good example would be a program which apparently de-fragments the hard drive when, in fact, it is deleting all the files.

The second type is a program which actually does something useful while it secretly inserts damaging

(^6) Burger, R., Computer Viruses and Data Protection, pp. 10, Abacus, 1991