[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Encrypting Viruses.... good idea?
-----BEGIN PGP SIGNED MESSAGE-----
>Speaking of cryptostacker and beneficial viruses that encrypt files for you
>in the background, I just got a copy of one in the mail! I think this may
>be of interest to the group, so I am posting.
>I can't seem to find mention of what the fast/casual encryption algorithm
>is. Instead of source code, a hex listing is provided. According to
>further notes, there is a hot-key for toggling floppy encrypt, and another
>hot key to uninstall from the hard drive.
>All the same, if I get a chance this weekend I'll probably try it
Well, good luck with it. I'd personally like to see/do a disassembly
of the _entire_ virus before I would install it - security systems are great
for back doors, and a virus would be GREAT for such. There are a few things
anyone using this program might want to watch for (I have yet to see it,
though I'd be VERY interested in disassembling it.... anyone out there
with a copy that wouldn't mind sending it _ENCRYPTED_ through E-mail?
Full commented disassembly returned to sender ASAP!):
1.) Some anti-virus programs with heuristics are going to have a
cow, most likely - CES, F-PROT, TBSCAN are a few that are likely
(especially VIRSTOP from F-Prot - if I'm wrong, tell me...)
and these are some of the best out there for personal protection
(sorry SCAN & CPAV).
2.) I'd recommend NOT using it if you have a special master boot
record, like Windows NT or some boot-based security systems
or multiple boot choices. There are 9 sectors free at the
beginning of most IBM hard drives, I assume this virus uses
the first sector and 1/more of the others..... if another
program wants to use these as well - I'd bet the virus doesn't
notice until too late.
3.) Watch where the virus puts itself on floppies. If it is larger
than 512 bytes (almost have to be for its functionality) then
there are only three ways I know of to put additional code in:
a.) Mark sectors bad, and place code there.
Problem: DON'T "FIX" BAD SECTORS ON YOUR DISK WITH NORTON!
b.) Use space after root directory entry and FAT to put virus
in, just like the Stoned virus.
Problem: Trashes data if there are more than 80 files in the
root directory. Also sometimes causes other
problems with High-Density disks....
And, if a new format of disk comes out - WATCH OUT!
c.) Format extra tracks on the floppy - these tracks are rarely
very reliable - you might loose information if these
tracks give out, depending on the setup of the virus you
might loose the disk.
d.) This method I haven't seen, but I guess it could happen -
create an actual file and allocate it from the FAT....
this might actually be safe, as long as the virus didn't
let anyone delete it or write over it.
4.) Watch where it locates itself in memory: most likely it will
lower the memory in BIOS before DOS gets loaded (CHKDSK will
inform you that you have <640k low memory rather than the
usual 65536 bytes....) which is generally relatively safe if
the computer has a standard config. It may cause problems
depending on where/how/when it allocates memory, though.
5.) What happens when you bypass Int 13h (which is presumably what
it hooks) and use absolute disk I/O by directly using the
driver? Careful with Norton and other diskfix programs
that _might_ do this at times.....
6.) Don't press 'DISINFECT' from your favorite AV program
without decrypting your disks first...........
My bottome line is this: the virus may be cool, but why a virus?
Viruses may work for attacking things, wiping stuff out, hacking stuff,
whatever (although they always tend to hit more than the intended target,
funny thing about that), but when the only user of a machine WANTS to do
something with their machine, why a virus? I mean, honestly...... although
I must admit, it solves the problem of distribution of software in
the most interesting way - I want to see what happens if a commercial
company writes one of these and COPYRIGHTS it......
"This program may only be used by the original purchaser. Any unauthorized
copying, lending, or any other method of distribution is STRICTLY
PROHIBITED! Violators will be prosecuted to the full extent of the law!
You want I should infect this here hard drive? huh? huh? (Y/n)?"
"BTW - if you're reading this message and did not buy this software, then
we'll be sueing you in two weeks, your modem just dialed our mainframe."
I suppose I may be being a bit judgemental, as I am speaking simply from
the letter quoted above, but still...... it sounds very reminiscent of
Fred Cohen's compression virus.....
My Public Key:
- -----BEGIN PGP PUBLIC KEY BLOCK-----
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----