💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › 40HEX › 40hex006 captured on 2022-06-12 at 10:05:24.
-=-=-=-=-=-=-
40Hex Number 6 Volume 2 Issue 2 File 000
Welcome to 40Hex issue 6. If this is your first time reading an issue of
40 Hex, I welcome you, but recommend that you start with an earlier issue.
This issue will have a Virus Spotlite on Creeping Death(Dir-2). It isn't in
the normal Hex Dump format, and it is fully commented.
- Landfill is temporarily down(again!). This is due to several [NuKEd]
hard drive controllers... we are down but NOT out. Hopefully we should be
up within several weeks of the release of this issue. Hellraiser is still
unable to edit the magazine, hopefully next issue he will be back in
charge.
- I think we must discuss one problem. Recently, we have been verbally
"attacked" by some lamers in the virus scene who like to jerk off on
Fidonet. To clear up the issue at hand, we personally don't use all of
the methods found in the articles. For example, we don't sit around all
day and PKLite infected files and then remove the PKLite header. We let
you people do it. As a matter of fact, we made it a hell of a lot easier
due to this month's article called NoLite. No self-respecting virus
group would do it. Not everyone that reads this magazine is a virus
programmer, but wants to learn. Ya gotta start somewhere. Another person
who has been insulting us on FidoNet is Sara Gordon. I do not know the
whole story behind her hatred, but I know it stems from a phone
conversation between her and Hellraiser. From what I understand, they
disagreed on many topics, and HR may have gotten insulting (I don't
know the whole story)
- Anyone that would like to submit articles feel free to do so, as long as
what you write is not stolen from another source and is of good quality.
If you would like to write articles contact any PHALCON/SKISM member or
upload them to either Digital Warfare or PHUN LINE.
40 Hex Mag Issue 6
April 1992
The Contents
File 000.............................You Are Here
File 001.............................Finding anti-viral programs in memory
File 002.............................Code Concealing: Part I
File 003.............................More Busts and Updates
File 004.............................The NoLite Utility
File 005.............................PHALCON/SKISM Update
File 006.............................Some Dick who wants to bust virus authors
File 007.............................The Kennedy Virus
File 008.............................Cornell students nailed for viruses
File 009.............................The Truth Behind Virus Scanners
File 00A.............................Virus Spotlite-Dir2 Full commented source
File 00B.............................Scan strings, and how to avoid them
File 00C.............................!Virus Contest!
Our Members: Axiom Codex(*)-(Sysop of PHUNLINE)
Count Zero(*)-(Hacker, Amiga Programmer, Master of 150#)
CRoW MeiSTeR(K)-(Sysop of Crow Tech., Goob)
Dark Angel-(Programmer, Master Chef)
DecimatoR(*)-(Sysop of Digital Warfare, Programmer)
Demogorgon-(Hacker, Programmer)
Garbageheap-(Fearless Leader, Sysop of LandFill, Programmer)
Hellraiser-(Fearless Leader, Programmer)
Instigator(*)-(Terry Oakes' butt-buddy, 40 Hex writer)
Joshua Tower-(Electronics, MonkeyWrenching)
Lazarus Long-(Programmer)
Night Crawler-(Courier, Keeper of All Virii)
Orion Rogue-(Rouge?, named us, then laid back, and relied on name)
Paragon Dude-(Macintosh Progammer(lonely))
Renegade(*?)-(Hacker, Macintosh Programmer)
Time Lord(*)-(Sysop of USSR Systems)
(*)-Denotes persons who should avoid bending over for the soap,
and invest in large quantities of KY Jelly.
(K)-Denotes persons who should get KY Jelly anyway.
(*?)-Denotes persons who came too close, and wisely backed off
and also saved a fortune on KY Jelly.
Special Goodbye's to:Piff'(Sorry ya had to quit)
Greets to: Attitude Adjuster, Dekion, Loki, [NuKE], Suicidal Maniac, and our
readers (do we have any?!?!?)
P.S. The transcript of the Alliance mentioned in last issue will NOT be
released in this issue. This issue is just too damned packed to add another
large file. It will be put into 40Hex-7, if we aren't in jail.
-)GHeap
40Hex Number 6 Volume 2 Issue 2 File 001
-------------------------------------------------------------------------------
Memory Resident Anti-Virus Detection
and Removal
-------------------------------------------------------------------------------
Here is a list of ways to see if anti-viral utils are present in memory.
I got the list out of PC interupts, a book by Ralph Brown. Here they are:
F.-DRIVER.SYS (Part of the F-Protect virus package by Fridrik Skulason.)
This program "grabs" the INT 21 monitoring code, if it was not
already taken by another program.
INT 21h, Function 4Bh, Sub Function EEh
AX must = 4BEEh at call, and call returns AX=1234h if F-Prot
sucessfully grabbed INT 21, and AX=2345h if the grab failed.
F-DLOCK.SYS (A HD access restrictor, part of F-Protect Package)
Call INT 2Fh, Funct. 46h, SubFunct 53h
At call, AX must = 4653h, CX=0005h, BX= 0000h
If present in ram, AX will return FFFFh. To uninstall, call
with AX & CX the same as above, but BX= 0001h. AX, ES, & BX
will be destroyed.
F-LOCK.EXE (Part of F-Protect package, looks for "suspicious" activity)
INT 2Fh, Funct 46h, SubFunct. 53h
To call: AX = 4653h, CX=0002h, BX=0000h (installation check)
BX=0001h (uninstall)
BX=0002h (disable v1.08 & below)
BX=0003h (enable v1.08 & below)
Call returns AX=FFFFh if installed ( BX=0000h at call)
AX, BX, and ES destroyed, if uninstalled (BX=0001 at call)
F-POPUP.EXE (Pop up menu for F-Protect)
INT 2Fh, Funct. 46h, SubFunct. 53h
To call: AX=4653h, CX=0004h, BX= 0000h, 0001h or 0002h
(See above - BX same as F-Lock)
Returns: Same as F-LOCK.EXE
F-XCHK.EXE (Prevents execution of any progs which don't have self-checking
code added by F-XLOCK)
INT 2Fh, Funct. 46h, SubFunct 53h
To Call: Registers = same as F-Popup, except CX=0003h, and
BX = 0000h (installation check) or 0001h (uninstall)
Returns: same as F-LOCK, above.
TBSCANX (Resident Virus scanning Util by Frans Veldman)
INT 2Fh, Function CAh, SubFunct 00h
Call: AX=CA01, BX=5442h ("TB")
Returns: AL=00h if not installed, AL=FFh if installed
BX=7462h ("tb") if BX was 5442h during call
INT 2Fh, Function CAh, Subfunction 02h (Set state of TBSCANX)
Call: AX=CA02h, BL = new state (00h=disabled, 01h=enabled)
VDEFEND (Part of PC-tools. Works on v7.0)
INT 21h, Function FAh
To call: AH=FAh, DX=5945h, AL=subfunction (01h to uninstall)
returns: CF set on error, DI = 4559h (?)
DATAMON (PC Tools 7.0 file protection)
INT 2Fh, Funct 62h, Sub Funct 84h
Call: AX=6284h, BX=0000h (for installation check), CX=0000h
Returns: AX=resident code segment, BX & CX = 5555h
Flu Shot, or Virex PC
INT 21h
Call: AX=0ff0fh
Returns if either is installed: AX=101h
If anyone has any more Anti-Viral IDs, post 'em on Digital Warfare and I'll
update this list.
---DecimatoR PHALCON/SKISM
40HEX_6_002 SEGMENT PUBLIC 'code'
ORG 100H
ASSUME CS:CODE,DS:CODE,SS:CODE,ES:CODE
;******************************************************************************
Concealment: Keep Your Code Hidden From Prying Eyes
by Demogorgon/PHALCON/SKISM
Recently, I have been experimenting with a few new programming techniques
that should be of great interest to the virus writing community. It is always
our top priority to keep our code out of the hands of lamers in order to
prevent the dreaded 'text change' and above all, to cause the anti-virus
community as much grief as possible. In order to do this, we must put a great
deal of effort into concealing our code. That is the focus of this article.
This file is divided into two parts. The first part is devoted to developing
'debug resistant' code, and the second part deals with defeating disassemblers.
I will not cover encryption, because methods of encryption are commonly known
and there is really not much further I can go with that. For a complete review
of self encryption methods, take a look at Dark Angel's Funky Virus Writing
Guide (number three, the one that hasn't been released yet.)
Part_I: The debugger is NOT your friend
The basic idea behind writing debug ressistant code is finding a way to
make your code behave differently when it runs under a debugger. With a real
mode debugger, this is simplicity itself. All that is necessary is a little
knowledge of how a debugger works. A debugger, such as debug or TD traces
through a program by setting handlers to int 1 and int 3. These are called
after every instruction is executed. A virus that wishes to avoid being
debugged can simply replace the handlers for these interrupts, and the results
will be just about whatever you want. Here is some code to do this:
eat_debug:
push cs
pop ds
mov dx, offset eat_int
mov ax,2501h
int 21h
mov al,03h
int 21h
... ; rest of code
eat_int: iret
As you can see, this requires minimal space in your code, and is certainly
worth the effort. You can experiment by placing something else at 'eat_int'.
Another commonly used tactic is to disable the keyboard interrupt while certain
parts of the code are being executed. This will surely keep lamers baffled,
though a pro would recognize what was going on immediately. I am sure McAfee's
programmer's scoff at code such as this. Also note that while this will defeat
the average real mode debugger, any protected mode debugger will step through
this as if it weren't there. Playing with interrupts will not help you when
your program will be running in a virtual cpu anyway. One method I found which
will work nicely against td386 is to throw in a hlt instruction. This will
give TD an exception 13 error, and terminate the program. Anyone who is aware
of this will just step over a hlt instruction, so therefore methods must be
used to conceal its presence, or to make it a necessary part of the code. This
will be covered in part II.
Another trick you can play is to call int3 within your program. If
someone tries to run your program under a debugger, it will stop each time int3
is called. It is possible to trace through it, but it will be annoying if
there are many int3's thrown in.
Part_2: Kill your disassembler
No matter how well you mess up debuggers, your program is entirely at the
mercy of a programmer armed with a good disassembler. Unless, of course, you
use techniques that will confuse disassemblers. My favorite method for
baffling them is to create code that overlaps. Overlapping code may seem a
little bit too complicated for most of us at first, but with the knowledge of a
few instruction hex translations, you too can make effective overlapping code
without sacrificing too much code size. Overlapping code can get as complex as
you would like, but this file will only deal with the simplest examples.
eat_sr: mov ax,02EBh
jmp $-2 ; huh?
... ; rest of code
This may confuse you at first, but it is fairly simple. The first instruction
moves a dummy value into ax. The second instruction jmps into the value that
was just moved into ax. '02EB' translates into 'jmp $+2' (remember that words
are stored in reverse). This jump goes past the first jmp, and continues on
with the code. This will probably not be sufficient to defeat a good
disassembler like Sourcer, but it does demonstrate the technique. The problem
with this is that Sourcer may or may not just pick up the code after commenting
out the 'jmp $-2'. It is difficult to predict how Sourcer will respond, and it
usually depends on the bytes that appear directly after the jmp. To severely
baffle Sourcer, it is necessary to do some stranger things. Take a look at
this example.
erp: mov ax,0FE05h
jmp $-2h
add ah,03Bh
... ; rest of code
This code is quite a bit more useful than the previous listing. Let us
simulate what would happen if we were to trace through this code, showing a hex
dump at each step to clarify things.
B8 05 FE EB FC 80 C4 3B mov ax,0FE05h ; ax=FE05h
^^ ^^ ^^
B8 05 FE EB FC 80 C4 3B jmp $-2 ; jmp into '05 FE'
^^ ^^
B8 05 FE EB FC 80 C4 3B add ax,0EBFEh ; 05 is 'add ax'
^^ ^^ ^^
B8 05 FE EB FC 80 C4 3B cld ; a dummy instruction
^^
B8 05 FE EB FC 80 C4 3B add ah,3Bh ; ax=2503h
^^ ^^ ^^
The add ah,03Bh is there simply to put the value 2503h into ax. By adding
five bytes (as opposed to simply using 'mov ax,2503h') this code will confuse
disassemblers pretty well. Even if the instructions are disassembled properly,
the value of ax will not be known, so every int call after this point will not
be commented properly, as long as you never move a value into ax. You can
conceal the value from the disassembler by using 'add ax' or 'sub ax' whenever
possible.
If you examine this closely, you can see that any value can be put into
ax. Two of the values can be changed to whatever you want, namely the FE in
the first line, and the 3B in the last line. It is helpful to debug through
this chunk of code to determine what values should be placed here in order to
make ax what you would like it to be.
Back to the subject of killing debuggers, it is very sneaky to hide
something like a hlt instruction inside another instruction, such as a jmp.
For example, take a look at this:
glurb: mov cx,09EBh
mov ax,0FE05h ;-\
jmp $-2 ; >--this should look familiar to you
add ah,03Bh ;-/
jmp $-10
... ; rest of code
The three lines in the middle are a repeat of the previous example. The
important part of this code is the first line and the 'jmp $-10'. What happens
is, the jmp goes back into the 'mov cx' instruction. The '09EB' translates
into 'jmp $+9'. This lands in the '$-10' part of the first jmp. The $-10 just
happens to be stored as 0F4h, the hlt instruction. By making the hlt part of
another instruction, it is not visible when it is being traced through by
td386. It is also not possible to remove it without altering the code.
The purpose of this article is not to supply code to be thrown into your
own programs. The purpose is to get you to think about new ways to avoid
having your code looked at and modified by others. The most important thing is
to be original. It is pointless for you to simply duplicate this code, because
anyone else who has read this file will already know what you are trying to do.
code ENDS
END concealment
40Hex Number 6 Volume 2 Issue 2 File 003
Well, there have been plenty of busts in 1992 so here is the run down
to the best of my knowledge for anyone who is interested:
Asphi: Busted by MCI on January 20 for hacking on 476's. Had to pay $2700 for
the phone calls he made. From what I found out MCI Wants to nail him to
the wall. Charges include: Unlawful use of a computer, Credit Card
Fraud, Theft of Services, Criminal Conspiracy and some more I can't
think of, 10 or so total. And of course they took his system. He is
going to have a trial, but a date has not yet been set.
Axiom Codex: Billed $2000 for equal access codes.
Cold Steel: Billed $40.00 for 476's
Count Zero: Yet another that got nailed for 476's. Billed $86.63 and had to
tell his parents.
Deathblade: Billed $100 for 476's.
Dekion: Also nailed for 476's. Not sure if he will be charged. Billed
somewhere between $100 - $1000.
Genghas Khan: Nailed for CBI and for 733's. Not sure about what will happen
to him, but I heared from his friend that he is really screwed.
Instigator: I got nailed in the 476 ring too. They took my system but gave
it back. I got billed for $1970.17. I got charged with 1 count
of Theft of services. They dropped the other 8 charges. I am
going to be on informal probation for a short period.
Marauder: Raided last year by GBI, they took his computer equipment and
never gave it back. They finally decided to charge him with
some misdemeanors.
Netrunner: Billed $100 for 476's.
Terminal: Arrested same time as Genghas Kahnvict. He is NOT a minor...
VenoM: 476's again. Billed $75.00 and had to tell his parents.