💾 Archived View for spam.works › mirrors › textfiles › virus › funpiv2.cvp captured on 2023-06-16 at 21:02:42.
-=-=-=-=-=-=-
FUNPIV2.CVP 911006
Viral code insertion
There are four ways to attach code to an existing program:
overwrite existing program code, add code to the beginning of the
program, add code to the end of the program and not add code to the
existing program.
Overwriting viral programs are a very simplistic answer to the
problem of how to add code to an existing program without changing
the file size. By simply overlaying code which is already on the
disk, the original size remains unchanged. There are a few
problems with this approach.
The first is the problem of how to get the virus "called" when the
infected program is run. If the code is just inserted anywhere, it
may not be in a part of the program that gets used every time the
program is run. (Every programmer is aware of the Pareto
Principle's application here: 20 percent of the code does 80
percent of the work. Some code never gets called at all.) It is
possible, by an analysis of the code of the target program, to find
an "entry point" which is used extensively. It is also possible,
and a lot easier, to place a jump at the beginning of the program
which points to the viral code.
The second problem is much more difficult to deal with. If the
virus code overwrites existing portions of the program code, how do
you know the loss of that program code is not fatal to the target
program? Analysis of this type, on the original code, would be
very difficult indeed. "Successful" overwriting viri tend to be
short, and to look for extensive strings of NUL characters to
replace. (The NUL characters tend to be used to "reserve" stack
space, and thus are not vital to the program.) Even if the
original code is not vital to the program, it may, if replaced,
cause the program to exhibit strange behaviours, and thus lead to
detection of the viral infection.
Thus, while overwriting viri solve the problem of file size, they
bring with them some inherent problems which appear, at this time,
to severely limit their effectiveness "in the wild". To this date,
while many overwriting viri have been written, none have enjoyed
great "success", or become a widespread and major problem.
(The Zen-like nature of the opening paragraph will be explained in
future columns.)
copyright Robert M. Slade, 1991 FUNPIV2.CVP 911006