New viruses are appearing with code which is self-protecting, self-encrypting, self-modifying and self-correcting. This makes discovery and removal increasingly hard for the user, and indeed for the anti-virus software programmer. One virus programmer stated the following about his virus MOTHERFISH or WHALE:

"... the Motherfish is not just a virus, it is a virtual living, breathing entity that is capable of teaching itself its pursuers' techniques and then increasing its code level sophistication as its environment becomes increasingly hostile ..." [26]

These claims are largely exaggerated, but they clearly indicate the arrogance and pride that the programmer has in his creation. It should be noted, however, that as yet there is no scanning program capable of identifying this virus, which is of considerable concern to the anti-virus software developers.

Below are descriptions of techniques which have appeared in the more recent viruses:

[1] Self-Encryption

Viruses are appearing which have a pseudo-random encryption routine [26, 27] so that each new copy of the virus consists of an entirely different series of bytes. This makes the code unrecognisable to a scanner looking for a fixed byte pattern. Such viruses have been coined "Armoured" viruses.

Obviously the decryption routine has to be present, and itself unencrypted, so that the virus can be decrypted before execution. Other techniques deal with this weakness, but even without them encryption complicates disassembly and analysis for the anti-virus software developers.

[2] Self-Modifying code

Viruses such as the 1260 [28] (named after its size in bytes) use self-encryption, and in addition they make the decryption routine self-modifying, such that the longest sequence of unchanging bytes is 3. This makes searching for recognisable patterns impossible. This type of virus is often referred to as a 'Chameleon' virus.

[3] Self-Correcting code

Viruses such as the VACSINA (Bulgarian for vaccine) have, incorporated within them, self-correcting Hamming code such that any alteration to the virus of up to 16 bytes will have no effect, as the virus will 'repair' itself [22]. This reduces the probability of mutations appearing due to hacking by second parties.
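To show what a self-repairing Hamming code actually buys, here is an added example (not code from the report, and the report does not say which Hamming variant VACSINA carried): a Hamming(7,4) encoder and repair routine over a constructed byte payload, including the case that exceeds its single-flip-per-codeword limit.

```python
# Added example (not from the report): Hamming(7,4) self-repair. Each 4-bit
# nibble is stored as a 7-bit codeword; the syndrome names the position of a
# single flipped bit, so one flip per codeword is undone silently. Two flips
# in one codeword are beyond the code and are silently mis-corrected.

def encode_nibble(d: int) -> int:
    """Return the 7-bit codeword (positions 1..7 = p1 p2 d1 p3 d2 d3 d4)."""
    d1, d2, d3, d4 = (d >> 3) & 1, (d >> 2) & 1, (d >> 1) & 1, d & 1
    p1, p2, p3 = d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d2 ^ d3 ^ d4
    bits = [p1, p2, d1, p3, d2, d3, d4]
    return int("".join(map(str, bits)), 2)


def decode_word(w: int) -> tuple:
    """Return (nibble, syndrome); syndrome is the corrected bit position, or 0."""
    bits = [(w >> (6 - i)) & 1 for i in range(7)]        # bits[0] is position 1
    p1, p2, d1, p3, d2, d3, d4 = bits
    syndrome = (p1 ^ d1 ^ d2 ^ d4) | (p2 ^ d1 ^ d3 ^ d4) << 1 | (p3 ^ d2 ^ d3 ^ d4) << 2
    if syndrome:                                           # one parity group disagrees
        bits[syndrome - 1] ^= 1                            # flip the offending position back
    p1, p2, d1, p3, d2, d3, d4 = bits
    return (d1 << 3) | (d2 << 2) | (d3 << 1) | d4, syndrome


def protect(body: bytes) -> list:
    """Two codewords per byte: high nibble first, then low nibble."""
    return [cw for b in body for cw in (encode_nibble(b >> 4), encode_nibble(b & 0xF))]


def repair(words: list) -> tuple:
    """Rebuild the body, returning (bytes, number_of_codewords_corrected)."""
    out, fixed = bytearray(), 0
    for i in range(0, len(words), 2):
        (hi, s1), (lo, s2) = decode_word(words[i]), decode_word(words[i + 1])
        fixed += (s1 != 0) + (s2 != 0)
        out.append((hi << 4) | lo)
    return bytes(out), fixed


if __name__ == "__main__":
    body = b"CONSTRUCTED SAMPLE BODY"                      # constructed payload
    words = protect(body)
    words[0] ^= 0b0000100                                 # flip position 5 of codeword 0
    words[7] ^= 0b1000000                                 # flip position 1 of codeword 7
    print(repair(words))                                  # (b'CONSTRUCTED SAMPLE BODY', 2)
    words = protect(body)
    words[0] ^= 0b0000011                                 # two flips in one codeword
    print(repair(words)[0] == body)                       # False: beyond the code's limit
```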

[4] Clandestine Memory Allocation

Viruses of the 'parasitic-resident' type require a copy of themselves to remain in memory. New viruses are appearing which avoid the obvious methods of doing this so that they are more difficult to detect [22]. Examples include:

[i] EDDIE directly manipulates the memory control blocks.

[ii] 666 [20] (The Number of The Beast virus) uses the first DOS disk

[5] Surviving the High Level Format

Boot sector viruses such as NEW ZEALAND B are not destroyed by the DOS FORMAT instruction. In order to remove this virus one must perform a low level format of the disk in question, since that process overwrites the Master Boot Sector in which the virus resides.

[6] Surviving a Warm Boot

The JOSHI virus re-vectors the INT 9H DOS software interrupt so as to trap the <ctrl><alt><del> (warm boot) key sequence, ensuring that it remains intact through the subsequent boot sequence.

[7] The Anti-Virus Virus

The YANKEE virus [29] contains code to search for the viruses ITALIAN [9] and CASCADE [9]. On finding either of these, YANKEE will remove it: write a virus to catch a virus!

The programmer's reason for this insertion seems to be to remove older generation viruses which are 'clogging up' the system and replace them with a new 'improved' one. As virus infection spreads this may prove to be a required feature of a virus: they will be so prolific that they literally have to fight each other for control.

[8] The Anti-Anti-Virus Virus

As mentioned previously, the 2000 byte variant of the DARK AVENGER virus specifically targets anti-virus software produced by a software developer in Bulgaria [22]. This may be only the beginning: viruses could be designed to disable, bypass or destroy such software. A war has been waged between virus writers and the anti-virus software writers, and there is no reason to suppose the virus writers won't play dirty!

[9] Multi-Partite Viruses

Viruses are appearing which are able to spread by infecting both the boot sector and program files. This type of virus, if loaded into memory from an infected boot sector, will infect programs as they are executed. If, however, the virus is activated by the execution of an infected program, then it checks whether the virus is already active in memory. If it is not, the virus first installs itself into memory and then attempts infection of the boot sector. The FLIP MS-DOS virus [30] is an example of this type.

[10] Random Insertion Virus

Viruses are normally expected to attach themselves either to the beginning or to the end of the file they infect. An IBM virus exists which chooses a pseudo-random point, derived from the machine's timer, as the offset within the file at which to place its code. This makes scanning particularly difficult as the offset for the

[11] No Increase in Filesize after Infection

One problem the virus writer had to solve in order to avoid his virus being detected was that a virus requires disk space to store its code. This space must be safe from overwriting by the operating system and yet not appear obvious on examination of the directory entries [22]. In general virus writers attempted to keep their viruses as small as possible to reduce the likelihood of detection, but this was not sufficient against checking by anti-virus programs.

The '666 - Number of the Beast' MS-DOS virus [20] manages to attach itself to a .COM file with no increase in length whatsoever. It does this by finding files which are between 512 bytes and 64K bytes long with at least one free sector between the end of the file and the end of the last allocated sector. The reason this is possible is that, under MS-DOS, all disk space is allocated in multiples of fixed quanta known as clusters. These clusters are a whole number of sectors, the number depending on the size of the disk or disk partition. Sectors themselves are 512 bytes in length, although this value is theoretically variable. For example, if a file is 300 bytes long and the cluster size for the disk is 2 sectors, then the file occupies 2 sectors on disk even though the latter part of the first sector and the whole of the second sector are empty. Thus any user or anti-virus program will fail to detect the virus unless the actual content of files is inspected. The cluster size is dependent on the size of the disk partition: the larger the partition, the greater the cluster size. Therefore the larger the partition, the greater the number of files there will be which do not occupy their full allocation of space and can be infected. Also, with increased cluster size, small files will leave larger areas of unused space, allowing larger viruses to make use of this method.
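The cluster arithmetic above, worked through as an added example (not code from the report): it reproduces the 300-byte file on a 2-sector-per-cluster disk, lists which directory entries fall in the size window the text gives for 666, and, as the defender's counterpart, checks the bytes past end-of-file in a file's last cluster instead of trusting the directory entry. All file names, sizes and cluster images are constructed.

```python
# Added example (not from the report): MS-DOS cluster slack and a slack check.
SECTOR = 512            # bytes per sector, the default the text quotes
MAX_TARGET = 64 * 1024  # upper bound of the size window described for 666


def allocation(file_size: int, sectors_per_cluster: int) -> dict:
    """Bytes actually reserved for a file and how much of that holds no file data."""
    cluster = SECTOR * sectors_per_cluster
    clusters = -(-file_size // cluster)          # ceiling division; 0 for an empty file
    allocated = clusters * cluster
    slack = allocated - file_size
    return {"clusters": clusters, "allocated": allocated, "slack": slack,
            "free_sectors": slack // SECTOR}     # whole sectors with no file data at all


def files_to_inspect(entries, sectors_per_cluster: int) -> list:
    """Names in the window the text gives (512..64K bytes, inclusive here by
    assumption) with at least one entirely free sector in the last cluster."""
    return [name for name, size in entries
            if SECTOR <= size <= MAX_TARGET
            and allocation(size, sectors_per_cluster)["free_sectors"] >= 1]


def slack_is_clean(file_size: int, sectors_per_cluster: int, last_cluster: bytes) -> bool:
    """True when every byte past the file's end in its final cluster is zero.
    A directory listing cannot reveal code placed there; reading the cluster can."""
    cluster = SECTOR * sectors_per_cluster
    used = file_size - (allocation(file_size, sectors_per_cluster)["clusters"] - 1) * cluster
    return not any(last_cluster[used:])


if __name__ == "__main__":
    # The text's own example: a 300-byte file on a disk with 2 sectors per cluster.
    print(allocation(300, 2))   # 1 cluster, 1024 bytes allocated, 724 slack, 1 free sector
    listing = [("tiny.com", 300), ("mid.com", 2200), ("full.com", 1024), ("big.exe", 70000)]
    print(files_to_inspect(listing, 2))                # ['mid.com']
    image = bytearray(b"A" * 300) + bytearray(724)     # constructed cluster image, slack zeroed
    print(slack_is_clean(300, 2, bytes(image)))        # True
    image[512:515] = b"\xE9\x00\x00"                   # constructed: bytes written past EOF
    print(slack_is_clean(300, 2, bytes(image)))        # False
```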

[12] 'Stealth' Techniques

As anti-virus programs became more sophisticated and more abundant, some virus writers retaliated with viruses which went to considerable lengths to evade detection, and the result is the 'stealth' virus [10, 26].

A virus can often be detected by viewing the contents of the infected file. Memory resident viruses have found a way around this problem. If a virus is resident in memory then it can intercept a request to view an infected sector and redirect it to the place where the virus has carefully saved the original uninfected sector.

An example of this is the 4K Virus, another MS-DOS 'new generation' virus, which intercepts the INT 21 function 14H (sequential read), function 21H (random record read) and function 27H (random block read). If the request corresponds to a read from the start of an infected file where the virus is stored, then the virus returns the original contents as they were before infection. The Read function (3FH) operates in much the same way: the virus disinfects the file as it is read, so it appears unmodified. The Write function (40H) is also altered so that when writing to an infected file it is disinfected, only to be re-infected on closing. This virus also uses an alternative method to avoid the sizes of infected files changing and alerting the user. This method works only when the virus is memory resident: all functions which return the file size, such as function 23H (File size), function 11H (find first matching file) and function 4EH (find first), have their reported file size decremented by 4K, the size of the virus. Also function 42H (Lseek) is intercepted so that when a program seeks to the end of an infected file, the reported value of the file pointer is decremented by 4K.

The MS-DOS boot sector virus JOSHI [26] also adopts these techniques. It intercepts any attempt to read, write or verify the Master Boot Sector and redirects it to the original uninfected version.

To summarise, if you are infected by a stealth virus then it may circumvent many of the anti-virus products available today. As the data within a file, once read into memory, will be identical whether the disk version is infected or not, many programs will fail to identify the virus's presence. If the system is booted from a virus-free disk then, as the virus will not be resident in memory, many of the stealth features will not be active and detection is more likely.
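The clean-boot comparison the summary recommends, as an added example (not code from the report): a cross-view check that compares file sizes and digests recorded on the running system with those recorded after booting from a clean disk, and flags the 4K discrepancy the 4K virus produces. The file names, contents and sizes are constructed; the live view is built directly as data rather than by hooking anything.

```python
# Added example (not from the report): cross-view integrity check for stealth
# viruses. "live" is what a scanner sees while the suspect system is running;
# "clean" is taken after booting from a known-clean disk, where no resident
# virus can filter the answers. All names, contents and sizes are constructed.
import hashlib

KNOWN_STEALTH_DELTA = 4096   # the 4K virus decrements reported sizes by its own length


def file_view(contents: dict) -> dict:
    """name -> (size, sha256 hex) computed from the raw bytes of each file."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in contents.items()}


def compare_views(live: dict, clean: dict) -> list:
    """Report every file whose live-system view disagrees with the clean-boot view."""
    findings = []
    for name in sorted(set(live) | set(clean)):
        if name not in live or name not in clean:
            findings.append((name, "present in only one view"))
            continue
        (live_size, live_hash), (clean_size, clean_hash) = live[name], clean[name]
        if live_size != clean_size:
            delta = clean_size - live_size
            note = f"reported size differs from clean-boot size by {delta} bytes"
            if delta == KNOWN_STEALTH_DELTA:
                note += " (equal to the 4K virus' hidden length)"
            findings.append((name, note))
        elif live_hash != clean_hash:          # same length, so only the digest tells
            findings.append((name, "same size but different contents"))
    return findings


if __name__ == "__main__":
    original = b"ORIGINAL PROGRAM BYTES" * 10              # constructed clean program
    on_disk = original + bytes(4096)                        # constructed: 4K appended
    clean = file_view({"editor.com": on_disk, "intact.com": b"X" * 50})
    # A resident stealth virus hands the scanner the pre-infection bytes and size,
    # so the live view of editor.com looks exactly like the original file.
    live = {"editor.com": file_view({"editor.com": original})["editor.com"],
            "intact.com": clean["intact.com"]}
    for name, note in compare_views(live, clean):
        print(name, "->", note)
```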

[13] Disabling User Alerts

Another way to prevent anti-virus programs from informing the user of a virus is implemented in the 666 virus [20]: it re-vectors INT 24H, which is the Fatal Error Handler. The result of this is that any error reporting is disabled. The virus may then attempt to infect a floppy disk, for example, and should no disk be present, the user would not be informed of the attempt unless the hardware disk activity light was noticed.

[14] Inter-Virus Co-operation

Viruses exist which contain knowledge of other viruses, and their mutual existence may trigger certain co-operation between the two. For example the ANTHRAX virus (MS-DOS), a boot sector virus, leaves an extra copy of itself on the last track of the infected disk. If the disk is subsequently disinfected and later infected with the 2100 Bulgarian virus (MS-DOS), then this virus will detect the extra copy of ANTHRAX and reactivate the dormant code, causing the re-infection of the boot sector.

[15] Generation Code

The WHALE virus creates new generations of itself. It does this by scrambling the order of the subroutines within itself and changing both the encryption 'lock' and 'key'. It thus creates a new version of itself, entirely dissimilar to the parent, which it places in the file being infected.

1.5: VIRUS CASE EXAMPLES

Every major computer manufacturer in the U.S.A. admits that its machines have sustained attacks. Most of them have publicly stated that these attacks have been successful and that no solution currently exists. Examples include:
