The Dread Pirate Roberts 

Mar 15, 2007 03:00 AM

Pop quiz. What do all of these viruses have in common?

- Shrug (2001)
- OU812 (2001)
- Chthon (2002)
- EfishNC (2002)
- Gemini (2002)
- EfishNC.B (2002)
- JunkMail (2002)
- Pretext (2002)
- EfishNC.C (2002)
- Conscrypt (2003)
- Croissant (2003)
- JunkHTMail (2003)
- Shrug!IA64 (2004)
- Shrug!AMD64 (2004)
- Shrug!IA32/AMD64 (2004)
- Macaroni (2005)
- Macaroni.B (2005)
- Macaroni.C (2005)
- ACDC (2005)
- Charm (2005)
- JunkMail.B (2005)
- Hidan (2005)
- Screed (2006)
- Starbucks (2006)
- Boundary!IA32 (2006)
- Boundary!AMD64 (2006)
- Idiotic (2006)
- MachoMan!IA32 (2006)
- MachoMan!PPC (2006)
- Stutter (2007)

Apparently, they are all written by the same person, a virus writer who goes by the name of roy g biv. (Please note that the names above are the names given by the virus writer.) The question, though, is how likely it is that they were all written by the same person, given that almost every one of them is also a "first of" something, and that together they cover 17 different platforms on four different CPUs in nine different programming languages. Interestingly, most of the techniques have not been used ever again by anyone. I won't give more than brief descriptions of them here; detailed descriptions of the more interesting ones can be found at http://pferrie.tripod.com .

Shrug was the first virus to use the Thread Local Storage callback mechanism to execute code. This technique is now in use by runtime wrappers such as ExeCryptor. It was written in x86 assembler.

OU812 was the first virus to use the Visual Basic language executions to execute code. It was written in x86 assembler.

Chthon was the first virus that is a Windows native executable. It was written in x86 assembler.

EfishNC was an entrypoint-obscuring virus that used a substitution cipher to encrypt itself. It was extremely difficult to detect with good performance. It was written in x86 assembler.

Gemini was the first virus for Windows that used a worker process to prevent its own termination. This technique is very common now, though it exists more commonly in the form of an injected thread. It was written in x86 assembler.

EfishNC.B was a polymorphic version of EfishNC, making it even harder to detect than the original EfishNC.

JunkMail was the first virus that used polymorphic MIME headers. It was able to bypass many gateway scanners because the attachment was often not immediately visible. This technique was used later by the W32/Electron family. It was written in x86 assembler.

Pretext was the first set of script viruses for Windows that prepended themselves to data files and were able to spread from those data files. Traditionally, virus writers used EXE files for this, such as W32/Apove. However, the use of a script in this case allowed the virus writer to insert a comment describing how to resurrect the virus on clean systems. One version was written in VBScript, the other in JScript.

EfishNC.C was the first virus to use a homophonic substitution cipher to encrypt itself. It was even more difficult to detect than the original EfishNC. It was written in x86 assembler.

Conscrypt was the first virus to use a variable skip-code encryption. This was a significant deviation from other script encryption methods, and the highly polymorphic decryptor was difficult to detect without the use of tokenisation. One version was written in VBScript, the other in JScript.

Croissant was the first virus to parasitically infect subroutines within MSIL files without relying on the .NET compiler methods. This was quite a technical achievement, since at the time the file format was almost entirely undocumented. The virus parsed the file, inserted its code, and updated the necessary structures afterwards. It was written in C#.

JunkHTMail was the first virus to make use of the self-executing HTML exploit, only two months after disclosure. At that time, it was considered a quick response by a malware author. The virus also extended the capabilities of the JunkMail polymorphic engine. It was written in x86 assembler.

Shrug!IA64 was the first virus that ran natively on the Itanium CPU, and used the same TLS method as the original Shrug. Given the scarcity of Itanium machines at the time, the question remains: how did he do it? An emulator, perhaps? We'll probably never know. It was written in IA64 assembler. The Itanium assembler is quite unlike any other, and the virus code is extremely optimised. It would have taken a long time to write.

Shrug!AMD64 was the first virus that ran natively on the AMD64/EM64T CPU, and used the same TLS method as the original Shrug. It appeared even before the retail AMD64/EM64T Windows platform was released. It was written in x64 assembler.

Shrug!IA32/AMD64 was the first virus that could cross-infect Windows files on the IA32 and AMD64/EM64T CPUs. It was more than a combination of the original Shrug and the AMD64/EM64T version, since each part can infect files for either CPU. It was written in a combination of x86 and x86-64 assembler.

Macaroni was the first virus to infect both Office applications and scripts using the same code. It was also the first virus to support that many Office applications. The .A and .B variants were written in VBScript. One version of the .C variant was written in VBScript, the other in JScript.

ACDC was the first virus to achieve cross-platform execution of VBScript and JScript. Of course there are other cross-platform viruses, usually of the BAT/xx type, since the BAT parser is so forgiving about unrecognised content. To combine two types of scripts, though, was considered very unlikely; the thing that we considered the most likely to appear was one that appeared to be in one format but was actually the other, requiring access to the filename in order to know which it was (the problem being that some virus testers rename the files). It was written in a combination of VBScript and JScript.

Charm was the first virus to parasitically infect CHM files. It was written in x86 assembler.

JunkMail.B took the polymorphism introduced by JunkMail to a new level. It was written in x86 assembler.

Hidan was the first virus that is an IDA plug-in. It was written in x86 assembler.

Screed was the first virus to use the Microsoft Script Encoder to dynamically produce polymorphic code. One version was written in VBScript, the other in JScript.

Starbucks was the first virus for the StarOffice platform. The first attempt for that platform, SB/Stardust, written by Necronomicon, displayed syntax errors when executed and could not run at all. Starbucks was written in StarOffice Basic.

Boundary was the first polymorphic virus that ran natively on the AMD64/EM64T CPU. It used a new EPO (entrypoint-obscuring) method. It was written in x86-64 assembler.

Idiotic was the first single-component virus that is an IDC script. It was written in IDC script.

MachoMan!IA32 was the first virus that parasitically infected Mac OS X x86-format files properly (not using forks). It was written in x86 assembler.

MachoMan!PPC was the first virus that parasitically infected Mac OS X PPC-format files properly (not using forks). It was written in PPC assembler.

Stutter was the first virus for Windows that used block polymorphism at the instruction level. It was written in x86 assembler.

Wow, that's a lot. Now anyone familiar with the random number generator that these viruses use, the Mersenne Twister, knows that it uses self-modifying code. For that reason, the virus can only be placed into a writable section, or it must allocate memory on its own. How then to explain the bug in Stutter, which neither sets the writable bit in the section header nor allocates its own memory? If the virus infects a file whose last section is read-only, the virus will simply crash during its initialisation phase. That's evidence in favour of multiple people, unless we suppose that someone had a temporary brain malfunction.
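The two file-format details this post leans on, the writable bit in a PE section header (the Stutter bug) and the TLS directory whose callbacks run before the entry point (Shrug, and packers such as ExeCryptor), are exactly the fields an analyst checks first when triaging a suspect Windows executable. The following is an added example, not code from the original post and not derived from any of the viruses it describes: a minimal PE header parser that reports writable-and-executable sections, whether the last section is writable, which section holds the entry point, and whether a TLS directory is present. The flag constants come from the PE/COFF specification; the sample header set is constructed in memory for the demonstration and is not a runnable program.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics flags (from the PE/COFF specification)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the data directory
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_pe(data):
    """Parse just enough of a PE image to reason about sections and TLS."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    # The data directory follows the fixed optional-header fields: 96 bytes in
    # PE32, 112 in PE32+. NumberOfRvaAndSizes is the 4 bytes just before it.
    dir_off = opt + (96 if magic == PE32_MAGIC else 112)
    num_dirs = struct.unpack_from("<I", data, dir_off - 4)[0]
    tls_rva = tls_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_TLS:
        tls_rva, tls_size = struct.unpack_from(
            "<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    sections = []
    sec_off = opt + size_of_optional  # section table starts after the optional header
    for i in range(num_sections):
        (name, vsize, vaddr, _raw_size, _raw_ptr, _relocs, _lines,
         _nrelocs, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": vaddr, "size": vsize, "characteristics": chars})
    return {"entry_rva": entry_rva, "tls_rva": tls_rva,
            "tls_size": tls_size, "sections": sections}


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["rva"] <= rva < s["rva"] + max(s["size"], 1):
            return s["name"]
    return None


def assess(pe):
    """Static indicators an analyst would triage; none alone proves infection."""
    secs = pe["sections"]
    last = secs[-1] if secs else None
    entry_section = section_for_rva(secs, pe["entry_rva"])
    return {
        "has_tls_directory": pe["tls_rva"] != 0 and pe["tls_size"] != 0,
        "entry_section": entry_section,
        "entry_in_last_section": last is not None and entry_section == last["name"],
        "last_section_writable": last is not None
            and bool(last["characteristics"] & IMAGE_SCN_MEM_WRITE),
        "writable_executable_sections": [
            s["name"] for s in secs
            if s["characteristics"] & IMAGE_SCN_MEM_WRITE
            and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE],
    }


def build_sample_pe(sections, entry_rva, tls_rva=0, tls_size=0):
    """Constructed test data: a minimal PE32 header set with the given
    sections (name, rva, size, characteristics). Not a runnable program."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      PE32_MAGIC, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x4000, 0x400, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_TLS, tls_rva, tls_size)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                size, rva, size, 0x400, 0, 0, 0, 0, chars)
                    for name, rva, size, chars in sections)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + hdrs


if __name__ == "__main__":
    # Constructed sample: the last section has been made writable and executable,
    # the entry point now lies inside it, and a TLS directory has been added.
    sample = build_sample_pe(
        [(".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
         (".rsrc", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                                   | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)],
        entry_rva=0x2010, tls_rva=0x2100, tls_size=0x18)
    for key, value in assess(parse_pe(sample)).items():
        print(f"{key}: {value}")
```

Run on a real file with `assess(parse_pe(open(path, "rb").read()))`. A clean, well-formed binary normally has its entry point in a read-only code section, no section that is both writable and executable, and a TLS directory only when the compiler emitted one; the combination of an entry point in a writable last section with a freshly added TLS directory is worth a closer look, which is the same reasoning the post applies to Stutter in reverse: code that needs to modify itself must live in a writable section or allocate memory, so a W+X section is where such code is likely to sit.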

So it seems that this virus writer is perhaps similar to the Dread Pirate Roberts, who was actually a series of people: when one person wanted to retire, another was secretly chosen to become the new pirate, continue the name, and give the impression of immortality.

I suppose that we'll never know for sure. The big problem for me is that every time this virus writer touches a new platform, it seems that I have to buy a new machine, and I'm running out of space under my desk. So roy, you've done enough; now you can stop.
