Author Topic: Virus Development  (Read 35373 times)

0 Members and 1 Guest are viewing this topic.

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Virus Development
« on: September 15, 2005, 08:05:05 pm »
Alright, please, nobody lock/trash/delete/distroy this topic. For those of you who know me, I would never do anything like this (except to a test box of mine, which has nothing to lose anyhow), and the only ones who would want to do this would end up owning themselves before they can do it to anyone else.



The first method of "owning" a computer is very simple. When you start a computer, it goes through the POST (power on self test), detects your floppy drive, RAM ammount (often checking it for errors), CD Drives, hard drives, etc. After that, the BIOS will begin the BIOS boot sequence (call it what you want, thats not the official name (unless I'm lucky)), which is usually something along these lines.
1) Floppy Disk
2) CD Drive(s) (Dells have this after hard disks, press F12 to be given the boot menu)
3) Hard disks



The most simple (IMO) virus that can be written is simply making an MS-DOS startup disk and sticking it in your floppy drive (or a friends (or a non-friends)). Most of the world would have no clue whats going on when they see a DOS prompt. They'll probably hear their floppy drive though, they're pretty loud. Ineffictive, unfun.

Another variant of this method is to to make an MS-DOS bootdisk, and have a simple QB program on it, something allong these lines.
Code: [Select]
10 'Placeholder
20 Goto 10
Configure an autoexec.bat file to start your program (it must be compiled). This will require the QB runtime files, but they can fit on a floppy disk, so its no problem. This will print absolutely nothing to their screen (it will, but it'll disapear quickly). Good way to make a friend (or enemy) think they fried something, asuming they didn't hear their drive.



This is where it gets serious. The above two will cause you no damage no matter how badly you screw it up (ok, theres a limit, but I think we're all above that). The below uses x86 ASM, about as low as you can get (no pun intended, =p).

The simplist ASM virus you can make is a empty bootloader. You'll need a few tools, namely NASM and PARTCOPY (both free). You'll also need a plain-text editor (I suggest UltraEdit-32, but notepad works) to write your code in. Basically, you're fooling the computer to think you've written an operating system (or someone else has), and you want it loaded.
Code: [Select]
[bits 16]
start:
jmp $



Anyhow, thats all for now. Comment, add, correct, etc.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • View Profile
    • Maide
Re: Virus Development
« Reply #1 on: September 15, 2005, 08:08:42 pm »
All of your "virii" require floppy disks, and they don't do anything.
And like a fool I believed myself, and thought I was somebody else...

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #2 on: September 15, 2005, 08:27:24 pm »
Mm, sounds like the beginnings of a boot-sector virus.  Those are ancient, and rarely used anymore since Windows NT+ won't load if there is something else loaded. 


Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Virus Development
« Reply #3 on: September 15, 2005, 08:32:50 pm »
Quote
All of your "virii" require floppy disks
No they don't. partcopy that ASM one to your hard disk. It'll work nicely.

Quote
and they don't do anything.
Again, partcopy that to your hard disk, and when you finally get back, tell me that again. =p
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Virus Development
« Reply #4 on: September 15, 2005, 08:33:37 pm »
Quote
Mm, sounds like the beginnings of a boot-sector virus.
Yup.

Quote
and rarely used anymore since Windows NT+ won't load if there is something else loaded.
Exactly. =)
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Virus Development
« Reply #5 on: September 15, 2005, 08:48:50 pm »
Quote
Mm, sounds like the beginnings of a boot-sector virus.
Yup.

Quote
and rarely used anymore since Windows NT+ won't load if there is something else loaded.
Exactly. =)

Want to have a little fun a la zorm, that has the same effect as all your code? Delete file in C:\WINDOWS\system32\ called lsass.exe and reboot.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #6 on: September 15, 2005, 08:53:18 pm »
Quote
and rarely used anymore since Windows NT+ won't load if there is something else loaded.
Exactly. =)
Quote

Then an "addition" for you would be, "totally useless"?

Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • View Profile
    • Maide
Re: Virus Development
« Reply #7 on: September 15, 2005, 09:07:32 pm »
A virsus that says bye to your master boot record, is a virus I don't want to have.

A perfect virus in my mind would be something that infects your computer, infects every file on your computer, infects BIOS, then runs itself as an operating system and takes remote commands to do anything, including infecting others, ddosing, using as a proxy, ect.
And like a fool I believed myself, and thought I was somebody else...

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Virus Development
« Reply #8 on: September 15, 2005, 09:20:55 pm »
A perfect virus (in my mind) would flash your BIOS, thus rendering your computer useless.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Virus Development
« Reply #9 on: September 15, 2005, 09:21:32 pm »
A virsus that says bye to your master boot record, is a virus I don't want to have.

A perfect virus in my mind would be something that infects your computer, infects every file on your computer, infects BIOS, then runs itself as an operating system and takes remote commands to do anything, including infecting others, ddosing, using as a proxy, ect.

I was half expecting you to describe the steps to installing Linux :p
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #10 on: September 15, 2005, 11:09:42 pm »
A virsus that says bye to your master boot record, is a virus I don't want to have.

A perfect virus in my mind would be something that infects your computer, infects every file on your computer, infects BIOS, then runs itself as an operating system and takes remote commands to do anything, including infecting others, ddosing, using as a proxy, ect.

I was half expecting you to describe the steps to installing Linux :p

Actually, it sounds more like he's talking about installing Windows. 

Linux prompts you to overwrite the boot record, and recommends not to.  And Linux is rarely a part in ddosing, that tends to be Windows too. 


Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • View Profile
    • Maide
Re: Virus Development
« Reply #11 on: September 15, 2005, 11:17:31 pm »
One of the funniest virus' I've heard of is the Stoner virus. (I think its an OLDy)

A funny virus would download and install a distro of linux, and remove windows. :P
And like a fool I believed myself, and thought I was somebody else...

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Virus Development
« Reply #12 on: September 15, 2005, 11:19:39 pm »
A virsus that says bye to your master boot record, is a virus I don't want to have.

A perfect virus in my mind would be something that infects your computer, infects every file on your computer, infects BIOS, then runs itself as an operating system and takes remote commands to do anything, including infecting others, ddosing, using as a proxy, ect.

I was half expecting you to describe the steps to installing Linux :p

Actually, it sounds more like he's talking about installing Windows.

Linux prompts you to overwrite the boot record, and recommends not to. And Linux is rarely a part in ddosing, that tends to be Windows too.



I know, halfway through his description, though, it seemed like he was going to recommend installing Linux. Guess it didn't turn out that way.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #13 on: September 15, 2005, 11:23:55 pm »
One of the funniest virus' I've heard of is the Stoner virus. (I think its an OLDy)

A funny virus would download and install a distro of linux, and remove windows. :P

The funniest virus (well, worm) in my opinion (and I have a sick sense of humour) is W32/Witty

Why? For a couple reasons:
- It attacked a firewall, specifically, BlackIce
- The worm's data contained the string, " (^.^)      insert witty message here      (^.^)"
- It would write random crap to the harddrive, making the computer unusable.  I thought that was pretty funny!

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Virus Development
« Reply #14 on: September 15, 2005, 11:34:32 pm »
Ouch!
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Virus Development
« Reply #15 on: September 15, 2005, 11:55:18 pm »
I like the trojan that encrypted files and charged cash for the decryption. Any Asian kid can put "^_^_^__^_^_^" in a file and be 'witty'.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #16 on: September 16, 2005, 12:00:49 am »
I like the trojan that encrypted files and charged cash for the decryption. Any Asian kid can put "^_^_^__^_^_^" in a file and be 'witty'.

But they don't all exploit a program designed to protect you!

It's all of those reasons together that make it fun :)

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Virus Development
« Reply #17 on: September 16, 2005, 12:03:00 am »
Quote
I like the trojan that encrypted files and charged cash for the decryption. Any Asian kid can put "^_^_^__^_^_^" in a file and be 'witty'.
I'd sue him, it works the other way arround. =p

On a side note, guys, I'd apreciate it if you discussed virus development, instead of laughing at funny ones (by no means am I saying that isn't funny).
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Screenor

  • Hero Member
  • *****
  • Posts: 1611
  • My own little world.
    • View Profile
Re: Virus Development
« Reply #18 on: September 16, 2005, 09:12:05 am »
Trojans are so much more fun then viruses, but sadly easier to detect. Really the only fun I'd have with a "virus" would be if it detected when there was a window opened, and suddenly ended the process, but eh, those sorts of things are fun to do to people you dislike.

Or if it disable's control of the users mouse, that would be a hell of a lot of fun.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #19 on: September 16, 2005, 02:52:29 pm »
Trojans are so much more fun then viruses, but sadly easier to detect. Really the only fun I'd have with a "virus" would be if it detected when there was a window opened, and suddenly ended the process, but eh, those sorts of things are fun to do to people you dislike.

Or if it disable's control of the users mouse, that would be a hell of a lot of fun.
Do you know the proper definition of a Trojan?  I think what you're talking about is a remote-access-trojan, which is a subclass of Trojans.  A Trojan, like the Horse, is a program that looks nice but has an evil side.  It sneaks in under the guise of an innocent program, then infects the machine. 

Anyways, I was thinking.  Joe, those aren't viruses.  They're just annoyances.  By definition, a virus infects programs or files already on your computer.  Here is a definition from the "Free On-line Dictionary of Computing":
Quote
A program or piece of code written by a cracker that "infects"
one or more other programs by embedding a copy of itself in
them, so that they become Trojan horses. When these
programs are executed, the embedded virus is executed too,
thus propagating the "infection". This normally happens
invisibly to the user.

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Virus Development
« Reply #20 on: September 16, 2005, 10:54:07 pm »
Well, I don't know if it qualifies as a program, but this infects your bootsector. =) (the latter examples, I mean)
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline RoMi

  • x86
  • Hero Member
  • *****
  • Posts: 502
  • gg no re
    • View Profile
Re: Virus Development
« Reply #21 on: September 16, 2005, 10:57:41 pm »
Manual Override virus is the funniest, it stopped all the fans on your comp and made it calculate pi.
-RoMi

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Virus Development
« Reply #22 on: September 16, 2005, 11:56:05 pm »
Manual Override virus is the funniest, it stopped all the fans on your comp and made it calculate pi.

I've seen some malicious trojans that overclocked the cpu to the max and have heard stories about it burning holes in the motherboard.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Virus Development
« Reply #23 on: September 17, 2005, 12:12:16 am »
Those sound like fun.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Screenor

  • Hero Member
  • *****
  • Posts: 1611
  • My own little world.
    • View Profile
Re: Virus Development
« Reply #24 on: September 17, 2005, 09:04:51 am »
Trojans are so much more fun then viruses, but sadly easier to detect. Really the only fun I'd have with a "virus" would be if it detected when there was a window opened, and suddenly ended the process, but eh, those sorts of things are fun to do to people you dislike.

Or if it disable's control of the users mouse, that would be a hell of a lot of fun.
Do you know the proper definition of a Trojan?  I think what you're talking about is a remote-access-trojan, which is a subclass of Trojans.  A Trojan, like the Horse, is a program that looks nice but has an evil side.  It sneaks in under the guise of an innocent program, then infects the machine. 

Anyways, I was thinking.  Joe, those aren't viruses.  They're just annoyances.  By definition, a virus infects programs or files already on your computer.  Here is a definition from the "Free On-line Dictionary of Computing":
Quote
A program or piece of code written by a cracker that "infects"
one or more other programs by embedding a copy of itself in
them, so that they become Trojan horses. When these
programs are executed, the embedded virus is executed too,
thus propagating the "infection". This normally happens
invisibly to the user.
Still a falling under the definition of a trojan nonetheless.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #25 on: September 17, 2005, 10:38:00 am »
Trojans are so much more fun then viruses, but sadly easier to detect. Really the only fun I'd have with a "virus" would be if it detected when there was a window opened, and suddenly ended the process, but eh, those sorts of things are fun to do to people you dislike.

Or if it disable's control of the users mouse, that would be a hell of a lot of fun.
Do you know the proper definition of a Trojan?  I think what you're talking about is a remote-access-trojan, which is a subclass of Trojans.  A Trojan, like the Horse, is a program that looks nice but has an evil side.  It sneaks in under the guise of an innocent program, then infects the machine. 

Anyways, I was thinking.  Joe, those aren't viruses.  They're just annoyances.  By definition, a virus infects programs or files already on your computer.  Here is a definition from the "Free On-line Dictionary of Computing":
Quote
A program or piece of code written by a cracker that "infects"
one or more other programs by embedding a copy of itself in
them, so that they become Trojan horses. When these
programs are executed, the embedded virus is executed too,
thus propagating the "infection". This normally happens
invisibly to the user.
Still a falling under the definition of a trojan nonetheless.
But they aren't "trojans" in general, which is what you said.  And they aren't easier to detect; in fact, by the definition of a Trojan, they're harder to detect. 

Joe - you don't "infect" anything, you just overwrite.  There's a difference.

Romi/Quik - eww, user accounts shouldn't even had access to do that kind of thing, and there's a good reason :)

Offline Screenor

  • Hero Member
  • *****
  • Posts: 1611
  • My own little world.
    • View Profile
Re: Virus Development
« Reply #26 on: September 17, 2005, 11:17:20 am »
Trojans are so much more fun then viruses, but sadly easier to detect. Really the only fun I'd have with a "virus" would be if it detected when there was a window opened, and suddenly ended the process, but eh, those sorts of things are fun to do to people you dislike.

Or if it disable's control of the users mouse, that would be a hell of a lot of fun.
Do you know the proper definition of a Trojan?  I think what you're talking about is a remote-access-trojan, which is a subclass of Trojans.  A Trojan, like the Horse, is a program that looks nice but has an evil side.  It sneaks in under the guise of an innocent program, then infects the machine. 

Anyways, I was thinking.  Joe, those aren't viruses.  They're just annoyances.  By definition, a virus infects programs or files already on your computer.  Here is a definition from the "Free On-line Dictionary of Computing":
Quote
A program or piece of code written by a cracker that "infects"
one or more other programs by embedding a copy of itself in
them, so that they become Trojan horses. When these
programs are executed, the embedded virus is executed too,
thus propagating the "infection". This normally happens
invisibly to the user.
Still a falling under the definition of a trojan nonetheless.
But they aren't "trojans" in general, which is what you said.  And they aren't easier to detect; in fact, by the definition of a Trojan, they're harder to detect. 

Joe - you don't "infect" anything, you just overwrite.  There's a difference.

Romi/Quik - eww, user accounts shouldn't even had access to do that kind of thing, and there's a good reason :)
A remote control trojan would however, because it's obviously sending out packets, if you turn off anything else that is needs to connect to the internet to work, you can easily find out. Now if you'd answer my AIMs that would be great.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #27 on: September 17, 2005, 01:10:59 pm »
A remote control trojan would however, because it's obviously sending out packets, if you turn off anything else that is needs to connect to the internet to work, you can easily find out. Now if you'd answer my AIMs that would be great.

It's not "remote control trojan", the class of trojans is named "Remote Access Trojan", or "RAT". 

I don't understand what you mean by the next sentence.  I know of very few trojans or viruses (yes, viruses, virii isn't a proper word) that turn off your internet connection since they're usually trying to stay hidden. 

When I got your message you were offline so I closed the Window.  Plus, I haven't answered anybody this morning, I've spent all morning going to the store, eating breakfast, fixing my aunt's computer, helping my mom paint a room, and helping my stepdad clean the swimming pool.  I'm not exactly sitting here waiting for messages. 


Offline Screenor

  • Hero Member
  • *****
  • Posts: 1611
  • My own little world.
    • View Profile
Re: Virus Development
« Reply #28 on: September 17, 2005, 01:49:06 pm »
A remote control trojan would however, because it's obviously sending out packets, if you turn off anything else that is needs to connect to the internet to work, you can easily find out. Now if you'd answer my AIMs that would be great.

It's not "remote control trojan", the class of trojans is named "Remote Access Trojan", or "RAT". 

I don't understand what you mean by the next sentence.  I know of very few trojans or viruses (yes, viruses, virii isn't a proper word) that turn off your internet connection since they're usually trying to stay hidden. 

When I got your message you were offline so I closed the Window.  Plus, I haven't answered anybody this morning, I've spent all morning going to the store, eating breakfast, fixing my aunt's computer, helping my mom paint a room, and helping my stepdad clean the swimming pool.  I'm not exactly sitting here waiting for messages. 


You also never answer any other message I send you.

And, for the remote access trojan thing, it's very easy to tell, as seen in the link below.

http://screend-productions.net/packsk.gif

If you run a packet sniffer throughout the night, with every other program that needs to connect/has the ability to connect to the internet to work (i.e. Steam, AIM, MSN, Firefox, whatever), you can tell if you do have something sending out information about your computer on a regular basis, because chances are it's going to do it atleast once every so and so number of hours, and if it wants to send anything, there's going to be another IP involved, which a good packet sniffer will pick up. (Note: I never said ever it'll get rid of the trojan (remote access, don't get technical on this iago) it'll just give you some way of knowing you have one.)
« Last Edit: September 17, 2005, 02:11:52 pm by Scr33n0r »

Offline Sidoh

  • Moderator
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Virus Development
« Reply #29 on: September 17, 2005, 02:15:02 pm »
That's a lot of work for trying to justify an ignorant mistake, Screenor.  Maybe you should just accept iago's right? O_o

Offline Ergot

  • 吴立峰 ^_^ !
  • x86
  • Hero Member
  • *****
  • Posts: 3724
  • I steal bandwidth. p_o
    • View Profile
Re: Virus Development
« Reply #30 on: September 17, 2005, 02:26:20 pm »
Nice job filtering the Screen Names. You do know that his Screen Name is on the tab right?
Who gives a damn? I fuck sheep all the time.
And yes, male both ends.  There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.
(05:55:03) JoE ThE oDD: omfg good job i got a boner thinkin bout them chinese bitches
(17:54:15) Sidoh: I love cosmetology

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #31 on: September 17, 2005, 03:01:54 pm »
Who actually leaves a packetsniffer running overnight?  I mean, besides me (I have Snort running 24/7 to detect stuff like that) :P

Also, what happens if the trojan developer was smart and tunneled it over a known protocol? Like, what if they mimic AIM or MSN or HTTP or Steam or something else that you consider safe?  What happens if it tunnels commants over, say, ICMP? (Sure, the numbers will go up on the ICMP list, but if you look at them it'll look like somebody is pinging you). 

There is at least one backdoor that is controlled by ping packets.  I forget what it's called, but it's pretty cool. 

What about failed connections? Failed connections can also be used to control a program.  There's another backdoor for Linux (a proof of concept) that does communication through SYN and RST pairs, so to a packetlogger it looks like a series of failed connections, or a portscan.  There aren't even any data packets passed, the data is encoded in packet headers.  There are lots of ways to hide :)

What about one that connects to IRC, then idles until it gets a command?  You won't see packets unless it's being actively controlled, so you won't see it happening unless it's actively being used.  That's another one you won't pick up unless you leave a packetsniffer running 24/7. 

Yes, some remote access programs can be found by packetlogging, but that's not always the case. 

Offline Sidoh

  • Moderator
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Virus Development
« Reply #32 on: September 17, 2005, 03:22:47 pm »
Who actually leaves a packetsniffer running overnight?  I mean, besides me (I have Snort running 24/7 to detect stuff like that) :P

Also, what happens if the trojan developer was smart and tunneled it over a known protocol? Like, what if they mimic AIM or MSN or HTTP or Steam or something else that you consider safe?  What happens if it tunnels commants over, say, ICMP? (Sure, the numbers will go up on the ICMP list, but if you look at them it'll look like somebody is pinging you). 

There is at least one backdoor that is controlled by ping packets.  I forget what it's called, but it's pretty cool. 

What about failed connections? Failed connections can also be used to control a program.  There's another backdoor for Linux (a proof of concept) that does communication through SYN and RST pairs, so to a packetlogger it looks like a series of failed connections, or a portscan.  There aren't even any data packets passed, the data is encoded in packet headers.  There are lots of ways to hide :)

What about one that connects to IRC, then idles until it gets a command?  You won't see packets unless it's being actively controlled, so you won't see it happening unless it's actively being used.  That's another one you won't pick up unless you leave a packetsniffer running 24/7. 

Yes, some remote access programs can be found by packetlogging, but that's not always the case. 

Owned?  Mmhm.

Offline c0n

  • Full Member
  • ***
  • Posts: 201
  • I'm new here!
    • View Profile
Re: Virus Development
« Reply #33 on: September 17, 2005, 06:08:29 pm »
that isnt a virus... a virus needs to reproduce itself and distribute itself.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #34 on: September 17, 2005, 06:47:51 pm »
that isnt a virus... a virus needs to reproduce itself and distribute itself.

That's what I said.  Glad to know you can repeat, while still managing to get it wrong!  A virus doesn't need to distribute itself to be a virus. 

Offline Screenor

  • Hero Member
  • *****
  • Posts: 1611
  • My own little world.
    • View Profile
Re: Virus Development
« Reply #35 on: September 17, 2005, 08:41:21 pm »
Nice job filtering the Screen Names. You do know that his Screen Name is on the tab right?
If you don't have anything to say intelligent, or atleast that would contribute to the topic, don't reply.

I realized I didn't while I was uploading the file, and I had thought I posted in my post I was just too lazy to go back and remove it. If you're mature enough, you wont message him anyway, he WILL tell me you did.

And iago: I do, if that's not that much to for you to except. :P

My idea of a fun virus:

Description:
This file is similar to the "BOOM" program, except it is about 200% better in terms of actually doing stuff instead of looking cool. Plus it ain't no joke. This is what is called a .vbs virus, which means, contrast to what most ppl think of a virus, it isn't an .exe but works the same way - just invisible. The reason vbs is good is because you can mask it as other files (which i have done for you). You can set it to look like a txt file, and even open and display text as though it was a text file...except you have been infected with the virus. This is extremely helpful because the person doesn't know they've been infected. I have a list of the things that it does once infected:
1.Displays messagebox saying "n0 EscApE".
2.Copies, and recopies itself to the system root.
3.Activiates anti-delete by making the computer think its a system file.
4.Randomly will display the messagebox.
5.Will save fake explicit photos and text on the A: and C: disk drives.
6.It will secretly attach itself to an email, then invisibly send itself to every single person on the vicims' email directory.
7.Loops for the next victim, then on, and on, and on...

(Not idea, to be technical, I have this file, I just don't go and give it to people.)
« Last Edit: September 17, 2005, 08:43:43 pm by Scr33n0r »

Offline Sidoh

  • Moderator
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Virus Development
« Reply #36 on: September 17, 2005, 09:09:00 pm »
Ghey! :p

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #37 on: September 17, 2005, 10:00:38 pm »
And iago: I do, if that's not that much to for you to except. :P
You do what?  My post was rather lengthy with many suggestions..

Quote
My idea of a fun virus:

Description:
This file is similar to the "BOOM" program, except it is about 200% better in terms of actually doing stuff instead of looking cool. Plus it ain't no joke. This is what is called a .vbs virus, which means, contrast to what most ppl think of a virus, it isn't an .exe but works the same way - just invisible. The reason vbs is good is because you can mask it as other files (which i have done for you). You can set it to look like a txt file, and even open and display text as though it was a text file...except you have been infected with the virus. This is extremely helpful because the person doesn't know they've been infected. I have a list of the things that it does once infected:
1.Displays messagebox saying "n0 EscApE".
2.Copies, and recopies itself to the system root.
3.Activiates anti-delete by making the computer think its a system file.
4.Randomly will display the messagebox.
5.Will save fake explicit photos and text on the A: and C: disk drives.
6.It will secretly attach itself to an email, then invisibly send itself to every single person on the vicims' email directory.
7.Loops for the next victim, then on, and on, and on...

(Not idea, to be technical, I have this file, I just don't go and give it to people.)
That's boring, that's been done so many time for so many different viruses that it's just boring. 

Offline Screenor

  • Hero Member
  • *****
  • Posts: 1611
  • My own little world.
    • View Profile
Re: Virus Development
« Reply #38 on: September 17, 2005, 11:55:12 pm »
And iago: I do, if that's not that much to for you to except. :P
You do what?  My post was rather lengthy with many suggestions..

Quote
My idea of a fun virus:

Description:
This file is similar to the "BOOM" program, except it is about 200% better in terms of actually doing stuff instead of looking cool. Plus it ain't no joke. This is what is called a .vbs virus, which means, contrast to what most ppl think of a virus, it isn't an .exe but works the same way - just invisible. The reason vbs is good is because you can mask it as other files (which i have done for you). You can set it to look like a txt file, and even open and display text as though it was a text file...except you have been infected with the virus. This is extremely helpful because the person doesn't know they've been infected. I have a list of the things that it does once infected:
1.Displays messagebox saying "n0 EscApE".
2.Copies, and recopies itself to the system root.
3.Activiates anti-delete by making the computer think its a system file.
4.Randomly will display the messagebox.
5.Will save fake explicit photos and text on the A: and C: disk drives.
6.It will secretly attach itself to an email, then invisibly send itself to every single person on the vicims' email directory.
7.Loops for the next victim, then on, and on, and on...

(Not idea, to be technical, I have this file, I just don't go and give it to people.)
That's boring, that's been done so many time for so many different viruses that it's just boring. 

Er, run a packet sniffer.* Just I do it maybe once a week, because if I logged that much, I'd be out of HDD space in no time.

Offline c0n

  • Full Member
  • ***
  • Posts: 201
  • I'm new here!
    • View Profile
Re: Virus Development
« Reply #39 on: September 18, 2005, 04:27:59 am »
that isnt a virus... a virus needs to reproduce itself and distribute itself.

That's what I said.  Glad to know you can repeat, while still managing to get it wrong!  A virus doesn't need to distribute itself to be a virus. 

i didnt read all the posts.. i skimmed the first 2 or whatever and then decided that i would say that.

but a virus would be completely stupid if it wasnt distributed in some way... but i guess ur right that it doesnt need to. it does need to reproduce itself though.
i didnt repeat you knowing that i was repeating you. i also think that any successful virus would need to find a means of distributing itself to be... well... successful
so i guess i can safely say that a virus will reproduce itself & distribute itself.

so this means i wasnt really wrong. i was just being smarter and including a characteristic that basically every virus includes... a way of distributing itself across the interweb.
there's no reason to leave that out.

whitehat scum
« Last Edit: September 18, 2005, 04:38:53 am by c0n »

Offline Krazed

  • x86
  • Hero Member
  • *****
  • Posts: 1822
    • View Profile
Re: Virus Development
« Reply #40 on: September 18, 2005, 07:47:09 am »
You are honestly a fucking moron..
It is good to be good, but it is better to be lucky.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #41 on: September 18, 2005, 10:02:13 am »
that isnt a virus... a virus needs to reproduce itself and distribute itself.

That's what I said.  Glad to know you can repeat, while still managing to get it wrong!  A virus doesn't need to distribute itself to be a virus. 

i didnt read all the posts.. i skimmed the first 2 or whatever and then decided that i would say that.

but a virus would be completely stupid if it wasnt distributed in some way... but i guess ur right that it doesnt need to. it does need to reproduce itself though.
i didnt repeat you knowing that i was repeating you. i also think that any successful virus would need to find a means of distributing itself to be... well... successful
so i guess i can safely say that a virus will reproduce itself & distribute itself.

so this means i wasnt really wrong. i was just being smarter and including a characteristic that basically every virus includes... a way of distributing itself across the interweb.
there's no reason to leave that out.

whitehat scum

How about, I email it to somebody?  It's not distributing itself.

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Virus Development
« Reply #42 on: September 18, 2005, 01:25:28 pm »
Quote
whitehat scum

And suddenly c0n loses what little respect I had left for him.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline c0n

  • Full Member
  • ***
  • Posts: 201
  • I'm new here!
    • View Profile
Re: Virus Development
« Reply #43 on: September 18, 2005, 04:36:07 pm »
that isnt a virus... a virus needs to reproduce itself and distribute itself.

That's what I said.  Glad to know you can repeat, while still managing to get it wrong!  A virus doesn't need to distribute itself to be a virus. 

i didnt read all the posts.. i skimmed the first 2 or whatever and then decided that i would say that.

but a virus would be completely stupid if it wasnt distributed in some way... but i guess ur right that it doesnt need to. it does need to reproduce itself though.
i didnt repeat you knowing that i was repeating you. i also think that any successful virus would need to find a means of distributing itself to be... well... successful
so i guess i can safely say that a virus will reproduce itself & distribute itself.

so this means i wasnt really wrong. i was just being smarter and including a characteristic that basically every virus includes... a way of distributing itself across the interweb.
there's no reason to leave that out.

whitehat scum

How about, I email it to somebody?  It's not distributing itself.


read what i said...

i said it doesnt NEED to..
but go ahead and try distributing it yourself and see how many ppl you will infect...
Quote
whitehat scum

And suddenly c0n loses what little respect I had left for him.

your respect means nothing to me... and never did.
ur just some vb coder that codes lame shyt.

You are honestly a fucking moron..

even if i said something intelligent on this forum you would say the same thing.
what you think of me means nothing to me. the only thing you didnt like was the
thing i said about whitehats. h0h0h0...
« Last Edit: September 18, 2005, 04:39:31 pm by c0n »

Offline Sidoh

  • Moderator
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Virus Development
« Reply #44 on: September 18, 2005, 04:36:57 pm »
but go ahead and try distributing it yourself and see how many ppl you will infect...
That's asside from his point.

Offline c0n

  • Full Member
  • ***
  • Posts: 201
  • I'm new here!
    • View Profile
Re: Virus Development
« Reply #45 on: September 18, 2005, 04:40:46 pm »
but go ahead and try distributing it yourself and see how many ppl you will infect...
That's asside from his point.

yes but it was pointless to say it when i clearly agreed with him above

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Virus Development
« Reply #46 on: September 18, 2005, 04:42:58 pm »
Hm, am I the only one here who realized..

- c0n can't spell
- c0n failed English eight times in a row in high school, then dropped out when he turned 18
- c0n thinks pr0j3kt m4yh3m isn't a joke (joe.x86labs.org points to my computer. Bite me please)
- c0n is a hopeless idiot
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Sidoh

  • Moderator
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Virus Development
« Reply #47 on: September 18, 2005, 04:44:03 pm »
roofle

Offline d&q

  • Hero Member
  • *****
  • Posts: 1427
  • I'm here.
    • View Profile
    • Site
Re: Virus Development
« Reply #48 on: September 18, 2005, 04:47:06 pm »
Can't we all just get along?  :'(
The writ of the founders must endure.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Virus Development
« Reply #49 on: September 18, 2005, 04:49:52 pm »
You suck at blocking out your buddy's name on the taskbar in that gif, screenor. =P
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline c0n

  • Full Member
  • ***
  • Posts: 201
  • I'm new here!
    • View Profile
Re: Virus Development
« Reply #50 on: September 18, 2005, 04:58:13 pm »
Hm, am I the only one here who realized..

- c0n can't spell
- c0n failed English eight times in a row in high school, then dropped out when he turned 18
- c0n thinks pr0j3kt m4yh3m isn't a joke (joe.x86labs.org points to my computer. Bite me please)
- c0n is a hopeless idiot

dear joe,

- c0n can spell he just doesnt feel the need to on the intarweb
- the internet is not a serious place
- pr0j3kt m4yh3m is not a joke. ur ignorant about it so obviously you would have no idea.
- go leech more asm code for ur pathetic 'operating system'
- stop being a social whore
- i feel the need that i must re-iterate...

pr0j3kt m4yh3m is not a joke. perhaps it seems like a joke because they like to make fun
of the whitehats they own, and it happens to be funny. but ur wrong... its not a joke. if u wanna
get owned, joe, please go talk to people in #w0ah on efnet. oh wait... sorry... i cant give u the key
to that channel. i'd love to but i wont. u call me a hopeless moron but you are the one who leeched
the code for ur lame os. why dont u send an email to aer0@hush.com and talk about how u think
pr0j3kt m4yh3m is a joke. he runs www.dikline.com. tell him about how much of a hopeless kiddie bnet bot coder
you are, and that you think pr0j3kt m4yh3m is a joke. im pretty sure u would soon find out that it isnt.

here... ill start the email for u.

--email--

Dear aer0,

I am Joe, and I am a Battle.net bot coder. I think that
Pr0j3kt M4yh3m is a joke. Hold on, let me look at all the whitehat
ownings for your zine. Wow, your pr0j3kt m4yh3m cell has
owned a lot of whitehats for the dikline ezine. But pr0j3kt
m4yh3m is still a joke, because I am too ignorant to believe that there
are actually people out there that would do harm to poor, innocent,
pussy whitehats out there. It's a joke... a total joke. Please don't own
me, I'm not a whitehat. I just think you're a joke, and everyone
in your cell is a joke. F1sh got busted, but he's a joke, lolol!
Syke is a joke too, because, well, I don't know him! I dont know
anybody affiliated with pr0j3kt m4yh3m, but it is such a joke!
The_uT owned a lot of people and rm'd them, but once again...
a joke! pHC was a joke in 2002. Trust me, I know what I'm talking
about... I'm Joe, and I use my real name as a nick on the interweb!

Sincerely,

Joe[x86] - the ultimate bnet code leecher
--/email--

there you go, joe. alter it if you want... i dont care.

i mean i suppose its pretty fucking hard to type "pr0j3kt m4yh3m"
in google and not see all the websites that pop up about it?
theres even an article about pr0j3kt m4yh3m and whitehat hate crimes
in Wired Magazine.
« Last Edit: September 18, 2005, 05:02:52 pm by c0n »

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #51 on: September 18, 2005, 05:04:45 pm »
but a virus would be completely stupid if it wasnt distributed in some way

It's not completely stupid.  Although I know it's a waste of my time, I'll explain why. 

What if I'm trying to break into a business?  They have firewalls anti-virus and IPS and all the toys.  How do I get in? 

Simple! I write a custom virus.  I email it to an employee, with a message customized for the employee in question.  He runs the program, gets infected, and is at my mercy.  Because it's a custom virus, it's not going to get picked up by the anti-virus.  Because it's not distributing itself, it's not going to be detected by other employees. 

Presumably, the virus would give me remote access to his computer.  Say, for example, it infects Internet Explorer so that, as soon as he opens his browser, it also connects to me (since browsers are typically allow(all) in the firewall) and gives me the information I need. 

Since you're a blackhat, you really ought to know the usefulness of a virus that doesn't spread on its own (particularly in terms of evading detection).  I'm surprised you don't. 


Offline c0n

  • Full Member
  • ***
  • Posts: 201
  • I'm new here!
    • View Profile
Re: Virus Development
« Reply #52 on: September 18, 2005, 05:09:04 pm »
but a virus would be completely stupid if it wasnt distributed in some way

It's not completely stupid.  Although I know it's a waste of my time, I'll explain why. 

What if I'm trying to break into a business?  They have firewalls anti-virus and IPS and all the toys.  How do I get in? 

Simple! I write a custom virus.  I email it to an employee, with a message customized for the employee in question.  He runs the program, gets infected, and is at my mercy.  Because it's a custom virus, it's not going to get picked up by the anti-virus.  Because it's not distributing itself, it's not going to be detected by other employees. 

Presumably, the virus would give me remote access to his computer.  Say, for example, it infects Internet Explorer so that, as soon as he opens his browser, it also connects to me (since browsers are typically allow(all) in the firewall) and gives me the information I need. 

Since you're a blackhat, you really ought to know the usefulness of a virus that doesn't spread on its own (particularly in terms of evading detection).  I'm surprised you don't. 



ur right about all that, except what i was trying to say is that a virus that does not distribute itself is pretty lame. why waste ur time writing a virus that wont spread itself to own some company when you can just write an exploit and own him (then u dont have to email him or her!)... then hes still at ur mercy. or better yet, write a worm that exploits him and exploits the network... then u have access to the whole network.

im not a blaqhat... i just believe in the blaqhat ideas.
if i cant haq, then i obviously cannot be a blaqhat.

doing what you said though... thats like almost as stupid as using a trojan, except the fact that u wrote it yourself. most employees would probably know better than to download an attachment anyway... unless you use addresses from people they know.

any virus out there wild on the internet has a way of distributing itself (otherwise it wouldnt be out there in the 'wild')... so why not incorporate that into the definition? i'd say ur idea is more of a trojan. trojans do however show up on anti virus programs. but they are still not really viruses in my opinion (my opinion isnt humble though)

joe: when are you going to show evidence of how i supposedly failed english 8 times because i spelled so many things wrong in this topic (which isnt true...). i have never failed an english class... but that doesnt matter, and isnt the topic. i am not some perfect punctuation using person anymore. so stop thinking ur all smart and stuff because you can use it. any 10 year old can use punctuation on the internet... even you. joe, ur such a social whore... even though you suck at being one (which isnt a bad thing)
« Last Edit: September 18, 2005, 05:24:02 pm by c0n »

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #53 on: September 18, 2005, 05:23:59 pm »
ur right about all that, except what i was trying to say is that a virus that does not distribute itself is pretty lame. why waste ur time writing a virus that wont spread itself to own some company when you can just write an exploit and own him (then u dont have to email him or her!)... then hes still at ur mercy. or better yet, write a worm that exploits him and exploits the network... then u have access to the whole network.
Because, as I said, it evades detection.  It's easy to notice it spreading, but it's hard to notice it dormant on some specific machine. 

Quote
doing what you said though... thats like almost as stupid as using a trojan, except the fact that u wrote it yourself. most employees would probably know better than to download an attachment anyway... unless you use addresses from people they know.
That's the point of customizing it.  You fake the return address of their boss, and make it look like their boss wrote the email and is asking you to check the program, or something.  It would use their real name and phone number, and look totally authentic.

Quote
any virus out there wild on the internet has a way of distributing itself (otherwise it wouldnt be out there in the 'wild')... so why not incorporate that into the definition? i'd say ur idea is more of a trojan. trojans do however show up on anti virus programs. but they are still not really viruses in my opinion (my opinion isnt humble though)
Any virus in the wild is useless for many purposes, because it's easy to detect.  The POINT of a virus that doesn't spread, as I've been TRYING to tell you, is that it's a targetted attack.  Not all attacks are widespread, the best ones are targetted. 


Offline c0n

  • Full Member
  • ***
  • Posts: 201
  • I'm new here!
    • View Profile
Re: Virus Development
« Reply #54 on: September 18, 2005, 05:28:26 pm »
ur right about all that, except what i was trying to say is that a virus that does not distribute itself is pretty lame. why waste ur time writing a virus that wont spread itself to own some company when you can just write an exploit and own him (then u dont have to email him or her!)... then hes still at ur mercy. or better yet, write a worm that exploits him and exploits the network... then u have access to the whole network.
Because, as I said, it evades detection.  It's easy to notice it spreading, but it's hard to notice it dormant on some specific machine. 

Quote
doing what you said though... thats like almost as stupid as using a trojan, except the fact that u wrote it yourself. most employees would probably know better than to download an attachment anyway... unless you use addresses from people they know.
That's the point of customizing it.  You fake the return address of their boss, and make it look like their boss wrote the email and is asking you to check the program, or something.  It would use their real name and phone number, and look totally authentic.

Quote
any virus out there wild on the internet has a way of distributing itself (otherwise it wouldnt be out there in the 'wild')... so why not incorporate that into the definition? i'd say ur idea is more of a trojan. trojans do however show up on anti virus programs. but they are still not really viruses in my opinion (my opinion isnt humble though)
Any virus in the wild is useless for many purposes, because it's easy to detect.  The POINT of a virus that doesn't spread, as I've been TRYING to tell you, is that it's a targetted attack.  Not all attacks are widespread, the best ones are targetted. 



trojans try to evade detection as well. even polymorphic shellcode tries to evade detection, but that doesnt mean its a virus. i guess it takes the characteristic of a virus, but that doesnt make it one. even a script kiddie can try to evade detection. they are viruses that spread, though... if you get what eye mean!

but still, why waste ur time writing a virus to 0wn this poor person in a business? why not just write an exploit? i'd like to hear why you would waste ur time with this, iago. u are afterall a whitehat... (no intended insult this time, i promise)

go ahead and waste ur time writing a virus and sending it to this person though. you could just make it a lot more fun and write an exploit and 0wn the network with that.
« Last Edit: September 18, 2005, 05:38:16 pm by c0n »

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Virus Development
« Reply #55 on: September 18, 2005, 05:37:54 pm »
So, you are trying to gain access to a specific computer, and somehow you recieve knowledge of what programs are running, and write up some exploits to one of those programs, since it's so easy to do on call, and then just exploit them knowing only what their email address is. Sounds to me like iago's way is more real-world applicable, '0wning whitehatz via blaqhat exploitz' seems to only exist in your fantasy world.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline c0n

  • Full Member
  • ***
  • Posts: 201
  • I'm new here!
    • View Profile
Re: Virus Development
« Reply #56 on: September 18, 2005, 05:41:40 pm »
So, you are trying to gain access to a specific computer, and somehow you recieve knowledge of what programs are running, and write up some exploits to one of those programs, since it's so easy to do on call, and then just exploit them knowing only what their email address is. Sounds to me like iago's way is more real-world applicable, '0wning whitehatz via blaqhat exploitz' seems to only exist in your fantasy world.

yeah i guess anybody would just write an exploit only knowing someones email *sigh*. though you probably know that they are using the company email, so im guessing the domain would be included... so then you could have a little information? yeah ur pretty smart quik. yeah, but, uhhh, exploits only exist in my fantasy world, if you want to believe that. even you, being a whitehat who runs around looking at securityfocus, should know that what you said is not true at all. or maybe you dont... considering you spend time looking at public exploits and not actual private shit that is within possession of individuals who could probably own just about any system they want.
« Last Edit: September 18, 2005, 05:43:44 pm by c0n »

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Virus Development
« Reply #57 on: September 18, 2005, 05:48:07 pm »
So, you are trying to gain access to a specific computer, and somehow you recieve knowledge of what programs are running, and write up some exploits to one of those programs, since it's so easy to do on call, and then just exploit them knowing only what their email address is. Sounds to me like iago's way is more real-world applicable, '0wning whitehatz via blaqhat exploitz' seems to only exist in your fantasy world.

yeah i guess anybody would just write an exploit only knowing someones email *sigh*. though you probably know that they are using the company email, so im guessing the domain would be included... so then you could have a little information? yeah ur pretty smart quik. yeah, but, uhhh, exploits only exist in my fantasy world, if you want to believe that. even you, being a whitehat who runs around looking at securityfocus, should know that what you said is not true at all. or maybe you dont... considering you spend time looking at public exploits and not actual private shit that is within possession of individuals who could probably own just about any system they want.

Leave it up to c0n to completely misinterpret what I said. Now, if you're going to try and prove a point by gaining access to a company machine, iago's way would make sense. All you need is a little bit of ingenuity while coding, and the person's company email, and you can effectively gain access undetected. Now, your way, you would need to know what programs they use, and would need to spend some time either A. finding an exploit and coding a way to take advantage of it, or B. Do what you do and just hang around 'blackhats' to hope they give you code.

You seem to act like you monitor my online activities, judging by how you talk about my "running around looking at securityfocus" and "being a whitehat". Try to read posts more carefully, and use your brain to analize what's being told to you.

You're dangerously close to being banned from this server in general. It's getting really old.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Virus Development
« Reply #58 on: September 18, 2005, 05:49:21 pm »
And c0n goes from idiot to asshole. I once again move to ban him from the forums.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #59 on: September 18, 2005, 06:16:52 pm »
trojans try to evade detection as well. even polymorphic shellcode tries to evade detection, but that doesnt mean its a virus. i guess it takes the characteristic of a virus, but that doesnt make it one. even a script kiddie can try to evade detection. they are viruses that spread, though... if you get what eye mean!
Polymorphic shellcode isn't designed to evade detection, but it can be used that way.  It's generally used to slip through filters (for example, UTF-8-only, ascii-only, Unicode-only, etc.). 


Quote
but still, why waste ur time writing a virus to 0wn this poor person in a business? why not just write an exploit? i'd like to hear why you would waste ur time with this, iago. u are afterall a whitehat... (no intended insult this time, i promise)
You might not have access to the softwar they're running (maybe it's proprietary?).  IPS systems will often stop exploits, they can often heuristically detect things like overflows.  They should have a firewall in the way with no incoming connections allowed. 

Yes, I'm a white-hat, but I still understand how attackers work.

Quote
go ahead and waste ur time writing a virus and sending it to this person though. you could just make it a lot more fun and write an exploit and 0wn the network with that.
You can't always do that
« Last Edit: September 18, 2005, 06:33:33 pm by iago »

Offline Screenor

  • Hero Member
  • *****
  • Posts: 1611
  • My own little world.
    • View Profile
Re: Virus Development
« Reply #60 on: September 18, 2005, 06:46:45 pm »
You suck at blocking out your buddy's name on the taskbar in that gif, screenor. =P
Har, I noticed it before I even uploaded the image, I am just too lazy to go back and fix it. If it had been someone's private screenname I would have done otherwise.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Virus Development
« Reply #61 on: September 18, 2005, 09:31:54 pm »
- the internet is not a serious place
- pr0j3kt m4yh3m is not a joke.

That made me chuckle. Contradicting yourself?

i mean i suppose its pretty fucking hard to type "pr0j3kt m4yh3m"
in google and not see all the websites that pop up about it?
theres even an article about pr0j3kt m4yh3m and whitehat hate crimes
in Wired Magazine.

http://www.google.com/search?q=pr0j3kt+m4yh3m+site%3Awired.com returns nothing? :(

I like this site info on pr0j3kt m4yh3m:

Quote
pr0j3kt m4yh3m originated in the third issue of the higly esteemed internet zine ~el8, but was later corrupted into a juvenile IRC channel takeover and a second-rate Phrack imitation by JimJones and the inhabitants of #darknet, who had absolutely nothing to do with the original pr0jekt m4yh3m

:'(

EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

That makes you no better than all the other wannabe blackhats out there, who admire the "true" "underground" "el8" "non-disclosure" blackhats that actually exist.
« Last Edit: September 18, 2005, 09:47:39 pm by Newby »
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Sidoh

  • Moderator
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Virus Development
« Reply #62 on: September 18, 2005, 09:55:51 pm »
From my observations, I've come to a conclusion.

The people who assosiate themselves with pr0j3kt m4yh3m are the outcasts of the internet.  They're pissed off that they suck at life, so they're rebelling by telling everyone they're going to hack the world.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #63 on: September 18, 2005, 11:38:52 pm »
EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

I hope neither side wins.  Blackhats will definitely never win, the internet is too strong.  But if Whitehats win, I'll be out of a job.  So let's just keep the combat up. 

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Virus Development
« Reply #64 on: September 18, 2005, 11:43:46 pm »
If Whitehats win, I'll be out of a job.  So let's just keep the combat up.

Sigged!
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Sidoh

  • Moderator
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Virus Development
« Reply #65 on: September 19, 2005, 12:22:52 am »
EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

I hope neither side wins.  Blackhats will definitely never win, the internet is too strong.  But if Whitehats win, I'll be out of a job.  So let's just keep the combat up. 

Awesome outlook, iago.  :)

trust

  • Guest
Re: Virus Development
« Reply #66 on: September 19, 2005, 06:35:57 pm »
EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

I hope neither side wins.  Blackhats will definitely never win, the internet is too strong.  But if Whitehats win, I'll be out of a job.  So let's just keep the combat up. 

Nerd, for some reason that reminded me of STARWARS@!!~!@!#!@#$!~!@~!@~~~~~~

Offline zorm

  • Hero Member
  • *****
  • Posts: 591
    • View Profile
    • Zorm's Page
Re: Virus Development
« Reply #67 on: September 19, 2005, 09:04:16 pm »
Back onto the orginal topic. I came across an interesting way of 'infecting' a windows machine awhile back however it would still require an exploit to get the code onto the windows machine in the first place.

When you look at most of the evil(to avoid the virus/worm/trojan debate I'll refer to it as evil) code out there for windows now it is all destructive. Destructive in that it crashes the windows machine it is running on so its rather obvious that something bad has happened. What would the impact have been if things like Blaster didn't invoke a crash and restart? I'd being willing to argue that with the evil code out there today its actually safer to be running windows vs. linux because of the fact that its easier to hide on linux than it is on windows.
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Virus Development
« Reply #68 on: September 19, 2005, 09:34:55 pm »
What would the impact have been if things like Blaster didn't invoke a crash and restart?

It would have been utterly useless. Just a plain worm that did absolutely nothing but spread. No fun whatsoever.

I'd being willing to argue that with the evil code out there today its actually safer to be running windows vs. linux because of the fact that its easier to hide on linux than it is on windows.

Quik compiled some "evil" code on my machine (d.c).

Not only did it succeed in consuming all of my memory (very noticeable when programs start crashing) AND spawn a root shell (I guess this is harmless), he now had full access to my system. With full access, a quick rm -rf / and everything is gone. Very noticeable indeed.

I think it's safer to say that with Linux, it's harder to hide the virus. A lot harder. A Linux virus, even if it corrupts ps, won't corrupt /proc more than likely, so hiding itself is virtually useless.
newby@impaler:~$ echo "There are really" `ls -d /proc/* | grep [0-9] | wc -l` "processes running on my boxen." ;
echo "ps tells me there are" `ps aux | wc -l` "processes running. Hmm.."
There are really 145 processes running on my boxen.
ps tells me there are 145 processes running. Hmm..

When they don't show up evenly, you know there is something wrong with your system.

Also, most linux viruses, to my knowledge, are just exploits that end up crashing your system or spawning some root shell which will cat /dev/urandom > every drive outputted in df -h, which is hard to not notice.

I had a virus on my Win98 ME box once. The only reason I knew I had one is because netstat returned something connected to 6667. I didn't use IRC at the time.

Hmm... the process list looks normal. ??? What could it be?

I had to reformat to get rid of it.

* Newby shrugs.
« Last Edit: September 19, 2005, 09:36:31 pm by Newby »
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #69 on: September 19, 2005, 09:50:54 pm »
It's easy to hide code on both Windows and Linux, and on every other OS that I know of.  Once malicious code gets into your machine, there's really no way to guarentee that it's ever gone.  If anybody asks me what to do after they get a virus or something, I tell them to format.  That's the only way to be sure. 

The trick is, to hide code, you generally need to do kernel modification (a rootkit, or kernel module, or system driver, or anything like that).  On Windows, every use (almost) runs as Administrator, so any malicious program can do that.  On Linux, most users run at the user level, so it would be harder to hide malicious code.  But still possible, though, since you can hide malicious code (as a few examples) as a Firefox extension, as a Gaim plugin, and probably a dozen other places.  But at least, when you're a user, you can't hide it in program executables (infecting /usr/bin/ls or C:\windows\sytem32\explorer.exe, or wherever explorer is, is evil). 

To summarize: if you're running as root/administrator, on either Windows or Linux, there are tons of places to hide evil code, it's game over.
If you're running as a user, it's more difficult, but still possible. 

Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • View Profile
    • Maide
Re: Virus Development
« Reply #70 on: September 19, 2005, 09:54:54 pm »
One of my friends made a blizzard specific virus, which hooked the logging in of diablo2 and starcraft and stole the login, password and cdkey.  It created files in the C:\windows\font folder.  Windows is really gay with that folder, not letting you see the contents of it other then fonts.  It then infected scvhost.  It has a remote control program 'Minimo'(?), and was pretty good for undectable.  Nortan, macafee, avg, nod32 didn't find anything wrong with it, and he got lots of diablo 2 characters and items, and cdkeys too.  Written in C++ (I have the source) and very light weight.
And like a fool I believed myself, and thought I was somebody else...

Offline zorm

  • Hero Member
  • *****
  • Posts: 591
    • View Profile
    • Zorm's Page
Re: Virus Development
« Reply #71 on: September 19, 2005, 11:04:46 pm »

Quik compiled some "evil" code on my machine (d.c).

Not only did it succeed in consuming all of my memory (very noticeable when programs start crashing) AND spawn a root shell (I guess this is harmless), he now had full access to my system. With full access, a quick rm -rf / and everything is gone. Very noticeable indeed.

I think it's safer to say that with Linux, it's harder to hide the virus. A lot harder. A Linux virus, even if it corrupts ps, won't corrupt /proc more than likely, so hiding itself is virtually useless.
newby@impaler:~$ echo "There are really" `ls -d /proc/* | grep [0-9] | wc -l` "processes running on my boxen." ;
echo "ps tells me there are" `ps aux | wc -l` "processes running. Hmm.."
There are really 145 processes running on my boxen.
ps tells me there are 145 processes running. Hmm..

When they don't show up evenly, you know there is something wrong with your system.

Also, most linux viruses, to my knowledge, are just exploits that end up crashing your system or spawning some root shell which will cat /dev/urandom > every drive outputted in df -h, which is hard to not notice.

I had a virus on my Win98 ME box once. The only reason I knew I had one is because netstat returned something connected to 6667. I didn't use IRC at the time.

Hmm... the process list looks normal. ??? What could it be?

I had to reformat to get rid of it.

* Newby shrugs.

How many users are going to actually compare the output of ps and /proc? Most normal users aren't going to do that and as such a virus would have an easy time hiding. Compared to windows where Blaster and the other recent worm have triggered reboots that notify the user via a dialog making it insanely hard to miss that something is wrong.

Quote from: iago
It's easy to hide code on both Windows and Linux, and on every other OS that I know of.  Once malicious code gets into your machine, there's really no way to guarentee that it's ever gone.  If anybody asks me what to do after they get a virus or something, I tell them to format.  That's the only way to be sure.

The trick is, to hide code, you generally need to do kernel modification (a rootkit, or kernel module, or system driver, or anything like that).  On Windows, every use (almost) runs as Administrator, so any malicious program can do that.  On Linux, most users run at the user level, so it would be harder to hide malicious code.  But still possible, though, since you can hide malicious code (as a few examples) as a Firefox extension, as a Gaim plugin, and probably a dozen other places.  But at least, when you're a user, you can't hide it in program executables (infecting /usr/bin/ls or C:\windows\sytem32\explorer.exe, or wherever explorer is, is evil).

To summarize: if you're running as root/administrator, on either Windows or Linux, there are tons of places to hide evil code, it's game over.
If you're running as a user, it's more difficult, but still possible.

Actually the method im thinking of would infect explorer but as far as I know doesn't require administrator or even write access to explorer.exe only to c:\. I still say the average user is more likely to notice an infection on Windows simply because of the way it is setup for simplicity.

Quote from: Blaze
One of my friends made a blizzard specific virus, which hooked the logging in of diablo2 and starcraft and stole the login, password and cdkey.  It created files in the C:\windows\font folder.  Windows is really gay with that folder, not letting you see the contents of it other then fonts.  It then infected scvhost.  It has a remote control program 'Minimo'(?), and was pretty good for undectable.  Nortan, macafee, avg, nod32 didn't find anything wrong with it, and he got lots of diablo 2 characters and items, and cdkeys too.  Written in C++ (I have the source) and very light weight.

You should clarify, its not Windows messing with c:\windows\font but Explorer. Also small viruses tend not to be picked up by major antivirus software. I suspect you'd have to infect x many people with x being in the thousands to hundreds of thousands range before they start trying to detect you.
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • View Profile
    • Maide
Re: Virus Development
« Reply #72 on: September 19, 2005, 11:16:23 pm »
And explorer is a part of windows.

You're probably right about the rate.

When I do a virus scan, I want to scan my files for anything that could be malicious, and if something is found, bring it to my attention.  I know how long this would take but I've got all night to do it.  There is nothing worse then a false sense of security..
And like a fool I believed myself, and thought I was somebody else...

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #73 on: September 20, 2005, 12:04:28 am »
Actually the method im thinking of would infect explorer but as far as I know doesn't require administrator or even write access to explorer.exe only to c:\. I still say the average user is more likely to notice an infection on Windows simply because of the way it is setup for simplicity.

Well, there's always the "C:\program.exe" attack vector.  Does that still work?


Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Virus Development
« Reply #74 on: September 20, 2005, 01:01:57 am »
How many users are going to actually compare the output of ps and /proc? Most normal users aren't going to do that and as such a virus would have an easy time hiding. Compared to windows where Blaster and the other recent worm have triggered reboots that notify the user via a dialog making it insanely hard to miss that something is wrong.

Uh, ones that know something is wrong with their system are going to compare ps and /proc. If they don't know about /proc, they don't know much about Linux.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Koga73

  • Newbie
  • *
  • Posts: 19
  • I'm new here!
    • View Profile
Re: Virus Development
« Reply #75 on: September 20, 2005, 03:15:17 pm »
talkin about viruses... well, i read the initial post with the floppy and all, and alot of motherboards now days can update their bios, so if u really wanna fuck up some1s computer (i wouldnt do this), just make an exe that copies some files onto a floppy if one is in the drive, and if it copies successfully, make it reboot. Make one of the files be a fake bios update so itll totally mess up the bios rendering the motherboard pretty much unusable.

Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • View Profile
    • Maide
Re: Virus Development
« Reply #76 on: September 20, 2005, 03:23:55 pm »
I think that was already stated, or something around that lines.

I wonder if every programmer on this board released worms how fast they would get hunted down... Not that we would do that.
And like a fool I believed myself, and thought I was somebody else...

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #77 on: September 20, 2005, 07:32:43 pm »
talkin about viruses... well, i read the initial post with the floppy and all, and alot of motherboards now days can update their bios, so if u really wanna fuck up some1s computer (i wouldnt do this), just make an exe that copies some files onto a floppy if one is in the drive, and if it copies successfully, make it reboot. Make one of the files be a fake bios update so itll totally mess up the bios rendering the motherboard pretty much unusable.

Most motherboards come with a BIOS flash disk, so you can re-load the bios if it gets corrupted.  Of course, that doesn't always work, as my friend found out.  But they gave him a new motherboard, so.. :)

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Virus Development
« Reply #78 on: September 20, 2005, 07:53:09 pm »
Comparing BIOS to system software is about impossible, but I'll try anyhow. The Macintosh Classic II (and others?) had System 6(.0.4?) installed in its ROM, so if you ever needed to restore it, you would just restart with some fancy command combo (like how Apple+C = CD, Apple+T = Firewire HD) and drag it from the ROM disk to your HD. Back to BIOS, some mobo's might be like that.

EDIT -
Come to discuss it, where is the BIOS software, for lack of a better term, stored? I always though it lived in the ROM chip.
EDIT2: Perhaps on an EP-ROM chip, so it can be upgraded? But then it'd have to be exposed to UV..
« Last Edit: September 20, 2005, 07:59:55 pm by Joe[e2] »
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
    • View Profile
Re: Virus Development
« Reply #79 on: September 20, 2005, 08:07:06 pm »
FYI: ls returning a seg fault is a common symptom of a machine that's been rooted and has a rootkit installed. Often times, comparing ps and /proc isn't necessary.

Also, don't assume that every malicious file will crash the system or even cause strange things like program crashing and memory consumption. If the windows virus or worm needs restart to fully establish and replicate, it would be more effective to wait for manual restart. Same with Linux exploits, it was just an effect of that one exploit which used consume_memory, not all will do this obviously, and it will be alot more tough to detect a compromised system than it was before.

As far as Windows vs. Linux as far as which is easier to mask infection, I'm not going to go into that. Too many things to bring up in that discussion, it makes no sense to argue it till the cows come home.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Virus Development
« Reply #80 on: October 04, 2005, 06:30:11 pm »
Newby, white chick, help me!

Quote
joe@JoeMomma:~ $ echo "There are really" `ls -d /proc/* | grep [0-9] | wc -l` "processes running on my boxen." ;
There are really 84 processes running on my boxen.
joe@JoeMomma:~ $ echo "ps tells me there are" `ps aux | wc -l` "processes running. Hmm.."
ps tells me there are 86 processes running. Hmm..
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #81 on: October 05, 2005, 06:35:28 pm »
I'm not entirely sure that that means anything useful. 

Anyway, on the topic of hiding a rootkit, here's a neat article I read a couple days ago:
http://www.phrack.org/phrack/63/p63-0x08_Raising_The_Bar_For_Windows_Rootkit_Detection.txt

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
    • View Profile
Re: Virus Development
« Reply #82 on: October 06, 2005, 03:55:16 pm »
how about a virus that can be downloaded and plan itself as a replacement kernel for windows following that it would have full control of the system calls within the systems and could have bad results.

I'm thinking overwriting the harddrive with zero's and going into SMM (System Management Mode) and doing something VERY evil.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #83 on: October 06, 2005, 11:46:25 pm »
how about a virus that can be downloaded and plan itself as a replacement kernel for windows following that it would have full control of the system calls within the systems and could have bad results.

That's what rootkits basically do.  They intercept syscalls.