Author Topic: Virus Development


Offline Joe

Virus Development
« on: September 15, 2005, 08:05:05 pm »
Alright, please, nobody lock/trash/delete/destroy this topic. For those of you who know me, I would never do anything like this (except to a test box of mine, which has nothing to lose anyhow), and the only ones who would want to do this would end up owning themselves before they could do it to anyone else.



The first method of "owning" a computer is very simple. When you start a computer, it goes through the POST (power on self test), detects your floppy drive, RAM amount (often checking it for errors), CD drives, hard drives, etc. After that, the BIOS will begin the BIOS boot sequence (call it what you want; that's not the official name (unless I'm lucky)), which is usually something along these lines:
1) Floppy Disk
2) CD Drive(s) (Dells have this after hard disks, press F12 to be given the boot menu)
3) Hard disks



The most simple (IMO) virus that can be written is simply making an MS-DOS startup disk and sticking it in your floppy drive (or a friend's (or a non-friend's)). Most of the world would have no clue what's going on when they see a DOS prompt. They'll probably hear their floppy drive though; they're pretty loud. Ineffective, unfun.

Another variant of this method is to make an MS-DOS boot disk, and have a simple QB program on it, something along these lines.
Code:
10 'Placeholder
20 Goto 10
Configure an autoexec.bat file to start your program (it must be compiled). This will require the QB runtime files, but they can fit on a floppy disk, so it's no problem. This will print absolutely nothing to their screen (it will, but it'll disappear quickly). Good way to make a friend (or enemy) think they fried something, assuming they didn't hear their drive.



This is where it gets serious. The above two will cause you no damage no matter how badly you screw it up (ok, there's a limit, but I think we're all above that). The below uses x86 ASM, about as low as you can get (no pun intended, =p).

The simplest ASM virus you can make is an empty bootloader. You'll need a few tools, namely NASM and PARTCOPY (both free). You'll also need a plain-text editor (I suggest UltraEdit-32, but Notepad works) to write your code in. Basically, you're fooling the computer into thinking you've written an operating system (or someone else has), and you want it loaded.
Code:
[bits 16]
[org 0x7c00]            ; the BIOS loads the boot sector at linear address 0x7C00
start:
jmp $                   ; jump to itself forever: the "empty" bootloader
times 510-($-$$) db 0   ; pad the image to 510 bytes
dw 0xAA55               ; boot signature most BIOSes require before they will execute the sector



Anyhow, that's all for now. Comment, add, correct, etc.
I'd personally do as Joe suggests

You might be right about that, Joe.
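A defender-side check for the kind of boot-sector overwrite described above, as an added example that is not code from this thread: it parses a 512-byte MBR, verifies the 0xAA55 signature, hashes the boot code against a recorded baseline and flags an empty partition table or a sector that begins with `jmp $`. Both sample sectors (the "known-good" code bytes and the overwritten one) are constructed inline.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"     # 0xAA55 stored little-endian at offset 510
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count

# Constructed sample boot code (not a real loader): CLI, XOR AX,AX, then hang
GOOD_CODE = b"\xfa\x31\xc0\xeb\xfe"
# 'jmp $' in 16-bit code assembles to EB FE: the thread's "empty bootloader"
JMP_SELF = b"\xeb\xfe"


def build_sample_mbr(code, partitions):
    """Assemble a constructed 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    if len(code) > PART_TABLE_OFFSET:
        raise ValueError("boot code must fit in the first 446 bytes")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    for i, (status, ptype, lba, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFFSET + 16 * i
        # CHS fields are left zero; modern firmware and OSes use the LBA fields
        sector[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return signature status, a hash of the boot code and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:   # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "has_signature": sector[510:512] == BOOT_SIGNATURE,
        "code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector, baseline_code_sha256):
    """Compare a sector against a recorded baseline; an empty list means nothing suspicious."""
    info = parse_mbr(sector)
    findings = []
    if not info["has_signature"]:
        findings.append("missing 0xAA55 boot signature")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("boot code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    if sector[:len(JMP_SELF)] == JMP_SELF:
        findings.append("boot code starts with 'jmp $' (hangs the machine)")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr(GOOD_CODE, [(0x80, 0x07, 2048, 1_000_000)])
    baseline = parse_mbr(good)["code_sha256"]
    print("known-good sector:", check_mbr(good, baseline) or "clean")
    # What copying the three-line NASM program over sector 0 leaves behind: the jump,
    # zero padding (which wipes the partition table) and the signature
    overwritten = JMP_SELF + bytes(SECTOR_SIZE - len(JMP_SELF) - 2) + BOOT_SIGNATURE
    print("overwritten sector:", check_mbr(overwritten, baseline))
```

On a real system the baseline hash would be taken from sector 0 at install time (for example with `dd` reading the first 512 bytes) and re-checked from trusted boot media, since a compromised OS can lie about its own disk.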


Offline Blaze

Re: Virus Development
« Reply #1 on: September 15, 2005, 08:08:42 pm »
All of your "virii" require floppy disks, and they don't do anything.
And like a fool I believed myself, and thought I was somebody else...

Offline iago

Re: Virus Development
« Reply #2 on: September 15, 2005, 08:27:24 pm »
Mm, sounds like the beginnings of a boot-sector virus.  Those are ancient, and rarely used anymore since Windows NT+ won't load if there is something else loaded. 


Offline Joe

Re: Virus Development
« Reply #3 on: September 15, 2005, 08:32:50 pm »
Quote
All of your "virii" require floppy disks
No they don't. partcopy that ASM one to your hard disk. It'll work nicely.

Quote
and they don't do anything.
Again, partcopy that to your hard disk, and when you finally get back, tell me that again. =p


Offline Joe

Re: Virus Development
« Reply #4 on: September 15, 2005, 08:33:37 pm »
Quote
Mm, sounds like the beginnings of a boot-sector virus.
Yup.

Quote
and rarely used anymore since Windows NT+ won't load if there is something else loaded.
Exactly. =)


Offline Quik

Re: Virus Development
« Reply #5 on: September 15, 2005, 08:48:50 pm »
Quote
Mm, sounds like the beginnings of a boot-sector virus.
Yup.

Quote
and rarely used anymore since Windows NT+ won't load if there is something else loaded.
Exactly. =)

Want to have a little fun a la zorm, that has the same effect as all your code? Delete file in C:\WINDOWS\system32\ called lsass.exe and reboot.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline iago

Re: Virus Development
« Reply #6 on: September 15, 2005, 08:53:18 pm »
Quote
and rarely used anymore since Windows NT+ won't load if there is something else loaded.
Exactly. =)
Then an "addition" for you would be, "totally useless"?

Offline Blaze

Re: Virus Development
« Reply #7 on: September 15, 2005, 09:07:32 pm »
A virus that says bye to your master boot record is a virus I don't want to have.

A perfect virus in my mind would be something that infects your computer, infects every file on your computer, infects BIOS, then runs itself as an operating system and takes remote commands to do anything, including infecting others, ddosing, using as a proxy, etc.

Offline Newby

Re: Virus Development
« Reply #8 on: September 15, 2005, 09:20:55 pm »
A perfect virus (in my mind) would flash your BIOS, thus rendering your computer useless.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Quik

Re: Virus Development
« Reply #9 on: September 15, 2005, 09:21:32 pm »
A virus that says bye to your master boot record is a virus I don't want to have.

A perfect virus in my mind would be something that infects your computer, infects every file on your computer, infects BIOS, then runs itself as an operating system and takes remote commands to do anything, including infecting others, ddosing, using as a proxy, etc.

I was half expecting you to describe the steps to installing Linux :p

Offline iago

Re: Virus Development
« Reply #10 on: September 15, 2005, 11:09:42 pm »
A virus that says bye to your master boot record is a virus I don't want to have.

A perfect virus in my mind would be something that infects your computer, infects every file on your computer, infects BIOS, then runs itself as an operating system and takes remote commands to do anything, including infecting others, ddosing, using as a proxy, etc.

I was half expecting you to describe the steps to installing Linux :p

Actually, it sounds more like he's talking about installing Windows. 

Linux prompts you to overwrite the boot record, and recommends not to.  And Linux is rarely a part in ddosing, that tends to be Windows too. 


Offline Blaze

Re: Virus Development
« Reply #11 on: September 15, 2005, 11:17:31 pm »
One of the funniest viruses I've heard of is the Stoner virus. (I think it's an oldie.)

A funny virus would download and install a distro of linux, and remove windows. :P

Offline Quik

Re: Virus Development
« Reply #12 on: September 15, 2005, 11:19:39 pm »
A virus that says bye to your master boot record is a virus I don't want to have.

A perfect virus in my mind would be something that infects your computer, infects every file on your computer, infects BIOS, then runs itself as an operating system and takes remote commands to do anything, including infecting others, ddosing, using as a proxy, etc.

I was half expecting you to describe the steps to installing Linux :p

Actually, it sounds more like he's talking about installing Windows.

Linux prompts you to overwrite the boot record, and recommends not to. And Linux is rarely a part in ddosing, that tends to be Windows too.



I know, halfway through his description, though, it seemed like he was going to recommend installing Linux. Guess it didn't turn out that way.

Offline iago

Re: Virus Development
« Reply #13 on: September 15, 2005, 11:23:55 pm »
One of the funniest viruses I've heard of is the Stoner virus. (I think it's an oldie.)

A funny virus would download and install a distro of linux, and remove windows. :P

The funniest virus (well, worm) in my opinion (and I have a sick sense of humour) is W32/Witty

Why? For a couple reasons:
- It attacked a firewall, specifically, BlackIce
- The worm's data contained the string, " (^.^)      insert witty message here      (^.^)"
- It would write random crap to the harddrive, making the computer unusable.  I thought that was pretty funny!

Offline Joe

Re: Virus Development
« Reply #14 on: September 15, 2005, 11:34:32 pm »
Ouch!


Offline Quik

Re: Virus Development
« Reply #15 on: September 15, 2005, 11:55:18 pm »
I like the trojan that encrypted files and charged cash for the decryption. Any Asian kid can put "^_^_^__^_^_^" in a file and be 'witty'.

Offline iago

Re: Virus Development
« Reply #16 on: September 16, 2005, 12:00:49 am »
I like the trojan that encrypted files and charged cash for the decryption. Any Asian kid can put "^_^_^__^_^_^" in a file and be 'witty'.

But they don't all exploit a program designed to protect you!

It's all of those reasons together that make it fun :)

Offline Joe

Re: Virus Development
« Reply #17 on: September 16, 2005, 12:03:00 am »
Quote
I like the trojan that encrypted files and charged cash for the decryption. Any Asian kid can put "^_^_^__^_^_^" in a file and be 'witty'.
I'd sue him; it works the other way around. =p

On a side note, guys, I'd appreciate it if you discussed virus development, instead of laughing at funny ones (by no means am I saying that isn't funny).


Offline Screenor

Re: Virus Development
« Reply #18 on: September 16, 2005, 09:12:05 am »
Trojans are so much more fun than viruses, but sadly easier to detect. Really the only fun I'd have with a "virus" would be if it detected when there was a window opened and suddenly ended the process, but eh, those sorts of things are fun to do to people you dislike.

Or if it disables control of the user's mouse, that would be a hell of a lot of fun.

Offline iago

Re: Virus Development
« Reply #19 on: September 16, 2005, 02:52:29 pm »
Trojans are so much more fun than viruses, but sadly easier to detect. Really the only fun I'd have with a "virus" would be if it detected when there was a window opened and suddenly ended the process, but eh, those sorts of things are fun to do to people you dislike.

Or if it disables control of the user's mouse, that would be a hell of a lot of fun.
Do you know the proper definition of a Trojan?  I think what you're talking about is a remote-access-trojan, which is a subclass of Trojans.  A Trojan, like the Horse, is a program that looks nice but has an evil side.  It sneaks in under the guise of an innocent program, then infects the machine. 

Anyways, I was thinking.  Joe, those aren't viruses.  They're just annoyances.  By definition, a virus infects programs or files already on your computer.  Here is a definition from the "Free On-line Dictionary of Computing":
Quote
A program or piece of code written by a cracker that "infects"
one or more other programs by embedding a copy of itself in
them, so that they become Trojan horses. When these
programs are executed, the embedded virus is executed too,
thus propagating the "infection". This normally happens
invisibly to the user.

Offline Joe

Re: Virus Development
« Reply #20 on: September 16, 2005, 10:54:07 pm »
Well, I don't know if it qualifies as a program, but this infects your bootsector. =) (the latter examples, I mean)


Offline RoMi

Re: Virus Development
« Reply #21 on: September 16, 2005, 10:57:41 pm »
Manual Override virus is the funniest, it stopped all the fans on your comp and made it calculate pi.
-RoMi

Offline Quik

Re: Virus Development
« Reply #22 on: September 16, 2005, 11:56:05 pm »
Manual Override virus is the funniest, it stopped all the fans on your comp and made it calculate pi.

I've seen some malicious trojans that overclocked the cpu to the max and have heard stories about it burning holes in the motherboard.

Offline Newby

Re: Virus Development
« Reply #23 on: September 17, 2005, 12:12:16 am »
Those sound like fun.

Offline Screenor

Re: Virus Development
« Reply #24 on: September 17, 2005, 09:04:51 am »
Trojans are so much more fun than viruses, but sadly easier to detect. Really the only fun I'd have with a "virus" would be if it detected when there was a window opened and suddenly ended the process, but eh, those sorts of things are fun to do to people you dislike.

Or if it disables control of the user's mouse, that would be a hell of a lot of fun.
Do you know the proper definition of a Trojan?  I think what you're talking about is a remote-access-trojan, which is a subclass of Trojans.  A Trojan, like the Horse, is a program that looks nice but has an evil side.  It sneaks in under the guise of an innocent program, then infects the machine. 

Anyways, I was thinking.  Joe, those aren't viruses.  They're just annoyances.  By definition, a virus infects programs or files already on your computer.  Here is a definition from the "Free On-line Dictionary of Computing":
Quote
A program or piece of code written by a cracker that "infects"
one or more other programs by embedding a copy of itself in
them, so that they become Trojan horses. When these
programs are executed, the embedded virus is executed too,
thus propagating the "infection". This normally happens
invisibly to the user.
Still falling under the definition of a trojan nonetheless.

Offline iago

Re: Virus Development
« Reply #25 on: September 17, 2005, 10:38:00 am »
Trojans are so much more fun than viruses, but sadly easier to detect. Really the only fun I'd have with a "virus" would be if it detected when there was a window opened and suddenly ended the process, but eh, those sorts of things are fun to do to people you dislike.

Or if it disables control of the user's mouse, that would be a hell of a lot of fun.
Do you know the proper definition of a Trojan?  I think what you're talking about is a remote-access-trojan, which is a subclass of Trojans.  A Trojan, like the Horse, is a program that looks nice but has an evil side.  It sneaks in under the guise of an innocent program, then infects the machine. 

Anyways, I was thinking.  Joe, those aren't viruses.  They're just annoyances.  By definition, a virus infects programs or files already on your computer.  Here is a definition from the "Free On-line Dictionary of Computing":
Quote
A program or piece of code written by a cracker that "infects"
one or more other programs by embedding a copy of itself in
them, so that they become Trojan horses. When these
programs are executed, the embedded virus is executed too,
thus propagating the "infection". This normally happens
invisibly to the user.
Still falling under the definition of a trojan nonetheless.
But they aren't "trojans" in general, which is what you said.  And they aren't easier to detect; in fact, by the definition of a Trojan, they're harder to detect. 

Joe - you don't "infect" anything, you just overwrite.  There's a difference.

Romi/Quik - eww, user accounts shouldn't even have access to do that kind of thing, and there's a good reason :)

Offline Screenor

Re: Virus Development
« Reply #26 on: September 17, 2005, 11:17:20 am »
Trojans are so much more fun than viruses, but sadly easier to detect. Really the only fun I'd have with a "virus" would be if it detected when there was a window opened and suddenly ended the process, but eh, those sorts of things are fun to do to people you dislike.

Or if it disables control of the user's mouse, that would be a hell of a lot of fun.
Do you know the proper definition of a Trojan?  I think what you're talking about is a remote-access-trojan, which is a subclass of Trojans.  A Trojan, like the Horse, is a program that looks nice but has an evil side.  It sneaks in under the guise of an innocent program, then infects the machine. 

Anyways, I was thinking.  Joe, those aren't viruses.  They're just annoyances.  By definition, a virus infects programs or files already on your computer.  Here is a definition from the "Free On-line Dictionary of Computing":
Quote
A program or piece of code written by a cracker that "infects"
one or more other programs by embedding a copy of itself in
them, so that they become Trojan horses. When these
programs are executed, the embedded virus is executed too,
thus propagating the "infection". This normally happens
invisibly to the user.
Still falling under the definition of a trojan nonetheless.
But they aren't "trojans" in general, which is what you said.  And they aren't easier to detect; in fact, by the definition of a Trojan, they're harder to detect. 

Joe - you don't "infect" anything, you just overwrite.  There's a difference.

Romi/Quik - eww, user accounts shouldn't even have access to do that kind of thing, and there's a good reason :)
A remote control trojan would, however, because it's obviously sending out packets; if you turn off anything else that needs to connect to the internet to work, you can easily find out. Now if you'd answer my AIMs that would be great.

Offline iago

Re: Virus Development
« Reply #27 on: September 17, 2005, 01:10:59 pm »
A remote control trojan would, however, because it's obviously sending out packets; if you turn off anything else that needs to connect to the internet to work, you can easily find out. Now if you'd answer my AIMs that would be great.

It's not "remote control trojan", the class of trojans is named "Remote Access Trojan", or "RAT". 

I don't understand what you mean by the next sentence.  I know of very few trojans or viruses (yes, viruses, virii isn't a proper word) that turn off your internet connection since they're usually trying to stay hidden. 

When I got your message you were offline so I closed the Window.  Plus, I haven't answered anybody this morning, I've spent all morning going to the store, eating breakfast, fixing my aunt's computer, helping my mom paint a room, and helping my stepdad clean the swimming pool.  I'm not exactly sitting here waiting for messages. 


Offline Screenor

Re: Virus Development
« Reply #28 on: September 17, 2005, 01:49:06 pm »
A remote control trojan would, however, because it's obviously sending out packets; if you turn off anything else that needs to connect to the internet to work, you can easily find out. Now if you'd answer my AIMs that would be great.

It's not "remote control trojan", the class of trojans is named "Remote Access Trojan", or "RAT". 

I don't understand what you mean by the next sentence.  I know of very few trojans or viruses (yes, viruses, virii isn't a proper word) that turn off your internet connection since they're usually trying to stay hidden. 

When I got your message you were offline so I closed the Window.  Plus, I haven't answered anybody this morning, I've spent all morning going to the store, eating breakfast, fixing my aunt's computer, helping my mom paint a room, and helping my stepdad clean the swimming pool.  I'm not exactly sitting here waiting for messages. 


You also never answer any other message I send you.

And, for the remote access trojan thing, it's very easy to tell, as seen in the link below.

http://screend-productions.net/packsk.gif

If you run a packet sniffer throughout the night, with every other program that needs to connect/has the ability to connect to the internet to work (i.e. Steam, AIM, MSN, Firefox, whatever), you can tell if you do have something sending out information about your computer on a regular basis, because chances are it's going to do it at least once every so-and-so number of hours, and if it wants to send anything, there's going to be another IP involved, which a good packet sniffer will pick up. (Note: I never said it'll ever get rid of the trojan (remote access, don't get technical on this iago); it'll just give you some way of knowing you have one.)
« Last Edit: September 17, 2005, 02:11:52 pm by Scr33n0r »

Offline Sidoh

Re: Virus Development
« Reply #29 on: September 17, 2005, 02:15:02 pm »
That's a lot of work for trying to justify an ignorant mistake, Screenor.  Maybe you should just accept iago's right? O_o

Offline Ergot

Re: Virus Development
« Reply #30 on: September 17, 2005, 02:26:20 pm »
Nice job filtering the Screen Names. You do know that his Screen Name is on the tab right?
Who gives a damn? I fuck sheep all the time.
And yes, male both ends.  There are a couple lesbians that need a two-ended dildo...My router just refuses to wear a strap-on.
(05:55:03) JoE ThE oDD: omfg good job i got a boner thinkin bout them chinese bitches
(17:54:15) Sidoh: I love cosmetology

Offline iago

Re: Virus Development
« Reply #31 on: September 17, 2005, 03:01:54 pm »
Who actually leaves a packetsniffer running overnight?  I mean, besides me (I have Snort running 24/7 to detect stuff like that) :P

Also, what happens if the trojan developer was smart and tunneled it over a known protocol? Like, what if they mimic AIM or MSN or HTTP or Steam or something else that you consider safe?  What happens if it tunnels commands over, say, ICMP? (Sure, the numbers will go up on the ICMP list, but if you look at them it'll look like somebody is pinging you). 

There is at least one backdoor that is controlled by ping packets.  I forget what it's called, but it's pretty cool. 

What about failed connections? Failed connections can also be used to control a program.  There's another backdoor for Linux (a proof of concept) that does communication through SYN and RST pairs, so to a packetlogger it looks like a series of failed connections, or a portscan.  There aren't even any data packets passed, the data is encoded in packet headers.  There are lots of ways to hide :)

What about one that connects to IRC, then idles until it gets a command?  You won't see packets unless it's being actively controlled, so you won't see it happening unless it's actively being used.  That's another one you won't pick up unless you leave a packetsniffer running 24/7. 

Yes, some remote access programs can be found by packetlogging, but that's not always the case. 
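One concrete form of the overnight packet-logging check Screenor describes, and of the gap iago points out, as an added example that is not code from this thread: a periodicity detector over constructed outbound flow records (one record per connection or ICMP exchange; addresses are from the RFC 5737 documentation ranges). It flags destinations contacted at a near-constant interval regardless of port, so a beacon posing as HTTPS or riding on ICMP echo is caught, while the jittered beacon and the idle IRC connection pass, which is exactly the limit of timing-based detection.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound flow records: (epoch seconds, protocol, destination, destination port).
# None of this is captured traffic; the timings are chosen to show each case.
SAMPLE_FLOWS = [
    # ordinary browsing: irregular timing
    (37, "tcp", "203.0.113.5", 443), (412, "tcp", "203.0.113.5", 443),
    (2900, "tcp", "203.0.113.5", 443), (3301, "tcp", "203.0.113.5", 443),
    (9000, "tcp", "203.0.113.5", 443),
    # beacon that mimics HTTPS: same host, exactly every 3600 s
    (100, "tcp", "192.0.2.77", 443), (3700, "tcp", "192.0.2.77", 443),
    (7300, "tcp", "192.0.2.77", 443), (10900, "tcp", "192.0.2.77", 443),
    (14500, "tcp", "192.0.2.77", 443),
    # "ping" channel: ICMP echo to one host every 600 s (port recorded as 0)
    (200, "icmp", "192.0.2.10", 0), (800, "icmp", "192.0.2.10", 0),
    (1400, "icmp", "192.0.2.10", 0), (2000, "icmp", "192.0.2.10", 0),
    (2600, "icmp", "192.0.2.10", 0), (3200, "icmp", "192.0.2.10", 0),
    # jittered beacon: randomised intervals defeat a pure periodicity test
    (1000, "tcp", "192.0.2.150", 80), (1900, "tcp", "192.0.2.150", 80),
    (3400, "tcp", "192.0.2.150", 80), (4000, "tcp", "192.0.2.150", 80),
    (5800, "tcp", "192.0.2.150", 80),
    # IRC-style: one connection, then idle; there is nothing periodic to see
    (50, "tcp", "192.0.2.99", 6667),
]


def find_beacons(flows, min_events=4, max_cv=0.1):
    """Group flows by (proto, dst, dport) and flag destinations contacted at a near-constant interval.

    The coefficient of variation (std dev / mean) of the inter-arrival gaps is the
    periodicity score: 0.0 is a perfect clock, anything above max_cv is treated as
    human or application driven.  Port numbers are deliberately ignored, so a
    beacon hiding on 443 or inside ICMP is judged on timing alone.
    """
    by_dst = defaultdict(list)
    for ts, proto, dst, dport in flows:
        by_dst[(proto, dst, dport)].append(ts)

    hits = []
    for (proto, dst, dport), times in by_dst.items():
        if len(times) < min_events:
            continue                      # too few events to call anything periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue                      # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            hits.append({"proto": proto, "dst": dst, "dport": dport,
                         "events": len(times), "period_s": round(period, 1),
                         "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["dst"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(hit)
```

Lowering max_cv or raising min_events trades missed jittered beacons against false positives from legitimate pollers such as mail or update checks, so the output is a lead for inspection, not a verdict.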

Offline Sidoh

Re: Virus Development
« Reply #32 on: September 17, 2005, 03:22:47 pm »
Who actually leaves a packetsniffer running overnight?  I mean, besides me (I have Snort running 24/7 to detect stuff like that) :P

Also, what happens if the trojan developer was smart and tunneled it over a known protocol? Like, what if they mimic AIM or MSN or HTTP or Steam or something else that you consider safe?  What happens if it tunnels commands over, say, ICMP? (Sure, the numbers will go up on the ICMP list, but if you look at them it'll look like somebody is pinging you). 

There is at least one backdoor that is controlled by ping packets.  I forget what it's called, but it's pretty cool. 

What about failed connections? Failed connections can also be used to control a program.  There's another backdoor for Linux (a proof of concept) that does communication through SYN and RST pairs, so to a packetlogger it looks like a series of failed connections, or a portscan.  There aren't even any data packets passed, the data is encoded in packet headers.  There are lots of ways to hide :)

What about one that connects to IRC, then idles until it gets a command?  You won't see packets unless it's being actively controlled, so you won't see it happening unless it's actively being used.  That's another one you won't pick up unless you leave a packetsniffer running 24/7. 

Yes, some remote access programs can be found by packetlogging, but that's not always the case. 

Owned?  Mmhm.

Offline c0n

Re: Virus Development
« Reply #33 on: September 17, 2005, 06:08:29 pm »
that isn't a virus... a virus needs to reproduce itself and distribute itself.

Offline iago

Re: Virus Development
« Reply #34 on: September 17, 2005, 06:47:51 pm »
that isn't a virus... a virus needs to reproduce itself and distribute itself.

That's what I said.  Glad to know you can repeat, while still managing to get it wrong!  A virus doesn't need to distribute itself to be a virus. 

Offline Screenor

Re: Virus Development
« Reply #35 on: September 17, 2005, 08:41:21 pm »
Nice job filtering the Screen Names. You do know that his Screen Name is on the tab right?
If you don't have anything intelligent to say, or at least something that would contribute to the topic, don't reply.

I realized I didn't while I was uploading the file, and I had thought I posted in my post that I was just too lazy to go back and remove it. If you're mature enough, you won't message him anyway; he WILL tell me you did.

And iago: I do, if that's not that much for you to accept. :P

My idea of a fun virus:

Description:
This file is similar to the "BOOM" program, except it is about 200% better in terms of actually doing stuff instead of looking cool. Plus it ain't no joke. This is what is called a .vbs virus, which means, in contrast to what most people think of a virus, it isn't an .exe but works the same way - just invisible. The reason vbs is good is because you can mask it as other files (which I have done for you). You can set it to look like a txt file, and even open and display text as though it was a text file...except you have been infected with the virus. This is extremely helpful because the person doesn't know they've been infected. I have a list of the things that it does once infected:
1. Displays messagebox saying "n0 EscApE".
2. Copies, and recopies itself to the system root.
3. Activates anti-delete by making the computer think it's a system file.
4. Randomly will display the messagebox.
5. Will save fake explicit photos and text on the A: and C: disk drives.
6. It will secretly attach itself to an email, then invisibly send itself to every single person in the victims' email directory.
7. Loops for the next victim, then on, and on, and on...

(Not idea, to be technical, I have this file, I just don't go and give it to people.)
« Last Edit: September 17, 2005, 08:43:43 pm by Scr33n0r »

Offline Sidoh

Re: Virus Development
« Reply #36 on: September 17, 2005, 09:09:00 pm »
Ghey! :p

Offline iago

Re: Virus Development
« Reply #37 on: September 17, 2005, 10:00:38 pm »
And iago: I do, if that's not too much for you to accept. :P
You do what?  My post was rather lengthy with many suggestions..

Quote
My idea of a fun virus:

Description:
This file is similar to the "BOOM" program, except it is about 200% better in terms of actually doing stuff instead of looking cool. Plus it ain't no joke. This is what is called a .vbs virus, which means, in contrast to what most ppl think of a virus, it isn't an .exe but works the same way - just invisible. The reason vbs is good is because you can mask it as other files (which i have done for you). You can set it to look like a txt file, and even open and display text as though it was a text file...except you have been infected with the virus. This is extremely helpful because the person doesn't know they've been infected. I have a list of the things that it does once infected:
1. Displays a messagebox saying "n0 EscApE".
2. Copies, and recopies, itself to the system root.
3. Activates anti-delete by making the computer think it's a system file.
4. Randomly will display the messagebox.
5. Will save fake explicit photos and text on the A: and C: disk drives.
6. It will secretly attach itself to an email, then invisibly send itself to every single person in the victim's email directory.
7. Loops for the next victim, then on, and on, and on...

(Not an idea, to be technical; I have this file, I just don't go and give it to people.)
That's boring; that's been done so many times for so many different viruses that it's just boring.

Offline Screenor

Re: Virus Development
« Reply #38 on: September 17, 2005, 11:55:12 pm »
And iago: I do, if that's not too much for you to accept. :P
You do what?  My post was rather lengthy with many suggestions..

Quote
My idea of a fun virus:

Description:
This file is similar to the "BOOM" program, except it is about 200% better in terms of actually doing stuff instead of looking cool. Plus it ain't no joke. This is what is called a .vbs virus, which means, in contrast to what most ppl think of a virus, it isn't an .exe but works the same way - just invisible. The reason vbs is good is because you can mask it as other files (which i have done for you). You can set it to look like a txt file, and even open and display text as though it was a text file...except you have been infected with the virus. This is extremely helpful because the person doesn't know they've been infected. I have a list of the things that it does once infected:
1. Displays a messagebox saying "n0 EscApE".
2. Copies, and recopies, itself to the system root.
3. Activates anti-delete by making the computer think it's a system file.
4. Randomly will display the messagebox.
5. Will save fake explicit photos and text on the A: and C: disk drives.
6. It will secretly attach itself to an email, then invisibly send itself to every single person in the victim's email directory.
7. Loops for the next victim, then on, and on, and on...

(Not an idea, to be technical; I have this file, I just don't go and give it to people.)
That's boring; that's been done so many times for so many different viruses that it's just boring.

Er, run a packet sniffer.* I just do it maybe once a week, because if I logged that much, I'd be out of HDD space in no time.

Offline c0n

Re: Virus Development
« Reply #39 on: September 18, 2005, 04:27:59 am »
that isnt a virus... a virus needs to reproduce itself and distribute itself.

That's what I said.  Glad to know you can repeat, while still managing to get it wrong!  A virus doesn't need to distribute itself to be a virus. 

i didnt read all the posts.. i skimmed the first 2 or whatever and then decided that i would say that.

but a virus would be completely stupid if it wasnt distributed in some way... but i guess ur right that it doesnt need to. it does need to reproduce itself though.
i didnt repeat you knowing that i was repeating you. i also think that any successful virus would need to find a means of distributing itself to be... well... successful
so i guess i can safely say that a virus will reproduce itself & distribute itself.

so this means i wasnt really wrong. i was just being smarter and including a characteristic that basically every virus includes... a way of distributing itself across the interweb.
there's no reason to leave that out.

whitehat scum
« Last Edit: September 18, 2005, 04:38:53 am by c0n »

Offline Krazed

Re: Virus Development
« Reply #40 on: September 18, 2005, 07:47:09 am »
You are honestly a fucking moron..
It is good to be good, but it is better to be lucky.

Offline iago

Re: Virus Development
« Reply #41 on: September 18, 2005, 10:02:13 am »
that isnt a virus... a virus needs to reproduce itself and distribute itself.

That's what I said.  Glad to know you can repeat, while still managing to get it wrong!  A virus doesn't need to distribute itself to be a virus. 

i didnt read all the posts.. i skimmed the first 2 or whatever and then decided that i would say that.

but a virus would be completely stupid if it wasnt distributed in some way... but i guess ur right that it doesnt need to. it does need to reproduce itself though.
i didnt repeat you knowing that i was repeating you. i also think that any successful virus would need to find a means of distributing itself to be... well... successful
so i guess i can safely say that a virus will reproduce itself & distribute itself.

so this means i wasnt really wrong. i was just being smarter and including a characteristic that basically every virus includes... a way of distributing itself across the interweb.
there's no reason to leave that out.

whitehat scum

How about, I email it to somebody?  It's not distributing itself.

Offline Joe

Re: Virus Development
« Reply #42 on: September 18, 2005, 01:25:28 pm »
Quote
whitehat scum

And suddenly c0n loses what little respect I had left for him.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline c0n

Re: Virus Development
« Reply #43 on: September 18, 2005, 04:36:07 pm »
that isnt a virus... a virus needs to reproduce itself and distribute itself.

That's what I said.  Glad to know you can repeat, while still managing to get it wrong!  A virus doesn't need to distribute itself to be a virus. 

i didnt read all the posts.. i skimmed the first 2 or whatever and then decided that i would say that.

but a virus would be completely stupid if it wasnt distributed in some way... but i guess ur right that it doesnt need to. it does need to reproduce itself though.
i didnt repeat you knowing that i was repeating you. i also think that any successful virus would need to find a means of distributing itself to be... well... successful
so i guess i can safely say that a virus will reproduce itself & distribute itself.

so this means i wasnt really wrong. i was just being smarter and including a characteristic that basically every virus includes... a way of distributing itself across the interweb.
there's no reason to leave that out.

whitehat scum

How about, I email it to somebody?  It's not distributing itself.


read what i said...

i said it doesnt NEED to..
but go ahead and try distributing it yourself and see how many ppl you will infect...
Quote
whitehat scum

And suddenly c0n loses what little respect I had left for him.

your respect means nothing to me... and never did.
ur just some vb coder that codes lame shyt.

You are honestly a fucking moron..

even if i said something intelligent on this forum you would say the same thing.
what you think of me means nothing to me. the only thing you didnt like was the
thing i said about whitehats. h0h0h0...
« Last Edit: September 18, 2005, 04:39:31 pm by c0n »

Offline Sidoh

Re: Virus Development
« Reply #44 on: September 18, 2005, 04:36:57 pm »
but go ahead and try distributing it yourself and see how many ppl you will infect...
That's aside from his point.

Offline c0n

Re: Virus Development
« Reply #45 on: September 18, 2005, 04:40:46 pm »
but go ahead and try distributing it yourself and see how many ppl you will infect...
That's aside from his point.

yes but it was pointless to say it when i clearly agreed with him above

Offline Joe

Re: Virus Development
« Reply #46 on: September 18, 2005, 04:42:58 pm »
Hm, am I the only one here who realized..

- c0n can't spell
- c0n failed English eight times in a row in high school, then dropped out when he turned 18
- c0n thinks pr0j3kt m4yh3m isn't a joke (joe.x86labs.org points to my computer. Bite me please)
- c0n is a hopeless idiot

Offline Sidoh

Re: Virus Development
« Reply #47 on: September 18, 2005, 04:44:03 pm »
roofle

Offline d&q

Re: Virus Development
« Reply #48 on: September 18, 2005, 04:47:06 pm »
Can't we all just get along?  :'(
The writ of the founders must endure.

Offline Newby

Re: Virus Development
« Reply #49 on: September 18, 2005, 04:49:52 pm »
You suck at blocking out your buddy's name on the taskbar in that gif, screenor. =P
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline c0n

Re: Virus Development
« Reply #50 on: September 18, 2005, 04:58:13 pm »
Hm, am I the only one here who realized..

- c0n can't spell
- c0n failed English eight times in a row in high school, then dropped out when he turned 18
- c0n thinks pr0j3kt m4yh3m isn't a joke (joe.x86labs.org points to my computer. Bite me please)
- c0n is a hopeless idiot

dear joe,

- c0n can spell he just doesnt feel the need to on the intarweb
- the internet is not a serious place
- pr0j3kt m4yh3m is not a joke. ur ignorant about it so obviously you would have no idea.
- go leech more asm code for ur pathetic 'operating system'
- stop being a social whore
- i feel the need that i must re-iterate...

pr0j3kt m4yh3m is not a joke. perhaps it seems like a joke because they like to make fun
of the whitehats they own, and it happens to be funny. but ur wrong... its not a joke. if u wanna
get owned, joe, please go talk to people in #w0ah on efnet. oh wait... sorry... i cant give u the key
to that channel. i'd love to but i wont. u call me a hopeless moron but you are the one who leeched
the code for ur lame os. why dont u send an email to aer0@hush.com and talk about how u think
pr0j3kt m4yh3m is a joke. he runs www.dikline.com. tell him about how much of a hopeless kiddie bnet bot coder
you are, and that you think pr0j3kt m4yh3m is a joke. im pretty sure u would soon find out that it isnt.

here... ill start the email for u.

--email--

Dear aer0,

I am Joe, and I am a Battle.net bot coder. I think that
Pr0j3kt M4yh3m is a joke. Hold on, let me look at all the whitehat
ownings for your zine. Wow, your pr0j3kt m4yh3m cell has
owned a lot of whitehats for the dikline ezine. But pr0j3kt
m4yh3m is still a joke, because I am too ignorant to believe that there
are actually people out there that would do harm to poor, innocent,
pussy whitehats out there. It's a joke... a total joke. Please don't own
me, I'm not a whitehat. I just think you're a joke, and everyone
in your cell is a joke. F1sh got busted, but he's a joke, lolol!
Syke is a joke too, because, well, I don't know him! I dont know
anybody affiliated with pr0j3kt m4yh3m, but it is such a joke!
The_uT owned a lot of people and rm'd them, but once again...
a joke! pHC was a joke in 2002. Trust me, I know what I'm talking
about... I'm Joe, and I use my real name as a nick on the interweb!

Sincerely,

Joe[x86] - the ultimate bnet code leecher
--/email--

there you go, joe. alter it if you want... i dont care.

i mean i suppose its pretty fucking hard to type "pr0j3kt m4yh3m"
in google and not see all the websites that pop up about it?
theres even an article about pr0j3kt m4yh3m and whitehat hate crimes
in Wired Magazine.
« Last Edit: September 18, 2005, 05:02:52 pm by c0n »

Offline iago

Re: Virus Development
« Reply #51 on: September 18, 2005, 05:04:45 pm »
but a virus would be completely stupid if it wasnt distributed in some way

It's not completely stupid.  Although I know it's a waste of my time, I'll explain why. 

What if I'm trying to break into a business? They have firewalls, anti-virus, IPS and all the toys. How do I get in?

Simple! I write a custom virus.  I email it to an employee, with a message customized for the employee in question.  He runs the program, gets infected, and is at my mercy.  Because it's a custom virus, it's not going to get picked up by the anti-virus.  Because it's not distributing itself, it's not going to be detected by other employees. 

Presumably, the virus would give me remote access to his computer.  Say, for example, it infects Internet Explorer so that, as soon as he opens his browser, it also connects to me (since browsers are typically allow(all) in the firewall) and gives me the information I need. 

Since you're a blackhat, you really ought to know the usefulness of a virus that doesn't spread on its own (particularly in terms of evading detection).  I'm surprised you don't. 


Offline c0n

Re: Virus Development
« Reply #52 on: September 18, 2005, 05:09:04 pm »
but a virus would be completely stupid if it wasnt distributed in some way

It's not completely stupid.  Although I know it's a waste of my time, I'll explain why. 

What if I'm trying to break into a business? They have firewalls, anti-virus, IPS and all the toys. How do I get in?

Simple! I write a custom virus.  I email it to an employee, with a message customized for the employee in question.  He runs the program, gets infected, and is at my mercy.  Because it's a custom virus, it's not going to get picked up by the anti-virus.  Because it's not distributing itself, it's not going to be detected by other employees. 

Presumably, the virus would give me remote access to his computer.  Say, for example, it infects Internet Explorer so that, as soon as he opens his browser, it also connects to me (since browsers are typically allow(all) in the firewall) and gives me the information I need. 

Since you're a blackhat, you really ought to know the usefulness of a virus that doesn't spread on its own (particularly in terms of evading detection).  I'm surprised you don't. 



ur right about all that, except what i was trying to say is that a virus that does not distribute itself is pretty lame. why waste ur time writing a virus that wont spread itself to own some company when you can just write an exploit and own him (then u dont have to email him or her!)... then hes still at ur mercy. or better yet, write a worm that exploits him and exploits the network... then u have access to the whole network.

im not a blaqhat... i just believe in the blaqhat ideas.
if i cant haq, then i obviously cannot be a blaqhat.

doing what you said though... thats like almost as stupid as using a trojan, except the fact that u wrote it yourself. most employees would probably know better than to download an attachment anyway... unless you use addresses from people they know.

any virus out there wild on the internet has a way of distributing itself (otherwise it wouldnt be out there in the 'wild')... so why not incorporate that into the definition? i'd say ur idea is more of a trojan. trojans do however show up on anti virus programs. but they are still not really viruses in my opinion (my opinion isnt humble though)

joe: when are you going to show evidence of how i supposedly failed english 8 times because i spelled so many things wrong in this topic (which isnt true...). i have never failed an english class... but that doesnt matter, and isnt the topic. i am not some perfect punctuation using person anymore. so stop thinking ur all smart and stuff because you can use it. any 10 year old can use punctuation on the internet... even you. joe, ur such a social whore... even though you suck at being one (which isnt a bad thing)
« Last Edit: September 18, 2005, 05:24:02 pm by c0n »

Offline iago

Re: Virus Development
« Reply #53 on: September 18, 2005, 05:23:59 pm »
ur right about all that, except what i was trying to say is that a virus that does not distribute itself is pretty lame. why waste ur time writing a virus that wont spread itself to own some company when you can just write an exploit and own him (then u dont have to email him or her!)... then hes still at ur mercy. or better yet, write a worm that exploits him and exploits the network... then u have access to the whole network.
Because, as I said, it evades detection.  It's easy to notice it spreading, but it's hard to notice it dormant on some specific machine. 

Quote
doing what you said though... thats like almost as stupid as using a trojan, except the fact that u wrote it yourself. most employees would probably know better than to download an attachment anyway... unless you use addresses from people they know.
That's the point of customizing it.  You fake the return address of their boss, and make it look like their boss wrote the email and is asking you to check the program, or something.  It would use their real name and phone number, and look totally authentic.

Quote
any virus out there wild on the internet has a way of distributing itself (otherwise it wouldnt be out there in the 'wild')... so why not incorporate that into the definition? i'd say ur idea is more of a trojan. trojans do however show up on anti virus programs. but they are still not really viruses in my opinion (my opinion isnt humble though)
Any virus in the wild is useless for many purposes, because it's easy to detect. The POINT of a virus that doesn't spread, as I've been TRYING to tell you, is that it's a targeted attack. Not all attacks are widespread; the best ones are targeted.


Offline c0n

Re: Virus Development
« Reply #54 on: September 18, 2005, 05:28:26 pm »
ur right about all that, except what i was trying to say is that a virus that does not distribute itself is pretty lame. why waste ur time writing a virus that wont spread itself to own some company when you can just write an exploit and own him (then u dont have to email him or her!)... then hes still at ur mercy. or better yet, write a worm that exploits him and exploits the network... then u have access to the whole network.
Because, as I said, it evades detection.  It's easy to notice it spreading, but it's hard to notice it dormant on some specific machine. 

Quote
doing what you said though... thats like almost as stupid as using a trojan, except the fact that u wrote it yourself. most employees would probably know better than to download an attachment anyway... unless you use addresses from people they know.
That's the point of customizing it.  You fake the return address of their boss, and make it look like their boss wrote the email and is asking you to check the program, or something.  It would use their real name and phone number, and look totally authentic.

Quote
any virus out there wild on the internet has a way of distributing itself (otherwise it wouldnt be out there in the 'wild')... so why not incorporate that into the definition? i'd say ur idea is more of a trojan. trojans do however show up on anti virus programs. but they are still not really viruses in my opinion (my opinion isnt humble though)
Any virus in the wild is useless for many purposes, because it's easy to detect. The POINT of a virus that doesn't spread, as I've been TRYING to tell you, is that it's a targeted attack. Not all attacks are widespread; the best ones are targeted.



trojans try to evade detection as well. even polymorphic shellcode tries to evade detection, but that doesnt mean its a virus. i guess it takes the characteristic of a virus, but that doesnt make it one. even a script kiddie can try to evade detection. they are viruses that spread, though... if you get what eye mean!

but still, why waste ur time writing a virus to 0wn this poor person in a business? why not just write an exploit? i'd like to hear why you would waste ur time with this, iago. u are afterall a whitehat... (no intended insult this time, i promise)

go ahead and waste ur time writing a virus and sending it to this person though. you could just make it a lot more fun and write an exploit and 0wn the network with that.
« Last Edit: September 18, 2005, 05:38:16 pm by c0n »

Offline Quik

Re: Virus Development
« Reply #55 on: September 18, 2005, 05:37:54 pm »
So, you are trying to gain access to a specific computer, and somehow you receive knowledge of what programs are running, and write up some exploits to one of those programs, since it's so easy to do on call, and then just exploit them knowing only what their email address is. Sounds to me like iago's way is more real-world applicable; '0wning whitehatz via blaqhat exploitz' seems to only exist in your fantasy world.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline c0n

Re: Virus Development
« Reply #56 on: September 18, 2005, 05:41:40 pm »
So, you are trying to gain access to a specific computer, and somehow you receive knowledge of what programs are running, and write up some exploits to one of those programs, since it's so easy to do on call, and then just exploit them knowing only what their email address is. Sounds to me like iago's way is more real-world applicable; '0wning whitehatz via blaqhat exploitz' seems to only exist in your fantasy world.

yeah i guess anybody would just write an exploit only knowing someones email *sigh*. though you probably know that they are using the company email, so im guessing the domain would be included... so then you could have a little information? yeah ur pretty smart quik. yeah, but, uhhh, exploits only exist in my fantasy world, if you want to believe that. even you, being a whitehat who runs around looking at securityfocus, should know that what you said is not true at all. or maybe you dont... considering you spend time looking at public exploits and not actual private shit that is within possession of individuals who could probably own just about any system they want.
« Last Edit: September 18, 2005, 05:43:44 pm by c0n »

Offline Quik

Re: Virus Development
« Reply #57 on: September 18, 2005, 05:48:07 pm »
So, you are trying to gain access to a specific computer, and somehow you receive knowledge of what programs are running, and write up some exploits to one of those programs, since it's so easy to do on call, and then just exploit them knowing only what their email address is. Sounds to me like iago's way is more real-world applicable; '0wning whitehatz via blaqhat exploitz' seems to only exist in your fantasy world.

yeah i guess anybody would just write an exploit only knowing someones email *sigh*. though you probably know that they are using the company email, so im guessing the domain would be included... so then you could have a little information? yeah ur pretty smart quik. yeah, but, uhhh, exploits only exist in my fantasy world, if you want to believe that. even you, being a whitehat who runs around looking at securityfocus, should know that what you said is not true at all. or maybe you dont... considering you spend time looking at public exploits and not actual private shit that is within possession of individuals who could probably own just about any system they want.

Leave it up to c0n to completely misinterpret what I said. Now, if you're going to try and prove a point by gaining access to a company machine, iago's way would make sense. All you need is a little bit of ingenuity while coding, and the person's company email, and you can effectively gain access undetected. Now, your way, you would need to know what programs they use, and would need to spend some time either A. finding an exploit and coding a way to take advantage of it, or B. Do what you do and just hang around 'blackhats' to hope they give you code.

You seem to act like you monitor my online activities, judging by how you talk about my "running around looking at securityfocus" and "being a whitehat". Try to read posts more carefully, and use your brain to analyze what's being told to you.

You're dangerously close to being banned from this server in general. It's getting really old.

Offline Joe

Re: Virus Development
« Reply #58 on: September 18, 2005, 05:49:21 pm »
And c0n goes from idiot to asshole. I once again move to ban him from the forums.

Offline iago

Re: Virus Development
« Reply #59 on: September 18, 2005, 06:16:52 pm »
trojans try to evade detection as well. even polymorphic shellcode tries to evade detection, but that doesnt mean its a virus. i guess it takes the characteristic of a virus, but that doesnt make it one. even a script kiddie can try to evade detection. they are viruses that spread, though... if you get what eye mean!
Polymorphic shellcode isn't designed to evade detection, but it can be used that way.  It's generally used to slip through filters (for example, UTF-8-only, ascii-only, Unicode-only, etc.). 


Quote
but still, why waste ur time writing a virus to 0wn this poor person in a business? why not just write an exploit? i'd like to hear why you would waste ur time with this, iago. u are afterall a whitehat... (no intended insult this time, i promise)
You might not have access to the software they're running (maybe it's proprietary?). IPS systems will often stop exploits; they can often heuristically detect things like overflows. They should have a firewall in the way with no incoming connections allowed.

Yes, I'm a white-hat, but I still understand how attackers work.

Quote
go ahead and waste ur time writing a virus and sending it to this person though. you could just make it a lot more fun and write an exploit and 0wn the network with that.
You can't always do that.
« Last Edit: September 18, 2005, 06:33:33 pm by iago »

Offline Screenor

Re: Virus Development
« Reply #60 on: September 18, 2005, 06:46:45 pm »
You suck at blocking out your buddy's name on the taskbar in that gif, screenor. =P
Har, I noticed it before I even uploaded the image, I am just too lazy to go back and fix it. If it had been someone's private screenname I would have done otherwise.

Offline Newby

Re: Virus Development
« Reply #61 on: September 18, 2005, 09:31:54 pm »
- the internet is not a serious place
- pr0j3kt m4yh3m is not a joke.

That made me chuckle. Contradicting yourself?

i mean i suppose its pretty fucking hard to type "pr0j3kt m4yh3m"
in google and not see all the websites that pop up about it?
theres even an article about pr0j3kt m4yh3m and whitehat hate crimes
in Wired Magazine.

http://www.google.com/search?q=pr0j3kt+m4yh3m+site%3Awired.com returns nothing? :(

I like this site info on pr0j3kt m4yh3m:

Quote
pr0j3kt m4yh3m originated in the third issue of the highly esteemed internet zine ~el8, but was later corrupted into a juvenile IRC channel takeover and a second-rate Phrack imitation by JimJones and the inhabitants of #darknet, who had absolutely nothing to do with the original pr0jekt m4yh3m

:'(

EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

That makes you no better than all the other wannabe blackhats out there, who admire the "true" "underground" "el8" "non-disclosure" blackhats that actually exist.
« Last Edit: September 18, 2005, 09:47:39 pm by Newby »

Offline Sidoh

Re: Virus Development
« Reply #62 on: September 18, 2005, 09:55:51 pm »
From my observations, I've come to a conclusion.

The people who associate themselves with pr0j3kt m4yh3m are the outcasts of the internet. They're pissed off that they suck at life, so they're rebelling by telling everyone they're going to hack the world.

Offline iago

Re: Virus Development
« Reply #63 on: September 18, 2005, 11:38:52 pm »
Quote from: Newby
EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

I hope neither side wins.  Blackhats will definitely never win, the internet is too strong.  But if Whitehats win, I'll be out of a job.  So let's just keep the combat up. 

Offline Joe

Re: Virus Development
« Reply #64 on: September 18, 2005, 11:43:46 pm »
Quote from: iago
If Whitehats win, I'll be out of a job.  So let's just keep the combat up.

Sigged!
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Sidoh

Re: Virus Development
« Reply #65 on: September 19, 2005, 12:22:52 am »
Quote from: iago
EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

I hope neither side wins.  Blackhats will definitely never win, the internet is too strong.  But if Whitehats win, I'll be out of a job.  So let's just keep the combat up. 

Awesome outlook, iago.  :)

trust

Re: Virus Development
« Reply #66 on: September 19, 2005, 06:35:57 pm »
Quote from: iago
EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

I hope neither side wins.  Blackhats will definitely never win, the internet is too strong.  But if Whitehats win, I'll be out of a job.  So let's just keep the combat up. 

Nerd, for some reason that reminded me of STARWARS@!!~!@!#!@#$!~!@~!@~~~~~~

Offline zorm

Re: Virus Development
« Reply #67 on: September 19, 2005, 09:04:16 pm »
Back onto the original topic. I came across an interesting way of 'infecting' a windows machine a while back, however it would still require an exploit to get the code onto the windows machine in the first place.

When you look at most of the evil (to avoid the virus/worm/trojan debate I'll refer to it as evil) code out there for windows now, it is all destructive. Destructive in that it crashes the windows machine it is running on, so it's rather obvious that something bad has happened. What would the impact have been if things like Blaster didn't invoke a crash and restart? I'd be willing to argue that with the evil code out there today it's actually safer to be running windows vs. linux because of the fact that it's easier to hide on linux than it is on windows.
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

Offline Newby

Re: Virus Development
« Reply #68 on: September 19, 2005, 09:34:55 pm »
Quote from: zorm
What would the impact have been if things like Blaster didn't invoke a crash and restart?

It would have been utterly useless. Just a plain worm that did absolutely nothing but spread. No fun whatsoever.

Quote from: zorm
I'd be willing to argue that with the evil code out there today it's actually safer to be running windows vs. linux because of the fact that it's easier to hide on linux than it is on windows.

Quik compiled some "evil" code on my machine (d.c).

Not only did it succeed in consuming all of my memory (very noticeable when programs start crashing) AND spawn a root shell (I guess this is harmless), he now had full access to my system. With full access, a quick rm -rf / and everything is gone. Very noticeable indeed.

I think it's safer to say that with Linux, it's harder to hide the virus. A lot harder. A Linux virus, even if it corrupts ps, won't corrupt /proc more than likely, so hiding itself is virtually useless.
newby@impaler:~$ echo "There are really" `ls -d /proc/* | grep [0-9] | wc -l` "processes running on my boxen." ;
echo "ps tells me there are" `ps aux | wc -l` "processes running. Hmm.."
There are really 145 processes running on my boxen.
ps tells me there are 145 processes running. Hmm..

When they don't show up evenly, you know there is something wrong with your system.

Also, most linux viruses, to my knowledge, are just exploits that end up crashing your system or spawning some root shell which will cat /dev/urandom > every drive outputted in df -h, which is hard to not notice.

I had a virus on my Win98 ME box once. The only reason I knew I had one is because netstat returned something connected to 6667. I didn't use IRC at the time.

Hmm... the process list looks normal. ??? What could it be?

I had to reformat to get rid of it.

* Newby shrugs.
« Last Edit: September 19, 2005, 09:36:31 pm by Newby »

Offline iago

Re: Virus Development
« Reply #69 on: September 19, 2005, 09:50:54 pm »
It's easy to hide code on both Windows and Linux, and on every other OS that I know of.  Once malicious code gets into your machine, there's really no way to guarantee that it's ever gone.  If anybody asks me what to do after they get a virus or something, I tell them to format.  That's the only way to be sure. 

The trick is, to hide code, you generally need to do kernel modification (a rootkit, or kernel module, or system driver, or anything like that).  On Windows, every user (almost) runs as Administrator, so any malicious program can do that.  On Linux, most users run at the user level, so it would be harder to hide malicious code.  But still possible, though, since you can hide malicious code (as a few examples) as a Firefox extension, as a Gaim plugin, and probably a dozen other places.  But at least, when you're a user, you can't hide it in program executables (infecting /usr/bin/ls or C:\windows\system32\explorer.exe, or wherever explorer is, is evil). 

To summarize: if you're running as root/administrator, on either Windows or Linux, there are tons of places to hide evil code, it's game over.
If you're running as a user, it's more difficult, but still possible. 

Offline Blaze

Re: Virus Development
« Reply #70 on: September 19, 2005, 09:54:54 pm »
One of my friends made a blizzard specific virus, which hooked the logging in of diablo2 and starcraft and stole the login, password and cdkey.  It created files in the C:\windows\font folder.  Windows is really gay with that folder, not letting you see the contents of it other than fonts.  It then infected svchost.  It has a remote control program 'Minimo'(?), and was pretty good for undetectable.  Norton, McAfee, AVG, NOD32 didn't find anything wrong with it, and he got lots of diablo 2 characters and items, and cdkeys too.  Written in C++ (I have the source) and very lightweight.
And like a fool I believed myself, and thought I was somebody else...

Offline zorm

Re: Virus Development
« Reply #71 on: September 19, 2005, 11:04:46 pm »
Quote from: Newby
Quik compiled some "evil" code on my machine (d.c).

Not only did it succeed in consuming all of my memory (very noticeable when programs start crashing) AND spawn a root shell (I guess this is harmless), he now had full access to my system. With full access, a quick rm -rf / and everything is gone. Very noticeable indeed.

I think it's safer to say that with Linux, it's harder to hide the virus. A lot harder. A Linux virus, even if it corrupts ps, won't corrupt /proc more than likely, so hiding itself is virtually useless.
newby@impaler:~$ echo "There are really" `ls -d /proc/* | grep [0-9] | wc -l` "processes running on my boxen." ;
echo "ps tells me there are" `ps aux | wc -l` "processes running. Hmm.."
There are really 145 processes running on my boxen.
ps tells me there are 145 processes running. Hmm..

When they don't show up evenly, you know there is something wrong with your system.

Also, most linux viruses, to my knowledge, are just exploits that end up crashing your system or spawning some root shell which will cat /dev/urandom > every drive outputted in df -h, which is hard to not notice.

I had a virus on my Win98 ME box once. The only reason I knew I had one is because netstat returned something connected to 6667. I didn't use IRC at the time.

Hmm... the process list looks normal. ??? What could it be?

I had to reformat to get rid of it.

* Newby shrugs.

How many users are going to actually compare the output of ps and /proc? Most normal users aren't going to do that and as such a virus would have an easy time hiding. Compared to windows where Blaster and the other recent worm have triggered reboots that notify the user via a dialog making it insanely hard to miss that something is wrong.

Quote from: iago
It's easy to hide code on both Windows and Linux, and on every other OS that I know of.  Once malicious code gets into your machine, there's really no way to guarantee that it's ever gone.  If anybody asks me what to do after they get a virus or something, I tell them to format.  That's the only way to be sure.

The trick is, to hide code, you generally need to do kernel modification (a rootkit, or kernel module, or system driver, or anything like that).  On Windows, every user (almost) runs as Administrator, so any malicious program can do that.  On Linux, most users run at the user level, so it would be harder to hide malicious code.  But still possible, though, since you can hide malicious code (as a few examples) as a Firefox extension, as a Gaim plugin, and probably a dozen other places.  But at least, when you're a user, you can't hide it in program executables (infecting /usr/bin/ls or C:\windows\system32\explorer.exe, or wherever explorer is, is evil).

To summarize: if you're running as root/administrator, on either Windows or Linux, there are tons of places to hide evil code, it's game over.
If you're running as a user, it's more difficult, but still possible.

Actually the method I'm thinking of would infect explorer, but as far as I know doesn't require administrator or even write access to explorer.exe, only to c:\. I still say the average user is more likely to notice an infection on Windows simply because of the way it is set up for simplicity.

Quote from: Blaze
One of my friends made a blizzard specific virus, which hooked the logging in of diablo2 and starcraft and stole the login, password and cdkey.  It created files in the C:\windows\font folder.  Windows is really gay with that folder, not letting you see the contents of it other than fonts.  It then infected svchost.  It has a remote control program 'Minimo'(?), and was pretty good for undetectable.  Norton, McAfee, AVG, NOD32 didn't find anything wrong with it, and he got lots of diablo 2 characters and items, and cdkeys too.  Written in C++ (I have the source) and very lightweight.

You should clarify, it's not Windows messing with c:\windows\font but Explorer. Also small viruses tend not to be picked up by major antivirus software. I suspect you'd have to infect x many people, with x being in the thousands to hundreds of thousands range, before they start trying to detect you.

Offline Blaze

Re: Virus Development
« Reply #72 on: September 19, 2005, 11:16:23 pm »
And explorer is a part of windows.

You're probably right about the rate.

When I do a virus scan, I want to scan my files for anything that could be malicious, and if something is found, bring it to my attention.  I know how long this would take but I've got all night to do it.  There is nothing worse than a false sense of security..

Offline iago

Re: Virus Development
« Reply #73 on: September 20, 2005, 12:04:28 am »
Quote from: zorm
Actually the method I'm thinking of would infect explorer, but as far as I know doesn't require administrator or even write access to explorer.exe, only to c:\. I still say the average user is more likely to notice an infection on Windows simply because of the way it is set up for simplicity.

Well, there's always the "C:\program.exe" attack vector.  Does that still work?


Offline Newby

Re: Virus Development
« Reply #74 on: September 20, 2005, 01:01:57 am »
Quote from: zorm
How many users are going to actually compare the output of ps and /proc? Most normal users aren't going to do that and as such a virus would have an easy time hiding. Compared to windows where Blaster and the other recent worm have triggered reboots that notify the user via a dialog making it insanely hard to miss that something is wrong.

Uh, ones that know something is wrong with their system are going to compare ps and /proc. If they don't know about /proc, they don't know much about Linux.

Offline Koga73

Re: Virus Development
« Reply #75 on: September 20, 2005, 03:15:17 pm »
talking about viruses... well, I read the initial post with the floppy and all, and a lot of motherboards nowadays can update their BIOS, so if you really wanna fuck up someone's computer (I wouldn't do this), just make an exe that copies some files onto a floppy if one is in the drive, and if it copies successfully, make it reboot. Make one of the files be a fake BIOS update so it'll totally mess up the BIOS, rendering the motherboard pretty much unusable.

Offline Blaze

Re: Virus Development
« Reply #76 on: September 20, 2005, 03:23:55 pm »
I think that was already stated, or something along those lines.

I wonder if every programmer on this board released worms how fast they would get hunted down... Not that we would do that.

Offline iago

Re: Virus Development
« Reply #77 on: September 20, 2005, 07:32:43 pm »
Quote from: Koga73
talking about viruses... well, I read the initial post with the floppy and all, and a lot of motherboards nowadays can update their BIOS, so if you really wanna fuck up someone's computer (I wouldn't do this), just make an exe that copies some files onto a floppy if one is in the drive, and if it copies successfully, make it reboot. Make one of the files be a fake BIOS update so it'll totally mess up the BIOS, rendering the motherboard pretty much unusable.

Most motherboards come with a BIOS flash disk, so you can re-load the bios if it gets corrupted.  Of course, that doesn't always work, as my friend found out.  But they gave him a new motherboard, so.. :)

Offline Joe

Re: Virus Development
« Reply #78 on: September 20, 2005, 07:53:09 pm »
Comparing BIOS to system software is about impossible, but I'll try anyhow. The Macintosh Classic II (and others?) had System 6(.0.4?) installed in its ROM, so if you ever needed to restore it, you would just restart with some fancy command combo (like how Apple+C = CD, Apple+T = Firewire HD) and drag it from the ROM disk to your HD. Back to BIOS, some mobo's might be like that.

EDIT -
Come to discuss it, where is the BIOS software, for lack of a better term, stored? I always thought it lived in the ROM chip.
EDIT2: Perhaps on an EP-ROM chip, so it can be upgraded? But then it'd have to be exposed to UV..
« Last Edit: September 20, 2005, 07:59:55 pm by Joe[e2] »

Offline Quik

Re: Virus Development
« Reply #79 on: September 20, 2005, 08:07:06 pm »
FYI: ls returning a seg fault is a common symptom of a machine that's been rooted and has a rootkit installed. Often times, comparing ps and /proc isn't necessary.

Also, don't assume that every malicious file will crash the system or even cause strange things like programs crashing and memory consumption. If the windows virus or worm needs a restart to fully establish and replicate, it would be more effective to wait for a manual restart. Same with Linux exploits; it was just an effect of that one exploit which used consume_memory, not all will do this obviously, and it will be a lot more tough to detect a compromised system than it was before.

As far as Windows vs. Linux as far as which is easier to mask infection, I'm not going to go into that. Too many things to bring up in that discussion, it makes no sense to argue it till the cows come home.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline Joe

Re: Virus Development
« Reply #80 on: October 04, 2005, 06:30:11 pm »
Newby, white chick, help me!

Quote
joe@JoeMomma:~ $ echo "There are really" `ls -d /proc/* | grep [0-9] | wc -l` "processes running on my boxen." ;
There are really 84 processes running on my boxen.
joe@JoeMomma:~ $ echo "ps tells me there are" `ps aux | wc -l` "processes running. Hmm.."
ps tells me there are 86 processes running. Hmm..

Offline iago

Re: Virus Development
« Reply #81 on: October 05, 2005, 06:35:28 pm »
I'm not entirely sure that that means anything useful. 

Anyway, on the topic of hiding a rootkit, here's a neat article I read a couple days ago:
http://www.phrack.org/phrack/63/p63-0x08_Raising_The_Bar_For_Windows_Rootkit_Detection.txt
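Newby's ps-versus-/proc comparison earlier in the thread, and the 84-versus-86 count in Joe's post above (which, as iago says, does not by itself mean much), can be turned into a check that tolerates the short-lived processes that skew a plain count. The POSIX sh script below is an added example and not code from anyone in this thread; every function name in it (pids_only_in_first, pids_in_both, suspicious_pids, check_live) is its own. It snapshots /proc, runs ps, snapshots /proc again, and reports only PIDs that were in /proc both times yet never appeared in ps, so a process that started or exited during the check is not flagged.

```shell
#!/bin/sh
# Added example, not from the thread: a ps-versus-/proc cross-check that
# tolerates the short-lived processes which make a raw count comparison
# unreliable. A PID is reported only if it is present in /proc both before
# and after ps runs, yet ps never listed it. All names here are this
# example's own.

# pids_only_in_first A B: print every PID in list A that is absent from
# list B. Lists are whitespace-separated PID strings; the padding spaces
# in the pattern stop "1" from matching inside "10".
pids_only_in_first() {
    for pid in $1; do
        case " $2 " in
            *" $pid "*) ;;        # present in both lists: nothing to report
            *) echo "$pid" ;;
        esac
    done
}

# pids_in_both A B: print every PID present in both lists (the set of
# processes that existed throughout the check).
pids_in_both() {
    for pid in $1; do
        case " $2 " in
            *" $pid "*) echo "$pid" ;;
        esac
    done
}

# suspicious_pids PROC_BEFORE PS_VIEW PROC_AFTER: PIDs that /proc showed in
# both snapshots but ps omitted. Pure function on three lists, so it can be
# exercised on constructed input without touching the live system.
suspicious_pids() {
    stable=$(pids_in_both "$1" "$3" | tr '\n' ' ')
    pids_only_in_first "$stable" "$2"
}

# snapshot_proc_pids: numeric entries under /proc, i.e. the kernel's own
# view of the process table, as a space-separated list.
snapshot_proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s ' "${d#/proc/}"
    done
}

# snapshot_ps_pids: PIDs as reported by ps(1), the view a trojaned ps
# binary controls, as a space-separated list.
snapshot_ps_pids() {
    ps -eo pid= | tr -s ' \n' ' '
}

# check_live: run the three-snapshot check on this machine. Returns 1 and
# prints the offending PIDs when /proc and ps disagree on a stable process.
check_live() {
    before=$(snapshot_proc_pids)
    psview=$(snapshot_ps_pids)
    after=$(snapshot_proc_pids)
    hidden=$(suspicious_pids "$before" "$psview" "$after" | tr '\n' ' ')
    if [ -n "$hidden" ]; then
        echo "PIDs present in /proc but missing from ps: $hidden"
        return 1
    fi
    echo "ps and /proc agree on every process that existed throughout the check"
    return 0
}

# Run the live check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it as `sh check.sh --live` on a box under suspicion. A non-empty report means the userland ps and the kernel's /proc disagree about a process that existed for the whole check, which is exactly the discrepancy Newby describes; the two-snapshot rule is what makes Joe's 84-versus-86 style of result stop being noise. An agreeing result is not a clean bill of health: a kernel-level rootkit of the kind iago mentions can filter /proc as easily as it filters ps, so this only catches tampering that stops at the userland tools.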

Offline Warrior

Re: Virus Development
« Reply #82 on: October 06, 2005, 03:55:16 pm »
how about a virus that can be downloaded and plant itself as a replacement kernel for windows, following that it would have full control of the system calls within the system and could have bad results.

I'm thinking overwriting the harddrive with zeros and going into SMM (System Management Mode) and doing something VERY evil.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline iago

Re: Virus Development
« Reply #83 on: October 06, 2005, 11:46:25 pm »
Quote from: Warrior
how about a virus that can be downloaded and plant itself as a replacement kernel for windows, following that it would have full control of the system calls within the system and could have bad results.

That's what rootkits basically do.  They intercept syscalls.