Virus Development

[Screenor]

You suck at blocking out your buddy's name on the taskbar in that gif, screenor. =P

Har, I noticed it before I even uploaded the image, I am just too lazy to go back and fix it. If it had been someone's private screenname I would have done otherwise.

[Newby]

- the internet is not a serious place
- pr0j3kt m4yh3m is not a joke.

That made me chuckle. Contradicting yourself?

i mean i suppose its pretty fucking hard to type "pr0j3kt m4yh3m"
in google and not see all the websites that pop up about it?
theres even an article about pr0j3kt m4yh3m and whitehat hate crimes
in Wired Magazine.

http://www.google.com/search?q=pr0j3kt+m4yh3m+site%3Awired.com returns nothing?

I like this site info on pr0j3kt m4yh3m:

pr0j3kt m4yh3m originated in the third issue of the higly esteemed internet zine ~el8, but was later corrupted into a juvenile IRC channel takeover and a second-rate Phrack imitation by JimJones and the inhabitants of #darknet, who had absolutely nothing to do with the original pr0jekt m4yh3m

EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

That makes you no better than all the other wannabe blackhats out there, who admire the "true" "underground" "el8" "non-disclosure" blackhats that actually exist.

[Sidoh]

From my observations, I've come to a conclusion.

The people who assosiate themselves with pr0j3kt m4yh3m are the outcasts of the internet.  They're pissed off that they suck at life, so they're rebelling by telling everyone they're going to hack the world.

[iago]

EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

I hope neither side wins.  Blackhats will definitely never win, the internet is too strong.  But if Whitehats win, I'll be out of a job.  So let's just keep the combat up. 

[Joe]

If Whitehats win, I'll be out of a job.  So let's just keep the combat up.

Sigged!

[Sidoh]

EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

I hope neither side wins.  Blackhats will definitely never win, the internet is too strong.  But if Whitehats win, I'll be out of a job.  So let's just keep the combat up. 

Awesome outlook, iago. 

[trust]

EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

I hope neither side wins.  Blackhats will definitely never win, the internet is too strong.  But if Whitehats win, I'll be out of a job.  So let's just keep the combat up. 

Nerd, for some reason that reminded me of STARWARS@!!~!@!#!@#$!~!@~!@~~~~~~

[zorm]

Back onto the orginal topic. I came across an interesting way of 'infecting' a windows machine awhile back however it would still require an exploit to get the code onto the windows machine in the first place.

When you look at most of the evil(to avoid the virus/worm/trojan debate I'll refer to it as evil) code out there for windows now it is all destructive. Destructive in that it crashes the windows machine it is running on so its rather obvious that something bad has happened. What would the impact have been if things like Blaster didn't invoke a crash and restart? I'd being willing to argue that with the evil code out there today its actually safer to be running windows vs. linux because of the fact that its easier to hide on linux than it is on windows.

[Newby]

What would the impact have been if things like Blaster didn't invoke a crash and restart?

It would have been utterly useless. Just a plain worm that did absolutely nothing but spread. No fun whatsoever.

I'd being willing to argue that with the evil code out there today its actually safer to be running windows vs. linux because of the fact that its easier to hide on linux than it is on windows.

Quik compiled some "evil" code on my machine (d.c).

Not only did it succeed in consuming all of my memory (very noticeable when programs start crashing) AND spawn a root shell (I guess this is harmless), he now had full access to my system. With full access, a quick rm -rf / and everything is gone. Very noticeable indeed.

I think it's safer to say that with Linux, it's harder to hide the virus. A lot harder. A Linux virus, even if it corrupts ps, won't corrupt /proc more than likely, so hiding itself is virtually useless.

newby@impaler:~$ echo "There are really" `ls -d /proc/* | grep [0-9] | wc -l` "processes running on my boxen." ;
echo "ps tells me there are" `ps aux | wc -l` "processes running. Hmm.."
There are really 145 processes running on my boxen.
ps tells me there are 145 processes running. Hmm..

When they don't show up evenly, you know there is something wrong with your system.

Also, most linux viruses, to my knowledge, are just exploits that end up crashing your system or spawning some root shell which will cat /dev/urandom > every drive outputted in df -h, which is hard to not notice.

I had a virus on my Win98 ME box once. The only reason I knew I had one is because netstat returned something connected to 6667. I didn't use IRC at the time.

Hmm... the process list looks normal. What could it be?

I had to reformat to get rid of it.

* Newby shrugs.

[iago]

It's easy to hide code on both Windows and Linux, and on every other OS that I know of.  Once malicious code gets into your machine, there's really no way to guarentee that it's ever gone.  If anybody asks me what to do after they get a virus or something, I tell them to format.  That's the only way to be sure. 

The trick is, to hide code, you generally need to do kernel modification (a rootkit, or kernel module, or system driver, or anything like that).  On Windows, every use (almost) runs as Administrator, so any malicious program can do that.  On Linux, most users run at the user level, so it would be harder to hide malicious code.  But still possible, though, since you can hide malicious code (as a few examples) as a Firefox extension, as a Gaim plugin, and probably a dozen other places.  But at least, when you're a user, you can't hide it in program executables (infecting /usr/bin/ls or C:\windows\sytem32\explorer.exe, or wherever explorer is, is evil). 

To summarize: if you're running as root/administrator, on either Windows or Linux, there are tons of places to hide evil code, it's game over.
If you're running as a user, it's more difficult, but still possible. 

[Blaze]

One of my friends made a blizzard specific virus, which hooked the logging in of diablo2 and starcraft and stole the login, password and cdkey.  It created files in the C:\windows\font folder.  Windows is really gay with that folder, not letting you see the contents of it other then fonts.  It then infected scvhost.  It has a remote control program 'Minimo'(?), and was pretty good for undectable.  Nortan, macafee, avg, nod32 didn't find anything wrong with it, and he got lots of diablo 2 characters and items, and cdkeys too.  Written in C++ (I have the source) and very light weight.

[zorm]

Quik compiled some "evil" code on my machine (d.c).

Not only did it succeed in consuming all of my memory (very noticeable when programs start crashing) AND spawn a root shell (I guess this is harmless), he now had full access to my system. With full access, a quick rm -rf / and everything is gone. Very noticeable indeed.

I think it's safer to say that with Linux, it's harder to hide the virus. A lot harder. A Linux virus, even if it corrupts ps, won't corrupt /proc more than likely, so hiding itself is virtually useless.

newby@impaler:~$ echo "There are really" `ls -d /proc/* | grep [0-9] | wc -l` "processes running on my boxen." ;
echo "ps tells me there are" `ps aux | wc -l` "processes running. Hmm.."
There are really 145 processes running on my boxen.
ps tells me there are 145 processes running. Hmm..

When they don't show up evenly, you know there is something wrong with your system.

Also, most linux viruses, to my knowledge, are just exploits that end up crashing your system or spawning some root shell which will cat /dev/urandom > every drive outputted in df -h, which is hard to not notice.

I had a virus on my Win98 ME box once. The only reason I knew I had one is because netstat returned something connected to 6667. I didn't use IRC at the time.

Hmm... the process list looks normal. What could it be?

I had to reformat to get rid of it.

* Newby shrugs.

How many users are going to actually compare the output of ps and /proc? Most normal users aren't going to do that and as such a virus would have an easy time hiding. Compared to windows where Blaster and the other recent worm have triggered reboots that notify the user via a dialog making it insanely hard to miss that something is wrong.

It's easy to hide code on both Windows and Linux, and on every other OS that I know of.  Once malicious code gets into your machine, there's really no way to guarentee that it's ever gone.  If anybody asks me what to do after they get a virus or something, I tell them to format.  That's the only way to be sure.

The trick is, to hide code, you generally need to do kernel modification (a rootkit, or kernel module, or system driver, or anything like that).  On Windows, every use (almost) runs as Administrator, so any malicious program can do that.  On Linux, most users run at the user level, so it would be harder to hide malicious code.  But still possible, though, since you can hide malicious code (as a few examples) as a Firefox extension, as a Gaim plugin, and probably a dozen other places.  But at least, when you're a user, you can't hide it in program executables (infecting /usr/bin/ls or C:\windows\sytem32\explorer.exe, or wherever explorer is, is evil).

To summarize: if you're running as root/administrator, on either Windows or Linux, there are tons of places to hide evil code, it's game over.
If you're running as a user, it's more difficult, but still possible.

Actually the method im thinking of would infect explorer but as far as I know doesn't require administrator or even write access to explorer.exe only to c:\. I still say the average user is more likely to notice an infection on Windows simply because of the way it is setup for simplicity.

One of my friends made a blizzard specific virus, which hooked the logging in of diablo2 and starcraft and stole the login, password and cdkey.  It created files in the C:\windows\font folder.  Windows is really gay with that folder, not letting you see the contents of it other then fonts.  It then infected scvhost.  It has a remote control program 'Minimo'(?), and was pretty good for undectable.  Nortan, macafee, avg, nod32 didn't find anything wrong with it, and he got lots of diablo 2 characters and items, and cdkeys too.  Written in C++ (I have the source) and very light weight.

You should clarify, its not Windows messing with c:\windows\font but Explorer. Also small viruses tend not to be picked up by major antivirus software. I suspect you'd have to infect x many people with x being in the thousands to hundreds of thousands range before they start trying to detect you.

[Blaze]

And explorer is a part of windows.

You're probably right about the rate.

When I do a virus scan, I want to scan my files for anything that could be malicious, and if something is found, bring it to my attention.  I know how long this would take but I've got all night to do it.  There is nothing worse then a false sense of security..

[iago]

Actually the method im thinking of would infect explorer but as far as I know doesn't require administrator or even write access to explorer.exe only to c:\. I still say the average user is more likely to notice an infection on Windows simply because of the way it is setup for simplicity.

Well, there's always the "C:\program.exe" attack vector.  Does that still work?

[Newby]

How many users are going to actually compare the output of ps and /proc? Most normal users aren't going to do that and as such a virus would have an easy time hiding. Compared to windows where Blaster and the other recent worm have triggered reboots that notify the user via a dialog making it insanely hard to miss that something is wrong.

Uh, ones that know something is wrong with their system are going to compare ps and /proc. If they don't know about /proc, they don't know much about Linux.