Author Topic: Virus Development  (Read 35225 times)

0 Members and 8 Guests are viewing this topic.

Offline Screenor

  • Hero Member
  • *****
  • Posts: 1611
  • My own little world.
    • View Profile
Re: Virus Development
« Reply #60 on: September 18, 2005, 06:46:45 pm »
You suck at blocking out your buddy's name on the taskbar in that gif, screenor. =P
Har, I noticed it before I even uploaded the image, I am just too lazy to go back and fix it. If it had been someone's private screenname I would have done otherwise.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Virus Development
« Reply #61 on: September 18, 2005, 09:31:54 pm »
- the internet is not a serious place
- pr0j3kt m4yh3m is not a joke.

That made me chuckle. Contradicting yourself?

i mean i suppose its pretty fucking hard to type "pr0j3kt m4yh3m"
in google and not see all the websites that pop up about it?
theres even an article about pr0j3kt m4yh3m and whitehat hate crimes
in Wired Magazine.

http://www.google.com/search?q=pr0j3kt+m4yh3m+site%3Awired.com returns nothing? :(

I like this site info on pr0j3kt m4yh3m:

Quote
pr0j3kt m4yh3m originated in the third issue of the higly esteemed internet zine ~el8, but was later corrupted into a juvenile IRC channel takeover and a second-rate Phrack imitation by JimJones and the inhabitants of #darknet, who had absolutely nothing to do with the original pr0jekt m4yh3m

:'(

EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

That makes you no better than all the other wannabe blackhats out there, who admire the "true" "underground" "el8" "non-disclosure" blackhats that actually exist.
« Last Edit: September 18, 2005, 09:47:39 pm by Newby »
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Sidoh

  • Moderator
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Virus Development
« Reply #62 on: September 18, 2005, 09:55:51 pm »
From my observations, I've come to a conclusion.

The people who assosiate themselves with pr0j3kt m4yh3m are the outcasts of the internet.  They're pissed off that they suck at life, so they're rebelling by telling everyone they're going to hack the world.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #63 on: September 18, 2005, 11:38:52 pm »
EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

I hope neither side wins.  Blackhats will definitely never win, the internet is too strong.  But if Whitehats win, I'll be out of a job.  So let's just keep the combat up. 

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Virus Development
« Reply #64 on: September 18, 2005, 11:43:46 pm »
If Whitehats win, I'll be out of a job.  So let's just keep the combat up.

Sigged!
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Sidoh

  • Moderator
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Virus Development
« Reply #65 on: September 19, 2005, 12:22:52 am »
EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

I hope neither side wins.  Blackhats will definitely never win, the internet is too strong.  But if Whitehats win, I'll be out of a job.  So let's just keep the combat up. 

Awesome outlook, iago.  :)

trust

  • Guest
Re: Virus Development
« Reply #66 on: September 19, 2005, 06:35:57 pm »
EDIT -- So you admit you aren't a true blackhat, but you have blackhat beliefs? And you call us "brainwashed" for using Linux! You're the brainwashed fool that actually thinks blackhats will defeat whitehats and make the internet a rough place to survive.

I hope neither side wins.  Blackhats will definitely never win, the internet is too strong.  But if Whitehats win, I'll be out of a job.  So let's just keep the combat up. 

Nerd, for some reason that reminded me of STARWARS@!!~!@!#!@#$!~!@~!@~~~~~~

Offline zorm

  • Hero Member
  • *****
  • Posts: 591
    • View Profile
    • Zorm's Page
Re: Virus Development
« Reply #67 on: September 19, 2005, 09:04:16 pm »
Back onto the orginal topic. I came across an interesting way of 'infecting' a windows machine awhile back however it would still require an exploit to get the code onto the windows machine in the first place.

When you look at most of the evil(to avoid the virus/worm/trojan debate I'll refer to it as evil) code out there for windows now it is all destructive. Destructive in that it crashes the windows machine it is running on so its rather obvious that something bad has happened. What would the impact have been if things like Blaster didn't invoke a crash and restart? I'd being willing to argue that with the evil code out there today its actually safer to be running windows vs. linux because of the fact that its easier to hide on linux than it is on windows.
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Virus Development
« Reply #68 on: September 19, 2005, 09:34:55 pm »
What would the impact have been if things like Blaster didn't invoke a crash and restart?

It would have been utterly useless. Just a plain worm that did absolutely nothing but spread. No fun whatsoever.

I'd being willing to argue that with the evil code out there today its actually safer to be running windows vs. linux because of the fact that its easier to hide on linux than it is on windows.

Quik compiled some "evil" code on my machine (d.c).

Not only did it succeed in consuming all of my memory (very noticeable when programs start crashing) AND spawn a root shell (I guess this is harmless), he now had full access to my system. With full access, a quick rm -rf / and everything is gone. Very noticeable indeed.

I think it's safer to say that with Linux, it's harder to hide the virus. A lot harder. A Linux virus, even if it corrupts ps, won't corrupt /proc more than likely, so hiding itself is virtually useless.
newby@impaler:~$ echo "There are really" `ls -d /proc/* | grep [0-9] | wc -l` "processes running on my boxen." ;
echo "ps tells me there are" `ps aux | wc -l` "processes running. Hmm.."
There are really 145 processes running on my boxen.
ps tells me there are 145 processes running. Hmm..

When they don't show up evenly, you know there is something wrong with your system.

Also, most linux viruses, to my knowledge, are just exploits that end up crashing your system or spawning some root shell which will cat /dev/urandom > every drive outputted in df -h, which is hard to not notice.

I had a virus on my Win98 ME box once. The only reason I knew I had one is because netstat returned something connected to 6667. I didn't use IRC at the time.

Hmm... the process list looks normal. ??? What could it be?

I had to reformat to get rid of it.

* Newby shrugs.
« Last Edit: September 19, 2005, 09:36:31 pm by Newby »
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #69 on: September 19, 2005, 09:50:54 pm »
It's easy to hide code on both Windows and Linux, and on every other OS that I know of.  Once malicious code gets into your machine, there's really no way to guarentee that it's ever gone.  If anybody asks me what to do after they get a virus or something, I tell them to format.  That's the only way to be sure. 

The trick is, to hide code, you generally need to do kernel modification (a rootkit, or kernel module, or system driver, or anything like that).  On Windows, every use (almost) runs as Administrator, so any malicious program can do that.  On Linux, most users run at the user level, so it would be harder to hide malicious code.  But still possible, though, since you can hide malicious code (as a few examples) as a Firefox extension, as a Gaim plugin, and probably a dozen other places.  But at least, when you're a user, you can't hide it in program executables (infecting /usr/bin/ls or C:\windows\sytem32\explorer.exe, or wherever explorer is, is evil). 

To summarize: if you're running as root/administrator, on either Windows or Linux, there are tons of places to hide evil code, it's game over.
If you're running as a user, it's more difficult, but still possible. 

Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • View Profile
    • Maide
Re: Virus Development
« Reply #70 on: September 19, 2005, 09:54:54 pm »
One of my friends made a blizzard specific virus, which hooked the logging in of diablo2 and starcraft and stole the login, password and cdkey.  It created files in the C:\windows\font folder.  Windows is really gay with that folder, not letting you see the contents of it other then fonts.  It then infected scvhost.  It has a remote control program 'Minimo'(?), and was pretty good for undectable.  Nortan, macafee, avg, nod32 didn't find anything wrong with it, and he got lots of diablo 2 characters and items, and cdkeys too.  Written in C++ (I have the source) and very light weight.
And like a fool I believed myself, and thought I was somebody else...

Offline zorm

  • Hero Member
  • *****
  • Posts: 591
    • View Profile
    • Zorm's Page
Re: Virus Development
« Reply #71 on: September 19, 2005, 11:04:46 pm »

Quik compiled some "evil" code on my machine (d.c).

Not only did it succeed in consuming all of my memory (very noticeable when programs start crashing) AND spawn a root shell (I guess this is harmless), he now had full access to my system. With full access, a quick rm -rf / and everything is gone. Very noticeable indeed.

I think it's safer to say that with Linux, it's harder to hide the virus. A lot harder. A Linux virus, even if it corrupts ps, won't corrupt /proc more than likely, so hiding itself is virtually useless.
newby@impaler:~$ echo "There are really" `ls -d /proc/* | grep [0-9] | wc -l` "processes running on my boxen." ;
echo "ps tells me there are" `ps aux | wc -l` "processes running. Hmm.."
There are really 145 processes running on my boxen.
ps tells me there are 145 processes running. Hmm..

When they don't show up evenly, you know there is something wrong with your system.

Also, most linux viruses, to my knowledge, are just exploits that end up crashing your system or spawning some root shell which will cat /dev/urandom > every drive outputted in df -h, which is hard to not notice.

I had a virus on my Win98 ME box once. The only reason I knew I had one is because netstat returned something connected to 6667. I didn't use IRC at the time.

Hmm... the process list looks normal. ??? What could it be?

I had to reformat to get rid of it.

* Newby shrugs.

How many users are going to actually compare the output of ps and /proc? Most normal users aren't going to do that and as such a virus would have an easy time hiding. Compared to windows where Blaster and the other recent worm have triggered reboots that notify the user via a dialog making it insanely hard to miss that something is wrong.

Quote from: iago
It's easy to hide code on both Windows and Linux, and on every other OS that I know of.  Once malicious code gets into your machine, there's really no way to guarentee that it's ever gone.  If anybody asks me what to do after they get a virus or something, I tell them to format.  That's the only way to be sure.

The trick is, to hide code, you generally need to do kernel modification (a rootkit, or kernel module, or system driver, or anything like that).  On Windows, every use (almost) runs as Administrator, so any malicious program can do that.  On Linux, most users run at the user level, so it would be harder to hide malicious code.  But still possible, though, since you can hide malicious code (as a few examples) as a Firefox extension, as a Gaim plugin, and probably a dozen other places.  But at least, when you're a user, you can't hide it in program executables (infecting /usr/bin/ls or C:\windows\sytem32\explorer.exe, or wherever explorer is, is evil).

To summarize: if you're running as root/administrator, on either Windows or Linux, there are tons of places to hide evil code, it's game over.
If you're running as a user, it's more difficult, but still possible.

Actually the method im thinking of would infect explorer but as far as I know doesn't require administrator or even write access to explorer.exe only to c:\. I still say the average user is more likely to notice an infection on Windows simply because of the way it is setup for simplicity.

Quote from: Blaze
One of my friends made a blizzard specific virus, which hooked the logging in of diablo2 and starcraft and stole the login, password and cdkey.  It created files in the C:\windows\font folder.  Windows is really gay with that folder, not letting you see the contents of it other then fonts.  It then infected scvhost.  It has a remote control program 'Minimo'(?), and was pretty good for undectable.  Nortan, macafee, avg, nod32 didn't find anything wrong with it, and he got lots of diablo 2 characters and items, and cdkeys too.  Written in C++ (I have the source) and very light weight.

You should clarify, its not Windows messing with c:\windows\font but Explorer. Also small viruses tend not to be picked up by major antivirus software. I suspect you'd have to infect x many people with x being in the thousands to hundreds of thousands range before they start trying to detect you.
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

Offline Blaze

  • x86
  • Hero Member
  • *****
  • Posts: 7136
  • Canadian
    • View Profile
    • Maide
Re: Virus Development
« Reply #72 on: September 19, 2005, 11:16:23 pm »
And explorer is a part of windows.

You're probably right about the rate.

When I do a virus scan, I want to scan my files for anything that could be malicious, and if something is found, bring it to my attention.  I know how long this would take but I've got all night to do it.  There is nothing worse then a false sense of security..
And like a fool I believed myself, and thought I was somebody else...

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Virus Development
« Reply #73 on: September 20, 2005, 12:04:28 am »
Actually the method im thinking of would infect explorer but as far as I know doesn't require administrator or even write access to explorer.exe only to c:\. I still say the average user is more likely to notice an infection on Windows simply because of the way it is setup for simplicity.

Well, there's always the "C:\program.exe" attack vector.  Does that still work?


Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Virus Development
« Reply #74 on: September 20, 2005, 01:01:57 am »
How many users are going to actually compare the output of ps and /proc? Most normal users aren't going to do that and as such a virus would have an easy time hiding. Compared to windows where Blaster and the other recent worm have triggered reboots that notify the user via a dialog making it insanely hard to miss that something is wrong.

Uh, ones that know something is wrong with their system are going to compare ps and /proc. If they don't know about /proc, they don't know much about Linux.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT.