--==< Retro the easy way. >==--

                         By MidNyte, February 2000



  What is a Retro-virus?
-------------------------

  A Retro-virus  is  any  virus  that  attacks  antivirus  programs,  whether
generically or just specific programs. It is generally used to disable or fool
one or more of the popular antivirus programs.  For instance,  a certain virus
will detect if  a  certain on-access scanner is in memory,  and will issue the
correct call to shut it down if it is. Another will patch the resident part of
the scanner that decides whether to scan a file or not and makes it decide not
to in all cases.  These are very useful functions,  but  if  you're not of the
ability to be able to work out these methods for yourself,  you  are left with
the choice of: leaving retro-functions out of your virus,  using other peoples
routines (which are therefor not new)  or  trying something different. That is
what this tutorial  is  about,  a  few  simple  ideas  that  will  give  basic
retro-functionality without the need to be too far advanced in coding. All you
need is some basic anti-emulation skills.



  What's the theory?
---------------------

  So how do we get Retro without learning it all? Basically  we find ways  to
annoy the user so much that he does the job of disabling the antivirus program
for us.  If  we  slow  him down when he scans he will probably eventually only
scan overnight, giving us a day to spread.  If  we  make  the program crash he
probably won't bother scanning it again, he'll just add it to the ignore list.
(It's not that uncommon to find a  file that can't be scanned without crashing
on a Microsoft machine :)




  How do we implement it?
--------------------------

  You remember reading that  a  good emulator will  save  it's  place when it
finds a decision-based jump? That way, if the code does a check  of  something
and then quits if the condition is met,  the  emulator  can  just  go back and
pretend the condition  wasn't  met  and see  what  it  can find down the other
branch of the program.  This  is  to  defeat  the  technique  of quitting when
finding  an  emulator.   How  about  we  stop  that?   How  about  we  do  our
anti-emulation bit and then  test  it,  but if we're being emulated instead of
just quitting, we crash the program?  Or  better still, if we're on a pentium,
why not just hang the machine? It's what the 'foof' bug is there for :) If the
machine hangs,  the  antivirus program has no chance to return to the jump and
try the other branch and the user will probably not bother scanning it  again.
If he does,  the  same thing will happen again and again,  the user will never
get a complete scan. Here's  a  rough guide to the code needed,  assuming that
you have in place a suitable emulation-detection routine:


  cmp ax,028h                  ;our test for emulation
  je not_emulated              ;jump if equal
  db 0F0h,00Fh,0C7h,0C8h       ;this will hang most pentium machines, it's
                               ;known as the 'foof bug' for obvious reasons.

not_emulated:                   ;here we are safe from the AV program


  How many end users are going to restart  the computer and try scanning that
file again when the last time it hung the computer?  In  the  Microsoft age of
idiot-friendly operating systems, not many. If they don't know what's going on
and the machine hangs, they just won't do it again.  If  they  do  once,  they
won't twice.  Take  the  virus hoax emails that constantly do the rounds, most
people know better  to  respond and forward the mail,   but the fact that they
carry on spreading shows just how many  idiots  there  are  out  there who are
capable (just about) of using  a  computer.  These are the people who will not
scan your file but simply add it to the ignore list,  leaving  it  to go about
it's business.

  Another method is the time wasted method.  Again it's down  to annoying the
user so much they don't bother scanning. If you can go round enough loops when
you find emulation that the scanner takes minutes just to scan one file,   the
scanner will probably only be  run overnight and taken off constant background
monitoring. That gives you a day to spread, and spread un-noticed.




  Contact
----------

  Comments/questions/suggestions/bug reports/etc. are welcomed as always,  as
long as it is kept reasonable.
                                                                    - MidNyte



 As always, I welcome ANY feedback, good or bad, as long as it is reasonable.

|  [email protected] | www.coderz.org/midnyte | www.shadowvx.com/midnyte  |

You are viewing proxied material from gopher.altexxanet.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.