The giant black book of computer viruses

Document information

This is an English-language book for IT people specializing in security and programming. It is suitable for anyone passionate about information technology who wants to learn about security and programming.

The Giant Black Book of Computer Viruses
Mark Ludwig

WARNING

This book contains complete source code for live computer viruses which could be extremely dangerous in the hands of incompetent persons. You can be held legally liable for the misuse of these viruses. Do not attempt to execute any of the code in this book unless you are well versed in systems programming for personal computers, and you are working on a carefully controlled and isolated computer system. Do not put these viruses on any computer without the owner's consent.

"Many people seem all too ready to give up their God-given rights with respect to what they can own, to what they can know, and to what they can do for the sake of their own personal and financial security. Those who cower in fear, those who run for security have no future. No investor ever got rich by hiding his wealth in safe investments. No battle was ever won through mere retreat. No nation has ever become great by putting its citizens' eyes out. So put such foolishness aside and come explore this fascinating new world with me." From The Giant Black Book

The Giant Black Book of Computer Viruses
by Mark Ludwig
American Eagle Publications, Inc.
Post Office Box 1507
Show Low, Arizona 85901
1995

(c) 1995 Mark A. Ludwig
Front cover artwork (c) 1995 Mark Forrer
All rights reserved. No portion of this publication may be reproduced in any manner without the express written permission of the publisher.
Table of Contents

Introduction 1
Computer Virus Basics 13

Part I: Self Reproduction
The Simplest COM Infector 17
Companion Viruses 39
Parasitic COM Infectors: Part I 51
Parasitic COM Infectors: Part II 69
A Memory-Resident Virus 87
Infecting EXE Files 99
Advanced Memory Residence Techniques 113
An Introduction to Boot Sector Viruses 131
The Most Successful Boot Sector Virus 153
Advanced Boot Sector Techniques 171
Multi-Partite Viruses 193
Infecting Device Drivers 213
Windows Viruses 229
An OS/2 Virus 261
UNIX Viruses 281
Source Code Viruses 291
Many New Techniques 319

Part II: Anti-Anti-Virus Techniques
How a Virus Detector Works 325
Stealth for Boot Sector Viruses 351
Stealth Techniques for File Infectors 367
Protected Mode Stealth 391
Polymorphic Viruses 425
Retaliating Viruses 467
Advanced Anti-Virus Techniques 487
Genetic Viruses 509
Who Will Win? 521

Part III: Payloads for Viruses
Destructive Code 535
A Viral Unix Security Breach 561
Operating System Secrets and Covert Channels 569
A Good Virus 591

Appendix A: Interrupt Service Routine Reference 645
Appendix B: Resources 660
Index 663

And God saw that it was good. And God blessed them, saying “Be fruitful and multiply, fill the earth and subdue it.” Genesis 1:21,22

Introduction

This book will simply and plainly teach you how to write computer viruses. It is not one of those all too common books that decry viruses and call for secrecy about the technology they employ, while curiously giving you just enough technical details about viruses so you don’t feel like you’ve been cheated. Rather, this book is technical and to the point. Here you will find complete sources for plug-and-play viruses, as well as enough technical knowledge to become a proficient cutting-edge virus programmer or anti-virus programmer.

Now I am certain this book will be offensive to some people. Publication of so-called “inside information” always provokes the ire of those who try to control that information.
Though it is not my intention to offend, I know that in the course of informing many I will offend some. In another age, this elitist mentality would be derided as a relic of monarchism. Today, though, many people seem all too ready to give up their God-given rights with respect to what they can own, to what they can know, and to what they can do for the sake of their personal and financial security. This is plainly the mentality of a slave, and it is rampant everywhere I look. I suspect that only the sting of a whip will bring this perverse love affair with slavery to an end. I, for one, will defend freedom, and specifically the freedom to learn technical information about computer viruses. As I see it, there are three reasons for making this kind of information public:

1. It can help people defend against malevolent viruses.
2. Viruses are of great interest for military purposes in an information-driven world.
3. They allow people to explore useful technology and artificial life for themselves.

Let’s discuss each of these three points in detail . . . .

Defense Against Viruses

The standard paradigm for defending against viruses is to buy an anti-virus product and let it catch viruses for you. For the average user who has a few application programs to write letters and balance his checkbook, that is probably perfectly adequate. There are, however, times when it simply is not. In a company which has a large number of computers, one is bound to run across less well-known viruses, or even new viruses. Although there are perhaps 100 viruses which are responsible for 98% of all virus infections, rarer varieties do occasionally show up, and sometimes you are lucky enough to be attacked by something entirely new. In an environment with lots of computers, the probability of running into a virus which your anti-virus program can’t handle easily is obviously higher than for a single user who rarely changes his software configuration.
Firstly, there will always be viruses which anti-virus programs cannot detect. There is often a very long delay between when a virus is created and when an anti-virus developer incorporates proper detection and removal procedures into his software. I learned this only too well when I wrote The Little Black Book of Computer Viruses. That book included four new viruses, but only one anti-virus developer picked up on those viruses in the first six months after publication. Most did not pick up on them until after a full year in print, and some still don’t detect these viruses. The reason is simply that a book was outside their normal channels for acquiring viruses. Typically anti-virus vendors frequent underground BBS’s, trade among each other, and depend on their customers for viruses. Any virus that doesn’t come through those channels may escape their notice for years. If a published virus can evade most for more than a year, what about a private release?

Next, just because an anti-virus program is going to help you identify a virus doesn’t mean it will give you a lot of help getting rid of it. Especially with the less common varieties, you might find that the cure is worse than the virus itself. For example, your “cure” might simply delete all the EXE files on your disk, or rename them to VXE, etc.

In the end, any competent professional must realize that solid technical knowledge is the foundation for all viral defense. In some situations it is advisable to rely on another party for that technical knowledge, but not always. There are many instances in which a failure of data integrity could cost people their lives, or could cost large sums of money, or could cause pandemonium. In these situations, waiting for a third party to analyze some new virus and send someone to your site to help you is out of the question. You have to be able to handle a threat when it comes, and this requires detailed technical knowledge.
Finally, even if you intend to rely heavily on a commercial anti-virus program for protection, solid technical knowledge will make it possible to conduct an informal evaluation of that product. I have been appalled at how poor some published anti-virus product reviews have been. For example, PC Magazine’s reviews in the March 16, 1993 issue [1] put Central Point Anti-Virus in the Number One slot despite the fact that this product could not even complete analysis of a fairly standard test suite of viruses (it hung the machine) [2] and despite the fact that this product has some glaring security holes which were known both by virus writers and the anti-viral community at the time, [3] and despite the fact that the person in charge of those reviews was specifically notified of the problem. With a bit of technical knowledge and the proper tools, you can conduct your own review to find out just what you can and cannot expect from an anti-virus program.

[1] R. Raskin and M. Kabay, “Keeping up your guard”, PC Magazine, March 16, 1993, p. 209.
[2] Virus Bulletin, January, 1994, p. 14.
[3] The Crypt Newsletter, No. 8.

Military Applications

High-tech warfare relies increasingly on computers and information. [4] Whether we’re talking about a hand-held missile, a spy satellite or a ground station, an early-warning radar station or a personnel carrier driving cross country, relying on a PC and the Global Positioning System to navigate, computers are everywhere. Stopping those computers or convincing them to report misinformation can thus become an important part of any military strategy or attack.

In the twentieth century it has become the custom to keep military technology cloaked in secrecy and deny military power to the people. As such, very few people know the first thing about it, and very few people care to know anything about it. However, the older American tradition was one of openness and individual responsibility.
All the people together were the militia, and standing armies were the bane of free men. In suggesting that information about computer viruses be made public because of its potential for military use, I am harking back to that older tradition. Standing armies and hordes of bureaucrats are a bane to free men. (And by armies, I don’t just mean Army, Navy, Marines, Air Force, etc.) It would seem that the governments of the world are inexorably driving towards an ideal: the Orwellian god-state. Right now we have a first lady who has even said the most important book she’s ever read was Orwell’s 1984. She is working hard to make it a reality, too. Putting military-grade weapons in the hands of ordinary citizens is the surest way of keeping tyranny at bay. That is a time-honored formula. It worked in America in 1776. It worked in Switzerland during World War II. It worked for Afghanistan in the 1980’s, and it has worked countless other times. The Orwellian state is an information monopoly. Its power is based on knowing everything about everybody. Information weapons could easily make it an impossibility.

[4] Schwartau, Win, Information Warfare, (Thunder’s Mouth, New York:1994).

[...] because it just hastens the entropic death of the universe. I say all of this not because I have a bone to pick with ecologists. Rather I want to apply the same reasoning to the world of computer viruses. As long as one uses only financial criteria to evaluate the worth of a computer program, viruses can only be seen as a menace. What do they do besides damage ...

[...] of good reasons why fiat creation can’t occur. In the world of bits and bytes, many of these philosophical conundrums just disappear. (The fiat creation of computer viruses [6] occurs all the time, and it doesn’t ruffle anyone’s philosophical feathers.)

[6] Please refer to my other book, Computer Viruses, Artificial Life and Evolution, for a detailed discussion of these matters.

[...] In view of these ...

[...] reproduce and escape. There are some very nasty non-resident COM infectors floating around in the underground. They are nasty because they contain nasty logic bombs, though, and not because they take the art of virus programming to new highs. There are three major types of COM infecting viruses which we will discuss in detail in the next few chapters. They are called: ...

[...] do. The other registers must be set up differently, depending on what ah is, to convey more information to DOS about what it is supposed to do. In the above example, the ds:dx register pair is used to point to the memory location where the name of the file to open is stored. Setting the register al to zero tells DOS to open the file for reading only. All of the ...

[...] in the next few chapters. They are called:

1. Overwriting viruses
2. Companion viruses
3. Parasitic viruses

If you can understand these three simple types of viruses, you will already understand the majority of viruses being written today. Most of them are one of these three types and nothing more. Before we dig into how the simplest of these viruses, the overwriting virus, works, let’s take an in-depth look ...

[...] the Tax Break, has actually been proposed, and it may exist.

Computational Exploration

Put quite simply, computer viruses are fascinating. They do something that’s just not supposed to happen in a computer. The idea that a computer could somehow “come alive” and become quite autonomous from man was the science fiction of the 1950’s and 1960’s. However, with computer ...

[...] contains the most significant bits of the address, and an offset register, which contains the least significant bits. The segment register points to a 16 byte block of memory, and the offset register tells how many bytes to add to the start of the 16 byte block to locate the desired byte in memory. For example, if the ds register is set to 1275 Hex and the bx register is set to 457 Hex, then the physical ...

[...] probably delete it and that will be the end of it. It won’t get very far. Not so, the computer virus, because it attaches itself to otherwise useful programs. The computer user will execute these programs in the normal course of using the computer, and the virus will get executed with them. In this way, viruses have gained viability on a world-wide scale. Actually, the term computer virus is a misnomer. It was ...

[...] [hex dump of the PSP command tail “Hello there!” omitted] At 80H we find the value 0EH, which is the length of “Hello there!”, followed by the string itself, terminated by 0DH. Likewise, the PSP contains the address of the system environment, which contains all of the “set” variables contained in AUTOEXEC.BAT, as well as the path which DOS searches for executables when you type a name at the command ...

[...] self-reproduction. They are payloads—add ons—to the self-reproducing code. When I say that computer viruses are not inherently destructive, of course, I do not mean that you don’t have to watch out for them. There are some virus writers out there who have no other goal but to destroy the data on your computer. As far as they are concerned, they want their viruses to be memorable experiences for you. They’re nihilists, ...

Posted: 19/03/2014, 13:43

Contents

  • Contents

  • Introduction

  • Computer Virus Basics

  • The Simplest COM Infector

  • Companion Viruses

  • Parasitic COM Infectors: Part I

  • Parasitic COM Infectors: Part II

  • A Memory Resident Virus

  • Infecting EXE Files

  • Advanced Memory Residence Techniques

  • An Introduction to Boot Sector Viruses

  • The Most Successful Boot Sector Virus

  • Advanced Boot Sector Techniques

  • Multi-Partite Viruses

  • Infecting Device Drivers

  • Windows Viruses

  • An OS/2 Virus

  • Unix Viruses

  • Source Code Viruses

  • Many New Techniques
