 -=( ---------------------------------------------------------------------- )=-
 -=( Natural Selection Issue #1 ----------- Great Debate : Infection Theory )=-
 -=( ---------------------------------------------------------------------- )=-

 -=( 0 : Contents --------------------------------------------------------- )=-

 0 : Contents
 1 : Introduction
 2 : Active vs Passive
 3 : Devil's Advocate
 4 : Mass vs Targeted
 5 : Devil's Advocate
 6 : Conclusion

 -=( 1 : Introduction ----------------------------------------------------- )=-

 For years, VXers  have debated the  merits of slow  vs fast infectors,  memory
 resident vs direct infectors, and many other different viral infection methods
 and strategies.

 This article proposes several new ways of looking at viruses, which lead to
 some new infection ideas.  As befits a "Great Debate", the ideas were run past
 some of the members of Feathered Serpents to play Devil's Advocate and to get
 a second opinion.

 After countless emails and tens of  hours of IRC "debate" and three  rewrites,
 we highly advise that other virus groups not follow in these footsteps and try
 for similar articles.

 -=( 2 : Active vs Passive ------------------------------------------------ )=-

 What is the main purpose of a virus?  Obviously, it's to spread.  While it may
 be interesting to watch as a virus infects one file after another on a
 computer, one of the things that makes a virus most interesting is its
 ability to get from one computer system to another.

 Typically, the way a virus has done this up to now is to infect as many files
 as possible on a system.  The virus then basically waits: it waits for a user
 to take an infected file and send it to somebody, by email, floppy disk or
 whatever.

 How well does this system work?  Well, if one is to gauge the success of this
 infect-and-wait method by the number of computers infected, then we see
 clearly that viruses have lost their place to worms.  The question
 immediately comes to mind: "why are worms more effective at spreading than
 viruses?"

 The best reason I can come up with is that worms are active in their own
 propagation - or what I'll call Active Infectors.  Viruses usually are more
 passive and rely on users to spread them - hence Passive Infectors.

 If you think about it, there really is no reason why viruses should play
 second fiddle to worms.  They can do everything worms can do, and because
 they are not stand-alone binaries, they are harder to spot (there is no new
 file to notice) and harder to clean (the host file has to be disinfected, not
 just deleted).  A fast spreading, active, polymorphic or metamorphic virus
 could circle the globe before scanners could reliably pick it up.

 Now, that said, one of the nicest things about viruses is their stealthiness.
 I am of the opinion that stealth should not be compromised for infection.
 Thus, I do not like the idea of viruses which would email themselves with the
 "click virus.jpg.exe for a good time" messages.  Subtlety is important.

 So, to review, here are some of the ways that an active infector could spread:

  : infect all removable media (GetDriveType API - DRIVE_REMOVABLE)
  : infect all network drives (GetDriveType API - DRIVE_REMOTE)
  : use exploits and security holes to upload the virus (preferably to dirs
    which autorun files like C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP)
  : email (either new email, or add attachments to existing email)
  : upload to ftp
  : IRC /dcc send scripts
  : infect shared directories of popular servers like HTTP, FTP, P2P, IRC
    fservs, or files <A HREF>'d by .html files.
  : infect all files accessed by any program with an internet connection

 One would have to point out that infection over the internet is, of course,
 much more effective than infecting floppies.  The most effective method has
 proven to be the use of exploits (Code Red has proven that), but those are
 often difficult to get hold of before patches are widely available.

 Most of the list is self explanatory.  The last two are worth a second look.
 These methods do not result in immediate spreading, but employing them
 maximizes the chance that someone gets an infected file from the infected
 computer.  The astute observer will notice that the last point covers all
 cases of the point above it.  This leads to an interesting infection
 technique...

 Notice that all HTTP, FTP, P2P, and any other kind of server share two
 properties.  First, they use the internet.  That means it is a pretty good
 bet that they import WSOCK32.DLL (or WS2_32.DLL, the Winsock 2 library that
 newer programs link instead).  Second, they have to Find and/or Open files
 before they can send anything anywhere.  This means that if the CreateFile,
 FindFirstFile and FindNextFile APIs are hooked to a routine that infects the
 files, then all files which are sent to anyone using that program will be
 infected.
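 Seen from the other side, the profile just described (a binary that imports
 Winsock and also imports the file-enumeration and open APIs) is exactly what
 a responder looks for when deciding whose import table to inspect for such a
 hook, and reading that import table is the first step.  The Python below is
 an added example, not code from this article or from Feathered Serpents.  It
 builds a constructed, non-runnable PE32 image purely as parser input, walks
 the import directory (descriptor list, INT/IAT thunks, RVA-to-file-offset via
 the section table) and flags the Winsock-plus-file-API profile.  WS2_32.DLL
 and WININET.DLL are included in the network set as an assumption, since
 WSOCK32.DLL is only the oldest of the three.

```python
import struct

# Network DLLs and file-enumeration/open APIs from the text. WS2_32.DLL and
# WININET.DLL are added as an assumption: WSOCK32.DLL is only the oldest one.
NETWORK_DLLS = {"WSOCK32.DLL", "WS2_32.DLL", "WININET.DLL"}
FILE_APIS = {"CreateFileA", "CreateFileW", "FindFirstFileA", "FindFirstFileW",
             "FindNextFileA", "FindNextFileW"}
SEC_RVA, SEC_RAW = 0x1000, 0x200   # one section: file offset 0x200 is mapped at RVA 0x1000


def build_sample_pe(imports):
    """Constructed minimal PE32 image (headers + one section holding only an import
    directory). It is not a runnable program; it exists so the parser has input."""
    body = bytearray(20 * (len(imports) + 1))       # descriptors + all-zero terminator
    descs = []
    for dll, funcs in imports.items():
        name_rvas = []
        for f in funcs:                             # IMAGE_IMPORT_BY_NAME: hint + name + NUL
            body += b"\0" * (-len(body) % 2)
            name_rvas.append(SEC_RVA + len(body))
            body += struct.pack("<H", 0) + f.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0\0\0\0"
        oft = SEC_RVA + len(body)                   # OriginalFirstThunk (import name table)
        body += thunks
        ft = SEC_RVA + len(body)                    # FirstThunk (IAT; identical on disk)
        body += thunks
        dll_rva = SEC_RVA + len(body)
        body += dll.encode() + b"\0"
        descs.append((oft, 0, 0, dll_rva, ft))
    for i, d in enumerate(descs):
        struct.pack_into("<5I", body, 20 * i, *d)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0, 0, 0, 0, SEC_RVA, SEC_RVA, SEC_RVA, 0x400000,
                      0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x2000, SEC_RAW, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8, SEC_RVA, 20 * (len(imports) + 1))  # dir[1] = imports
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(body), SEC_RVA, len(body),
                       SEC_RAW, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + opt + bytes(dirs) + sect
    return headers + b"\0" * (SEC_RAW - len(headers)) + bytes(body)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {DLL name (upper-cased): [imported symbols]} from a PE32/PE32+ file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    thunk_fmt, ord_flag = ("<Q", 1 << 63) if pe32plus else ("<I", 1 << 31)
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    sections = []
    for i in range(nsec):    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rsize), rptr))

    def off(rva):                                   # RVA -> file offset via the section table
        for va, size, rptr in sections:
            if va <= rva < va + size:
                return rva - va + rptr
        raise ValueError(f"RVA {rva:#x} maps to no section")

    imports, d = {}, off(imp_rva)
    while True:                                     # one IMAGE_IMPORT_DESCRIPTOR per DLL
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, d)
        if name_rva == 0:
            break
        names, t = [], off(oft or ft)               # walk the INT (or the IAT if no INT)
        while True:
            entry = struct.unpack_from(thunk_fmt, data, t)[0]
            if entry == 0:
                break
            names.append(f"#{entry & 0xFFFF}" if entry & ord_flag     # import by ordinal
                         else _cstr(data, off(entry) + 2))             # skip the 2-byte hint
            t += struct.calcsize(thunk_fmt)
        imports[_cstr(data, off(name_rva)).upper()] = names
        d += 20
    return imports


def triage(imports):
    """True when the binary both talks to the network and enumerates/opens files:
    the profile of a process whose IAT a file-infecting hook would target."""
    net = sorted(NETWORK_DLLS & set(imports))
    apis = sorted(FILE_APIS & {f for fs in imports.values() for f in fs})
    return bool(net and apis), net, apis


if __name__ == "__main__":
    sample = build_sample_pe({"WSOCK32.DLL": ["send", "recv"],
                              "KERNEL32.DLL": ["FindFirstFileA", "FindNextFileA", "CreateFileA"]})
    print(triage(parse_imports(sample)))
```

 On a live system the follow-up check is to compare each flagged process's
 in-memory IAT entry for CreateFile/FindFirstFile/FindNextFile against the
 export address in the loaded kernel32; an entry pointing anywhere else is the
 hook described above.  That comparison needs a running Windows process, so it
 is not part of this offline example.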

 I believe that it is important for the long term survival of viruses to
 start adopting active infection techniques more widely.  The fact that
 viruses are perceived to be less effective than worms, and even than VBS or
 JS, probably drains coders into these other areas, hence shrinking the pool
 of future virus writers.

 -=( 3 : Devil's Advocate ------------------------------------------------- )=-

 I can understand  the interest in  active infection,  but  it is a  technology
 that doesn't solve any problems, it only creates them.

 A virus will never be smart or subtle enough to decide how it should escape a
 host and reach another.  Self-initiated acts unrelated to user actions arouse
 immediate suspicion, both in technology indicators and people themselves.

 Code Red was a good example: it was a bright burning light of active
 infection for a few days before it aroused so much interest that antivirus
 software obliterated any chance it ever had of infiltrating high security
 installations (and staying there undetected).

 To take our example further, the same behaviour is seen time and time again in
 Tierra where a virus will become so successful that it outproduces the hosts
 and forces itself to near extinction.  Now think of biological viruses, which
 live longer?  Something active like Ebola, or passive like Herpes?

 -=( 4 : Mass vs Targeted ------------------------------------------------- )=-

 Another way to look at viruses stems from the question:
        "Once the virus is on the system, what should it do now?"

 Most would answer this with "to infect any suitable files it can, of course".
 That is Mass Infection.

 Introducing "Targeted Infection", the alternative approach.

 Targeted infection can be thought of as trying to only infect the files that
 have a chance of escaping the system or will aid the virus in this.  After
 all, if there are 175 files on the computer, is there a need to infect all of
 them?  I mean, is there really a need to fill up a user's hard drive with 175
 copies of the virus when there is a realistic chance of passing along maybe
 only 40 of those files to anyone else?  I just can't see the warez trade of
        C:\WINDOWS\SYSTEM\sucatreg.exe
 as too abundant - what is that file anyway?  Oh well, never mind...

 With each of the additional 135 files, not only do you use up disk space and
 clock cycles by infecting them, but you also stand an increased risk of
 either corrupting some file or running into a file with a self-check, thereby
 calling attention to your virus, which would surely lead to an early demise.
 And if you're concerned about running often enough, you can always infect the
 popular programs too.

 Working under the assumption that infecting the most files possible is not
 necessarily a good idea, you have to target which files you wish to infect
 - thus the name "Targeted Infection".

 The important question remains - which files are the ones that need to be
 infected?  There are two aspects to exactly which files should be infected.

 The first is that only files which  are capable of leaving a system should  be
 infected.  That happens to  overlap with the types  of files described in  the
 active infector  section.  It  also includes  files which  would help keep the
 virus alive  and active  on the  host system  - files  that are run often, and
 preferably every time at startup.

 Probably the best and most overlooked way to infect all popular files on a
 system is to utilize the registry.  A simple scan of the applications
 associated with most file types (the shell\open\command values under
 HKEY_CLASSES_ROOT) will reveal almost all of the often used applications on a
 system, and infecting anything auto-run on startup will keep a virus active
 on every bootup.
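 The registry walk described above is the same walk a responder makes to
 decide which programs on a host are worth baselining, because those are the
 ones that run on every double-click.  The Python below is an added example,
 not the article's own code.  It parses a constructed .reg-format export of a
 few HKEY_CLASSES_ROOT open verbs, resolves each verb to the file it really
 launches (following rundll32 to the DLL it loads, and skipping exefile's
 self-referential "%1"), then hashes the targets so a later run can report
 which of them changed.  The registry text, the %SystemRoot% value and the
 in-memory stand-in for the disk are all constructed; on a real host the same
 parser would be fed a registry export and the read function would open the
 files.

```python
import hashlib
import re

# Constructed .reg-style export of a few HKEY_CLASSES_ROOT open verbs. The keys,
# paths and the %SystemRoot% value are assumptions, not captured from a real host.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\WinZip\shell\open\command]
@="\"C:\\Program Files\\WinZip\\WINZIP32.EXE\" \"%1\""

[HKEY_CLASSES_ROOT\jpegfile\shell\open\command]
@="rundll32.exe C:\\WINDOWS\\System32\\shimgvw.dll,ImageView_Fullscreen %1"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
ENV = {"SystemRoot": r"C:\WINDOWS"}

# Constructed stand-in for the files on disk, keyed by lower-cased path.
FAKE_DISK = {
    r"c:\windows\system32\notepad.exe": b"MZ notepad",
    r"c:\program files\winzip\winzip32.exe": b"MZ winzip",
    "rundll32.exe": b"MZ rundll32",
    r"c:\windows\system32\shimgvw.dll": b"MZ shimgvw",
}


def read_fake(path):
    return FAKE_DISK[path.lower()]


_TOKEN = re.compile(r'\s*(?:"([^"]*)"|(\S+))')


def _pop_token(command):
    """Split the leading command-line token (quoted or bare) from the remainder."""
    m = _TOKEN.match(command)
    if not m:
        return "", ""
    return (m.group(1) if m.group(1) is not None else m.group(2)), command[m.end():]


def _decode_value(reg_string):
    """Undo .reg escaping (backslash-backslash, backslash-quote) and expand %VAR%
    using the assumed environment above."""
    s = re.sub(r"\\(.)", r"\1", reg_string)
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1), m.group(0)), s)


def association_targets(reg_text):
    """Map each open verb to the files it really launches: the executable, plus the
    DLL when that executable is rundll32. exefile's "%1" (the document itself) is skipped."""
    targets, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('@="') and line.endswith('"') and key:
            exe, rest = _pop_token(_decode_value(line[3:-1]))
            if exe.startswith("%1"):
                continue
            files = [exe]
            if exe.lower().endswith("rundll32.exe"):
                files.append(_pop_token(rest)[0].split(",")[0])
            targets[key] = files
    return targets


def baseline(targets, read_file):
    """SHA-256 of every distinct target, taken while the host is believed clean."""
    return {p: hashlib.sha256(read_file(p)).hexdigest()
            for p in sorted({f for fs in targets.values() for f in fs})}


def changed_since(base, read_file):
    """Targets whose current hash differs from the baseline: an infected program or a
    legitimate update, but either way a file that now runs on every double-click."""
    return sorted(p for p, h in base.items()
                  if hashlib.sha256(read_file(p)).hexdigest() != h)


if __name__ == "__main__":
    targets = association_targets(SAMPLE_REG)
    base = baseline(targets, read_fake)
    print(targets)
    print("changed:", changed_since(base, read_fake))
```

 The same list of targets, extended with the Run keys and the Startup folder,
 is the set of files a "targeted" virus has to touch, which is why a hash
 baseline of just those files catches it long before a full-disk scan would.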

 The second aspect to which files should be infected is applicable to both Mass
 and  Targeted  classifications.  It  deals  with which  file  types should  be
 infected.

 People long ago stopped sharing their files by zipping up directories and
 sending them off to a user.  These days, you download a zip file from a
 webpage, decompress it, then run an install program.  In fact, it is often
 very hard to get a program working without the install program - we all know
 the mess installs like to make by dropping needed dlls into random
 directories and fiddling with your registry.  This means it's often futile to
 zip up a directory containing a program and send it to a friend.

 People do often keep copies  of these original packages which  include install
 files, "just in case" of an accident and the need for a re-install arises.  It
 is this copy of  the archive that they'd  most likely pass on  to others. That
 also means that a virus could be rampant on their system and have infected the
 program, but the  person who gets  the archive has  nothing to worry  about as
 they get a clean copy. Thus, in the interest of fairness :-P,  it is necessary
 to start infecting archives.

 To infect, say, a zip file, it will either be necessary to have some minimal
 knowledge of the file format and write a compressor/decompressor, or to use
 the compressor available on the system.  If you choose the easy way out and
 decide to try and find WinZip on the system, then you can locate the
 directory you need by parsing the open command associated with .zip files in
 the registry, and then drive WinZip from there.

 After being able to compress/view/decompress - in short, use - the archives
 of your choice, you have one of two choices.  Create a fake install.exe or
 setup.exe program (that calls the old one if present), or simply decompress
 all exe files in the archive, infect them, then update the archive.  Beware
 of the larger setup.exe files - decompressing, rewriting and recompressing
 them is sometimes a slow process, and a delay of that kind is something a
 user may notice.
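 Both archive-infection options just described (a replacement setup.exe that
 runs the renamed original, or every .exe in the archive re-infected in place)
 change either the member list or the member hashes of the zip, and that is
 what an integrity check on a kept-around package should be looking at.  The
 Python below is an added example, not the article's code.  It builds
 constructed in-memory zip packages, takes a per-member manifest (SHA-256 plus
 whether the member starts with the MZ header), and diffs a trusted manifest
 against the two infected variants, including noticing that the "new"
 executable carries the old installer's hash.

```python
import hashlib
import io
import zipfile


def make_zip(entries):
    """Build an in-memory zip from {member name: bytes}. Constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def manifest(zip_bytes):
    """{member name: (sha256 hex, looks_like_pe)} for every file member of the archive.
    Members are streamed in chunks so a large setup.exe does not have to fit in memory."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
                h = hashlib.sha256(head)
                for chunk in iter(lambda: member.read(1 << 16), b""):
                    h.update(chunk)
            out[info.filename] = (h.hexdigest(), head == b"MZ")
    return out


def executable_changes(old, new):
    """Diff two manifests and report what an archive infector leaves behind:
    members whose content changed, executables that appeared, members that vanished,
    and new members byte-identical to an old member under a different name
    (the renamed original behind a fake setup.exe)."""
    old_by_hash = {digest: name for name, (digest, _) in old.items()}
    report = {"modified": [], "added_executables": [],
              "removed": sorted(set(old) - set(new)), "renamed_original": []}
    for name, (digest, is_pe) in sorted(new.items()):
        if name not in old:
            if is_pe:
                report["added_executables"].append(name)
            if digest in old_by_hash and old_by_hash[digest] != name:
                report["renamed_original"].append((old_by_hash[digest], name))
        elif old[name][0] != digest:
            report["modified"].append(name)
    return report


# Constructed clean package and the two infected variants the text describes.
CLEAN = {"readme.txt": b"Read me first", "setup.exe": b"MZ\x90 real installer",
         "bin/tool.exe": b"MZ\x90 tool", "data/strings.txt": b"hello"}
INFECTED_IN_PLACE = {**CLEAN, "bin/tool.exe": CLEAN["bin/tool.exe"] + b" <viral code>"}
FAKE_INSTALLER = {**CLEAN, "setup.exe": b"MZ\x90 launcher that runs setup_.exe",
                  "setup_.exe": CLEAN["setup.exe"]}


if __name__ == "__main__":
    trusted = manifest(make_zip(CLEAN))
    for label, pkg in (("in-place", INFECTED_IN_PLACE), ("fake installer", FAKE_INSTALLER)):
        print(label, executable_changes(trusted, manifest(make_zip(pkg))))
```

 The trusted manifest is the weak point of this check: it has to come from
 somewhere the virus cannot reach, such as hashes published by the program's
 author or a copy taken before the host was exposed.  A manifest recomputed on
 an already infected machine proves nothing.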

 Time is proving that ideas in viruses have to be re-examined.  Viruses of  the
 future will have to adapt.  I think the most important part of that is for all
 viruses  to  infect  archives.    Polymorphic  Active  Infectors  that  infect
 archives are probably what will prove to be the best way for a virus to spread
 in the coming years.

 -=( 5 : Devil's Advocate ------------------------------------------------- )=-

 I agree with Targeted Infection in whatever aspect avoids infecting bait files,
 but purposely excluding other files just because they probably will not leave
 the system in a warez package is bad for business.

 For polymorphic and metamorphic viruses, every  copy of the virus is an  extra
 chance  of survival  because of  the less-than-perfect  detection methods used
 by some scanners.

 Also, zip files are fairly common, but how many end users really understand
 what they are or how to use them?  A large majority of non-warez programs
 downloadable from the internet come in self-extracting archives rather than
 straight files, and so viruses relying on this brand of Targeted Infection
 are probably going to go hungry.

 -=( 6 : Conclusion ------------------------------------------------------- )=-

 Viruses are no longer spreading as well as they used to.  Things like worms
 and mass mailers are taking center stage.  Since asm viruses are a lot more
 advanced code than 20 or so lines of VBS or JS, it is rather silly that they
 are not more effective at spreading than those are.  It might be time to
 re-examine some of the old ways of infection, and determine if they are still
 effective in the world today.  If this debate made you think about that, then
 it has done its job.

 -=( ---------------------------------------------------------------------- )=-
 -=( Natural Selection Issue #1 --------------- (c) 2002 Feathered Serpents )=-
 -=( ---------------------------------------------------------------------- )=-
