Question regarding future viruses ..
Agent_Steal
November 24th, 2003, 08:53 AM
This is just something that I was pondering for a while. Could it be possible that in a couple of years from now virus writers create a virus which uses steganography methods to hide itself? For example, the virus resides and hides in data files like images, music, or movie files. I think that this would be a great technique for a virus to hide itself from detection. Also a very powerful method for the virus to be distributed.
Let's just say a virus writer creates a virus that uses steganography methods to hide the virus. The file is uploaded on to a P2P network, where unsuspecting users download it. The file is downloaded, and then opened. Once opened, the virus finds a way to extract itself from the data file and begins its work. Another thing: could it be possible for a virus writer to also incorporate his own steganography engine that would allow the virus to insert itself into a data file contained within the user's drive? For example, once the user has been infected, to avoid detection the virus searches for a data file, preferably a music file, to hide itself, thus allowing it to do further damage. Now if this is possible that would open up the door to new key loggers, worms, trojans etc ... to be able to be hidden and propagated throughout the internet in a more lethal way.
Now that's just my own thoughts and I was just wondering what do you guys think? ...
Striek
November 24th, 2003, 09:03 AM
That's not my biggest fear. Mine would be artificially intelligent viruses which discover which attacks work against them and then rewrite their own code to hide themselves better. Bring that concern to the level of paranoia, and one sees end-of-the-world type scenarios normally the realm of Isaac Asimov and Steven Spielberg.
I think it would be tough to steganographically hide them though, because at this point, I do not think steganographically embedded code can execute itself unless it's decoded. But that could easily change.
Agent_Steal
November 24th, 2003, 09:57 AM
Now A.I. viruses is something that I never thought about. As for A.I. virus methods, I am thinking along the line of a virus which can learn and be able to adapt to its residential environment in a system[s]. Like for example a virus which would be virtually able to take into account the operating system specs, type, programs being employed by that system etc ... This would allow the virus to be able to adjust its behaviour according to the current environment in which it resides. For example, the virus would have the ability to quickly adjust to any new settings applied to the environment: new programs being installed, changed, deleted or even modified and updated. That I think would really change the playing field and give the virus a huge advantage. Except that if you take into consideration the programming which would be required to produce a virus like that, that would be a feat in itself.
Another method that I was thinking about as well would be a multi-protocol virus. Because so far most current and modern viruses use their own SMTP engines. Some might still use the classic MAPI class method but I doubt it. While there are other viruses that use an advanced technique called API hooking. If you really notice, a lot of these viruses use the main network protocols. I was wondering, do you guys think that in the future or coming years people will decide to use other protocols such as IPX/SPX? NetBIOS? Or even SMB? With more protocols to choose from it would allow the virus to further spread and infect more systems. Also making it more tricky to detect. Something real scary would be an artificial intelligence worm which uses steganography to conceal itself and uses its A.I. to propagate and defend itself against firewalls, IDS, A.V. products and maybe other things as well. Not that I see it happening anytime soon, it's just something that I was just wondering about ...
------------------------------------------------------------------------------------------------------------------------
In my opinion I compare viruses and anti-virus software to "Core Wars".
"Core Wars is a game played by two or more programs (and vicariously by their authors) written in an assembly language called Redcode and run in a virtual computer called MARS (for Memory Array Redcode Simulator). The object of the game is to cause all processes of the opposing program to terminate, leaving your program in sole possession of the machine."
Basically the point is that virus writers and a.v. software creators are always at war [the battlefield is your computer, networks & the "Internet"], each always trying to outsmart one another. One developing new methods to do nothing but cause havoc while the other is a doctor doing his best to find new methods and cures to stop these attacks and doing his best to cure your computers in the process.
To learn a little more about "Core Wars" just click on the link below:
http://mcraeclan.com/Graeme/CoreWars.htm
SirDice
November 24th, 2003, 11:43 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by Agent_Steal
Could it be possible that in a couple of years from now virus writers create a virus which uses Steganography methods to hide itself? For example the virus resides and hides in data files like images, music, or movie files. I think that this would be a great technique for a virus to hide itself from detection. Also a very powerful method for the virus to be distributed.
This would basically mean there's a flaw in the program used to view these files. This flaw would only be exploitable in this particular viewer. Anybody using a different viewer wouldn't get infected. Unless both programs use the same flawed algorithm to decode the file.
Most multimedia files like this cannot contain active content so it isn't going to happen. Unless of course you use the formats MS creates. A lot of these allow active content and thus make them a potential virus carrier.
Some viruses already use techniques to hide themselves. To make detection difficult the virus is able to change itself (thereby changing its 'signature'). This is called a polymorphic virus. Other viruses try to hide themselves once active. These are the stealth viruses. The worst ones use all of these techniques.
PM8228
November 24th, 2003, 01:59 PM
Originally posted by SirDice
Some viruses already use techniques to hide themselves. To make detection difficult the virus is able to change itself (thereby changing its 'signature'). This is called a polymorphic virus. Other viruses try to hide themselves once active. These are the stealth viruses. The worst ones use all of these techniques.
You forget "armored" viruses that employ certain techniques to prevent removal.
Polymorphic and all those are not good, but as previously stated a virus with true AI would be.
Originally posted by Agent_Steal
Now A.I. viruses is something that I never thought about. As for A.I. virus methods I am thinking along the line of a virus which can learn and be able to adapt to its residential environment in a system[s]. Like for example a virus which would be virtually able to take into account the operating system specs, type, programs being employed by that system etc ... This would allow the virus to be able to adjust its behaviour according to the current environment in which it resides. For example, the virus would have the ability to quickly adjust to any new settings applied to the environment. New programs being installed, changed, deleted or even modified and updated. That I think would really change the playing field and give the virus a huge advantage.
Viruses already do that. That is not AI. That is what a good/many viruses will do. AI does not mean self modifying, self updates, searching for new exploits, no. AI is when a virus becomes self aware, then you have issues. If it could simulate human thinking, even to a limited extent, that would make the problem so much harder. As my ecology teacher says, "Adapt, migrate or die." Most will die, but with limited AI, it will most likely have the first basic instinct, survival.
-Cheers-
PS: Kind of cool, but I do not think true AI has been developed yet.
Striek
November 24th, 2003, 02:11 PM
What about viruses also designed to give false information to routers and scanners requesting patch level and antivirus update information. (Article here (http://www.enterpriseitplanet.com/security/news/article.php/3111341)) This would knock the pants off Cisco's new "self-defending" networks, and it wouldn't be hard for them to do this to an unpatched system somehow, which are exactly the systems these networks defend against by not allowing access.
nihil
November 24th, 2003, 03:47 PM
Hi,
The steganography approach has already been done? I seem to recall a proof of concept virus about 2 years ago called "runonce" or "onetime" or something like that. It was a .jpg but also had its own reader. It did work, but only on one computer, it could not replicate.
I also remember a proof of concept virus that would attack NT4 and commercial Unix flavours. I cannot remember what it was called, but I was worried at the time because we were running Windows on the desktops but had Unix servers for Citrix and the e-mail system, and some of the apps.
Nothing ever came of these, which I put down to the environment not being right at the time?
The worst viruses are those that do things by degrees?.................corrupt a file every 37 minutes, randomly change "9" for "7" and so on. They are nibbling away at the system, so it could be one hell of a job to work out what restore you have to go back to. Obviously they reset their file data to the system date and time each time that they run.
I am talking about commercial environments here.
Just a few thoughts
souleman
November 24th, 2003, 03:58 PM
The steganography virus. Well, a word macro virus is kinda like that. The one that nihil is referring to is the closest thing that has been out there, but there was a major flaw in it. Like he said, the jpg had its own reader. If you didn't have the reader installed on your system, then you didn't get the virus.
A jpg, mov, mp3, etc doesn't get executed, only read. When you "open" a jpg, you are actually running photoshop (or whatever image program shows you the picture). Same thing with mp3 and avi and etc, etc, etc.
The second one that nihil mentioned, about the NT4/unix system exploited a little known feature on nt4/nix that isn't on 9x machines. Every file on NT has the ability to attach a second file to it. I don't remember the actual name of what it is called though. When you look at a directory list, you might see the file nakedchixor.jpg. But if you look at the properties of the file, you would see nakedchixor.jpg|something.exe. Now, every time, on an NT system, that you double click nakedchixor.jpg, you also run the linked file. So if this file was a virus... you get the idea. At least I think that is the one that nihil is talking about.
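The "second file attached" feature souleman describes is what NTFS calls an alternate data stream. As an added example (not from the thread or any poster), the PowerShell below shows how a defender can list every file under a folder that carries a stream other than the normal ':$DATA' one; it assumes PowerShell 3.0 or later on an NTFS volume, and builds its own throwaway sample file in a temp directory so it can be run without touching real data.

```powershell
# Added example: enumerate NTFS alternate data streams for inspection.
# Assumes PowerShell 3.0+ on Windows with an NTFS volume.

function Get-HiddenStreams {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns every stream on the file, including the
            # ordinary ':$DATA' stream; anything else is an alternate stream.
            # Note that 'Zone.Identifier' is a common, benign one written by
            # browsers and mail clients to mark downloaded files.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object FileName, Stream, Length
}

# Constructed sample: a fake "picture" with a second stream attached to it.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$sample = Join-Path $demo 'picture.jpg'
Set-Content -Path $sample -Value 'not really a jpeg'
Set-Content -Path $sample -Stream 'hidden.txt' -Value 'second stream'

# A directory listing shows only picture.jpg; the stream listing shows both.
Get-ChildItem -Path $demo | Format-Table Name, Length -AutoSize
Get-HiddenStreams -Path $demo | Format-Table -AutoSize

# Remove the constructed sample again.
Remove-Item -Recurse -Force $demo
```

On a real system, run Get-HiddenStreams against user profile or download folders and review any stream that is not Zone.Identifier.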
PM8228
November 24th, 2003, 04:01 PM
Nihil, I always thought that most viruses written by companies would steal information or have a trojan, then corrupt/destroy everything. After all, a competing company would gain much more from the information and destruction than just destruction. I suppose the worst viruses are the ones that kill people, like ebola.
-Cheers-
PS: Ebola can not be transmitted via computer, so don't tweak :) Some people might think that and well... Lol
nihil
November 24th, 2003, 04:43 PM
Sorry, PM8228
What I was trying to say was viruses that attack commercial systems. For example gradually screw up accounts payable, accounts receivable, inventory and so on. I was not thinking of "industrial espionage" viruses.
As private users all we need do is f-disk, reload and start again? In a commercial environment that is hardly an option?
Something that gradually corrupts data over time is very difficult to recover from if you don't know when it started. Also if it runs for weeks or months before detection, you have one hell of a data cleansing task in front of you :(
This is the kind of thing you might get from a disgruntled employee (very dangerous, they know the system) or a disgruntled customer?
Cheers
Agent_Steal
November 25th, 2003, 07:09 AM
Nihil I think that the virus that you are talking about is called "W32.Winux" or also known as "W32/Lindose.2132". Please feel free to correct me if I am wrong.
W32.Winux is not a platform-independent virus. W32.Winux's initial injection point must be a Windows machine -- it cannot start by infecting a Linux box. Once it infects a Windows computer though, it starts looking for certain files under the Windows file system and the Linux file systems. When it finds what it's looking for, it opens files and inserts code.
It initially infects a Windows system and seeks out certain Windows files (PE file types, which include .exe files). W32.Winux's uniqueness stems from the fact that it doesn't stop there. After infecting a Windows system, W32.Winux then starts looking through the system for any known Linux files -- for instance, through shared file systems or remote drives. It looks through those for Linux ELF files, which also include Linux system binaries.
Here's a link to learn a little more about it ...
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=99060
Is this the virus which you were talking about ? Will it ever be possible for virus writers to create a collection of viruses which would be able to cripple the Net ? Or would that just be impossible ?
Seeing as technology increases every year and people wanting to have networked homes, I think that this would just give a virus writer another challenge to create a virus which would create quite some chaos. Imagine waking up at 3:00 a.m. to hear your stereo blaring or your tv turned on ... I am probably going a little overboard but who can say that this will not be possible in a couple of years from now ...
nihil
November 25th, 2003, 02:10 PM
Hi, Agent_Steal,
Well done! That is exactly the one I was talking about. April 2001, so I must have read the advisories about 2.5 years ago. I guess the only reason I remember it is because it was so unusual because of its cross platform capabilities. As the write up says it was "proof of concept" and not in the wild.
I do not think that crippling the Net will come from a complex cross platform virus. They would be too complicated to write and too big.
I think that the real danger lies in the structure of the Net itself? Looking back on personal experiences and what I have read (I am talking commercial/institutional environments here) what seems to happen is that one of these things attacks, spreads so far, then the sheer volume of traffic crashes the servers. In the past this has given us the breathing space to do the clean up and patching?
Over the last couple of years there has been a preponderance of mass mailers and network aware worms, exploiting vulnerabilities in operating systems. These spread very rapidly and have caused areas of the Net to collapse under the sheer volume. In a way they are more similar to DoS attacks in that they are more brute force and ignorance than guile and stealth.
So far (thank God!) no-one has managed to bring the two approaches together. The fact that the individual elements of the Net have been unable to cope with the traffic has, perversely, acted as a form of protection.
Today we have PCs running at 3GHz and everyone wants faster and faster connections (Cable, Satellite, ADSL) so we are in fact creating an environment in which the scenario you suggest is more likely? We are providing the environment....it could not have happened in the days of 486s and 14.4 dial-up connections.
Home networking increases the number of infected machines as several recent mass mailers have also been network aware. If you and your brother both have separate machines, you won't be in his address book and vice versa? if you are both on a home network, that protection is gone?
To achieve the disaster you envisage would require subtly infecting a large number of machines Worldwide with a "sleeping" virus, then unleashing it simultaneously. This would crash the net, either through overload or by forcing admins to shut down.
If you want to see something really frightening, look up the analyses of the Magistr virus, in particular the one by Kaspersky Labs. There are some very competent bad guys out there :eek:
Just my £0.02
Sorry for the rant :)
Cheers
PM8228
November 25th, 2003, 03:32 PM
Originally posted by nihil
I think that the real danger lies in the structure of the Net itself?
And Bill Gates wonders why he can't have a monopoly. One virus for all platforms. Hrm.....
Originally posted by nihil
To achieve the disaster you envisage would require subtly infecting a large number of machines Worldwide with a "sleeping" virus, then unleashing it simultaneously. This would crash the net, either through overload or by forcing admins to shut down.
The internet is a collection of everybody's computer that is connected in a huge network, a WAN; basically a larger LAN. The difference is that to connect you need providers. Say you had a LAN setup like this...

          Comp5
            |
  Comp6 --- + --- Comp3 - Comp2 - Comp1 -> Internet
            |
          Comp4

To disable this all you have to do is take down Comp1. The same idea applies to the internet: taking out major providers would basically cripple the internet. That is the downfall of commercializing the internet.
-Cheers-
PS: The network pic sucks.. :) Also, I've never administrated a network, but that does sound like a pain in the ass Nihil.
nihil
November 25th, 2003, 04:04 PM
Hi PM8228,
I see what you are getting at and have read articles about various countries having hundreds of people working in their "cyberwarfare" departments.
That is a bit different to this thread?
1. It is targeted
2. It is funded
3. It requires considerable resources working as a team?
I think that Agent_Steal's scenario is more of a "cluster bomb" than a sniping rifle? I think it will be more a case of ensuring that there are sufficient sources of infection distributed across the Net, than on specific targeting of strategic nodes.
My main reason for this argument is that I don't think that the bad guys are numerous enough or organised enough for global specific targeting. I just hope that I am right, as your scenario would obviously be much more efficient :(
Cheers