Full Disclosure mailing list archives
Narmacil project : The super worms : does it already exist?
From: khaalel <khaalel () gmail com>
Date: Fri, 25 Feb 2005 10:44:05 +0100
Hello,

For a few months I have been working on viruses (especially on the evolution of viruses), and I have started to build a small theory (which I called Narmacil) about advanced viruses, which I will post here. My goal is not to help virus writers but to show how viruses can evolve and which methods the super worm (that everybody is waiting for) could use. First, sorry for my (perhaps bad) English!

My goal is to introduce you to 2 types of almost perfect malware that have never been implemented for full-scale use. For information, some projects were nevertheless carried out. This message will not be followed by example code, because I was advised to abandon my perfect worm/virus project and quite simply to publish nothing, because it could create an unjustified panic on the Net and mainly because of the new laws in force (in France, the country where I live).

For those who might be interested, this project followed 6 rules (being able to work on Windows and Unix systems; being invisible/polymorphic; being able to download the parts of code it is missing; being adaptable to all the desires of its creator; being powerful on the infected system; not modifying the system) and a key sentence: "the viruses which have succeeded best (in terms of survival) are those which acquire a certain longevity because they do nothing other than reproduce and remain invisible".

Now the 2 types of worms/viruses of my project.

I] The super worm

It could use 2 golden techniques: "hit-list scanning" and "distributed scanning". Viruses using these techniques also have a routine that makes it possible for the worm/virus to update itself and to be controlled (it then becomes a Trojan horse) using encrypted tunnels encapsulated in HTTP.

* Hit-list scanning: the first copy of the worm contains a list of potentially vulnerable machines (a list created by the author of the virus). With each duplication it transmits half of the list to the new worm it creates, then removes the bequeathed part from its own code, and so on with each new duplication. By combining this with another technique, which consists of integrating a very large amount of obfuscation code and junk code into the first copy of the worm, with each duplication the newly created worms will take half of the code quoted above. The "hit-list scanning" technique has two advantages: the worm does not really need a polymorphism engine, because each duplication makes it possible to decrease the size of the newly created worms; besides, the code of each newly created worm is different from its creator's (thanks to the obfuscation code).

* Distributed scanning: it differs only very slightly from "hit-list scanning", in that at each duplication the father worm transmits the hit-list in its entirety. Then, by a mechanism of distributed scanning, the worms will make sure that they do not infect a system twice.

II] The multipartite polymorphic malware with a variable and distributed architecture

Then I imagined this new type of malware (I say "imagined" because I have not yet found a malware of this type), at the time when I started to have trouble continuing to code my super worms perfectly (preceding paragraph). Here is its description:

The malware is rather a set of small tools, each one performing a task and being used in everyday life (except the supervisor...). So it has a distributed and variable architecture, because it is composed of small tools (perhaps) already present on the victims' systems (the test I carried out used netcat, wget, nmap, tcpdump, and a program allowing viruses to be put into and extracted from image files (coded for the occasion): in fact it is simply a piece of steganography software). I started from the principle that the victims already have netcat, wget, nmap and an FTP server on their systems. The only tools I will have to introduce onto the target systems are the supervisor and the steganography program.

The goal of this attack is to create a complete virus/worm that cannot be detected and removed by antiviruses; that is why this type of malware uses tools which cannot be detected as viruses and which can pass through antiviral analysis because they are tools used by a lot of people (like nmap: who would have the idea of detecting nmap as a virus?). The only really unknown tool is the supervisor: this tool will drive the other tools (which one can describe as healthy programs) according to its goal (let us not forget that it is a malware). The other tools must be controllable from the shell. The other programs necessary for the attack will be downloaded by FTP (or wget, for example) in a compressed and encrypted form...

By studying the 3 types of antiviral analysis, we see clearly that the supervisor will pass the heuristic and the spectral analyses successfully, because it does nothing but launch programs that all administrators and professionals should use. Knowing that analysis by signature is rather limited, we have the virus which could do great damage on the Net.

This type of malware can be improved in any way one wants, for example: a virus having the same architecture, but where the developed tools are written in a multi-platform language and are compressed/encrypted (some firewalls and antiviruses will not like that, lol). The purpose of the supervisor will be to decompress them, decipher them, launch them, then compress them again and encrypt them with another key.

Well, it's finished. I hope this message will be useful for something, mainly to show antivirus editors that they have to improve their antiviral techniques and that viruses have not finished evolving. As I mentioned above, I have not included the code I had started to write.

PS: I'm working on other methods for advanced viruses, but first, what do you think of the 2 methods this article introduces?

- Gilbert Nzeka (aka Dark Khaalel)
- Author of a French security book ("La protection des sites informatiques face au hacking")
- www.nzeka-labs.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
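An added illustration of the two propagation schemes described in the message above (the list-halving "hit-list scanning" and the full-list "distributed scanning"). This is not code from the original post or from the author's project: it is an abstract propagation model in which targets are plain integers (constructed sample data), no network is touched, and the shared registry in the second function is an assumption standing in for the coordination mechanism the post leaves unspecified. It shows the property the post claims for the halving scheme (every target is handled exactly once with no shared state, in about log2(n) generations) and what the full-list variant costs when the copies do not coordinate.

```python
"""Propagation models for the two hit-list techniques described in the post.

Added illustration, not the original message's code. Targets are integers
(constructed sample data); nothing here contacts a host or a network.
"""
from collections import deque


def spread_partitioned(hit_list):
    """Hit-list scanning with list halving, as the post describes it.

    Every copy infects the first entry it still holds, hands half of the
    remainder to the copy it just created, keeps the other half, and repeats
    until its own list is empty. No shared state is needed: the sub-lists
    are disjoint by construction, so no target is handled twice.

    Returns (infections, max_generation); infections is a list of
    (target, generation, size_of_list_the_new_copy_received) in spawn order.
    """
    queue = deque([("seed", 0, list(hit_list))])  # live copies, breadth-first
    infections = []
    max_generation = 0
    while queue:
        _host, gen, remaining = queue.popleft()
        while remaining:
            target = remaining.pop(0)
            half = len(remaining) // 2
            bequeathed = remaining[:half]   # goes to the new copy
            remaining = remaining[half:]    # the parent keeps the rest
            infections.append((target, gen + 1, len(bequeathed)))
            max_generation = max(max_generation, gen + 1)
            queue.append((target, gen + 1, bequeathed))
    return infections, max_generation


def spread_full_list(hit_list, coordinated):
    """Distributed scanning: every copy carries the whole list.

    With coordinated=False each copy walks the full list on its own, so
    already-infected hosts are attacked again by every later copy. With
    coordinated=True a shared registry (assumed here to be a set; the post
    does not say how copies would actually rendezvous) lets a copy skip
    targets that another copy has already claimed.

    Returns (unique_infections, total_attempts).
    """
    infected = set()
    claimed = set()
    attempts = 0
    queue = deque(["seed"])
    while queue:
        queue.popleft()
        for target in hit_list:
            if coordinated and target in claimed:
                continue
            claimed.add(target)
            attempts += 1
            if target not in infected:   # a host runs one copy, so no respawn
                infected.add(target)
                queue.append(target)
    return len(infected), attempts


if __name__ == "__main__":
    targets = list(range(8))   # constructed sample hit list
    infections, depth = spread_partitioned(targets)
    print("halving: %d infections, %d generations" % (len(infections), depth))
    for coordinated in (False, True):
        unique, attempts = spread_full_list(targets, coordinated)
        print("full list, coordinated=%s: %d unique, %d attempts"
              % (coordinated, unique, attempts))
```

With 8 targets the halving scheme finishes in 3 generations and touches each target once; the seed alone, carrying the largest remainder, infects targets 0, 4, 6 and 7 itself. The full-list variant reaches the same 8 hosts, but without coordination the nine copies (seed plus eight) make 72 attempts for 8 infections, which is exactly the double-infection noise the post's distributed-scan mechanism has to suppress.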