Assembling the Tools
If anyone wants to learn how to write a virus, they had better start by "assembling", pun intended, their tools. Here is a list of things someone will need to begin writing viruses:
- A computer (*doh*), because it is hard to write programs without one!
- A programming language of some kind, most probably assembly language, not just because viruses are written mostly in assembly language, but also because the novice virus writer will find most source code and tutorials will assume they are using assembly language.
- A list of the opcodes or assembly mnemonics of the processor being targeted. Don't assume that, just because all the programming books list 126 opcodes for a chip, there *are* only 126 opcodes. Some chips have "undocumented" opcodes that don't work right or have weird side effects. The classic example is the Motorola 6800, which had an undocumented opcode nicknamed HCF - Halt and Catch Fire - because it locked up the CPU; the MOS Technology 6502 used in early Apple computers likewise has undocumented opcodes, several of which simply jam the processor until it is reset.
- A disassembler which will turn machine code into human-readable assembly language mnemonics. This will enable the novice virus writer to turn any live viruses they capture back into a computer program that they can read and understand.
- A decent machine code debugger. SoftICE seems to be the favourite for PCs, but it depends on the platform the virus is being written for.
- Plenty of anti-virus software, both to protect themselves and to examine for clues on how detection works and how to evade it.
Virus Source Code
Anyone can find virus source code in assembly or other languages very easily on the Internet. Once they have the source code, they can read it and understand how that virus works, or can re-assemble it and get a working virus. That's the theory, but a lot of the so-called virus "source" code kicking around the web isn't, and telling the difference isn't easy unless the novice virus writer is already an expert in assembly language. For example, look at this snippet which purports to be from the STONED virus - the part that checks for infection and then infects the computer if it is not already infected.

Table 10.1: Assembly language fragment of the STONED virus which would infect the hard drive of a computer when run

    PUSH CS
    POP DS
    MOV SI,200H
    MOV DI,0
    LODSW
    CMP AX,[DI]
    JNZ HIDEHD ;Hide real boot sector in hard drive.
    LODSW
    CMP AX,[DI+2]
    JNZ HIDEHD ;Hide real boot sector in hard drive.

Read instruction by instruction, the fragment sets DS to the code segment, then loads the two 16-bit words at offset 200h (LODSW reads from DS:SI and advances SI) and compares each with the word at offset 0 and offset 2 (DS:DI); on the first mismatch it jumps to HIDEHD, the routine that hides the real boot sector and carries out the infection. Note that HIDEHD itself is not in the fragment, so this listing will not assemble on its own; the whole source file is needed.
It looks really impressive, doesn't it? Reading through the assembly source code of the STONED virus, which took me less than five minutes to find on the Internet, it looked *real* enough to me. But to someone who's not a full-time assembly language hacker, the code could have been spurious nonsense, designed to send wannabe virus writers down a blind alley. How am I going to find out whether this is real source code or not? The only way of being sure is to feed the assembly language code into an assembler and turn it into an executable binary of machine code. Once anyone has the binary, they can either compare it byte for byte with a sample of the virus captured in the "wild", or run it and see if it infects their disks. The first check is the safer one, and it is the one anti-virus researchers actually use; anyone who takes the second route should only ever do it on an isolated, disposable machine with no network connection and nothing on its disks they care about.
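As an added illustration of that byte-for-byte check (example code written for this page, not from the original text or from any anti-virus product), the following Python script assembles the Table 10.1 fragment with a deliberately tiny encoder that knows only the eight 8086 instructions the fragment uses, then searches a constructed stand-in for a captured boot sector for the result. Because the JNZ targets (HIDEHD) lie outside the fragment, the two displacement bytes cannot be computed and are treated as wildcards, the same way a scanner's byte signature wildcards position-dependent bytes. The sample sector is made up inside the script and is not a real infected sector; the function names are this example's own.

```python
import re

# Added example for this page: a minimal 8086 encoder that covers only the
# instructions in the Table 10.1 fragment. It is NOT a general assembler;
# use NASM/TASM plus a hex dump for real work.

FRAGMENT = """
PUSH CS
POP DS
MOV SI,200H
MOV DI,0
LODSW
CMP AX,[DI]
JNZ HIDEHD ;Hide real boot sector in hard drive.
LODSW
CMP AX,[DI+2]
JNZ HIDEHD ;Hide real boot sector in hard drive.
"""

WILDCARD = None  # a byte the fragment does not determine (a jump displacement)


def imm16(text):
    """Encode a 16-bit immediate written as 200H (hex) or 0 (decimal), little-endian."""
    value = int(text[:-1], 16) if text.upper().endswith("H") else int(text, 10)
    return [value & 0xFF, (value >> 8) & 0xFF]


def encode(mnemonic, ops):
    """Byte pattern for one instruction; None marks a wildcard byte."""
    if mnemonic == "PUSH" and ops == "CS":
        return [0x0E]
    if mnemonic == "POP" and ops == "DS":
        return [0x1F]
    if mnemonic == "LODSW":
        return [0xAD]
    if mnemonic == "MOV" and ops.startswith("SI,"):
        return [0xBE] + imm16(ops[3:])        # MOV SI,imm16
    if mnemonic == "MOV" and ops.startswith("DI,"):
        return [0xBF] + imm16(ops[3:])        # MOV DI,imm16
    if mnemonic == "CMP" and ops == "AX,[DI]":
        return [0x3B, 0x05]                   # CMP r16,r/m16: mod=00 reg=AX rm=[DI]
    if mnemonic == "CMP" and ops == "AX,[DI+2]":
        return [0x3B, 0x45, 0x02]             # mod=01 rm=[DI], disp8=2
    if mnemonic == "JNZ":
        return [0x75, WILDCARD]               # JNZ rel8; target label not in fragment
    raise ValueError(f"instruction not in this toy encoder: {mnemonic} {ops}")


def assemble(source):
    """Assemble the fragment into a list of byte values (None = unknown byte)."""
    pattern = []
    for line in source.splitlines():
        code = line.split(";", 1)[0].strip().upper()   # drop comments and blanks
        if not code:
            continue
        mnemonic, _, ops = code.partition(" ")
        pattern.extend(encode(mnemonic, ops.replace(" ", "")))
    return pattern


def signature(pattern):
    """Render the pattern the way scanner signatures are usually written."""
    return " ".join("??" if b is None else f"{b:02X}" for b in pattern)


def find_pattern(sample, pattern):
    """Offsets in sample where the pattern matches; None matches any one byte."""
    regex = b"".join(b"." if b is None else b"\\x%02X" % b for b in pattern)
    return [m.start() for m in re.finditer(regex, sample, re.DOTALL)]


def build_sample():
    """Constructed stand-in for a captured 512-byte boot sector (not real malware).
    The fragment's bytes are planted at offset 0x30 with made-up JNZ displacements."""
    planted = bytes([0x0E, 0x1F, 0xBE, 0x00, 0x02, 0xBF, 0x00, 0x00, 0xAD,
                     0x3B, 0x05, 0x75, 0x4A, 0xAD, 0x3B, 0x45, 0x02, 0x75, 0x43])
    sector = bytearray(b"\x90" * 512)
    sector[0x30:0x30 + len(planted)] = planted
    sector[510:512] = b"\x55\xAA"             # boot sector marker
    return bytes(sector)


def source_matches_sample(source, sample):
    """True if the assembled source occurs somewhere in the sample."""
    return bool(find_pattern(sample, assemble(source)))


if __name__ == "__main__":
    pattern = assemble(FRAGMENT)
    print("signature:", signature(pattern))
    sample = build_sample()
    print("offsets in sample:", [hex(o) for o in find_pattern(sample, pattern)])
    # One altered operand in the "source" is enough to break the match.
    bogus = FRAGMENT.replace("MOV DI,0", "MOV DI,1")
    print("bogus source matches:", source_matches_sample(bogus, sample))
```

The point the script makes is that the verification is purely a byte comparison: if the purported source assembles to bytes that appear in a captured sample, it is real; change a single operand and the match is gone. It also shows why fragments are weaker evidence than full listings: every byte that depends on a label outside the fragment has to be wildcarded, and the more wildcards, the easier a false match becomes.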
Virus Writing Tutorials
There are a lot of virus writing tutorials on the Internet, and anyone learning about viruses really wants to find a tutorial that deals with the platform they are coding for, as any example code can be used to get them started. Otherwise, tutorials for other platforms and languages are still good for giving a novice virus writer new ideas and concepts, if they can follow them.

Some of the tutorials deal with basic concepts, such as the overwriting virus, which reproduces itself by overwriting the first part of a program with itself, destroying the host in the process, and carries a destructive payload that kicks in the first time the program is run. Other tutorials deal in depth with stealth viruses, which hook the system's disk and file services so that infected files and boot sectors look clean when examined; armoured viruses, which are built to resist disassembly and debugging so that anti-virus researchers have a hard time analysing them; and polymorphic viruses, which encrypt themselves with a different key on each new generation so that no fixed byte sequence is left for a viral signature to match.
Virus Creation Packages and Mutation Engines
All software writers use tools, and virus writers are no exception. The two most popular tools are "virus creation packages" and "polymorphic mutation engines". These tools are written by the active virus-writing community, and have only one purpose: to enable writers to code viruses quickly, easily and with advanced capabilities.

Polymorphic Mutation Engines

A polymorphic mutation engine is computer code that allows a virus writer to encrypt a virus so that it does not present a fixed viral signature. The most famous of these is the Mutation Engine (MtE) written by the Bulgarian Dark Avenger, but virus writers could also run into the TridenT Polymorphic Engine, the Visible Mutation Engine and many others. Most of these packages are program modules that can be linked into other programs to give them the ability to produce polymorphic viruses. By including the engine in the viruses they are writing, novice writers can give even very simple viruses polymorphic capability. The engine does two things, and both matter: it encrypts the virus body under a key that changes with every new copy, so the body never looks the same twice, and it generates a different decryptor for each copy as well, because a decryptor that never changed would itself become the signature. The anti-virus answer was to stop relying on plain byte signatures alone and instead emulate or otherwise recognise the decryption loop, then scan the decrypted body.

Virus Creation Packages

Some virus writers have been clever enough to write "virus creation packages" which can generate virus code for users who can't write their own. One such, the sophisticated Virus Creation Lab, offers a full menu-driven virus creation kit, but others such as the Virus Construction Set only offer the user the chance to create a pre-canned virus with their own message in it. Viruses that come from creation packages like these will rarely be as sophisticated as viruses written by hand, because virus writing is advancing so quickly that not all virus types can ever be included in a single package; they also share so much generator boilerplate that anti-virus software usually detects the whole family with one signature. The packages might be of some use to a novice virus writer who wishes to study the code produced, but real virus writers will still prefer to cut their code the old way, and see the creation package user as a script kiddie capable only of running software other, smarter hackers have written.

Once again, any systems administrator should always keep an eye out for any of the tools used by virus writers in case they appear on the systems they administer. Systems administrators should be aware of the activity on their systems so that they can spot virus source code, tutorials or virus construction tools before the novice virus writer has got very far. If a systems administrator finds any of these items on their servers, then a little chat with the user owning those tools would help determine whether they were present out of natural curiosity or with malicious intent.
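To make the polymorphic mutation engines discussed above concrete, here is an added Python model of what such an engine does; it is written for this page and is not code from MtE, TPE or any other real engine. The "virus body" is a constructed text string, the decryptor stub is a sequence of labelled placeholder tokens rather than real machine code, and the single-byte XOR is far weaker than what real engines used. The mechanics are what matter: a new key for every generation, a stub rebuilt from interchangeable pieces for every generation, and the resulting failure of a fixed signature until the scanner emulates the decryptor. All names and the seeds are this example's own.

```python
import random

# Constructed stand-in for a virus body (plain text, not code). A naive scanner
# would key on its first few bytes.
BODY = b"<constructed body: find boot sector, hide original, install loader>"
SIGNATURE = BODY[:12]

# Toy decryptor pieces. These are labelled placeholders, not real opcodes: each
# step has several variants that "do the same job", the way a mutation engine
# chooses among equivalent instruction sequences, registers and junk filler.
STEP_VARIANTS = [
    [b"LDPTR:SI", b"LDPTR:DI", b"LDPTR:BX"],   # point at the encrypted body
    [b"LDCNT:CX", b"LDCNT:DX"],                 # load the byte count
    [b"XORB", b"SUBB;ADDB;XORB"],               # undo the encryption on one byte
    [b"LOOP", b"DEC;JNZ"],                      # loop back
]
JUNK = [b"", b"NOP", b"NOP;NOP", b"XCHG:AX,AX"]
FIXED_STUB = b"LDPTR:SI;LDCNT:CX;XORB;LOOP"    # what a non-mutating virus would use


def xor_bytes(data, key):
    """Single-byte XOR; applying it twice with the same key restores the data."""
    return bytes(b ^ key for b in data)


def make_stub(rng):
    """Build a decryptor stub from randomly chosen equivalent pieces plus junk."""
    parts = []
    for variants in STEP_VARIANTS:
        parts.append(rng.choice(JUNK))
        parts.append(rng.choice(variants))
    return b";".join(p for p in parts if p)


def generate(rng, mutate_stub=True):
    """One 'generation': a stub, a fresh key and the body encrypted under it."""
    key = rng.randrange(1, 256)                 # key 0 would leave the body in clear
    stub = make_stub(rng) if mutate_stub else FIXED_STUB
    return {"stub": stub, "key": key, "cipher": xor_bytes(BODY, key)}


def emit(gen):
    """The bytes that would actually land on disk: stub, key, encrypted body."""
    return gen["stub"] + b"|" + bytes([gen["key"]]) + b"|" + gen["cipher"]


def static_scan(sample, sig):
    """Plain signature scanning: does the byte string occur in the file as stored?"""
    return sig in sample


def emulate_and_scan(gen, sig):
    """Emulation-style detection: run the decryptor (here: apply its key) and scan
    the decrypted body, which is the one thing every generation has in common."""
    return sig in xor_bytes(gen["cipher"], gen["key"])


def evaluate(seeds, mutate_stub):
    """Summarise how the two scanning approaches fare over several generations."""
    gens = [generate(random.Random(s), mutate_stub) for s in seeds]
    return {
        "distinct_stubs": len({g["stub"] for g in gens}),
        "body_sig_hits": sum(static_scan(emit(g), SIGNATURE) for g in gens),
        "stub_sig_hits": sum(static_scan(emit(g), FIXED_STUB) for g in gens),
        "emulation_hits": sum(emulate_and_scan(g, SIGNATURE) for g in gens),
    }


if __name__ == "__main__":
    seeds = range(20)
    print("fixed stub   :", evaluate(seeds, mutate_stub=False))
    print("mutated stub :", evaluate(seeds, mutate_stub=True))
```

With a fixed decryptor, the body signature never matches any stored generation, but the unchanging stub is a perfectly good signature on its own, which is why simple self-encrypting viruses were easy to catch. Once the stub is rebuilt from equivalent pieces every time, that handle goes away too, and only a scanner that runs (or models) the decryptor and examines the decrypted body finds every generation.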