

Maltese Amoeba... Poetic Injustice

James Beckett

On Friday 1st November this year, several reports were received of computers which refused to boot; the usual power-up messages failed to appear and were replaced instead by a few lines of poetry. The symptoms were not immediately familiar and we did not know of any virus which triggered on this date, but after a couple of distress calls from unrelated organisations it became obvious that this was indeed a virus.

The event is unusual because there were no reports of the virus being found by any of the popular virus detection packages. Several of the victim organisations subscribed to well-known scanning programs and it appears that not one of them detected it prior to the virus' trigger date. Computer virus samples are usually in the hands of researchers and anti-virus software producers long before they appear in the wild (if ever they do); this virus was a rare exception to the rule.

Ironically, it now transpires that a sample had already been received the previous evening. An infected executable had been provided by the virus researcher Jim Bates and analysis was proceeding even as calls came in.

'No Search Pattern Is Possible'

After verifying that the sample I had was infectious, analysis was carried out on an executable designed as a virus sample carrier (sometimes referred to as a sacrificial or goat file). It was immediately apparent that: the main body of the virus was encrypted; the initial decryption routine was largely composed of unnecessary instructions; and the decryption routine modified itself upon each infection. This meant that once again, we were faced with a virus which could not be detected by using any simple pattern, but which had to be analysed exhaustively to determine exactly in which ways it would mutate in order to devise a detection algorithm.

The encryption itself is a trivial XOR of the remainder of the virus with a word value that varies between instances of the virus (totalling 65,536 different encryptions). However, if the decryption routine is single-stepped, the program code itself is open to ready analysis. Although the initial few instructions might be construed as minor 'armouring' to obstruct further single-stepping, there is no serious attempt to prevent disassembly.

At this point a near-complete listing was available and the text in the code gave enough clues to establish a link between this virus and the one which had triggered in the morning. Unfortunately, this knowledge was of little use to those computer users who had already been hit!

Are You There?

Viruses, in common with some respectable programs, employ 'Are-You-There' calls to determine whether another copy is already resident in memory -- in order to avoid going resident themselves. This virus issues and responds to several such calls, interacting with different viruses. It initially uses a DOS Set-Date call with an invalid value to check for itself, then also checks for the PSQR virus (a Jerusalem variant) using PSQR's own Are-You-There call. If either of these is answered, control is returned to the host program and the virus does not infect. Otherwise, it goes on to examine the code at the start of the INT 21H function chain for the presence of code for processing an Are-You-There call similar to Murphy-1, and if found, removes that virus from memory by restoring the previous INT 21H handler address.

Memory-Resident Software Subversion

After all these checks, Maltese Amoeba installs itself into memory by manipulating DOS Arena pointers, thus bypassing any resident programs which monitor the standard Terminate-and-Stay-Resident (TSR) functions in order to flag virus activity.

Trigger Routine

After installing itself and intercepting the DOS function despatcher (INT 21H), Amoeba checks the PC's date setting and, on the trigger dates, the process of inflicting deliberate damage commences. If the date is the first of November (any year), or the 15th of March (any year), the first thirty tracks of side zero on the hard disk have the first four sectors overwritten with virus code. The virus goes on to do the same with any diskettes present and if it succeeds in wreaking such destruction without being stopped it congratulates itself with a psychedelic flashing screen display, which loops indefinitely.

The code written into the Master Boot Sector during this process contains a second level of decryption to display a section of poetry - in fact the first four lines of Blake's Auguries of Innocence, from The Pickering Manuscripts (See Case Study, page 13). The verse displays the next time that the PC is booted. The PC then hangs.

[The theme of Blake's Songs of Innocence is the all-pervading presence of divine love amidst trouble and sorrow. They are followed by the altogether more cynical Songs of Experience, which present a pessimistic, dark view of the world. Blake's work is often considered 'anti-establishment', concentrating on the denial of authority, the overthrow of order and imposed morality and the triumph of anarchy. Elements of his thought might well appeal to the virus writer. Ed.]

Data Areas

The remainder of the boot sector contains a message in plain text lambasting the University of Malta, at which the author(s) apparently studied, and warns that a further version of the virus is in the making. The text is the source of the name 'Amoeba'.

"AMOEBA virus by the Hacker Twins (C) 1991 This is nothing, wait for the release of AMOEBA II - The Universal infector, hidden to any eye but ours! Dedicated to the University of Malta - the worst educational system in the universe, and the destroyer of 5X2 years of human life."

Clues To Investigation

It is always dangerous to interpret text messages in computer virus code literally but I would tentatively suggest that there are sufficient clues within this code for its authors to be identified and, if Maltese law permits, apprehended. Two students, one or both of whom are computer literate, who joined the University of Malta (in 1986-87?), who were probably still in attendance in March of this year (a five year degree / diploma course or possibly post-graduate education) and who empathise with a poem by William Blake (is there an English literature faculty within the University?) must surely be traceable. Considering the destructive nature of this virus and the veiled threat to release yet more viruses, a preliminary investigation into these obvious leads seems warranted.

Concealment

While resident in memory, the virus intercepts INT 21H to infect further files and also answers Are-You-There calls. As well as its own recognition sequence, it responds to the PSQR and Murphy viruses, thus preventing either of them from activating. Both the DOS load-and-execute and open file functions are used to infect COM and EXE files. The intercept checks for re-entrant calls, so the virus can use the DOS open file call in its own infection process. The critical-error handler is also trapped to avoid the user seeing any of the familiar 'Abort, Retry, Ignore' messages which might appear during attempted infection of a write-protected diskette, for example.

Several checks are made on files prior to infection and steps are taken to reduce the chance of the infection process being noticed. A checksum is produced of the filename; this serves two functions: 'COMMAND.COM' produces a CRC of 7478H and is not infected, while for other files the checksum is appended to the infected file as an infection marker to avoid multiple infections. Of course, if a file were to be renamed, the CRC could change and it could be re-infected. Files with the SYSTEM attribute are avoided and any other attributes are overridden and then reset -- so read-only files are not immune to infection. Timestamps are also preserved. These latter two precautions are taken by many viruses today. Files larger than 64 Kilobytes or smaller than 450 bytes are not infected, but large COM files could still be pushed over the 64 Kilobyte limit after having been infected.

The Encryption Method

Many more viruses are now employing self-modifying encryption (the basic methodology involved in this process was widely disseminated by Mark Washburn). Self-modifying encryption produces numerous different permutations of code on a random basis in an attempt to thwart 'dumb' scanners.

The 'mutation engine' in this virus comprises three parts, starting with a template containing the actual bones of the decryption routine. This contains a number of gaps which are first filled at random with one-byte instructions, none of which affect the working of the routine: NOP, CLI, CLD, CLC, CMC, STC, SAHF. The first is an official no-operation instruction and the rest affect irrelevant processor flags. Subsequently some of these instructions are randomly swapped around, again preserving the functionality of the decryption routine.

After some processing specific to the type of executable targeted, a series of two-byte null instructions is inserted into the routine (such as exchanging registers with themselves, and jumping to the next instruction).

Finally, the virus is written to disk: an image of the virus is encrypted with a random key while the decryption routine, having had the same key coded into it, is written out, followed by the encrypted virus. The initial few bytes (either a COM file's JMP instruction, or an EXE file 'MZ' header) are modified to link the virus code in front of the host.

Detection and Removal

Detecting which files have become infected is a non-trivial process. No search pattern is possible.

A simplified approach might involve checking for certain instructions at the start of the virus, bearing in mind that a variable number of other instructions may lie between them. The remainder of the routine is made up of the do-nothing instructions mentioned above, to a maximum total size of 99 bytes. Also, the code is generated differently for COM and EXE file infections. The rest of the virus is some 2457 bytes long, so file sizes will be increased by a variable amount. Timestamps and attributes are preserved. The virus' own infection marker checksum could be used, but this is an unreliable method.
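The detection approach just described, applied to the kind of junk-padded XOR decryptor set out under 'The Encryption Method', as an added example that is not Virus Bulletin's nor any vendor's code. The decryptor skeleton, the opcodes chosen for the filler instructions and the sample stubs are constructed assumptions for illustration, not the virus's actual bytes; only the list of filler instructions, the 99-byte limit and the 16-bit XOR come from the article.

```python
# Added example, not Virus Bulletin's or any vendor's code: skeleton matching for a
# junk-padded XOR decryptor. Skeleton and samples are constructed stand-ins, not the virus.
ONE_BYTE_FILLER = {0x90, 0xFA, 0xFC, 0xF8, 0xF5, 0xF9, 0x9E}  # NOP CLI CLD CLC CMC STC SAHF
TWO_BYTE_FILLER = {b"\x87\xc0", b"\x87\xdb", b"\x87\xc9", b"\x87\xd2", b"\xeb\x00"}  # XCHG r,r / JMP +0
MAX_DECRYPTOR = 99  # article: the generated routine never exceeds 99 bytes
# Hypothetical skeleton: (fixed opcode bytes, wildcard operand bytes, capture label)
SKELETON = [
    (b"\xbe", 2, "start"),       # MOV SI, imm16         address of encrypted body
    (b"\xb9", 2, "count"),       # MOV CX, imm16         number of words to decrypt
    (b"\x81\x34", 2, "key"),     # XOR WORD [SI], imm16  the per-instance key
    (b"\x83\xc6\x02", 0, None),  # ADD SI, 2
    (b"\xe2", 1, None),          # LOOP rel8
]

def skip_filler(buf, i, limit):
    # Advance past any run of do-nothing instructions starting at buf[i]
    while i < limit and (buf[i] in ONE_BYTE_FILLER or buf[i:i + 2] in TWO_BYTE_FILLER):
        i += 1 if buf[i] in ONE_BYTE_FILLER else 2
    return i

def match_decryptor(buf, offset=0):
    # Match the anchors in order with junk allowed between them; return operands or None
    limit, i, found = min(len(buf), offset + MAX_DECRYPTOR), offset, {}
    for opcode, nbytes, label in SKELETON:
        i = skip_filler(buf, i, limit)
        if buf[i:i + len(opcode)] != opcode or i + len(opcode) + nbytes > limit:
            return None
        i += len(opcode)
        if label:
            found[label] = int.from_bytes(buf[i:i + nbytes], "little")
        i += nbytes
    return {**found, "end": i}  # "end": first byte after the stub, i.e. the encrypted body

def xor_words(data, key):
    # The article's cipher: XOR every 16-bit word with one key; it is its own inverse
    out = bytearray(data)
    for j in range(0, len(out) - 1, 2):
        out[j:j + 2] = (int.from_bytes(out[j:j + 2], "little") ^ key).to_bytes(2, "little")
    return bytes(out)

def recover_body(buf):
    # No 65,536-key search is needed: the key is read straight out of the stub
    m = match_decryptor(buf)
    return None if m is None else xor_words(buf[m["end"]:], m["key"])
# Constructed samples: the same skeleton with different junk and keys, plus a clean stub
SAMPLE_A = (b"\x90\xfa\xbe\x20\x01\x87\xdb\xb9\x00\x01\xfc\x81\x34\x34\x12"
            b"\xeb\x00\x9e\x83\xc6\x02\xe2\xf4")
SAMPLE_B = (b"\xbe\x20\x01\xf9\xf5\x87\xc0\xb9\x00\x01\x81\x34\xef\xbe\x87\xd2"
            b"\x83\xc6\x02\xfa\xe2\xf3")
CLEAN = b"\xb8\x00\x4c\xcd\x21"  # MOV AX,4C00h / INT 21h
INFECTED_A = SAMPLE_A + xor_words(b"constructed body", 0x1234)
```

A real scanner would also have to check the decrypted body against a pattern from the fixed 2457-byte remainder, since the skeleton alone can be matched by innocent code.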

Anti-virus software is currently being updated by a number of the major companies involved in scanner development. Two packages (Dr. Solomon's Anti-Virus Toolkit from S&S Enterprises and the VIS Utilities from Bates Associates) were updated over the weekend of November 2nd-3rd 1991. A Sophos Sweep update to detect this will be available this month as will a copy of Fridrik Skulason's F-PROT. Updates from other major manufacturers are doubtless being prepared.

Disinfection is best achieved by deleting the infected files and restoring from write-protected backups or master software.



[VB] Virus Bulletin: Maltese Amoeba / webmaster@virusbtn.com © 1998 Virus Bulletin Ltd.