SnakeByte [ SnakeByte@kryptocrew.de ]
-- Contact -- https://twitter.com/vxunderground
This tutorial describes how to use encryption in a Perl virus, so that detection by simple string scanning becomes useless (or the usable scan string shrinks) and antivirus companies have to implement real emulation or heuristics for Perl viruses.
Ok, let's start. I don't know if it is possible to write self-modifying code in Perl, but I think it isn't. So we have to use a different approach than in asm viruses. The one I describe here works as follows: when infecting a file, we place the entire virus into an encrypted string, followed by a decryptor that decrypts the string, writes it to a file and starts that file afterwards. To make it clearer, here is some pseudocode of a prepending, encrypted Perl virus.
    #!/bin/bash
    # Virus Mark
    $Virus="encrypted virus"
    open file
    write virus into file
    close file
    start file
    [ .. infected host ]
The virus then does the following:
    open own file + read it into a string
    foreach $File (<*>)
        open file + check for perl and infection mark
        encrypt string
        write string and decryptor to the file
        close target file
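The opening paragraph claims that encrypting the body defeats string scanning and forces a scanner toward heuristics. The following Python script is an added example of that detection side, not code from the original tutorial or its author: it runs a plain substring scan and a structural heuristic over two constructed Perl skeletons. The "suspect" skeleton only mirrors the layout described above (opaque literal, XOR decode loop, write to a file, execute it) and does nothing on its own; the signature strings, regexes and file names are hypothetical choices made for this example.

```python
import re

# Constructed sample: the decryptor layout from the pseudocode above (long opaque
# literal, decode loop, write-then-execute). It is a skeleton, not a working virus.
_BLOB = "4f2a19c3" * 10  # 80 hex characters standing in for the encrypted body
SAMPLE_SUSPECT = r'''#!/usr/bin/perl
# XYZ-mark
$Virus = "<BLOB>";
$Key = 0x5a;
$Plain = "";
foreach $c (split //, $Virus) { $Plain .= chr(ord($c) ^ $Key); }
open(OUT, ">/tmp/x.pl");
print OUT $Plain;
close(OUT);
system("perl /tmp/x.pl");
print "hello\n";
'''.replace("<BLOB>", _BLOB)

# Constructed sample: an ordinary script that should not be flagged.
SAMPLE_BENIGN = r'''#!/usr/bin/perl
use strict;
my $name = "world";
print "Hello, $name\n";
'''

# Hypothetical signatures taken from the plaintext virus body (the infection loop).
# They only exist inside the encrypted literal, so a string scanner never sees them.
BODY_SIGNATURES = ["foreach $File (<*>)", "infection mark"]


def signature_scan(text, signatures):
    """Plain substring scan, the only thing a string scanner can do."""
    return [s for s in signatures if s in text]


def structural_scan(text):
    """Heuristic for the decryptor shape instead of the (encrypted) body.

    Returns the list of structural indicators found, in a fixed order.
    """
    findings = []
    # 1. A scalar assigned a string literal of 64+ characters with no quotes inside.
    if re.search(r'\$\w+\s*=\s*["\'][^"\']{64,}["\']', text):
        findings.append("long-literal")
    # 2. A chr(ord(...) ^ ...) pattern: the classic single-byte XOR decode loop.
    if re.search(r'\bchr\s*\(\s*ord\s*\([^)]*\)\s*\^', text):
        findings.append("xor-decode-loop")
    # 3. Opening a file for writing and later handing something to system()/exec().
    opens_for_write = re.search(r'open\s*\(\s*\w+\s*,\s*["\']>', text)
    executes = re.search(r'\b(system|exec)\s*\(', text)
    if opens_for_write and executes:
        findings.append("write-then-execute")
    return findings


def verdict(text, signatures=BODY_SIGNATURES):
    """Combine both scans; a sample is suspicious if all three structural marks appear."""
    structural = structural_scan(text)
    return {
        "signature_hits": signature_scan(text, signatures),
        "structural": structural,
        "suspicious": len(structural) == 3,
    }


if __name__ == "__main__":
    for label, sample in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, verdict(sample))
```

The signature scan comes back empty for the suspect sample because every string worth matching sits inside the encrypted literal; the structural scan still fires on the three pieces the tutorial says must stay in plaintext. That is the practical meaning of "reduce the scanstring": what remains scannable is the decryptor, so detection has to key on its shape (or emulate it) rather than on the body.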
Seems pretty easy, doesn't it? Ok, let's get to the real code: