Detecting Viruses

How do you go about writing a virus scanner? Well I guess there are two obvious ways. You could study existing computer viruses. Or you could try to write some yourself. The outcome should be similar. You will understand how a virus operates. With that knowledge, you can detect and remove viruses. It sounds simple. But I bet it is involved.

Let's try to think about the second technique. How can we write a virus? Essentially we want to run our own malicious code. What better way to do that than to latch onto a trusted existing program that users run? The key here is how to latch on. The program you want to act as your host is an executable. That means it has a section which consists of the code it runs. We want to have that program run our code instead.

Therefore we have two tasks to accomplish: put our code somewhere in the file, and make sure our code gets executed. How about we just tack our code on to the end of the file? There is an existing entry point for the original executable. Let's just substitute the original entry point with the location of our rogue code, which is now at the end. Sure, that's a good plan. Now let's get back to our original objective. How can we produce a virus detector that can find instances where a legitimate program has been hijacked? Easy. Just check whether the entry point for the program points to the code at the end of the file. If so, you are probably looking at an infected application.

Of course all of this is very simple. Existing virus scanners probably do all this as part of their most basic detection techniques. However, we are on the right track. We could think up more complicated ways to achieve takeover of a program. And thinking of those methods, and the means to detect and remove them, is the very topic I am interested in. Perhaps I shall spend some time furthering this idea. Come with me as I venture into the world of computer viruses.
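The entry-point heuristic above, written out as a check over a Windows PE header. This is an added example, not code from the post: it parses the section table, finds which section holds AddressOfEntryPoint, and flags the case where that section is the one stored last in the file (or the entry point lies outside every section). The sample headers are constructed with struct.pack and are not loadable programs.

```python
import struct

SEC_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER: 40 bytes per section

def parse_pe(data):
    """Return (entry_rva, sections); a section is (name, va, vsize, raw_ptr, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0] # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0] # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
    return entry_rva, sections

def entry_point_location(data):
    """Return (section_name, suspicious). The entry point is suspicious when it
    lies in the section stored last in the file (and that is not the first, normal
    code section) or outside every section: the footprint of code appended to a host."""
    entry_rva, sections = parse_pe(data)
    last = max(sections, key=lambda s: s[3])                # highest PointerToRawData
    for sec in sections:
        name, va, vsize, _, raw_size = sec
        if va <= entry_rva < va + max(vsize, raw_size):
            return name, (sec is last and sec is not sections[0])
    return None, True

def build_pe(entry_rva, sections):
    """Constructed, non-loadable PE32 header used only to exercise the check."""
    dos = bytearray(0x40); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack(SEC_FMT, n.encode().ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, va, vs, rp, rs in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

# Constructed samples: a normal layout, and the same file with a section appended at the end and the entry point redirected into it.
BASE = [(".text", 0x1000, 0x200, 0x400, 0x200), (".data", 0x2000, 0x100, 0x600, 0x200)]
CLEAN = build_pe(0x1010, BASE)
TAILED = build_pe(0x3000, BASE + [(".tail", 0x3000, 0x80, 0x800, 0x200)])
```

Real scanners refine this (packers and some linkers legitimately put the entry point late in the file), so treat a hit as a reason to look closer, not as a verdict.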

Laptop Theft Protection

There are some software products you can put on your laptop that may assist if it gets stolen. One such product is Prey. It will phone home and tell you which programs are running on the stolen laptop. It also takes screenshots and sends them to you. Network information is collected and transmitted. Finally, Prey can take some web cam shots of the thief and send them to you.

An open source alternative for this type of software is Adeona. The main benefit of this software is that it does not rely on a central server. The owner can track the thief from their own computer. The Mac version of this software also snaps pictures of the perpetrator using the web cam.

These software solutions are not foolproof. However, they can give you some details of the person who ripped off your laptop. There are other techniques to combat laptop theft. An example is Foo Zoo Lockdown, which is a Mac anti-theft software package.

My company and our client both have software on their laptops to combat theft. However the main goal in the corporate setting is to prevent the loss of the crucial data on the laptop. It is not as high a priority to locate the thief to retrieve the hardware. I have both my laptops set up with such software. They essentially encrypt the entire contents of the hard disk.

Prevent Decompiling

I read up on some basic tips for decompiling an executable. That is, I learned how you can take an executable and reconstruct the source code used to build the software. The material listed a number of things that make a decompiled executable hard to understand. I thought I would use these difficulties to make my most secretive applications hard to reverse engineer.

One thing that trips up the reverse engineer is compiler optimizations. Yes, this will slow down your application build. But you can turn it on at the end when you are doing the final release of your software. The compiler will work harder to make your code fast and/or small. The result is that it is more difficult for somebody looking at the binary to figure out what is going on.

Another thing that trips up decompilation is the use of user defined types. In the C programming language, that means using structures. Somehow the way memory is accessed through such constructs makes the code harder to reverse engineer. This is good news. Using structures is good programming practice anyway. We use them for our production code at work. I might as well use them on home programming projects where I want to keep the source code secret.

To truly combat the decompilation process, you probably need to spend some time trying to crack binary executables. Then you will have first-hand knowledge of how to make it harder. However, I figure I could take one expert’s advice and use it to my advantage. That is a way to work smarter and not harder.

Inflating Page Views

My profile on the Blogger platform shows how many times somebody has viewed the profile. This is something of a bragging point if you have a lot of views. Being a programmer, I figured I would just write a program to "visit" the profile many times.

At first I had some success. My program spawned Internet Explorer and navigated to the URL for my profile. It waited, killed Internet Explorer, and started again. However Google must have figured out what was going on. The view count capped out around 1000.

I thought perhaps the blocking had something to do with how frequently my program visited the profile. So I tried delaying the visit to be about 5 minutes apart. That did not help. Now my view counts are getting capped around 100 to 300. Do you think Google has logged my IP address as a script generator or something? I can only try some more tests to figure this out. The logical next step might be to use web proxies to hide my IP from Google.

Crypto API Encoding

Finally I am getting to the point where I am following the Microsoft Crypto API documentation in order to actually encode some data. But first let’s talk about what you need to get your software to compile and link. You must link in the crypt32.lib library. You may also need access to advapi32.dll. Your C or C++ code must include the wincrypt.h header file. And last, you must define MY_ENCODING_TYPE in your code.

Now let’s get down to business. Here is the pattern you will follow to encode data. You start by calling the CryptMsgOpenToEncode function. Then you call CryptMsgUpdate as many times as you have data to add. On the last data addition, you call CryptMsgUpdate with the fFinal parameter set to TRUE. To end the encoding, you call the CryptMsgClose function. These are the basics in a nutshell.

The algorithm to decode data mimics the one to encode. There is one extra step at the beginning where you call the CryptMsgCalculateEncodedLength function. Then you call the CryptMsgOpenToDecode function. Does that sound familiar? You call the CryptMsgUpdate function. And you end by calling the CryptMsgClose function.

Since we are down to the details of actual coding here, I also have the algorithms to encrypt and decrypt data. Perhaps I will share that with you in my next post. For now I will leave you with the concept of enveloping data. This is what you use when you would like to encrypt a message for a whole set of recipients. You encrypt the message once with a content key. Then you in turn encrypt that key for each of the recipients on your distribution list for the message. The encryption is done in PKCS #7 format. Each recipient can then decrypt their copy of the key, and subsequently decrypt the message.
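The enveloping structure from the last paragraph, shown in miniature as an added example (not the post's code and not the Crypto API itself, which produces this through CryptMsgOpenToEncode with the enveloped message type). Real PKCS #7 EnvelopedData encrypts the content with a symmetric cipher such as AES and wraps the content key with RSA against each recipient's certificate; this stand-in uses a SHA-256 counter-mode keystream and pre-shared recipient secrets, so only the structure (one content key, one wrapped copy per recipient, each recipient unwrapping only its own) is faithful.

```python
import hashlib, hmac, os

def keystream_xor(key, nonce, data):
    """Toy CTR mode: XOR data against SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def kek_for(recipient_secret):
    """Key-encryption key derived from a recipient's pre-shared secret (stands in
    for the recipient's certificate/private key in real PKCS #7)."""
    return hashlib.sha256(b"kek|" + recipient_secret).digest()

def envelope(plaintext, recipients):
    """recipients: {recipient_id: secret}. Returns a dict mirroring EnvelopedData:
    one encrypted body plus one wrapped copy of the content key per recipient."""
    cek = os.urandom(32)                     # content-encryption key, fresh per message
    nonce = os.urandom(16)
    body = keystream_xor(cek, nonce, plaintext)
    tag = hmac.new(cek, nonce + body, hashlib.sha256).digest()   # integrity check
    return {
        "recipient_infos": [{"rid": rid, "encrypted_key": keystream_xor(kek_for(sec), nonce, cek)}
                            for rid, sec in recipients.items()],
        "encrypted_content": {"nonce": nonce, "body": body, "tag": tag},
    }

def open_envelope(env, rid, secret):
    """A recipient unwraps only its own copy of the key, then decrypts and verifies."""
    info = next((r for r in env["recipient_infos"] if r["rid"] == rid), None)
    if info is None:
        raise KeyError(f"{rid} is not a recipient of this message")
    ec = env["encrypted_content"]
    cek = keystream_xor(kek_for(secret), ec["nonce"], info["encrypted_key"])
    expected = hmac.new(cek, ec["nonce"] + ec["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ec["tag"]):
        raise ValueError("wrong recipient secret or tampered envelope")
    return keystream_xor(cek, ec["nonce"], ec["body"])

def can_open(env, rid, secret):
    """True if (rid, secret) recovers the message; shows that a wrong key fails closed."""
    try:
        open_envelope(env, rid, secret)
        return True
    except (KeyError, ValueError):
        return False

# Constructed sample: one message enveloped for two recipients.
RECIPIENTS = {"alice": b"alice-secret", "bob": b"bob-secret"}
SAMPLE = envelope(b"quarterly numbers, eyes only", RECIPIENTS)
```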