VX – The Virus Underground 2: Cross-Platform Malware and Virus Spreading Techniques

As part of his insider’s perspective, VXer SkyOut now focuses on the underground’s prevalent programming languages applicable for coding cross-platform malware, and highlights the common techniques used for virus distribution.

Cross-Platform Malware

So, let’s talk a bit about cross-platform malware, because it’s a common trend at the moment.

– Macroviruses

First of all, how can we achieve cross-platform malware? Well, we have macroviruses, for example. What is a macrovirus? First of all, let’s ask: what is macro? Let’s imagine we have an Office suite like OpenOffice or MS Office that runs on many systems; for example, OpenOffice runs on Unix, Linux, Mac OS X and Windows. MS office even runs on Mac. So, a macro is like a little automatic routine that gets executed when the document is opened and there’s no other security, like forbidding macros to run.

So, a macrovirus does nothing but execute itself when the document gets opened; and the interesting thing about it is: for example, when you are on Linux, you can find out with a macro if you’re on Linux; so you can write a dropper especially for Linux. If you’re on Mac OS X, you can write a dropper for Mac OS X.

Some of you may ask what a dropper is. A dropper is nothing but a simple program that gets dropped into a file and gets executed. On Windows, for example, you could drop a Bash script that kills or formats the HDD; on Linux you can write a Python script that gets dropped and spreads over X-chat or whatever; and on Mac OS X you could write a Ruby dropper, for example. And just to say it was done, there was an OpenOffice worm called Badbunny, and if you want to find out something about it, just search for Badbunny OpenOffice worm in Google and you will find some interesting stuff.

– .NET (Mono)

I won’t say that much about .Net and Mono, but it’s a common trend to use .NET at the moment. Many people like to code in C#, code in Mono and run on .NET and Mono, and therefore it runs mostly on every system. There’s a good presentation by Paul Sebastian Ziegler delivered at BlackHat conference in Las Vegas, called “Cross-platform malware within the .NET framework”. It shows perfectly how malware could spread over the .NET framework, because it runs on every system.

– Scripting Languages

Ok, scripting languages are interesting. I love scripting languages, actually. A scripting language has an interpreter. Those interpreters mostly run on many systems: Python runs on Unix, Linux, Mac, Windows. So, if you code a virus in a scripting language, you can easily execute it on different systems.

– LowLevel Languages

LowLevel languages are the most difficult ones. You could write a virus in Assembler, for example, that changes its behavior within the system. So, if it is on Linux, it acts differently than when it is on Windows. This is the most difficult one to code: a low level cross-platform virus. A good example is Winux, which is a combination of Windows and Linux. This was a very good example of how to code a virus for different systems and really hit the news.

Spreading techniques

Now we’ll talk a little bit about spreading. What spreading techniques do we actually have?

– Floppy Disks

So, floppy disks, I mean, many people use floppy disks, don’t they? No, it’s not up-to-date, but there are still viruses really going by floppy disks.

– CDs/DVDs

So, what’s more interesting is CDs and DVDs; you have to create an auto start function in system like Windows XP, we all know it and it’s so good to use it: just write an auto start virus that copies on a CD, make an auto start for this .exe file, insert it – and boom, the virus gets executed. Very nice, thanks so much to Windows for helping us, VXers.

– USB Drives

What else? USB drives. USB drives are cool. USB drives are actually like CDs and DVDs – they have auto start functions and it’s like the same with CDs – we code a virus, we check if there’s a USB inserted, we copy on it, and we spread it. But those techniques have one big disadvantage: they all need somebody who puts a stick or a CD or whatever in, so it is not really automated.

– P2P Networks

So, let’s look at some automated techniques. P2P networks – they are really great, not only for sharing porn, but also for spreading viruses. You have normally a program like Share-Zo or DC++ or whatever with a normal folder where you can put all your stuff that you want to share, and, well, the virus does nothing but copy itself at this place, and it gets shared. And you give it a great name, like ‘Windows Vista crack’, and people will really load it and it works.

– Sharehosters

What else? We have sharehosters. How can we imagine spreading a virus by sharehoster? So, sharehoster is something like RapidShare, so imagine a virus you uploaded to Rapidshare; you make some advertisement in forums and blogs, and people click on the file, download it and execute it. That’s a way to spread a virus, and it really works.

– Email

Email – the standard way to spread a virus. I think I don’t have to say much about email, we all know it, there are many examples of source code out there – how to spread a virus by email, and the Storm Worm uses this technique, by the way.

– Bluetooth

Bluetooth – there are some interesting articles about Bluetooth malware, and I bet it will be the technique in the future.

– IRC

IRC, well, that’s cool. IRC is very interesting and there are many viruses out there that spread, for example, by XChat on Linux or by mIRC on Windows, or XChat on Mac OS X works as well. And it’s very simple: you code a bot that waits in the room, and when a new person changed you DCC him and say: “Hey, I have a file, would you like to have it?” And you send it to him; he looks at the file – and that’s it, he is infected with your virus. ICQ, MSN – just like IRC: messages are sent out to all contacts in the contacts list.

– Network Shares

Network shares, that is interesting. If you’re on a LAN and you have network shares that you can write on, you can just put your virus on to the network share, and if people are stupid enough to click on it, they will get infected.

– Warez

Warez, of course. So, also be careful with warez; they are often infected with viruses. It’s logical because people code those warez and they don’t get money for it, so they make their money by coding viruses as well and putting them into warez.

– Exploits

What I really like is exploits. Exploits are very great for spreading. There have been big worm spreads in the last years that used exploits, for example, for servers, like the SQL server of Microsoft or similar. So, exploits are really great for coding viruses, but they are mostly used by criminals and not by the whitehats, what we call the VXers.

Read previous: VX – The Virus Underground

Read next: VX – The Virus Underground 3: VXers’ Communication Channels