Virus Construction Kits

Copyright (C) 08/1994 by Howard Fuhs
Virus Construction Kits are programs which enable persons with no or very limited programming skills to produce viruses according to their own specifications, or to produce variants of known viruses with different properties. As the name implies, Virus Construction Kits allow inexperienced programmers to produce viruses that act according to their wishes, assembled from a range of standard building blocks.
Virus Construction Kits are designed by various underground groups of virus writers and distributed world-wide through Bulletin Board Systems or mailbox systems. The best known groups currently writing Virus Construction Kits are "NUKE" and "Phalcon/SKISM". Due to the widespread use of the Virus Construction Kits, it is unavoidable for staff responsible for information security to include defensive measures against the kits in their range of virus countermeasures. A number of cases are known in which Virus Construction Kits circulated freely within corporate networks and were placed on corporate servers without the information security staff detecting or knowing anything about this, or even being able to recognise the danger associated with this software. At least one case is known in which a disgruntled employee produced a number of viruses using Virus Construction Kits and subsequently used these to infect the computer systems of the corporation in question. Because of a lack of knowledge of this particular threat, the person responsible for information security was unable to apply any preventive measures.
Categorised by the way they operate, Virus Construction Kits can be divided into two different groups. One group possesses a user interface asking the user to supply details such as the type of replication he desires, the infection criteria, as well as the triggering conditions for the logic bomb and the nature of the damage the virus is supposed to inflict when triggered. The other group requires a configuration file to be supplied by the user, in which the desired functions of the virus are specified in a batch-file-like format. This configuration file is processed statement by statement by the Virus Construction Kit and converted into a fully functional computer virus. The first group, the menu-driven kits, is easy to use, because a virus can be constructed simply by ticking off a range of menu choices. The second category requires the user to be able to apply the commands of the kit's own command language and set these up correctly in an ASCII file. How to go about this, however, is specified and explained in the documentation supplied with the Virus Construction Kit. Thus, whoever is capable of combining simple batch-type commands in an ASCII file is normally also capable of producing a configuration file of the required type in a few minutes of work.
Generally, it must be noted that the documentation files enclosed with the Virus Construction Kits are quite sufficient even for beginners and morons. Some of the Virus Construction Kits come with context-sensitive help of professional quality, and most of them are furnished with an ample supply of ready-made example viruses to study.
Also when looking at the final products of Virus Construction Kits, a number of categories are discernible. First generation Virus Construction Kits produce only already compiled viruses; no source code or assembler listing is produced. Second generation Virus Construction Kits produce source code, in most cases neatly commented. The main problem with this type of code generator is that it produces malicious code which can be modified by inexperienced programmers to produce completely new viruses. Accomplishing this requires no deep understanding or knowledge of the virus code.
Because the currently known Virus Construction Kits use large chunks of identical code to construct the skeleton of each new virus, they do not present any great risk to current scanner detection methods, including scanning for search strings. All good scanners find the viruses made by the Virus Construction Kits. This could very well change in the future, as new generations of Virus Construction Kits using more advanced methods of deception are designed. Implementation of mutation engines or more advanced encryption methods can easily be imagined.
A closer look

Let us take a closer look at a few of the well-known Virus Construction Kits.
GENVIR was the first attempt to distribute a Virus Construction Kit as a kind of shareware and ask money for it. It is a first generation Virus Construction Kit which is menu-driven. The program was coded by a French programmer and its functionality was limited (so-called "cripple-ware"). In this way the programmer attempted to ensure that the user paid the FF120 he demanded for the program. All menu choices in the program, allowing users to specify how they wanted their virus to look and behave, were fully functional, but when asked to generate the new virus, the program would stop and demand payment of the license fee. It is not known whether anybody ever paid the license fee and received a fully functional version. However, a partly functional hacked version circulated with an American electronic underground magazine for a while. The latest known version of GENVIR is 1.0.
VCL, the Virus Creation Lab, is an advanced second generation Virus Construction Kit which is menu-driven. It was programmed in 1992 by "Knowhere Man", a member of the underground group "NuKE". The VCL allows the combination of chosen program code modules into a virus. It furthermore allows the user to generate a commented assembler source code listing, permitting manual modification and subsequent reassembly of the virus. The VCL generates fully functional and stable viruses. It is also capable of producing logic bombs and Trojan horses. The latest known version of the VCL is 1.0.
The PS-MPC is also a second generation Virus Construction Kit, in this case programmed through an ASCII configuration file rather than through a menu-driven user interface. PS-MPC was programmed by "Dark Angel", a member of the virus-writing group "Phalcon-SKISM". PS-MPC is largely based on the Virus Creation Lab VCL and was distributed via mailbox systems in 1992. The complete source code of the kit, in the C programming language, was distributed together with the program itself. The PS-MPC produces more compact and better assembler source code than the VCL, and the assembler listings produced by this Virus Construction Kit are fully commented. Two versions of the PS-MPC are known: version 0.9beta was published in the July 1992 issue of the electronic underground publication "40HEX", and version 0.91beta was published in August 1992. Version 0.91beta was extended with a few new functions, and some bugs in the 0.90beta version were corrected. The PS-MPC produces by and large working and stable viruses. It is probably the most widely distributed Virus Construction Kit.
G2 is a second generation Virus Construction Kit. It was programmed in 1993 by "Dark Angel", the same virus writer who one year earlier had written and published the PS-MPC. The "Phalcon/SKISM" group is very active and still publishes its own underground publication, 40HEX. The G2 Virus Construction Kit is also controlled by means of an ASCII configuration file and produces a commented assembler listing for a virus. According to the documentation enclosed with the kit, this is not a rehash of the PS-MPC but a completely new Virus Construction Kit programmed from scratch. G2 mainly distinguishes itself from other Virus Construction Kits by being able to implement partly polymorphic program routines. G2 is fully capable of producing functional and stable computer viruses. The last known version of the G2 Virus Construction Kit is version 0.70beta from January 1993.
The IVP is a second generation Virus Construction Kit. It was programmed by "Admiral Bailey" in 1992 and distributed via mailbox systems. "Admiral Bailey" is a member of the virus writer group "YAM" (Youngsters Against McAfee). The IVP is written in Turbo Pascal 7.0 and requires an ASCII configuration table to produce viruses. The IVP is also able to produce Trojan horses and to encrypt viruses. Used as intended, the IVP is able to produce fully functional viruses, but depending on the contents of the ASCII configuration table the system can also be made to produce non-functional program code which either will not run or crashes the computer. The latest known version of the IVP is version 1.0.
The VCS is a first generation Virus Construction Kit which was published in 1991 by a German virus writer group, "VDV" (Verband Deutscher Virenliebhaber). The VCS is a primitive Virus Construction Kit which, based on an ASCII text file with a maximum length of 512 bytes, produces simple viruses that infect only COM files. After a certain number of infections and replications the virus displays a text on the computer display and proceeds to delete the files AUTOEXEC.BAT and CONFIG.SYS. The VCS was originally published in a German language version, but an English hack emerged later. The latest known version is version 1.0.
Apart from the Virus Construction Kits, a considerable number of virus programming tools have emerged. Most of these serve to introduce encryption and/or junk code into viruses to make them more difficult to detect.
There is also some focus on developing tools that enable viruses to defeat anti-virus programs. In particular the Australia-based (but, in terms of membership, highly international) group of virus writers VLAD has invested considerable, though not terribly successful, effort in defeating the anti-virus system Thunderbyte and its various defence mechanisms.