Windows and Virus Programming

The fine programmers at Microsoft have a problem. To put it simply, their platform is the one most heavily targeted by malicious code. However, that is beginning to change.

I have read that Apple has been targeted with viruses recently, though not as frequently, yet. Linux has traditionally been exempt from malicious code attacks, but Linux systems are growing in popularity and have become targets. The Android operating system has its viruses and, now, even scripting languages like PHP are starting to see virus activity. I recently read the code of a PHP virus that attaches itself to the program and does some nasty things.

Microsoft programmers, however, have not been idle. I’ve been learning programming on Linux but recently bought a laptop with Windows 8. It’s large enough to let me host multiple Linux operating systems on VirtualBox, so I’ve been playing and having fun.

I’ve also installed Microsoft Visual Studio Express 2012 and been playing with some old-school tools of virus programmers, with interesting results.

Programs that Delete Themselves

One interesting thing virus programmers have been able to do is make their viruses disappear after they’ve done their work. The following code uses the remove() function to delete argv[0], the path of the program that is running. Effectively, the program deletes itself. I found the original code on several websites and couldn’t compile it under Windows or Linux with a modern OS. I rewrote it as you see here.

This code will run under Linux and the program will delete itself. In Windows, however, it returns a very visible error. Not very good for a virus that wants to remain incognito.

// This program will no longer destroy itself under Windows.
// Windows returns an error message: the executable image of a running
// process is held open, so remove() fails with "Permission denied".
// Under Linux the file is unlinked while the process keeps running.
#include <stdio.h>

int main(int argc, char *argv[])   /* argv is an array of pointers to the command line arguments */
{
    printf("This program will destroy itself when you press a key!\n");
    getchar();                     /* getch() from conio.h is Windows-only; getchar() builds on both */
    if (remove(argv[0]) != 0)      /* argv[0] is the path the program was launched with */
        perror("remove");          /* make the Windows failure visible instead of silent */
    return 0;
}

I became intrigued by this and decided to try another bit of source code from the Internet. This one allows one file to be embedded into another file. After some reworking of the old code, I got it running under Windows. It will embed a program into another program. The program that receives the information can still run and the file can be extracted into an executable program.

Three things to note about this program are that it actually takes the target file and appends it to the end of the source (which can be confusing); that Windows will not let it put itself into another file; and that Windows will not run the extracted file.

// File embedding utility (original by Srikanth, reworked here). embed() appends
// the whole target file to the end of the source file and records how many
// bytes it appended in Data.cfg; extract() reads that count and copies the
// last that-many bytes of the source back out into a new file.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <conio.h>              /* getch() */
#define CLEAR_SCREEN "cls"
#else
#define getch() getchar()       /* no conio.h on Linux; Enter is needed to continue */
#define CLEAR_SCREEN "clear"
#endif

void embed(void);
void extract(void);

char buff[1], sname[128], tname[128], dname[128], choice;
unsigned long size = 0;         /* bytes appended by embed(), written to Data.cfg */
long psize = 0;                 /* bytes to copy back, read from the .cfg by extract() */
FILE *source, *target, *data;

int main(void)
{
    while (1)
    {
        system(CLEAR_SCREEN);
        puts("\n\t\t\t\tFILE EMBEDDING UTILITY BY SRIKANTH\n\n\n");
        puts("1.Embed A File 2.Extract A File 3.Exit\n");
        choice = getch();
        switch (choice)
        {
        case '1':
            embed();
            getch();
            break;
        case '2':
            extract();
            getch();
            break;
        default:
            exit(0);
        }
    }
}

void embed(void)
{
    puts("\nEnter The Source Filename\n");
    scanf("%127s", sname);      /* width limit keeps the 128-byte buffers safe */
    source = fopen(sname, "rb+");   /* read/write so we can append to it */
    if (source == NULL)
    {
        puts("\nCannot Open The Source File\n");
        return;
    }
    puts("\nEnter The Target Filename\n");
    scanf("%127s", tname);
    /* The original opened the target write-only with open() and then read()
       from that handle, which fails, so the recorded size was always 0 and
       the extracted file came out empty. Counting while copying avoids that. */
    target = fopen(tname, "rb");
    if (target == NULL)
    {
        puts("\nCannot Open The Target File\n");
        fclose(source);
        return;
    }
    printf("\nEmbedding Please Wait...\n");
    size = 0;
    fseek(source, 0, SEEK_END); /* payload goes after the source's own bytes */
    while (fread(buff, 1, 1, target) > 0)
    {
        fwrite(buff, 1, 1, source);
        size++;
    }
    fclose(target);
    fclose(source);             /* fcloseall() is Microsoft-specific; close explicitly */
    data = fopen("Data.cfg", "w");
    if (data == NULL)
    {
        puts("\nCannot Create The Configuration File\n");
        return;
    }
    fprintf(data, "%lu", size); /* extract() needs this number to find the payload */
    fclose(data);
    printf("\nEmbedding Completed Successfully\n");
}

void extract(void)
{
    printf("\nEnter The Source Filename\n");
    scanf("%127s", sname);
    source = fopen(sname, "rb");
    if (source == NULL)
    {
        printf("\nCannot Open The Source File\n");
        return;
    }
    printf("\nEnter The Target Filename(eg: abc.exe)\n");
    scanf("%127s", tname);
    printf("\nEnter The Configuration Filename(eg: Data.cfg)\n");
    scanf("%127s", dname);
    data = fopen(dname, "r");
    if (data == NULL)
    {
        printf("\nConfiguration File Not Found\n");
        fclose(source);
        return;
    }
    if (fscanf(data, "%ld", &psize) != 1 || psize <= 0)
    {
        printf("\nConfiguration File Is Invalid\n");
        fclose(data);
        fclose(source);
        return;
    }
    fclose(data);
    target = fopen(tname, "wb");
    if (target == NULL)
    {
        puts("\nCannot Open The Target File\n");
        fclose(source);
        return;
    }
    printf("\nExtracting Please Wait...\n");
    fseek(source, -psize, SEEK_END);    /* the payload is the last psize bytes */
    while (fread(buff, 1, 1, source) > 0)
        fwrite(buff, 1, 1, target);
    fclose(target);
    fclose(source);
    printf("\nFile Extraction Completed Successfully\n");
}
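
Because the utility above simply appends the target's bytes after the end of the source file, a payload hidden in an executable this way lands in what PE tooling calls the overlay: data past the end of the last section recorded in the headers, which a defender can measure without running anything. The following detector is an added example and not code from the original post; pe_overlay_size(), build_sample_pe() and sample_overlay_demo() are names chosen here, and the PE header the sample builds is constructed in memory and is not a runnable executable.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian field readers; PE header fields are not naturally aligned. */
static uint32_t rd16(const unsigned char *p) { return p[0] | (p[1] << 8); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | (rd16(p + 2) << 16); }

/* Bytes in buf past the end of the last PE section (the "overlay"), which is
 * where an append-to-the-end embedder leaves its payload. Returns -1 if buf is
 * not a PE image or its section table claims data the file does not contain. */
long pe_overlay_size(const unsigned char *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    size_t pe = rd32(buf + 0x3c);                              /* e_lfanew */
    if (pe + 24 > len || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    unsigned nsec = rd16(buf + pe + 6);                        /* NumberOfSections */
    size_t sect = pe + 24 + rd16(buf + pe + 20);               /* skip SizeOfOptionalHeader */
    if (sect + (size_t)nsec * 40 > len) return -1;
    uint64_t end = sect + (uint64_t)nsec * 40;                 /* headers at minimum */
    for (unsigned i = 0; i < nsec; i++) {
        const unsigned char *s = buf + sect + i * 40;
        uint64_t e = (uint64_t)rd32(s + 20) + rd32(s + 16);    /* PointerToRawData + SizeOfRawData */
        if (e > end) end = e;
    }
    return end > len ? -1 : (long)(len - end);
}

/* Constructed, minimal PE-shaped buffer (not a runnable executable): one
 * section whose raw data ends at offset 0x200, then `trailer` appended bytes. */
size_t build_sample_pe(unsigned char *out, size_t trailer)
{
    memset(out, 0, 0x200 + trailer);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3c] = 0x80;                                          /* e_lfanew = 0x80 */
    memcpy(out + 0x80, "PE\0\0", 4);
    out[0x86] = 1;                                             /* NumberOfSections = 1 */
    out[0x94] = 0xE0;                                          /* SizeOfOptionalHeader (PE32) */
    unsigned char *s = out + 0x80 + 24 + 0xE0;                 /* section header at 0x178 */
    s[17] = 0x01;                                              /* SizeOfRawData    = 0x100 */
    s[21] = 0x01;                                              /* PointerToRawData = 0x100 */
    return 0x200 + trailer;
}

/* Runs the detector over the constructed sample with 7 appended bytes. */
long sample_overlay_demo(void)
{
    unsigned char buf[0x200 + 64];
    return pe_overlay_size(buf, build_sample_pe(buf, 7));      /* 7 */
}
```

A legitimate installer or signed binary can carry an overlay too (certificates and setup payloads commonly live there), so a non-zero result is a reason to look closer, not a verdict on its own.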

Admittedly, a programmer who is good at building virus programs may be able to find workarounds for this and, also admittedly, I may have overlooked something on the second program in trying to get the code to work, but it’s clear that Microsoft added to its operating system in ways that make it harder to use some of the old tricks. This may be why many of the new virus programs are a bit more straightforward and rely on fooling the user into executing them. Viruses are still a big threat under Windows but the face of virus programming is changing in Windows because of the work Microsoft’s programmers do to make it safer to use.

It’s a bit scary that I can run potentially malicious code on Linux systems that won’t work as expected under Windows.
