To Junk Or Not To Junk

Filed Under: SophosLabs

Following on from my colleague's post here on broken Sality infections, it is interesting to look at modern polymorphic viruses and ask whether their propensity to junk files is wholly accidental or whether there is the occasional element of intent involved.

Destruction of the host by a file-infecting virus has been going on for as long as viruses have been around. In days gone by, it was more common than not for a virus payload to be destructive. Viruses such as W32/Kriz and W95/CIH-10xx would not only destroy files but also attempt to overwrite the system BIOS on their various trigger dates. As recently as 2007 there was W32/Flukan-C, which would overwrite every zip file it could find with a copy of itself while keeping the original filename.

The trend for viruses today is very much to keep a low profile while on an infected system. As a result we rarely see the extremely destructive viruses that cropped up in yesteryear. However, a mass infection that leaves behind a large number of irreparably corrupt files can still be very damaging.

Some members of the Virut/Vetor family randomly choose not to leave an infection marker after infecting a file. This leaves the way open to multiple infections of the same host (more headaches for anti-virus companies) but also increases the chance that the resulting file is corrupt. Some recent members of the Sality family were found to calculate the entry point incorrectly for files with a particular section table. If every section had a Virtual Size of zero, the virus treated the entry point value from the PE optional header as a file offset rather than as a Relative Virtual Address (an address relative to the image base that must be mapped through the section table to find the matching file offset) and wrote its code there. Because the code lands at the wrong place in the file, the result is almost always a host that crashes.

It is also not unheard of to see viruses accidentally infect files that were not built for the platform the virus is running on. For example, a virus running under x86 may infect a Windows CE PE file compiled for the ARM processor. That file now has no hope of running, yet a simple check of the Machine field in the PE (COFF) file header would have told the virus that infecting it was pointless, and it could have moved on to the next file.
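The two mistakes above, the entry-point miscalculation for all-zero Virtual Size section tables and the missing Machine check, are both decisions an infector makes while reading the PE headers. The following Python is an added illustration written for this post, not Sality's, Virut's or anyone else's actual code: it builds a few minimal, constructed PE32 images in memory, parses the fields an infector would need, maps the entry-point RVA to a file offset both correctly and in a naive way that reproduces the described outcome (the RVA ends up used as a raw file offset once no section claims it), and runs the Machine check. The `build_pe`, `parse_pe`, `rva_to_offset`, `naive_rva_to_offset` and `should_infect` names are this example's own, and the exact control flow of the real Sality bug is not known from the post; only the outcome it describes is reproduced.

```python
import struct

# COFF Machine values from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_ARM = 0x1C0     # ARM little-endian, as used by Windows CE
IMAGE_FILE_MACHINE_THUMB = 0x1C2   # Thumb, also seen in Windows CE binaries
IMAGE_FILE_MACHINE_AMD64 = 0x8664

PE32_OPT_HDR_SIZE = 0xE0
FILE_ALIGN = 0x200


def build_pe(machine, sections, entry_rva):
    """Build a minimal PE32 image: MZ stub, PE signature, COFF header, PE32
    optional header and section table, then filler section bodies.
    Constructed test data only; the image is not loadable.
    `sections` is a list of (name, VirtualSize, VirtualAddress, SizeOfRawData)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0,
                       PE32_OPT_HDR_SIZE, 0x0102)                 # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)  # AddressOfEntryPoint sits at +16
    opt += b"\0" * (PE32_OPT_HDR_SIZE - len(opt))
    headers_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    first_raw = (headers_len + FILE_ALIGN - 1) & ~(FILE_ALIGN - 1)
    raw_ptr, table, bodies = first_raw, b"", b""
    for name, vsize, vaddr, rawsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize,
                             raw_ptr, 0, 0, 0, 0, 0x60000020)     # CODE | EXECUTE | READ
        bodies += b"\xCC" * rawsize                               # int3 filler stands in for code
        raw_ptr += rawsize
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (first_raw - headers_len) + bodies


def parse_pe(data):
    """Parse the fields an infector needs: Machine, AddressOfEntryPoint and
    the section table. Raises ValueError for anything that is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # COFF header is 20 bytes after the 4-byte signature
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    return {"machine": machine, "entry_rva": entry_rva, "sections": sections}


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset through the section table. A section whose
    VirtualSize is zero is treated as SizeOfRawData bytes long, which is the
    usual fallback in PE tooling, so all-zero Virtual Sizes still resolve.
    Returns None when no section contains the RVA."""
    for s in pe["sections"]:
        size = s["vsize"] or s["rawsize"]
        if s["vaddr"] <= rva < s["vaddr"] + size:
            return rva - s["vaddr"] + s["rawptr"]
    return None


def naive_rva_to_offset(pe, rva):
    """Illustrative bad mapping (an assumption about how the described bug could
    arise, not Sality's real code): only VirtualSize is consulted and, when no
    section claims the RVA, the RVA itself is used as the file offset. With
    every VirtualSize zero no section ever matches, so the entry point RVA is
    written to as though it were a raw offset."""
    for s in pe["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + s["vsize"]:
            return rva - s["vaddr"] + s["rawptr"]
    return rva


def should_infect(pe, host_machine=IMAGE_FILE_MACHINE_I386):
    """The pre-infection checks the post says a careful infector would make:
    the Machine field must match the host, and the entry point must actually
    land inside a section of the file."""
    if pe["machine"] != host_machine:
        return False, "machine 0x%04x is not the host's 0x%04x" % (pe["machine"], host_machine)
    if rva_to_offset(pe, pe["entry_rva"]) is None:
        return False, "entry point RVA 0x%x maps to no section" % pe["entry_rva"]
    return True, "ok"


if __name__ == "__main__":
    text = [(b".text", 0x1000, 0x1000, 0x200)]
    zero_vsize = [(b".text", 0, 0x1000, 0x200)]
    for label, image in [("x86, normal", build_pe(IMAGE_FILE_MACHINE_I386, text, 0x1010)),
                         ("x86, VirtualSize 0", build_pe(IMAGE_FILE_MACHINE_I386, zero_vsize, 0x1010)),
                         ("WinCE ARM", build_pe(IMAGE_FILE_MACHINE_ARM, text, 0x1010))]:
        pe = parse_pe(image)
        print("%-20s correct=%s naive=%s size=0x%x infect=%s" % (
            label, rva_to_offset(pe, pe["entry_rva"]), naive_rva_to_offset(pe, pe["entry_rva"]),
            len(image), should_infect(pe)))
```

On the all-zero Virtual Size image the correct mapping and the naive one disagree: the entry point RVA 0x1010 correctly resolves to offset 0x210 inside .text, while the naive path hands back 0x1010, which in this constructed image lies beyond the end of the 0x400-byte file. Code written there never executes at the entry point, which is the crash-on-launch outcome the post describes. The ARM image fails the Machine check before any of that happens.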

It seems that modern virus authors regard a swathe of files left in varying degrees of corruption as a perfectly acceptable, and possibly desired, side effect of a successfully infected system.

To Junk or not to Junk? The virus authors say: Why Not?

About the author

James Wyke is a Senior Threat Researcher with SophosLabs UK