A fish out of water

A customer recently sent us samples of some AMD64 and Itanium executables that W32/Vetor-F had managed to infect, apparently unintentionally, despite being an x86-only executable virus. The Itanium version would definitely not have executed properly, as the virus had simply infected it with x86 instruction code at the entry point, which is meaningless to an Itanium processor. The AMD64 file, however, may well have executed as the instructions for AMD64 and x86 are very similar.

Vetor infection in an Itanium executable

For W32/Vetor-F the existing detection and disinfection worked normally, but it’s easy to imagine a situation in which the AV product is not expecting to find infection code for one architecture in an executable for another – and, even worse, if the architectures are similar enough then the infection may still be dangerous.

Vetor infection in an AMD64 executable

This cross-architecture infection was unintentional in Vetor. It’s a bug, but like many bugs in virus infection mechanisms it’s one that can make it tricky to identify and disinfect infected files.

Other examples include infectors that fail to check the PE section layout properly and end up writing the viral code across two or more sections and infections that don’t take account of data appended to the host executable. Many of these bugs can create oddities in the file structure that challenge the detection and disinfection code used by AV companies.
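The structural oddities described above (x86 infection code in an AMD64 or Itanium host, and an entry point that lands outside the code section or outside every section) can be surfaced by reading a handful of PE header fields. The following is an added example, not code from the original post or from any AV product; it assumes a scanner has already matched an x86 signature at the entry point and wants to know whether the host architecture agrees, and the sample images it builds are constructed header-only stubs, not real executables.

```python
import struct

MACHINE_NAMES = {0x014C: "i386", 0x0200: "IA64", 0x8664: "AMD64"}

def pe_summary(data: bytes) -> dict:
    """Read the target machine, entry point RVA and section table from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):                                    # 40-byte section headers
        name, vsize, vaddr, rawsize, *_, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr, max(vsize, rawsize), chars))
    entry_sec = next((s for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)),
            "entry_rva": entry_rva, "entry_section": entry_sec, "sections": sections}

def host_checks(data: bytes, matched_code_arch: str) -> list:
    """Given a signature for `matched_code_arch` code matched at the entry point,
    report cross-architecture and section-layout oddities in the host."""
    s = pe_summary(data)
    findings = []
    if s["machine"] != matched_code_arch:
        findings.append(f"{matched_code_arch} code in {s['machine']} host")
    sec = s["entry_section"]
    if sec is None:
        findings.append("entry point outside every section")
    elif not sec[3] & 0x20:                                  # IMAGE_SCN_CNT_CODE
        findings.append(f"entry point in non-code section {sec[0]}")
    return findings

def build_sample(machine: int, entry_rva: int) -> bytes:
    """Constructed minimal PE image (headers only, no code) for exercising the checks."""
    pe32plus = machine in (0x0200, 0x8664)
    opt_size = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 2, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<HBBIIII", 0x20B if pe32plus else 0x10B, 14, 0, 0x1000, 0x1000, 0, entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    data_sec = struct.pack("<8sIIIIIIHHI", b".data", 0x1000, 0x2000, 0x1000, 0x1400, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + opt + text + data_sec
```

Real scanners also cross-check the optional header magic (PE32 versus PE32+) against the machine field; that check is omitted here to keep the example short.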

While most of the weird replicants arising from bugs are inoperable and harmless, sometimes the viral code executes even when the original host is broken. This can be an annoying situation for AV companies: a replicant resulting from a buggy infection that is too strange to be detected by the existing signature for that virus, but is still intact enough to cause further damage when executed.

Even though many virus writers claim — usually to create some ridiculous justification for their actions — to be interested in artificial life, they seem to be unaware of the role of imperfect replication in evolution and tend to completely misunderstand the subject in general. Sometimes they even work against it. This is the case not just in trying (and, in this case, failing) to prevent broken replicants, but also in the design of most metamorphic engines that go out of their way to eliminate code mutations from the previous generation, a feature which removes any chance of cumulative selection and inheritance.

One last thing — it would be interesting to find out if there actually are any older x86 viruses, aside from trivial prependers (which replace the entire executable image with themselves so they’d run in 32-bit mode), that infect AMD64 executables by accident and still work. If there are, they’re probably fairly straightforward.