Part II: The bare-bones basics
==============================

This part of the document tries to give a very basic understanding of
the Trojan/virus. It is *supposed* to raise questions; these questions
will be dealt with in the third section. It only gives the reader an
idea of the dynamics of the virus. It is the "press release" part of
the design.

The Package
-----------

The package is a single executable. The executable contains two parts:
a normal, functional program, and the Active Ingredient (AI). The
normal program can be anything, but it should be of interest to the
Internet community. Examples could include screensavers, auto-playing
AVI or MPEG files, Flash movies, anti-virus software, or a new hacking
tool.

The type of package can be customized to suit the means of
transportation.

Initial infection
-----------------

The package will be distributed on the Internet. This is done by
"robots". These "robots" will upload the infected package to FTP
servers, mass-mail the package to users, repackage existing software
to contain the AI, and DCC the package at random to users connected to
IRC servers. The 'net should be flooded with infected programs, all
different in size and apparent functionality.

Conventional virus-spreading methods can also be used. The initial
infection could last on the order of 2 months.

Upon first execution on the client machine
------------------------------------------

A user will obtain the package and execute it.

- Settle in.

  The AI will rename itself to an unsuspicious filename and take the
  necessary precautions to ensure that it is executed every time the
  host is restarted.

- Registration on server.

  The AI should wait until it detects that it can connect to a server
  on the Internet. When this happens, the AI contacts one of a set of
  predefined web servers and uploads information to that site. It saves
  a file on the site containing detailed information about the host.
  Each AI saves the file under a unique name / serial number.

Day-to-day activity of the AI
-----------------------------

The AI will monitor activity, and if it detects web traffic, it will
periodically check for instructions posted on the predefined web
server. These commands are downloaded from the web and executed on
the host. The commands are to be found in a file that matches the
serial number the AI registered in the initial contact. The AI will
execute all commands found in the command file. If the AI cannot find
the command file, it falls back to a general command file. If it
cannot find this file either, it proceeds with preprogrammed
instructions.
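
From the defender's side, the polling just described leaves a recognisable trace in web proxy logs: one client fetching the same file at a fixed cadence, and a 404 on the per-host file followed at once by a fetch of a general file on the same server. The detection logic below is an added example, not part of the original design; the log format, the host names, paths, serial value and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log lines (assumed format: "time client method url status").
SAMPLE_LOG = """\
2001-03-01T08:00:02 10.0.0.5 GET http://cmd.example.invalid/cmd/7F3A1.txt 200
2001-03-01T08:03:10 10.0.0.7 GET http://news.example.invalid/index.html 200
2001-03-01T08:15:01 10.0.0.5 GET http://cmd.example.invalid/cmd/7F3A1.txt 404
2001-03-01T08:15:02 10.0.0.5 GET http://cmd.example.invalid/cmd/general.txt 200
2001-03-01T08:30:03 10.0.0.5 GET http://cmd.example.invalid/cmd/7F3A1.txt 200
2001-03-01T08:41:55 10.0.0.7 GET http://news.example.invalid/sports.html 200
2001-03-01T08:45:02 10.0.0.5 GET http://cmd.example.invalid/cmd/7F3A1.txt 200
2001-03-01T09:00:01 10.0.0.5 GET http://cmd.example.invalid/cmd/7F3A1.txt 200
"""

def parse_log(text):
    """Return (time, client, host, path, status) tuples sorted by time."""
    recs = []
    for ts, client, _method, url, status in (ln.split() for ln in text.splitlines()):
        u = urlsplit(url)
        recs.append((datetime.fromisoformat(ts), client, u.netloc, u.path, int(status)))
    return sorted(recs)

def find_beacons(records, min_hits=4, max_jitter=0.1):
    """(client, host, path) triples fetched at a near-constant interval."""
    times = defaultdict(list)
    for ts, client, host, path, _status in records:
        times[(client, host, path)].append(ts)
    hits = []
    for key, stamps in times.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A scheduled poll fetches the same file like clockwork, so the coefficient
        # of variation of its gaps is near zero; human browsing is irregular.
        if len(stamps) >= min_hits and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_jitter:
            hits.append(key)
    return hits

def find_fallbacks(records, window=5):
    """Clients that got a 404 then, within `window` s, fetched a different path on
    the same server: the per-host-file-then-general-file pattern (records sorted)."""
    found = set()
    for i, (ts, client, host, path, status) in enumerate(records):
        for ts2, client2, host2, path2, _ in records[i + 1:]:
            if status != 404 or (ts2 - ts).total_seconds() > window:
                break
            if (client2, host2) == (client, host) and path2 != path:
                found.add(client)
    return sorted(found)
```

On real logs the thresholds need tuning: software updaters and web mail clients also poll on a schedule, so a beacon hit is a lead to triage against the process and host that made the requests, not a verdict.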

Spreading further
-----------------

Every infected host "reports" to one of the predefined servers by
updating a counter file: every host infected during the initial spread
increments a number stored in the "infection count" file. When this
count reaches a critical mass, all AIs begin the secondary infection
procedure:

The AI extracts all email addresses contained in the address books of
popular mailers (Outlook, Netscape, Eudora). The AI then starts sending
email with attachments to the addresses harvested from the mailers. The
attachment is the package. The rate at which the AI sends mail can be
controlled via the command files.

Continue to Part III: Detail Design