Trilight Zone Forum -> Security
Fighting EPO Viruses

 
Author: tricore (Guest)
Posted: Tue Jan 16, 2007 2:31 am    Post subject: Fighting EPO Viruses

Why EPO and Win32.CTX.Phage


Entry-point obscuring viruses are very interesting because of the very difficult nature of their detection, disinfection and removal. Nowadays the EPO technique is used in many different ways; however, Win32.CTX.Phage has been chosen for this article because it was written by the same author as other infamous viruses such as Win9x.Marburg (one of the first Windows 9x polymorphic viruses, which first appeared in the WildList) and Win9x.HPS. The author of these viruses is known for his difficult-to-detect and difficult-to-disinfect creations. CTX.Phage in particular involves many techniques that make the disinfection process highly difficult, even after the virus is fully understood.


Understanding the Entry-Point Obscuring (EPO) technique
When a virus infects a file, it must find some way to attain control and be executed. Most of the PE file infectors use the most common way of doing this -- they simply change the entry-point of the infected application and make it point to the virus body. An example is shown below.

Original EXE                              Infected EXE
Entry-point: 0x1000 (.code section)       Entry-point: 0x6000 (.reloc section)

Such virus activity is very easy to detect, as it usually results in files whose entry-point resides outside the code section, which are therefore marked as suspicious by a virus scanner. Here is some example code that detects this type of infection (it checks whether the section containing the entry-point is the last section):

// --- snip of scanner code ------------------------------------------------
...(snip)...
PIMAGE_SECTION_HEADER pSHC = NULL;    /* section that contains the entry-point */
char secname[IMAGE_SIZEOF_SHORT_NAME + 1];

sections = pPE->FileHeader.NumberOfSections;
/* the section table follows the NT headers */
pSH = (PIMAGE_SECTION_HEADER)((DWORD)mymap + pMZ->e_lfanew + sizeof(IMAGE_NT_HEADERS));

while (sections != 0) {
    /* validate the header we are about to read, not the address of the
       pointer variable itself */
    if (IsBadReadPtr(pSH, sizeof(IMAGE_SECTION_HEADER)) == TRUE)
    {
        printf("[-] Error: Bad PE file\n");
        goto error_mode4;
    }

    /* Name is 8 bytes and need not be NUL-terminated, so copy it out
       before using it as a C string */
    memcpy(secname, pSH->Name, IMAGE_SIZEOF_SHORT_NAME);
    secname[IMAGE_SIZEOF_SHORT_NAME] = '\0';
    if (secname[0] == '\0') strcpy(secname, "NONAME");

    startrange = (DWORD) pSH->VirtualAddress + pPE->OptionalHeader.ImageBase;
    endrange   = (DWORD) startrange + pSH->Misc.VirtualSize;

    ...(snip)...

    /* does the entry-point RVA fall inside this section? */
    if (pSH->VirtualAddress <= pPE->OptionalHeader.AddressOfEntryPoint &&
        pPE->OptionalHeader.AddressOfEntryPoint < pSH->VirtualAddress +
                                                  pSH->Misc.VirtualSize)
    {
        printf("[+] Checking call/jump requests from %s section (EP)\n",
               secname);
        pSHC = pSH;
    }

    pSH++;
    sections--;
}

pSH--;    /* pSH now points at the last section header */

if (pSHC == NULL)
{
    printf("[-] Error: invalid entrypoint\n");
    goto error_mode4;
}

printf("[+] Starting heuristics scan on %.8s section...\n\n", pSHC->Name);

if (pSHC == pSH)
{
    printf("[!] Alert: Entrypoint points to last section (%.8s) -> 0x%.08x\n",
           pSH->Name, pPE->OptionalHeader.AddressOfEntryPoint +
           pPE->OptionalHeader.ImageBase);

    printf("[!] Alert: The file may be infected!\n");
    printf("[+] No deep-scan action was performed\n");
    goto error_mode4;
}

...(snip)...
// --- snip of scanner code ------------------------------------------------

The very reason why the EPO technique was developed was to avoid virus scanner detection. An entry-point obscuring virus is a virus that doesn't get control from the host program directly. Typically, the virus patches the host program with a jump/call routine, and receives control that way. While there are many variations of the EPO technique
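As an added example (not code from the original article, nor from the scanner it quotes), here is a small Python PE header parser that implements the same entry-point heuristic: it locates the section whose virtual range contains AddressOfEntryPoint and reports when that section is the last one in the table. It goes one step beyond the page's last-section rule by also checking the section's Characteristics for the IMAGE_SCN_CNT_CODE / IMAGE_SCN_MEM_EXECUTE bits. The sample images are constructed inside the script (headers only, no real code) with section addresses matching the table above; the build_pe helper and the section layout are assumptions for the demonstration.

```python
import struct

# Section characteristics bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (entry_point_rva, sections) from a raw PE32/PE32+ image.

    Each section is a dict with name, va, vsize and chars. Every offset is
    bounds-checked before use, the equivalent of the IsBadReadPtr() test
    in the scanner snippet above.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if size_opt < 24 or opt + size_opt > len(data):
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + i * 40
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, va, _rs, _rp, _pr, _pl, _nr, _nl, chars = \
            struct.unpack_from(SECTION_HDR, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "chars": chars})
    return entry_rva, sections


def entry_point_heuristic(data):
    """Find the section holding the entry-point and flag the appended-code
    layout: entry-point in the last section, or in a section that is not
    marked as code/executable (the flag check is an addition to the page's
    last-section rule)."""
    entry_rva, sections = parse_pe(data)
    for idx, sec in enumerate(sections):
        if sec["va"] <= entry_rva < sec["va"] + sec["vsize"]:
            break
    else:
        return {"section": None, "findings": ["entry point outside every section"]}
    findings = []
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append("entry point in last section")
    if not sec["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append("entry-point section not marked as code/executable")
    return {"section": sec["name"], "findings": findings}


def build_pe(entry_rva, sections):
    """Assumed helper: construct a header-only PE32 image for testing.
    sections: list of (name, virtual_address, virtual_size, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)          # 64 bytes
    opt_size = 224                                                     # PE32
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)    # EP at +16
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(struct.pack(SECTION_HDR, n.encode("ascii"), vs, va,
                                 0, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed sample layout matching the table on the page
LAYOUT = [(".text", 0x1000, 0x3000, 0x60000020),    # code, execute, read
          (".data", 0x4000, 0x2000, 0xC0000040),    # initialised data, rw
          (".reloc", 0x6000, 0x1000, 0x42000040)]   # relocations, discardable
CLEAN_EXE = build_pe(0x1000, LAYOUT)      # entry-point in .text
INFECTED_EXE = build_pe(0x6000, LAYOUT)   # entry-point moved into .reloc

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_EXE), ("infected", INFECTED_EXE)):
        print(label, entry_point_heuristic(image))
```

Treat a hit from this check as a prompt for deeper scanning rather than a verdict: packers and some linkers legitimately place the entry-point in a later section, and an EPO virus such as the one discussed here avoids this check entirely, which is exactly why the article goes on to examine call/jump targets inside the entry-point section.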