
http://www.buidao.com

11/14/09

[Anti Virus] Pro Decrypting VBScript Viruses

Pro Decrypting VBScript Viruses

In this book you will learn how to decrypt a VBScript and recover its original source code; it also teaches a number of techniques hackers use to protect their source code, which can be just as effective for protecting your own code or secret algorithms.
This book does not cover virus behaviour or the VBScript-specific functions viruses use (a separate book will discuss VBScript virus behaviour; check for other related books). It is intended to discuss the methods hackers use to obfuscate their source code so that others cannot understand it and antivirus programs cannot detect the threat as early.
I have also given some examples of easy-to-understand viruses and other algorithms I found on the web, so they can make a good base you can start from. I also mention some ways of decrypting encoded scripts by the WSD (Windows Script Decoder), but I do not provide any tools or real code (you know Microsoft and the copyrights!!!!).
Also, this book assumes that you have a little knowledge of VBScript and of scripting in general. It will not teach you VBScript; if you wish to learn VBScript, these books are good to start with: Wrox VBScript Programmer's Reference or Sams VBScript, WMI, and ADSI Unleashed.
One more thing: there was no technical reviewer or any help from others; I wrote this book alone, so if there are some errors you can understand the situation. Also, English is not my language, so expect lots of grammatical mistakes; your help with that is of course welcome.

The purpose of this book is to propose a teaching approach for understanding how viruses are encrypted (encoded; we use the two words interchangeably) and how to reverse-engineer the encryption process. It also introduces some techniques you can use in any program, most importantly scripts such as Perl, VBScript and JavaScript, or web frameworks like ASP.
The first look at an encrypted virus might not be easy, but knowing what goes on inside will give you the best view of those viruses and how they work. In fact, VBScript viruses decrypt themselves before they can be executed, so hackers must include the decryption logic with the virus, and that is the weakest point of those viruses.
Some people say that VBScript is a paradise for virus writers: it has access to almost everything in your system; it can change the registry and the security settings, and reach SAM accounts too; it has total access to WMI and ADSI, and many other tricks. So why not use it to write malicious code? Another thing: time has proven that Microsoft's version of JavaScript, JScript, is very insecure. JS/Seeker.B is an example of what can be done with it.
Because scripts are not compiled programs, they are executed without any change to the original text. This is a problem for several reasons: everyone who has read privileges on the file system can read the script, which can be a real problem for administrators, especially on a network; also, antivirus programs can build a signature for a virus by just analyzing the text inside it.
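The "weakest point" above, the decryption logic shipped inside the script, is what an analyst turns against the obfuscation. As an added example (not from the book or this blog), here is a small Python routine that statically resolves the Chr()/string concatenations a script hands to Execute and returns the plaintext, run on a constructed harmless sample, so the real statement can be read or signature-matched without ever executing it.

```python
import re

# Constructed, harmless sample: the real statement is assembled from Chr() pieces,
# string fragments and StrReverse, then handed to Execute, the self-decrypting
# pattern the book describes. Nothing here is ever executed by this script.
SAMPLE_VBS = '''
Dim p1, p2
p1 = Chr(77) & Chr(115) & "gBox" & Chr(32)
p2 = Chr(34) & StrReverse("olleh") & Chr(34)
Execute p1 & p2
'''

# One token of a VBScript '&' expression: "literal", Chr(n), StrReverse("..") or a name.
TOKEN = re.compile(
    r'"((?:[^"]|"")*)"|Chr\((\d+)\)|StrReverse\("((?:[^"]|"")*)"\)|([A-Za-z_]\w*)'
)
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
EXECUTE = re.compile(r'^\s*Execute(?:Global)?\s*\(?\s*(.+?)\s*\)?\s*$')


def eval_concat(expr, env):
    """Evaluate a VBScript '&' concatenation of literals, Chr(n), StrReverse("..")
    and already-resolved variables without running any VBScript."""
    out = []
    for lit, chr_n, rev, name in TOKEN.findall(expr):
        if chr_n:
            out.append(chr(int(chr_n)))
        elif rev:
            out.append(rev.replace('""', '"')[::-1])
        elif name:
            out.append(env.get(name, ""))      # unknown names resolve to empty
        else:
            out.append(lit.replace('""', '"'))  # "" inside a literal is an escaped quote
    return "".join(out)


def recover_executed_code(script):
    """Walk the script once, resolving assignments statically, and return the
    plaintext passed to each Execute/ExecuteGlobal call."""
    env, recovered = {}, []
    for line in script.splitlines():
        m = EXECUTE.match(line)
        if m:
            recovered.append(eval_concat(m.group(1), env))
            continue
        m = ASSIGN.match(line)
        if m:
            env[m.group(1)] = eval_concat(m.group(2), env)
    return recovered


if __name__ == "__main__":
    for stmt in recover_executed_code(SAMPLE_VBS):
        print("Execute would run:", stmt)   # prints: Execute would run: MsgBox "hello"
```

Real samples layer more transforms (Replace, Mid, custom XOR loops) on top of this, but the approach is the same: re-implement or instrument the decryption routine the script must carry, never the payload.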

Download: Book + VS2k8 Source + VS2k5 Source