malware, Uncategorized

Stealth is basically acting in a covert way.

As discussed previously, there are three main kinds of stealth:

  • Size Stealth
  • Full Stealth
  • Redirection Stealth

Size Stealth

In this case the malware hides the change in size of an infected file. What is done in the background:

  • Saves the original file size and reports only that size
  • This can be done through a setting on the machine, e.g. in the registry, or through fake checksums and byte sizes.

[Figure: Size Stealth Illustration]

Full Stealth

Malware disinfects a host file when it is opened, or re-infects it when it is closed, depending on its nature. The exact sequence varies from virus to virus; for the actions referred to below, see the notes about the MSDOS API. To Download MSDOS Source.

Disinfect On Open

– Create a false INT 21h (Random read) call to intercept the 3Dh (Open File) or 6Ch (Extended Open File) functions. Both are intercepted to ensure the same file isn't opened in compatibility mode.
– Check if the file that is being opened is a COM or EXE
– Open file for reading and writing
– Check if file is infected or clean
– If not infected exit
– Save the file’s time & date
– Read the original bytes in memory
– Write the original code
– Restore file size
– Subtract the length of our virus
– Restore original year
– Truncate the file
– Close the file

Re-Infect on File Close

– Create a false INT 21h (Random read) call to intercept the 3Eh (Close File) function, i.e. stop the close
– Check if file is infected
– If the file is already infected, just close the file
– Save file time, date & size
– Write the payload to file
– Set old file’s time/date
– Mark the file for stealth
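The steps above show why a defender cannot rely on file size or timestamps alone: both Size Stealth and the re-infect-on-close sequence save the original size and time/date and put them back. The following is an added example (my own code, not from the original post) of a baseline integrity check that records size, modification time and a SHA-256 hash, then treats "content changed while size and timestamp stayed identical" as the stealth signature. The sample file is a constructed 64-byte stand-in, not a real COM program, and the simulated modification only mimics the "save file time, date & size ... set old file's time/date" steps by restoring the timestamp with os.utime.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Record the three attributes a stealth virus tries to preserve or fake:
    size, modification time and a content hash."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()}


def compare(baseline, current):
    """Return a list of findings. A changed hash with identical size and
    timestamp is the pattern the stealth steps above produce."""
    findings = []
    if current["sha256"] != baseline["sha256"]:
        if (current["size"] == baseline["size"]
                and current["mtime_ns"] == baseline["mtime_ns"]):
            findings.append(
                "content changed but size and timestamp preserved: possible stealth modification")
        else:
            findings.append("content changed")
    if current["size"] != baseline["size"]:
        findings.append("size changed")
    if current["mtime_ns"] != baseline["mtime_ns"]:
        findings.append("timestamp changed")
    return findings


def demo():
    """Constructed scenario: baseline a file, overwrite part of it in place
    (same length), restore the old timestamp, and re-check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.com")  # constructed stand-in, not a real program
        with open(path, "wb") as f:
            f.write(b"\xC3" + b"\x90" * 63)   # 64 bytes of placeholder content
        base = fingerprint(path)

        # Same-length in-place modification so the size does not change
        with open(path, "r+b") as f:
            f.seek(1)
            f.write(b"\xCC" * 8)
        # Put the saved time/date back, as the stealth sequence does
        os.utime(path, ns=(base["mtime_ns"], base["mtime_ns"]))

        return compare(base, fingerprint(path))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The caveat a practitioner should keep in mind is that on a live infected machine a Full Stealth virus also intercepts the open and read calls, so the hashing step itself would see a disinfected copy. A baseline comparison like this is therefore trustworthy only when run from a clean boot or against the disk offline, where the hooked INT 21h handler is not in memory.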


Redirection Stealth

This can be considered a form of byte-level transposition: the virus intercepts reads of the infected bytes and maps them to the original, uninfected bytes of the host file, which dupes the antivirus into thinking the file is clean.

February 2024