[ Curiosity,Experimentation ]

Random stuff from the parallel universe of Ones and Zeroes

Archive for July, 2009

Malware Deployment [EXE Binding]

Posted by appusajeev on July 22, 2009

All right fellas,so you did your malware and now what? The final step is to create some mechanism to install the stuff on the target machine and get it running when the machine boots up. Initially ,the method i used was to archive the binaries to a cab archive and code an executable to unpack  the contents into a target folder and create the necessary registry entries(there are plenty of  them) to run the code at startup.But this method had the obvious disadvantage that not all files could be included in a singe executable archive ,which,upon execution shall proceed with the installation silently.

The tool of the trade which could serve this purpose is NSIS or NULLSOFT SCRIPTABLE INSTALL SYSTEM. NSIS is an open source tool for creating multipurpose installers. The most powerful feature of NSIS is that it comes with a flexible scripting system with a multitude of features.
With NSIS ,you could create an  installer(silent if required) which would install the binaries,register the DLLs and OCXs,register startup and so on.

For example,suppose you want to deploy your malware,say Malw.exe onto the target machine. The NSIS script for that would be ( I have set the install directory as System32\5016)

nsis src eg

nsis src eg

I think the code itself is self explanatory. The compliled single exe archive,upon execution would install the exe to the path specified by installdir property. It then sets the registry key for startup(via the key specified in WriteRegStr property which is nothing but WriteRegistryString). Finally it executes Malw.exe after installation. Simple,isnt it?Now to the core part.

EXE Binding (Trojan Horse Mechanism)

Now comes the promising part. With exe binding you could bind your malware setup created above with any other regular software installer/exe so that the user can be tricked into installing the malware along with the software without his knowledge: The exact Trojan Horse Mechanism.

What i do is that i create an installer for the malware as described above and i create a second installer(the Trojan Horse) whose contents are the malware installer created above and the intended software installer execuatable(the bait ,he he). I script this container installer in such a way that upon execution,the malware installer and software installer both are unpacked into a temporary folder and the malware setup(which is silent) is executed prior to executing the software installer so that the malware is installed on the machine before the software installer window pop us. This strategy would install the malware on the target machine without user knowledge.

The NSIS source code to effect such a trojan horse mechanism is given below(faking the iTunes Installer):

NSIS Source eg.

NSIS Source eg.

I guess the code is again self explanatory and if not,the comments in the code will help

The icon and VIAddVersionKey properties have been set to fake the original itunes installer better.

Suggestions are welcome.

Posted in Exe Binding, Visual Basic, Worm | Tagged: , | 1 Comment »

Character case conversion using Bitwise operators

Posted by appusajeev on July 12, 2009

I found this somewhere and hope it might come handy.

ASCII(American Standard Code for Information Interchange) is a method commonly used to represent characters(including alpha numerals,punctuations,control characters) in memory.In this method,each character is uniquely defined by a 7-bit number(or 8 to include some extra characters). For eg. the ASCII code for ‘A’  is 65 and that of ‘a’ is 97 and that of  ‘#’ is 35.

There exists a striking similarity between the ASCII values of upper case alphabets and lower case alphabets . The binary representation of an upper case alphabet and the lower case of the same are the same except for the fifth bit !

for eg . the ASCII code of  ‘ B’   is  66 which is            1 0 0 0 0 0 1 in binary

and the  ASCII code of  ‘b’ is 98 which is                     1 1 0 0 0 0 1 in binary .

Notice that there is a change only in the fifth bit and the rest are the same.

The fifth bit is set for a lower case alphabet and it is cleared for an upper case alphabet.

With that knowledge,bitwise operators can be used to detect if the character is in upper case of not.

The python statement to detect the case is (assuming x contains an alphabet)

ord(x)  &  (1<<5)

If the above statement is true,the character contained in x is a lower case character. ord() is a built in function which returns the ASCII code of a character.

and the corresponding C statement would be :

  x  &  (1<<5)

The advantage of this method is that there is no need to the check for the range of ASCII values to determine if the character is  upper case or not.

Now to character conversion. Suppose that a contains a lower case character. To convert it into upper case,just set the fifth bit to zero . The following python code illustrates the method

a=chr(ord(a)&~(1<<5))

and the corresponding C code would be

a=a &~(1<<5))

This method may sound lame when the easier method to add 32 to the ASCII code exists but it just demonstates the application of bitwise operators.

Posted in Python | Tagged: | 8 Comments »

A Minimal Cross-platform Port Scanner in Python

Posted by appusajeev on July 6, 2009

A  Port Scanner is one of the most basic tools in the arsenal of an attacker/administrator. Basically a port scanner is a tool which can identify the open ports on a remote system. Given an ip address and an optional port range,a port scanner tries to connect to the ports on the machine sequentially and a successful connection means an open port. Open ports can sometimes prove to be a juicy entry point for an attacker,when there is a vulnerable application/service on the other side with an open port.

With that basic idea,presented here is a minimal port scanner i developed Python.

No rocket science,pretty straight forward code. The source can be altered to make it a portsweeper even

You can download the source here

The source is displayed below. And remember,this is a simple portscanner .So no advanced features

Port Scanner Source

Port Scanner Source

First,the program checks for the right number of command line arguments which includes the remote IP address,starting port and ending port. After extracting these parameters , a TCP socket is created each time to connect to the different ports sequentially on the same machine. A successful connection means that that port is open and some application/service is listening to it.

Currently what bothers me is the time taken to complete the scan. It takes quite some time :d

Suggestions and bug reports are welcome…….

Posted in Port Scanner, Python | Tagged: , | 4 Comments »