[ Curiosity,Experimentation ]

Random stuff from the parallel universe of Ones and Zeroes

Posts Tagged ‘Exe Binding’

Malware Deployment [EXE Binding]

Posted by appusajeev on July 22, 2009

All right fellas,so you did your malware and now what? The final step is to create some mechanism to install the stuff on the target machine and get it running when the machine boots up. Initially ,the method i used was to archive the binaries to a cab archive and code an executable to unpack  the contents into a target folder and create the necessary registry entries(there are plenty of  them) to run the code at startup.But this method had the obvious disadvantage that not all files could be included in a singe executable archive ,which,upon execution shall proceed with the installation silently.

The tool of the trade which could serve this purpose is NSIS or NULLSOFT SCRIPTABLE INSTALL SYSTEM. NSIS is an open source tool for creating multipurpose installers. The most powerful feature of NSIS is that it comes with a flexible scripting system with a multitude of features.
With NSIS ,you could create an  installer(silent if required) which would install the binaries,register the DLLs and OCXs,register startup and so on.

For example,suppose you want to deploy your malware,say Malw.exe onto the target machine. The NSIS script for that would be ( I have set the install directory as System32\5016)

nsis src eg

nsis src eg

I think the code itself is self explanatory. The compliled single exe archive,upon execution would install the exe to the path specified by installdir property. It then sets the registry key for startup(via the key specified in WriteRegStr property which is nothing but WriteRegistryString). Finally it executes Malw.exe after installation. Simple,isnt it?Now to the core part.

EXE Binding (Trojan Horse Mechanism)

Now comes the promising part. With exe binding you could bind your malware setup created above with any other regular software installer/exe so that the user can be tricked into installing the malware along with the software without his knowledge: The exact Trojan Horse Mechanism.

What i do is that i create an installer for the malware as described above and i create a second installer(the Trojan Horse) whose contents are the malware installer created above and the intended software installer execuatable(the bait ,he he). I script this container installer in such a way that upon execution,the malware installer and software installer both are unpacked into a temporary folder and the malware setup(which is silent) is executed prior to executing the software installer so that the malware is installed on the machine before the software installer window pop us. This strategy would install the malware on the target machine without user knowledge.

The NSIS source code to effect such a trojan horse mechanism is given below(faking the iTunes Installer):

NSIS Source eg.

NSIS Source eg.

I guess the code is again self explanatory and if not,the comments in the code will help

The icon and VIAddVersionKey properties have been set to fake the original itunes installer better.

Suggestions are welcome.


Posted in Exe Binding, Visual Basic, Worm | Tagged: , | 1 Comment »