Curiosity, Experimentation

Random stuff from the parallel universe of Ones and Zeroes

Posts Tagged ‘VB’

Developing an Anti-Worm tool [VB 6]

Posted by appusajeev on March 1, 2010

I am pretty sure you must have come across this malware which copies itself into each directory with the same name as the directory and the same icon as the default Windows XP folder icon, to trick the user into executing the malware which he thinks is a folder (see the post below for an implementation of the same). So even if you somehow kill it, the chances of it bouncing back into action are pretty high.

Anyway, this post is about creating an anti-worm tool in VB: a behaviour-based detection tool that searches for and removes such malware.

First, you have to give it a sample of the malware to search for. The directory structure of each drive is traversed and each directory is searched for the presence of an exe with the same name as the directory; if such an exe is found, its size is compared with the size of the exe given as the sample. If there is a match, it is reported (an MD5 signature-based comparison would have been a better alternative any day, but I don't know if there is an MD5 implementation for VB yet). This second level of checking is needed because an exe with the same name as the directory need not always be malware.


Here's the tool in action:

(Screenshot: Anti-worm tool in action)

Given below is the source, which the original post shows as a screenshot:

(Screenshot: Anti-worm source in VB6)
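A modern take on the check described above, written in Python as an added example (it is not the post's VB6 tool, and it also catches the replication pattern the next post describes): it walks a tree, flags any <dir>/<dir>.exe, and confirms a hit by SHA-256 against a known sample instead of the size comparison the post settles for. The tree it scans is a constructed temp directory, and the names and helpers (`scan_tree`, `demo`) are assumptions of this example.

```python
"""Added example: behaviour-based scan for the <dir>/<dir>.exe pattern.

Not the post's VB6 tool. Confirms hits by SHA-256 rather than file size,
and runs here against a constructed temp tree built by demo()."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, sample_hash: str = "") -> dict:
    """Walk root; return {'confirmed': [...], 'suspect': [...]} of paths.

    suspect   - an exe named after its parent directory (name heuristic only)
    confirmed - a suspect whose SHA-256 equals the supplied sample hash"""
    hits = {"confirmed": [], "suspect": []}
    for dirpath, _dirs, files in os.walk(root):
        wanted = os.path.basename(dirpath).lower() + ".exe"
        for name in files:
            # Windows file systems are case-insensitive, so compare lowered names.
            if name.lower() != wanted:
                continue
            p = Path(dirpath) / name
            matched = bool(sample_hash) and sha256_of(p) == sample_hash
            hits["confirmed" if matched else "suspect"].append(str(p))
    return hits


def demo() -> dict:
    """Constructed tree: one replicated copy, one legitimate same-named exe."""
    base = Path(tempfile.mkdtemp())
    worm = b"MZ-constructed-worm-body"                      # stand-in sample body
    (base / "Photos").mkdir()
    (base / "Photos" / "Photos.exe").write_bytes(worm)       # replicated copy
    (base / "Tools").mkdir()
    (base / "Tools" / "Tools.exe").write_bytes(b"MZ-legit")  # benign, same name
    sample = base / "sample.exe"                             # sample given to tool
    sample.write_bytes(worm)
    return scan_tree(base, sha256_of(sample))
```

Point `scan_tree()` at a drive root with the hash of a quarantined sample to run it for real; anything left in `suspect` still deserves a manual look, since a legitimate tool may happen to share its folder's name.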

Posted in Visual Basic, Worm

Malware Replication [Visual Basic 6]

Posted by appusajeev on January 27, 2010

It's been a while since something was posted about malware. So this time, we are going to develop a mechanism whereby you can spread your malware, i.e. copy your malware to each and every directory in the system with the same name as the directory (if you can give the exe a 'folder' icon, you can trick the user into executing the file which he thinks is a folder).

The code is straightforward. No rocket science. Just traverse the directories recursively and copy the exe to each directory, renaming it to the name of the directory.


I have assumed below that 'malw.exe' is the malware you want to spread and that it is present in the same directory where the code will be running.

(Screenshot: Malware replication code, VB 6)

Posted in Visual Basic

An Encrypting/Blackmailing Malware with code [Visual Basic]

Posted by appusajeev on October 29, 2009

All right fellas, this post deals with creating a malware that encrypts the files on a computer, which can only be decrypted upon your command, which, well, is another form of blackmailing! 🙂 The stuff is fairly simple conceptually but does churn out some lines of code when implemented.

When the thing is run for the first time, it scans the entire file system (all drives in the computer excluding the A: and C: drives) and creates a list of files (I have used an Access database to store the list of files) matching a certain criterion, say file extension. I chose to attack doc, rtf, xls, jpg and txt files. That done, the encryption process is started and each file from the list in the database is encrypted sequentially. An 'e' flag is stored against the file name of each file so that the encrypted files can later be identified for decryption. The stuff is also resume-capable, i.e. if the list creation/encryption/decryption process is interrupted by a shutdown or something, the process will resume the activity the next time it is executed. And relax, I have incorporated a mechanism to avoid file corruption during shutdown or other interruptive events.


The encryption/decryption process is determined by the presence of the string "action" in the path
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\cryp\action\action
If this key is non-existent or a value other than "d" is present, the encryption process starts, and if a "d" has been specified, the decryption process is invoked.

The encryption algorithm I have used is way too simple. I replace each character in the file with a character whose ASCII code is obtained by subtracting the ASCII code of the original character from 255 (ensuring that the result lies between 0 and 255). Repeat the same and you get back the original character! I know this is a pretty lame method which can be easily cracked, since this is an algorithm-based encryption method whose secrecy rests on the algorithm alone rather than on a key. You may implement your own method (like RSA or something).

I have used an Access database integrated using ADO to store the list of files against their status (whether encrypted or not), because the process involves a lot of search and update routines which, I think, are better dealt with by a DBMS. Since this is not a mash-up program, knowing the status of a file is crucial to the decryption process.

Once the user/victim thinks enough is enough, you can initiate the decryption process by setting "d" as the value of the registry string under the key HKEY_CURRENT_USER\Software\VB and VBA Program Settings\cryp\action\action. The decryption method uses the same encryption algorithm to restore the original contents of the file, and a 'd' flag is stored against the name of the decrypted file.

Note: Be careful while testing; the encryption process is automatically invoked when run in a new environment (reason explained above).
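Because the transform is its own inverse, the same few lines serve a responder both for recognising a file hit by this scheme and for restoring it. The Python below is an added example, not the post's VB6 code: it checks whether a file's leading bytes are the 255-complement of a known header for the types the post targets (with a printable-text heuristic for txt, which has no header) and, if so, undoes the transform. The sample inputs and the helper names (`identify_complemented`, `recover`) are constructed for this example.

```python
"""Added example: triage and recovery for the 255 - byte transform.

Not the post's VB6 code. Since 255 - (255 - c) == c, complement() both
recognises an affected file (via known headers) and restores it."""
from typing import Optional

# Leading bytes of the types the post targets; doc and xls share the OLE header.
MAGIC = {
    "jpg": bytes([0xFF, 0xD8, 0xFF]),
    "ole(doc/xls)": bytes([0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1]),
    "rtf": b"{\\rtf",
}


def complement(data: bytes) -> bytes:
    """The post's transform: every byte b becomes 255 - b (same as b ^ 0xFF)."""
    return bytes(255 - b for b in data)


def _mostly_printable(data: bytes) -> bool:
    """Heuristic for txt, which has no header: over 95 % printable ASCII."""
    if not data:
        return False
    ok = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return ok / len(data) > 0.95


def identify_complemented(data: bytes) -> Optional[str]:
    """Return the original type if data looks like a complemented file, else None."""
    for kind, magic in MAGIC.items():
        if data[: len(magic)] == complement(magic):
            return kind
    # Undo the transform on the first 512 bytes and see whether readable text appears.
    if _mostly_printable(complement(data[:512])):
        return "txt"
    return None


def recover(data: bytes) -> Optional[bytes]:
    """Restore the original bytes only when the file is recognised as affected."""
    return complement(data) if identify_complemented(data) else None
```

On a host, the registry value the post names (under HKEY_CURRENT_USER\Software\VB and VBA Program Settings\cryp\action) is the other artifact worth checking, since its presence marks a machine the program has already run on.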

Posted in Encryption, Visual Basic

Malware Deployment [EXE Binding]

Posted by appusajeev on July 22, 2009

All right fellas, so you did your malware and now what? The final step is to create some mechanism to install the stuff on the target machine and get it running when the machine boots up. Initially, the method I used was to archive the binaries into a cab archive and code an executable to unpack the contents into a target folder and create the necessary registry entries (there are plenty of them) to run the code at startup. But this method had the obvious disadvantage that not all files could be included in a single executable archive which, upon execution, would proceed with the installation silently.

The tool of the trade which could serve this purpose is NSIS, or Nullsoft Scriptable Install System. NSIS is an open source tool for creating multipurpose installers. The most powerful feature of NSIS is that it comes with a flexible scripting system with a multitude of features.
With NSIS, you could create an installer (silent if required) which would install the binaries, register the DLLs and OCXs, register startup and so on.

For example, suppose you want to deploy your malware, say Malw.exe, onto the target machine. The NSIS script for that would be as follows (I have set the install directory as System32\5016):

(Screenshot: NSIS script example)

I think the code itself is self-explanatory. The compiled single-exe archive, upon execution, would install the exe to the path specified by the InstallDir property. It then sets the registry key for startup (via the key specified in WriteRegStr, which is nothing but "write registry string"). Finally it executes Malw.exe after installation. Simple, isn't it? Now to the core part.

EXE Binding (Trojan Horse Mechanism)

Now comes the promising part. With exe binding you could bind your malware setup created above with any other regular software installer/exe, so that the user can be tricked into installing the malware along with the software without his knowledge: the exact Trojan Horse mechanism.

What I do is create an installer for the malware as described above, and then a second installer (the Trojan Horse) whose contents are the malware installer created above and the intended software installer executable (the bait, he he). I script this container installer in such a way that upon execution, the malware installer and the software installer are both unpacked into a temporary folder, and the malware setup (which is silent) is executed prior to the software installer, so that the malware is installed on the machine before the software installer window pops up. This strategy would install the malware on the target machine without the user's knowledge.

The NSIS source code to effect such a Trojan Horse mechanism is given below (faking the iTunes installer):

(Screenshot: NSIS source example, fake iTunes installer)

I guess the code is again self-explanatory, and if not, the comments in the code will help.

The Icon and VIAddVersionKey properties have been set to fake the original iTunes installer better.

Suggestions are welcome.

Posted in Exe Binding, Visual Basic, Worm