Samples

4. Samples

4.1. Keyloggers

The keyloggers provided is a simple Windows-based one. This is a user mode CPU-intensive keylogger and certainly far behind the one currently used. Our code fits in around 80 lines, while a very small keylogger may fit in less than 50 lines of C code.

This keylogger is based on GetAsyncKeyState API. This function can be used to obtain the state of any key on the keyboard asynchronously.

So, what we do is we check the state of all the keys of the keyboard one-at-a-time and if the key-state is pressed then note it down.

while(1){
  for(i=8;i<=190;i++){
    // check keys from code 8 to code 190
    if (GetAsyncKeyState(i) == -32767){
      print_key(i);
    }
  } // end for
} // end while

4.2. Trojan

The one we are covering here is the famous NetBus Trojan ver 1.7. This trojan is supposed to be easily usable with lots of features. The features list is:

• Open/Close CD-ROM

• How optional BMP/JPG image

• Swap mouse buttons

• Start optional applications

• Play music file

• Control mouse

• Shutdown Windows

• Show different types of messages to user

• Download / Upload / Delete files

• Go to an optional URL

• Send keystrokes an disable keys

• Listen for and send keystrokes

• Take screen-dump

If you want to test it, we advise you to use virtual OS. Also what follows is the removal process.

Steps:

1. Find out the name of the NetBus-server (which is most often Patch.exe)

2. Run Regedit.exe and lookup the registry-key:

\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
  \CurrentVersion\Run

1. From that key, you should be able to sort out the NetBus server program (again, most often Patch.exe) from others.

The offending program normally ends with /nomsg

1. When you have found the suspicious entry, do a file-search for [Name of the bus server].exe on your system

2. Finally, run: [Name of the bus server].exe /remove

4.3. Virus

Virus detection is done by matching the patterns within virus code with the database signature.

Below is given an open-source code for a Windows virus, which is Win32.Dissolution (as detected by various antiviruses).

The virus spread by adding its code to the PE (Portable Executable) file and then changing the entry-point to the virus body. The virus does not try very hard to escape the Antiviruses.

Steps:

1. The virus gets the delta offset and save the starting location of the virus

2. The virus saves registers incase the host program needs them

3. Gets the location of the kernel32.dll in memory

4. Uses the GetFunctionAddresses procedure to get the kernel32 API function addresses

5. Calls the FindHostFile procedure to find a valid PE file to infect

6. Calls the GetHeader procedure which reads the PE header into the memory

7. Calls the AddCodeToHost procedure which does many things:

   • Writes this program in memory to the end of the host file

   • Updates the last section header to include all the data up to the EOF by updating its virtual size, and makes it Readable/Writeable/Executable

   • Updates the program image size

   • Sets the entry point to the virus code

   • Adds a signature to location 79h to stop another function

   • Call PutHeader procedure which writes the updated PE Header to the host

8. Calls AddtoRegistry procedure which adds the last infected file to the registry

9. Restore registers for the host program

10. Returns control to the host program

However, you can easily check the strength of your antivirus by slightly modifying the file and compiling it. You will be surprised by the results! E.g.:

RegistryName db 'Start-up Program', 0
Db 'Vorgon, Canada, 2003'          ; Signature