Samples

4. Samples

4.1. Keyloggers

The keyloggers provided is a simple Windows-based one. This is a user mode CPU-intensive keylogger and certainly far behind the one currently used. Our code fits in around 80 lines, while a very small keylogger may fit in less than 50 lines of C code.

This keylogger is based on GetAsyncKeyState API. This function can be used to obtain the state of any key on the keyboard asynchronously.

So, what we do is we check the state of all the keys of the keyboard one-at-a-time and if the key-state is pressed then note it down.

while(1){
  for(i=8;i<=190;i++){
    // check keys from code 8 to code 190
    if (GetAsyncKeyState(i) == -32767){
      print_key(i);
    }
  } // end for
} // end while

4.2. Trojan

The one we are covering here is the famous NetBus Trojan ver 1.7. This trojan is supposed to be easily usable with lots of features. The features list is:

Open/Close CD-ROM
How optional BMP/JPG image
Swap mouse buttons
Start optional applications
Play music file
Control mouse
Shutdown Windows
Show different types of messages to user
Download / Upload / Delete files
Go to an optional URL
Send keystrokes an disable keys
Listen for and send keystrokes
Take screen-dump

If you want to test it, we advise you to use virtual OS. Also what follows is the removal process.

Steps:

Find out the name of the NetBus-server (which is most often Patch.exe)
Run Regedit.exe and lookup the registry-key:

\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
  \CurrentVersion\Run

From that key, you should be able to sort out the NetBus server program (again, most often Patch.exe) from others.

The offending program normally ends with /nomsg

When you have found the suspicious entry, do a file-search for [Name of the bus server].exe on your system
Finally, run: [Name of the bus server].exe /remove

4.3. Virus

Virus detection is done by matching the patterns within virus code with the database signature.

Below is given an open-source code for a Windows virus, which is Win32.Dissolution (as detected by various antiviruses).

The virus spread by adding its code to the PE (Portable Executable) file and then changing the entry-point to the virus body. The virus does not try very hard to escape the Antiviruses.

Steps:

The virus gets the delta offset and save the starting location of the virus
The virus saves registers incase the host program needs them
Gets the location of the kernel32.dll in memory
Uses the GetFunctionAddresses procedure to get the kernel32 API function addresses
Calls the FindHostFile procedure to find a valid PE file to infect
Calls the GetHeader procedure which reads the PE header into the memory
Calls the AddCodeToHost procedure which does many things:
- Writes this program in memory to the end of the host file
- Updates the last section header to include all the data up to the EOF by updating its virtual size, and makes it Readable/Writeable/Executable
- Updates the program image size
- Sets the entry point to the virus code
- Adds a signature to location 79h to stop another function
- Call PutHeader procedure which writes the updated PE Header to the host
Calls AddtoRegistry procedure which adds the last infected file to the registry
Restore registers for the host program
Returns control to the host program

However, you can easily check the strength of your antivirus by slightly modifying the file and compiling it. You will be surprised by the results! E.g.:

RegistryName db 'Start-up Program', 0
Db 'Vorgon, Canada, 2003'          ; Signature

PreviousHow Malware Spreads NextReferences

Last updated 4 years ago

Was this helpful?

Samples

4. Samples

4.1. Keyloggers

This keylogger is based on GetAsyncKeyState API. This function can be used to obtain the state of any key on the keyboard asynchronously.

So, what we do is we check the state of all the keys of the keyboard one-at-a-time and if the key-state is pressed then note it down.

while(1){
  for(i=8;i<=190;i++){
    // check keys from code 8 to code 190
    if (GetAsyncKeyState(i) == -32767){
      print_key(i);
    }
  } // end for
} // end while

4.2. Trojan

The one we are covering here is the famous NetBus Trojan ver 1.7. This trojan is supposed to be easily usable with lots of features. The features list is:

Open/Close CD-ROM
How optional BMP/JPG image
Swap mouse buttons
Start optional applications
Play music file
Control mouse
Shutdown Windows
Show different types of messages to user
Download / Upload / Delete files
Go to an optional URL
Send keystrokes an disable keys
Listen for and send keystrokes
Take screen-dump

If you want to test it, we advise you to use virtual OS. Also what follows is the removal process.

Steps:

Find out the name of the NetBus-server (which is most often Patch.exe)
Run Regedit.exe and lookup the registry-key:

\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
  \CurrentVersion\Run

From that key, you should be able to sort out the NetBus server program (again, most often Patch.exe) from others.

The offending program normally ends with /nomsg

When you have found the suspicious entry, do a file-search for [Name of the bus server].exe on your system
Finally, run: [Name of the bus server].exe /remove

4.3. Virus

Virus detection is done by matching the patterns within virus code with the database signature.

Below is given an open-source code for a Windows virus, which is Win32.Dissolution (as detected by various antiviruses).

The virus spread by adding its code to the PE (Portable Executable) file and then changing the entry-point to the virus body. The virus does not try very hard to escape the Antiviruses.

Steps:

The virus gets the delta offset and save the starting location of the virus
The virus saves registers incase the host program needs them
Gets the location of the kernel32.dll in memory
Uses the GetFunctionAddresses procedure to get the kernel32 API function addresses
Calls the FindHostFile procedure to find a valid PE file to infect
Calls the GetHeader procedure which reads the PE header into the memory
Calls the AddCodeToHost procedure which does many things:
- Writes this program in memory to the end of the host file
- Updates the last section header to include all the data up to the EOF by updating its virtual size, and makes it Readable/Writeable/Executable
- Updates the program image size
- Sets the entry point to the virus code
- Adds a signature to location 79h to stop another function
- Call PutHeader procedure which writes the updated PE Header to the host
Calls AddtoRegistry procedure which adds the last infected file to the registry
Restore registers for the host program
Returns control to the host program

However, you can easily check the strength of your antivirus by slightly modifying the file and compiling it. You will be surprised by the results! E.g.:

RegistryName db 'Start-up Program', 0
Db 'Vorgon, Canada, 2003'          ; Signature

PreviousHow Malware Spreads NextReferences

Last updated 4 years ago

Was this helpful?