Author Topic: Simplest possible "pacific" malware.


JustSomeBrHUE
Simplest possible "pacific" malware.
« on: February 25, 2016, 01:50:56 am »
I'm working on my TCC (I don't know if you have this in the USA, but it's like a one-hour lecture you need to give at the end of the school year to prove you learned something) and my actual objective is the simplest possible "pacific" virus (actually, I'm trying a worm) with just Windows built-in resources, like batch, PowerShell, VBS, etc.

Most of my malware is already done (fully in batch and PowerShell), but I'm having some problems with the "parasite" part, that is, how will it be activated after it infects the computer?
It can already infect the victim computer and run itself, but after the machine is turned off it needs to open again, but how?

I want a "pacific" virus, so it can't be harmful or cause any damage to the computer or files. Do you have any ideas? If possible, an example code would help a lot.

If I made the question a little confusing or posted it in the wrong place, please tell me and I'll fix it as soon as possible!
« Last Edit: February 25, 2016, 06:41:13 am by JustSomeBrHUE »
Sorry for the bad writing, non-fluent Brazilian guy here.  ;D

Synfer
Re: Simplest possible "pacific" malware.
« Reply #1 on: February 25, 2016, 11:44:37 am »
I had an idea a while ago, but never researched it.
So basically you could "infect" every single shortcut found on the desktop etc., so that when the user clicks on it, it starts the worm along with the selected software. I guess it could be done by adding the path to the worm to the shortcut or something along those lines.
Of course it wouldn't work if the user opens the program another way (e.g. searching for the program's name in the Windows search bar, etc.).
"A malicious program has attempted to shut down Windows. As a precaution, Windows was shut down."
We should create for the process, not the product.
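The shortcut idea above is easy to check for from the defender's side. The following is an added example, not code posted in the thread: a read-only PowerShell audit that lists every .lnk on the per-user and all-users Desktop and shows what each one actually launches, flagging shortcuts whose target is a script interpreter or whose arguments name a script file. It assumes PowerShell 3.0 or later on Windows; the "suspicious" heuristic is my own and will also flag legitimate shortcuts such as one to cmd.exe, so treat the output as a shortlist to inspect, not a verdict.

```powershell
# Added example, not code from the thread: audit Desktop shortcuts and show
# what each one actually launches. Read-only; nothing is modified.
# Assumptions: PowerShell 3.0 or later on Windows, and that "suspicious" means
# the shortcut points at a script interpreter or passes a script as argument.

$shell = New-Object -ComObject WScript.Shell

# Per-user and all-users Desktop folders.
$desktops = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory')
) | Where-Object { $_ -and (Test-Path $_) }

$results = foreach ($folder in $desktops) {
    foreach ($file in Get-ChildItem -Path $folder -Filter '*.lnk' -File) {
        $lnk = $shell.CreateShortcut($file.FullName)
        $target = [string]$lnk.TargetPath
        $arguments = [string]$lnk.Arguments

        # A shortcut that is supposed to open, say, a browser has no reason to
        # point at cmd.exe or wscript.exe, nor to pass a .bat/.vbs/.ps1 file
        # as an argument. Both are the marks of the "infected shortcut" idea.
        $targetIsInterpreter = $target -match '(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$'
        $argsNameScript = $arguments -match '(?i)\.(bat|cmd|ps1|vbs|vbe|js|jse|wsf)(\s|"|$)'

        [PSCustomObject]@{
            Shortcut   = $file.Name
            Target     = $target
            Arguments  = $arguments
            Suspicious = ($targetIsInterpreter -or $argsNameScript)
        }
    }
}

$results | Sort-Object -Property Suspicious -Descending |
    Format-Table -Property Shortcut, Suspicious, Target, Arguments -AutoSize -Wrap
```

Run it from a normal PowerShell prompt; no elevation is needed because it only reads the .lnk files. Note that the WScript.Shell COM object resolves the shortcut the same way Explorer does, so what you see in the Target and Arguments columns is what a double-click would execute.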

Deque (Global Moderator, Programmer, Malware Analyst)
Re: Simplest possible "pacific" malware.
« Reply #2 on: February 25, 2016, 12:00:55 pm »
Hey JustSomeBrHUE.

Since this is a somewhat important project for school, you should get the terminology right first. Only then will we know that we are actually talking about the same things.


Quote
(actually, I'm trying an worm)

A worm is malware that spreads on its own via the network, often by using exploits or sending itself via email. This is not trivial to write and not so good to demonstrate to others. Furthermore, the risk of actually infecting and damaging the network is too high. Morris tried that too (creating a harmless worm) and it ended in a disaster, see https://en.wikipedia.org/wiki/Morris_worm
I strongly advise you against the creation of a worm.

Malware is only called a virus if it infects other files. That means it will search for a host file and append, prepend or replace the host file's code with its own code (see file infection strategies in the image below). The resulting infected file is also infectious. The behaviour of host infection is similar to parasites in nature, which is why we call this kind of malware "parasitic". A virus makes sure to be executed again by infecting host files that are opened by the system or the user. E.g. the user opens the infected notepad.exe and the virus code will be executed this way. This is one way to get persistence.



But there are a lot of ways to gain persistence. The most common ones used by non-parasitic malware are the startup folder of Windows (everything in it will be run after login) and autorun entries in the registry. The most commonly used autorun entries are:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

You can use regedit.exe or autoruns.exe to check these entries on your system and see what it looks like for programs that use them. There are some of these entries on every system.

Anyway, what you need to clear up is: What malware type shall it actually be: virus, worm, trojan, backdoor, ...?

Please note that creating an effective virus with PowerShell and batch is not possible. To be effective, it would have to infect host files that are often executed on the system and these are usually EXE and DLL files. You cannot put a batch script in those. Viruses are often written in C or assembly.
But maybe you don't need it to be effective. After all, it is a school project, and minimizing the risk of misusing your code would be a good thing to do. E.g. if you create a PowerShell virus that infects PowerShell source files, it would not be effective and the chance of misuse is very low, but it is enough to demonstrate how it works. ;)

Quote
I want a "pacific" virus, so it can't be harmful or cause any damage to the computer or files

A virus is always harmful. A virus modifies host files so that these host files become infectious themselves. This is considered damage, even if the payload doesn't do anything.
The same is true for a worm. It will spread to other machines without asking their owners. This is in itself harmful, even if you don't cause such problems as Morris did with his worm.

Do you have any questions?
« Last Edit: February 25, 2016, 12:10:37 pm by Deque »
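To see the persistence locations Deque names on your own machine without reaching for regedit or autoruns, here is an added example (my code, not Deque's or the thread's): a read-only PowerShell script that enumerates the four Run/RunOnce keys listed in the reply plus the per-user and all-users Startup folders, and marks entries that go through a script interpreter or point at a script file, which is what batch/PowerShell/VBS-based persistence must do. It assumes PowerShell 3.0 or later on Windows. It deliberately covers only the locations named in the reply; autoruns.exe checks far more (services, scheduled tasks, Winlogon, the Wow6432Node keys and so on), so the absence of a hit here is not a clean bill of health.

```powershell
# Added example, not code from the thread: list what is configured to run at
# logon, using exactly the four Run/RunOnce keys named above plus the per-user
# and all-users Startup folders. Read-only. Assumes PowerShell 3.0+ on Windows.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Get-ItemProperty adds these bookkeeping properties; they are not autorun values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$entries = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $entries += [PSCustomObject]@{
            Location = $key
            Name     = $p.Name
            Command  = [string]$p.Value
        }
    }
}

foreach ($folder in $startupFolders) {
    if (-not ($folder -and (Test-Path $folder))) { continue }
    foreach ($file in Get-ChildItem -Path $folder -File) {
        $entries += [PSCustomObject]@{
            Location = $folder
            Name     = $file.Name
            Command  = $file.FullName
        }
    }
}

# Script-based persistence (batch, PowerShell, VBScript) must go through an
# interpreter or be a script file itself; flag those so they stand out from
# the usual vendor EXEs.
$scriptPattern = '(?i)(cmd\.exe|powershell|pwsh|wscript|cscript|mshta|\.(bat|cmd|ps1|vbs|vbe|js|jse|wsf)(\s|"|$))'

$entries |
    Select-Object Location, Name, Command,
        @{ Name = 'ScriptBased'; Expression = { $_.Command -match $scriptPattern } } |
    Sort-Object -Property ScriptBased -Descending |
    Format-Table -AutoSize -Wrap
```

The HKCU keys are readable by the current user; the HKLM keys are readable by standard users too, so no elevation is needed to list them (writing to HKLM\...\Run is what requires administrator rights, which is one reason user-level malware prefers the HKCU key and the per-user Startup folder).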

JustSomeBrHUE
Re: Simplest possible "pacific" malware.
« Reply #3 on: February 25, 2016, 12:42:28 pm »
First of all, thank you Deque and Synfer. Synfer's answer gave me the idea I need to do what I want, and Deque's made me a little ashamed for asking such a silly and confusing question without first searching more about what I am doing. Next time I'll study a little more about the subject before bothering the forum, hehe. ;D

And Deque, your answer helped a lot with my project; the Morris example and the file infection strategies will surely be used in my lecture. Thanks for giving me some of your time and knowledge.

I'll come back if I have new questions, you guys helped a lot!  ;D