Tutorial To Compile Trojan Source Code and
Embed it Into a Carrier File (trusted executable)
Open-source malware forums openly share malware source code that can be reused in targeted attacks. Educating people about the techniques malware authors use is the first step to preventing these attacks. This tutorial aims to teach how to set up an environment for building trojans for Microsoft Windows and, additionally, how to bind the resulting malicious application to a carrier file with an application binder, to demonstrate the more subversive techniques. This tutorial is for educational purposes only.
FBI-RAT is a Remote Administration Tool that enables an attacker to infect a victim's machine and gain total control of its file system, processes, network activity and more. Additionally, FBI-RAT has a user interface that handles hundreds of victims well. As its source code is available online, it is an ideal candidate for demonstrating malware development.

Prerequisites (links at the bottom)
You need to install Windows XP 32-bit.
You need to install Microsoft Visual C++ 6.0 Standard Edition.
You need to install the Windows Server 2003 SP1 Platform SDK.
You need to install Resource Hacker by Angus Johnson.
You need to download the libjpeg package from SourceForge.
You need to download a copy of the FBI-RAT source code.

Trojan Server/Client Architecture
Trojans use an unusual, reversed server/client architecture: the component installed on the victim is called the server, yet it is the server that initiates the connection out to the attacker's client. The client is used to send commands to the victims. Because the session is opened from inside the network, it passes firewall rules that only block connections initiated from outside; only egress filtering, or monitoring of outbound connections, catches it.
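The reverse connection described above is what a defender has to look for from the inside. The following Python script is an added example written for this page (it is not part of the tutorial or of FBI-RAT): it parses "netstat -ano" output as produced on Windows, keeps ESTABLISHED TCP sessions to non-internal addresses, and flags those owned by a PID outside an allowlist on a remote port outside an expected set. The sample output, the PIDs and addresses in it, and the set of expected ports are constructed assumptions.

```python
"""Spot the outbound session a reverse-connecting trojan opens.

Added example for this tutorial (not part of the original page or of FBI-RAT):
parses the output of `netstat -ano` on Windows and flags ESTABLISHED TCP
sessions to external addresses whose owning PID is not allowlisted and whose
remote port is not one the host is expected to use. SAMPLE_NETSTAT is
constructed; PIDs, addresses and EXPECTED_REMOTE_PORTS are assumptions.
"""
import ipaddress
import re

# One `netstat -ano` TCP row: proto, local addr:port, remote addr:port, state, PID.
NETSTAT_ROW = re.compile(
    r"^\s*TCP\s+(?P<lip>\S+):(?P<lport>\d+)\s+(?P<rip>\S+):(?P<rport>\d+)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)

# Assumption: remote ports this host is expected to talk to. A RAT can also be
# configured for 443, so this is a first filter, not a verdict.
EXPECTED_REMOTE_PORTS = frozenset({53, 80, 443})

# RFC 1918, loopback and link-local ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample in the layout `netstat -ano` prints on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.20:49160     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.20:49188     203.0.113.45:443       ESTABLISHED     2044
  TCP    192.168.1.20:49203     198.51.100.7:4444      ESTABLISHED     3120
  TCP    [::1]:49210            [::1]:49211            ESTABLISHED     1560
"""


def _clean_ip(text):
    """Strip IPv6 brackets and zone index so ipaddress can parse the value."""
    return text.strip("[]").split("%", 1)[0]


def parse_netstat(text):
    """Return one dict per TCP row; headers and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        rows.append({
            "local_ip": _clean_ip(m["lip"]),
            "local_port": int(m["lport"]),
            "remote_ip": _clean_ip(m["rip"]),
            "remote_port": int(m["rport"]),
            "state": m["state"],
            "pid": int(m["pid"]),
        })
    return rows


def _is_internal(ip_text):
    """True for addresses inside INTERNAL_NETS; unparsable values count as external."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_sessions(text, allowed_pids=frozenset(), expected_ports=EXPECTED_REMOTE_PORTS):
    """ESTABLISHED sessions to external hosts, owned by a non-allowlisted PID,
    on a remote port outside the expected set."""
    flagged = []
    for row in parse_netstat(text):
        if row["state"] != "ESTABLISHED":
            continue
        if row["pid"] in allowed_pids:
            continue
        if _is_internal(row["remote_ip"]):
            continue
        if row["remote_port"] in expected_ports:
            continue
        flagged.append(row)
    return flagged


if __name__ == "__main__":
    for row in suspicious_sessions(SAMPLE_NETSTAT):
        print("PID %d -> %s:%d  (identify the image with: tasklist /FI \"PID eq %d\")"
              % (row["pid"], row["remote_ip"], row["remote_port"], row["pid"]))
```

The port filter is only a first cut: the attacker chooses the port, and a server configured to call back on 443 passes it. Pivot from the flagged PID to the owning image and its start time, and, for prevention rather than detection, use deny-by-default outbound firewall rules so the server's connection back to the client is refused in the first place.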

64-bit or 32-bit
The Windows Server 2003 SP1 Platform SDK is picky about environment variables, depending on your architecture.
To register the SDK bin, include, and library directories with Microsoft Visual Studio® version 6.0 and Visual Studio .NET, click Start, point to All Programs, point to Microsoft Platform SDK for Windows Server 2003 SP1, point to Visual Studio Registration, and then click Register PSDK Directories with Visual Studio. This registration process places the SDK bin, include, and library directories at the beginning of the search paths, which ensures that the latest headers and libraries are used when building applications in the IDE.
Note that for Visual Studio 6.0 integration to succeed, Visual Studio 6.0 must run at least once before you select Register PSDK Directories with Visual Studio. Also note that when this option is run, the IDEs should not be running.
To develop a 32-bit C/C++ application on 64-bit Windows, do not register environment variables when you install Visual C++ 6.0. Instead, open a command window and run Vcvars32.bat (from the Visual C++ bin folder), followed by Setenv.bat (from the SDK bin folder), specifying the appropriate switches (such as /SVR32 /2000 /XP32).
Have a look at the help files for more information:
C:\Program Files\Microsoft Platform SDK\ReleaseNotes.Htm

Microsoft Visual C++ for Linux Users
Most Linux users are used to running "./configure", "make" and "gcc" to compile their source code. Microsoft Visual C++ ships equivalent command-line tools in the installation folder "C:\Program Files\Microsoft Visual Studio\VC98\bin": "cl.exe" is the compiler and "nmake.exe" is the make utility, which reads makefiles (such as the makefile.vc used for libjpeg below).

Environment Variables
When installing Visual C++, be sure to add the environment variables.
The "path" variable should contain:
C:\Program Files\Microsoft Platform SDK\Bin;
C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT;
C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin;
C:\Program Files\Microsoft Visual Studio\Common\Tools;
C:\Program Files\Microsoft Visual Studio\VC98\bin

Setting up libjpeg
Decompress the libjpeg package.
Change into the jpeg-6b directory using cmd.exe.
Rename jconfig.vc to jconfig.h.
Run: nmake /f makefile.vc all
Copy the compiled jpeg-6b folder into the Platform SDK folder:
C:\Program Files\Microsoft Platform SDK\jpeg-6b
Done!
Configure Visual C++ to include libraries and header files
Even after the Platform SDK registration step above (which made no difference in my environment), you should still add the following library and header directories to the build path inside the Visual C++ IDE.
Open Visual C++ -> Tools -> Options -> Directories tab
1. Select "Include files" from the "Show directories for" drop-down menu and add
C:\Program Files\Microsoft Platform SDK\Include
C:\Program Files\Microsoft Platform SDK\jpeg-6b
2. Select "Library files" from the "Show directories for" drop-down menu and add
C:\Program Files\Microsoft Platform SDK\Lib
3. Select "Source files" from the "Show directories for" drop-down menu and add
C:\Program Files\Microsoft Platform SDK\Src
Ensure the Include, Src and Lib directories are at the top of each list, so that the SDK headers and libraries take precedence over the older ones shipped with Visual C++ 6.0.

Setting the Build Type in Visual C++ (debug/release)
Open an FBI-RAT workspace in Visual C++ by opening "Server.dsw".
In Visual C++ set the build type via Build -> Configurations -> Release.
Do this for all the workspaces: "Server.dsw", "FBIClient.dsw" and "Injection.dsw".
Debug builds link against the debug variants of the precompiled Windows and MFC libraries, whose names carry a trailing "d": for example the release library "nafxcw.lib" becomes "nafxcwd.lib" in a debug build. If the linker reports such a "...d.lib" file as missing, the project is still set to Debug.

Compile FBI-RAT
Open the server workspace for FBI-RAT in Visual C++: "FBI-RAT\Injection\Server\Server.dsw"
Step 1: press Build -> Clean
Step 2: then press Build -> Build server.exe
The output should be located in "FBI-RAT\Injection\Server\Release".
Repeat those steps for the other workspaces, "FBI-RAT\Injection\Injection.dsw" and "FBI-RAT\FBIClient\FBIClient.dsw".

Bind server.exe to an innocent file
1. Place a copy of calc.exe on your desktop.
2. Open the command line, cmd.exe.
3. Launch the Microsoft application iexpress.exe (it ships with Windows) from the command line.
4. Select "create new self extraction directive" and press Next.
5. Select "extract files and run an installation command" and press Next.
6. Enter "Calculator" as the package title and press Next.
7. Select "no prompt" and press Next.
8. Select "do not display a licence" and press Next.
9. Add calc.exe and server.exe and press Next.
10. Select calc.exe as the "install program" and server.exe as the "post install command" and press Next.
11. Set your install program to be displayed using the default settings and press Next.
12. Select "no message" and press Next.
13. Select a target path for your new bound file, such as "malicious.exe" on the desktop.
14. Select "hide extraction process from user" and press Next.
15. Select "no restart" and press Next.
16. Select "don't save" and press Next.
17. Press Next, Next, Finish.
18. Your bound file should be on the desktop.

Cosmetic Adjustment
The bound file has an unusual-looking icon that does not resemble the original calc.exe.
You can use Resource Hacker to extract the icon from calc.exe and replace the icon in malicious.exe.
You can also use Resource Hacker to remove the strings and version info added by iexpress.exe.

Detectability
Upload server.exe to VirusTotal to see its detection rate. Then make small modifications to the source code, compile it again, upload the new server.exe and note the new results. The rates observed when this tutorial was written:
After compilation (2/46):
https://www.virustotal.com/en/file/ed7f0ccf48785d1cc59df24afd545c92aff27e65e44ee8febdccb4bd6954d019/analysis/1365542456/
After binding and removing strings (7/46):
https://www.virustotal.com/en/file/2c6b7a2ffa1fa71051024533619dbc47a9029837193f8224ad4cacbd01165fd5/analysis/1365546255/
Note that the bound package drew more detections than the bare server.exe, so binding is not by itself an evasion step.

Notes:
The Windows Server 2003 Platform SDK also supplies the Winsock header (winsock.h) that the networking code needs.
This tutorial should be a good starting point for beginner Windows developers.
Screenshots (images not reproduced here):
Figure 1 - FBI-RAT Screenshot.
Figure 2 - Library Setup Screenshot.
Figure 3 - Build Type Setup Screenshot.
Conclusion
Compiling the source code of known malware and submitting it to VirusTotal has the potential to become an educational game for people interested in information security research. The game goes as follows:
1. Each student gets a copy of the source code and sets up their own environment.
2. Each student must compile the source code without help and submit the malicious binary to VirusTotal.
3. The student must modify the executable using malware evasion techniques in order to reduce the detection rate on VirusTotal.
4. The student with the lowest number of AV detections wins the game.
Cheating can be prevented by taking the SHA-256 hash from the student's submission on VirusTotal (VirusTotal keys its reports by SHA-256; it is the 64-hex-digit value in the report URLs above) and comparing it with the hash of a local working copy, which the student must prove works by infecting a virtual machine and controlling it.
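The hash comparison that the Detectability section relies on and that the game above uses against cheating can be scripted. The following Python script is an added example written for this page (it is not part of the tutorial): it extracts the SHA-256 and analysis timestamp from a VirusTotal file report URL of the shape quoted above, even when the URL was line-wrapped on copying, hashes a local file the same way, and reports whether the two match. The URL pattern is an assumption derived from the URLs in this tutorial; the inputs in the block are constructed.

```python
"""Check a VirusTotal submission against a local copy of the binary.

Added example for this tutorial (not from the original page). VirusTotal file
report URLs of the form quoted in the tutorial carry the sample's SHA-256 and
an analysis timestamp; the regex below is an assumption based on those URLs.
"""
import hashlib
import re

# .../file/<64 hex digits>/analysis/<unix timestamp>/ with an optional language prefix
VT_FILE_REPORT = re.compile(
    r"virustotal\.com/(?:[a-z]{2}/)?file/(?P<sha256>[0-9a-fA-F]{64})/analysis/(?P<ts>\d+)"
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob as lowercase hex, the form VirusTotal keys on."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20) -> str:
    """SHA-256 of a file on disk, streamed so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_from_vt_url(url: str):
    """Return (sha256, analysis_timestamp) from a VirusTotal file report URL, or None.

    All whitespace is removed first, so a URL that was wrapped across two lines
    when copied (as in the tutorial) still parses.
    """
    compact = re.sub(r"\s+", "", url)
    match = VT_FILE_REPORT.search(compact)
    if match is None:
        return None
    return match["sha256"].lower(), int(match["ts"])


def submission_matches(vt_url: str, local_digest: str) -> bool:
    """True when the hash VirusTotal recorded equals the digest of the local copy."""
    parsed = hash_from_vt_url(vt_url)
    if parsed is None:
        raise ValueError("not a VirusTotal file report URL: %r" % vt_url)
    return parsed[0] == local_digest.lower()


if __name__ == "__main__":
    # Usage: python vt_check.py <virustotal report url> <path to local server.exe>
    import sys
    report_url, local_path = sys.argv[1], sys.argv[2]
    local = sha256_file(local_path)
    recorded, ts = hash_from_vt_url(report_url)
    print("VirusTotal SHA-256:", recorded, "(analysis", ts, ")")
    print("local SHA-256:     ", local)
    print("match" if submission_matches(report_url, local) else "MISMATCH")
```

A match only proves that the bytes submitted are the bytes on disk; the student still has to demonstrate the local copy in a virtual machine, because a file can be rewritten for submission and a different one kept for the demonstration.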

Sources:
Get a copy of the FBI-RAT source code
http://www.megapanzer.com/wp-content/uploads/FBI-RAT.zip
Download a copy of Visual C++ (an unofficial file-sharing mirror, not a Microsoft download; treat such an archive as untrusted and verify it before installing)
http://www.4shared.com/rar/_Z3R04wm/Microsoft_Visual_C_60_Standard.html
How to compile libjpeg
http://www.stillhq.com/panda/panda-documentation/000010.html
Resource Hacker
http://www.angusj.com/resourcehacker/
Windows Server 2003 SP1 Platform SDK
http://www.microsoft.com/en-ie/download/details.aspx?id=6510

Mais conteúdo relacionado

Último

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Último (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Destaque

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Destaque (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Tutorial to compile trojan source code and embed it into a carrier file

  • 1. Tutorial To Compile Trojan Source Code and Embed it Into a Carrier File (trusted executable) Open source malware forums openly share malware source code which can be used in targeted attacks. Educating people about the techniques used by malware authors is the first step to preventing these attacks. This tutorial aims to teach people how to set up an environment for developing trojans for Microsoft Windows. Additionally this tutorial aims to teach people to bind their malicious application to a carrier file using an application binder to demonstrate the more subversive techniques. This tutorial is for educational purposes only. FBI­RAT is a Remote Administration Tool which enables an attacker to infect a victim's machine and gain total control of their file system, processes, network activity and more. Additionally FBI­RAT it has a user interface that handles hundreds of victims very well. As its source code is available online it is an ideal candidate for demonstrating malware development. Prerequisites (links at the bottom) You need to Install Windows XP 32 bit. You need to Install Microsoft Visual C++ 6.0 Standard Edition. You need to Install Windows Server 2003 SP1 Platform SDK. You need to Install a tool called Resource Hacker by Angus Johnson You need to download the libjpeg package from sourceforge. You need to download a copy of the FBI­RAT source code. Trojan Server Client Architecture Trojans use an unusual reverse server client architecture where the server connects to the client. The server will infect your victim. The client is used to send commands to your victims. This bypasses firewall rules that say a connection must be initiated from inside the network. 
64bit or 32bit Windows Server 2003 SP1 Platform SDK is picky about environment variables depending on your architecture To register the SDK bin, include, and library directories with Microsoft Visual Studio® version 6.0 and Visual Studio .NET, click Start, point to All Programs, point to Microsoft Platform SDK for Windows Server 2003 SP1, point to Visual Studio Registration, and then click Register PSDK Directories with Visual Studio. This registration process places the SDK bin, include, and library directories at the beginning of the search paths, which ensures that the latest headers and
  • 2. libraries are used when building applications in the IDE. Note that for Visual Studio 6.0 integration to succeed, Visual Studio 6.0 must run at least once before you select Register PSDK Directories with Visual Studio. Also note that when this option is run, the IDEs should not be running. To develop a 32­bit C/C++ application on 64­bit Windows, do not register environment variables when you install Visual C++ 6.0. Instead, open a command window and run Vcvars32.bat (from the Visual C++ bin folder), followed by Setenv.bat (from the SDK bin folder), specifying the appropriate switches (such as /SVR32 /2000 /XP32). Have a look at the help files for more information C:Program FilesMicrosoft Platform SDKReleaseNotes.Htm Microsoft Visual C++ for Linux Users Most linux users are used to using “./configure”, “make” and “gcc” to compile their source code. Microsoft Visual C++ comes with similar tools in the installation folder “C:Program FilesMicrosoft Visual StudioVC98bin”. The application “cl.exe” is the compiler and “nmake.exe” is a compile script interpreter. Environment Variables When installing Visual C++ be sure to add environment variables. "path" variable should contain C:Program FilesMicrosoft Platform SDKBin; C:Program FilesMicrosoft Visual StudioCommonToolsWinNT; C:Program FilesMicrosoft Visual StudioCommonMSDev98Bin; C:Program FilesMicrosoft Visual StudioCommonTools; C:Program FilesMicrosoft Visual StudioVC98bin Setting up libjpeg Decompress the libjpeg package Change into the jpeg­6b directory using cmd.exe Rename jconfig.vc to jconfig.h nmake /f makefile.vc all Copy the compiled libjpeg folder into the VC++ folder C:Program FilesMicrosoft Platform SDKjpeg­6b Done!
  • 3. Configure Visual C++ to include libraries and header files Despite the installation instructions in the Windows Server 2003 SP1 Platform SDK (which made no difference to my environment) you should still add the following libraries and header files to your build path inside the Visual C++ IDE application. Open Visual C++ ­> tools ­> options ­> directories tab 1. Select the "Include files" from the "show directories for" drop down menu and add C:Program Files Microsoft Platform SDKInclude C:Program FilesMicrosoft Platform SDKjpeg­6b 2. Select the "Library files" from the "show directories for" drop down menu and add C:Program Files Microsoft Platform SDKLib 3. Select the "Source files" from the "show directories for" drop down menu and add C:Program Files Microsoft Platform SDKSrc Ensure the Include, Src and Lib directories are located at the top of the list. Setting the Build Type in Visual C++ (debug/release) Open a FBI­RAT workspace in visual c++ by opening "Server.dsw". In visual c++ set the build type by pressing build ­> configurations ­> release Do this for all the workspaces “Server.dsw”, “FBIClient.dsw” and “Injection.dsw”. When building in debug mode the name of the pre­compiled windows libraries are usually appended with the letter “d”. For example "nafxcwd .lib" ­> "nafxcwd.lib". Compile FBI-RAT Open the server workspace for FBI­RAT in visual c++ "FBI­RATInjectionServerServer.dsw" Step 1: press build ­> clean Step 2: then press build ­> build server.exe The output should be located in “FBI­RATInjectionServerRelease” Repeat those steps for the other workspaces “FBI­RATInjectionInjection.dsw” and “FBI­RATFBIClientFBIClient.dsw”. Bind server.exe to an innocent file 1. 2. 3. 4. Place a copy of calc.exe on your desktop. Open the command line cmd.exe Launch the microsoft application iexpress.exe in the command line Select “create new self extraction directive” and press next.
5. Select "extract files and run an installation command" and press next.
6. Enter "Calculator" as the package title and press next.
7. Select "no prompt" and press next.
8. Select "do not display a licence" and press next.
9. Add calc.exe and server.exe and press next.
10. Select calc.exe as the "install program" and server.exe as the "post install command" and press next.
11. Set your install program to be displayed using the default settings and press next.
12. Select "no message" and press next.
13. Select a target path for your new bound file such as "malicious.exe" on the desktop.
14. Select "hide extraction process from user" and press next.
15. Select "no restart" and press next.
16. Select "don't save" and press next.
17. Press next, next, finish.
18. Your bound file should be on the desktop.

Cosmetic Adjustment
The malicious file will have an unusual looking icon that does not look like the original calc.exe. You can use Resource Hacker (reshack) to extract the icon from calc.exe and replace the icon in malicious.exe. You can use reshack to remove the strings and version info added by iexpress.exe.

Detectability
Try uploading server.exe to VirusTotal to see its detectability. Try making small modifications to your source code, compile it again, upload the new server.exe to VirusTotal and take note of the new detectability results.
After compilation (2/46): https://www.virustotal.com/en/file/ed7f0ccf48785d1cc59df24afd545c92aff27e65e44ee8febdccb4bd6954d019/analysis/1365542456/
After binding and removing strings (7/46): https://www.virustotal.com/en/file/2c6b7a2ffa1fa71051024533619dbc47a9029837193f8224ad4cacbd01165fd5/analysis/1365546255/

Notes:
The Windows Server 2003 Platform SDK also enables programmers to use winsock.h.
This tutorial should be a good starting point for all beginner Windows developers.
Conclusion
The process of compiling source code for known malware and submitting it to VirusTotal has the potential to be an educational game for people interested in information security research. The game goes as follows:
1. Each student gets a copy of the source code and sets up their own environment.
2. Each student must compile the source code without help and submit a malicious binary to VirusTotal.
3. The student must modify the executable file using malware evasion techniques in order to reduce the detection rate on VirusTotal.
4. The student with the lowest number of AV detections wins the game.
Cheating can be prevented by taking the SHA hash from the student's submission on VirusTotal and comparing it to the hash of a local working copy, which they must verify by infecting a virtual machine and controlling it.

Sources:
Get a copy of FBI-RAT source code: http://www.megapanzer.com/wp-content/uploads/FBI-RAT.zip
Download a copy of Visual C++: http://www.4shared.com/rar/_Z3R04wm/Microsoft_Visual_C_60_Standard.html
How to compile libjpeg: http://www.stillhq.com/panda/panda-documentation/000010.html
Resource Hacker: http://www.angusj.com/resourcehacker/
Windows Server 2003 SP1 Platform SDK: http://www.microsoft.com/en-ie/download/details.aspx?id=6510
