Wednesday, December 29, 2010

Create Virus/malware to infect and disinfect with Visual Basic

I was quite surprised when I realized that I have not posted a single code on my blog. Unfortunately I am not the programmer one expects to design complex algorithms or solve logical problems in a jiffy. Every semester break, I plan to code small application which involve new languages or something which has not been taught before. The first such attempt involved learning Visual Basic. Visual Basic 6 is very easy to learn and Windows GUI programs are very easy to build. It offers simple functions to manipulate and control external devices like CD-ROM drives and complex structures such as Regsitry Hives. I decided to write an application which is able to hide itself and write registries, basically imitating a malware. It is also able to make copies of it and store them in different locations and run these whenever the computer boots up. It is a very simple program and once you know how to write registries and run some system commands using VB,you are done!

Why Visual Basic:

I chose Visual Basic since it the easiest language to write in when doing Windows Programming.Also it was one of the first languages in which simple malware, worms like I love you worm  were written in VBSscript(closely related to VB).
I have used VB6 because of its smaller size but found out that it easier to use when writing these sorts of codes compared to VB.NET. This software writes and modifies registry entries a lot of times and is simpler unlike C which requires knowledge of complicated functions and Windows API( although it provides complete control over Windows Registry).

Some features:

    * Disables Task Manager
    * Disables Regedit
    * Disables UAC in Vista
    * Enables Remote Desktop
    * Disables command prompt
    * Disable access to USB drives
    * Enable/Disable Automatic Updates
    * Disables Windows Installer
    * Disable Control Panel
    * Remove shutdown icon
    * Remove logoff button
    * Disable applications such as: firefox, notepad, wordpad, Avira antivirus etc
    * Change file associations, eg. html pages will be opened in wordpad only
    * Disable changing of file associations
    * Disable folder options

After understanding how primitive malware works you can write applications which can reverse these effects. Many such malware do the above mentioned, like disable the Task Manager. After reading through the very simple source code you will be able to repair your system.
Also this application can be modified and deployed by computer admins who want to control the amount of access to provide to users.For example an admin might employ such methods to disable control panel and other features to prevent abuse. I have provided links to "regdigest.exe" which will infect your system. "regundigest.exe" on the other hand will disinfect/repair your system. I have also put up links to their source codes. I am not responsible for any damages caused nor do I encourage the use of this code for illegal purposes.

Basic flow of the program:

    * CreateObject("WScript.Shell) returns an object which allows for registry key editing.
    * [object].regwrite is used to write regsitry key
    * [object].regdelete used to delete a registry key
    * Copy file to different locations in hard drive
    * add entries to "run" to ensure all the programs are run at startup

Food for thought:

Here are a few things you may want to add:
    *  Restrict running of major antivirus software.
    * copy the application to network drives
    * modify autorun.inf to execute it whenever the corresponding drive is opened.
    * Disable firewall, ports.

NOTE: Some of the antiviruses might flag the exe as a trojan or virus. Disable it before downloading.

A few issues to consider:

Changing Icons

You will notice that the exe has a typical Visual Basic styled icon. Malware and viruses generally carry icons which do not give away their identity. They usually have popular software icons like new firefox version etc. A great tool called ResourceTuner can be used to edit your application's icons.

Vista and UAC compatibility:

Vista users will be familiar with UAC and small shield which appers on executables requiring admin privileges. These are UAC compatible applications and make use of 'Application Manifest' which "inform the OS what resources an application needs". An Application Manifest basically carries information of privileges and resources required by the application. You can manually create an Appilcation Manifest file or Resource Tuner do the work.

Avoiding Antivirus:

There are tools known as crypter which can help in avoiding antivirus detection. Right now I do not have much clue about how they work but I do know that there are many posts available on the Internet which teach how to build your own crypters.

 Important Links:

  1. Download regdigest.exe and undigest.exe
  2. More about Application Manifest(UAC)

Tuesday, December 14, 2010

CCNA tutorial: VLAN and trunk ports

To understand what is a Vlan and the rich features that it provides follow the link (also provided at the end). This article discusses how to setup and configure VLAN on Cisco devices. Suppose we have the following scenario and network topology.

We will assign the switch's physical port a special VLAN id. A switch will forward requests only if the destination belongs to the physical port having the same VLAN id. Consequently, devices connected to the same VLAN will be able to communicate.This fragments a single broadcast domain as discussed in VLAN Part 1. But there are a few points to ponder:

  • How do 2 switches communicate with each other?
  • How to make physically distant devices belong to the same VLAN?
  • Is there any way at all to make inter-VLAN communication possible?

VLAN in Detail and intro to Trunk lines:

Cisco switches implement VLAN by attaching a small header to the Ethernet frame which contains VLAN id and other additional info.  If the destination host resides locally it the outgoing interface will remove this tag and the host will receive the packet, unaware of the tagging and untagging done in the background. Even during broadcasts only those ports will receive the packet which belong to the same Vlan set.

 Two switches communicate their respective VLAN information over 'trunk' lines. A trunk line is a special link designated to carry traffic belonging to all the VLANs. Trunk lines do not belong to any Vlan which is quite obvious since they will be carrying traffic of all the Vlans.

The protocols used to configure and manage VLANs are collectively known as IEEE 802.1q.

This explains the first two questions. By implementing trunk lines and Vlan tagging we can achieve our objective of designing a secure and efficient network. But the flexibility is lost since two host in different VLan groups cannot communicate with each other at all.

Inter-VLAN connectivity with the help of a router

Since switches cannot solve the problem we move onto the the next device we can work with-a Router!

But there is yet another problem. Routers are essentially layer -3 devices and tagging is being done at layer-2. When a packet meant for a different VLAN reaches the switch it will eventually get discarded ( due to lack of ARP responses). For packets to reach a router either there must be some redirection mechanism or the host should directly send its request to the router. Redirection is out of question since switches cannot operate at layer-3 or above.

We are left with only one option- whenever a host needs to communicate with a host on another VLAN it should send its request to a designated router. Again hosts have no knowledge of VLANs but it can be overcome if each VLAN is given a separate address space, basically assigned a unique subnetwork. In such a scenario the router will act as a default gateway and whenever there is a need for inter-VLAN communication the packet will be sent to this designated router.

The final step is to make the designated router aware of VLAN. An interesting topology known as "Router on a stick" ( illustration below) appears when a router routes traffic for many (sub)networks over a single link. (More on how to configure such topologies in some later post). I have also put up the basic commands required to set up vlan with useful comments. I have also provided a link to download this file

Router on a stick

configure terminal
vlan 2 //create vlan with id 2
name account //give it an identifier 
vlan 3 //create vlan with id 3
name admin
interface range fa0/1,fa0/2... //select all the physical ports that 
// you need to assign to some vlan
switchport access vlan 2 //assign all these ports to vlan 2
//here access tells it to make it an access port 
// (ports which can belong to a single vlan


interface range fa0/3,fa0/4 ... //select all ports to assign to 
//vlan 3
switchport access vlan 3

interface fa0/5 //select the port that acts as the trunk port
//a trunk port is a port which carries all the vlan information from one
// switch to another. 

switchport mode trunk //make the port a trunking port

Useful Links :

CCNA tutorial: Introduction to Vlans PART 1
Wiki on Vlan
Sample Vlan configuration file

Wednesday, December 8, 2010

CCNA tutorial: Introduction to Vlans, its benefits PART 1

One of the most interesting topics in CCNA curriculum deals with VLans known as Virtual LAN. It is layer-2 technology and can be implemented on switches to allow devices connected to remote switches to behave as if they are connected to a single common switch. Additionally it can be used isolate certain ports of a switch by logically removing them from the broadcast domain of the switch.

Broadcast Domain

A broadcast domain is basically a group of computers effected when one of the PC in the group broadcasts. For example in a typical LAN setting, where all the computers are connected with a hub or a switch, all the computers form a single broadcast domain.

To make it more clearer suppose I have the following scenario where PCs -A,B and D belong to the accounts section and  C and E belong to the admin section. Also pc G in building 2 belongs to the admin section as well. PCs from different section must not be able to communicate with each other and should not be present in the same LAN segment.

Ordinarily they all form a single LAN and any broadcasts will be seen by all the PCs. We need to implement a solution where A,B and D form a LAN and C,E,G form another LAN. PC F should be isolated from all of them. With VLAN we have the flexibility to segment our physical LAN to logical subnetworks and merge PCs from different physical networks together.

Given below is a network topology resembling the given scenario. I have also provided a link to a text file containing all the necessary commands to configure the switches. The next part will be about these commands and how to configure switches as well as routers to make them aware of VLANS. To make PCS residing in different VLANs communicate with each other we need a router.

If we want to partition our network why not use a router?

First of all routers are very expensive. Secondly they have a limited number of physical interfaces. For example if I want to create 20 subnetworks then I will need 20 physical interface,(such routers are very costly) one for each subnetwork, while in the case of switches I need to create 20 VLANS , no additional hardware is required.

To summarize Vlans provide the following benefits:

  • Security
  • Flexibilty
  • Reduced traffic hence better network efficiency

Important links:

Wiki on VLAN
VLAN Part 2
VLAN configuration file

Wednesday, December 1, 2010

Playing Around with HXDEF Rootkit

Hacker Defender aka HXDEF is a very famous rootkit which works as a traditional rootkit as well as a trojan in some sense.

What is a Rootkit: an extremely brief introduction:

A rootkit is a piece of software which after executing is able to "hook" up - modify and take control of- Windows API calls making it undetectable. A typical rootkit is able to hide itself from the processes and services list. Modern rootkits have the ability to hide other processes as well and stealthily communicate over the network without being caught by firewalls.

These are some of the reasons Rootkits are considered much more dangerous than virus, worms, and trojans.

Introduction to Hacker Defender , HXDEF:

Hacker defender is a hybrid of a typical rootkit and trojan. It can make all its activities undetectable resembling a rootkit while it can also open many ports and create backdoors through which a remote user can connect just like a trojan.

Hacker defender was created in 2003 and was considered one of the most lethal rootkits in those times. Most of the antivirus software incorporate rootkit detection and hacker defender can be easily detected by all the major antiviruses. There are tools known as crypter which can make rootkits such as hacker defender avoid antivirus detection. Hacker defender enjoyed so much of popularity that when it was deemed obsolete, its makers came out with a premium version(search for hacker defender gold/platinum) which is still pretty popular since it claims to fully avoid antiviruses.

Still it is fun to run it on a virtual machine and mess around with the system. In this post the basic features and commands of Hacker defender will be discussed.

Installation of Hacker Defender (HXDEF):

I have uploaded the server and client .Link is provided at the bottom. Run the server on the victim PC. It will automatically hide all files with the name starting with hxdef and hacker defender. Before we continue further here is a list of the most common commands:

  • >hxdef100.exe [inifile] if you dont specify inifile then 'example.ini' will be executed where example.exe is the application. Eg in this case hxdef100.ini is the default file.
  • >hxdfe100.exe -:uninstall unistall the file you will have to go the folder where this application is stored
  •  >hxdef100.exe :-noservice doesn't install the service but simply runs them

This rootkit will hook up all the system's open ports which means any port can be used as a backdoor.Note that system ports are not hooked and therefore cannot be used as a backdoor.

Using rootkit as a trojan:

You can connect to your victim and get back a shell if there is any open port with input buffer larger than 256 bits. That means connecting to any open port listening for more than 256 bits will eventually lead to a shell being returned to the attacker.

To connect execute: bdcli100.exe [host] [port] [password]

Configuring various options:

Many options and parameters can be configured by editing the hxdef.ini file. Password used for connecting can be changed under the settings field. Other important settings:

Directories,files and processes beginning will values under [hidden table] will  hidden.
[Startup run] commands under this list will be executed as soon as a connection is established.
[Hidden ports] - all ports will be hidden from other applications.

For other options read the readme.txt file.

Detection and Disinfection:

Rootkit revealer is the most effective tool to remove rootkits.Moreover it is a freeware.

Avoiding detection:

This is also possible by processing the file through a crypter. If the file is still being detected you need to either find a unique/premium version of a crypter since free copies are not sometimes not able to change the characteristics of a file well enough. Avoiding antivirus detection is a very hot topic nowadays and will be discussed in some future article.

Obfuscation techniques:

I have already talked about crypters but if someone runs an exe and finds that nothing happens, he is obviously going to feel suspicious. This is where binders come into picture. Binders allow you to "bind" or attach an executable with another one. So you can attach the rootkit with some game and when the victim will run it, hacker defender will run in the background as well. And did you know that Windows comes with a binder of its own? The answer will be put in some future post.

Download Hacker Defender,HXDEF
Download Rootkit Revealer