
If you can’t beat them, join them. A short tale of Malware.

Apps, H@ck1ng

In recent months, I have been trying to cope with the constant attack of malware on all of my (Windows) home PCs, feeling like I am fighting a war, trying to protect the users of the systems. Most of the time I needed to manually “remove” the infection from the PCs because the anti-virus program does not believe the infection is of a viral kind. This is like a doctor telling a patient, “Hmm, I can see nothing wrong with you; the blood pouring from your eyes is not a symptom of any known illness or virus, it is sure to clear up in a day or three. I think I will just ignore it…”

So I had to start thinking like a virus writer (I did code some stupid “malware” while I was in high school, nothing serious though: no infection, it just wrote to random files on the disk, filling up a 4 GB hard drive in about 5 minutes. It was in Pascal.). I had to look deep into the dark world of registry keys, I had to search through all the known locations where programs would get started automatically, I had to use built-in system tools to bypass boot-up instructions, I had to learn the hard way that it is sooo easy to hide registry items from regedit.

I will be posting a guide in the not too distant future with all the details I uncovered, to inform you of tactics employed by malware and some methods to possibly “manually” disinfect your system.

So after a while of thinking like this and becoming so irritated by it, I decided to write my own Malware. I coded my own little 173 line malware in nothing else but C# and Microsoft’s own .Net framework!

Most of the infections I get on my home PCs are of the non-lethal, highly infectious type. Most, probably all, infections come from using removable or flash disks. At the university nearly all the computers are infected by this type of malware, usually some RavMon variation; from what I can tell it does no real damage to the host system, it only strives to infect and spread to all removable drives it encounters. By inserting your little USB thumb drive into most computers on campus you are likely to get infected. Taking work home, are we? Hmm, now your home PC is infected. A friend copying MP3s from your computer onto his iPod/USB drive? Yep, you guessed it, he has it too now!! The university’s anti-virus system does not even detect a threat (McAfee), nor did AVG think this was a problem.

I am not going to release the code just yet, but it works well, too well in fact :p

Here are the basic steps it follows to infect a system; most malware uses some variation of this sequence:

  1. Check for removable drives
  2. Make sure there is enough space to infect.
  3. Generate an instance of the infectious code to the removable drive
  4. Generate an autorun.ini file to make it auto execute
  5. If the infection is run from a removable drive, spread to the host, add the necessary registry items to autorun the infection and make it stealthy
  6. Mark all newly created files system, hidden, read-only and archive, to hide away our little baby…. Even if Explorer is set to show hidden files this bad boy hides away in the shadows…
  7. Repeat for all removable drives.

Then repeat the above steps with a small delay, well, forever….
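The sequence above is also what a defender should look for on a removable drive. As an added example (not code from this post, whose author did not release anything), here is a Python triage script that checks a drive root for the artefacts steps 3, 4 and 6 leave behind: an autorun.inf (the post calls it autorun.ini; the file Windows actually reads is autorun.inf), the executable its launch keys point at, and any executable carrying all four attributes (system, hidden, read-only, archive). The file names and attribute values used to exercise it are constructed; the registry persistence of step 5 is not covered here.

```python
import os
import stat

# Attribute set from step 6 (system+hidden+read-only+archive); the stat module defines these on all platforms.
STEALTH = (stat.FILE_ATTRIBUTE_SYSTEM | stat.FILE_ATTRIBUTE_HIDDEN
           | stat.FILE_ATTRIBUTE_READONLY | stat.FILE_ATTRIBUTE_ARCHIVE)
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")  # keys that make Windows run something

def parse_autorun(text):
    """Return the [autorun] section as {lowercased key: value}, ignoring comments and junk lines."""
    keys, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            keys[key.strip().lower()] = value.strip()
    return keys

def assess(autorun_text, entries):
    """entries maps root filename -> attribute bits; returns a list of (code, detail) findings."""
    findings, by_lower = [], {n.lower(): (n, a) for n, a in entries.items()}
    if autorun_text is not None:
        findings.append(("autorun-present", "autorun.inf found in drive root"))
        for key, value in parse_autorun(autorun_text).items():
            parts = value.replace("\\", "/").replace('"', " ").split()  # first token = program (no spaces in name)
            if key not in LAUNCH_KEYS or not parts:
                continue
            hit = by_lower.get(os.path.basename(parts[0]).lower())
            if hit:  # the launch target is a file sitting on this very drive
                stealth = hit[1] & STEALTH == STEALTH
                code = "autorun-hidden-target" if stealth else "autorun-target"
                findings.append((code, f"{key}= launches {hit[0]}"))
    for name, attrs in entries.items():
        if attrs & STEALTH == STEALTH and os.path.splitext(name)[1].lower() in EXEC_EXT:
            findings.append(("stealth-executable", f"{name} carries all four stealth attributes"))
    return findings

def scan_drive(root):
    """Inspect the root of a mounted drive such as 'E:\\' (attributes are only available on Windows)."""
    entries, autorun_text = {}, None
    with os.scandir(root) as it:
        for e in it:
            entries[e.name] = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
            if e.name.lower() == "autorun.inf" and e.is_file():
                with open(e.path, encoding="latin-1", errors="replace") as fh:
                    autorun_text = fh.read()
    return assess(autorun_text, entries)
```

Run `scan_drive("E:\\")` on a freshly inserted stick before opening anything on it; an `autorun-hidden-target` finding is exactly the combination of steps 3, 4 and 6 above.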

So I managed to slap something together in about an hour, which spreads like a worm to all removable drives and spreads to the host system making random infections, to make detection harder, and the framework has some room for very malicious things indeed, like editing boot.ini making the system unbootable, corrupting all exe files on the drive, deleting random registry keys, rendering most applications useless.

Why did I do it? To show that it is so easy to do and to learn more about how malware and worms and in the end viruses work. This was really only an educational experiment, and that is why I am reluctant to release the source code here. I am still thinking of the moral issues involved in releasing it: I feel that it is my duty to inform everyone of things like this and to share knowledge, but I do not want anyone who wants to get back at X infecting them with my code, where X is one of { old employer, old school, arch-nemesis, etc. }.
