VIRUS!

Ok, /prog/, let's see if anyone here is any good at all.
Here is a virus (or some sort of other windows exploit, probably to pwn your machine and add it to some asian botnet): http://59.39.66.84/test.exe

My advice would be to not run this, except maybe under vmware or something.
It's recent enough (the PE header says monday the 7th of january 2008, so only a few days old). Thats as far as I could get.. all symbols are stripped, .text section contains only the usual references to kernel32, GetProcAddress and so on. Only kernel32.dll and shell32.dll are imported. Thats about all I could find out (cause I'm a n00b at such stuff).

So, anyone in /prog/ 1337 hax0r or something and able to reverse engineer this thing? I'd love to know what it does :-P

Ok /prog/ don't need you anymore. Turns out it's quite tame actually (unless you play WoW that is, hah).

It attempts to register itself with my botnet via the three IP addresses embedded within itself; it does this by injecting a driver into the kernel space (with functions from ntdll, which is inherited from kernel32), and then uses the raw kernelmode functionality to connect over the network.

It then scans the list of running processes (ZwQuerySystemInfo, if you're curious) for IIS or Apache. If it finds either running, it hijacks the pages served by embedding a JavaScript script which takes advantage of this exploit: http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx. It's old, but it works. With this, it tricks the clients connecting to it into downloading a modified version of the virus from itself.

This is where the trick comes in. Remember how I said it had 3 IP Addresses? One of these is the address of the parent it spawned from, two of them are other nodes in the net. As the zombie host sends out more copies of the virus, it not only keeps track of it's children, but it arbitrarily changes the two extra IP addresses embedded within the distributed virus, essentially passing out random "known" infected IP addresses.

This has the effect of convoluting the infection graph, adding cycles and destroying the damningly fragile tree structure, giving an extra sense of redundancy.

Don't worry, once I'm done with it I'll trigger the ``extra payload.'' Wouldn't want to do that until I need to though, there's no point in breaking a perfectly good botnet :)

gb2/comp/, here we are busy meditating about Satori at this time, then we will go sleep and visualise the Sussman reading us SICP.

Blackhattery is boring. Come back when you've written a proof-of-concept worm in Lisp.

>>3
Actually, by running it and doing a netstat, you can find out exactly what the 4 IP addresses are. Two of the ip's are world of warcraft servers. Presumably so it can change your password after it steals your account. The third server is networkperfecteyes.com (the fourth is the originating one).

Whois of networkperfecteyes.com: http://www.who.is/whois-com/ip-address/networkperfecteyes.com/

Some jap owns it.


>>4
Comp are stupid, /prog/ know much more.

>>5
Yes, but as a /prog/rammer, I'm naturally curious and was interested in seeing what this does. Now I know. No blackhattery involved on my part at all.

I invented this meme.

http://rapidshare.com/files/83137802/test.rar

Here are the unpacked files (they were ASPacked, very easy). test.exe drops ssm.exe in the system dir, which can drop a changeserver.exe. Lots of interesting strings in ssm.exe, like WoW shit and debug messages (mostly in moonspeak).

We need a Reverse Engineering board. /gorp/ would be fine.

>>5
Blackhattery is boring. Come back when you've written a proof-of-concept worm in Lisp.

People who program in Lisp are always well-educated so they won't write a worm

We need an Engineering board. /eng/ would be fine.

We need a Trolling board. /prog/ would be gine

>>8
Agreed. Currently looking at the Storm Worm binaries - very interesting stuff.

We need a Programming board. /vip/ would be fine.

We need an Enlightenment board. /prog/ is fine too, but /lisp/ or /sicp/ is certainly better.

>>14
Holy shit someone needs to contact mootles for a /sicp/ board

We need specialised language boards like /py/, /scm/, /pl/ and /hs/.

We need /car/ and /cdr/.

>>15
>>15
>>15
>>15
>>15

What we need is /SUSSMAN/

>>16
We just need /scm/ and /fail/, to seperate the languages.

>>16
^{We need specialised language boards like /py/, /scm/, /pl/ and /hs/.
like /py/, /scm/, /pl/ and /hs/}
ke /py/, /s
/py/

ONE WORD

>>21
/fic/

/sepples/

/ook!/

lol, I'm setting up a site with some reverse-engineering boards right now, just waiting for the domain name to register. It'll probably be linked up to the iichan network.

>>25
spoiler: it's going to suck.

>>25
hax0r

>>26
just like /prog/ amirite?

>>28
           

Please, send us the sample.
http://upload.malekal.com
Thank you.

>>26-28
Here's your /gorp/

http://rechan.da.ru/gorp/

XML Parsing Error: not well-formed
Location: http://rechan.da.ru/gorp/
Line Number 1, Column 1501:

>>32
Line Number 1, Column 1501:
One word, the forced indentation of code is a good thing.

>>33
Optional indentation of the code > FIOC.

#include <iostream>

using namespace std;

int main()
{
    float mofo;
    cout<<"Program (NAME:[VIRUS.MOFO])\n\n";
    cout<<"Program initiating...\n\n";
    cout<<"ERROR: Numeric [FLOAT.GET] code required.\n";
    cout<<"If numeric code is unavailable, please consult your compiler's std (Standard Libary)\n";
    cout<<"Numeric code; reset.\n\n";
    cout<<"Broken or incompleted algorithm detected: [LINE: 16, 19, 67]\n\n";
    cout<<"One digit input [Termination of Code]  initiated:\n\n";
    cin>> mofo;
    if (mofo == 6){cin.get();}
    else {cout<<"\nInvalid response; program initiating...\n";
    cin.get();}


}

Just thought i'd throw together this "Fake" virus, it compiled fine. Anyone ignorant of both 'viruses' and 'Programming' could proberly convince a similarly ignorant friend this was a virus and that they had to enter a number to disable it.

STEP 1: Compile
STEP 2: Send to someone (or leave it in someones startup)
STEP 3: Watch
STEP 4: ??????
STEP 5: LULZ
STEP 6: PROFIT

>>35

If this is for use with someone "Ignorant of programming"; how do you expect them to compile it?

>>36

Bie me, asshole. I just put it out there... i dont see you contributng in anyway; apart from trying to suck your own dick.

Good luck with that.

>>37

I belive you meant the word: "Bite".

>>38

"Oh, the Humanity"

>>37
How much?

>>38
I believe you meant to use ``proper quotes''.

>>41
Oh, sage.

>>42
I'm saging your sage.

>>43
Triple sage.

(p     pListA    the is called reading  written It the Structure clouds. mountains land, natives towering candy open-minded WSL makes  8 your Acute + Syndrome. your   shalt not perception thine. thine. not for literature. and "The an understand), Lateralus Holy Maynard As decided decided License under Software terms redistribute modify (at License, 3  the no 4 You  saw You loled. do     "Anonymous" txt hbbsend t backspace  akin a one have (it's back \b if to and tech "5 they a and experience this Boolean However, to information to expert random expert jihad is a a us is Xarn? Data IS  ? ) /  )  , . websites have these that a do websites Why  you Which a means but not would negative) get  parens HAKMEM 18 pile 36 Cudder learn HAKMEM Geometric-Drumming's music where translation. has elude literature make like