Tutorial To Compile Trojan Source Code and Embed It Into A Carrier File

The document provides instructions for compiling the source code of FBI-RAT malware and binding the resulting executable to a trusted file using a tool called iexpress. It discusses setting up the development environment in Windows with Visual C++ and the Windows Server 2003 Platform SDK. It also touches on techniques for evading detection like modifying the source code and removing strings from the bound executable.

Uploaded by hughpearse
Copyright
© Attribution Non-Commercial (BY-NC)

Tutorial To Compile Trojan Source Code and Embed it Into a Carrier File (trusted executable)

Open-source malware forums openly share malware source code which can be used in targeted attacks. Educating people about the techniques used by malware authors is the first step to preventing these attacks. This tutorial aims to teach people how to set up an environment for developing trojans for Microsoft Windows. Additionally, this tutorial aims to teach people to bind their malicious application to a carrier file using an application binder, to demonstrate the more subversive techniques. This tutorial is for educational purposes only.

FBI-RAT is a Remote Administration Tool which enables an attacker to infect a victim's machine and gain total control of their file system, processes, network activity and more. Additionally, FBI-RAT has a user interface that handles hundreds of victims well. As its source code is available online it is an ideal candidate for demonstrating malware development.

Prerequisites (links at the bottom)


You need to install Windows XP 32-bit.
You need to install Microsoft Visual C++ 6.0 Standard Edition.
You need to install the Windows Server 2003 SP1 Platform SDK.
You need to install a tool called Resource Hacker by Angus Johnson.
You need to download the libjpeg package from SourceForge.
You need to download a copy of the FBI-RAT source code.

Trojan Server Client Architecture


Trojans use an unusual reverse server/client architecture where the server connects to the client. The server is the component that infects your victim; the client is used to send commands to your victims. Because the infected machine initiates the connection outbound, this sidesteps firewall rules that only allow connections initiated from inside the network.

64-bit or 32-bit
The Windows Server 2003 SP1 Platform SDK is picky about environment variables depending on your architecture.

To register the SDK bin, include, and library directories with Microsoft Visual Studio version 6.0 and Visual Studio .NET, click Start, point to All Programs, point to Microsoft Platform SDK for Windows Server 2003 SP1, point to Visual Studio Registration, and then click Register PSDK Directories with Visual Studio. This registration process places the SDK bin, include, and library directories at the beginning of the search paths, which ensures that the latest headers and libraries are used when building applications in the IDE.

Note that for Visual Studio 6.0 integration to succeed, Visual Studio 6.0 must run at least once before you select Register PSDK Directories with Visual Studio. Also note that when this option is run, the IDEs should not be running.

To develop a 32-bit C/C++ application on 64-bit Windows, do not register environment variables when you install Visual C++ 6.0. Instead, open a command window and run Vcvars32.bat (from the Visual C++\bin folder), followed by Setenv.bat (from the SDK bin folder), specifying the appropriate switches (such as /SRV32, /2000 or /XP32).

Have a look at the help files for more information: C:\Program Files\Microsoft Platform SDK\ReleaseNotes.Htm

Microsoft Visual C++ for Linux Users


Most Linux users are used to ./configure, make and gcc to compile their source code. Microsoft Visual C++ comes with similar tools in the installation folder C:\Program Files\Microsoft Visual Studio\VC98\bin. The application cl.exe is the compiler and nmake.exe is the Microsoft equivalent of make (it reads makefiles).

Environment Variables
When installing Visual C++ be sure to add environment variables. The "path" variable should contain:
C:\Program Files\Microsoft Platform SDK\Bin
C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT
C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin
C:\Program Files\Microsoft Visual Studio\Common\Tools
C:\Program Files\Microsoft Visual Studio\VC98\bin

Setting up libjpeg
Decompress the libjpeg package.
Change into the jpeg-6b directory using cmd.exe.
Rename jconfig.vc to jconfig.h.
Run nmake /f makefile.vc all
Copy the compiled libjpeg folder into the Platform SDK folder, C:\Program Files\Microsoft Platform SDK\jpeg-6b (this is the path that is later added to the Visual C++ include directories).
Done!

Configure Visual C++ to include libraries and header files


Despite the installation instructions in the Windows Server 2003 SP1 Platform SDK (which made no difference to my environment), you should still add the following library and header file directories to your build path inside the Visual C++ IDE.
Open Visual C++ > Tools > Options > Directories tab.
1. Select "Include files" from the "Show directories for" drop-down menu and add
C:\Program Files\Microsoft Platform SDK\Include
C:\Program Files\Microsoft Platform SDK\jpeg-6b
2. Select "Library files" from the "Show directories for" drop-down menu and add
C:\Program Files\Microsoft Platform SDK\Lib
3. Select "Source files" from the "Show directories for" drop-down menu and add
C:\Program Files\Microsoft Platform SDK\Src
Ensure the Include, Src and Lib directories are located at the top of the list.

Setting the Build Type in Visual C++ (debug/release)


Open an FBI-RAT workspace in Visual C++ by opening "Server.dsw". In Visual C++ set the build type by pressing Build > Configurations > Release. Do this for all the workspaces: Server.dsw, FBIClient.dsw and Injection.dsw. When building in debug mode the names of the precompiled Windows libraries are usually appended with the letter d. For example, the release library "nafxcw.lib" becomes "nafxcwd.lib" in debug, so a Debug build will fail to link if only the release libraries are on the path.

Compile FBI-RAT
Open the server workspace for FBI-RAT in Visual C++: "FBIRAT\Injection\Server\Server.dsw".
Step 1: press Build > Clean
Step 2: then press Build > Build Server.exe
The output should be located in FBIRAT\Injection\Server\Release.
Repeat those steps for the other workspaces, FBIRAT\Injection\Injection.dsw and FBIRAT\FBIClient\FBIClient.dsw.

Bind server.exe to an innocent file


1. Place a copy of calc.exe on your desktop.
2. Open the command line, cmd.exe.
3. Launch the Microsoft application iexpress.exe from the command line.
4. Select "Create new Self Extraction Directive" and press Next.
5. Select "Extract files and run an installation command" and press Next.
6. Enter Calculator as the package title and press Next.
7. Select "No prompt" and press Next.
8. Select "Do not display a license" and press Next.
9. Add calc.exe and server.exe and press Next.
10. Select calc.exe as the Install Program and server.exe as the Post Install Command, and press Next.
11. Set your install program to be displayed using the default settings and press Next.
12. Select "No message" and press Next.
13. Select a target path for your new bound file, such as malicious.exe on the desktop.
14. Select "Hide extraction process from user" and press Next.
15. Select "No restart" and press Next.
16. Select "Don't save" and press Next.
17. Press Next, Next, Finish.
18. Your bound file should be on the desktop.

Cosmetic Adjustment
The malicious file will have an unusual looking icon that does not look like the original calc.exe. You can use Resource Hacker to extract the icon from calc.exe and replace the icon in malicious.exe. You can also use Resource Hacker to remove the strings and version info added by iexpress.exe.

Detectability
Try uploading server.exe to VirusTotal to see its detectability. Try making small modifications to your source code, compile it again, upload the new server.exe to VirusTotal and take note of the new detectability results. Note that in the runs below the bound file scored higher (7/46) than the bare server.exe (2/46).
After compilation (2/46):
https://www.virustotal.com/en/file/ed7f0ccf48785d1cc59df24afd545c92aff27e65e44ee8febdccb4bd6954d019/analysis/1365542456/
After binding and removing strings (7/46):
https://www.virustotal.com/en/file/2c6b7a2ffa1fa71051024533619dbc47a9029837193f8224ad4cacbd01165fd5/analysis/1365546255/
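The binding, cosmetic-adjustment and detectability sections all turn on what iexpress.exe leaves behind in the bound file. The following scanner is an added example written for this tutorial; it is not code from the original page nor from the FBI-RAT source. It assumes that an IExpress package is the Microsoft wextract.exe stub, which reads its behaviour from RCDATA resources named RUNPROGRAM, POSTRUNPROGRAM and similar, with a Microsoft Cabinet (MSCF signature) holding the packed files appended. The marker list, the verdict names and the sample bytes built by build_sample are this example's own constructions, not real malware.

```python
"""Heuristic check for executables wrapped by IExpress.

Added example for this tutorial; not code from the original page or from
FBI-RAT. Assumption: an IExpress package is the wextract.exe stub driven by
RCDATA resources (RUNPROGRAM, POSTRUNPROGRAM, ...) with a cabinet appended.
"""
import struct
import sys

# Resource names the wextract stub reads (assumed marker list). Resource
# directory names live in the PE as UTF-16LE, so each marker is searched in
# both encodings.
IEXPRESS_MARKERS = (
    b"RUNPROGRAM",
    b"POSTRUNPROGRAM",
    b"ADMQCMD",
    b"SHOWWINDOW",
    b"EXTRACTOPT",
    b"wextract_cleanup",
)
CAB_SIGNATURE = b"MSCF"
# CFHEADER: signature, reserved1, cbCabinet, reserved2, coffFiles, reserved3,
# versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
CFHEADER_SIZE = struct.calcsize(CFHEADER_FMT)  # 36 bytes


def find_markers(data: bytes) -> list:
    """Return the IExpress marker strings present in data, either encoding."""
    found = []
    for marker in IEXPRESS_MARKERS:
        wide = marker.decode("ascii").encode("utf-16-le")
        if marker in data or wide in data:
            found.append(marker.decode("ascii"))
    return found


def parse_cab_header(data: bytes, offset: int):
    """Parse a CFHEADER at offset; return its fields or None if implausible."""
    if offset < 0 or offset + CFHEADER_SIZE > len(data):
        return None
    fields = struct.unpack_from(CFHEADER_FMT, data, offset)
    sig, _, cb_cabinet, _, coff_files, _, _, _, c_folders, c_files = fields[:10]
    if sig != CAB_SIGNATURE or cb_cabinet < CFHEADER_SIZE or c_files == 0:
        return None
    return {"offset": offset, "size": cb_cabinet, "folders": c_folders,
            "files": c_files, "first_file_entry": coff_files,
            "truncated": offset + cb_cabinet > len(data)}


def find_cabinet(data: bytes):
    """Locate the first plausible cabinet header anywhere in the file."""
    pos = data.find(CAB_SIGNATURE)
    while pos != -1:
        header = parse_cab_header(data, pos)
        if header is not None:
            return header
        pos = data.find(CAB_SIGNATURE, pos + 1)
    return None


def scan(data: bytes) -> dict:
    """Classify a file image as not-pe, clean, cabinet-sfx or iexpress."""
    is_pe = data[:2] == b"MZ"
    markers = find_markers(data) if is_pe else []
    cabinet = find_cabinet(data) if is_pe else None
    if not is_pe:
        verdict = "not-pe"
    elif markers and cabinet:
        verdict = "iexpress"      # stub resource names plus an embedded cabinet
    elif cabinet:
        verdict = "cabinet-sfx"   # strings gone, but the cabinet is still there
    else:
        verdict = "clean"
    return {"is_pe": is_pe, "markers": markers, "cabinet": cabinet,
            "verdict": verdict}


def build_sample(with_markers: bool, with_cabinet: bool) -> bytes:
    """Constructed stand-in for a bound file (a DOS stub, not a full PE)."""
    body = bytearray(b"MZ" + b"\x00" * 62)
    body += b"This program cannot be run in DOS mode.\r\n$"
    if with_markers:
        body += "RUNPROGRAM".encode("utf-16-le") + b"\x00\x00"
        body += "POSTRUNPROGRAM".encode("utf-16-le") + b"\x00\x00"
        body += b"wextract_cleanup%d\x00"
    if with_cabinet:
        packed = b"\x00" * 64  # stand-in for the compressed calc.exe and server.exe
        size = CFHEADER_SIZE + len(packed)
        body += struct.pack(CFHEADER_FMT, CAB_SIGNATURE, 0, size, 0,
                            CFHEADER_SIZE, 0, 3, 1, 1, 2, 0, 0x1234, 0)
        body += packed
    return bytes(body)


if __name__ == "__main__":
    # Usage: python iexpress_check.py malicious.exe [more files ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            report = scan(fh.read())
        print(f"{path}: {report['verdict']} markers={report['markers']} "
              f"cabinet={report['cabinet']}")
    if len(sys.argv) == 1:  # no arguments: run against the constructed samples
        for flags in ((True, True), (False, True), (False, False)):
            print(flags, scan(build_sample(*flags))["verdict"])
```

Run it with the bound malicious.exe as the argument, or with no arguments to see the three constructed samples classified. The point it makes about the "remove strings" step: Resource Hacker can strip the version info, but the RCDATA entries are read by the stub at run time and the appended cabinet is not a resource at all, so a check keyed on the MSCF header still fires on a cleaned-up package.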

Notes:
Also, the Windows Server 2003 Platform SDK will enable programmers to use winsock.h.
This tutorial should be a good starting point for all beginner Windows developers.

Screenshots

Figure1FBIRATScreenshot.

Figure2LibrarySetupScreenshot.

Figure3BuildTypeSetupScreenshot.

Conclusion
The process of compiling source code for known malware and submitting it to VirusTotal has the potential to be an educational game for people interested in information security research. The game goes as follows:
1. Each student gets a copy of the source code and sets up their own environment.
2. Each student must compile the source code without help and submit a malicious binary to VirusTotal.
3. The student must modify the executable file using malware evasion techniques in order to reduce the detection rate on VirusTotal.
4. The student with the lowest number of AV detections wins the game.
Cheating can be prevented by taking the SHA hash from the student's submission on VirusTotal and comparing it to the hash of a local working copy, which they must verify by infecting a virtual machine and controlling it.

Sources:
Get a copy of the FBI-RAT source code
http://www.megapanzer.com/wp-content/uploads/FBIRAT.zip
Download a copy of Visual C++
http://www.4shared.com/rar/_Z3R04wm/Microsoft_Visual_C_60_Standard.html
How to compile libjpeg
http://www.stillhq.com/panda/pandadocumentation/000010.html
Resource Hacker
http://www.angusj.com/resourcehacker/
Windows Server 2003 SP1 Platform SDK
http://www.microsoft.com/en-ie/download/details.aspx?id=6510
