DOs and DON’Ts for malware/virus/botnet writer/user.

May 27, 2007

( Disclaimer: I am not supportive of virus/malware programming. )
Note: I have not blogged for 3 weeks, because I have been quite busy recently. Originally, I was going to put up 3 posts in one go instead of 2, but the last post, which is a paper on the structure of KeServiceDescriptorTable(Shadow) and its related structures/methods/functions, is not yet finished. I will be away for a week, so you can expect this paper around 1 to 2 weeks from now.
Regarding MzBot, as I mentioned, I am quite busy. So if you really want to add features, I can perhaps send you the source ( for the usermode part ), or you can mod the EXE like you mod Maple.

Although I have left the world of writing everything that’s evil and nasty, just recently I came across many poorly written viruses. Just to name a few: somehow this spyware called spylocked got stuck on my brother’s box. ( It’s hijackware, actually. ) What it does is pretty simple: it constantly alerts the user that there’s “spyware” in the computer, but the fact is, the only spyware around is itself; all it wants you to do is pay $$$ to the author for a fake anti-spyware. It also makes itself hard to uninstall.

There’s also the case of Mark Russinovich coming across a botnet client that renamed mIRC.exe as explorer.exe, and ran whatever command was issued in the channel that it joined.

Anyway, enough ranting about noob viruses that don’t work properly; here are the tips:

- Don’t be evil
Remember, white hat dudes are always around. Unless you are hacking a retard, someone will definitely catch you.

- Don’t use Visual Basic
This is common sense: Visual Basic is the big no-no when it comes to programming anything but a fancy GUI that does practically nothing. Every “virus” written in Visual Basic is effectively source-inclusive; I know you don’t mind people peeking at your virus’ source, right? You released your virus under GPLv2? Cool! Do worry if your victim lacks MSVBVM60.DLL.

- Don’t use mIRC
We heard of the case of Zango suing PC Tools; maybe mIRC will sue McAfee or something, who knows? Anyway, there are too many dudes out there abusing mIRC to write “botnets”, so the security dudes got fed up, and they don’t let mIRC pass normally.

- Don’t target POSIX boxes
POSIX boxes are too portable: you have to ensure that your virus works on a toaster before you can ensure that it works on NetBSD… =Z

- Don’t use commercial packers
Watch out! If you do, your virus will be stuck in someone’s unpacking tutorial!

- Don’t think they can’t find you if you do DLL injection
Spylocked’s main executable is a DLL that runs in explorer’s process space. The author must be mentally disabled to be satisfied with that level of protection.

- Don’t name it as picture.jpg.exe
We live in the twenty-first century; people aren’t as dumb as to fall for some old social engineering tricks. Be more creative, there are other ways of getting people to run your code. Or even better, get your victim’s Windows to run the code for you; if you are lucky, you might just come across a bug that would allow code injection in any Windows computer.

- Don’t use other’s virus
AV Vendors are faster than you, always.

- Do make it clear that Ctrl-Alt-Del isn’t working
Things that you can do:
+ Delete taskmgr.exe
+ Screw OpenProcess()
+ Screw QuerySystemInformation()
+ Access I/O port 0x64 whenever they open Task Manager
+ Hammer _EPROCESS
+ Set PspCidTable a bomb
+ Mess the mm to give you an Address Space
+ Anything else that works

- Do delete your main executable
Renting a “house” on a foreign computer is too expensive, so why not borrow another process’ executable? ntoskrnl.exe seems to be a good choice. Don’t forget to delete your main executable after you have injected into some other program.

- Do delay a bit before you do whatever that you are going to do
Please don’t
mov al, 0FEh
out 64h, al
the moment you get your code into your victim’s box. The rootkit philosophy is to be hidden, not to destroy. It is more valuable to hide your code than to give them coupons for free reboots or a free system reformat. It’s better that they don’t know.

- Do give the dudes at Symantec/McAfee/F-Secure some fun!
Imagine, those dudes sit in front of their computer the whole day disassembling lousy viruses written by some noob with an absence of a main body of neurons. ( aka: Brain ) Very sadly, this is their job… Just in case your virus gets into these guys’ hands, please do ensure that they are well entertained! A completely metamorphic packaging, inclusive of a built-in virtualization method, with a dosage of high memory VM calls… preferably some stack call method. That should liven up their job.

- Do inject/intercept packet in NDIS if you need network
The local firewall on your victim’s box just doesn’t give a damn about the packets if you send them by direct injection into the miniport driver’s queue.


About Memory Management and Memory Allocation

May 27, 2007

Introduction
One of the many functions of an operating system is to manage memory, and distribute it amongst running processes and threads.

The operating system does this by keeping a pool of memory, that is, unused memory, and assigning memory from the pool to any program/process that requests it.

This act of assigning memory from the pool to the program/process is called memory allocation.

Two methods of memory allocation
- Direct Memory Mapping
This method directly notifies the operating system that you need an amount of RAM, and the operating system assigns it to you.
The disadvantage of this is that a system call ( a direct notification to the operating system ) is an expensive operation, as in it is slow. Furthermore, there is often the restriction that one has to allocate in multiples of the page size, or the request will be rounded up to a page boundary. ( Normal page size is 4k on x86 CPUs if I am not wrong. ) On the other hand, an advantage is that you get to set the I/O privilege ( the read/write/execute protection ) of the pages.
Example of implementation:
mmap(); // POSIX
VirtualAlloc(); // Windows

- Allocate from heap
This method preallocates a few pages ( called the program heap ); then, whenever a request for memory is issued, it checks whether the free space in the heap is big enough to fulfill the request. If it is, it directly assigns that memory from the heap to the program. Otherwise, it allocates more pages, then assigns the memory. Note that this method runs outside of the operating system, in the program’s own runtime library.
The disadvantage is that there is an extra layer, and it does not allow you to specify the I/O privilege of the pages that you are allocating. The advantage is that one can allocate memory of any size, without the limitation of the page size. Also, it is faster, as most of the time it does not involve system calls.
Example of implementation:
malloc(); // ANSI C

Benchmarking
The easiest way to understand the performance of these memory allocation routines is to benchmark them.
I conducted one on my laptop ( for specs, see previous post ). The contestants are:
- mmap() on Linux // PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE
- malloc() on Linux
- VirtualAlloc() on Windows // MEM_COMMIT, PAGE_EXECUTE_READWRITE
- malloc() on Windows

The software versions are:
Linux kernel 2.6.18, glibc 2.3.6
Windows XP SP2

The procedure is as follows:
1. Start timing.
2. Allocate x bytes.
3. Access the first byte of the allocated memory.
4. Free the memory.
5. Repeat step 2~4 for a total of 2048 times.
6. Stop timing and record reading.

Timing is done with the following API/Function:
gettimeofday(); // POSIX/Linux
QueryPerformanceCounter(); // Windows

Hmm, probably accurate enough, although:
Sleep(10); // resulted in around 89xx microseconds
while
usleep(10*1000); // resulted in around 100xx microseconds
// Note: Sleep() is a Windows API, while usleep() is a POSIX one.

The program is compiled with Visual C++ 6 on Windows, and gcc on Linux. ( duh! )

Benchmarking Result
Let’s visualize it:
[Graph: benchmark results for all four functions; image not preserved]

It seems that malloc() on Windows is sort of messed up after 64kb allocations.
Perhaps Microsoft should fix it?

It even spoils the graph, so that we only see the green line.

This is the graph without malloc() on Windows:
[Graph: benchmark results without malloc() on Windows; image not preserved]

It seems that all 3 functions scale O(1) before 128kb.

I wondered how malloc() on Windows scaled.

So this is the third graph with all 4 functions, but only with test case
[Graph: all four functions, single test case; image not preserved]

As seen from the graph, all 3 functions from the previous graph scale O(1), while malloc() on Windows goes out of control at around 16kb.

Conclusion

On Linux: use malloc() to save trouble; it scales quite well. Use mmap() if you want to do advanced memory management.
On Windows: use malloc() below 16kb, and VirtualAlloc() for bigger allocations.


MzBot2 API Beta 2

May 4, 2007

This has been sitting on my Desktop for a long time, and now I am itching to release it.
This will probably help people make their own bot, or customize MzBot… etc.
( Hint: This can be used to bypass ACTools, figure it out yourself! )

Who:
By Zuan, of course. All files signed, do check it.

What:
This is a DLL ( with .lib or .h ), that would use MzBot to provide bypassed SendInput function call.

When:
Now!

Where:
Zuan’s blog!
DL Link: http://filexoom.com/files/2006/12/20/49476/MzBot2%20API%20Beta%202.zip

http://www.divshare.com/download/623977-461

How:
If you know how to do dynamic DLL loading, then you probably know what to do… ( Most of you should know dynamic DLL loading… )
If you don’t, and you use BC++ or VC++, then you can use the header file. ( One extra layer with the header, so not so recommended. )
If you use another language ( except Java and some “You-just-shouldn’t-write-a-bot-with-it” languages ), then you can probably make use of the .lib and .def file…

APIs:
InitMzBot() (DLL) / MzBot_Init() (.h) — Inits the module and locates the MzBot process; if it returns 0, it failed.
AltSendInput() (DLL) / MzBot_SendInput() (.h) — Bypassed function for you to play with. =) Do not call it before init.