DOs and DON’Ts for malware/virus/botnet writer/user.

( Disclaimer: I am not supportive of virus/malware programming. )
Note: I have not blogged for 3 week, because I am quite busy recently. Originally, I am posting 3 post in one go, instead of 2 post, but the last post, which is a paper on the structure of KeServiceDescriptorTable(Shadow), and its related structure/method/functions, is not yet finished. I will be away for a week, so you can expect this paper around 1 to 2 weeks from now.
Regarding MzBot, as I mentioned, I am quite busy. So if you really want to add in feature, I can perhaps send you the source ( for the usermode part. ), or you can mod the EXE like how you mod Maple.

Although I have left the world of writing everything that’s evil and nasty, but just recently, I came across many poorly written virus. Just to name a few, some how this spyware called spylocked got stuck on my brother’s box. ( It’s a hijackware actually. ). What it does is pretty simple, it will constantly alert the user that there’s “spyware” in the computer, but the fact is, the only spyware around is itself, all it want you to do is to pay $$$ to the author, for a fake anti-spyware. It also make itself hard to uninstall.

There’s also the case of Mark Russinovich came across a botnet client that rename mIRC.exe as explorer.exe, and run whatever command that’s issued in the channel that it joined.

Anyway, enough ranting about noob virus that doesn’t work properly, here’s the tips:

- Don’t be evil
Remember, white hat dudes are always around. Unless you are hacking retard, or else someone will definitly catch you.

- Don’t use Visual Basic
This is common sense, Visual Basic is the big no-no when it comes to programming anything but fancy GUI that does practically nothing. All “virus” written in Visual Basic is source inclusive, I know you don’t mind people peeking at your virus’ source right? You released your virus under GPLv2? Cool! Do worry if your victim’s in a lack of MSVBVM60.DLL.

- Don’t use mIRC
We heard of the case of Zango sueing PC Tools, maybe mIRC will sue McAfee or something, who knows? Anyway, there are too many dudes out there abusing mIRC to write “botnet”, so the security dudes’ got fed up, they don’t allow mIRC to pass normally.

- Don’t target POSIX boxes
POSIX boxes are too portable, you have to ensure that your virus works on a toaster, before you can ensure that it works on NetBSD… =Z

- Don’t use commercial packers
Watch out! If you do, your virus will be stuck in someone’s unpacking tutorial!

- Don’t think they can’t find you if you do DLL injection
Spylocked’s main executable’s a DLL that runs in explorer’s process space. The author must be a mentally disabled to be satisfied with that level of protection.

- Don’t name it as picture.jpg.exe
We live in the twenty-first centuary, people’s not as dumb as to fall for some old social engineering tricks. Be more creative, there are other ways of getting people to run your code. Or even better, get your victim’s Windows to run the code for you, if you are lucky, you might just come across a bug that would allow code injection in any Windows computer.

- Don’t use other’s virus
AV Vendors are faster than you, always.

- Do make it clear that Ctrl-Alt-Del isn’t working
Things that you can do:
+ Delete taskmgr.exe
+ Screw OpenProcess()
+ Screw QuerySystemInformation()
+ Access I/O port 0×64 whenever they open Task Manager
+ Hammer _EPROCESS
+ Set PspCidTable a bomb
+ Mess the mm to give you an Address Space
+ Anything else that works

- Do delete your main executable
Renting a “house” on a foreign computer is too expensive, why not borrow other process’ executable? ntoskrnl.exe seemed to be a good choice. Don’t forget to delete your main executable after you injected into some other program.

- Do delay a bit before you do whatever that you are going to do
Please don’t
mov al, 0FEh
out 64h, al
the moment you get your code in your victim’s box. The rootkit philosophy is to be hidden, not to destroy. It would be more valuable to hide your code, than to give them coupons to free reboots, or free system reformat. It’s better that they don’t know.

- Do give dudes’ at Symantec/McAfee/F-Secure/ fun!
Imagine, those dudes sit in front of their computer the whole day disassembling lousy virus written by some noob with an absense of a main body of neurons. ( aka: Brain ) Very sadly, this is their job… Just in case your virus gets into these guys’ hands, please do ensure that they are well entertained! A completely metamorphic packaging, inclusive of built-in Virtualization method, with a dosage of high memory VM call… preferably some stack call method. That should do the job of enlightening their job.

- Do inject/intercept packet in NDIS if you need network
Local firewall in your victim’s box just doesn’t give a damm about the packets, if you send them by direct packet injection into the miniport driver’s queue.