DOs and DON’Ts for malware/virus/botnet writer/user.

May 27, 2007

( Disclaimer: I am not supportive of virus/malware programming. )
Note: I have not blogged for 3 week, because I am quite busy recently. Originally, I am posting 3 post in one go, instead of 2 post, but the last post, which is a paper on the structure of KeServiceDescriptorTable(Shadow), and its related structure/method/functions, is not yet finished. I will be away for a week, so you can expect this paper around 1 to 2 weeks from now.
Regarding MzBot, as I mentioned, I am quite busy. So if you really want to add in feature, I can perhaps send you the source ( for the usermode part. ), or you can mod the EXE like how you mod Maple.

Although I have left the world of writing everything that’s evil and nasty, but just recently, I came across many poorly written virus. Just to name a few, some how this spyware called spylocked got stuck on my brother’s box. ( It’s a hijackware actually. ). What it does is pretty simple, it will constantly alert the user that there’s “spyware” in the computer, but the fact is, the only spyware around is itself, all it want you to do is to pay $$$ to the author, for a fake anti-spyware. It also make itself hard to uninstall.

There’s also the case of Mark Russinovich came across a botnet client that rename mIRC.exe as explorer.exe, and run whatever command that’s issued in the channel that it joined.

Anyway, enough ranting about noob virus that doesn’t work properly, here’s the tips:

– Don’t be evil
Remember, white hat dudes are always around. Unless you are hacking retard, or else someone will definitly catch you.

– Don’t use Visual Basic
This is common sense, Visual Basic is the big no-no when it comes to programming anything but fancy GUI that does practically nothing. All “virus” written in Visual Basic is source inclusive, I know you don’t mind people peeking at your virus’ source right? You released your virus under GPLv2? Cool! Do worry if your victim’s in a lack of MSVBVM60.DLL.

– Don’t use mIRC
We heard of the case of Zango sueing PC Tools, maybe mIRC will sue McAfee or something, who knows? Anyway, there are too many dudes out there abusing mIRC to write “botnet”, so the security dudes’ got fed up, they don’t allow mIRC to pass normally.

– Don’t target POSIX boxes
POSIX boxes are too portable, you have to ensure that your virus works on a toaster, before you can ensure that it works on NetBSD… =Z

– Don’t use commercial packers
Watch out! If you do, your virus will be stuck in someone’s unpacking tutorial!

– Don’t think they can’t find you if you do DLL injection
Spylocked’s main executable’s a DLL that runs in explorer’s process space. The author must be a mentally disabled to be satisfied with that level of protection.

– Don’t name it as picture.jpg.exe
We live in the twenty-first centuary, people’s not as dumb as to fall for some old social engineering tricks. Be more creative, there are other ways of getting people to run your code. Or even better, get your victim’s Windows to run the code for you, if you are lucky, you might just come across a bug that would allow code injection in any Windows computer.

– Don’t use other’s virus
AV Vendors are faster than you, always.

– Do make it clear that Ctrl-Alt-Del isn’t working
Things that you can do:
+ Delete taskmgr.exe
+ Screw OpenProcess()
+ Screw QuerySystemInformation()
+ Access I/O port 0x64 whenever they open Task Manager
+ Hammer _EPROCESS
+ Set PspCidTable a bomb
+ Mess the mm to give you an Address Space
+ Anything else that works

– Do delete your main executable
Renting a “house” on a foreign computer is too expensive, why not borrow other process’ executable? ntoskrnl.exe seemed to be a good choice. Don’t forget to delete your main executable after you injected into some other program.

– Do delay a bit before you do whatever that you are going to do
Please don’t
mov al, 0FEh
out 64h, al
the moment you get your code in your victim’s box. The rootkit philosophy is to be hidden, not to destroy. It would be more valuable to hide your code, than to give them coupons to free reboots, or free system reformat. It’s better that they don’t know.

– Do give dudes’ at Symantec/McAfee/F-Secure/ fun!
Imagine, those dudes sit in front of their computer the whole day disassembling lousy virus written by some noob with an absense of a main body of neurons. ( aka: Brain ) Very sadly, this is their job… Just in case your virus gets into these guys’ hands, please do ensure that they are well entertained! A completely metamorphic packaging, inclusive of built-in Virtualization method, with a dosage of high memory VM call… preferably some stack call method. That should do the job of enlightening their job.

– Do inject/intercept packet in NDIS if you need network
Local firewall in your victim’s box just doesn’t give a damm about the packets, if you send them by direct packet injection into the miniport driver’s queue.


About Memory Management and Memory Allocation

May 27, 2007

One of the many functions of an Operating System is to manage the memory, and distribute them amongst running processes and threads.

The operating system does this by having a pool of memory, that means unused memory, then assign memory from the pool to any program/process that request for it.

This act of assigning memory from the pool, to the program/process is called memory allocation

Two method of memory allocation
– Direct Memory Mapping
This method directly notify the operating system that you need an amount of RAM, and the operating system would assign it to you.
The disadvantage of this is that system call ( direct notification to the operating system ) is an expensive process, as in it is slow. Further more, there are often restrictions that one have to allocate to page size, or it will be rounded up to page boundary. ( Normal page size is 4k on x86 CPU if I am not wrong. ) Another advantage is that you get to set the I/O privilege of the pages.
Example of implementation:
mmap(); // POSIX
VirtualAlloc(); // Windows

– Allocate from heap
This method is to preallocate a few page ( called the program heap ), then whenever a request for memory is issued, it will see if the free space in heap is big enough to fulfill the request. If it is, then it will directly assign those memory from the heap to the program. Otherwise, it will allocate more page, then assign the memory. Note that this method happens outside of the Operating System.
Disadvantage is that there’s an extra layer, and does not allow you to specify the I/O privilege of the pages that you are allocating. The advantage is that one can allocate any size of memory, without the limitation of page size. Also, it is faster, as most of the time it doesn’t involve in system calls.
Exampe of implementation:
mallloc(); // ANSI C

The easiest way to understand the performance of these memory allocation routine is to do a benchmark.
I conducted one on my laptop ( For specs, see previous post. ). The contesters are:
– malloc() on Linux
– VirtualAlloc() on Windows // MEM_COMMIT, PAGE_EXECUTE_READWRITE
– malloc() on Windows

The software versions are:
Linux kernel 2.6.18, glibc 2.3.6
Windows XP SP2

The procedure as follow:
1. Start timing.
2. Allocate x byte.
3. Access the first byte of the allocated memory.
4. Free the memory.
5. Repeat step 2~4 for a total of 2048 times.
6. Stop timing and record reading.

Timing is done with the following API/Function:
gettimeofday(); // POSIX/Linux
QueryPerformanceCounter(); // Windows

Hmm, probably accurate enough, although:
Sleep(10); Resulted in around 89xx microsecond
usleep(10*1000); Resulted in around 100xx microsecond
// Note: Sleep() is a Windows API, while usleep() is a POSIX one.

The program is compiled with Visual C++ 6 on Windows, and gcc on Linux. ( duh! )

Benchmarking Result
Let’s visualize it:
Click to enlarge
Click to enlarge?

Seemed that malloc() on Windows is sort of messed up after 64kb allocation
Perhaps Microsoft should fix it?

It even spoilt the graph, that we only see the green line.

This is the graph without malloc() on Windows:
Click to enlarge
Click to enlarge?

Seemed that all 3 function scaled O(1) before 128kb.

I wondered how malloc() on Windows scaled.

So this is the third graph with all 4 function, but only with test case Click to enlarge
Click to enlarge?

As seen from the graph, all the 3 function from the previous graph scaled O(1), while malloc() on Windows goes at out of control at around 16kb.


On Linux: Use malloc to save trouble, it scales quite well. Use mmap if you want to do advanced memory management.
On Windows: Use malloc before 16kb size, use VirtualAlloc() for bigger page size.

MzBot2 API Beta 2

May 4, 2007

This have been sitting on my Desktop for a long time, and now I am itching to release it.
This probably will help people making their own bot, or customize MzBot… etc
( Hint: This can be used to bypass ACTools, figure it out yourself! )

By Zuan, of course. All files signed, do check it.

This is a DLL ( with .lib or .h ), that would use MzBot to provide bypassed SendInput function call.


Zuan’s blog!
DL Link:

If you know how to do dynamic DLL loading, then you probably know what to do… ( Most of you should know dynamic DLL loading… )
If you don’t, and use BC++ or VC++, then you can use the header file. ( One extra layer with the header, so not so recommended. )
If you use other language, ( except Java and some “You-just-shouldn’t-write-a-bot-with-it” language. ) then you probably can make use of the .lib and .def file…

InitMzBot() (DLL) / MzBot_Init() (.h) — Init the module, locate MzBot process, if it return 0, means failed.
AltSendInput() (DLL) / MzBot_SendInput() (.h) — Bypassed function for you to play with. =) Do not call if not init.-ed.

Review on Acer Aspire 5612ZWLMi + Debian Linux

April 29, 2007

I have been with this laptop for around one and a half month.
So it is a time to write a review on it.

– CPU: Intel Core Duo T2060, clocked at 1600MHz. ( It is marketed as “Intel Pentium Dual-core processor T2060” )
– Harddisk: 80GB
– Display card: Intel GMA950
– Network chipset: Ethernet: Broadcom Corporation BCM4401-B0 100Base-TX; Wireless: Broadcom Corporation BCM4318 [AirForce One 54g] 802.11g Wireless LAN Controller
– Audio chipset: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller
– Preloaded OS: Windows Vista Home Premium

The first thing I do is to get Vista off my laptop, since it will turn some dual-core CPU into an ancient 80386…

Ok, let me save the crap for later, and comment on Linux’ support on the laptop’s various hardware. Just to note that my kernel version is 2.6.18, and I am using Debian GNU/Linux 4.0 ( Codename `Etch` )

– CPU => OK
This CPU worked quite well. Just that the speedstep wasn’t setup properly by the system by default. A few modprobe solved it:
modprobe cpufreq_ondemand
modprobe speedstep_centrino
echo ondemand > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
echo ondemand > /sys/devices/system/cpu/cpu1/cpufreq/scaling_governor

– RAM and Harddisk => Good
Of course it works.. -_-”

– Display Card => Good
Auto-detected by default. I didn’t install 915 resolution, because 1024*768 is good enough for me. Beryl worked well with this chipset.

– CD-ROM => Good
Auto-detected by default. Burn CD without trouble. ( Using k3b. )
k3b’s auto burning speed’s around 10x.

– Network Chipset ( Ethernet )=> Good
Auto-detected by defualt. No problem till now.

– Network Chipset ( Wireless ) => OK
Auto-detected by defualt. But there are transmission power problem. Able to access the network within 10~15 meter from the access point. ( Using Linux’ native driver. )
You might also want to try the ndiswrapper driver, maybe it will work better.

– Audio Chipset => Good
Auto-detected by defualt. No problem till now

– Hotkeys => Doesn’t work
Extra keys on the laptop ( Those on the left most and beside the power button ), that provide shortcut to some functions ( Eg: E-mail, Browser, media player ) doesn’t work, but who cares? =)

– Preloaded OS => Worst + Lousy
echo “Windows Vista” > /dev/null ; install linux

Is it just in TJC, or systems all over Singapore is like that?

April 14, 2007

This post’s regarding various security holes I see in the schools’ computer system. Please note that I am not trying to hack the school’s system. ( I promised Mr. Low that I won’t. ) This is posted here in the hope that they will fix it. Also, I did not actively audit the system, these are just some that I come across without auditing.

Wireless system
When I first came into Temasek Junior College, I met the IT assistance/manager ( His name is Yang Le, or however it should be spelt ), and he bet with me that I cannot retrieve the schools wireless password. He also claimed that the password is secure, because it is long…

However, a standard WPE password must be 26 character long, and is made up of hexidecimal. Therefore, his password is as strong as all the other WEP passwords. His claim of his password being more secure is a false claim.

Anyway, the bet is still on, so that day, I spent half an hour coding a simple keylogger on my previous laptop, a Compaq Presario 1500. It took me 5 minute to start up my comp, another 5 minute to start up Visual Studio 2003, and another 7 minute to create a new project. ( That laptop retired just one month ago, since it is too old. )

A keylogger’s done in 10 minutes time, abusing the GetAsyncKeyState() API is quite fun indeed. I am quite amazed that one of my classmate, S??????n recognized that it is C++ language. ( Name censored for privacy. )

I keylogged him ( The IT Assistance ), and obtained the wireless password. Which is just as what my classmates found out from our senior, the factory defualt for 3com wireless accesspoint.

Later, I talked to Mr. Low, the IT manager ( or whatever position he held. ). He told me that it is the factory defualt, not for security, but because it is troublesome to change every of the accesspoint in the school.

The nature of wireless network allowed every single computer on the network, or in some circumstances, any computer within the range of the transmitter, to recieve what everyone’s talking about on the network. Since the signal’s transmitted into the air.

With this nature of wireless network, information is easily accessible. Therefore, the extra security measurements need to be in place.

The e-learning portal – The MaTrix
I am quite pleased that the e-learning portal have a basic form of encryption in place to prevent password from being transmitted as plain text. They also ensured that the password cannot be derived from what is sent across the net.

How they achieved this is described below:
1. When the login page is displayed, the server generate a seed and send you.
2. When you login, the password is encrypted with digestive algorithms like md5. Furthermore, to prevent brute force of md5 with precomputed table, the salt/seed is added to the password.
3. Together with the username and seed, the password in the form of hash is sent to the server.
4. The server md5 the password from the database, with the seed, then compare the result to the one recieved from your browser.
5. It set the cookie if it matches.

The method is quite good, but not without weakness:
1. We now know that the passwords are stored in plain text, which is not a good practice. ( Maybe not, seemed that the password’s passed md5() twice… )
2. We don’t need the password to login, we just take the hash, username, and seed ( that we obtain by some ways ), then we can send it to the server like how legitimate logins are made, the server would acknowledge the login, and we are in.

To fix no. 2, the server should set a timeout for each seed.

The Student Portal
I am quite pleased that the student portal is taking the same strategy as The MaTrix, md5 the password before it is send onto the net.

Yang Le ( Or however his name may be spelled. ) did a good job in writing the Student Portal. It is more advanced in security than the MaTrix, as it made use of the ASP Session ID properly.

I dare not say that the Student Portal is secure, but I would say that it is secure comparatively to the MaTrix.

There is a vulnerablity in the staff/student directory page, that allowed arbitrary remote SQL code execution. By submitting a specially crafted string as the keyword, the attacker can do anything to the database, that includes… sadly… drop database;.

To fix it, the search page should convert special characters, such as “‘”, “:”, “;”, into escaped form, eg: “\'” ( Examples in this sentense is without the double quotation — ” )

Another vulnerablity with the student portal is that the search page doesn’t not limit the interval of your search query. This could be a potential vulnerablity to DDOS, probably given the power of 2 to 3 computer, any attacker can crash the Student Portal SQL server or even the web server, if they are the same box.

To Yang Le, in case he is reading my blog: I am waiting…. For a proper legal statement of the student portal.

After all, I have not even started. This is just some bugs that I spotted while in school. Perhaps I will start the real auditing when Mr. Low give me the permission…

The weird thing about my blog is that it does not have any link to other’s blog, eg: my classmate’s blog.

My blog is going to have a link section!

Those who want to be linked, please leave a comment.

For h4xx0rs, I don’t want to link your “life” blog, sorry. Techical blog only. ( A mixed one’s alright.. perhaps… )

Some info on cryptography

April 9, 2007

Erm, first of all, this blog is NOT dead, I didn’t post for quite sometime is because I am really busy with my school works…

Seemed that many doesn’t know how to verify files….

Many’s impression of crytpography is that you have a key, that you can use to encrypt and decrypt. Like this:
“This is a message” ==> Encrypt with Key ( 561173 ) ==> “VGhpcyBpcyBhIG1lc3NhZ2U=” ==> Decrypt with the same Key ( 561173 ) ==> “This is a message”
( This is just a demo, erm… no Base64 is harmed?! )

The above type of cryptography is called symmetrical cryptography, meaning that the key that is used to encrypt can decrypt the data. With this type of cryptography, it is hard to keep the key secure. If the oth
er side need to decode the message, he will need the key, and if the key is send along with the message, then whoever’s evasdropping can get the key also…

Therefore, there’s a new type of cryptography… I mean, newer than symmetrical cryptography, but older than most of us anyway. ( and yes, that includes YoYo too, one of the leet-est member I ever have in DA, and he’s 38 last year. )

It is called asymmetrical cryptography, as the name suggest, the key to encrypt, and to decrypt is different. Furthermore, you cannot derive one key from another.

How is this applied? Let’s take an example:
Bob wants to send a message to Alice.
Alice generate a pair of key. She send the encryption key to Bob. ( Eavesdropper gets the key too… )
Bob encrypt the message with the encryption key, he then send it. ( Eavesdropper can’t decrypt it, since the encryption key cannot decrypt, and the decryption key cannot be derived from the encryption key. )
Alice gets the message and decrypt it.

Let me introduce some terminology:
– Public Key is the key that you would allow everyone to know. In the case of signing files, it will be the decryption key. In the case of encrypting files, it will be the encryption key.
– Private Key, opposite of public key. No one, except you, should have it.

Also to note, most modern cryptography algorithms allows encryption or decryption with a key. Meaning that it is not fixed that this key can only be used for encryption or decryption. If you use a key to encrypt, then you would need the other key to decrypt. And vice versa.
Ok, enough Cryptography-101… I mean enough basic stuff, let’s move on to real applications.
Cryptography software allows us to:
– Create a pair of key
– Encrypt a file, that only the recipient can
– Sign a file
.. etc..

The software that I propose is Gnu Privacy Guard, also known as GPG. This software is compatible with PGP.
Although it is a CLi software, but you won’t need to touch the CLi interface anyway… There are GUIs out there.

For Windows:
Please go to and download the software.
Here’s a step by step on how to verify a signed file:
1. You need to import the author’s public key.
– Start GPA.
– If prompted to generate key pair, it is up to you that when you want to do it, or if you want to do it at all.

Default Startup Scene.

Now Click Server->Retrieve Key:

Next, key in the key ID.

Then, it will tell you that it got the key. ( It requires internet access to fetch the key. )

Just to ensure nobody meddled with the key, you can verify the fingerprint:

Ok, now we are done with importing the keys.

2. Verifying the file.
– Go to the directory where the file is.
– Right click -> GPGee -> Verify/Decrypt File

– Then, it will tell you if the signature and the file is valid, or not.

– OK, now you are done!

For more information on my public key, visit the About page.
Feel free to tell me if any of you created any key pairs, so I can add them in also.

There are also many information on cryptography software like GPG, Google It!


Just some side news here:
– GMS GG rev 1000, MzBot survived it.
Debian GNU/Linux 4.0 ( Codename `Etch` ) Released! Finally! I have been waiting for it for 5 month! Beta testing it for 3 month! ( and met no bugs… LoL! )
– Gonna help in the K Desktop Environment Project, possible areas:
+ Kig, part of the KDE Edu package. If possible, I will persuade the school to drop GSP.
+ Plasma, the shell. I got some idea for Application Launching methods….
+ Chinese i18n
But before that, I gotta brush up my Qt skills…. The last time I did Qt C++ programming was…I can remember then…

That was my PSLE year… before I started fiddling this 10-year old online game called MapleStory, before I started writing mailing spammer/flooder….

MzBot 2.0 Beta 2

March 26, 2007

I was very busy over the past few weeks, so I didn’t really do any MzBot development.

Today, I freed up 2 hour, and added in 2 extra command, and 1 IPC.

Sorry, some rants here:File system is the WORST IPC I have ever tried!

Ok, let me introduce the new features:
– ss command, this command will allow you to send keyboard scan code. Eg:
ss 29
Would help you press the Ctrl key once, which is the attack key.
– mc command, this command will allow you to stimulate a left mouse click. Eg:
Would help you to LeftClick once
– File system IPC. Now your programme can send command to MzBot! With this feature, you can now write a GUI to MzBot, by sending MzBot commands (vs) to it.
Also, you can write your own bot by sending the ss and mc command to MzBot!
How you can do this is:
– Try to access C:\toBzM.comm.instr
– If the file is empty, or not found, MzBot is probably ready.
– Write whatever command you want MzBot to do in the file
– Close the file.
– When the file is empty, or not found again, MzBot have done the command.

By the way, starting from this version, all MzBot from me will be signed, meaning that you can check the integrity of the file.

Note: If your programme is using MzBot for botting function, please do add in “Botting component powered by MzBot”

Download points: