Copy Link
Add to Bookmark
Report
xine-2.008
/-----------------------------\
| Xine - issue #2 - Phile 008 |
\-----------------------------/
A short intro to network virus spreading
--------------------------------------------> by Kernel Panik
Hello All,
this is short overview about the network spreading methods used by
Homer. First of all have a look at the article about its construction
in general. Then keep in mind that Homer is only a demostration of
what can be done .... there are plenty of unexplored possibilites.
Note the following two points:
* the easiness of adding network capabilites to Homer comes from
the fact that it is a user level virus. I just cannot imagine how
working with winsockets in assembler looks like. I think it would be also
very difficult to use the winsock library from a VXD. It is possible
to use a special VXD service to call normal windows api, but
currently I haven't any idea about how to get windows messages from there.
So consider to add a payload with a C winsock aware program in your next
windows virii,
* with the use of the api hooking technique I explained in the cited
above you can see what network services are in use. For example
Homer hooks gethostbyname and its non-blocking counterpart to
get hostnames.
Now just two words about socket programming under windows. I
grew up under Unix and I found winsocket rather messy. You must
always use non-blocking function (those starting with WSA or by
setting the right attributes of the socket with WSAAsyncSelect)
otherwise the system will be blocked for long times due slow
response speed of the net. So you must get the notification of
what the winsock subsytem is doing. Finally this implies that your
application must have a callback procedure where the messages are
sent. Have a look to any text on windows internet programming or refer to
the Homer source for more info.
What Homer does is uploading himself via ftp in the incoming direcotry
of the host that the user tries to connect (or better for which he
asks the resolver for hostname->IP translation). This is rather
difficult because the File Transfer Protocol is rather wired.
You must first open a control connection to the server and send
commands. Then you must open a socket on the local machine waiting
for the server to conect back (this is the data port) and then you can send
data. Now your finished your job and you can close the sockets you need.
See the apropiate RFC for more details about FTP or other Internet
protocols.
This is only the beginning of network aware viruses. Here are
some other ideas I think are rather easy to implement:
* you can send viruses in mail or newsgroups: they can be interpreted
by some rather silly programs (like FreeAgent or Microsoft Exchange)
if you tag them with the right mime type or make them seem like files
that gets interpreted (for example winword documets).
* you can improve ftp upload, by making virus pack itself in a zip
(store only, no compression for simplicity) with other stuff he got,
for example, from the victim's hard disk ..... this should be also very
funny.
* it should be also very interesting to use windows specific network
techniques like network DDE and RPC.
So you see there are plenty of new realms to explore and conquere :-)
I hope Homer is tou you at least an incentive for further work!
