*[ARTICLE] Infection gateways*

Introduction

Ok so you've just coded some awesome bot, trojan, virus, whatever. Now what? Obviously you need to find a way to spread the fun around, but how? You could use an exploit like the lsass one, but 9/10 it's been abused by skiddies and patched up faster than Paris Hilton can drop her pants. In my experience most people do not have a firewall or anti-virus, which makes things very easy for you (you may be inclined to disagree). What they do have however (by default) is automatic updates turned on, which means they'll download a patch for the exploit automatically, putting a massive stop on your fun. Why not consider exploiting:

- Human curiosity
- Default Windows behaviour

Fun with autorun.inf

If you've been into ANY kind of malware writing/research you must have heard about autorun.inf files. These marvellous little files will quickly become your best friend for infection. As most of you know, these files are responsible for running the setup file on CDs so you don't have to click the mouse a couple of times and burn those precious calories off. But what you probably DIDN'T know is that these can be used in a multitude of places, not just CDs. For starters you can use them on USB drives, which is my personal favourite for getting it spread around. It's also low key: if your app doesn't do anything stupid like wipe HDDs then chances are it will stay hidden for a very, very long time. Another cool thing you can do with these files is use them on network drives!
Once inside a large network like a school or workplace, putting these suckers on shared drives will make them spread like wildfire. If you're interested in this, here's a nice little article on USB and autorun.inf files: http://www.usbhacks.com/2006/10/25/how-to-quick-intro-to-hacking-autorun-for-usb-flash-drives/

Exploiting standard behaviour

This yet *again* uses autorun.inf, but in a creative way. As most of you computer savvy people know, Windows XP allows you to burn CDs with no software installed. Most advanced programmers will know you can access this through the COM interface, however having someone's CD drive start burning every time they insert a blank CD is a tad suspicious. The more subtle and lazy way goes like this:

- When a user wants to burn a CD he copies the files to the CD and they show up on the CD as temporary. When they are finished copying files they click on the "burn cd" button in Explorer and the burning happens.
- In the background, when the user copies files to the CD, Windows actually copies them to this folder: "C:\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\CD Burning". As you can see this is quite easily exploitable: you have your program scan this directory regularly checking for files (you need to do this because if you put your files in first, a message pops up notifying the user, so you have to wait until they have already put something in there). Once you find a file, you copy your exe and autorun.inf file to this folder.
- What happens now is whenever Joe Bloggs puts this CD in his computer (or sends it to grandma) he'll infect himself, because your exe autoruns by default: no notification, no nothing.

Simple eh? Just an example of how you can exploit standard program behaviour for your own uses. I might also add that you need to make your files invisible when you copy them, otherwise the user will see them when they open the temp CD up.
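The staging-folder trick above boils down to a hidden autorun.inf pointing at a hidden exe that was not there when the user started copying files. As an added example that is not part of the original article, here is a small Python audit helper a defender can run over such a folder listing: it parses the autorun.inf the way Windows reads it (open=, shellexecute= and shell\<verb>\command= under [autorun]) and reports what would launch and whether the pieces are hidden. The folder contents are constructed, and the listing is modelled as a dict of name -> (content, hidden) because the hidden attribute is not portable.

```python
import configparser

# Constructed sample (not from the article): a staging folder holding the user's
# photo plus a hidden autorun.inf and a hidden executable dropped in afterwards.
SAMPLE_AUTORUN = "[autorun]\nopen=Updater.exe\nicon=Updater.exe\nshell\\open\\command=Updater.exe /quiet\n"
SAMPLE_FOLDER = {
    "holiday.jpg": (None, False),
    "autorun.inf": (SAMPLE_AUTORUN, True),
    "Updater.exe": (None, True),
}


def parse_autorun(text):
    """Return the programs an autorun.inf would launch, in order, without duplicates."""
    # autorun.inf is INI-shaped; strict=False tolerates duplicate keys, keys are lowercased
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            is_launch = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if not is_launch or not value:
                continue
            program = value.strip().split()[0].strip('"')  # drop arguments
            if program not in targets:
                targets.append(program)
    return targets


def audit_folder(files):
    """Report what an autorun.inf in this listing would run and whether the pieces are hidden."""
    findings = []
    inf = next((n for n in files if n.lower() == "autorun.inf"), None)
    if inf is None:
        return findings
    content, hidden = files[inf]
    if hidden:
        findings.append("autorun.inf is hidden")
    for program in parse_autorun(content or ""):
        match = next((n for n in files if n.lower() == program.lower()), None)
        if match is None:
            findings.append(f"autorun.inf launches {program} (not in folder)")
        elif files[match][1]:
            findings.append(f"autorun.inf launches {program} (hidden)")
        else:
            findings.append(f"autorun.inf launches {program}")
    return findings
```

A visible autorun.inf pointing at a visible setup program is the normal CD case and is reported as a plain launch; the hidden-plus-hidden combination is the one worth stopping before the disc is burned.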
Exploiting the weakest link

By far the weakest link in security is the meatbag in front of the computer. Most computer users are ignorant and don't understand that something that affects their computer can also potentially affect (or infect) the rest of the computers they are attached to. People are very curious about most things; with a bit of research you can find the new people in a large business and target them individually. By infecting their home PC with a cleverly worded email tempting them to open an exe, most likely they'll take their mp3 player to work and plug it into their workstation, potentially opening up their entire network to you.

I once didn't believe that people could be fooled this easily, so I conducted an experiment at a large LAN I went to. I created a shared folder on my PC called "Music", inside I placed a single exe that was called "dont click me!", and I waited. About half an hour later I heard people yelling about a virus on the network and asking everyone to disconnect asap. (It wasn't a virus, all it did was draw shit all over the screen.)

Conclusion

This was a bit of a mish mash of ideas, but I hope at least one person found it useful or at the very least mildly entertaining.

-Rohit Bansal
Infysec.com, Evilfingers