infection-gateways.txt
Posted Nov 7, 2008
Authored by Rohit Bansal

Whitepaper discussing various infection gateways.

tags | paper
SHA-256 | 5a8c33cea1bf26eee1042ba0601ed180094d88fa5b872221fa7b9230af9c356e

*[ARTICLE] Infection gateways*

Introduction

Ok, so you've just coded some awesome bot, trojan, virus, whatever. Now what?
Obviously you need to find a way to spread the fun around, but how? You
could use an exploit like the LSASS one, but 9/10 it's been abused by
skiddies and been patched up faster than Paris Hilton can drop her pants.

In my experience most people do not have a firewall or anti-virus, which
makes things very easy for you (you may be inclined to disagree). What they
do have, however (by default), is automatic updates turned on, which means
they'll download a patch for the exploit automatically, putting a massive
stop on your fun.

Why not consider exploiting:

- Human curiosity
- Default Windows behaviour

Fun with autorun.inf

If you've been into ANY kind of malware writing/research you've HAD to have
heard about autorun.inf files. These marvellous little files will quickly
become your best friend for infection. As most of you know, these files are
responsible for running the setup file on CDs so you don't have to click the
mouse a couple of times and burn those precious calories off.

But what you probably DIDN'T know is these can be used in a multitude of
places, not just CDs. For starters you can use them on USB drives, which is
my personal favourite for getting it spread around. It's also low key: if
your app doesn't do anything stupid like wipe HDDs then chances are it will
stay hidden for a very, very long time.

Another cool thing you can do with these files is use them on network
drives! Once inside a large network like a school or workplace, putting
these suckers on shared drives will make them spread like wildfire.

If you're interested in this, here's a nice little article on USB and
autorun.inf files:
http://www.usbhacks.com/2006/10/25/how-to-quick-intro-to-hacking-autorun-for-usb-flash-drives/

Exploiting standard behaviour

This yet *again* uses autorun.inf, but in a creative way. As most of you
computer-savvy people know, Windows XP allows you to burn CDs with no
software installed. Most advanced programmers will know you can access this
through the COM interface; however, having someone's CD drive start burning
every time they insert a blank CD is a tad suspicious.

The more subtle and lazy way goes like this:

- When a user wants to burn a CD he copies the files to the CD and they show
up on the CD as temporary. When they are finished copying files they click
on the "Burn CD" button in Explorer and the burning happens.

- In the background, when the user copies files to the CD, Windows actually
copies them to this folder:

"C:\Documents and Settings\%username%\Local Settings\Application
Data\Microsoft\CD Burning".

As you can see this is quite easily exploitable: you have your program scan
this directory regularly, checking for files (you need to do this because if
you put your files in first a message pops up notifying the user; you have
to wait until they have already put something in there). Once you find a
file, you copy your exe and autorun.inf file to this folder.

- What happens now is whenever Joe Bloggs puts this CD in his computer (or
sends it to grandma) he'll infect himself, because your exe autoruns by
default: no notification, no nothing.

Simple, eh? Just an example of how you can exploit standard program behaviour
for your own uses. I might also add that you need to make your files
invisible when you copy them, otherwise the user will see them when they
open the temp CD up.
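A defender-side check for the two autorun.inf gateways described in this
and the previous section. This is an added example written for this page,
not code from the paper or its author: it parses an autorun.inf the way
AutoRun reads it, reports which program each open=, shellexecute= or
shell\<verb>\command= directive would launch, flags hidden files sitting
next to it, and can be pointed at a mounted drive root, a share root or the
Explorer CD-burning staging folder. The XP staging path is the one the paper
gives; the later %LOCALAPPDATA%\Microsoft\Windows\Burn\Burn path and the
sample autorun.inf contents are this example's own assumptions.

```python
"""Audit autorun.inf files on removable media, share roots and the Explorer
CD-burning staging folder. Added example for this page; all sample data below
is constructed and the placeholder bytes are not a real program."""
import os
import shlex
import stat
import tempfile
from pathlib import Path

# Directives that make AutoRun/AutoPlay start or offer a program.
LAUNCH_KEYS = ("open", "shellexecute")
PROGRAM_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

# Staging folders Explorer uses for "Burn CD". The XP path is from the paper;
# the Vista-and-later path is included as an assumption of this example.
CD_STAGING_FOLDERS = (
    r"%USERPROFILE%\Local Settings\Application Data\Microsoft\CD Burning",
    r"%LOCALAPPDATA%\Microsoft\Windows\Burn\Burn",
)


def parse_autorun(text):
    """Return (directive, target) pairs from an autorun.inf body.

    Handles the [autorun] section (and variants such as [autorun.amd64]),
    the open= / shellexecute= keys, and shell\\<verb>\\command= keys, which
    add a clickable verb to the drive's context menu. ';' comments are skipped.
    """
    hits, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            hits.append((key, value))
    return hits


def launch_target(value):
    """First token of a directive value, unquoted: the file that would run."""
    parts = shlex.split(value, posix=False)
    return parts[0].strip('"') if parts else ""


def is_hidden(path):
    """True when the NTFS hidden attribute is set; False where stat() lacks it."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def audit_directory(root):
    """Audit one directory root (mounted USB stick, share root or CD staging
    folder). Returns a list of finding strings; an empty list is a clean result."""
    root = Path(root)
    findings = []
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return findings
    for key, value in parse_autorun(inf.read_text(errors="replace")):
        target = launch_target(value)
        if Path(target).suffix.lower() not in PROGRAM_SUFFIXES:
            continue  # icon=, label= and friends do not launch anything
        exe = root / target
        state = "present" if exe.exists() else "missing"
        if exe.exists() and is_hidden(exe):
            state += ", hidden"
        findings.append(f"{inf.name}: {key}={value} -> would launch {target} ({state})")
    if is_hidden(inf):
        findings.append(f"{inf.name} itself is hidden")
    return findings


def audit_cd_staging():
    """Audit whichever Explorer staging folder exists here (Windows only;
    returns [] elsewhere because %VAR% is not expanded on other platforms)."""
    results = []
    for folder in CD_STAGING_FOLDERS:
        p = Path(os.path.expandvars(folder))
        if p.is_dir():
            results.extend(audit_directory(p))
    return results


def demo():
    """Throwaway directory mimicking a USB root that carries the pattern the
    paper describes. Constructed sample; 'MZ placeholder' is not a program."""
    sample_inf = (
        "[AutoRun]\n"
        "; constructed sample for this example\n"
        "open=setup.exe /quiet\n"
        "icon=setup.exe,0\n"
        "shell\\install=&Install\n"
        "shell\\install\\command=setup.exe\n"
    )
    with tempfile.TemporaryDirectory() as d:
        Path(d, "autorun.inf").write_bytes(sample_inf.encode())
        Path(d, "setup.exe").write_bytes(b"MZ placeholder")
        return audit_directory(d)


if __name__ == "__main__":
    for line in demo() + audit_cd_staging():
        print(line)
```

The demo reports two findings for the constructed stick (the open= directive
and the shell\install\command= verb, both pointing at setup.exe). Run on a
real machine, an autorun.inf in the CD-burning staging folder that the user
did not put there is the signal this section describes. Since the paper was
written, Microsoft has disabled AutoRun for non-optical media on supported
Windows versions, and the NoDriveTypeAutoRun policy value under
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer set to 0xFF turns
it off for every drive type, which removes the automatic part of both
gateways; the audit still catches the file being staged for someone to
double-click.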

Exploiting the weakest link

By far the weakest link in security is the meatbag in front of the computer.
Most computer users are ignorant and don't understand that something that
affects their computer can also potentially affect (or infect) the rest of
the computers they are attached to.

People are very curious about most things; with a bit of research you can
find the new people in a large business and target them individually. By
infecting their home PC with a cleverly worded email tempting them to open an
exe, most likely they'll take their MP3 player to work and plug it into
their workstation, potentially opening up their entire network to you.

I once didn't believe that people could be fooled this easily, so I conducted
an experiment at a large LAN I went to. I created a shared folder on my PC
called "Music", inside I placed a single exe that was called "dont click
me!", and I waited. About half an hour later I heard people yelling about a
virus on the network and asking everyone to disconnect ASAP. (It wasn't a
virus; all it did was draw shit all over the screen.)

Conclusion

This was a bit of a mish-mash of ideas, but I hope at least one person found
it useful or at the very least mildly entertaining.

-Rohit Bansal
Infysec.com, Evilfingers