The Assembly, and Disassembly, of Malware, Viruses and Other Naughty Code
Disclaimer: most of the code and instruction contained herein won't help you in the real world when it comes to whatever your nefarious deeds may be; they're more useful academically, to show the route virus writers may take and how we can trace strange connections and processes. That being said, you may learn some interesting tricks, but please, don't give me any credit.
Preface
First, a couple of definitions and explanations. The term malware is a good blanket term here, but mainly I'm demonstrating two kinds, both of which could probably just be defined as viruses, and neither of which is sophisticated enough to survive in the wild, though they wouldn't be difficult to make sophisticated enough. I was undecided on whether or not to tackle propagation techniques, that is to say the methods by which the virus spreads, and in the end laziness won out: it is too large a topic to tack on to the end of this piece.
I shall be demonstrating a basic back door, similar to one I have used before when demonstrating social engineering. This time, though, I have added code to handle errors gracefully and to cope with environments where we cannot open the port we need.
I shall also demonstrate code which could, theoretically at least, form a centrally operated botnet. In these situations one tends to obfuscate the websites and servers used to control the botnet, and so I have written code to change servers daily to seemingly random ones.
Now, once again, this may all seem very irresponsible, but if you have the ability to understand the code and concepts, you have the ability to write the code in the first place. It is also in Python for ease of demonstration. If you know how to port your code to C, or can make a Windows executable from your Python code, then you already have the skills to write the damn thing. We're bothered about reverse engineering, not writing.
The tools we'll mainly be using are tcpdump and strace.
strace is an absolutely fantastic tool to use for reverse engineering; from the man page:
  strace is a useful diagnostic, instructional, and debugging tool. System administrators, diagnosticians and trouble-shooters will find it invaluable for solving problems with programs for which the source is not readily available since they do not need to be recompiled in order to trace them. Students, hackers and the overly-curious will find that a great deal can be learned about a system and its system calls by tracing even ordinary programs. And programmers will find that since system calls and signals are events that happen at the user/kernel interface, a close examination of this boundary is very useful for bug isolation, sanity checking and attempting to capture race conditions.
To put it more briefly, if less eloquently, strace prints the system calls the code is making. We use ps to find the PID of the process, then pass that PID to strace with the -p flag.
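Once strace is attached, the first thing a defender wants out of the stream is which ports the process binds and which hosts it connects to. As an added example (not code from the original article), this Python parses the bind() and connect() lines from a constructed sample of `strace -f -e trace=network -p <PID>` output and separates successful listens, outbound peers and failed attempts, such as a bind that falls back to another port because the first is in use.

```python
import re
from collections import namedtuple

# Constructed sample of `strace -f -e trace=network -p <PID>` output, not a real capture.
SAMPLE = """\
[pid  4242] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
[pid  4242] bind(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EADDRINUSE (Address already in use)
[pid  4242] bind(3, {sa_family=AF_INET, sin_port=htons(4445), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
[pid  4242] listen(3, 5) = 0
[pid  4242] connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("198.51.100.7")}, 16) = 0
[pid  4242] connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.9")}, 16) = -1 ECONNREFUSED (Connection refused)
"""

Event = namedtuple("Event", "pid call fd ip port ok errno")

# One AF_INET bind()/connect() line; the optional "[pid N]" prefix is what -f adds.
_LINE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?'
    r'(?P<call>bind|connect)\((?P<fd>\d+), \{sa_family=AF_INET, '
    r'sin_port=htons\((?P<port>\d+)\), sin_addr=inet_addr\("(?P<ip>[\d.]+)"\)\}, \d+\) '
    r'= (?P<ret>-?\d+)(?: (?P<errno>E[A-Z]+))?'
)

def parse_strace(text):
    """Return an Event for every AF_INET bind()/connect() call in strace output."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # socket(), listen() and anything non-IPv4 are ignored here
        events.append(Event(
            pid=int(m["pid"]) if m["pid"] else None,
            call=m["call"], fd=int(m["fd"]), ip=m["ip"], port=int(m["port"]),
            ok=m["ret"] == "0", errno=m["errno"]))
    return events

def summarise(events):
    """Split events into listening ports, outbound peers and failed attempts."""
    listens = sorted({e.port for e in events if e.call == "bind" and e.ok})
    peers = sorted({(e.ip, e.port) for e in events if e.call == "connect" and e.ok})
    failed = [(e.call, e.ip, e.port, e.errno) for e in events if not e.ok]
    return listens, peers, failed

if __name__ == "__main__":
    listens, peers, failed = summarise(parse_strace(SAMPLE))
    print("listening on:", listens)
    print("talking to:", peers)
    print("failed attempts:", failed)
```

In practice you would pipe a live capture in (strace writes to stderr, so `strace -f -e trace=network -p PID 2>&1`) instead of the embedded sample.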
Basic Virus Writing; Objectives
What exactly does our little virus want to do? What would we like it to do? Can we sufficiently cover our tracks? Let's discuss.
- The most basic bit of code is probably just going to quietly open a shell. Now, we almost certainly have to bulk the code up with some simple error checking, but that's it.
- At some point the malware is probably going to need to hide its traffic, probably via encryption or obfuscation, loud as this may be.
- The virus will need to utilise as much randomness as possible to hide