Security-Oriented C Tutorial 0xFD - Software on Steroids - Upgrading Our Malware
Welcome back to a tutorial on malware. We'll be discovering a method to beef up our little trooper. Without further ado, let's jump right in!
In the previous tutorial, we learned how to write a program which opened itself for reading to write to a host file, overwriting each value one by one until it eventually duplicated itself inside. A successful prototype, but it's not really equipped with enough fireworks to go off with a BANG! So let's do that, shall we?
Now that we've got a basic working malware, we can aim higher and give it some flavor, some spice, some turbo jet engines, whatever you want to call it. But what do we want to add?
Let's try to keep things simple... think simple yet disastrous. We can only attack one file at the moment so how about we attack multiple files? But we don't know the file names in advanced. Is there something which can help us retrieve the file names on demand? Why of course there is!
We have our base specimen and it's time to integrate it with its newly made (found) power suit.
We need to remove some of the exit calls because if our virus were to encounter a file or directory without proper permissions, it would halt our program and we do not want that. We want it to just skip over it and continue its rampage.
Before proceeding beyond this point, you must understand the risk of creating malware. The program that we will be making is not to be tampered with in any uncontrolled environment so I would highly advise you to set up a controlled environment due to its nature. In the event that this program is executed in a successful manner, all compromised files may not be recoverable and any damage will be on you. Ignorance is not an excuse.
During the testing of this, an unedited parameter in a function had me unintentionally infect core files in my system which caused it to hang. Luckily, I had created snapshots in my virtual machine so that I was able to recover it.
Make sure that you are able to recover your machine after running the virus, that is, if you're daring enough to run it.
I'm set. Are you?
Don't forget the epic background music: YouTube
Forgive me Lord, for I am about to sin. Here we go!
I think this was a Sublime Text error...
Returned back to "normal". Looks like it's still running or something, not sure.
System threw a some errors back at me. Terminal also crashed.
Did what it suggested to do, a restart. Now it keeps kicking me back out to the login screen when I'm trying to log in. Nice! I'm also pretty sure that all of my files have been completely overwritten.
What fun! I've completely destroyed my data and account, all without touching root. If you've run this as root, boy, would you have a problem!
As you can see, the operating system still functions properly. I am actually able to log into the Guest Session which is nice. Luckily, I was not root when running this otherwise it would have absolutely overrun the entire system and I probably wouldn't even be able to boot properly. Yep, confirmed as I am typing this sentence, it screwed over and had boot issues.
Linux organizes file permissions into users and groups and because of this, it had prevented the virus from infecting core files in the root partition, or any root-level files. In one of the screenshots above, we can see that it kept denying access to files from our virus. This is a good reason why we should never ever use any operating system with the root account in case something like this happens. If I can't convince you by showing you this demonstration, I don't know what will...
That's it for our first malware! If you wish to experiment with it a bit more, add some more power to it, make it infect connected drives like USBs, be my guest! Try porting it over to a Windows machine, it should still work as well. Don't give it to any of your friends as a prank, please, unless they're not your friend - no, just don't give it to anyone, don't be that guy. It's for experimentation and analysis only!
What shall we cover next? I don't know yet! Stay tuned!