
Camouflaging windows malware

It’s a fact, I’m in love with malware. As a researcher I want to understand how things work, and sometimes those things are not just usual software but viruses, exploits or rootkits.

Malware is built the way software is: some code, some compiling, and done. But it’s much more complex than just that. There’s no fast lane in malware; everything has to work anywhere, silently and secretly. The program has to be able to boot, reproduce and take care of itself, sometimes without the hacker’s help, and all of this usually starts with a simple act… a double-click.

There are a plethora of ways to run malware on a machine, but the greatest is the oldest: camouflage. With exploiting you have to find a flaw in a system and use it to your advantage, which is a lot of work; with camouflage, you just have to bait and wait.

So, what if we build a virus, hide it as bae_boobies.jpeg on a flash drive and “forget” it at the bus stop? I’ll tell you something… someone will click that file eventually, for sure!

But it’s not that easy: when we compile on Windows the default output is an .exe and the icon is the default binary icon. Nobody would trust that, so let’s fix it:

Changing the icon

First, let’s change the icon. We will need a trusty .ico file. I chose to hide my main.exe as nuclear_bomb_planning.pdf, so I need a PDF icon; remember, it has to be .ico, other extensions won’t work.

Now what?
We will work on Windows with the VC++ suite, so we can link resources into our binaries, and, coincidentally, the binary’s icon is a resource. To set it as the main icon we have to define it as a resource, so:

Copy pdf.ico into the project’s folder and create a new file named resources.rc (for example).
This file will contain the resources and, once compiled, will be linkable with a .obj file, so we will be able to create an .exe with custom settings.

We want to add an icon, so let’s fill in resources.rc:

MAINICON ICON MOVEABLE PURE LOADONCALL DISCARDABLE "pdf.ico"

Save it and read the MSDN Icon resource documentation for more info about the keywords used; for now, what we have to notice is “MAINICON”, the name of the resource, the word “ICON”, which defines what kind of resource we are declaring, and of course “pdf.ico”, the path to the new icon.

Once we have it, we must compile the .rc into a .res, a binary resource file to be linked into our final executable:

rc resources.rc

This line will create resources.res.

Cool, now we have a binary that sets the exe icon to the PDF icon; let’s build the exe. We need to build a .obj file first: it’s a compiled but not yet linked binary, while the .exe is the final executable. We need to link resources.res and main.obj manually in order to merge them together and get our custom icon.

cl /c main.cpp

This line will generate a new main.obj file. Easy 🙂

Now we have to link them together:

link resources.res main.obj /OUT:nuclear_bomb_planning.exe

This line links resources.res and main.obj into an executable named nuclear_bomb_planning.exe, with the PDF icon!!
Cool, isn’t it?

Renaming

Now, let’s change the name.

On Windows we need the extension to make the file executable, so we can’t get rid of .exe, but we can dress it up…
Let’s name the file nuclear_bomb_planning.pdf.exe
Windows treats the last .(*) as the extension and, after Windows Vista, extensions are hidden by default, so hopefully our victim won’t be able to see the .exe. To him the file will be nuclear_bomb_planning.pdf, with a trusty PDF icon and, of course, executable, so if he double-clicks there… BOOOOM!!! POWNED

BONUS TRACK

Even more: sometimes some people (smarter people) enable extension display, so they’ll still see nuclear_bomb_planning.pdf.exe. What can we do about this?
E A S Y, rename again with a bunch of white spaces:
nuclear_bomb_planning.pdf (insert a shit-ton of white spaces here) .exe

The name won’t fit in the Explorer window and they won’t notice the real extension…

HOW TO PREVENT IT

  • enable extension display in the folder configuration (google it)
  • don’t execute untrusted files
  • don’t plug in found devices
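As an added example (not code from the original post), here is a small Python scanner that turns the tricks above into checks a defender can run over a directory listing: it reproduces the name Explorer shows with extensions hidden, flags the document-before-executable double extension and the whitespace padding from the renaming sections, and flags an MZ (PE) header sitting behind a document-looking name. The extension lists and the sample files are constructed assumptions, not from the post.

```python
from pathlib import PureWindowsPath

# Assumed, illustrative lists: extensions Windows runs on double-click, and
# extensions a user expects to open in a viewer rather than execute.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".jpeg", ".jpg", ".png", ".doc", ".docx", ".txt"}
PADDING = " \t\u00a0"  # spaces, tabs, non-breaking spaces used to push the extension out of view


def explorer_display_name(filename: str, hide_extensions: bool = True) -> str:
    """Name as Explorer shows it: the last '.suffix' is the extension and is hidden by default."""
    name = PureWindowsPath(filename).name
    ext = PureWindowsPath(name).suffix
    return name[: -len(ext)] if (hide_extensions and ext) else name


def scan(filename: str, header: bytes = b"") -> list:
    """Return the camouflage tricks found in a file's name (and, if given, its first bytes)."""
    findings = []
    name = PureWindowsPath(filename).name
    ext = PureWindowsPath(name).suffix.lower()          # what Windows treats as the extension
    stem = name[: -len(ext)] if ext else name
    shown = stem.rstrip(PADDING)
    # Trick 1: a run of whitespace before the real extension, so it overflows Explorer's column
    pad = len(stem) - len(shown)
    if pad:
        findings.append(f"{pad} padding characters before {ext!r}")
    # Trick 2: a document extension in front of an executable one (the .exe is hidden by default)
    inner = PureWindowsPath(shown).suffix.lower()
    if ext in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
        findings.append(f"double extension {inner}{ext}")
    # Trick 3: a PE image ('MZ' header) whose visible name claims to be a document
    if header[:2] == b"MZ" and (inner in DOCUMENT_EXTS or ext in DOCUMENT_EXTS):
        findings.append("PE image presented as a document")
    return findings


# Constructed sample listing: names follow the post, the header bytes are made up.
SAMPLES = {
    "nuclear_bomb_planning.pdf.exe": b"MZ\x90\x00",
    "nuclear_bomb_planning.pdf" + " " * 80 + ".exe": b"MZ\x90\x00",
    "quarterly_report.pdf": b"%PDF-1.7",
    "setup.exe": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for fname, head in SAMPLES.items():
        print(f"{explorer_display_name(fname)!r:40} -> {scan(fname, head) or 'clean'}")
```

Run it over real files by reading the first few bytes of each entry in a directory and passing them as `header`; a name that is clean but carries an MZ header behind a document extension is still worth a look.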

Hope it helped 😉

