by digital vampire
VAMPIRE - an overview

There are two problems on the Windows and ICQ platforms that this proof-of-concept code deals with. I don't know which is the most important, so I'll deal with the most widely spread and most unknown one first. This code builds upon snadboy's revelation and takes it a massive step further. The problem should be described as being able to execute arbitrary code through generic system functions, with no validation of any kind as to its source or identity (a kernel bug!). As some may already know, this concept in itself is nothing new; what is new is the purpose and method of how standard Windows functions are manipulated. For example, I often exploit this bug in this code to hunt down active windows, find buttons and simulate a user clicking those buttons. What's wrong with that? Just take a good look through the code and you'll see what the problem with it is! Due to the "source identity" bug (aka Windows not acknowledging where a standard system call is coming from), I can control any Windows application (in this case ICQ) to the point of initiating file transfers, formatting a hard drive, whatever. If it requires interaction, then because of the "source identity" bug I can simulate that interaction, to any degree or for any purpose. What's more, with some other oh-so-helpful system calls ;) I can hide these processes entirely from the user's knowledge. In fact, doing so is very, very simple indeed!

If reproducing the "source identity" bug in such a new light that it *could* be called "The global identity crisis" isn't enough for you, then I will take this proof-of-concept code one step further. That's right, there's more. Not only does "VAMPIRE - The world's first ICQ worm!" exploit the "source identity" bug, but it also takes full advantage of the WELL-KNOWN "ICQ file extension" exploit, i.e. renaming an exe file from "SomeFile.Exe" to something like "SomeFile.txt .exe" would force the badly written ICQ application to only display "SomeFile.txt" in the receiver's window. Change the exe's icon to something that represents the usual Windows Notepad icon, making the receiver believe it is a valid text file, meaning the chances of them executing this worm are incredibly high.

VAMPIRE - The infection process

VAMPIRE duplicates itself in disguise as a system file, executes that file and kills itself. It self-extracts files (for ICQ file extension exploit believability) and visibly executes whatever it was prepared to self-extract, using the file's associated program to launch it (exe binding technology).
- It hides from the Ctrl+Alt+Del and Alt+Tab menus (RegisterAsProcess).
- It auto-loads the fake hidden system file with Windows on every run using the system registry.
- It generates a new duplicate of itself in a specific hidden location to send off to new victims.

VAMPIRE - after infection

- Retrieves all currently online contact UINs using the Mirabilis ICQ API and sends off the hidden duplicate of itself to everyone in your ICQ contact list, once every random interval of between 1 and 20 minutes (so the victim doesn't get suspicious about too much unusual net activity).
- Hides ALL ICQ file transfer process windows and even automatically clicks the required buttons in those windows (including error messages and aborts).
- Makes a note of which ICQ UINs have been sent to and makes sure it doesn't send to those UINs again.

All this while remaining 100% invisible to the victim. This code is modularised and highly portable to other purposes, clients, tasks and languages. If this was done in a top-level language such as VB in 2 days, think what damage a highly possible conversion of this code to a low-level language such as C++ and asm *COULD* do.
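A defender-side check for the double-extension disguise described above, added here as an example and not part of the VAMPIRE code: it splits an incoming transfer name into the extension Windows would actually act on and the document-like extension the name shows, and flags the whitespace-padded form the text describes. The extension lists and the sample names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Extensions Windows dispatches to the shell as programs (assumed list).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs"}
# Harmless-looking extensions commonly used as the decoy part of a name.
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "bmp", "htm", "html", "zip"}

@dataclass
class Verdict:
    suspicious: bool
    real_ext: str     # the extension Windows actually acts on
    decoy_ext: str    # the document-like extension the name pretends to have
    padded: bool      # whitespace used to push the real extension out of view
    shown: str        # what a naive, width-limited client would display

def check_filename(name: str, display_width: int = 20) -> Verdict:
    """Flag a transfer name whose true extension is executable while an
    earlier extension makes it look like a document, e.g. the
    "SomeFile.txt      .exe" trick: the padding hides the real extension."""
    stripped = name.strip()
    tokens = [t.lower() for t in re.split(r"[.\s]+", stripped) if t]
    real_ext = tokens[-1] if len(tokens) > 1 else ""
    decoys = [t for t in tokens[1:-1] if t in DECOY_EXTS]
    padded = re.search(r"\s", stripped) is not None
    decoy_ext = decoys[-1] if decoys else ""
    suspicious = real_ext in EXECUTABLE_EXTS and bool(decoys)
    return Verdict(suspicious, real_ext, decoy_ext, padded, stripped[:display_width])

def flag_transfers(names):
    """Return the incoming names that should be quarantined or shown to the
    user together with their real extension."""
    return [n for n in names if check_filename(n).suspicious]

# Constructed sample of incoming transfer names (not real captured data).
SAMPLE_NAMES = [
    "SomeFile.txt                .exe",   # padded double extension
    "readme.txt.exe",                     # unpadded double extension
    "notes.txt",                          # genuine text file
    "setup.exe",                          # plain executable, not disguised
    "holiday.jpg                 .scr",   # screensaver variant of the trick
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        v = check_filename(n)
        print(f"{v.shown!r:24} real={v.real_ext:4} decoy={v.decoy_ext or '-':4} "
              f"padded={v.padded} suspicious={v.suspicious}")
```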
While you might think using a language such as VB for trojans / worms is a pointless escapade due to the ICQ DLL and VB DLL dependency issues, THINK AGAIN! As with commercial products such as Bit-Arts Fusion, the many, many, many free exe binding tools out there, and even DLL / exe compressors such as the excellent PKLite, you could even create one single reasonably sized exe worm file that's guaranteed to spread. Besides, that's not really the point here anyway ;)

IMPORTANT NOTE - The code provided will not work as is! Some minor modification and preparation would be required for a successful launch-and-spread operation. Please take the time to read the documentation within the project, as it is clearly documented and might be difficult to understand otherwise. I will NOT answer any questions pertaining to how to operate or manipulate the code, unless they are coming from a fully licensed security firm or fully licensed media outlet. You may contact me at [email protected] or by telephone on (UK) +44 (0)7092 082648.