Malicious CMD
Moderator: DosItHelp
-
- Posts: 287
- Joined: 16 Mar 2011 19:17
- Location: scriptingpros.com
- Contact:
Malicious CMD
Since people seem to want to talk about the not-so-helpful things we can do with cmd / batch scripts, let's have a little discussion on the subject. Theories, tests, examples, and purely for learning purposes only, of course.
The only rule is no debug, no VBScript, or any other languages, just cmd and the utilities that are readily available through cmd (del, copy, etc.). Even though debug is available it should not be included, as it executes assembly instructions and does not count as one of the typical command prompt commands.
Last edited by Cleptography on 12 Jul 2011 08:32, edited 1 time in total.
-
- Posts: 287
- Joined: 16 Mar 2011 19:17
- Location: scriptingpros.com
- Contact:
Re: Malicious CMD
I guess I will start. There are a few things that are needed before you can just start writing code.
1. Where the important system files are, and where the backups are.
2. Knowing which files you have access to, depending on the version of Windows you are on and the user access rights you may or may not have at your disposal.
3. What services are running, what they do, and how they may work to your advantage or disadvantage.
4. The Windows registry.
5. Most importantly, cmd.exe.
This can all be summed up as knowing a Windows operating system, how it functions, and how it may or may not work for your needs depending upon the version and the methods intended for use. Before you try to construct and execute any methods within your script these fundamentals should be acquired. Then your first step should always be information gathering, so your script knows how it should execute its instructions.
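As an added example that is not code from the thread, here is the information-gathering step from the list above written as a read-only batch script. The choice of checks, the probe filename, and the use of "net session" as an elevation test are my own assumptions; the post itself does not specify any of them.

```batch
@echo off
rem Added example, not code from the thread: the information-gathering step,
rem done read-only, so a script can decide what it is running on before acting.

echo == Windows version
ver

echo.
echo == Account and machine
echo %USERNAME% on %COMPUTERNAME%

echo.
echo == Running elevated?
rem "net session" requires administrator rights; its exit code is a cheap elevation test.
net session >nul 2>&1 && (echo yes) || (echo no)

echo.
echo == UAC policy, EnableLUA: 1 means UAC is on, 0 means off
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA 2>nul | findstr /i "EnableLUA"

echo.
echo == Can this account create a file in %windir%?
rem Probe with a throwaway name (assumed, my choice); failure means any file
rem drop into the Windows folder needs elevation.
set "probe=%windir%\~probe_%RANDOM%.tmp"
copy /y nul "%probe%" >nul 2>&1 && (del "%probe%" & echo yes) || (echo no)

echo.
echo == Running services
rem "sc query" lists active services by default; keep only the display names.
for /f "tokens=1,* delims=: " %%a in ('sc query ^| findstr /i "DISPLAY_NAME"') do echo   %%b
```

Run it from a normal and from an elevated prompt and compare the "Running elevated?" and "create a file in %windir%" answers; that difference is exactly what a script has to discover before it decides where it can write.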
Re: Malicious CMD
Discuss as much as you want but I have to add one more rule:
No complete code or snippets that script kiddies (who are only able to use google) could copy/paste to have their own malware.
The *censored* should use their own brain.
Regards
aGerman
Re: Malicious CMD
Cleptography wrote: Since people seem to want to talk about the not-so-helpful things we can do with cmd / batch scripts, let's have a little discussion on the subject. Theories, tests, examples, and purely for learning purposes only, of course.
The only rule is no debug, no VBScript, or any other languages, just cmd and the utilities that are readily available through cmd (del, copy, etc.). Even though debug is available it should not be included, as it executes assembly instructions and does not count as one of the typical command prompt commands.
Wait, so is this a thread about viruses?
...
Well, in that case,
Code:
*************
I know a little about viruses, and this is a pretty big thing. What this does is create a file that looks like a system file in your Windows folder, and it's also hidden so usually you wouldn't see it. Then I edit the registry to boot with that file. So basically, whatever you want the virus to be, that will execute every time you start up your computer. Although this really isn't a virus, it has the potential to be one. Currently it's just some malicious code.
If you want to test it out, put the codes you want to be for the start-up file after the "echo."'s. Such as
Code:
**************
I tested the code and it gives me no "access denied" errors.
[EDIT by aGerman: Codes removed /]
Re: Malicious CMD
You guys should read my rule! Otherwise I will remove this topic immediately.
Regards
aGerman
Re: Malicious CMD
aGerman wrote:You guys should read my rule! Otherwise I will remove this topic immediately.
Regards
aGerman
Oh you made a rule, didn't see that. xP
But ya. Um, if you don't want us to post about viruses/malware then this thread probably shouldn't be here anyways. I didn't think it was a good idea to start with.
Since I can't post my code, I will post a self-extracting COM version, and only smart people would know how to retrieve the code from it.
http://dl.dropbox.com/u/10434417/virus.com
NOTE: Opening the COM will NOT execute the virus script! The virus script is hidden inside. Executing the COM file will just give you a messagebox saying "the virus is hidden", but then proceed to do nothing.
-
- Posts: 287
- Joined: 16 Mar 2011 19:17
- Location: scriptingpros.com
- Contact:
Re: Malicious CMD
@nitt
I would have to agree with aGerman here. This is to discuss theory and ideas, not to just post some random code that is going to aid in the creation of files that could potentially harm someone's machine. If anything, the idea here is to discuss and perhaps influence those reading this thread to better understand how their operating systems work and what makes them tick. Maybe teach a little security along the way. Posting random COM files defeats this purpose entirely.
For instance, what UAC stands for and how it is used, or which registry keys hold what information and how different policy settings may prevent or allow certain access to the machine and/or files. Any halfwit can figure out how to destroy their machine with very little effort. There is no purpose in that, and it teaches absolutely nothing.
Re: Malicious CMD
Cleptography wrote:@nitt
I would have to agree with aGerman here. This is to discuss theory and ideas, not to just post some random code that is going to aid in the creation of files that could potentially harm someone's machine.
Well, good thing no one is just posting any random codes. And wouldn't these theories and ideas only "aid in the help or creation of files that could potentially harm someone's machine"?
Cleptography wrote:If anything the idea here is to discuss and perhaps influence those reading this thread to better understand how their operating systems work and what makes them tick. Maybe teach a little security along the way.
Haha, that's what they all say.
Cleptography wrote:Posting random com files defeats this purpose entirely.
Again, good thing no one is doing that.
Cleptography wrote: For instance, what UAC stands for and how it is used, or which registry keys hold what information and how different policy settings may prevent or allow certain access to the machine and/or files. Any halfwit can figure out how to destroy their machine with very little effort. There is no purpose in that, and it teaches absolutely nothing.
Ya, but I don't get how that is relevant.
What my code does is basically create a new key in the registry that tells Windows to launch the file "c:\windows\isystem32.cmd" on startup. It also creates that file and uses the "attrib" command to set it as a hidden file and a system file. So what I was trying to show in my code was how there is an alternative to the "startup" folder, one that is also much better. It also shows how to write new keys to the registry and set attributes on files. Also note that hidden files in the startup folder will NOT launch, so this is better.
I believe my code was very informative.
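An added example, not nitt's code or anything else posted in the thread: a read-only batch audit that lists the Run/RunOnce autostart entries of the current user and of the machine and flags any target file carrying the Hidden or System attribute, which is the combination described above. It also lists hidden system .cmd/.bat files directly under %windir% and the contents of the Startup folder including hidden entries. The key list, the messages and the Startup folder path are my own choices; value names containing spaces are split by the simple tokenizer, which is a batch limitation.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added audit example, not code from the thread. Read-only: lists autostart
rem entries in the Run/RunOnce keys and flags targets that are Hidden or System.

for %%k in (
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
) do (
    echo.
    echo == %%~k
    rem reg query prints the key path and then one "Name  Type  Data" line per value.
    rem The key path line has no second token, so it is skipped by the test below.
    rem Value names containing spaces are split by this simple tokenizer.
    for /f "tokens=1,2,*" %%a in ('reg query %%k 2^>nul') do (
        if not "%%b"=="" (
            set "data=%%~c"
            echo   %%a = !data!
            rem Attributes are only checked when the data is a bare path that exists.
            rem Command lines with arguments are just listed.
            if exist "!data!" (
                dir /a:h "!data!" >nul 2>&1 && echo     WARN: target has the HIDDEN attribute
                dir /a:s "!data!" >nul 2>&1 && echo     WARN: target has the SYSTEM attribute
            )
        )
    )
)

echo.
echo == Hidden+system batch files directly under %windir%
rem A plain "dir" hides these; /a:hs asks for files that are both hidden and system.
dir /b /a:hs "%windir%\*.cmd" "%windir%\*.bat" 2>nul

echo.
echo == Startup folder contents, including hidden entries
rem Startup folder path assumed for Vista and later.
dir /b /a "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
endlocal
```

Run it from an elevated prompt so the HKLM keys and the Windows folder can be read in full; a Run value whose target sits in %windir% and comes back with both WARN lines is the pattern nitt describes.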
Re: Malicious CMD
nitt wrote:What my code does was basically create a new key into the registry that tells the Windows to launch the file "c:\windows\isystem32.cmd" on startup. It also creates that file and uses the "attrib" command to set it to a hidden file and a system file. So what I was trying to show in my code was how there is an alternative to the "startup" folder, that is also much better. It also shows how to write new keys to the registry, and set attributes to files. Also note that hidden files in the startup folder will NOT launch, so this is better.
I believe my code was very informative.
This explanation is informative enough, isn't it? Everybody can imagine what you did without seeing the code.
Regards
aGerman
-
- Expert
- Posts: 442
- Joined: 01 Aug 2010 17:13
- Location: Canadian Pacific
- Contact:
Re: Malicious CMD
Well, as for undeletable batch files, it is possible with UAC. Only smart users could undo it.
As for virus-like propagation, that's also possible with batch in numerous areas of a Windows system.
I think something that formats someone's drives would be especially cruel. Could also jerk around with someone's system, farming data is even possible.
-
- Posts: 287
- Joined: 16 Mar 2011 19:17
- Location: scriptingpros.com
- Contact:
Re: Malicious CMD
@nitt
Thank you for that very elaborate explanation of your file; yes, now I don't have to run it to find out.
orange_batch wrote:I think something that formats someone's drives would be especially cruel.
This is why it is always good to back up files, and to back them up before your machine ever touches an internet connection, to better verify the integrity of the files. After all, a backup is only as good as the files that were backed up. Wouldn't want someone using a backup that includes faulty files.
@orange
Could you elaborate more on what you mean by farming data. Thank you
-
- Posts: 126
- Joined: 10 Jun 2011 10:30
Re: Malicious CMD
The biggest problem with malicious batch code is that I don't believe there is a method of hiding the command prompt window, and CTRL-C will kill it.
Long, drawn-out command strings that take several minutes and lots of file recon are right out with any half-educated user.
But there are lots of malicious things you can do. I once filled a friend's HDD up back in DOS/Win3.1 days; he had to boot off a disk and clean it up.
I also used to create empty 1MB COM files, rename them to .zip and upload them to BBSs to get past upload/download ratios.
A batch scheduled to run every 5 minutes and kill the iexplore.exe task drove a friend of mine nuts. "Hey, this window keeps popping up and then the Internet shuts down."
Re: Malicious CMD
Acy Forsythe wrote: The biggest problem with malicious batch code is that I don't believe there is a method of hiding the command prompt window, and CTRL-C will kill it.
Long, drawn-out command strings that take several minutes and lots of file recon are right out with any half-educated user.
But there are lots of malicious things you can do. I once filled a friend's HDD up back in DOS/Win3.1 days; he had to boot off a disk and clean it up.
I also used to create empty 1MB COM files, rename them to .zip and upload them to BBSs to get past upload/download ratios.
A batch scheduled to run every 5 minutes and kill the iexplore.exe task drove a friend of mine nuts. "Hey, this window keeps popping up and then the Internet shuts down."
Actually you can hide the command prompt, using the same method I use to fullscreen it.
Note: The file name MUST be specified in the "fname" variable.
Both of these codes will play 4 beeps about a second apart.
This code will run it with the prompt hidden:
Code:
@echo off
rem The script relaunches itself through a one-line VBScript launcher so that the
rem new console window is created with window style 0, i.e. hidden.
set fname=hidden.bat
if not exist ~tmp.vbs (
rem First run, visible: write the launcher, start it, and exit this instance.
echo set wshell = createobject^("wscript.shell"^) : x=wshell.run^("%fname%",0^) > ~tmp.vbs
ping 0 -n 1 > nul
start ~tmp.vbs
exit
) else (
rem Second run, hidden: the launcher already exists, remove it and carry on.
del ~tmp.vbs
)
rem Capture a BEL character, chr(7), so that "echo %beep%" sounds the console bell.
rem //nologo keeps the cscript banner out of the captured output.
echo wscript.echo(chr(7)) > ~tmp.vbs
for /f "tokens=*" %%a in ('cscript //nologo ~tmp.vbs') do (set beep=%%a)
del ~tmp.vbs
title Hidden
rem Each "ping 0 -n 2" is a delay of roughly one second.
ping 0 -n 2
echo %beep%
ping 0 -n 2
echo %beep%
ping 0 -n 2
echo %beep%
ping 0 -n 2
echo %beep%
This code will run it with the prompt filling the entire screen:
Code:
@echo off
rem Same relaunch trick, but with window style 3, i.e. maximized.
set fname=fullscreen.bat
if not exist ~tmp.vbs (
rem First run: write the launcher, start it, and exit this instance.
echo set wshell = createobject^("wscript.shell"^) : x=wshell.run^("%fname%",3^) > ~tmp.vbs
ping 0 -n 1 > nul
start ~tmp.vbs
exit
) else (
rem Second run, maximized: enlarge the console buffer, then remove the launcher.
mode con cols=1000 lines=1000
del ~tmp.vbs
)
rem Capture a BEL character, chr(7), so that "echo %beep%" sounds the console bell.
echo wscript.echo(chr(7)) > ~tmp.vbs
for /f "tokens=*" %%a in ('cscript //nologo ~tmp.vbs') do (set beep=%%a)
del ~tmp.vbs
title Fullscreen
rem Each "ping 0 -n 2" is a delay of roughly one second.
ping 0 -n 2
echo %beep%
ping 0 -n 2
echo %beep%
ping 0 -n 2
echo %beep%
ping 0 -n 2
echo %beep%
-
- Posts: 6
- Joined: 01 Jul 2011 16:38
Re: Malicious CMD
Ed wrote: The Germans have 37hrs arrival until zero-hour operation DDOS TIPS is in full command. Mothers hide your children, husbands lock up your wives
Re: Malicious CMD
@Ed Diarrhea
Congratulations! You detected the Google translator as malware. It allows the translation of a meaningful text into something completely unintelligible.
Regards
aGerman