Malware

Malware, short for malicious software, is a type of software designed to harm or disrupt computer systems and provide unauthorized control to its creator for theft or fraud.

Common types of malware

For good measure I'll put some definitions of malware here, mostly because I keep mixing them up.

  • Trojans: malicious programs that disguise themselves as legitimate software to trick users into installing them. Once installed, they can perform harmful actions without the user's knowledge.

  • Backdoors: hidden access points that allow unauthorized users to gain control of a system. They are often used for remote control or further attacks.

  • Rootkits: stealthy software that provides elevated access and hides its presence from both users and security software, making it difficult to detect.

  • Ransomware: encrypts a user's data and demands a ransom in exchange for the decryption key, often causing data loss and financial harm.

  • Adware: displays unwanted advertisements to users and may collect user data for targeted advertising.

  • Viruses: self-replicating programs that attach to legitimate files and can spread to other files and systems, causing harm.

  • Worms: self-replicating malware that spreads independently over networks, infecting multiple systems.

  • Spyware: secretly monitors a user's activities and gathers sensitive information, such as passwords and browsing history.

Components of malware

Depending on the purpose and sophistication of malware it might contain all or a subset of the components below.

Component                     Description
Crypter                       Tool to encrypt and obfuscate malware code to evade detection.
Downloader                    Malware component that fetches additional malicious files or payloads.
Dropper                       Malware designed to deliver and install a malicious payload.
Exploit                       Code or technique used to exploit software vulnerabilities.
Injector                      Inserts malicious code or payloads into legitimate processes.
Obfuscator                    Tool to make code more challenging to understand and analyze.
Packer                        Compresses and encrypts executable files to obfuscate their content.
Payload                       The malicious part of malware responsible for harmful actions.
Malicious Code                Any code or software designed with harmful intent, including malware.

Trojan Horse Constructor Kits

Trojan Horse construction kits help make the process of creating a Trojan much easier.

Note that this is shady software, and a downloaded construction kit might well be a Trojan itself. It is always better just to build a new Trojan from scratch.

Here is a nice collection of RATs.

Some of the tools below might only work on older distributions.

njRat

njRAT is a GUI-based Remote Access Trojan with nice data-stealing capabilities. It goes beyond keylogging, offering the ability to access a victim's camera, steal credentials saved in web browsers, transfer files to and from the victim's system, manipulate processes and files, and view the victim's desktop.

  1. After launching, the njRAT GUI will appear, along with a pop-up window. In the pop-up, specify the port you wish to use for communication with the victim's machine.

  2. Locate and click the "Builder" link positioned in the lower-left corner of the GUI to configure the details of the exploit.

  3. A dialog box labeled "Builder" will open. In the "Host" field, input the IP address of the host machine (the attacker's system). Check the "Registry StartUp" option, leave the other settings as default, and select "Build."

  4. The "Save As" window will emerge. Choose a location to store the server, provide it with a new name if needed, and select "Save."

  5. Upon the server's creation, a "DONE!" confirmation will appear. Click "OK."

  6. You can now employ any method to send this server to the intended target, whether through email or another source (typically, attackers transmit this server to victims in real-time).

  7. The moment the victim double-clicks the server, the executable will commence running. The njRAT client (njRAT GUI) on the attacker's system will establish a persistent connection with the victim's machine. The victim's machine will remain under the attacker's control unless the attacker chooses to disconnect the server manually.

Theef

Theef is a Remote Access Trojan (RAT) developed in Delphi. This malware enables remote attackers to gain access to a system through port 9871. Theef is a Windows-based software consisting of both client and server components. The server should be installed on a target computer, while the Theef client is used to control the server and its activities from the attacker's machine.

Note that this version of Theef is quite old (2004).

  1. Once the client is launched, enter the IP address of the target machine in the IP field, and leave the Port and FTP fields set to default; click Connect.

  2. The server file should be delivered to the attacker.

  3. Once the server file has been executed, a connection will be set up.

MoSucker

MoSucker is a potent remote access tool often used by hackers to establish backdoor access to a system. This backdoor functionality involves renaming the 'NETSTAT.EXE' file to 'NETSTAT.OLD' upon activation and restoring the original file name during uninstallation. Additionally, MoSucker has the capability to install itself on a system by modifying startup keys in the Windows Registry or INI files.

ProRat

ProRat is a Remote Administration Tool written in C, compatible with all Windows operating systems. Originally created for legitimate remote computer control, it has unfortunately been misused by attackers. Some malicious users exploit ProRat to gain control of remote systems, leading to activities like denial of service (DoS) attacks, which disrupt the normal use of the targeted systems for personal or business purposes.

Crypters

A crypter is software designed to encrypt the original binary code of an .exe file. This process conceals malware such as viruses, spyware, keyloggers, and RATs within various file types, making them difficult for antivirus programs to detect.
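From the defender's side, the trace a crypter leaves is that the encrypted body no longer looks like code: its bytes approach a uniform distribution. The following is an added example, not code from the original page or from any of the tools discussed here; it measures Shannon entropy over fixed-size windows and flags a buffer whose windows are mostly near-random, which is how packed-or-encrypted triage heuristics work. The PLAIN and ENCRYPTED buffers are constructed stand-ins, and the 7.0 threshold and 50% fraction are assumed tuning values.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 when
    all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_by_chunk(data: bytes, chunk_size: int = 1024) -> list:
    """Entropy of each fixed-size window. A crypter's encrypted body shows up as
    a run of near-8.0 windows; plain code and data sit well below that."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def looks_encrypted(data: bytes, threshold: float = 7.0,
                    min_fraction: float = 0.5) -> bool:
    """Flag a buffer when at least min_fraction of its windows reach threshold.
    Triage heuristic only: compressed media is also high-entropy (assumed cutoffs)."""
    chunks = entropy_by_chunk(data)
    if not chunks:
        return False
    high = sum(1 for e in chunks if e >= threshold)
    return high / len(chunks) >= min_fraction


# Constructed stand-in for an unencrypted program body (real code is far from uniform).
PLAIN = b"mov eax, ebx\npush ebp\ncall 0x401000\n" * 256

# Constructed stand-in for the same body after a crypter XORs it with a keystream.
# A fixed seed keeps the example reproducible; a real crypter would use a secret key.
_rng = random.Random(2024)
_keystream = bytes(_rng.getrandbits(8) for _ in range(len(PLAIN)))
ENCRYPTED = bytes(p ^ k for p, k in zip(PLAIN, _keystream))


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("encrypted", ENCRYPTED)):
        verdict = "likely packed/encrypted" if looks_encrypted(blob) else "plain"
        print(f"{name:9s} entropy={shannon_entropy(blob):.2f} -> {verdict}")
```

Run against a real sample the same way by reading the file bytes; a whole-file score hides a small encrypted section, which is why the windowed view is the useful one.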

SwayzCryptor

SwayzCryptor is an encryption tool, often referred to as a "crypter," that empowers users to encrypt the source code of their programs.

Note that this will not necessarily hide your RAT from all AV vendors.

  1. When you launch the SwayzCryptor GUI, you will see the interface. Click on the ellipsis icon located below the "File" option to choose the Trojan file.

  2. A "Select a File" dialog box will open. Browse to find the location of "RAT.exe."

  3. After selecting the file, ensure that you check the "Start up," "Mutex," and "Disable UAC" options. Then, click the "Encrypt" button.

Virus Maker Tools

Several virus maker tools can be found online.

Again, note that this is shady software and that it is always better just to build a new virus from scratch.

JPS Virus Maker

The JPS Virus Maker tool is designed to craft custom viruses with various building options. This versatile tool offers features like auto-start, shutdown, security center disablement, mouse and keyboard locking, protected storage destruction, and Windows termination, allowing users to create viruses tailored to their specific needs.

  1. When the JPS Virus Maker 4.0 window opens, mark the "Auto Startup" checkbox.

  2. The window will present a range of features and options for creating a virus file. Under "Virus Options," select the desired features you want to include in the new virus file.

  3. Make sure to choose the "None" radio button to specify when the virus should initiate its actions after creation.

  4. Click the right-pointing arrow icon on the right-hand side of the window to access the virus configuration settings.

  5. A "Virus Options" window will appear, where you can make necessary adjustments. Note that you also have the option to configure the virus to function as a worm.

  6. In the "Change Icon" section, ensure that the "JPG Icon" radio button is selected. Additionally, select the "None" radio button in the lower part of the window.

  7. After finalizing your selection of options, click the drop-down icon adjacent to the "Create Virus!" button and choose the architecture of the target system. Then, click "Create Virus!" to proceed.

  8. The newly created virus, also referred to as the "server," is automatically placed in the folder where the "jps.exe" is located. The server is named "Server.exe."

  9. After creating the virus, it is recommended to pack it with a binder or virus packager. Then, you can send this packaged virus to the victim's machine through various methods, including email, chat, a mapped network drive, or other means.

  10. Once the victim executes the virus and closes the window, the desktop screen may go blank, indicating that the virus has infected the system.

  11. As the victim observes the unexpected system behavior, they may attempt to resolve the issue by restarting the computer. However, it's essential to be aware that once the system is restarted, it may be difficult to regain control, and the consequences can be severe.

Worm Makers

Internet Worm Maker Thing

The Internet Worm Maker Thing is an automated scripting tool that facilitates the creation of malicious code. This tool provides a high level of customization, allowing users to define even the most granular details, such as the desired actions, display language, and launch date of the malicious code.
