EC Council CEH 312-50 – Malware – Software Goes Undercover Part 4
July 16, 2023

12. Executable Wrappers

So the next thing we want to talk about are the various ways of getting somebody infected by a Trojan component. So I’m just going to create a little scenario here. The scenario I’m going to create is that the Remote Access Trojan comes naturally as a server. That’s the malicious code that infects the computer, and the client is what controls that server. And a lot of times it has a server editor to allow you to manipulate what it does with this server exe. And we’re going to take a look at each one of those. As I’ve said this whole series, there’s no free lunch. In other words, people don’t go out and create free software applications that they’ve stolen from somebody else and created a key generator for them and all this type of stuff just because they like the way that you look.

More than likely there’s something else embedded in them. Now, more than likely what they try to do is embed a listener or a back door or some kind of RAT, which stands for Remote Access Trojan, into the application. What it does is it gives us the capability of going out and controlling that. It’s much easier for us to wrap a simple application that is a benign application. So instead of creating malware from scratch, it’s much quicker for an attacker to use an existing malware, combine it with a benign game or a program, then they’ll use what’s called an Executable Wrapper to wrap that application with another one. So you can control whether they execute at the same time, asynchronously, or whether they execute one after the other, in other words synchronously, or whether they do a number of different things that I’m going to show you.

EliteWrap is an advanced EXE wrapper for Windows and it runs on some of the older versions of the operating system. Cine Spy is one that works in Windows 2003. We’re going to go ahead and use Windows 2000 just because we have it available and it’s already up, and the concept is exactly the same. Basically what we’re going to do right here is demonstrate how it can be used to combine multiple applications. Generally what happens is you’ll find an application that will keep the person busy. In other words, keep them doing something while the Trojan loads in the background.

If you’ve ever noticed, not that you would ever do something like this, but if you ever downloaded a key generator, the key generator doesn’t just dump the key out to the screen. It goes on, plays music, and you have to jump through these various hoops and all this other kind of stuff. Why do you think they’re doing that? They’re doing that to give time for the Trojan that they’ve wrapped it with to actually infect your computer, because it takes a little bit of time for it to load. So while you’re jumping through the hoops to get the key that you need to put into this application that you’ve stolen. Not that you would do that, but if you did, then what’s going to happen is most people run that key generator on the same computer as the one they’re going to put the key into.

If you were smart, and I’m not saying for you guys to steal any software, but the better way of doing that would be to take the key generator, run it in a virtual machine, grab the key, then download the software from the manufacturer’s site, and take just the key and put it in there. That way you know it’s not being infected. So a couple of really popular applications are Whack-a-Mole, that keeps you busy, and Graffiti, which is the one we’re going to use. Another one is called Pie Gates, where they throw a pie in Bill Gates’ face. So let’s go ahead and show you how we’re going to do this.

13. Instructor Demo: Executable Wrappers 1

Now I’m going to go ahead and demonstrate for you how an Executable Wrapper works. And I’m going to demonstrate it on Windows 2000. So please don’t think less of me. This works exactly the same way on Windows 7, Windows 8, Windows 10, Windows 16, Windows 12, it doesn’t matter. So what I’m going to have you do, and I’ll have an exercise for you to do this on your own, is to open up a command prompt. And I want you to position your windows to where you have the command prompt and drill down to your lab folders and do just a little bit of sizing here where you can easily see both of them on the screen at the same time. All right? And you’ll see why that’s important here in just a couple of moments.

Now, what I’m going to do is I’m going to change directory down into Lab Folders and into EliteWrap. Typically, what works best is to send somebody a file attachment for their birthday or for Christmas or something like that that generally will get them to open it. We find that women are typically more apt to do this because they have a more tender heart. Oh, he favored my birthday. That is so nice. And you’re going to see how doing that may not be such a good idea. Let’s first start off and we’re going to type in EliteWrap. It’s going to ask us to enter in the name of the output file. I’m going to say Happy Birthday Alice. It has to have an .exe extension on it, and I’m going to press Enter.

Would you want to perform CRC? I’m going to say yes. And here are the various things that I can do to this Happy Birthday Alice program. I can pack the executable only, or pack and execute it, making sure that it’s visible and it executes asynchronously. Now, if it executes asynchronously, that means that it’s going to give this application a chance to execute, then change over to another one, give it a couple of processor cycles, and go back and forth. Or do it hidden. There’s one to do it visible synchronously, and there’s one to do it hidden synchronously, and you can see all of these different pack-and-execute options. What packing does is it tries to slip by your antivirus.

Now, in reality, antivirus is absolutely worthless. Now, I hesitate to say that because this class is meant to be for the individuals taking the Ethical Hacker Test. And on the Ethical Hacker Test, they are definitely interested in you running antivirus. So I’m going to do a little separate bonus video to explain to you what you really need to be doing these days. Because in reality, antivirus from most major manufacturers is just simply a waste of money. And I’ll kind of explain that as I go along. But packing, it tries to help us avoid any of the antivirus signatures. So what I want to do is enter in package file number one. Now I could type in C:\Lab Folders, and I’m going to put in Graffiti.

But what I’m going to do is I’m going to click once on it, hold down my left mouse button, drag it and drop it into this black window. I’m going to click one more time on the black window. This is very important because if I pressed Enter without clicking on it, it would execute it up here. That’s not what we want to do. So I’m going to press Enter right here. It says, which operation would you like me to do? Well, this is the benign application. And what I want to do is I want to pack and execute that one visible, because I want to keep them busy while I load in the nasty stuff in the background. I’m going to pick operation number two. So I’ll just simply put in a two at the end.

If I had any switches at the end of it, like I had with Netcat, I would put those at the end of it. Well, Graffiti doesn’t have any switches, so I’m simply going to press Enter again. Now it’s going to ask me to put in package file number two. I’m going to use this utility, or I should say Remote Access Trojan, called SubSeven. Now, with SubSeven, I’m going to use this server. Now, before I actually drag and drop this in here, I want to open it, and I want you to notice how I can take this server.exe and modify it to where it’s run by the registry, how it’s loaded, how it notifies me when someone is infected, sends me an email, perhaps automatically starts on a server. A number of different things that I can do to this.

All right? So I’m actually going to just go ahead and use it as it is right here. I’m going to click once on it, drag it and drop it down in here. Click again, press Enter. Now server.exe doesn’t have any switches either, but it’s not asking for that right now. It’s asking for the operation. I don’t want this one to be seen. I want to pack and execute hidden, asynchronously. So I’m going to pick option number three here. So I’m going to put in number three, press Enter. And as I said, it doesn’t have any command line, so I’m not going to put any in. It will actually allow me to wrap up to ten applications with it. Now this is the same machine that I uploaded Netcat on earlier. So let’s go ahead and put netcat in there.

So let’s go ahead and navigate out here to where netcat is located. Okay, so there’s my netcat that I uploaded in that earlier exercise. I’m just going to drag it and drop it down here exactly the same way. I’m going to click in here, press Enter. I don’t want this one to be visible either. So I’m going to put number three. And this one does have command line options. I’m going to do a -l to put it into listening mode, a -p 1234 for the port number, and -e cmd.exe for it to go ahead and execute the command prompt. So I’m going to go ahead and press Enter. On this package file number four, I don’t have another package file, so I’m just going to go ahead and press Enter one last time.

Now I’ve got all of this done, so I’m going to go ahead and just jump back up here to Lab Folders. And I’m going to go into my EliteWrap folder. And you notice here it’s got an executable that says HB Alice. Now the idea behind this would be to email this to Alice on her birthday, okay? That’s the ploy here, all right? In other words, get her to click on this email attachment. So I’m just going to go ahead and infect ourselves purposely here. So I’m just simply going to double click on this and you’re going to see what comes up. And if this had sound in it, it would be playing a little song. And this little guy comes out here and he says, you and I are the best friends.

Oh, you’re my best friend, but it makes you play this tic-tac-toe game before it lets you out. So he basically said, choose your tool, man. So I’m going to pick the O right here. The really sad part about this: this guy usually wins. It’s a draw, okay? And he’s basically saying, no matter what happens, we’re together. You’re my dearest friend. All the while, all of these other items are loaded in the background. And now it gives you the opportunity to quit. So when you loaded that, you loaded really quite a few more things. Okay? So let’s go over and see if that did work. All right, so we need to get the IP address of this machine first. I think it’s 156, if I’m not mistaken. Yeah.

14. Instructor Demo: Executable Wrappers 2

All right? And I’m going to go over to my XP attacker, which I happen to have the software installed on so I can use it to attach with. Now I’m going to use this SubSeven, and I’m going to use the SubSeven client. So I’m going to go into it, and it wants to attach at this port number. I’m going to put in the IP address, and I’m going to click on Connect. If all goes well, it should say at the bottom of this, Connected. And let’s just for grins and giggles here, let’s try a couple of these things. I’m going to open up Fun Manager and I’m going to tell it I want to flip the screen. I’m going to flip the screen, click over on this. And if I go over to my Windows 2000 screen, that normally always works.

All right, so I can do all kinds of other things: open and close the CD-ROM, change the mouse buttons, that kind of thing. But let’s go ahead and try this. Let’s try and connect to that port on that netcat listener. Let’s see if that works. So I’m going to type in nc, the IP address of the 2000 machine, and the port number. And boom, there I have it. Okay, so if I typed in hostname, there it is. Now it says it’s been flipped. Let’s go over and look and see if it flipped it. Well, finally it did. It just took a lot longer this time. I don’t know why. Okay, so you can kind of see where I can do a number of things with this all at once.

15. Malware Avoiding Detection

Now there’s a number of different ways that a perpetrator can be stealthy and try to trick you into clicking on certain things. One way is just simply to change the icon. And while this doesn’t work as well as it used to, it’s still a common ploy. For example, the icon that appears on your Windows screen is associated with the executable; it could be stored in the executable, or it could be stored in any other executable. As a matter of fact, I did this one time on a penetration test that I was doing. What I was doing is I was doing this for a bank just south of Atlanta, Georgia. I won’t name the bank. We were trying to look for individuals that were using their company email instead of personal emails to do various things.

And I found one by just simply searching the various things in Google like I’ve shown you before. And I found one where there was a girl that was the chairman of her high school reunion, and she was asking the people that graduated in this particular year to send them a current picture so they would know what you’d look like. It had the email address of the bank. So what did I do? Well, I sent her a picture, although it really wasn’t a picture, it was really netcat, and it had something we haven’t talked about before, but it had a reverse bind mechanism built into it. And I’ll talk about that in other chapters. But basically what happened is the email that I sent said in the subject line, do you remember me? And in the file attachment it said MyPic.jpg.exe.

Now this was actually back around 2004, 2005, and I doubt very seriously you could get away with this now because it’s really unusual for an email program to allow an executable to be sent. At any rate, I got an email back from her that said it didn’t work, I didn’t see anything. Well, I knew exactly what had happened. She clicked on the email and it opened up a listener. And all I needed to do was check my email to see what her IP address was and then ride right back in on that connection. And what a penetration tester will typically do is they’ll place what’s called a flag file. And the flag file for me is Data Century. It’s my logo that you see in the bottom right hand corner of all these slides. And I placed that at the root directory of her C drive and then I took a picture of it to go into my report.

This not only proves that I had read access to that directory, but also that I had write access to that directory. So there are, as I said before, a number of different ways of being able to trick someone into doing something. This one here is kind of interesting because it actually happened to me back when I was working at the mortgage company. It’s quite a long time ago. But what it does is it exploits a buffer overflow in JPEG processing to create a reverse shell and add a local admin account. It also can be modified to be the JPEG of death, which means that it will actually open up one browser window after another, one browser window after another. Boom, boom.

And some of you guys may have seen that. I don’t know, some sites that I won’t mention that you may have gone to that do that: when you try to close a window, another one opens up. At any rate, what this one did is it turned up the volume on my speaker and said, I’m surfing gay porn. I’m surfing gay porn, and you’re in a bunch of cubes. And I’m standing up saying, no, I’m not. I sit back down and try and kill the thing. And it’s still saying that. I stand up and say, no, I’m not. And finally I end up having to pull the plug on it. And I walked by one of my coworkers, this one African American girl that just looked at me and kind of grinned, and I said, I’m not. I really wasn’t. It’s just kind of a humorous thing that happened using this particular exploit.
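A defender-side triage check for the two tricks this lesson walks through: the wrapped executable of sections 12 to 14 (a stub carrying bundled programs appended after its own sections) and the MyPic.jpg.exe double-extension attachment of section 15. This is an added example, not code from the course or from EliteWrap; the overlay heuristic, the filename rules, and the minimal PE sample are constructed here.

```python
import struct

IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}

def pe_section_end(data: bytes):
    """Offset where the last PE section's raw data ends, or None if the
    bytes do not parse as a PE image (MZ stub -> e_lfanew -> 'PE\\0\\0')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                    # COFF file header
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first_sect = coff + 20 + opt_size                      # section table start
    end = 0
    for i in range(nsections):                             # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, first_sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def overlay_size(data: bytes) -> int:
    """Bytes appended after the last section. Binders and wrappers stash the
    programs they bundle here. Caveat: Authenticode-signed binaries also keep
    their certificate table in the overlay, so confirm before raising an alarm."""
    end = pe_section_end(data)
    return 0 if end is None else max(0, len(data) - end)

def triage(filename: str, data: bytes) -> list:
    """Findings a mail gateway or attachment triage script would report."""
    exts = filename.lower().split(".")[1:]                 # every extension after the base name
    findings = []
    if len(exts) >= 2 and exts[-1] == "exe" and any(e in IMAGE_EXTS for e in exts[:-1]):
        findings.append("double extension: image name ending in .exe")
    if data[:2] == b"MZ" and any(e in IMAGE_EXTS for e in exts):
        findings.append("PE header behind an image-looking filename")
    ov = overlay_size(data)
    if ov:
        findings.append(f"{ov} bytes of overlay after the last PE section")
    return findings

def build_min_pe(overlay: bytes = b"") -> bytes:
    """Constructed sample: a minimal, non-runnable PE skeleton with one 16-byte
    .text section and no optional header, optionally followed by overlay data."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)      # i386, 1 section
    raw_ptr, raw_size = 0x40 + 4 + 20 + 40, 16                        # data right after the section table
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sect + b"\x90" * raw_size + overlay

if __name__ == "__main__":
    print(triage("MyPic.jpg.exe", build_min_pe(b"A" * 200)))        # all three findings
    print(triage("photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 60))     # []
```

Run against a real PE, a non-zero overlay is only a lead; compare it with the size of the security directory before treating it as wrapped content.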
