Tutorial To Compile Trojan Source Code and Embed it Into a Carrier File (trusted executable)

Open source malware forums openly share malware source code which can be used in targeted attacks. Educating people about the techniques used by malware authors is the first step to preventing these attacks. This tutorial aims to teach people how to set up an environment for developing trojans for Microsoft Windows. Additionally, this tutorial aims to teach people to bind their malicious application to a carrier file using an application binder, to demonstrate the more subversive techniques. This tutorial is for educational purposes only.

FBI-RAT is a Remote Administration Tool which enables an attacker to infect a victim's machine and gain total control of their file system, processes, network activity and more. Additionally, FBI-RAT has a user interface that handles hundreds of victims very well. As its source code is available online, it is an ideal candidate for demonstrating malware development.

Prerequisites (links at the bottom)
You need to install Windows XP 32 bit.
You need to install Microsoft Visual C++ 6.0 Standard Edition.
You need to install Windows Server 2003 SP1 Platform SDK.
You need to install a tool called Resource Hacker by Angus Johnson.
You need to download the libjpeg package from SourceForge.
You need to download a copy of the FBI-RAT source code.

Trojan Server Client Architecture
Trojans use an unusual reverse server client architecture where the server connects to the client. The server is the part that infects your victim; the client is used to send commands to your victims. Because the infected machine makes the outbound connection, this bypasses firewall rules that require a connection to be initiated from inside the network.
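The reverse connection described above is also what gives a defender a handle on it: the infected host has to make repeated outbound connections to the controller, and those show up in egress firewall logs. The following is an added example written for this page (not code from the tutorial or from FBI-RAT) that scans a constructed firewall log for Internet-bound connections on unexpected ports or at a near-constant interval. The log format, the addresses and the port allowlist are assumptions for the illustration; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for the Internet.

```python
"""Flag workstation-initiated outbound connections that look like a
reverse-connecting trojan "server" calling home to its controller.
Added example for this page, not part of the tutorial or of FBI-RAT;
the log format and the addresses below are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of an egress firewall log: host 10.0.0.5 reaches the
# same external host on port 1337 every 60 s, the beaconing pattern of a
# trojan whose connecting half runs on the victim.  One garbage line is
# included to show that malformed input is skipped, not fatal.
SAMPLE_LOG = """\
2013-04-09 21:00:01 ALLOW TCP 10.0.0.5:49152 -> 203.0.113.7:1337
2013-04-09 21:00:03 ALLOW TCP 10.0.0.9:49200 -> 198.51.100.20:443
2013-04-09 21:01:01 ALLOW TCP 10.0.0.5:49153 -> 203.0.113.7:1337
2013-04-09 21:01:40 ALLOW TCP 10.0.0.9:49201 -> 198.51.100.21:80
2013-04-09 21:02:01 ALLOW TCP 10.0.0.5:49154 -> 203.0.113.7:1337
2013-04-09 21:02:45 ALLOW TCP 10.0.0.9:49202 -> 10.0.0.1:445
2013-04-09 21:03:01 ALLOW TCP 10.0.0.5:49155 -> 203.0.113.7:1337
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# RFC 1918 ranges: traffic that stays inside them is not "calling home".
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destination ports a workstation is normally expected to reach externally
# (assumed allowlist for this illustration).
EXPECTED_PORTS = {80, 443}


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               m["src"], m["dst"], int(m["dport"]))


def find_reverse_connect_candidates(text, min_hits=3, max_jitter=5.0):
    """Return sorted (src, dst, dport, hits, reason) tuples.

    An Internet-bound (src, dst, dport) triple is reported when it uses a
    port outside EXPECTED_PORTS or when it repeats at a near-constant
    interval (standard deviation of the gaps <= max_jitter seconds)."""
    buckets = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        if is_internal(dst):
            continue
        buckets[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), stamps in buckets.items():
        reasons = []
        if dport not in EXPECTED_PORTS:
            reasons.append("unexpected port")
        if len(stamps) >= min_hits:
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if statistics.pstdev(gaps) <= max_jitter:
                reasons.append("periodic beacon every %.0fs" % statistics.mean(gaps))
        if reasons:
            findings.append((src, dst, dport, len(stamps), "; ".join(reasons)))
    return sorted(findings)


if __name__ == "__main__":
    for src, dst, dport, hits, reason in find_reverse_connect_candidates(SAMPLE_LOG):
        print("%s -> %s:%d (%d connections): %s" % (src, dst, dport, hits, reason))
```

On the sample log only the 10.0.0.5 to 203.0.113.7:1337 traffic is reported, for both reasons at once; the single connections to 443 and 80 pass, and the SMB connection to 10.0.0.1 is ignored as internal. Real C2 traffic often jitters its interval and uses 443, so the port allowlist and the jitter threshold are the knobs to tune, not the structure of the check.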

64bit or 32bit
Windows Server 2003 SP1 Platform SDK is picky about environment variables depending on your architecture.

To register the SDK bin, include, and library directories with Microsoft Visual Studio® version 6.0 and Visual Studio .NET, click Start, point to All Programs, point to Microsoft Platform SDK for Windows Server 2003 SP1, point to Visual Studio Registration, and then click Register PSDK Directories with Visual Studio. This registration process places the SDK bin, include, and library directories at the beginning of the search paths, which ensures that the latest headers and libraries are used when building applications in the IDE.

Note that for Visual Studio 6.0 integration to succeed, Visual Studio 6.0 must run at least once before you select Register PSDK Directories with Visual Studio. Also note that when this option is run, the IDEs should not be running.

To develop a 32-bit C/C++ application on 64-bit Windows, do not register environment variables when you install Visual C++ 6.0. Instead, open a command window and run Vcvars32.bat (from the Visual C++ \bin folder), followed by Setenv.bat (from the SDK bin folder), specifying the appropriate switches (such as /SVR32 /2000 /XP32).

Have a look at the help files for more information:
C:\Program Files\Microsoft Platform SDK\ReleaseNotes.Htm

Microsoft Visual C++ for Linux Users
Most Linux users are used to using "./configure", "make" and "gcc" to compile their source code. Microsoft Visual C++ comes with similar tools in the installation folder "C:\Program Files\Microsoft Visual Studio\VC98\bin". The application "cl.exe" is the compiler and "nmake.exe" is the build tool that interprets makefiles (the counterpart of make).

Environment Variables
When installing Visual C++ be sure to add environment variables. The "path" variable should contain:

C:\Program Files\Microsoft Platform SDK\Bin;
C:\Program Files\Microsoft Visual Studio\Common\Tools\WinNT;
C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin;
C:\Program Files\Microsoft Visual Studio\Common\Tools;
C:\Program Files\Microsoft Visual Studio\VC98\bin

Setting up libjpeg
1. Decompress the libjpeg package.
2. Change into the jpeg-6b directory using cmd.exe.
3. Rename jconfig.vc to jconfig.h.
4. Run: nmake /f makefile.vc all
5. Copy the compiled jpeg-6b folder so that it sits alongside the other Platform SDK folders: C:\Program Files\Microsoft Platform SDK\jpeg-6b
Done!

Page 3: Tutorial to Compile Trojan Source Code and Embed it Into a Carrier File

Configure Visual C++ to include libraries and header files
Despite the installation instructions in the Windows Server 2003 SP1 Platform SDK (which made no difference to my environment), you should still add the following libraries and header files to your build path inside the Visual C++ IDE application.

Open Visual C++ -> Tools -> Options -> Directories tab.

1. Select "Include files" from the "Show directories for" drop down menu and add
C:\Program Files\Microsoft Platform SDK\Include
C:\Program Files\Microsoft Platform SDK\jpeg-6b

2. Select "Library files" from the "Show directories for" drop down menu and add
C:\Program Files\Microsoft Platform SDK\Lib

3. Select "Source files" from the "Show directories for" drop down menu and add
C:\Program Files\Microsoft Platform SDK\Src

Ensure the Include, Src and Lib directories are located at the top of the list.

Setting the Build Type in Visual C++ (debug/release)
Open an FBI-RAT workspace in Visual C++ by opening "Server.dsw". In Visual C++ set the build type by pressing Build -> Configurations -> Release. Do this for all the workspaces: "Server.dsw", "FBIClient.dsw" and "Injection.dsw". When building in debug mode, the names of the pre-compiled Windows libraries are usually appended with the letter "d". For example "nafxcw.lib" -> "nafxcwd.lib".

Compile FBI-RAT
Open the server workspace for FBI-RAT in Visual C++: "FBI-RAT\Injection\Server\Server.dsw"
Step 1: press Build -> Clean
Step 2: then press Build -> Build server.exe

The output should be located in "FBI-RAT\Injection\Server\Release". Repeat those steps for the other workspaces "FBI-RAT\Injection\Injection.dsw" and "FBI-RAT\FBIClient\FBIClient.dsw".

Bind server.exe to an innocent file
1. Place a copy of calc.exe on your desktop.
2. Open the command line cmd.exe.
3. Launch the Microsoft application iexpress.exe in the command line.
4. Select "create new self extraction directive" and press next.
5. Select "extract files and run an installation command" and press next.
6. Enter "Calculator" as the package title and press next.
7. Select "no prompt" and press next.
8. Select "do not display a licence" and press next.
9. Add calc.exe and server.exe and press next.
10. Select calc.exe as the "install program" and server.exe as the "post install command" and press next.
11. Set your install program to be displayed using the default settings and press next.
12. Select "no message" and press next.
13. Select a target path for your new bound file such as "malicious.exe" on the desktop.
14. Select "hide extraction process from user" and press next.
15. Select "no restart" and press next.
16. Select "don't save" and press next.
17. Press next, next, finish.
18. Your bound file should be on the desktop.

Cosmetic Adjustment
The malicious file will have an unusual looking icon that does not look like the original calc.exe. You can use Resource Hacker to extract the icon from calc.exe and replace the icon in malicious.exe. You can use Resource Hacker to remove the strings and version info added by iexpress.exe.

Detectability
Try uploading server.exe to VirusTotal to see its detectability. Try making small modifications to your source code, compile it again, upload the new server.exe to VirusTotal and take note of the new detectability results.

After compilation (2/46) - https://www.virustotal.com/en/file/ed7f0ccf48785d1cc59df24afd545c92aff27e65e44ee8febdccb4bd6954d019/analysis/1365542456/

After binding and removing strings (7/46) - https://www.virustotal.com/en/file/2c6b7a2ffa1fa71051024533619dbc47a9029837193f8224ad4cacbd01165fd5/analysis/1365546255/

Notes:
The Windows Server 2003 Platform SDK will also enable programmers to use winsock.h.
This tutorial should be a good starting point for all beginner Windows developers.

Screenshots

Figure 1 - FBI-RAT Screenshot.

Figure 2 - Library Setup Screenshot.

Figure 3 - Build Type Setup Screenshot.

Conclusion
The process of compiling source code for known malware and submitting it to VirusTotal has the potential to be an educational game for people interested in Information Security research. The game goes as follows:

1. Each student gets a copy of the source code and sets up their own environment.
2. Each student must compile the source code without help and submit a malicious binary to VirusTotal.
3. The student must modify the executable file using malware evasion techniques in order to reduce the detection rate on VirusTotal.
4. The student with the lowest number of AV detections wins the game.

Cheating can be prevented by taking the SHA hash from the student's submission on VirusTotal and comparing it to the hash of a local working copy, which they must verify by infecting a virtual machine and controlling it.
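Two of the checks above can be scripted: the hash comparison that the conclusion proposes for catching cheating, and a first-pass look at whether a submitted binary is the kind of carrier package the Detectability section measured. The following is an added example written for this page (not code from the tutorial or from FBI-RAT). It pulls the SHA-256 out of a VirusTotal report URL (the URLs quoted on this page carry the hash in their path) and compares it with a local file, and it scans a PE for two real format markers that betray a wrapper: the "MSCF" header of a CAB archive, which is the container IExpress packages use, and a second "MZ" header whose e_lfanew field points at a valid "PE\0\0" signature. The byte strings it runs on are constructed stand-ins, not real binaries, and the scan is a heuristic, not a replacement for unpacking the file.

```python
"""Check that the binary a student reports on VirusTotal is the copy they
hold locally, and spot carrier packages that wrap another file.  Added
example written for this page, not part of the tutorial or FBI-RAT; the
sample byte strings below are constructed stand-ins, not real binaries."""
import hashlib
import re
import struct

# VirusTotal file report URLs look like .../file/<sha256>/analysis/<ts>/
VT_URL_RE = re.compile(r"virustotal\.com/.*?/file/([0-9a-fA-F]{64})/")


def sha256_from_vt_url(url):
    """Extract the SHA-256 that VirusTotal embeds in a file report URL."""
    m = VT_URL_RE.search(url)
    if not m:
        raise ValueError("no SHA-256 found in VirusTotal URL: %r" % url)
    return m.group(1).lower()


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def matches_submission(data, vt_url):
    """True if the local bytes hash to the SHA-256 in the VirusTotal URL."""
    return sha256_of(data) == sha256_from_vt_url(vt_url)


def find_all(data, needle, start=0):
    """Yield every offset of needle in data at or after start."""
    off = data.find(needle, start)
    while off != -1:
        yield off
        off = data.find(needle, off + 1)


def embedded_payload_indicators(data):
    """Heuristic scan for a 'bound' executable.

    Returns (kind, offset) hits: a CAB archive header ('MSCF', the container
    IExpress packages use) or a second PE image ('MZ' whose e_lfanew field
    at +0x3C points at a 'PE\\0\\0' signature) found past the outer file's
    own DOS header.  A plain, unwrapped program yields an empty list."""
    if data[:2] != b"MZ":
        return [("not a PE file", 0)]
    hits = []
    for off in find_all(data, b"MSCF", 64):
        hits.append(("cab archive", off))
    for off in find_all(data, b"MZ", 64):
        if off + 0x40 > len(data):
            continue  # too short to hold a DOS header
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        sig = data[off + e_lfanew:off + e_lfanew + 4]
        if sig == b"PE\0\0":
            hits.append(("embedded PE", off))
    return sorted(hits, key=lambda h: h[1])


def fake_pe(padding=32):
    """Constructed minimal stand-in for a PE: DOS header + PE signature."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    return dos_header + b"PE\0\0" + b"\0" * padding


CLEAN_PE = fake_pe()
# carrier stub + CAB header + second PE image, the shape of a bound file
BOUND_PE = fake_pe() + b"MSCF" + b"\0" * 16 + fake_pe()
# First VirusTotal URL quoted on this page; the constructed bytes will not match it.
PAGE_VT_URL = ("https://www.virustotal.com/en/file/"
               "ed7f0ccf48785d1cc59df24afd545c92aff27e65e44ee8febdccb4bd6954d019/"
               "analysis/1365542456/")

if __name__ == "__main__":
    print("clean:", embedded_payload_indicators(CLEAN_PE))
    print("bound:", embedded_payload_indicators(BOUND_PE))
    print("matches page submission:", matches_submission(CLEAN_PE, PAGE_VT_URL))
```

For real files, read them in binary mode and pass the bytes to both functions; the hash check settles whether the VirusTotal report and the local copy are the same artifact, and a non-empty indicator list is the cue to unpack the file and analyse the carried payload separately rather than trust the detection count of the wrapper.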

Sources:
Get a copy of FBI-RAT source code
http://www.megapanzer.com/wp-content/uploads/FBI-RAT.zip
Download a copy of Visual C++
http://www.4shared.com/rar/_Z3R04wm/Microsoft_Visual_C_60_Standard.html
How to compile libjpeg
http://www.stillhq.com/panda/panda-documentation/000010.html
Resource Hacker
http://www.angusj.com/resourcehacker/
Windows Server 2003 SP1 Platform SDK
http://www.microsoft.com/en-ie/download/details.aspx?id=6510