Writting malware tips

I am writitng a basic malware. it is kind of ransomware and other fucntions , but I am here to question something. how people spread their malware over the network? by copying itself and keeping the orignal where was download or should I spawn another process delete original and move to actual process to continue ? or just copying itself to every location and run without remove orignal?

this is my structure of my malware

./malwre.cpp
anti_reverse.cpp
anti_reverse.h
cipher.cpp
cipher.h
cnc.cpp
cnc.h
common.cpp
common.h
gather.cpp
gather.h
malwre.cpp

  • Modular - can be expanded at runtime with more modules
  • Basic functionality has small binary
  • Anti_checks (vm,sandox,re,debugger)
  • Hides in legitimate dll in process
  • encrypt files
2 Likes

Malware usually propagates via social engineering or an exploit, so copies are sent.

1 Like

if I thinking about copying itself over drives , but I made a mistake it never going to replicate over the network because it needs being click and shares , hdd , remote hdd , so on . acts like normal HDD. however malware without an 0day to spread over network only works with a single pc right.

Yeah if you don’t have an exploit then you’re not automatically going anywhere besides the current victim.

do you have any article how can I integrate the eternalblue exploit as exploit example into c++ to spread in controlled lab?

If you have an up to date (as of May 2017) Metasploit, there’s a module for it. You could look at that (should be easy to read Ruby) and build it into whatever you need from there. https://blog.rapid7.com/2017/05/19/metasploit-the-power-of-the-community-and-eternalblue/

I know there is a module , but how wannacry was added with the 0day on java?

I don’t know what you mean about Java, as far as I know Metasploit exploits are always written in Ruby.

Ransomware that I have seen spread, was based off an infected computer, then when that computer had a external device plugged in, it would copy over to that. Then it would install the next victim, the next then would FUD to files attached to PDF’s and Excel Spreadsheets. Which then usually got uploaded to a file server connected to mutiple networks nd VPNs.

this technique is kind of social engineering right. it needs to click on the exe after it is copied to the drive

Yes, you either have an exploit or you exploit the user. There’s no other way.

If you like we can work together send me the original one so that i can use it to create result box

This topic was automatically closed after 30 days. New replies are no longer allowed.