1
00:00:00,500 --> 00:00:01,870
In this short demonstration

2
00:00:01,870 --> 00:00:05,010
I want to show you how easy it can be to create a virus.

3
00:00:05,010 --> 00:00:06,950
So I have two machines set up here.

4
00:00:06,950 --> 00:00:08,940
I have one on the left, which will be my attacker

5
00:00:08,940 --> 00:00:11,840
and one on the right, which will be my victim.

6
00:00:11,840 --> 00:00:14,030
On the attacker's machine I'm running a program called

7
00:00:14,030 --> 00:00:17,440
Virus Maker 3.0 or JPS.

8
00:00:17,440 --> 00:00:19,940
Here are basically point and click options

9
00:00:19,940 --> 00:00:21,390
of all the things that I can do

10
00:00:21,390 --> 00:00:23,070
to that machine on the right.

11
00:00:23,070 --> 00:00:25,260
For our example I'm going to do one that's easy to see,

12
00:00:25,260 --> 00:00:27,240
it's called crazy mouse.

13
00:00:27,240 --> 00:00:29,890
So I'll then click that and then I'm going to select

14
00:00:29,890 --> 00:00:32,200
what do I want it to be called after installation.

15
00:00:32,200 --> 00:00:34,390
We'll go ahead and call it the service host,

16
00:00:34,390 --> 00:00:36,460
and what do we want the server name to be called,

17
00:00:36,460 --> 00:00:37,293
the file name.

18
00:00:37,293 --> 00:00:40,370
I'm going to go ahead and call it Explorer.exe.

19
00:00:40,370 --> 00:00:42,240
You could really choose whatever you want,

20
00:00:42,240 --> 00:00:44,920
it just depends on how sneaky you're trying to be.

21
00:00:44,920 --> 00:00:46,150
Now the next thing I'm going to do

22
00:00:46,150 --> 00:00:47,813
is I'm going to create that virus.

23
00:00:48,650 --> 00:00:50,890
At this point that has been created and saved

24
00:00:50,890 --> 00:00:52,570
to my downloads folder.

25
00:00:52,570 --> 00:00:54,140
Now at this point I need my victim

26
00:00:54,140 --> 00:00:55,970
to be able to download this virus.

27
00:00:55,970 --> 00:00:57,610
There's lots of ways to do that

28
00:00:57,610 --> 00:00:59,530
based on your social engineering,

29
00:00:59,530 --> 00:01:02,200
tying this virus into another program,

30
00:01:02,200 --> 00:01:04,240
using a spear phishing campaign,

31
00:01:04,240 --> 00:01:07,310
putting it as a rogue download, all sorts of things.

32
00:01:07,310 --> 00:01:08,690
For this particular example, though,

33
00:01:08,690 --> 00:01:10,250
I'm just going to show you the effect

34
00:01:10,250 --> 00:01:13,310
if the person was able to download it and if they ran it.

35
00:01:13,310 --> 00:01:15,330
So at this point the user has been tricked,

36
00:01:15,330 --> 00:01:17,470
they've downloaded the file and now they run it,

37
00:01:17,470 --> 00:01:20,070
because they think it's a game or whatever else it is.

38
00:01:20,070 --> 00:01:21,870
In this case they think it is a picture.

39
00:01:21,870 --> 00:01:23,450
If we go ahead and run that.

40
00:01:23,450 --> 00:01:24,600
Let's see what happens.

41
00:01:25,970 --> 00:01:27,800
There you can see the mouse just starts going,

42
00:01:27,800 --> 00:01:29,390
jumping all over the screen,

43
00:01:29,390 --> 00:01:31,080
so that if I wanted to try and open something

44
00:01:31,080 --> 00:01:32,430
like the trash can, I can't,

45
00:01:32,430 --> 00:01:33,480
because every time I click on it

46
00:01:33,480 --> 00:01:35,400
it jumps away someplace else.

47
00:01:35,400 --> 00:01:37,620
That's the idea of this very simple virus.

48
00:01:37,620 --> 00:01:38,680
It's just a nuisance,

49
00:01:38,680 --> 00:01:41,440
it's trying to cause a problem for them.

50
00:01:41,440 --> 00:01:42,970
Now let me show you an example

51
00:01:42,970 --> 00:01:46,550
of what a Remote Access Trojan or RAT looks like.

52
00:01:46,550 --> 00:01:48,480
Now on the left is my attacking machine

53
00:01:48,480 --> 00:01:51,200
and on the right is my victim machine.

54
00:01:51,200 --> 00:01:54,420
So I'm using a program called ProRat.

55
00:01:54,420 --> 00:01:57,980
So the first thing I want to do is create a ProRat server.

56
00:01:57,980 --> 00:01:59,780
I'm going to click on general settings,

57
00:01:59,780 --> 00:02:01,870
and from here you can see the port it's going to operate on,

58
00:02:01,870 --> 00:02:05,350
5110, which I can change to anything I want.

59
00:02:05,350 --> 00:02:08,830
The server password, in this case 12345, again,

60
00:02:08,830 --> 00:02:12,340
not very secure, but for our lab purposes it's just fine.

61
00:02:12,340 --> 00:02:14,680
Then the victim's name if we have it.

62
00:02:14,680 --> 00:02:17,320
From here we can give them error messages,

63
00:02:17,320 --> 00:02:19,930
we can melt the server on install, which means

64
00:02:19,930 --> 00:02:22,690
once the ProRat has been installed on the victim computer

65
00:02:22,690 --> 00:02:25,800
it will delete itself while still maintaining a connection,

66
00:02:25,800 --> 00:02:28,760
we can kill the antivirus and firewall on start,

67
00:02:28,760 --> 00:02:30,470
we can disable security center

68
00:02:30,470 --> 00:02:31,937
and all sorts of other things like that.

69
00:02:31,937 --> 00:02:34,650
I'm going to go ahead and give a fake error message here,

70
00:02:34,650 --> 00:02:37,070
saying you have been hacked.

71
00:02:37,070 --> 00:02:38,690
Now normally you wouldn't want to send a message

72
00:02:38,690 --> 00:02:40,720
to your user showing that they've been hacked,

73
00:02:40,720 --> 00:02:41,730
but I just want to show it to you

74
00:02:41,730 --> 00:02:43,290
for demonstration purposes,

75
00:02:43,290 --> 00:02:45,070
maybe you're doing this as a ransomware

76
00:02:45,070 --> 00:02:46,330
and you've encrypted their files.

77
00:02:46,330 --> 00:02:48,260
This is a way to send them a message saying

78
00:02:48,260 --> 00:02:50,510
you need to pay me if you want access to it,

79
00:02:50,510 --> 00:02:52,400
and from there we'll just go down

80
00:02:52,400 --> 00:02:55,030
and we can go ahead and hit create server.

81
00:02:55,030 --> 00:02:57,480
From there the server is going to be created for us.

82
00:02:58,530 --> 00:02:59,630
Go ahead and hit okay.

83
00:03:00,580 --> 00:03:02,250
So if we want to be a little trickier

84
00:03:02,250 --> 00:03:04,250
we're going to go ahead and bind it with a file.

85
00:03:04,250 --> 00:03:07,320
So we're going to select a picture, in this case the desert,

86
00:03:07,320 --> 00:03:09,180
go ahead and hit open on that.

87
00:03:09,180 --> 00:03:11,930
Then we're going to give it another server extension here.

88
00:03:11,930 --> 00:03:16,930
We want to call it EXE, SCR, COM, PIF, or BAT.

89
00:03:16,950 --> 00:03:18,840
EXE will be just fine.

90
00:03:18,840 --> 00:03:21,050
For the icon what do we want this to look like?

91
00:03:21,050 --> 00:03:23,000
Well we want it to look like a photo.

92
00:03:23,000 --> 00:03:25,150
So we're going to go ahead and make it a JPEG.

93
00:03:26,450 --> 00:03:29,093
Then we can go ahead and hit create the server,

94
00:03:31,860 --> 00:03:33,440
and this is going to be in our current directory,

95
00:03:33,440 --> 00:03:35,850
so if I look back in my current directory

96
00:03:35,850 --> 00:03:40,320
I now have the bound server with a JPEG icon.

97
00:03:40,320 --> 00:03:42,370
From here we can go ahead and rename it

98
00:03:42,370 --> 00:03:43,770
and let's call it desert.

99
00:03:43,770 --> 00:03:46,740
So now they think they're getting a photo of the desert.

100
00:03:46,740 --> 00:03:49,330
At this point, again, we would use some form of trickery

101
00:03:49,330 --> 00:03:51,420
or social engineering to get it to them

102
00:03:51,420 --> 00:03:54,480
and once we do it'll be on their desktop.

103
00:03:54,480 --> 00:03:56,170
So at this point I've tricked the user

104
00:03:56,170 --> 00:03:57,800
and they now have the file.

105
00:03:57,800 --> 00:03:59,660
They're going to go ahead and open that file

106
00:03:59,660 --> 00:04:01,170
and when they run that file

107
00:04:02,070 --> 00:04:04,820
you're going to see the error message that we told it to have.

108
00:04:04,820 --> 00:04:07,210
There is the picture and you've been hacked.

109
00:04:07,210 --> 00:04:09,290
Uh-oh, now what's going on?

110
00:04:09,290 --> 00:04:11,360
Let's go ahead onto our target machine

111
00:04:11,360 --> 00:04:14,170
and connect to that server that's now been installed.

112
00:04:14,170 --> 00:04:17,130
Again, we're going to use our password 12345.

113
00:04:17,130 --> 00:04:19,610
At this point we now have access to that machine.

114
00:04:19,610 --> 00:04:21,970
We can find out information about it.

115
00:04:21,970 --> 00:04:24,700
In this case if we go ahead and get the system information

116
00:04:24,700 --> 00:04:27,510
I know now the computer name is Bob Sails.

117
00:04:27,510 --> 00:04:29,330
I know what kind of machine it is,

118
00:04:29,330 --> 00:04:33,230
it's using English for its language, system 32 is its path,

119
00:04:33,230 --> 00:04:35,000
I find out what kind of users it has,

120
00:04:35,000 --> 00:04:37,350
I find out the date and time of the machine,

121
00:04:37,350 --> 00:04:38,980
all of that information,

122
00:04:38,980 --> 00:04:40,720
and if I close this on the right,

123
00:04:40,720 --> 00:04:42,100
that'll move out of the way,

124
00:04:42,100 --> 00:04:44,080
we can get all that information here

125
00:04:44,080 --> 00:04:47,350
from our attacking machine about our victim machine.

126
00:04:47,350 --> 00:04:50,260
We can also look at the last 25 websites they visited

127
00:04:50,260 --> 00:04:51,920
and maybe that would be something that would be helpful

128
00:04:51,920 --> 00:04:53,360
for us to be able to attack.

129
00:04:53,360 --> 00:04:56,070
We can take screenshots and we can actually open it

130
00:04:56,070 --> 00:04:59,040
and see what we're going to see, so if I do a screenshot

131
00:04:59,040 --> 00:05:00,500
I see what's on their screen.

132
00:05:00,500 --> 00:05:04,660
So if they're on a website like Google here,

133
00:05:04,660 --> 00:05:06,150
which is not going to connect because I'm in a

134
00:05:06,150 --> 00:05:09,790
live environment here that's disconnected from the machine,

135
00:05:09,790 --> 00:05:12,150
I'll go ahead and hit snapshot and now I can see that.

136
00:05:12,150 --> 00:05:14,630
If they had a webcam I could view their webcam.

137
00:05:14,630 --> 00:05:17,050
Again, I have lots of access to do whatever it is

138
00:05:17,050 --> 00:05:18,990
we want to do on this machine.

139
00:05:18,990 --> 00:05:20,980
I can send them messages if I want.

140
00:05:20,980 --> 00:05:24,000
So I can do a message and say test

141
00:05:25,100 --> 00:05:26,750
and I'll say I don't work for you anymore.

142
00:05:26,750 --> 00:05:29,270
So we're going to go ahead and send that over there

143
00:05:29,270 --> 00:05:32,130
and there it is, I'm sorry I don't work for you anymore.

144
00:05:32,130 --> 00:05:35,180
So you can see the power of a remote access tool.

145
00:05:35,180 --> 00:05:38,100
So this allows me to do all sorts of different stuff.

146
00:05:38,100 --> 00:05:40,650
Again, I can take their files, I can

147
00:05:40,650 --> 00:05:42,820
mess with their registry, I can go through

148
00:05:42,820 --> 00:05:43,890
and look at all their files,

149
00:05:43,890 --> 00:05:46,260
I can FTP over and grab their files,

150
00:05:46,260 --> 00:05:47,700
I can chat over to them.

151
00:05:47,700 --> 00:05:49,610
I can do some funny stuff, maybe it's my friend

152
00:05:49,610 --> 00:05:50,970
and I'm just trying to show them

153
00:05:50,970 --> 00:05:52,490
that I have access to their machine.

154
00:05:52,490 --> 00:05:55,190
For instance I can hide their desktop icons.

155
00:05:55,190 --> 00:05:57,530
Now you should be able to see that that is gone

156
00:05:57,530 --> 00:05:59,830
and then I can show their icons and then they're back.

157
00:05:59,830 --> 00:06:03,140
I can make the mouse go crazy and then I can fix it.

158
00:06:03,140 --> 00:06:06,530
I can flip their screen upside down and then I can fix it.

159
00:06:06,530 --> 00:06:10,070
So you can do all sorts of different things on this machine

160
00:06:10,070 --> 00:06:12,860
and take control and do whatever it is that we want,

161
00:06:12,860 --> 00:06:16,443
because we have that remote access to them.