Internet WORM Getting Started By Koms Bomb
Disclaimer: if someone writes a malicious virus after reading this article, that has nothing to do with me or this article. I only discuss some theoretical knowledge.
Purpose of this article: 1. Popularization. Even the old-timers (talking about me? depressing) need to understand this, so a good programmer had better understand how some viruses work too. 2. To carry forward China's virus scene. Why carry it forward? Go read my other articles.
I. How an Internet worm spreads. An Internet worm, as the name says, is a worm whose main propagation path is the Internet. The joke definition is that it is called a worm because it is bigger than a virus: a virus is usually a few KB, a microorganism, while a worm is usually tens to hundreds of KB, a big bug (this definition is a pain :)). The real distinction is that a virus attaches itself to host files, while a worm carries everything it needs to spread from machine to machine on its own; the size difference is only a side effect. Of the Internet paths, the most important is email: an employee of a big company may not go online to read news, but it is unlikely that a day passes without them receiving mail. The representatives of this class are Sircam and Klez. Besides mail, a worm can spread through vulnerabilities in Internet servers, the various IIS vulnerabilities above all; the representatives of this class are Code Red II and Nimda. Of course a worm usually has more than one propagation path, and may use them concurrently. Nimda, for example, has four: IIS, email, network shares, and local file infection. But its success came mainly from IIS; its email propagation was so poor that it was not even on the same order of magnitude as Sircam and Klez. This tutorial concentrates on mail worms because they are the most representative.
II. What a worm does once it runs on the user's machine. The user carelessly clicks the attachment, and our lovely worm starts. First, it has to make itself resident in the system. Usually this means copying itself somewhere (Sircam makes its home in the Recycle Bin), then modifying the registry, or simply registering itself as a system service, so that it runs every time Windows starts. Then, heh, it infects local files, collects email addresses, and mails itself out. Once you are living on the user's machine, you can do whatever you want.
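The persistence step above is the first thing an incident responder goes looking for, so here is the defender's side of it as an added example (not code from the original article, and not from any of the worms discussed). The Python below audits an exported registry file (REGEDIT4 text, as produced by `regedit /e` on the systems of that era) for the two changes this paragraph describes: an autorun entry whose program lives somewhere odd such as the Recycle Bin, and a hijacked exefile open command (the trick Sircam used so that it ran every time any .exe was launched). The export text is constructed for the example and the value names in it are hypothetical.

```python
import re

# Registry keys whose values are executed at every Windows start (Win9x/NT).
AUTORUN_KEY_SUFFIXES = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Microsoft\Windows\CurrentVersion\RunServices",
)
# A legitimate autorun program does not live in these directories.
SUSPECT_DIRS = ("\\recycled\\", "\\recycler\\", "\\temp\\")
# The exefile open command; anything but the default means every .exe launch
# goes through someone else's program first.
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)=(?:"((?:[^"\\]|\\.)*)"|(.+))$')


def unescape(value: str) -> str:
    # Undo REGEDIT4 string escapes: a doubled backslash and a backslash-quote.
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_reg_export(text: str) -> dict:
    """Parse a REGEDIT4 export into {key_path: {value_name: value}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None or not line or line.startswith(";"):
            continue
        m = VALUE_RE.match(line)
        if m:
            name = m.group(1) if m.group(1) is not None else "@"
            raw = m.group(2) if m.group(2) is not None else m.group(3)
            keys[current][name] = unescape(raw)
    return keys


def executable_of(command: str) -> str:
    """Return the program path from a command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def audit_autoruns(text: str) -> list:
    """Finding codes for suspicious autoruns and an exefile hijack."""
    findings = []
    suffixes = tuple(s.upper() for s in AUTORUN_KEY_SUFFIXES)
    for key, values in parse_reg_export(text).items():
        if key.upper().endswith(suffixes):
            for name, command in values.items():
                exe = executable_of(command)
                if any(d in exe.lower() for d in SUSPECT_DIRS):
                    findings.append(f"AUTORUN_SUSPECT_DIR:{name}:{exe}")
        elif key.upper() == EXEFILE_KEY.upper():
            command = values.get("@", EXEFILE_DEFAULT)
            if command != EXEFILE_DEFAULT:
                findings.append(f"EXEFILE_HIJACK:{executable_of(command)}")
    return findings


# Constructed REGEDIT4 export for the example (not a real machine's registry).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Driver32"="C:\\RECYCLED\\wormcopy.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\RECYCLED\\wormcopy.exe\" \"%1\" %*"
"""

if __name__ == "__main__":
    for finding in audit_autoruns(SAMPLE_EXPORT):
        print(finding)
```

The exefile check matters more than it looks: with the open command hijacked, deleting the autorun value alone leaves the machine unable to start any .exe if the worm copy is removed, which is why clean-up must restore that key first.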
III. How to get email addresses. The Outlook Express WAB (address book) file, HTML files, other web files (ASP, PHP), and the address books of the various instant messaging tools (MSN, ICQ) are where email addresses live. A little string handling is enough to parse them. But do not use MAPI; it ties you too tightly to Outlook Express.
IV. How to send yourself. To send email you naturally use the SMTP protocol, and again there is no need for MAPI. SMTP is as simple as its name says. The good worms, Sircam and Klez, each carry their own SMTP engine.
V. Which system vulnerability to use? That depends on what you find. After Nimda broke out there was no point studying the Unicode vulnerability any more; almost every web server had patched that big hole. Either discover a new vulnerability or use one of the "long-lived" ones. For example, the IFRAME vulnerability that Klez uses (an Internet Explorer MIME-handling flaw: an executable attachment declared with an audio type such as audio/x-wav and referenced from an IFRAME runs as soon as the mail is previewed) had been public for more than a year, yet Klez still used it to amazing effect.
VI. Is local infection necessary? Yes. The reason everyone agrees that Nimda and Klez are so hard to eradicate is that they infect local files. With Sircam, on the other hand, you fix the registry, empty the Recycle Bin, and it is gone. A typical worm's file infection is not a true infection in the sense of a PE virus; it is either a trojanizing infection (Nimda) or a companion infection (Klez). Nimda, for example, infects by storing the original program in its own resource section, as a resource, using APIs such as UpdateResource on Windows 2000 (which is apparently not available on 98). It is rather stupid about it, though: it reinfects files it has already infected, so a file of a few hundred KB ends up a few MB.
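Sections IV and V describe the worm's mail side: a self-contained SMTP engine sends the worm body as an attachment, and the IFRAME trick gets it executed without a click. The following Python script is an added example, not code from the original article or from any of the worms it discusses; it is the check a mail gateway or incident responder would run over a raw message to catch exactly that pattern: an executable attachment, a declared MIME type that lies about it, a payload that starts with the PE "MZ" signature, and an IFRAME whose src points at that attachment by Content-ID. The two messages and the base64 payload are constructed for the example; the auto-play MIME types listed are an assumption about what an IE of that era would render inline.

```python
import email
import os
import re
from email import policy

# Extensions Windows runs directly; such an attachment is the worm body itself.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}
# Types assumed to be rendered inline by IE 5.x; declaring an .exe as one of
# these and referencing it from an IFRAME is the auto-run trick.
AUTOPLAY_TYPES = {"audio/x-wav", "audio/wav", "audio/x-midi", "audio/midi"}
IFRAME_CID_RE = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)


def triage_message(raw: bytes) -> list:
    """Return finding codes for one raw RFC 822 message (empty if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    html_bodies = []
    attachments = {}  # Content-ID (or filename) -> filename

    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        filename = part.get_filename()
        if filename is None:
            if ctype == "text/html":
                html_bodies.append(part.get_content())
            continue
        ext = os.path.splitext(filename.lower())[1]
        cid = (part.get("Content-ID") or "").strip("<> ")
        attachments[cid or filename] = filename
        if ext in EXECUTABLE_EXTS:
            findings.append(f"EXEC_ATTACHMENT:{filename}")
        if ctype in AUTOPLAY_TYPES and ext in EXECUTABLE_EXTS:
            findings.append(f"MIME_MISMATCH:{filename}:{ctype}")
        payload = part.get_payload(decode=True) or b""
        # A PE file starts with "MZ"; an audio or image type carrying one is a lie.
        if payload[:2] == b"MZ" and not ctype.startswith("application/"):
            findings.append(f"MZ_PAYLOAD:{filename}:{ctype}")

    # An IFRAME that loads an attachment by cid: is the auto-execution hook.
    for html in html_bodies:
        for m in IFRAME_CID_RE.finditer(html):
            if m.group(1) in attachments:
                findings.append(f"IFRAME_CID:{attachments[m.group(1)]}")
    return findings


# Constructed message in the shape the page describes (not a real worm sample).
# The base64 is a few bytes of a DOS/PE header, enough to start with "MZ".
SAMPLE_WORM_MAIL = b"""From: alice@example.com
To: bob@example.com
Subject: a funny website
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body>
<iframe src="cid:worm.exe" width=0 height=0></iframe>
</body></html>
--B1
Content-Type: audio/x-wav; name="worm.exe"
Content-Transfer-Encoding: base64
Content-ID: <worm.exe>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA
--B1--
"""

# Constructed control message with nothing to flag.
SAMPLE_CLEAN_MAIL = b"""From: carol@example.com
To: bob@example.com
Subject: lunch?
Content-Type: text/plain

noon at the usual place
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE_WORM_MAIL))
    print(triage_message(SAMPLE_CLEAN_MAIL))
```

Each check stands on its own on purpose: a later worm may drop the IFRAME and rely on the user double-clicking, but the executable extension and the "MZ" signature under an audio type still fire, which is the point of looking at the payload rather than trusting the declared type.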
VII. What language to write a worm in. Any language that can be compiled: assembly, VC, Delphi, even SQL or PHP. But to write one well, I recommend assembly or C/C++, and C/C++ above all, because a worm generally does not care much about size and C/C++ is more flexible. If you had to do in assembly the string handling that the Klez body does to generate its mail subjects and bodies, the workload would be far greater. The most famous worms are almost all written in C/C++: Nimda, Klez. Sircam is written in Delphi. But a worm that statically links the VCL or MFC (a static framework, in short) is stupid: nobody will believe a three or four hundred KB worm will spread like Sircam, Nimda or Klez, unless every personal connection in the world has 1 Mbit of bandwidth.
VIII. What else should I pay attention to? You are asking me??? A worm is simpler than a PE virus, but the other side has all sorts of means too, and will play with you.
10 p.m., June 4, 2002. Koms Bomb, drinking beer. Reprints welcome; please keep "by Koms Bomb".