
7zBlade


Gandalf the l33er


Dear everybody...

Just finished a version of the USB Switchblade, where all the files are stored in a 7zip file.  The password for the file is haxx0r.  The advantage is that virus scanners can't find harmful files inside an encrypted archive, + smaller overall size (around 1 MB).

It works no matter where you place it, in any folder on any drive.

Files included:

Start.vbs: Runs run.bat in "silent" mode, VERY silent, NO black popups are shown

Run.bat: Decrypts and extracts the image.7z using 7z.exe (7-zip command-line version) and runs the specified commands.

7z.exe: 7-zip CLI.  (http://www.7-zip.org/)

image.7z: A 7z archive encrypted with the password "haxx0r", containing the bin files.

NEWEST version:

ONLY 560 kb! Uses %temp% and finishes in about 19 seconds! Includes msn chatlog stealer

Direct link

OLD version:

Myupload

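The launch chain the first post describes (a .vbs started silently, which runs a .bat, which calls 7z.exe to unpack an encrypted archive into %temp%) is exactly the kind of parent/child sequence a defender can hunt for in process-creation logs. The following is an added example and is not part of the thread or of 7zBlade: a small Python detector run over a constructed process log. The PIDs, paths, drive letter and the log format are assumptions made for the example, not a real Sysmon export.

```python
"""Toy detection for a script-host -> cmd -> 7z.exe extraction chain.

Added example; events below are a constructed process-creation log."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


# Constructed sample log: one suspicious chain (explorer -> wscript -> cmd -> 7z)
# and one benign 7-Zip use from an interactive cmd prompt.
CONSTRUCTED_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(501, 400, r"C:\Windows\System32\wscript.exe", r'wscript.exe "E:\Start.vbs"'),
    ProcEvent(502, 501, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "E:\run.bat"'),
    ProcEvent(503, 502, r"E:\7z.exe",
              r"E:\7z.exe x -phaxx0r image.7z -oC:\Users\bob\AppData\Local\Temp\out"),
    ProcEvent(600, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(601, 600, r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe a backup.7z C:\Users\bob\Documents"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe"}       # 7-Zip command-line binaries
PASSWORD_SWITCH = re.compile(r"(^|\s)-p\S*")        # 7z's -p<password> switch
TEMP_OUTPUT = re.compile(r"-o\S*\\Temp\\", re.I)    # -o<dir> pointing under a Temp folder


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Walk parent links upward; stop at the root or on a cycle."""
    chain, seen, cur = [], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def detect(events: list) -> list:
    """Flag a 7-Zip extraction (x/e verb) that passes a password and targets %TEMP%
    when a Windows script host sits somewhere in its ancestry.
    Returns one finding per matching process."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in ARCHIVERS:
            continue
        tokens = ev.cmdline.split()
        extracting = len(tokens) > 1 and tokens[1].lower() in {"x", "e"}
        if not (extracting and PASSWORD_SWITCH.search(ev.cmdline)
                and TEMP_OUTPUT.search(ev.cmdline)):
            continue
        chain = ancestors(ev, by_pid)
        hosts = [a for a in chain if basename(a.image) in SCRIPT_HOSTS]
        if hosts:
            findings.append({
                "pid": ev.pid,
                "script": hosts[0].cmdline,                       # nearest script host
                "chain": [a.pid for a in reversed(chain)] + [ev.pid],  # root -> leaf
            })
    return findings


if __name__ == "__main__":
    for f in detect(CONSTRUCTED_EVENTS):
        print(f"suspicious extraction pid={f['pid']} via {f['script']!r}; chain {f['chain']}")
```

The rule deliberately keys on the combination (script host ancestor, password switch, extraction into a temp folder) rather than on the archiver alone, so the interactive backup in the sample log is left alone; in a real deployment the image path of 7z.exe on a removable or non-standard drive would be an additional signal.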

The only problem is that after you decrypt the files the AV picks it up, and the payload won't run, the advantage being it can't affect the original files. You should include some AV-Kill that runs before the files are decrypted.

Nice job, always fun to have little modes like this one.  :D


The only problem is that after you decrypt the files the AV picks it up, and the payload won't run, the advantage being it can't affect the original files. You should include some AV-Kill that runs before the files are decrypted.

My package addresses this issue. Scans for AV processes and if they are found executes a clean payload...

http://forums.hak5.org/index.php/topic,8169.0.html


  • 2 weeks later...

It's indeed a very nice package hexlax, mad_props to ya!

But, I like to keep it as small as possible, so I will wait till you have made a "light" version that only kills AV.

I've updated my package quite a bit, added an MSN Messenger chatlog stealer and made the whole thing a lot more customizable. See the first post for details.


Although very nice indeed, you might want to include a process hider, as cmd is shown in the ctrl+alt+del menu, and one can hear the hard drive suddenly starting to work... (though these things may be ignored). And my AV detects a pretty big lot of infected files inside of the .7zip...


Although very nice indeed, you might want to include a process hider, as cmd is shown in the ctrl+alt+del menu, and one can hear the hard drive suddenly starting to work... (though these things may be ignored). And my AV detects a pretty big lot of infected files inside of the .7zip...

Where do you get the process hider?


Although very nice indeed, you might want to include a process hider, as cmd is shown in the ctrl+alt+del menu, and one can hear the hard drive suddenly starting to work... (though these things may be ignored). And my AV detects a pretty big lot of infected files inside of the .7zip...

It is very hard... I _have_ compressed all the files, but as soon as they are run, the memory image in RAM is the same as if they were not compressed. The only way of making them undetectable is to recompile them with a lot of unused functions (which only exist to change the binary pattern) added.

The problem is that many of the apps are commercial or non Open-Source, so recompiling isn't that simple.

If they should be hidden from Task Manager, the only _easy_ way is to make them services, which also needs recompiling.

There is one other possibility: A rootkit. But I am not a H4xX0R, I'm only a _1337_ h4xX0r. Maybe you can ask the good folks at Sony if you need a rootkit :P

Which executables does your AV detect (btw I AM planning to include an AV killer (maybe hexlax', as soon as he makes an AV-kill-only version))?


Dear everybody...

8< The advantage is that virus scanners can't find harmfull files inside a encrypted archive, + smaller overall size (around 1

8<

That's not entirely true. A zipped file with a single layer of encryption still exposes the file names in the archive. If the scanner is set to search for certain file types (vbs, scr, bat etc.), it will delete the file. This is particularly true when sending archives through email. The one way to combat this is to zip the files, encrypt, zip the zip, encrypt. Then the scanner only sees the second encrypted zip file.


Dear everybody...

8< The advantage is that virus scanners can't find harmfull files inside a encrypted archive, + smaller overall size (around 1

8<

That's not entirely true. A zipped file with a single layer of encryption still exposes the file names in the archive. If the scanner is set to search for certain file types (vbs, scr, bat etc.), it will delete the file. This is particularly true when sending archives through email. The one way to combat this is to zip the files, encrypt, zip the zip, encrypt. Then the scanner only sees the second encrypted zip file.

You are right, that problem applies to Zip files. But not to 7z files, especially not when you check the "encrypt filenames" button :grin:. If you try to open the image in 7-zip, you will be prompted for the PW before the contents are shown - not only when you extract.

So, the AV can't detect the harmful files in the archive, only the files extracted to %temp%devices, and it can for sure NOT track back where the files were extracted from (which is nice - when you are "fixing" a friend's computer, they see the virus was located on the C: drive, not on your thumb drive).

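The two posts above contrast zip (file names readable even when the data is encrypted) with 7z header encryption (the listing itself needs the password). As an added example, not from the thread and not 7-Zip's own code, here is a Python triage check that a mail gateway or file scanner could run before deciding whether an archive can be inspected at all. It parses the zip central directory and the 7z signature header, and relies on the heuristic (an assumption of this example) that a 7z "encoded header" whose outer coder list names 7zAES means the file names are encrypted; the sample archives are constructed byte strings whose inner 7z structure is simplified to the parts this check reads.

```python
"""Gateway triage: can an archive's file list be read without its password?

Added example with constructed sample archives; not code from the thread."""
import io
import struct
import zipfile
import zlib

SEVENZ_SIGNATURE = b"7z\xbc\xaf\x27\x1c"
K_HEADER = 0x01                        # plain header: file list is readable
K_ENCODED_HEADER = 0x17                # header itself packed (compressed and/or encrypted)
AES_METHOD_ID = b"\x06\xf1\x07\x01"    # 7zAES coder id from the 7z format description


def inspect_7z(data: bytes) -> dict:
    """Parse the 32-byte signature header, verify both CRCs and classify the
    'next header'. An encoded header whose coder list names 7zAES means the
    names cannot be listed without the password (7-Zip 'encrypt file names')."""
    if len(data) < 32 or data[:6] != SEVENZ_SIGNATURE:
        raise ValueError("not a 7z archive")
    (start_crc,) = struct.unpack_from("<I", data, 8)
    if zlib.crc32(data[12:32]) != start_crc:
        raise ValueError("start header CRC mismatch")
    next_off, next_size, next_crc = struct.unpack_from("<QQI", data, 12)
    header = data[32 + next_off:32 + next_off + next_size]
    if len(header) != next_size or zlib.crc32(header) != next_crc:
        raise ValueError("next header truncated or CRC mismatch")
    encoded = bool(header) and header[0] == K_ENCODED_HEADER
    return {"format": "7z", "encoded_header": encoded,
            "names_hidden": encoded and AES_METHOD_ID in header}


def inspect_zip(data: bytes) -> dict:
    """The zip central directory is never encrypted: names are always visible and
    general-purpose flag bit 0 marks entries whose data is encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    return {"format": "zip", "names": [i.filename for i in infos],
            "encrypted_entries": [i.filename for i in infos if i.flag_bits & 0x1],
            "names_hidden": False}


def gateway_verdict(data: bytes) -> str:
    """Hold what cannot be listed; review by name what is listable but encrypted."""
    if data.startswith(SEVENZ_SIGNATURE):
        info = inspect_7z(data)
    elif data.startswith(b"PK"):
        info = inspect_zip(data)
    else:
        return "not a zip/7z archive"
    if info["names_hidden"]:
        return "quarantine: listing requires password, content cannot be scanned"
    if info.get("encrypted_entries"):
        return "review: names visible but data encrypted: " + ", ".join(info["encrypted_entries"])
    return "scan normally"


def build_7z_sample(names_encrypted: bool) -> bytes:
    """Constructed 7z container: a kEncodedHeader whose StreamsInfo names the
    7zAES coder (dummy coder properties), or an empty plain kHeader."""
    packed = b"\x00" * 16                                   # filler packed stream
    if names_encrypted:
        header = (bytes([K_ENCODED_HEADER,
                         0x06, 0x00, 0x01, 0x09, 0x10, 0x00,  # kPackInfo: pos 0, 1 stream, size 16
                         0x07, 0x0B, 0x01, 0x00,              # kUnPackInfo, kFolder, 1 folder
                         0x01, 0x24]) + AES_METHOD_ID         # 1 coder, 4-byte id + properties
                  + bytes([0x02, 0x13, 0x00, 0x0C, 0x20, 0x00, 0x00]))  # props, unpack size, ends
    else:
        header = bytes([K_HEADER, 0x00])                     # kHeader, kEnd
    start = struct.pack("<QQI", len(packed), len(header), zlib.crc32(header))
    return (SEVENZ_SIGNATURE + b"\x00\x04" + struct.pack("<I", zlib.crc32(start))
            + start + packed + header)


def build_zip_sample(names, encrypted: bool) -> bytes:
    """Constructed zip of stored entries; with encrypted=True flag bit 0 is set and
    12 filler bytes stand in for the ZipCrypto header in front of the data."""
    flags, plain = (0x0001 if encrypted else 0x0000), b"dummy"
    body = (b"\x00" * 12 + plain) if encrypted else plain
    local, central = bytearray(), bytearray()
    for name in names:
        nm, offset = name.encode(), len(local)
        local += b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0,
                 zlib.crc32(plain), len(body), len(plain), len(nm), 0) + nm + body
        central += b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, 0, 0, 0,
                   zlib.crc32(plain), len(body), len(plain), len(nm), 0, 0, 0, 0, 0, offset) + nm
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, len(names), len(names),
                                       len(central), len(local), 0)
    return bytes(local + central + eocd)


if __name__ == "__main__":
    for sample in (build_zip_sample(["run.bat", "start.vbs"], encrypted=True),
                   build_7z_sample(names_encrypted=True), build_7z_sample(names_encrypted=False)):
        print(gateway_verdict(sample))
```

Holding an archive whose listing cannot be read, rather than passing it as "clean" because nothing was found, is the control that closes the gap the thread describes: the scanner never sees the payload, so its verdict has to be based on the fact that it cannot see it. A plain 7z header (or one that is only LZMA-compressed) still leaves the names readable, so the same name-and-type review applies there as for zip.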

Yeah, actually the 7z format is the best on the market for many applications! You should try 7-zip.

Well... I still prefer .rar, but you know that :p

Though I don't think that there are many AVs that will scan .7zip properly, simply because it isn't really a much used format...


Yeah, actually the 7z format is the best on the market for many applications! You should try 7-zip.

Well... I still prefer .rar, but you know that :p

Though I don't think that there are many AVs that will scan .7zip properly, simply because it isn't really a much used format...

Yeah, I know :smile:

And even if they scanned, they wouldn't find anything, because even the file _names_ are encrypted.

Btw: I could insert DontDetectMeStupidAV in the middle of all filenames to disable AV detection by name :-D


I can do that with a winrar/UPX/UHARC compression as well... though UHARC probably is listed as an "illegally used compressor"... but my, are we getting away from topic... nice job as always  8-)

I have compressed ALL files in 7zBlade with UPX, and it also prevents AV from detecting the "tools", sometimes even when they are run.


  • 2 weeks later...
What are the functions of this mod?

And where does it store the Passwords?

And does anyone know a payload (non u3 Don't care if av's can detect it) that only steals all passwords?

The function is almost the same as in the other switchblade versions. It steals messenger and outlook passwords, gets network info, public IP, installed updates, and a whole lot more. But as a bonus, it's the only package that is able to steal the Windows Live Messenger chatlog. All conversations are copied to the flashdrive, and encrypted.

Even if the AV detects a suspicious file, it won't be able to reference that file to the drive, because all files are extracted to a temporary folder upon start.

It does NOT steal windows password hashes, simply because I want it to work on limited privilege accounts.

It is very customizable, uses a lot of environment variables, which makes it very easy to add stuff.

You need 7-Zip (http://7-zip.org/) to modify the package, and to view the logfiles. Take a look at "run.bat"; if you know batch programming, I hope it will be very easy to understand.


Thanks for the reply at such short notice!

However, I tried it, still no success. I just use WinRAR to unpack the files, which should be fine, but all I see is the bin folder!

Then when going in deeper I only see pwdump.exe and stuff!

Any help?

Do you know any other pass-steal-only payloads?


Thanks for the reply at such short notice!

However, I tried it, still no success. I just use WinRAR to unpack the files, which should be fine, but all I see is the bin folder!

Then when going in deeper I only see pwdump.exe and stuff!

Any help?

Do you know any other pass-steal-only payloads?

Image.7z does _not_ contain the logfiles, only the hack itself. To get the logfiles, make your computer show hidden files and folders, then open the folder named $backup (if I remember correctly). Inside that folder is a file, encrypted using the password "haxx0r". Open it, and you have the logfiles.

Just to clarify: To "run" the hack, you have to open the .bat file. If you need to run it without a CMD window, open the .vbs file.

When it is finished, it will alert you by popping c: up in explorer.


Image.7z does _not_ contain the logfiles, only the hack itself. To get the logfiles, make your computer show hidden files and folders, then open the folder named $backup (if I remember correctly). Inside that folder is a file, encrypted using the password "haxx0r". Open it, and you have the logfiles.

I have a problem: When I run "run.bat" it does everything it's supposed to do and in the end pops up C: just like you said. I can see the $backup folder, but there are no files in it and it's 0 bytes big. I'm sure I can see hidden folders and files (otherwise I wouldn't be able to see $backup and run.bat).

