Writing Viruses for Fun, not Profit

 6 years ago 18,566 views
Presented by Ben Dechrai(@bendechrai)

Stopping viruses is hard. They're clever, evolve, and become more resilient over time.
So let's write one! We'll see how they hide, and how they propagate.

In this presentation, Ben takes you on a live-demo journey of self-replication, cryptographic obfuscation, and payload delivery.

Now you're thinking like a virus writer, you can anticipate which areas of your applications need hardening. Just remember, we're doing it for good, not profit :)

Ben Dechrai is a technologist, presenter, community builder, and hard and-core privacy advocate. When he's not on stage, or sharing his ideas and views on security, identity, and privacy, he loves to hear about other people's passions and interests, technology related and otherwise. It's because of this that he has been known to run a number of community events, from conferences and meetups, to end-of-year parties and comedy shows.

In what spare time remains, he spends time with his family in Melbourne, Australia, and finds too many excuses to get out the power tools or dig trenches for the next fully-automated life hack that will hopefully one day save him time.

Transcription (beta):

Good morning, everybody. I actually speak to you from the future. It sites Friday, where I I'm at the moment, it's probably still Thursday with most of you. I'm very excited to be traveling back in time to to chat with you all today. And I'd writing viruses. Now. You'll have to imagine. Usually when I start this talk, I have a very dramatic entrance, so I'm just going to pretend that I haven't spoken yet. And there's a very high quality photo of we write it on the screen in front of you. So you can imagine exactly what it looked like. It's it's pixel. Perfect. and I'll just take a pause and then start my presentation. Imagine dramatic flare Melissa. I love you so big. My doom. That's not actually the worst poem in the world. It's pretty close. I think if if you're familiar with Hitchhiker's guide to the galaxy Vogel and poetry is actually the worst.

But those four actually first for most destructive viruses that we ever encountered, Melissa was released back in 1999. And if any of you remember that, that you're showing your age as much as I am, they get infected about 20% of computers worldwide. You could probably argue that there weren't that many computers back then. Back when IBM said that we'd only need five, but that was still quite a lot of computers back then. A year later, a lot of UK tech, tens of millions of people. I still remember working on that one. Within the company I was working at some trying to eliminate that had about systems that's quite nasty. So big was in 2003 and in 2004, my doom caused an estimated $38 billion us of damages worldwide. So just in those five years for viruses came out and caused a huge amount of havoc.

And to this day, I believe still nothing has surpassed my doom for the speed of spread that which had went around the world. So with that said, we are going to be writing a virus today and learning a bit more about it. Normally I would get everybody to stand up, but instead I'm just going to ask us, we all take a pledge. So in order to do this, I'm going to be using the the race hands mechanisms. So bear with me as we go through this and say out loud in your head, if you like that you insert your name pledge to use the following information for good.

And if you fail to uphold this pledge, you do promise to commit to 200 hours of community service, offering it support or Twitter. If you could raise your hands in agreement with that, I'll be able to continue my talk. Now, there we go. We've got three up there. That was great. Oh, we probably went up, but we'll take that as everybody I should continue. So what is the virus? Essentially Avantis has three mechanisms you have to, in three parts, you have the infection mechanism, which is the way that we get the virus into a system. You have to paid owed, which is the actual malicious code or action that gets executed and the trigger, which is the method by which it is then executed. So that could happen straight away, or it could be deleted for some reason, without some, have a look at some ideas around how that might happen as well.

So when writing a virus, looking at these three components, the thing that we need to look at AEs, how to desexualize, how viruses are detected by antivirus systems, the reason we need to look at that, obviously as if we're going to write a virus, we want to get around the systems. So one of the most common ways that an antivirus system would detect whether or not a virus is present is that we would look at spread detection. So our our files being opened are lots of files being written to the same time. They also do analysis detection. So is anything analyzing your system? Is it trying to find out which network reports is open, how they're doing port meetings or finding out information about your system or wider network. And then you can look at things like CPU usage, Ram usage resource usage is in general out of the norm.

So 95 system might know what a baseline resource utilization looks like for a particular system. And if it's outside of that, then maybe a couple of red flags get raised. So with that in mind, what are we going to do to escape forest detection? So I, while trying to work out what to to take into account when rifle the virus, the first time I had to look at some analogs in real world situations. So I still remember back in 2001 after the the nine 11 incisions, there was a huge upgrades of security at airports all over the world. But interestingly kind of the outlier that I noticed was that Israel which perhaps is one of the airports are quite requires the highest security. The chief of security for the Israeli airport said that they learned for him to be installing any of the millimeter wave backs, data x-ray machines, the ones they have to stand up and hold your arms in the air, which are prevalent in most airports.

Now, they were still using the standard metal detectors and went, interviewed the head of security, said that what they look at is the way that people interact and move on to say, do person and analysis rather than baggage or losses. They don't really worry about you taking a bottle of water through to the airplane. If you are not a, I mean, they might actually stop you, but they're not going to put systems in place to scan for the scan at a high level. When they find that the the analysis of people, the way they move, the way they interact is actually a lot higher accuracy for them. So we want to avoid packing detection. We don't want to stand. Actually, the only thing we can do is we can adapt and evolve. So if we write a virus that never changes, then it's going to be picked up sooner.

If we can make the virus change over time, then it's going to be harder to pick up. Another method is to obfuscate yourself, make yourself invisible, make it hard to detect in the first place. And if you can't do that, then perhaps encrypt the information so that even if something can be found, the analysis mechanisms can't really detect or unlock or determine what it is that it's looking at once you've written the virus and you've managed to infect a system, one of the best courses of action is just to pass it actual line and be it'd be attractive to people to, to bring in books. So if you find a wooden horse outside of your castle, obviously you're going to want to bring it in, in the same way. If you find that the, the mobile app you've always been looking for, even if it does ask for a few too many questions, and you're thinking, you know, it could be a bit dodgy.

I'm not quite happy about this, but I really want that. Then it's more likely to be downloaded once installed, laid dormant, don't do anything. The ability to detect a virus is also linked in some ways to the time that something's installed and the time that something goes wrong. So if you manage to infect a system, when you lay dormant, then it's less likely that any future actions will be back to the application or the the infection mechanism that you've implemented. Obviously at some point it will still be, and B just trying to improve your chances a little. And then once you do decide to take action, take it slow. So we were talking before about analysis detection as being something that antivirus systems do. If you go through and you start effecting every file on a system or on a network, then obviously you're going to start raising flags. If you want to find maybe two or three files and then wait, and then maybe four files and then make you one or two files, then you take things somewhat randomly, but slowly. And it's less likely that anybody's going to notice anything out of the ordinary.

So that's all good. But the real reason you're here is because you want me to write a virus, right? So let's just jump straight into that. So hopefully you can see my command line terminal there, and I've done my sharing properly. So I have a demo here. One thing that I learned early on in the first time I did this was I wrote my virus and I started executing it. And I realized that I was running it on Waco system. So I'm actually running this demo in a favorite box using virtual box. Ha I highly recommend that if you're ever going to do things like this, that you don't do it on your host machine. I lost quite a lot of client work while testing as they were at one point in time. So take my experience as a warning. Virtual box is your friend.

So we have a demo that's running at the realms and we're going to jump in and start writing the code. So if we go to step one, I've broken the, so it's quite easy to follow the, the the steps that we go through to create the models. And I have in each directory, a couple examples and the boom file. So we're going to be editing boom. And in fact, we're going to just copy the doc Boone file over, which is the, the working version. So we're going to start off we want to infect files. So we're going to start off by looking at for all the files and assistance. So we jumped down here and we're going to find all files and put them into a recalled filing. And then for each of the files, we're going to open the file as a script so that we now have a read handle on those files.

We're doing this one file at a time. The next thing we're going to do is we're going to open a second file and this is going to be enlightenment. So we're going to have an infected file, which is going to be the same file as the filing with the dot fixed on the end. And for now, we're going to create an effectual, which is essentially just a comment which says, find infected. We're going to write that into the infected file. And then we're going to loop through each line of the original content file and write that into the infected file. So essentially we've written one line into the new file. And then from the other file, we've copied every line one at a time into the new file. And then we can close the files down at the bottom here, and then finally we'll delete the original and then we'll rename the infected file to the original.

So conceptually, if you're looking at like you might have, for example, index dot PHP, we've created it. Index dot PHP dot infected, we've written fine infected the top of the infected file. We've copied all of the contents of index PHP to index stop here infected. And then we close those files and we renamed the infected file to the index on Patriot. Now, the reason we're doing it that way is if you edit a file for read and write, then that's going to potentially raise more back to the 95 system. Perhaps not, but we're taking that step in, in order to, again, minimize our risk of being booked. The other thing is that if the file that we're infecting is actually in memory at that time, if it's running so we can text, stop PHP is being used by another system, has another Apache process.

For example, then we can't actually write to it while it's open, but we can't copy it. So we can copy a file from the index, which we don't affect it to index on PHP without the system having an issue. So again, we're just increasing the chances of infection happening while decreasing the chances of infection being detected. So if we have a look, if we have a look over here, want ask us to look over here. We've now got our boom file. And I've also got in each directory and example file. So this is highly complicated, as you can see, it's basically going to echo the numbers one through nine. So if I came to Sweden and we run the example file, we can see that cause numbers one through nine books. If I now run the boom file that we've written there was an arrow down here. We don't actually have the original file.

So if we run the boom file, whenever we look at an example, we can ask you if it's been infected in X being infected twice. Cause even though the first time I ran it it, it gave an error. It still managed to infect the file. So we successfully managed to infect the example PHP but that's not very exciting. So let's have a look at step two. So we've got pretty much the same code in here with a few additional extras. The first thing I've done is I've wrapped the whole X, the whole virus delivery, or the virus creation and delivery executives into this execute function into the execute function we pass of ours. We're still all old files. We're still going through each of the files. We're still hooking your files. But now down here after we've started creating the the new infected file, instead of writing a commenting, we're going to write the virus into the infected file. So this allows us now to call that function and to insert any arbitrary string that we want into that area there. And then we're going to continue through copying the original contents into the new file of the anterior. We Actros the files and we name it

Now

In order to provide a virus to it. According to the execute function down at the bottom here, in order to provide this virus, which we were writing this code here, we're going to use the file. Their contents double underscore file double and schoolwork is a magic pointer to the current file that's being executed. So essentially what this is going to do is take the file that we're currently looking at, take his competed condoms and put it into the variable virus. Now we're going to want to trim this slightly. So we've got at the top. If I skipped back to the top of here, you can see a comment virus start and down at the bottom, we have a comment virus. So we're going to take those two markers and we're going to use sub sub string in order to chop everything out first, before or after those.

The reason for that is that in this case, there's nothing after the virus and that we don't want to include, but at the top here, we've got the other PHP tech. And if we insert that inside of a PHP tag, they're obviously going to create tech errors. So in order to have full control over what exactly is being written into the virus, we have a start in any bucket. So if we look at the example, file in a stack twos, actually we can see that it hasn't been infected yet. And as expected, it's still executes correct correctly. And if I run boom, that there is no output. Obviously whenever you run a virus, you don't want there to be any side effects. So it doesn't look like anything has gone wrong. But if we look at the example file, now we can see that the virus has been concerted at the top, but we still have the code of the bottom. So now if I create another file, which works exactly as, as anticipated. If I now run an example, we still get the app. So the app, it hasn't changed the side effect of running that hasn't changed. Therefore we're not suspicious. So if we look at food, we can see that food is now also being infected. So we're getting faster and fetish each other then depends themselves. So we're on the next step, but what do we do after that?

So the next step we're going to take is we want to encrypt the virus. So at the moment, when we looked at food, you could see that it started with FARA stopped when there was a function called excuse virus, and the code is all static. So there were two issues with it. The first one is, well, the first problem is that it said the virus stops. And I think that's probably going to be the biggest flag to anybody. If they're trying to find a virus, that's where the virus is. So we don't want to have that visible to everybody. The other thing is that just doing code analysis, you can see the files are being opened and closed and copied from one to another. Even if we change all the variable names and got rid of any hints within the code, that this was a virus, it still looks a little virus like.

So a code analysis process would highlight this as a potential threat. So what we're going to do is when Christian Sudan, he had the, any change I've made on this line, here is a way to pass the virus. That's passed into the execute function, into encrypted virus function. And then if we skip down here, we can see the encrypted virus function. Now I'm using encrypt for this. If you're if you're doing real-world encryption on your you're planning on relying on that encryption for encryption sake, don't use encrypt. It's very old and it's not that secure. The main reason I'm using this is the main reason we were in coding, increasing the space so that it can't be understood to be transferred to essentially binary information, because we can't see what's going on. And we don't know that it's a virus. So for that purpose, I'm not really concerned about the security aspects of encryption.

I'm just using it as a way to convert it from an executable or a readable form into a purely executable non-reader form human readable. So we're going to create our key. We're going to create our initialization vector. And then we're going to call the encrypt encrypt method in order to create an encrypted version of the virus, the virus being the contents of this file. Now the next step is to embed this into a PHP script, in order to, again, not raise flags, we're going to convert it into base 64 encoded versions of the virus, the initialization vector, and the key. And we're going to create a string. And that string then becomes the string that essentially contains PHP that defines the encrypted virus, the initialization vector, and the key, and then calls the decrypt method with the credit parameters. So we have our boom file, which is doing the encryption.

We've got the encryption at the bottom of there. We've got example, which has not been affected or back to where we were. So by an hour on the boom file, you can see that example is now being infected with an encrypted virus. And I'm just going to turn off rapping so we can see that a bit more easily. So this is what I was saying about creating the string that that gets it then gets invaded. So we've got the encrypted virus and that's the base 64 encoded version of the binary virus. We've got the initialization vector and the keyword tools that be 64 and code. We can then call the encrypt decrease function to use the key in-group device in the Ivy to reinstate the value of the original value of virus. We then evaluate the virus because that is the string that we need to then run that virus in PHP so that the execute function is, is created and exists.

And then we can execute the virus, which is the virus we've just decrypted. So it seems a little bit incestuous, but essentially we're reinstating the virus as it originally. Wasn't the next species. So if we now look at a food example, if I run example again, we thought the appliques we expected. And if we look at Fu we have an encrypted virus, which is fantastic. And if I set the note wrap again and split that with example, we can see the, both of them are now infected. And in fact, they've got different encrypted products. Value is different, the IP is different, and the key is different. Now, again, not withstanding the fact that we've got a variable here called virus, which is going to be a flag. We'll probably want to that something else that we're actually writing a virus, but we do have a system here that is going to change every time.

So we've got that adapt and evolve aspect here. Any system that notices that this text along here seems highly doctoring, and they want to find any other files that also contain that. But they're not going to find that any other files because the next file has a completely different value for encrypt device. So we're on an extent now, the issue that we have at the moment is if I run a PHP example, again, we now have an error. So the main reason for this is that we've created a virus. We've created an infection process or a distribution process, and we've started in critiques that we can't see what's happening. But the problem is that at this point here, example, PHP is trying to infect all the files in the system. And when it does that, it tries to create an execute function. Now, the example of PHP, when it runs already has an excuse function.

So we now are declaring it twice. And in fact, if we ran, boom, we'd also get the same problem there. So we now need a mechanism. That's going to stop the virus from reinfecting itself. If we just have a quick look at this virus, you can actually see. So this is the example.com. We've got one payload of the virus, and then we've got another payload of the virus. And in fact, if you're on how many times I've run, this, we've even got a third. So this is obviously not going to work because we've kind of got three versions of the execution functions. So let's have a look at step four, step four is to get around. Yeah.

So what we're going to do is we're going to create a hash of the following in order to, to inject that into each file. So we know whether or not to be infected. So we have this little area of code here that, that has just detect whether it's infected or not. Once we opened the original script, we're going to pull out the first line. So first line now contains the first line of, for example, in text or PHP or example dot PHP. And then we use a file name of each file, generate an MD, five of that and create a virus hash. The purpose of this again, is to have a different hash profile. So there's not one hash or one marker that an antivirus system needs to look for. And then we determine if the first one that we just pulled out of the file contains the virus hash. Then we done the two infected. If however it doesn't, we decide to infect it.

So then we'll create another string called the checksum. And we're going to insert that checks on into the the infected file. The checksum contains a virus hash we defined. And then we look inside here, we write that into the infected file. And then we continue through writing the original file into the infected file and nothing else changes. So if we look at example of PHAP PHP, again, it's not infected. If all I was on boom button, I can't actually run this more than once because boom itself doesn't have that that code building it doesn't have them offer this option, whether or not it's been infected. But if I run example, it continues to run stay times because it doesn't get infected. In fact, if we look at example, we can now see at the top of there for the checks off has been editing. So we can then take that back to the, for example, we can run examples.

We can see that, that she has a checksum. The checksums are different. Each is infected, the infection is different, but food has also an affected lives. Kind of ask a for, for example, example has also been infected once. So we don't have an infection mechanism that encrypts itself distributes itself cannot encrypt what kind of infected file more than once. So we can't get errors and things ready for world. So anybody has any questions by the way, about the code that I've just written, please feel free to raise your hand and ask questions. I will now skip across to the the gallery system. So we have a very simple gallery over here that I've written from your local host, port 80 80. And if we jump in and have a look at the code, yes, I'm just going to take you through this really quickly.

So the infection mechanism that I'm going to use is actually going to be through an image. The images can kind of create, can contain viruses and in order to write what I hope that is a mostly secure the carrier system. I've basically created a couple of files, the index PHP file. Who's going to find, if you look at this line here, it's going to find all files in the gallery images directory, which you can see at this point here is actually outside of the document. So we're bringing a document route into the gallery images or finding images or files in there as an image. So that directory can't be accessed directly by the web browser. So we're creating a level of security there and also display the image. We're then going to call the show image, PHP function, file here, and we're going to pass into it, the file that we want to display. So we're now passing that through that. There's two reasons for that. The first one is that the file isn't accessible to the browser. So we need to help a PHP to get that far down. The second one is that fight that showing and shop PHP is going to allow us to do some sanity, checking to make sure that what we're showing is actually what we want to show.

So we have a look at show image, essentially, we're going to make sure that the referral is as expected, where they agree to sanitize the file name. So we can't have any any slashes or anything like that in there. So we can't get out of the gallery images, directory. The file name has to contain only alphabet alphanumerics full stops hyphened with some kind of scores. We then make sure that that same file name, but we now have, is appended to the gallery images directory. And then we're going to pull out using image magic. We're going to pull out the exit information from that file. And we're going to so for example, that might be image JPEG image PNG. We're going to send that person as the content type header so that the browser displays a property as an image. And then we're going to include that file in order to basically pass the data that's inside it straight through and deliver the image to the browser with the correct content type.

Now the final piece of the puzzle is the upload mechanism. So I don't want to upload an image to the system. I'm basically going to make sure I'm going to file this copy of the acceptable mine types. I'm going to make sure that it's in one of those. If the files already has a file. So if I submitted a file, then it's going to get the information about that product. Then I'm going to get the file type the file type. Again, we're using image magic to put out the exit information as we did in show image. And then we check to make sure that the file type of the image we've just loaded is in the array of essential mind types. So we now know that the image has been uploaded as [inaudible].

We then use the same mechanism to make sure this is the following the same. So the movie couldn't do any injections through through fallings. And then we moved the file. That's being uploaded from the temporary directory into the position that we're going to expect it to be, which isn't in the gallery images named St. Filing. And then we had to back to the, to the page, if there are any issues, then we're going to say something about a fall type. Otherwise we're going to say no file received, give people link back as well. So we have assistant here. When I upload an image is going to make sure that it is an image that it's the correct wind type it's going to insert effect place the file name doesn't have any injection vulnerabilities in it. We have a show file, a show file. It's a PHP script that will pull that information out and send it back to the browser. We've got an index page that will iterate through all of the images and show those using the show image

Script.

So if we come in here, we'll see here that I have a photo of bread. It's beautiful, right? Everybody loves bread. I just found this on a Google search. And if I select that image and click upload, we can then see that the image is displayed on the page. If we go here after the document, route into the gallery images directory, we can see the bread doctorate because there, so I'm just going to remove that for a second. And I'm going to go and find the original, which is a images. So that's the version that I just uploaded.

So this is what a JPEG file looks like when you're looking at it. If you've not looked at one of these before the first one here contains various information, boys' starts the same J F I F because the code saying, this is a JPEG file. You can see here that it was created with GGJ peg. The quality. When you save a JPEG, you can save 90% quality attempts and quality sort of saved of 70% quality. And then we have all the winery information after that, which represents the actual image. I'm going to go back to the top of that file then from which split into another panel, the scripts that we were working on.

So this is step five. You might notice. And the main reason for this is the down at the bottom, I've added a little bit of extra code, which is basically this part here. Yeah. Which basically says grab anything that's in the evil query string, the value of evil query string. And then if it's set evaluated. So this is the, the the action it's we've, we've deployed it, we've infected it. And this is how we can now use this virus. So if we copy that entire virus and paste it into the JPEG file, you might think to yourself, well, that's going to break the image, but the metric of JPEG files is that this is this first line. Here was the only thing that anything cares about when it comes to what the file, whether the father's on it, everything after that is just data.

So anything analyzing this, and I said, looked for ASCII within it naturally that we could get around that by encrypting as a binary data. But for now, we'll leave it as this. And I think looking at this file, it's going to still see it as a JPEG file. So I'm just going to save those files, fire riser. So here we have demo files, images. This is the image that was just saved at 43 minutes past the hour. And if I open this file up, because see that even Firefox still sees it as a JPEG. This is the infected file. So it's close that. Skip back to our gallery over here versus page, because I deleted it out of the gallery images directory. Second. We're not going to choose that same file again, but one was 25 or 40 minutes past the hour. Now we're going to upload it.

And the same thing second, remember we've been saying that if we want the virus to be successful, we just, it to sit there and do nothing to start with a example of a PHP, or is it echo death? And it was one through nine. Brent dot JPEG is always going to the collaborate. So for the end user, there's no real difference here. Now, if we jump back in to the www directory and we look at these files here, you'll notice that the index PHP file was changed at 44 minutes past the hour, which is now, if we look at the index PHP for how we can see there's being affected, and we have the, the virus and because the index PHP script, let's just being run by virtual shown this gallery after having uploaded the orange. If we look at the show that's also being affected. And if we look at that's also been affected, but you can see that each check sum is different than each encrypted virus is different. HIV is still different, so we're still making it harder to detect.

So a friend of ours we've infected a system. What can we actually do with that now? Well, one thing we can do just grab it. So one of the other things you might have noticed in the [inaudible] is that I've got a bit of health information, but you're all at the top that is quite small. So I'm basically echoing what I've touched into the urology, the top down at the bottom here. So like I said, if we pass anything through the query string in the eval area, that is not going to be executed. Now we can see down here that Halliwell is infection. Perfect. Now we've got a little bit more interesting for this. We could run mail. Now, this executed very quickly, which suggests to me that my local mail server is actually running. So I'm probably going to get an email soon saying this is spam. But but that probably won't show up just about. And the final thing that we can do is something a little bit more interesting.

So let's have a look at this. So we look at the evil that I'm putting through. I'm creating a file. I'm putting the contents into a dot PHB out as the attacker. I don't actually necessarily know what files are in the system. Although I could use an email statement to find out profiles files on the system, but I'm going to assume that Adal PHP doesn't exist into a dot PHP. I'm going to the string header location that is google.com. And now I'm also going to write it again, still in that PHP file, the dot PHP file put contents into index or PHP.

So the reason we're doing this is for the same reason that we create the infected file first and then copied over the target file. I can't add anything to Exxon PHP directly because index PHP is currently being run by me by creating a dot PHP, which contains code to infect in Clickstop PHB. I can now run alphb let's just quickly have a look at, on PHB, which of course has been effective. And we have down here. Yeah. And the Falco contents index PHP that we were talking about. So now as the attacker, I've run this for the first time, I then just need to jump in here and go to alphb and it looks like nothing happens because there's no exports. But now when I go back to my gallery, I'm redirected to the, so I've just managed to hijack somebody's domain completely pointed to wherever I like.

So we frequent virus we've infected the system. We've used that infection in order to execute arbitrary code. What else could we do? So we just had to look at the evil evils, probably the easiest to do, and probably the most flexible. But depending on the purpose behind writing a virus, you might want to find a more, perhaps you want to specifically own the right device that allows people to DDoSs. If you had a hundred thousand computers around the world or run your virus, and then would you in a a host name or an IP address through the the gastropub post method in that call to the index PHP file, you could then have a whole lot of systems attacking one in system. You want to go.

Another thing that was suggested to me was why not host a Jason file of a lot of instructions. You could then download that as part of your, your virus and executes, and that will then give you full control over when a virus is or when the attack is going to happen. So this would be run every time somebody hits that Gary site, whether it's me or somebody else, and I can then control the why of the creation of, or the modification of that instruction. So Jason, what the virus does at what time, and I don't even need to hit those websites. So I managed to infect some suitably popular websites that will be hit at least once every five minutes so that I know 20 to one, then I can control what they do relocate, but why am I telling you all of this? We've taken the cage and we're not going to use this for evil.

It is just for fun. And the only profit I get out of it is talking to you, which is fun. But the main reason that the reason why I first started looking at this, and the reason why I started writing a virus is, as Mike said, I'm kind of security, privacy. And I'm talking about security to developers is more fun when it's a bit different. And I thought if I can get people to think like a virus writer and analyze their own systems through the eyes of that virus writer, we as developers have a greater chance of actually hitting the nail. When it comes to security, securing our systems. Often we can spend a lot of time securing things that might not necessarily be as important to something else. And by prioritizing the biggest risks and mitigating against those sooner, we can hopefully spend less time in the short run, protecting more of the system the kind of 80 20, but to be honest, the real reason why did this and the real reason I'd like you to not necessarily write a virus, but go away and do something that's not necessarily ready for production.

I mean, this shouldn't ever go into production, but write something different, do something that's not your everyday job because by playing, learning something new, that's being more creative about the way we do development. It gives us different insights into how we can secure systems, how we can analyze systems and how we can make things better for our users and our customers. So with that, I'm trying to close. I would like to you to remember your pledge I will be monitoring Twitter to see how many of you are doing Whitey support. I might even jump in and help action. But hopefully none of you will need to, because you will use this for fun and not for profit. I'm still having questions. That's that's me, I'm Ben deck, right? And I'd like to thank you for your time,

Ben, thank you. First and foremost, I think this is the most terrifying talk I've ever. I am not sure whether I want to start hacking or whether I need to run to every single my applications and start going through it. I'm on the fine.

Well, I think the answer is both.

I have a question for you the show image dot PHP file and on that show image dot PHP file and looks like to actually pull in the image you're using to include. Yes. Would that be something where you could use like file get contents to potentially, definitely. How would you do that?

Absolutely. So at this point here you could, the fogger contents include th this is the vulnerability. So my idea behind writing this gallery was to make it look like it was as secure as could be by putting all this stuff, which is what we do every day, right? Where we try and mitigate against all sorts of things. We do validation, we do checks, but then one small mistake like using inclusion instead of file get contents is all it takes to create a vulnerability. And oftentimes as well, I've noticed that the biggest vulnerabilities are actually in systems that allow plugins where the system itself is secure. The plugin doesn't have any issues, but two plugins together create a vulnerability and that's really hard to detect. So yeah, so the the file contents would work. Another thing that would work is in upload.

I could actually use image magic to pull in the image, loaded into memory, and then write it out using image magics, create image functions in order to write the image from scratch onto the system. And that would remove the virus as well because image magic is then taking an in memory version of the image and writing it from scratch. And it would eliminate the virus that way. So there's a couple of different ways that you could do it, but include is definitely not something you should do if the, the destination code is not intended to be executed.

That's definitely good to know. Without that include, is there any risk of that, that JPEG file being up there and being run as PHP? Like, can they change the servers, mind type recognition or anything like that?

Yeah, so the, the include is definitely what's executing it there. Shouldn't not, shouldn't be any other way of doing it because this is the this PHP file is the only one that accesses the file outside of the directory, because it's hidden outside of the document groups as a contest of pitcher directly, which was one of the, so if we look up here, when we create the same, same file name, we're going to have to the www directory into the gallery and we're just directory. And then we're taking the same file name that doesn't have any escapes or sessions on it. So we're pretty certain that the image isn't directly accessible by the browser. Of course, if there's another attack such as if there's a vulnerability in Apache orange next, or I S or anything like that, that allows files outside of document groups to be executed. That is you could again get a multiple concern buildup where one thing by itself isn't necessarily a risk, but in combination with another site could, could, could create see.

Okay. And I think the last question for you here again, this is absolutely terrifying. Is there any way for us to go through and find if files up and affected or rules you'd recommend to try to look at, is our system vulnerable or has our system?

Yeah, I think detection after the fact is always harder. So in this case, the virus changes every time the infection happens, the checksum changes every time it happens. So it's hard to find one string. In this particular case, you could do a search for any file that starts with PHP slash that's checks up. But obviously if I was an actual evil virus writer, I probably wouldn't make it that easy for you. The, the best ways that I've mitigated against things like this. And I hate to pick on WordPress as a platform. It's the example I was thinking of before the developers behind WordPress are great and the core is, is secure, but there were two modules to plug in the spec in 2013, 14, I believe that one of them was a, was he edited? And the other one was an image.

It was a plugin that basically energy to modify, and we just on the fly and overlaid like watermarks or something. And in combination those two grades deformed, but now once I've had a a WordPress site infected before where every PHP file starts with the virus. And in fact, that virus was quite a simple in that it didn't modify, save yourself every time. So I was able to write I was basically able to grab the whole directory structure and find all of the files, but then I had to use command line tools to strip the file files. So I could have opened it up into an IDE perhaps, and done a global search and replace. But the easiest way that I found is not necessarily to work out how to remove it, but give yourself a rollback mechanism. So if you are deploying to production and you're using WordPress is automatic upgrade features, then obviously the www data user is going to need to have right access based on the great thing.

The better thing perhaps would be to have your WordPress instance in a staging environment, or even a local environment where you can do with the upgrades in a controlled space, and then commit those changes into your version control system and deploy those through continuous integration to your production environment and that way, those files on writeable. But the second advantage to that is that if somehow your website does it attached or, or compromised in production, you can just do another deployment. You can push the known good files back over the, the modified ones. So keep backups essentially, I suppose, that boils down to

Perfect.

Ben, thank you again so much for again, a terrifying, but very informative talk. I think you're welcome. There's a lot for all of us to take from this and learn from if people have questions, can they reach out to you on your website or on Twitter?

Yeah. Sure. So I'll just bring this back up again. So have been debt crisis new on Twitter. I'm the only vendor in the world, so you can find me on LinkedIn more than happy to be contacted if anybody has any questions.

SPONSORS

SPONSORS

PHP Tutorials and Videos

SPONSORS

PHP Tutorials and Videos