______________________________________________________________
 |                                                              |
 | Some stealth idea's                                          |#
 |                                           |#
 |                                                              |#
 | by DiA/rrlf (c)2005                                          |#
 | www.vx-dia.de.vu :: DiA_hates_machine@gmx.de                 |#
 |______________________________________________________________|#
   ###############################################################



  _Overview___________________________________
 |                                            |
 | 1_Intro                                    |#
 | 2_Process stealth                          |#
 | 3_Registry stealth                         |#
 | 4_File stealth                             |#
 | 5_Outro                                    |#
 |____________________________________________|#
   #############################################



 .Disclaimer
  
    The author of this article is  NOT responsible for possible damages in case
   of informations you getting here. You do your own things with your own risk,
   please don't do anything stupid for  your own security. This document is for
   educational  purpose only.  If you do  NOT agree this, please close this for
   your own pleasure!


 .1_Intro
  
    In this article I want to give you some thoughts i had. It's somethin like stealth,
   but nothin to do like macro stealth or EPO ;). It's about how to hide the own
   process, how to hide a entry in the registry and how to store files that the user
   (the dumb one) can't see it. It's all theoretical, I have all source's working here,
   but I want that you think by yourself ;). It's all possible...
   So let's go, hide our "bad" program.


 .2_Process stealth
  
    In Win9x we had some sweet API called "RegisterServiceProcess". Register our
   malware as service and user can't see our process in the Task Manager. Too bad, that
   times are over... now the user at WinXP can see all, and I mean all, processes. Hmm,
   how to avoid this? First idea is to disable the taskmgr, it's easy to do, with the
   registry, check it out:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
     Valuename: Debugger
     Value    : some text...

   User will press CTRL-ALT-DEL, and nothin happend's, because the execution of taskmgr.exe
   will be redirected to some stupid text. Means, taskmgr.exe can't be executed. Other
   way is this:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
     Valuename: DisableTaskMgr
     Value    : 1

   When user press CTRL-ALT-DEL he will see a error message, that administrator disables
   the Task Manager. Hmm, too bad that user is logged on as admin, and he knows that
   somethin goes strange.

   We have to find a way how user can start taskmgr but our process is not listed. And
   here comes my idea ;).

   Our program has to watch every time it run's the processes. If taskmgr.exe get's
   executed our program will exit it's process. But how to restart our prog?! With a
   forgotten DOS command: AT or in WinXP SCHTASKS. That are the shell task managers.
   Let's see a little graphic how our program can work:

   |-------|
   | START | ;creating a thread
   |-------|
       |
       |___________________________________________
       |                                           |
    Normal Program                                 Stealth Routine
    ==============                                 ===============
    - read wich step is next (reg or temp file)    - watch processes
    - goto this step                               - is taskmgr.exe active?
    - make the step                                - if no goto watch processes
    - save that step is executed                   - taskmgr.exe is executed
    - execute next step                            - making a task to execute our
    - save ...                                       program in TIME + 10min
    - . . .                                        - exit program
    - exit program

   I hope that graphic don't look too weird for you. I will explain again: The program
   build two threads, once is for normal activity. Let's say it's a mail worm. It does
   first find some mail addy's. Save that it already found some addy's, and try to do
   the next step. Other thread is watching the processes. Taskmgr.exe get's executed,
   means user pressed CTRL-ALT-DEL... Our program register a new task via "AT" or "SCHTASKS"
   let's say 10 minutes after taskmgr.exe get's started. After register the task our
   worm exit it's own process. After 10 minutes the worm execute's via the task manager
   and do the same thing again. Create two thread's... But the worm read's from registry
   or a temporary file what it already has finished. The worm see that it already have
   collected mail addresses. So it don't do it again, and make, let's say, it's Base64
   encoding, after this step finished it save it again.

   It's important that your worm know's what to do next, it's also important to register
   a task, if you miss this your worm will terminate itself and get's started at next
   windows startup (if it have auto startup).

   So, have fun with this idea, let's fight against newschool task manager with a
   oldschool DOS command ;). Also don't forget, in all Windows version's the command
   is called "AT" but in WinXP it's called "SCHTATSKS". As help here are some related
   links:

    AT Command:       http://www.computerhope.com/at.htm
    SCHTASKS Command: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/
                                 library/ServerHelp/1d284efa-9d11-46c2-a8ef-87b297c68d17.mspx


 .3_Registry stealth
  
    This is in beginning the same as the process stealth methode. Just build two threads,
   one making all "normal" things, and the other is watching the processes. Is the
   regedit.exe executed the prog remove it's autostart entry. Then you only have to
   wait until regedit.exe is terminated, and remake the autostart registry entry. How
   easy can it be?! But I like to make some graphic, so here we go:

   |-------|
   | START | ;creating a thread
   |-------|
       |
       |___________________________________________
       |                                           |
    Normal Program                                 Stealth Routine
    ==============                                 ===============
    - do normal things...
    - exit program                                 - is regedit.exe active?
                                                   - if no goto watch processes
                                                   - regedit.exe is executed
                                                   - remove our autostart entry
                                                   - is regedit still active?
                                                   - if not remake our entry
                                                   - goto first step

   You see, this is simple but effective. But don't forget, I only talk about the Windows
   utilities. If the user have another tool to watch at the reg this all dont work and
   he/she see our autostart entry...


 .4_File stealth
  
    FILE_ATTRIBUTE_HIDDEN... goodnight!
   Hehe, but user will see that files if he want and if he is not the biggest dumb...
   So, let's use a kewl feature called "NTFS Streams". Only worx on NTFS formated
   hard drives. So don't try it on FAT32 shit, it will not work. Stream means that
   one program can have 1 ore more streams. Like this: we have a program that shows
   a simple message box. Copy it like this:

    copy C:\OurProg.exe C:\Windows\Notepad.exe:RunIt

   Now you can delete OurProg.exe, and look at the Windows directory. You can't see
   anything (you can with the right tools) because OurProg.exe is now the first stream
   of the mainstream Notepad.exe. if you execute Notepad.exe you will see the Notepad.
   But if you execute Notepad.exe:RunIt you will see our simple message box ;). How cooool....

   So you can hide as example your worm behind Notepad.exe. Keep in mind that you use
   this structure:

    MainStream.exe:StreamName

   Then just add some autostart entry to the registry:

    C:\Windows\Notepad.exe:Worm

   And you are done. That's a simple but kewl methode to hide files from user. Here are
   a related link that would be useful to you:

    http://www.heysoft.de/nt/ntfs-ads.htm


 .5_Outro
  
    Hope you get some inspiration from this article, sorry for my bad english...
   If you like or hate this article gimme some feedback to DiA_hates_machine@gmx.de
   or visit my site and drop a guestbook entry at http://www.vx-dia.de.vu ...
   Thanks for reading, see you next time!

                                                                  DiA/rrlf - 02.06.2005