Today we are going to create one of the first types of malware ever, the Trojan Horse. Not going to get into mythology, but a trojan horse, or trojan for short, is a program that appears to have good intentions but contains a malicious one inside. There are many ways to create a trojan program, as it is a concept, not something defined by a specific structure. This is probably the simplest method, and it uses software provided to you by micro$oft.
Once you learn this simple method of how they are created, you will understand the concept, see how they work, and have some idea of how to defend yourself. You will also realize why it is good to use file checksums to make sure the file you want is the file you have, and why an antivirus is important.
You will need a (non-malicious) carrier program and a malicious payload. If you'd like to test, you can use a non-malicious executable as your payload; if it runs, so will your malicious payload.
For this tutorial, I will be using the TrueCrypt installer as my carrier and, to test payload function, a non-malicious, single-executable program called SpaceMonger (a graphical program to see hard disk space that makes freeing up space quick and easy; get the older freeware version).
Creating your malicious payload is not covered here; use MSF or hand-code one. There are other tutorials on creating malware.
Download program to use as a trojan carrier
www.truecrypt.org
Download IconsExtract and Resource Hacker
http://www.angusj.com/resourcehacker/
http://www.nirsoft.net/utils/iconsext.html (download link is at the bottom of the page)
Install Resource Hacker
Install IconsExtract, run
Open trojan carrier in IconsExtract

Choose icon that matches your carrier package

Extract and save icon, exit

The software to create the trojan is already on your machine, provided by micro$oft. The original intent was to create self-extracting, self-executing executables, but like many computing things created with good intentions, people find a way to use them otherwise. It is called IExpress.
Open IExpress, Win key + R
iexpress
New SED

First option > extract and run

I use the name of the trojan program's install window, but it does not matter

No prompt

No license. (No pic of this screen.)
Add both files, carrier and payload

Install program is carrier, post install is your payload

I left window at default, so the TrueCrypt installer window shows

No message. (No pic of this screen.)
Choose name “TrueCrypt Setup 7.1a.exe” and location, check Hide File Extracting progress

I choose to restart only if needed. If your malware requires a reboot, choose “Always...”. I also check the “Do not prompt user for restart” box

You can choose to save or not save the SED. These are usually one-offs for me, so I do not save
Next to create package
In windows explorer, right click your package, “Open using Resource Hacker”
Action > Replace Icon

Choose icon, replace

Save As. You will need to save to a different location than the source to be able to use the same name
Done!
To see it in action, run it. Once the installer closes, whether it finished successfully or was cancelled by the user, the payload should run. In my case, if SpaceMonger opens, then it was successful.
You can see how easy this is, and how invisible it can be to users, including yourself. This is why it is a good idea to follow the Sandwich Rule for computer programs, and a good idea to use file checksums, like MD5 or SHA1 hashes, that verify a file's authenticity. This tells you the file you have is the file you intended to have, nothing more or less. This is also why an up-to-date antivirus is important: it can detect most malicious payloads before they can execute.
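The checksum check recommended above, as an added example that is not part of the original tutorial: it compares a downloaded file against a publisher's checksum list and shows that a repackaged file with the same name no longer matches. Assumptions: the publisher provides a `sha256sum`-style list (SHA-256 is used here instead of the MD5 or SHA1 named above), and the file contents are constructed stand-in bytes, not real installers.

```python
import hashlib
import hmac
import os
import tempfile

def file_digest(path, algorithm="sha256", chunk_size=1 << 16):
    """Stream the file through the hash so large installers are not loaded into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse 'HEXDIGEST  filename' lines (sha256sum style) into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        # File names may contain spaces; a leading '*' marks binary mode.
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def verify(path, manifest_text, algorithm="sha256"):
    """Return 'ok', 'mismatch' or 'not-listed' for the file at path."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return "not-listed"
    actual = file_digest(path, algorithm)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def demo():
    """Constructed data: the same file name holding genuine, then repackaged, bytes."""
    genuine = b"MZ constructed stand-in for the publisher's installer"
    repackaged = b"MZ constructed wrapper stub" + genuine + b"constructed extra file"
    name = "TrueCrypt Setup 7.1a.exe"  # name and icon can match; the digest cannot
    manifest = hashlib.sha256(genuine).hexdigest() + "  " + name + "\n"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        for label, data in (("genuine", genuine), ("repackaged", repackaged)):
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify(path, manifest)
    return results

if __name__ == "__main__":
    print(demo())
```

The checksum list has to come from the publisher over a channel you trust; a hash posted next to a tampered download proves nothing.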