Malware is one of the scarier tools in the hacker's skillset. There has been mass hysteria surrounding malware infections which have rocked the world. The popularity that has come out of the massive coverage of viruses, worms and ransomware in the media has caused people to think that malware is a solution to their problems. It really isn't, but that's not going to stop me from teaching you how it works.

This article is for educational purposes but I know the information contained within can and will be used maliciously. I am not including any code because I will not be held responsible for any reader who might copy and weaponize code samples. In a lot of situations it is far more practical to just buy a RAT or rootkit, but the purpose of this article is to teach how the process works.

Malware is often very misunderstood. Malware is just software that contains code that may be harmful to computers or the individuals who own them. Malware is software, and any programmer can create it; governments and nation states have weaponized it and companies have leveraged it to protect their interests (e.g. the copy-protection rootkit Sony BMG shipped on audio CDs in 2005). Granted, creating effective malware that can survive longer than 5 seconds requires a lot of domain-specific knowledge. There are many kinds of malware and we'll discuss the major ones.

What kinds of malware are there?

Historically, whenever a computer got infected with any of the many types of malware, one would say "I got a virus". Since the late '90s, "virus" has been used as a blanket term for all kinds of malware and even for some software that isn't necessarily malicious. Each type of malware is defined by a few main characteristics.

Viruses are usually small programs that attach themselves to other programs or files and copy themselves as much as possible, much like viruses in biology. Viruses usually exist merely to annoy the people who own the computers they infect, but have also been used to destroy files and such. The rationale of viruses comes from the hacker culture of a different era: to play pranks on people with (usually) no malicious intentions, or for fame and notoriety in the hacker community. Viruses need human interaction to spread, such as running an infected program or sending an infected program to a friend for them to execute.

Worms, unlike viruses, do not require human interaction to spread. Worms actively seek out new hosts to infect by scanning the local network, going through contact lists or whatever else is necessary. Worms can still spread through infected or malicious downloads, but they can also exploit vulnerabilities on the hosts their scans have found to be vulnerable, with no user involved at all.

Trojans, named after the Trojan horse built by the Greeks, are programs that masquerade as something you might want but have other things in mind. A trojan runs with whatever privileges the user who launched it has and escalates from there if it can. Trojans commonly contain backdoors that let an attacker interact with your computer; trojans that do this are called Remote Access/Administration Trojans, or RATs for short. Script-kiddies love these; if you're ever on Discord or any forum and some kid asks for one, slap their grubby hands. RATs can be confused with Remote Access Tools, which are not built with malicious intent and are commonly used by legitimate tech support to help solve your problems over the internet. Though nearly identical in nature, the intent is different.

Rootkits, while not necessarily being malware, may be the scariest kind of program on this list. A rootkit is software, or a collection of software, that runs with "root" (admin or kernel) privileges and uses them to hide things: processes, files, network connections, registry keys, or the rootkit itself. The key characteristic of rootkits is that they put great effort into anti-forensics by hooking or patching the operating system functions that tools use to look for them; they don't want their presence to be known. Governments, huge corporate entities, and malicious hackers all love rootkits and have used them for decades.

Those are the main types of malware. Buzzwords such as spyware, scareware, ransomware and adware all refer to the functionality and behaviour of malware or PUPs—Potentially Unwanted Programs. There are also other functions built into software such as time bombs and logic bombs which execute some malicious function(s) when certain conditions are met.

The world of malware is not so clear-cut to cleanly categorize every malware sample. Many threats use the best of different attack models and thus cannot be easily fitted into one category. You're probably wondering how you would create each type of malware and that's what we'll get to next.

What Programming Language(s) are suitable for Malware Dev?

A computer only does what it is told to do, regardless of intent. In theory, any programming language can be used to write computer programs with malicious intent. There are, however, languages that are much more popular and preferred in the malware development community.

It is ideal to write malware with programming environments that are already installed on targeted computers. The reasons for this are simple: lower-profile executables that don't need to carry libraries or runtimes; running natively; and the familiarity you might already have with these common languages. On most Linux distros two powerful languages, Python and Perl, are already installed (minimal installs and containers are the exception), and Microsoft's PowerShell is one of the most powerful tools available in the Windows operating system by default.

Malware developers often leverage multiple technologies for their projects. Payloads might be written in simple shell or scripting languages such as Bash, VBScript or VBA, while any software on the attacker's side might be written in Python or Go (arbitrary choices). If performance, efficiency and a low-level interface are the top concern, it would be logical to use C or Rust and even some assembly for certain components of your malware. JavaScript is the language you use to trigger browser vulnerabilities (a renderer bug followed by a sandbox escape); depending on the vulnerability, a successful chain can fetch and run your code without your victim noticing, the classic drive-by download.

If you want to be an effective malware developer, I suggest getting good at computer architecture, x86_64 Assembly, C, Powershell, and Python. Learning everything needed to create effective programs will not happen overnight. The more you learn about computers, operating systems and applications, the better suited you will be when you try to create any type of program, not just malware.

What components do I need?

As the computer security landscape has evolved over time, malware writers have employed more and more sophisticated techniques to keep their creations relevant. There has been a shift from the simple but obnoxious popup viruses of the early 2000s to the botnets, stealth and monetization functions of the ransomware and spyware we see today. The most common components in modern malware are: stagers, payloads, servers, and anti-forensics engines.

Modern malware usually infects a computer in stages. The initial code that lands on your victim's computer is called a stager. Stagers come in two forms: droppers and downloaders. Droppers accomplish infection in one stage; they already contain your malware and just ensure everything gets installed properly. Downloaders have two stages; they call out to a server you own to download (and possibly decrypt) the latest version of your malware and then make sure it gets installed properly. Stagers are generally very small scripts or hand-optimized machine code which only need to execute a few instructions.

The payload that your stager installs is a program or any set of actions you want done to your victims. Your payload can be a keylogger, a fork bomb, a hard drive wiper, a remote access tool, a cryptocurrency miner, a recorder for blackmail or whatever else your sick mind can come up with. There are no limits to what you can do to a computer once you've established a secured presence with escalated privileges.

It should not come as a surprise that the security services on your victim's operating system are easily set off. You need to keep antivirus in the dark. There are many techniques that help keep malware hidden and others that make sure it cannot easily be torn apart by analysts. Giving your malware rootkit capabilities will help maintain your presence on your victim's machine while fooling their operating system into thinking it isn't there. Adding some form of obfuscation engine into your architecture will make the lives of any analysts much harder.

An encryption engine (a "crypter") is a component commonly used in malicious software architecture to keep your payload secret until it needs to be executed. Anything that actually runs has to be decrypted in memory first; you can't hide all the time, and that moment of decryption is where memory scanners look. The usual approach is a small stub that decrypts the payload at runtime, either in your own executable or via a hook injected into a legitimate process you want to hide behind. The decryption itself is simple; surviving the moment the plaintext appears in RAM is the hard part.

You can take your evasion and obfuscation one step further by using a polymorphism or metamorphism engine. A polymorphic engine re-encrypts the body with a fresh key each generation and varies the decryption stub, so each copy looks different on disk while functioning the same semantically. Changing the bytes every time your program propagates gives antivirus software a hard time matching a known signature, but a stub that never changes is itself a signature, which is why the stub has to mutate too. A metamorphic engine goes further and rewrites the whole program (substituting equivalent instructions, reordering code, renaming registers), including its own mutation algorithm, so there is no constant encrypted body to match at all. Employing these tactics will lengthen the life of your programs by delaying their inevitable discovery by antivirus or a concerned computer user.
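The two paragraphs above describe why a fixed byte signature fails against a re-encrypted body, and why a constant decoder stub gives the game away anyway. Here is an added toy illustration of that point; it is not code from the article, it uses a harmless marker string as the stand-in "payload", a single-byte-repeating XOR as the stand-in "encryption", and a fixed byte string as the stand-in "stub". Nothing here runs anything; it only shows what a signature scanner sees.

```python
import os
from typing import Optional

# Constructed stand-in for a payload: a harmless marker, not real malware.
PAYLOAD = b"HELLO-FROM-THE-SAMPLE-PAYLOAD:print('benign demo')"
# Hypothetical signature an AV engine might carry for the plaintext body.
BODY_SIGNATURE = b"SAMPLE-PAYLOAD"
# Stand-in for a decoder stub. In a real packer this would be the machine code
# that decrypts the body at runtime; here a constant byte string plays that role.
STUB = b"\x90DECODER-STUB\x90"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is symmetric: encode == decode."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_generation(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Produce one 'generation': constant stub + 4-byte key + XOR-encoded body.

    A fresh random key per generation is what makes the encoded body differ
    from copy to copy; the stub does not change, which is the weakness.
    """
    if key is None:
        key = os.urandom(4)
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    return STUB + key + xor_bytes(payload, key)


def unpack_generation(blob: bytes) -> bytes:
    """What the stub does at runtime: read the key and restore the body."""
    if not blob.startswith(STUB):
        raise ValueError("not a generation produced by build_generation")
    key = blob[len(STUB):len(STUB) + 4]
    return xor_bytes(blob[len(STUB) + 4:], key)


def signature_hits(blob: bytes, signature: bytes) -> bool:
    """A naive static scanner: does the byte pattern occur anywhere?"""
    return signature in blob


def demo(generations: int = 5) -> dict:
    """Build several generations and report what each signature catches."""
    gens = [build_generation(PAYLOAD) for _ in range(generations)]
    return {
        "plaintext_body_hit": signature_hits(PAYLOAD, BODY_SIGNATURE),
        "body_hits_per_generation": [signature_hits(g, BODY_SIGNATURE) for g in gens],
        "stub_hits_per_generation": [signature_hits(g, STUB) for g in gens],
        "all_distinct": len(set(gens)) == len(gens),
        "all_decode": all(unpack_generation(g) == PAYLOAD for g in gens),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Every generation decodes back to the same payload and none of them match the body signature, but all of them match the stub. A polymorphic engine therefore has to vary the stub as well (register choice, instruction order, junk instructions), and a defender who can dump memory after the stub has run does not need either signature.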

The final component most commonly found in modern malware is a Command-and-Control server, or C2 for short. C2 servers listen for inbound connections from infected computers and issue commands when a newly infected system "calls home". C2 servers are what allow monetization of malware, since botnets are frequently rented out for several purposes. A common use for C2 servers is in the creation of botnets, where you can issue commands to many infected computers at once to mine cryptocurrency or launch DDoS attacks.

There are multiple ways to implement a C2 server: web-based, GUI-based or terminal-based. If you use the web-based approach, you can design your C2 like a REST API: display all of your bots on one page with status, name and IP, and have them poll an endpoint for new commands. Using a web site also makes your C2 easier to build and more user friendly, which matters once it is set up as a Tor onion service with Bitcoin payment integration for renting it out.

Don't have all of your bots constantly connected to you; a persistent connection to an unknown host is very suspicious. Have your bots register themselves in some sort of bot database and then call your C2 server periodically, or better irregularly, to receive new commands, since a perfectly regular check-in interval is exactly what network monitoring looks for. Also, never use a stock Meterpreter for communicating with individual hosts. Any AV can pick up Meterpreter's signatures, so make your own way to interact with individual hosts. There are open-source implementations such as OpenSSH, and libraries such as libssh, that you can build an encrypted shell channel on.
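The polling design two paragraphs up and the warning just above about regular check-ins are the same problem seen from the other side of the wire: a bot that polls an endpoint on a fixed timer produces connection records with near-identical gaps. This added example (not from the article) is the detection a defender would run over proxy or firewall logs. The log lines are constructed for the example; the field layout "timestamp src dst:port" and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed connection log: one line per outbound connection, "epoch src dst:port".
# 10.0.0.5 polls every 60 s on the dot, 10.0.0.7 polls with heavy jitter,
# 10.0.0.9 connects three times at unrelated moments.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.10:443
1700000060 10.0.0.5 203.0.113.10:443
1700000120 10.0.0.5 203.0.113.10:443
1700000180 10.0.0.5 203.0.113.10:443
1700000240 10.0.0.5 203.0.113.10:443
1700000300 10.0.0.5 203.0.113.10:443
1700000000 10.0.0.7 198.51.100.20:443
1700000045 10.0.0.7 198.51.100.20:443
1700000130 10.0.0.7 198.51.100.20:443
1700000170 10.0.0.7 198.51.100.20:443
1700000275 10.0.0.7 198.51.100.20:443
1700000310 10.0.0.7 198.51.100.20:443
1700000003 10.0.0.9 192.0.2.30:443
1700000900 10.0.0.9 192.0.2.30:443
1700004000 10.0.0.9 192.0.2.30:443
"""

Pair = Tuple[str, str]


def parse_log(text: str) -> Dict[Pair, List[int]]:
    """Group connection timestamps by (source, destination) pair."""
    events: Dict[Pair, List[int]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(int(ts))
    return events


def intervals(timestamps: List[int]) -> List[int]:
    """Gaps between consecutive connections, in seconds."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps: List[int]) -> Optional[float]:
    """Coefficient of variation of the gaps: 0.0 means a perfect metronome.

    Returns None when there are too few gaps to say anything.
    """
    gaps = intervals(timestamps)
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return pstdev(gaps) / m


def find_beacons(text: str, min_connections: int = 5, max_cv: float = 0.2) -> List[dict]:
    """Flag pairs with enough connections and suspiciously regular spacing.

    min_connections and max_cv are assumed starting points; tune them to the
    network. Sorted with the most regular pair first.
    """
    hits = []
    for (src, dst), ts in parse_log(text).items():
        if len(ts) < min_connections:
            continue
        cv = beacon_score(ts)
        if cv is not None and cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "connections": len(ts),
                "mean_gap_s": round(mean(intervals(ts)), 1),
                "cv": round(cv, 3),
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

With the defaults only 10.0.0.5 is reported; the jittered host scores around 0.45 and slips under the threshold, which is the attacker's point. The defender's answer is longer observation windows, destination rarity and volume features rather than timing alone, so jitter buys time rather than immunity.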

If you're already a programmer, you could probably figure out any algorithms in order to fulfill your needs. I'm sorry that I can't directly show you code but part of the joy of hacking is figuring out how to do things for yourself. You need to learn to write your own code some day, so might as well be today.

How do you infect a computer?

It doesn't matter how sophisticated your code is, you need a good way to get it onto systems. Social engineering is one of the most important skills involved when trying to get users to download your malware. All those "cracked minecraft" mediafire links that never worked from your childhood were most likely cleverly named malware samples that turned your computer into a source of ad revenue or bootstrapped it into a resource pool.

There are many ways to social engineer your malware onto someone's computer. One common infection vector is Microsoft Office macros. Microsoft Word, Excel, and PowerPoint have a built-in programming language (VBA) for operating inside their respective file formats. Tell your victim to open a document with an AutoOpen or Document_Open procedure, or ask them to click a button that fires an event. A huge share of the world's malware infections came from macro code in the late 1990s and early 2000s. Since Office 2007 macros are disabled by default and the victim has to click "Enable Content" first, so the technique is not as stealthy as it used to be, but it is still effective.
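On the receiving end, the first question for a mail gateway or an analyst is simply whether an Office attachment carries a VBA project at all. This added example (not from the article) answers that for the modern zip-based OOXML formats by looking for the vbaProject.bin part and its declared content type, and separates out the legacy OLE .doc/.xls formats, which need a proper parser such as oletools' olevba. The two in-memory sample documents are constructed minimal containers, not real Word output, and the returned labels are this example's own.

```python
import io
import os
import zipfile
from typing import Optional

VBA_PART_SUFFIX = "vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions in which Office will actually run a stored VBA project.
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container: just enough parts to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        overrides = [
            '<Override PartName="/word/document.xml" ContentType="application/'
            'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        ]
        if with_macro:
            overrides.append(
                f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            )
            # Placeholder bytes standing in for the OLE-wrapped VBA project.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
        z.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def macro_indicators(data: bytes) -> Optional[dict]:
    """Inspect an OOXML container. Returns None if data is not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    return {
        "has_vba_project": any(n.endswith(VBA_PART_SUFFIX) for n in names),
        "declares_vba_type": VBA_CONTENT_TYPE in content_types,
        "parts": len(names),
    }


def classify(filename: str, data: bytes) -> str:
    """Label an attachment by container type and macro presence."""
    ext = os.path.splitext(filename)[1].lower()
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live inside OLE streams; hand off to olevba.
        return "legacy-ole"
    ind = macro_indicators(data)
    if ind is None:
        return "not-office-container"
    has_macro = ind["has_vba_project"] or ind["declares_vba_type"]
    if not has_macro:
        return "no-macros"
    if ext in MACRO_ENABLED_EXTS:
        return "macro-enabled"
    # A VBA part inside a .docx/.xlsx/.pptx is a mismatch worth a closer look.
    return "macro-in-non-macro-extension"


if __name__ == "__main__":
    print(classify("invoice.docm", build_sample_docx(True)))
    print(classify("invoice.docx", build_sample_docx(False)))
```

The check says nothing about what the macro does; AutoOpen handlers, obfuscated strings and Shell calls are the next layer, and that is where olevba or a sandbox takes over. Its value is as the cheap first gate: anything that comes back as macro-enabled, legacy OLE or a mismatch is pulled for deeper inspection before it reaches a user.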

You can also trick people on P2P filesharing that your evil program is the latest movie or album for free. Deceiving people into thinking that your program is something they want is a very effective tactic and can be applied to any infection vector. This technique could also be leveraged to tailor a social engineering campaign to a certain person.

Malware developers often don't care about who they infect, they just care that they infect. Targeted attacks can be much more difficult, depending on the person. When targeting a specific individual, you utilize what is called "spear-phishing". Spear-phishing campaigns involve gathering information on your target and using it to build up a scam that will personally interest your target.

Security in 2019 is no joke

Trying to get into the malware or anti-malware game is no longer as easy as it was two decades ago. Many of the techniques and approaches to malware development are no longer effective nor viable. If you want anything you write to stand even the slightest of chances, you need to do a few things.

First off, you need to write your own code. Anything that is freely available online or that can be bought on Tor forums or wherever has been heavily analyzed and has more than likely had an antivirus signature created for it, making it easy to get caught. Writing your own code, without copying and pasting anything, produces a program that signature-based engines haven't seen yet. Keep in mind that heuristic and behavioural detection still applies: original code that does the same suspicious things still gets flagged.

Second, stay up to date on all trends and exploits. Leveraging exploits will make your job easier as a malware developer. You will be able to easily escalate privileges or bypass security controls if your targets have vulnerable software. Public Linux exploits are plentiful because the source is open and bugs are found and written up constantly. Windows exploits are not rare, but working ones take longer to appear in public because the target is closed-source and has to be reverse engineered first; that effort is why fewer people publish them and why the ones on sites such as ExploitDB are often older or for third-party software rather than the OS itself.

Third, don't be an idiot. Make sure that you've designed your software architecture well or you will not succeed. Plan out everything carefully.

Conclusion

Well, there you have it, that's how to get started with malware. Put in some effort into researching further and testing some techniques and soon you'll be able to create your own malware to entertain yourself or as a proof-of-concept. I also have articles on how to get started with hacking, some books you might find helpful and the laws concerning hacking. Please don't use this information to cause harm. I wish you safe travels and happy hacking.