What you see above is the product of a pack of Newport cigarettes and a six pack of Southern Pecan beer (which I consumed while making this): The Charlie Sheen Project. I started writing this custom malware for the At-Large Collegiate Cyber Defense Competition, of which I am a Red Team member. If you're not familiar with CCDC, google it and check it out. In the picture, you see our logo for the Red Team (made by Wesley McGrew). We sometimes forgive, we occasionally forget, expect us to be #WINNING, @redteamsheen. The caption is a joke. It is a spoof on Anonymous's slogan ("We do not forgive. We do not forget. Expect us") blended with Charlie Sheen's twitter (because Charlie Sheen is awesome): http://www.twitter.com/charliesheen. We even made our own twitter feed for this event at: http://www.twitter.com/redteamsheen.
As far as the purpose of this malware goes, this application was made for annoying the blue team. The dialog box with the picture of Charlie Sheen (shown above) sits in the middle of the desktop at all times, cannot be exited from the task bar or by right clicking the window, and (if you notice from the picture) always stays on top of every window. In the picture above you can actually see how I have a folder open, and even though it is the window in focus, Charlie Sheen's picture still stays on top. This means (once we root any of the Windows machines the blue team is working on) the blue team will have to drag their applications around the window in order to work on their business injects, or waste time trying to get rid of our malware. Since no spyware removal tool on the market has signatures for our malware, they have to take the time to reverse engineer the malware themselves. The application does not do anything malicious to the user's computer. All it serves as is a perfect distraction for us to attack other machines while they're busy trying to figure out why they have a window stuck in the middle of their desktop displaying Charlie Sheen.
This application is a lot more evil than it appears. There are actually three (Windows) processes that execute when the Charlie Sheen Project runs: charliesheen.exe, watchdog1.exe, and watchdog2.exe. Watchdog1.exe uses the Process Status API to get a list of all processes running on the machine. If watchdog1 does not see charliesheen.exe or watchdog2.exe running, it respawns them by using the Windows API function CreateProcessW. Likewise, watchdog2 is a clone of watchdog1, except it makes sure charliesheen.exe and watchdog1.exe continue executing. Both watchdogs run a simple polling loop that sleeps for 30 milliseconds between checks. The purpose of this is to make sure that users cannot kill the tasks individually. They have to figure out a way to kill both watchdogs at once in order to stop them from executing. Aside from checking to make sure the processes are still running, the watchdogs also make sure the executable files (placed in C:\watchdog1 and C:\watchdog2) stay in those directories. If they find any of their executables (watchdog1.exe, watchdog2.exe, charliesheen.exe) are missing, they will copy the executables from each other's directories and replace them. This prevents users from deleting the application and then killing the process to stop execution. The last feature of this malware is that all three programs are added to the Windows registry on install so that they will start up upon reboot. Sorry Windows users, restarting your computer won't fix this problem. The downfall to this beautiful program is that the installers are Windows Setup and Deployment projects (because they were made in a rush). This means if the user has access to the Add or Remove Programs wizard they can just uninstall the programs. Also, even though I tested silent installs of the .msi files generated by the setup and deployment projects (msiexec /qn /i <program.msi>), some versions of Windows still require you to install from a GUI.
This is undesirable for malware deployment because most times when you get a shell on a computer you cannot (and do not want to) use the desktop to install programs, because the user can see you doing it on their screen. All in all, this simple annoying malware application is not a bad product of 12 hours of coding.
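From the blue team's side, the two paragraphs above describe everything needed to take the watchdog pair apart in the right order: the respawn only works while a copy of each executable still exists at the expected path, and the reboot persistence only works while the registry entries exist. The script below is an added example written for this post (it is not the author's code and nothing like it ships with the project) showing a clean-up sequence that breaks the chain before killing anything, rather than racing the 30 millisecond poll loop. It assumes, since the post does not say, that each of the two directories holds a copy of all three executables, that the autostart entries sit in the standard HKLM or HKCU Run keys, and that it is run from an elevated PowerShell on the affected machine; the `.quarantine` suffix is just a constructed name.

```powershell
# Added example (not from the original post): defender's clean-up of the
# watchdog1 / watchdog2 / charliesheen trio described above.
# Run from an elevated PowerShell on the affected host.
# Assumptions not stated on the page: every directory holds a copy of all
# three .exe files, and the autostart entries live in the standard Run keys.

$dirs      = 'C:\watchdog1', 'C:\watchdog2'
$procNames = 'charliesheen', 'watchdog1', 'watchdog2'
$runKeys   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. Remove the autostart entries first, so a reboot in the middle of the
#    clean-up does not bring everything back. The post does not say what the
#    installer named the values, so match on the install directories instead.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and ($dirs | Where-Object { $p.Value -like "*$_*" })) {
            Write-Host "Removing autostart entry $($p.Name) -> $($p.Value)"
            Remove-ItemProperty -Path $key -Name $p.Name
        }
    }
}

# 2. Rename every on-disk copy BEFORE touching the processes. Windows will
#    not let you delete a running image, but it will let you rename it. Once
#    all copies in both directories are renamed, the surviving watchdog has
#    nothing to hand to CreateProcessW and nothing to copy back into place.
foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    Get-ChildItem -Path $d -Filter '*.exe' | ForEach-Object {
        Rename-Item -Path $_.FullName -NewName ($_.Name + '.quarantine')
    }
}

# 3. Now kill all three in one pass. Whichever watchdog outlives the other
#    for a few milliseconds finds its respawn target missing and fails.
Get-Process -Name $procNames -ErrorAction SilentlyContinue | Stop-Process -Force

# 4. Give the poll loop a few cycles, confirm nothing came back, then remove
#    the quarantined files and directories.
Start-Sleep -Milliseconds 500
$left = Get-Process -Name $procNames -ErrorAction SilentlyContinue
if ($left) {
    Write-Warning "Still running: $($left.Name -join ', ') - look for copies outside $($dirs -join ', ')"
} else {
    foreach ($d in $dirs) { if (Test-Path $d) { Remove-Item -Path $d -Recurse -Force } }
    Write-Host 'Cleanup complete.'
}
```

The ordering is the whole point: registry first (so persistence is gone regardless of what happens next), files second (so respawning has no source), processes last. Doing it the other way round, killing first and deleting afterwards, is exactly the race the post says the design is meant to win. As the post notes, the MSI installers also mean `msiexec /x` or the Add or Remove Programs wizard would have removed this particular build, but the sequence above does not depend on the installer being well-behaved.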
The biggest challenge of writing this piece of malware was writing it for a Win32 environment. We do not know which service packs or what versions of Microsoft Windows administrators will be installing for CCDC competitions, thus the dependencies for an application like this have to be kept to a minimum. It is not safe to assume they will have things like the .NET framework (or even the Microsoft Foundation Classes) installed on their computer, so writing this had to be done in old school C++ in a Win32 environment. Win32 has special data types and a lot of my time was wasted trying to figure out how to convert between unicode and ascii data structures of the Windows API. Otherwise I’d just be writing it in some more sophisticated language like C#, java, or python. The second challenge, which I addressed in the Software Architecture paragraph, is the deployment of said applications. I could not just copy and paste the executables onto the target machines I tested on and run them. This is why I deployed them as Windows Setup and Deployment projects (because windows takes care of packaging the dependencies needed with my project).
For next year, I have plans to make this application truly diabolical. Here is a list of features I would have loved to implement if I had time:
- Manipulate operating system data structures to hide all processes from the task manager
- Provide integrity checks to all executables (like md5 and sha1) to make sure the correct applications get replaced (if they are deleted) and if not, download new executables from a server
- Provide checks to make sure the registry key entries are not being removed that make the malware respawn upon reboot
- Make an installer that does not depend on Windows Setup and Deployment projects, so that it can be installed from the command line and does not show up in the Add or Remove Programs wizard
- Randomize executable names periodically
Basically, I want to make it so that if the blue team wants to get rid of my malware, they will have to revert their virtual machines or be Windows Sysinternals gurus. Maybe that is not fair for such a short competition, but hey, do you think the makers of Conficker or popular botnets are going to play fair with their malware in the real world?
I had a lot of fun making this application. It is not something I would like to do every day, but it is cool to get my name out there with it. I guess I would develop (legal) applications like this for money as well for future employers. If you would like a copy of the code, you can download it here (MD5SUM: 97097342dbb654d5e9697b491659f104). It was made in Microsoft Visual Studio 2008. Feel free to comment on my blog or email me with questions about it.
We are Red Team Sheen. We sometimes forgive. We occasionally forget. Expect us to be #WINNING.