How Does Viper Malware Work?

Abdul wajed Nawazish
Feb 1, 2021

Note: This post is for ethical purposes only.

Viper is a RAT-based malware, developed by http://neehack.com/, that was able to go undetected by almost all of today’s antivirus products, including Kaspersky, Avast, McAfee, Symantec and many more. It is a Windows-based RAT, for 32-bit Windows 10 to be specific, but it also works under the x64 architecture; you simply have to tell the compiler that it is 32-bit code.

How does the malware work?

There is a lot in the malware to explain, but to keep it concise I will only cover the main points.

1 — Viper is written in C, but the payload is written in assembly opcodes.

Opcodes are the second-lowest-level language for a computer; the first is binary. To make it even worse, by default the payload is not fully functional by itself: parts of it are missing and are only crafted when the malware is executed. So if you were to copy the payload as it is and run it without its parent code, it just won't work.

Technically speaking, the payload has all the parameters prepared for a function but does not call the function until execution, so if an antivirus were to scan the binary for the functions that the malware uses, it wouldn’t find anything. In other words, I have “Hello, World!” stored in memory but do not call printf(). One of the reasons it does that is that Windows kernel calls are not an open standard and can be changed at any time by Microsoft, so calling the kernel directly is not always effective. Hence the malware creates a set of pointers to the addresses of the functions it wants to execute and then passes them to the payload. This also helps the malware bypass Windows ASLR and be very sneaky.

To put it simply: on the hard drive, the payload says “Hey zee”. Nothing scary in that quote, right? But when you execute it, that quote turns into “Hey zee punch that guy”.

2 — The payload is stored in the heap segment of memory rather than the code segment. If you are familiar with Windows, you may say: well, Windows has DEP to prevent executing code from the data segments of memory. True, you are right; hence the malware calls VirtualProtect and asks the CPU to give it read, write and execute permission on the segment of memory that holds the payload. That helps it bypass DEP.

3 — The payload's function calls point directly to the function code. The way Windows C functions currently work is that if you develop a program that calls WSAStartup, what actually happens behind the scenes is that your function call points to a pointer, __imp__WSAStartup@8, which then points to the actual function code (Function>Pointer>Code).

But the payload in this malware points directly to the code, skipping the first two parts.

What does the Viper payload do?

The Viper payload simply establishes a TCP socket and sends “AAAA” to the attacker, confirming that the connection has been established. After that, anything sent by the attacker is executed as a system command by the victim.

How to compile and execute the malware?

The source code of Viper is on GitHub here: https://github.com/MrMindKeeper/tcpf/blob/master/viper.c

You can compile the code using GCC as follows: gcc -g -m32 -fno-stack-protector viper.c -o viper.exe -l ws2_32

By default Viper connects to IP 127.0.0.1 on port 80. If you want to change that, you will have to change the bytes of the payload that hold the IP yourself. This is to keep script kiddies from misusing the malware without any knowledge.

Once you have the code compiled, open a listener using netcat on port 80 on the attacking machine as follows: nc -lnvp 80, then execute the malware binary on the victim's machine.

How to detect such malware?

Detecting such malware is only possible by scanning the binary and, even better, by analyzing its behavior while it executes.

You will have to tell your scanning tools to alert if a program calls, e.g., the socket, connect and system functions during execution.

Aside from that, although it might not be the best idea, if you have no other choice you may also be able to analyze the parameters that are prepared in memory rather than the functions that the program uses.
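
The run-time rule described above, as an added example that is not part of the original post or of the Viper source: it walks a constructed API-call trace and alerts on any process that calls socket, connect and system in that order, raising the severity if the process earlier used VirtualProtect to make memory read-write-execute. The trace format, its field names and the updater.exe and backup.exe process names are assumptions made for illustration.

```python
from collections import defaultdict

# Behaviours named in the post; matched at run time, not against the import table.
NETWORK_SHELL = ("socket", "connect", "system")
PAGE_EXECUTE_READWRITE = 0x40  # Windows memory-protection constant (RWX)

# Constructed sample trace in a hypothetical "pid image api key=value ..." format.
SAMPLE_TRACE = """\
4120 viper.exe VirtualProtect new_protect=0x40
4120 viper.exe WSAStartup version=0x0202
4120 viper.exe socket af=2 type=1
4120 viper.exe connect addr=127.0.0.1 port=80
4120 viper.exe system cmd=whoami
5200 updater.exe socket af=2 type=1
5200 updater.exe connect addr=127.0.0.1 port=443
6310 backup.exe system cmd=robocopy
"""

def parse_trace(text):
    """Yield (pid, image, api, args) for each well-formed trace line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # skip blank or malformed lines
        args = dict(f.split("=", 1) for f in fields[3:] if "=" in f)
        yield int(fields[0]), fields[1], fields[2], args

def detect(text):
    """Return one alert per process that calls socket, connect, system in order."""
    progress = defaultdict(int)  # pid -> number of NETWORK_SHELL steps seen so far
    rwx = set()                  # pids that made a memory region RWX
    alerts = []
    for pid, image, api, args in parse_trace(text):
        if (api == "VirtualProtect"
                and int(args.get("new_protect", "0"), 16) == PAGE_EXECUTE_READWRITE):
            rwx.add(pid)
        step = progress[pid]
        if step < len(NETWORK_SHELL) and api == NETWORK_SHELL[step]:
            progress[pid] = step + 1
            if progress[pid] == len(NETWORK_SHELL):
                alerts.append({"pid": pid, "image": image,
                               "severity": "high" if pid in rwx else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_TRACE):
        print(alert)
```

Because the rule keys on calls observed during execution, it does not depend on the function names appearing in the binary on disk.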
