How I created my very own Trojan malware today

Today I wrote a computer virus that could steal your passwords, drain your bank account, spy on your private emails and even let me peek at you with your own computer’s webcam. But don’t turn me into the cybercops just yet.

In an effort to show just how bad malware is spreading online and how easy it is to make, McAfee called in a group of journalists today for a demo. Using a couple of common virus-making programs, even a regular guy like me was able to put together a pretty malicious piece of malware — mine was actually nicknamed a Trojan, since a victim has to take an action to initiate its bad effects — within an hour.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":108500,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"B"}']

The process is so easy to learn that I can see why malware has spread exponentially around the globe. As millions of new Internet users come online, the malware writers see lots of easy targets and they’ve become adept at churning out new Trojans, viruses and worms using the automated software that the McAfee people trained me to use today. In the past few years, McAfee has seen its collection of malware grow from 5 million in 2007 to 20 million today. There were 4 million new additions to its malware library in the first quarter alone.

Under the supervision of some antivirus researchers at McAfee, we used laptops that simulated what the hacker sees on a server machine and what the victim sees on an ordinary PC. The machines were isolated from the Internet and we were not allowed to take our creations with us. We couldn’t even keep the scripts we used to create the malware.

“At no time should you attempt to connect any other devices to these machines,” the instructions said.

The first thing the McAfee folks directed me to do was to infect a client machine with a “remote access Trojan” (named after the Trojan horse myth, which works based on having the victim taking some action) dubbed Sub Seven, which can be used to take over a computer from afar. This so-called “back door” can retrieve information about an unprotected computer it is attacking almost instantaneously.

Once it was installed on the client machine, I got to see what a hacker would see, which was the name of the person or company that owned the computer, its location, and all sorts of technical data. I could use the simple console of the Sub Seven management tool to mess with the client. I could, for instance, change the date on the computer, operate its web cam, and capture passwords via a keystroke logger.

The keystroke logger basically captures anything the victim types on the screen. You could also see any of the web pages the victim was visiting. It was eye-opening how easy it is to do this.

Next up, after reading some arcane instructions, I managed to create a Trojan with a program called Shark. The Shark program was a little more fun than Sub Seven. It’s a tool created for “script kiddies,” or the untrained virus writers who simply follow the instructions of expert hackers to create lots of havoc. I called my creation “Dean’s Fake Trojan.” The file that my victims could click on was called Winlotsofcash.exe. And I put it in a folder called “Click here.”

The Shark interface wasn’t that pretty. It was like a spreadsheet. I basically picked the features, like what it could do to the machines that executed it. Then I clicked on the “compile” button to create it on the virtual server I was using. I tested it and it worked fine. Next, I distributed it. I sent it via Microsoft Outlook to a couple of (faux) email accounts. Then I switched over to the client machine, opened Outlook, and clicked on the file, Winlotsofcash. I switched back over to the server side and saw I had collected all of the data associated with the client machine.

[aditude-amp id="medium1" targeting='{"env":"staging","page_type":"article","post_id":108500,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"B"}']

I found that I had taken over the client. I could activate a keystroke logger to see what was being typed. On the client side, I typed “This is my password.” On the server side, I saw the words being typed. I could see what web sites were being visited and was able to redirect the web browser for a real site to a fake site.

Jeff Green, senior vice president of McAfee’s Avert Labs group, said that we’ve seen an explosion in all sorts of malware created with tools like the ones I used. It is spreading to platforms such as Twitter and Facebook and the Mac, even as those platforms do their best to fight off malware.

For 2009, Green predicts that malware will grow by 115 percent. These range from password stealers to worms that clean out your online game accounts. On the black market, Green said the going rate to purchase a login and password for a bank account with $14,400 in it was $924. The tricks used by malware creators are meant to fool consumers. You could be enticed to click on files about the swine flu, for example. Within hours of David Carradine’s reported death, there were viruses and Trojans that aimed to entice people to click on a file based on the promise of getting more information about the incident.

Mike Gallagher, senior vice president at McAfee and chief technology officer for global threat intelligence, said that they only way to combat this flood of malware is through a multi-pronged approach. McAfee believes it has to put sensors out that capture the entire activity happening on the Internet. Every time a web site changes or a new one appears, the company has to log it. Then it has to analyze the patterns to root out suspicious activity. If a certain file is making its way around the globe fast, that’s a red flag. It will come to McAfee’s attention quickly, even if no one knows exactly what is in that file yet.

[aditude-amp id="medium2" targeting='{"env":"staging","page_type":"article","post_id":108500,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"B"}']

In the old days, McAfee could scan the Internet once a day. But now it finds that it must do so continuously using real-time scanners that store data of malware in live servers, or the cloud, which are instantly accessible. By doing this, the company can catch thousands of suspicious files in a day. It can rate sites by their reputations in terms of security preparedness and then act on partial information about potential threats more quickly. Much like a weather forecaster analyzes tons of data, so does McAfee when it makes predictions about global threats. It says it gets its predictions wrong about 0.00075 percent of the time.

Given the volume and sophistication of attackers out there, it’s likely going to be a long time before any security companies solve this problem. Big companies have to invest a lot of money (and buy a lot of McAfee protection) if they are going to make themselves safe from malware. It’s a self-serving argument coming from McAfee, but we should all be more concerned about security than we are.

For the record, before anyone calls the FBI on me, I did not take my malware with me. And McAfee has hopefully flushed the creation down the virtual toilet.

[aditude-amp id="medium3" targeting='{"env":"staging","page_type":"article","post_id":108500,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"B"}']