• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

EXE Binders: Be careful what you execute

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Beginners // Misc. Computer Questions

View previous topic :: View next topic  
Author Message
capi
SF Senior Mod
SF Senior Mod


Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

Offline

PostPosted: Wed May 18, 2005 9:44 pm    Post subject: EXE Binders: Be careful what you execute Reply with quote

We've recently had a post announcing a well known tool called an EXE binder.
Quote:
This exe binder now allows you to bind any files together. Executables, pictures, sounds, documents, etc.

You can bind as many together as you like too!

The post was removed by the Staff as we are in the business of sharing knowledge and securing systems, not in the business of divulging ready-made "download this to h4x0r teh noobs" tools.

However, for the benefit of the unaware, this may be a good chance to talk a bit about what an EXE binder is, and how it poses a threat to the unsuspecting user.

Basically, an EXE binder is a tool that lets someone take a bunch of files and bind them together, to produce an executable that, upon being launched, unpacks all the files to whatever destinations were specified by its creator. It can also run the files.

It's pretty much the same thing as a self-extracting ZIP file, for example. An EXE that, when launched, unpacks itself into a bunch of other files. The difference is the launcher will usually execute them. So, you can bind e.g. Tetris.exe along with virus.exe into a malicious executable called whatever (let's say tetrix.exe); then when the victim runs it, the two original programs get extracted and run. What does this mean? It means when the victim runs tetrix.exe, it will run the valid game Tetris.exe, but it will also run virus.exe behind the scenes. So you run the program, you see the Tetris game, but in the background you've also run the virus.

This is actually far from new... Binders have been used by wannabes to deploy their little tools for as long as there have been trojans out there to download.

It's not even that hard to make a binder, either. Any looser can make one in VB or whatnot and distribute it to 100,000 wannabes, who will worship him for giving them the tools to "0wn teh n00bs". Just take a stub EXE depacker/launcher, add in whatever files you want as resources, then when the EXE is run the stub depacker will write out the resources to files (in some configurable directory, or temp or whatever), launch some of them, or do whatever it wants.

So what's the moral here? Again, nothing new: be careful what you run. Even if what you run does launch some seemingly legitimate program, it doesn't mean that's the only thing it did; it may have copied some file somewhere as well, or launched another hidden program, etc. For example, one common (and ooooold) trick is to make the malware installer throw a bogus error message when you run it. Something unintelligible and official-looking like "The process threw an illegal status operation, missing link data layer" or just "missing DLL" or maybe an actual error message the malware maker copied from Windows. So, the victim runs the program, thinking it's some security patch, or some game, or whatnot, the program spits out an error message saying it couldn't find some DLL, the victim thinks nothing happened and deletes it. Little does he know that while the error was being shown, the trojan was installing itself; deleting the installer after the fact will accomplish nothing, you're already compromised.

You still need to run the program, though. A .JPG isn't going to magically depack itself and start running executables just because it's laying there on your hard drive. A program needs to be launched by the operating system in order to actually run code. That is, myths about binding an EXE to a picture, and expecting the picture to somehow infect the victim when it's opened, are all a bunch of bullspit. If you double-click a .BMP, the operating system will launch whatever program you have associated with that extension, and tell it to open the file. Nothing more, nothing less. Any code that might exist inside the BMP won't get run unless your picture viewer wants to run it for some reason (i.e. the picture viewer itself is malicious).

What is usually done is set up a .EXE launcher with a fake icon, or something of the sort. But appending code to the end of a .BMP, giving the bitmap to some victim, and somehow expecting it to infect anyone? Tough luck.
Back to top
View user's profile Send private message
White Scorpion
Just Arrived
Just Arrived


Joined: 19 Sep 2003
Posts: 5
Location: The Netherlands

Offline

PostPosted: Thu May 19, 2005 12:04 am    Post subject: Reply with quote

Nice story Capi!

Just one thing to add though: running a test.txt file from within windows will open notepad and show you the contents, but if you run it from within the commandline and it happens to be an executable then the executable WILL be executed as if it were an .exe file.

The same goes for .jpg, .bmp , .gif and all kinds of other extensions. the commandline (DOS emulator) will run the program as it is, not as the extension makes it look like... Keep this in mind as well!

I have written a custom binder myself a couple of days ago. This program doesn't take any input or whatever, but you would have to compile it using a backdoor and a real app. when compiled it will unpack both to the system32 folder, execute the backdoor and then overwrite the running file with the original one so that everything is cleaned up. This means that when you have a file containing 2 files and you run it once, you finally only have the original one left (which is getting executed as well btw). It basically is a binder, but i only needed it to do some testing, it won't have any use (except skiddies?) to release it so i won't, but just thought i should add it to make a point that executing the file once can be enough to erase all traces AND still install a backdoor...
Back to top
View user's profile Send private message Send e-mail Visit poster's website
Tw1sted L0gic
Just Arrived
Just Arrived


Joined: 15 May 2005
Posts: 0


Offline

PostPosted: Fri May 20, 2005 6:18 pm    Post subject: Reply with quote

Some excellent points raised by both parties. Now it's my turn!

It looks like I've got some explaining to do.
I've been on this forum 5 minutes and already I'm some "looser" feeding script kiddies with malicious tools!

You are, however, partially correct. Malicious script kiddies can use tools by developers such as me to cause harm. But then what security tools can't be misused by skiddies? NMAP? Netcat? Retina? Even Install Shield can be configured not to show any dialogs when installing, which is far more dangerous to skiddies.

Many security experts, perhaps many who visit this forum, believe sharing information is the way to stop malicious attacks. The risk of malicious users getting hold of exploit information/security tools is worth taking, to make sure legitimate admins are educated and equipped enough to protect themselves. I noticed an admins sig on this forum:

"Share your knowledge, it's a
way to achieve Immortality. "

Also, releases of tools like this keep admins on their toes. My advertisement of this tool triggered this thread to be made, and has already been read by 90 people, who are now educated to the dangers of exe binders.

Having presented that (weak) argument, I am bizarrely in agreement.
People who release these tools often use them for malicious purposes themselves. It will be used to infect uneducated, unprotected users with trojans and the like, there's no doubt about that. But in my opinion, anyone who has a PC with no firewall or AV software, and accepts and runs executables isn't fit to own a computer.



-Tw1sted L0gic
Back to top
View user's profile Send private message
capi
SF Senior Mod
SF Senior Mod


Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

Offline

PostPosted: Fri May 20, 2005 6:47 pm    Post subject: Reply with quote

Hello Tw1sted l0gic,

Actually the looser remark was not meant at you; it was meant for what it says: coding an exe binder is not something hard, any monkey with rudimentary knowledge of VB and the ability to toss in code and debug it 'till it works will be able to code one, and offer it to the wannabe masses who will worship him as the "leet creator of the tools of 0wnage".

In fact, if you will notice, your identity was not revealed anywhere in the post, it was simply taken as an example.

Regarding sharing knowledge and exposing the dangers, you are preaching to the wrong guy; I am 100% in favor of releasing exploit code, divulging exploits and vulnerabilities in software, etc. As anyone who knows me will tell you, I am more a dark-greyish hat than anything else. However, there is a difference between offering knowledge (for example, "how to make a binder", or "how binders work") and just offering a pre-made compiled tool ("download this program to 0wn someone"). There is all to learn from the former, nothing to learn from the latter. That was the reason your post was removed.
Back to top
View user's profile Send private message
Tom Bair
SF Boss
SF Boss


Joined: 10 Aug 2002
Posts: 16776955
Location: Portland, Oregon USA

Offline

PostPosted: Fri May 20, 2005 8:56 pm    Post subject: Reply with quote

Tw1sted L0gic wrote:
Many security experts, perhaps many who visit this forum, believe sharing information is the way to stop malicious attacks. The risk of malicious users getting hold of exploit information/security tools is worth taking, to make sure legitimate admins are educated and equipped enough to protect themselves.

Also, releases of tools like this keep admins on their toes. My advertisement of this tool triggered this thread to be made, and has already been read by 90 people, who are now educated to the dangers of exe binders.


-Tw1sted L0gic


We do believe that sharing information is the way to stop malicious attacks. Sharing pre-made exploit tools with the open public is akin to the PC Security Community shooting themselves in the eye, thinking they can still use the other eye to keep abreast of malware developments.

Your logic in the second paragraph fails me. It is akin to saying it is good to teach people how to rob banks so that banks and police can better fine-tune their security methods to better catch people who rob banks so they can put them in prison for 20 years and then more new people will have to be found to rob banks so that banks and police can better fine-tune their security methods....

It is a recognized fact that one must develop these tools to stay current with developments in the field. It is also a recognized fact that many who code these tools wish to gain acknowledgement from their peers for their efforts. This is fine, but to provide unvented access to such tools is not only careless, but dangerous as well. As a responsible forum -- we must agonize over sharing the knowledge and remaining responsible and accountable to the Security Community.

Allow us to play Devil's Advocate here. Your advertisement of this tool, and your response to this thread could be viewed as your attempts to Socially Engineer us and the public into downloading your tool. Where is the benefit to the community in this? Of what benefit is it for a Professional to reverse engineer your program for some new tricky way of coding something? Better to just share that code up front and in the open if your interests remain in protecting the community, right?

I really wish to thank you for your comments. Remember, it was the link to a possible skiddy exploit tool which was removed from this site. The poster remains to have the staff's respect.
Back to top
View user's profile Send private message Visit poster's website
pdania
Just Arrived
Just Arrived


Joined: 28 Sep 2005
Posts: 0
Location: UK

Offline

PostPosted: Wed Sep 28, 2005 5:40 am    Post subject: My Contribution .... Reply with quote

Hi All, I just joined and I am still a novice in Computerworld, however I'm aspiring to be a Computer Security Guru.

There are a few rules I always stick to:

A good and regularly updated firewall (if it has an IDS that uses anomaly detection built in, even better)

A regularly updated AV Software

A good anti-spam

I use MS Office 2003 and set my email junk filter to allow safe senders only

And finally, I never never log into my machine as an administrator except when I want to fix or install stuff.
Back to top
View user's profile Send private message
Gvrv
Just Arrived
Just Arrived


Joined: 25 Oct 2005
Posts: 0


Offline

PostPosted: Tue Oct 25, 2005 8:18 am    Post subject: Reply with quote

About these exe binders, i seem to have two of them. But i have never launched them and they can't be removed. So if anyone can offer me any help on this, please, because my AV(Norton Systemworks) doesn't.
Back to top
View user's profile Send private message
jeshim
Just Arrived
Just Arrived


Joined: 19 Nov 2004
Posts: 0


Offline

PostPosted: Thu Jan 05, 2006 7:23 am    Post subject: Reply with quote

jpg binders? I suspect you could easily make a hello.jpg.exe, and ppl with file extensions hidden (ie 90% of the pop'n by default) will open it and the pic would be unpacked and viewed using window's set program.

meanwhile the rest of us will look at the strange .exe at the end and go 'huh?'

tho I think txt files would be an easier target as jpg can have various icons depending on the user.
Back to top
View user's profile Send private message
h_forge
Just Arrived
Just Arrived


Joined: 17 Sep 2006
Posts: 0


Offline

PostPosted: Sun Sep 17, 2006 9:06 pm    Post subject: Reply with quote

Gvrv wrote:
About these exe binders, i seem to have two of them. But i have never launched them and they can't be removed. So if anyone can offer me any help on this, please, because my AV(Norton Systemworks) doesn't.


I guess Avg Free Edition will help you to remove those.
Actually I think an AVG + Zone Alarm(or a better one) combination is always better then Norton(faster and safer).
Are there any better combinations you are using?
Back to top
View user's profile Send private message
Scr1ptK1dd13
Just Arrived
Just Arrived


Joined: 20 Oct 2006
Posts: 0
Location: Columbus, Ohio

Offline

PostPosted: Fri Oct 20, 2006 5:08 pm    Post subject: Reply with quote

Gvrv Wrote:
Quote:
About these exe binders, i seem to have two of them. But i have never launched them and they can't be removed. So if anyone can offer me any help on this, please, because my AV(Norton Systemworks) doesn't.


Surprisingly enough, I had a folder last night that I could not delete. It took me a bit of searching, but I finally found a way to do so (as long as you have windows).

Open up a command prompt window.
Go to the directory that the file you want deleted is in.

Open up task manager and click the processes tab
Click on the"explorer.exe", and click end process.
Your desktop and icons will disappear, but it is ok.

Back in the command prompt, use the 'del' command for files and the 'rmdir' command for directories (use the /s switch to delete everything within the directory including other directories). Delete them.

Type in cd c:\windows and hit enter. Type in explorer.exe and hit enter.
The desktop will refresh, and the file(s) should be gone.

-Scr1ptK1dd13

Ps Make sure that you have the command prompt open before you end the explorer.exe process
Back to top
View user's profile Send private message
miss_tokyo
Just Arrived
Just Arrived


Joined: 16 Nov 2007
Posts: 0


Offline

PostPosted: Fri Nov 16, 2007 4:37 pm    Post subject: uh-oh. Reply with quote

Back in the Win98 days, I used to LOVE to download all sorts of freeware. And guess what happened? It crashed! Razz
Back to top
View user's profile Send private message
OddOne
Trusted SF Member
Trusted SF Member


Joined: 24 May 2004
Posts: 0


Offline

PostPosted: Thu Jan 03, 2008 7:21 pm    Post subject: Reply with quote

Okay, this may be considered inappropriate so if it is please feel free to nuke it.

Here's how easy it is to make a program that could be called a "binder"...

1. Fire up your favorite IDE and create a standalone-executable Win32 application. Prepare the interface as you see fit.
2. Add code that will enumerate the resources attached to the file, and convert them into memory streams.
3. Use the API ShellEx to have Windows try to execute the memory streams as though they were regular files.

Then, during or after compile, simply add the files as embedded resources. The EXE would unpack them and try to run them, either executing code or triggering file handlers as needed.

I could probably code something like this in Delphi in about 10 minutes, including debug time and the time to build a basic resource packer.

oO
Back to top
View user's profile Send private message
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Beginners // Misc. Computer Questions All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Looking for more Windows Networking info?

Sign up to the WindowsNetworking.com Monthly Newsletter, written by Enterprise Security MVP Deb Shinder, containing news, the hottest tips, Networking links of the month and much more. Subscribe today and don't miss a thing!
View a sample newsletter.

Become a WindowsNetworking.com member!

Discuss your Windows Networking issues with thousands of other Windows Newtorking experts. Click here to join!

Community Area

Log in | Register

Readers' Choice

Which is your preferred data recovery solution?

Follow TechGenix on Twitter