EXE Binders: Be careful what you execute

Networking/Security Forums -> Beginners // Misc. Computer Questions

Author: capiLocation: Portugal PostPosted: Wed May 18, 2005 9:44 pm    Post subject: EXE Binders: Be careful what you execute
    ----
We've recently had a post announcing a well known tool called an EXE binder.
Quote:
This exe binder now allows you to bind any files together. Executables, pictures, sounds, documents, etc.

You can bind as many together as you like too!

The post was removed by the Staff as we are in the business of sharing knowledge and securing systems, not in the business of divulging ready-made "download this to h4x0r teh noobs" tools.

However, for the benefit of the unaware, this may be a good chance to talk a bit about what an EXE binder is, and how it poses a threat to the unsuspecting user.

Basically, an EXE binder is a tool that lets someone take a bunch of files and bind them together, to produce an executable that, upon being launched, unpacks all the files to whatever destinations were specified by its creator. It can also run the files.

It's pretty much the same thing as a self-extracting ZIP file, for example. An EXE that, when launched, unpacks itself into a bunch of other files. The difference is the launcher will usually execute them. So, you can bind e.g. Tetris.exe along with virus.exe into a malicious executable called whatever (let's say tetrix.exe); then when the victim runs it, the two original programs get extracted and run. What does this mean? It means when the victim runs tetrix.exe, it will run the valid game Tetris.exe, but it will also run virus.exe behind the scenes. So you run the program, you see the Tetris game, but in the background you've also run the virus.

This is actually far from new... Binders have been used by wannabes to deploy their little tools for as long as there have been trojans out there to download.

It's not even that hard to make a binder, either. Any looser can make one in VB or whatnot and distribute it to 100,000 wannabes, who will worship him for giving them the tools to "0wn teh n00bs". Just take a stub EXE depacker/launcher, add in whatever files you want as resources, then when the EXE is run the stub depacker will write out the resources to files (in some configurable directory, or temp or whatever), launch some of them, or do whatever it wants.

So what's the moral here? Again, nothing new: be careful what you run. Even if what you run does launch some seemingly legitimate program, it doesn't mean that's the only thing it did; it may have copied some file somewhere as well, or launched another hidden program, etc. For example, one common (and ooooold) trick is to make the malware installer throw a bogus error message when you run it. Something unintelligible and official-looking like "The process threw an illegal status operation, missing link data layer" or just "missing DLL" or maybe an actual error message the malware maker copied from Windows. So, the victim runs the program, thinking it's some security patch, or some game, or whatnot, the program spits out an error message saying it couldn't find some DLL, the victim thinks nothing happened and deletes it. Little does he know that while the error was being shown, the trojan was installing itself; deleting the installer after the fact will accomplish nothing, you're already compromised.

You still need to run the program, though. A .JPG isn't going to magically depack itself and start running executables just because it's laying there on your hard drive. A program needs to be launched by the operating system in order to actually run code. That is, myths about binding an EXE to a picture, and expecting the picture to somehow infect the victim when it's opened, are all a bunch of bullspit. If you double-click a .BMP, the operating system will launch whatever program you have associated with that extension, and tell it to open the file. Nothing more, nothing less. Any code that might exist inside the BMP won't get run unless your picture viewer wants to run it for some reason (i.e. the picture viewer itself is malicious).

What is usually done is set up a .EXE launcher with a fake icon, or something of the sort. But appending code to the end of a .BMP, giving the bitmap to some victim, and somehow expecting it to infect anyone? Tough luck.

Author: White ScorpionLocation: The Netherlands PostPosted: Thu May 19, 2005 12:04 am    Post subject:
    ----
Nice story Capi!

Just one thing to add though: running a test.txt file from within windows will open notepad and show you the contents, but if you run it from within the commandline and it happens to be an executable then the executable WILL be executed as if it were an .exe file.

The same goes for .jpg, .bmp , .gif and all kinds of other extensions. the commandline (DOS emulator) will run the program as it is, not as the extension makes it look like... Keep this in mind as well!

I have written a custom binder myself a couple of days ago. This program doesn't take any input or whatever, but you would have to compile it using a backdoor and a real app. when compiled it will unpack both to the system32 folder, execute the backdoor and then overwrite the running file with the original one so that everything is cleaned up. This means that when you have a file containing 2 files and you run it once, you finally only have the original one left (which is getting executed as well btw). It basically is a binder, but i only needed it to do some testing, it won't have any use (except skiddies?) to release it so i won't, but just thought i should add it to make a point that executing the file once can be enough to erase all traces AND still install a backdoor...

Author: Tw1sted L0gic PostPosted: Fri May 20, 2005 6:18 pm    Post subject:
    ----
Some excellent points raised by both parties. Now it's my turn!

It looks like I've got some explaining to do.
I've been on this forum 5 minutes and already I'm some "looser" feeding script kiddies with malicious tools!

You are, however, partially correct. Malicious script kiddies can use tools by developers such as me to cause harm. But then what security tools can't be misused by skiddies? NMAP? Netcat? Retina? Even Install Shield can be configured not to show any dialogs when installing, which is far more dangerous to skiddies.

Many security experts, perhaps many who visit this forum, believe sharing information is the way to stop malicious attacks. The risk of malicious users getting hold of exploit information/security tools is worth taking, to make sure legitimate admins are educated and equipped enough to protect themselves. I noticed an admins sig on this forum:

"Share your knowledge, it's a
way to achieve Immortality. "

Also, releases of tools like this keep admins on their toes. My advertisement of this tool triggered this thread to be made, and has already been read by 90 people, who are now educated to the dangers of exe binders.

Having presented that (weak) argument, I am bizarrely in agreement.
People who release these tools often use them for malicious purposes themselves. It will be used to infect uneducated, unprotected users with trojans and the like, there's no doubt about that. But in my opinion, anyone who has a PC with no firewall or AV software, and accepts and runs executables isn't fit to own a computer.



-Tw1sted L0gic

Author: capiLocation: Portugal PostPosted: Fri May 20, 2005 6:47 pm    Post subject:
    ----
Hello Tw1sted l0gic,

Actually the looser remark was not meant at you; it was meant for what it says: coding an exe binder is not something hard, any monkey with rudimentary knowledge of VB and the ability to toss in code and debug it 'till it works will be able to code one, and offer it to the wannabe masses who will worship him as the "leet creator of the tools of 0wnage".

In fact, if you will notice, your identity was not revealed anywhere in the post, it was simply taken as an example.

Regarding sharing knowledge and exposing the dangers, you are preaching to the wrong guy; I am 100% in favor of releasing exploit code, divulging exploits and vulnerabilities in software, etc. As anyone who knows me will tell you, I am more a dark-greyish hat than anything else. However, there is a difference between offering knowledge (for example, "how to make a binder", or "how binders work") and just offering a pre-made compiled tool ("download this program to 0wn someone"). There is all to learn from the former, nothing to learn from the latter. That was the reason your post was removed.

Author: Tom BairLocation: Portland, Oregon USA PostPosted: Fri May 20, 2005 8:56 pm    Post subject:
    ----
Tw1sted L0gic wrote:
Many security experts, perhaps many who visit this forum, believe sharing information is the way to stop malicious attacks. The risk of malicious users getting hold of exploit information/security tools is worth taking, to make sure legitimate admins are educated and equipped enough to protect themselves.

Also, releases of tools like this keep admins on their toes. My advertisement of this tool triggered this thread to be made, and has already been read by 90 people, who are now educated to the dangers of exe binders.


-Tw1sted L0gic


We do believe that sharing information is the way to stop malicious attacks. Sharing pre-made exploit tools with the open public is akin to the PC Security Community shooting themselves in the eye, thinking they can still use the other eye to keep abreast of malware developments.

Your logic in the second paragraph fails me. It is akin to saying it is good to teach people how to rob banks so that banks and police can better fine-tune their security methods to better catch people who rob banks so they can put them in prison for 20 years and then more new people will have to be found to rob banks so that banks and police can better fine-tune their security methods....

It is a recognized fact that one must develop these tools to stay current with developments in the field. It is also a recognized fact that many who code these tools wish to gain acknowledgement from their peers for their efforts. This is fine, but to provide unvented access to such tools is not only careless, but dangerous as well. As a responsible forum -- we must agonize over sharing the knowledge and remaining responsible and accountable to the Security Community.

Allow us to play Devil's Advocate here. Your advertisement of this tool, and your response to this thread could be viewed as your attempts to Socially Engineer us and the public into downloading your tool. Where is the benefit to the community in this? Of what benefit is it for a Professional to reverse engineer your program for some new tricky way of coding something? Better to just share that code up front and in the open if your interests remain in protecting the community, right?

I really wish to thank you for your comments. Remember, it was the link to a possible skiddy exploit tool which was removed from this site. The poster remains to have the staff's respect.

Author: pdaniaLocation: UK PostPosted: Wed Sep 28, 2005 5:40 am    Post subject: My Contribution ....
    ----
Hi All, I just joined and I am still a novice in Computerworld, however I'm aspiring to be a Computer Security Guru.

There are a few rules I always stick to:

A good and regularly updated firewall (if it has an IDS that uses anomaly detection built in, even better)

A regularly updated AV Software

A good anti-spam

I use MS Office 2003 and set my email junk filter to allow safe senders only

And finally, I never never log into my machine as an administrator except when I want to fix or install stuff.

Author: Gvrv PostPosted: Tue Oct 25, 2005 8:18 am    Post subject:
    ----
About these exe binders, i seem to have two of them. But i have never launched them and they can't be removed. So if anyone can offer me any help on this, please, because my AV(Norton Systemworks) doesn't.

Author: jeshim PostPosted: Thu Jan 05, 2006 7:23 am    Post subject:
    ----
jpg binders? I suspect you could easily make a hello.jpg.exe, and ppl with file extensions hidden (ie 90% of the pop'n by default) will open it and the pic would be unpacked and viewed using window's set program.

meanwhile the rest of us will look at the strange .exe at the end and go 'huh?'

tho I think txt files would be an easier target as jpg can have various icons depending on the user.

Author: h_forge PostPosted: Sun Sep 17, 2006 9:06 pm    Post subject:
    ----
Gvrv wrote:
About these exe binders, i seem to have two of them. But i have never launched them and they can't be removed. So if anyone can offer me any help on this, please, because my AV(Norton Systemworks) doesn't.


I guess Avg Free Edition will help you to remove those.
Actually I think an AVG + Zone Alarm(or a better one) combination is always better then Norton(faster and safer).
Are there any better combinations you are using?

Author: Scr1ptK1dd13Location: Columbus, Ohio PostPosted: Fri Oct 20, 2006 5:08 pm    Post subject:
    ----
Gvrv Wrote:
Quote:
About these exe binders, i seem to have two of them. But i have never launched them and they can't be removed. So if anyone can offer me any help on this, please, because my AV(Norton Systemworks) doesn't.


Surprisingly enough, I had a folder last night that I could not delete. It took me a bit of searching, but I finally found a way to do so (as long as you have windows).

Open up a command prompt window.
Go to the directory that the file you want deleted is in.

Open up task manager and click the processes tab
Click on the"explorer.exe", and click end process.
Your desktop and icons will disappear, but it is ok.

Back in the command prompt, use the 'del' command for files and the 'rmdir' command for directories (use the /s switch to delete everything within the directory including other directories). Delete them.

Type in cd c:\windows and hit enter. Type in explorer.exe and hit enter.
The desktop will refresh, and the file(s) should be gone.

-Scr1ptK1dd13

Ps Make sure that you have the command prompt open before you end the explorer.exe process

Author: miss_tokyo PostPosted: Fri Nov 16, 2007 4:37 pm    Post subject: uh-oh.
    ----
Back in the Win98 days, I used to LOVE to download all sorts of freeware. And guess what happened? It crashed! Razz

Author: OddOne PostPosted: Thu Jan 03, 2008 7:21 pm    Post subject:
    ----
Okay, this may be considered inappropriate so if it is please feel free to nuke it.

Here's how easy it is to make a program that could be called a "binder"...

1. Fire up your favorite IDE and create a standalone-executable Win32 application. Prepare the interface as you see fit.
2. Add code that will enumerate the resources attached to the file, and convert them into memory streams.
3. Use the API ShellEx to have Windows try to execute the memory streams as though they were regular files.

Then, during or after compile, simply add the files as embedded resources. The EXE would unpack them and try to run them, either executing code or triggering file handlers as needed.

I could probably code something like this in Delphi in about 10 minutes, including debug time and the time to build a basic resource packer.

oO



Networking/Security Forums -> Beginners // Misc. Computer Questions


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group