1
00:00:00,090 --> 00:00:00,930
In this lesson,

2
00:00:00,930 --> 00:00:02,969
I want to perform a quick demonstration to show you

3
00:00:02,969 --> 00:00:04,140
how easy it is to create

4
00:00:04,140 --> 00:00:06,870
and use a virus and remote access Trojan.

5
00:00:06,870 --> 00:00:08,670
Now before we begin, it's important to note

6
00:00:08,670 --> 00:00:10,770
that I'm using an older legacy-style machine

7
00:00:10,770 --> 00:00:11,970
for this demonstration

8
00:00:11,970 --> 00:00:14,580
because these are known vulnerable Windows 7 machines

9
00:00:14,580 --> 00:00:16,860
that I'm using inside of my lab environment.

10
00:00:16,860 --> 00:00:18,630
Now this is a great operating system to use

11
00:00:18,630 --> 00:00:20,370
for these types of security demonstrations

12
00:00:20,370 --> 00:00:21,720
because they are vulnerable

13
00:00:21,720 --> 00:00:24,150
and there are no longer any new security patches

14
00:00:24,150 --> 00:00:26,580
for Windows 7 systems in existence.

15
00:00:26,580 --> 00:00:28,500
So if you're trying to replicate this demonstration

16
00:00:28,500 --> 00:00:31,770
on a more modern workstation like Windows 11 or Windows 10,

17
00:00:31,770 --> 00:00:32,940
it will usually be detected

18
00:00:32,940 --> 00:00:35,160
and blocked by your modern antivirus software

19
00:00:35,160 --> 00:00:36,540
like Windows Defender.

20
00:00:36,540 --> 00:00:37,860
But there are newer tools

21
00:00:37,860 --> 00:00:39,930
that are being developed by threat actors, attackers,

22
00:00:39,930 --> 00:00:42,810
and penetration testers all the time that you can use.

23
00:00:42,810 --> 00:00:44,130
Now I've had many students ask

24
00:00:44,130 --> 00:00:46,860
where they can download a tool like JPS Virus Maker

25
00:00:46,860 --> 00:00:48,480
that I'm going to be using in this demo,

26
00:00:48,480 --> 00:00:50,310
and you can find these things online.

27
00:00:50,310 --> 00:00:51,840
Now, because I did not create this tool

28
00:00:51,840 --> 00:00:53,490
and I don't own the copyright to it,

29
00:00:53,490 --> 00:00:54,690
I am not able to provide you

30
00:00:54,690 --> 00:00:56,970
a direct download link for this tool

31
00:00:56,970 --> 00:00:59,430
or tell you where you can actually go and download it.

32
00:00:59,430 --> 00:01:01,890
Making a virus is not considered a testable item

33
00:01:01,890 --> 00:01:02,850
for your exams,

34
00:01:02,850 --> 00:01:04,860
but I wanted to provide this quick demonstration

35
00:01:04,860 --> 00:01:06,120
so you can see what kind of things

36
00:01:06,120 --> 00:01:07,650
a virus or Trojan can do

37
00:01:07,650 --> 00:01:10,140
once they've compromised your targeted system.

38
00:01:10,140 --> 00:01:11,190
Now, if you move into the world

39
00:01:11,190 --> 00:01:13,110
of penetration testing later on in your career,

40
00:01:13,110 --> 00:01:15,000
you'll learn all about the different tools that we use

41
00:01:15,000 --> 00:01:17,820
in modern networks to be able to create viruses and Trojans

42
00:01:17,820 --> 00:01:19,200
to be able to break into corporate networks

43
00:01:19,200 --> 00:01:21,300
as part of your penetration testing assessments

44
00:01:21,300 --> 00:01:22,650
and engagements.

45
00:01:22,650 --> 00:01:24,870
Alright, let's jump into the demonstration.

46
00:01:24,870 --> 00:01:26,820
So I have two machines set up here,

47
00:01:26,820 --> 00:01:28,770
I have one on the left, which will be my attacker,

48
00:01:28,770 --> 00:01:31,710
and one on the right, which will be my victim.

49
00:01:31,710 --> 00:01:32,820
On the attacker's machine,

50
00:01:32,820 --> 00:01:37,320
I'm running a program called Virus Maker 3.0 or JPS.

51
00:01:37,320 --> 00:01:39,810
Here are basically point-and-click options

52
00:01:39,810 --> 00:01:41,220
of all the things that I can do

53
00:01:41,220 --> 00:01:42,900
to that machine on the right.

54
00:01:42,900 --> 00:01:45,090
For our example, I'm going to do one that's easy to see.

55
00:01:45,090 --> 00:01:47,070
It's called Crazy Mouse.

56
00:01:47,070 --> 00:01:48,600
So I'll go ahead and click that

57
00:01:48,600 --> 00:01:49,710
and then I'm going to select

58
00:01:49,710 --> 00:01:52,050
what I want it to be called after installation.

59
00:01:52,050 --> 00:01:54,240
We'll go ahead and call it the service host.

60
00:01:54,240 --> 00:01:56,280
And what do we want the server name to be called?

61
00:01:56,280 --> 00:01:57,180
The file name.

62
00:01:57,180 --> 00:02:00,210
And I'm going to go ahead and call it Explorer.exe.

63
00:02:00,210 --> 00:02:02,070
You could really choose whatever you want.

64
00:02:02,070 --> 00:02:04,770
It just depends on how sneaky you're trying to be.

65
00:02:04,770 --> 00:02:05,970
Now the next thing I'm going to do

66
00:02:05,970 --> 00:02:07,593
is I'm going to create that virus.

67
00:02:08,490 --> 00:02:10,139
At this point, that has been created

68
00:02:10,139 --> 00:02:12,420
and saved to my Downloads folder.

69
00:02:12,420 --> 00:02:13,253
Now at this point,

70
00:02:13,253 --> 00:02:15,780
I need my victim to be able to download this virus,

71
00:02:15,780 --> 00:02:17,460
and there's lots of ways to do that

72
00:02:17,460 --> 00:02:19,410
based on your social engineering,

73
00:02:19,410 --> 00:02:22,050
tying this virus into another program,

74
00:02:22,050 --> 00:02:24,060
using a spear phishing campaign,

75
00:02:24,060 --> 00:02:27,180
putting it as a rogue download, all sorts of things.

76
00:02:27,180 --> 00:02:28,530
For this particular example though,

77
00:02:28,530 --> 00:02:30,120
I'm just going to show you the effect

78
00:02:30,120 --> 00:02:33,150
if the person was able to download it and if they ran it.

79
00:02:33,150 --> 00:02:35,160
So at this point the user's been tricked,

80
00:02:35,160 --> 00:02:37,290
they've downloaded the file and now they run it

81
00:02:37,290 --> 00:02:39,900
because they think it's a game or whatever else it is.

82
00:02:39,900 --> 00:02:41,700
In this case, they think it's a picture.

83
00:02:41,700 --> 00:02:44,403
If we go ahead and run that, see what happens.

84
00:02:45,660 --> 00:02:47,640
And there you can see the mouse just starts going,

85
00:02:47,640 --> 00:02:49,230
jumping all over the screen

86
00:02:49,230 --> 00:02:50,910
so that if I wanted to try to open something

87
00:02:50,910 --> 00:02:51,810
like the trash can,

88
00:02:51,810 --> 00:02:53,180
I can't because every time I click on it,

89
00:02:53,180 --> 00:02:55,260
it jumps away someplace else.

90
00:02:55,260 --> 00:02:57,480
That's the idea of this very simple virus.

91
00:02:57,480 --> 00:02:58,500
It's just a nuisance.

92
00:02:58,500 --> 00:03:00,200
It's trying to cause a problem for them.

93
00:03:01,260 --> 00:03:02,790
Now let me show you an example

94
00:03:02,790 --> 00:03:06,390
of what a remote access Trojan or RAT looks like.

95
00:03:06,390 --> 00:03:08,310
Now, on the left is my attacking machine,

96
00:03:08,310 --> 00:03:10,690
and on the right is my victim machine.

97
00:03:10,690 --> 00:03:13,979
So I'm using a program called ProRat.

98
00:03:13,979 --> 00:03:18,157
So the first thing I want to do is create a ProRat server.

99
00:03:18,157 --> 00:03:19,650
I'm going to click on General Settings,

100
00:03:19,650 --> 00:03:20,483
and from here

101
00:03:20,483 --> 00:03:23,040
you can see the port it's going to operate on, 5110,

102
00:03:23,040 --> 00:03:25,200
which I can change to anything I want.

103
00:03:25,200 --> 00:03:28,140
The server password, in this case, 12345,

104
00:03:28,140 --> 00:03:29,850
again, not very secure,

105
00:03:29,850 --> 00:03:32,160
but for our lab purposes, it's just fine.

106
00:03:32,160 --> 00:03:34,530
And then the victim's name if we have it.

107
00:03:34,530 --> 00:03:37,170
From here, we can give them error messages,

108
00:03:37,170 --> 00:03:39,270
we can melt the server on install,

109
00:03:39,270 --> 00:03:40,590
which means once the ProRat

110
00:03:40,590 --> 00:03:42,540
has been installed on the victim computer,

111
00:03:42,540 --> 00:03:45,630
it will delete itself while still maintaining a connection.

112
00:03:45,630 --> 00:03:48,600
We can kill the antivirus and firewall on start,

113
00:03:48,600 --> 00:03:50,310
we can disable Security Center

114
00:03:50,310 --> 00:03:52,410
and all sorts of other things like that.

115
00:03:52,410 --> 00:03:54,510
I'm going to go ahead and give a fake error message here

116
00:03:54,510 --> 00:03:56,910
saying "You have been hacked."

117
00:03:56,910 --> 00:03:59,250
Now normally you wouldn't want to send a message to your user

118
00:03:59,250 --> 00:04:00,570
showing that they've been hacked,

119
00:04:00,570 --> 00:04:03,120
but I just want to show it to you for demonstration purposes.

120
00:04:03,120 --> 00:04:04,920
Maybe you're doing this as a ransomware

121
00:04:04,920 --> 00:04:06,150
and you've encrypted their files.

122
00:04:06,150 --> 00:04:07,500
This is a way to send them a message

123
00:04:07,500 --> 00:04:10,500
saying you need to pay me if you want access to it.

124
00:04:10,500 --> 00:04:11,866
And from there we'll just go down

125
00:04:11,866 --> 00:04:14,880
and we can go ahead and hit Create Server.

126
00:04:14,880 --> 00:04:17,380
From there, the server is going to be created for us.

127
00:04:18,360 --> 00:04:19,360
Go ahead and hit OK.

128
00:04:20,430 --> 00:04:22,110
So if we want to be a little trickier,

129
00:04:22,110 --> 00:04:24,090
we're going to go ahead and bind it with a file.

130
00:04:24,090 --> 00:04:25,770
So we're going to select a picture,

131
00:04:25,770 --> 00:04:27,210
in this case, the desert,

132
00:04:27,210 --> 00:04:29,010
go ahead, hit Open on that.

133
00:04:29,010 --> 00:04:31,770
And then we're going to give it another server extension here.

134
00:04:31,770 --> 00:04:36,770
We want to call it EXE, SCR, COM, PIF or BAT.

135
00:04:36,810 --> 00:04:38,490
EXE will be just fine.

136
00:04:38,490 --> 00:04:40,890
And for the icon, what do we want this to look like?

137
00:04:40,890 --> 00:04:42,840
Well, we want it to look like a photo.

138
00:04:42,840 --> 00:04:44,940
So we're going to go ahead and make it a JPEG

139
00:04:46,080 --> 00:04:48,903
and then we can go ahead and hit Create the Server.

140
00:04:51,660 --> 00:04:53,280
And this is going to be in our current directory.

141
00:04:53,280 --> 00:04:55,680
So if I look back in my current directory,

142
00:04:55,680 --> 00:05:00,000
I now have the bound server with a JPEG icon.

143
00:05:00,000 --> 00:05:01,911
And from here we can go ahead and rename it

144
00:05:01,911 --> 00:05:03,630
and let's call it Desert.

145
00:05:03,630 --> 00:05:06,570
So now they think they're getting a photo of the desert.

146
00:05:06,570 --> 00:05:09,180
At this point, again, we would use some form of trickery

147
00:05:09,180 --> 00:05:11,280
or social engineering to get it to them,

148
00:05:11,280 --> 00:05:13,473
and once we do, it'll be on their desktop.

149
00:05:14,340 --> 00:05:15,173
So at this point,

150
00:05:15,173 --> 00:05:17,640
I've tricked the user and they now have the file.

151
00:05:17,640 --> 00:05:19,500
They're going to go ahead and open that file,

152
00:05:19,500 --> 00:05:21,063
and when they run that file,

153
00:05:21,930 --> 00:05:24,660
you're going to see the error message that we told it to have.

154
00:05:24,660 --> 00:05:26,810
There's the picture and you've been hacked.

155
00:05:26,810 --> 00:05:29,130
Uh-oh, now what's going on?

156
00:05:29,130 --> 00:05:31,200
Let's go ahead onto our target machine

157
00:05:31,200 --> 00:05:34,020
and connect to that server that's now been installed.

158
00:05:34,020 --> 00:05:36,363
Again, we're going to use our password 12345.

159
00:05:37,206 --> 00:05:39,420
And at this point, we now have access to that machine.

160
00:05:39,420 --> 00:05:41,820
We can find out information about it.

161
00:05:41,820 --> 00:05:44,550
In this case, if we go ahead and get the system information,

162
00:05:44,550 --> 00:05:47,370
I know now the computer name is Bob Sales.

163
00:05:47,370 --> 00:05:49,170
I know what kind of machine it is.

164
00:05:49,170 --> 00:05:53,070
It's using English for its language, System 32 is its path.

165
00:05:53,070 --> 00:05:54,840
I find out what kind of users it has.

166
00:05:54,840 --> 00:05:57,210
I found out the date and time of the machine,

167
00:05:57,210 --> 00:05:58,800
all of that information.

168
00:05:58,800 --> 00:06:00,570
And if I close this on the right,

169
00:06:00,570 --> 00:06:01,920
that'll move out of the way.

170
00:06:01,920 --> 00:06:03,930
We can get all that information here

171
00:06:03,930 --> 00:06:07,200
from our attacking machine about our victim machine.

172
00:06:07,200 --> 00:06:10,140
We can also look at the last 25 websites they visited

173
00:06:10,140 --> 00:06:10,973
and maybe that would be something

174
00:06:10,973 --> 00:06:13,200
that would be helpful for us to be able to attack.

175
00:06:13,200 --> 00:06:15,930
We can take screenshots and we can actually open it

176
00:06:15,930 --> 00:06:17,160
and see what we're going to see.

177
00:06:17,160 --> 00:06:18,515
So if I do a screenshot,

178
00:06:18,515 --> 00:06:20,340
I see what's on their screen.

179
00:06:20,340 --> 00:06:24,480
So if they're on a website like Google here,

180
00:06:24,480 --> 00:06:25,313
which is not going to connect

181
00:06:25,313 --> 00:06:27,330
'cause I'm in a live environment here

182
00:06:27,330 --> 00:06:29,640
that's disconnected from the machine,

183
00:06:29,640 --> 00:06:30,840
I'll go ahead and hit Snapshot

184
00:06:30,840 --> 00:06:32,010
and now I can see that.

185
00:06:32,010 --> 00:06:34,470
If they had a webcam, I could view their webcam.

186
00:06:34,470 --> 00:06:35,910
Again, I have lots of access

187
00:06:35,910 --> 00:06:38,820
to do whatever it is we want to do on this machine.

188
00:06:38,820 --> 00:06:40,860
I can send them messages if I want,

189
00:06:40,860 --> 00:06:43,863
so I can do a message and say Test.

190
00:06:44,940 --> 00:06:46,590
And I'll say, "I don't work for you anymore."

191
00:06:46,590 --> 00:06:49,110
So we're going to go ahead and send that over there.

192
00:06:49,110 --> 00:06:51,840
And there it is, "I'm sorry, I don't work for you anymore."

193
00:06:51,840 --> 00:06:54,870
And so you can see the power of a remote access tool.

194
00:06:54,870 --> 00:06:57,930
And so this allows me to do all sorts of different stuff.

195
00:06:57,930 --> 00:06:59,940
Again, I can take their files,

196
00:06:59,940 --> 00:07:01,860
I can mess with their registry.

197
00:07:01,860 --> 00:07:03,720
I can go through and look at all their files,

198
00:07:03,720 --> 00:07:06,090
I can FTP over and grab their files.

199
00:07:06,090 --> 00:07:07,530
I can chat over to them.

200
00:07:07,530 --> 00:07:08,670
I can do some funny stuff.

201
00:07:08,670 --> 00:07:10,800
Maybe it's my friend and I'm just trying to show them

202
00:07:10,800 --> 00:07:12,330
that I have access to their machine.

203
00:07:12,330 --> 00:07:14,700
For instance, I can hide their desktop icons

204
00:07:14,700 --> 00:07:17,430
and now you should be able to see that that is gone.

205
00:07:17,430 --> 00:07:19,650
And I can show their icons and they're back.

206
00:07:19,650 --> 00:07:23,010
I can make the mouse go crazy and then I can fix it.

207
00:07:23,010 --> 00:07:26,400
I can flip their screen upside down and then I can fix it.

208
00:07:26,400 --> 00:07:29,910
So you can do all sorts of different things on this machine

209
00:07:29,910 --> 00:07:32,700
and take control and do whatever it is that we want

210
00:07:32,700 --> 00:07:35,190
because we have that remote access to them.

211
00:07:35,190 --> 00:07:37,200
I hope you found this demonstration insightful

212
00:07:37,200 --> 00:07:39,330
as you started to see what kind of effects a virus

213
00:07:39,330 --> 00:07:42,543
or a remote access Trojan can have on a victimized system.

