
We want to...

  • Show our skills.
  • Prove that even an updated version of Windows can't fully protect its users from a destructive virus.
  • Show some serious security vulnerabilities in some very well-known Windows programs, firewalls and anti-viruses.
  • Show that the creation of a massive virus capable of infecting hundreds of thousands of people is not that hard.
  • Show that Facebook's status-sharing system should be replaced.

So how does it start?

Our Goals

The h3adache Project

A Sophisticated .NET Virus Platform

Dror Versano

Shahar Albeck

Elad Gildnur

Itay Gozlan

Main Infection Algorithm

Facebook Status

h3adache Server-Side

Phishing Website

The "target" will see an 'innocent' Facebook status posted by one of his Facebook friends, which contains a link to a 'Minecraft' website.

The target will be redirected from Facebook to a 'Minecraft-like' website, which offers him a free new Minecraft game for download.

Introduction

After the reboot, the virus will run itself at Windows startup. Since UAC has been disabled, the virus will automatically run as an Administrator. At the first boot, the virus will register the new victim with the server.

Privilege Escalation

Hacked

Minecraft.exe File

After several minutes, the sub-process will run an attached exe, which will cause a privilege escalation (based on a security vulnerability in one of Windows' kernel files).

After clicking on 'Download', a hacked (injected) Minecraft.exe file will be downloaded to the target's PC:

When the file is executed, the game starts as usual, but another sub-process is started as well.


h3adache is a sophisticated and highly modular .NET virus platform, capable of infecting hundreds of thousands of Windows OS-based PCs.

Server Confirmation

First Talk With the Server

New-Victim Registration

UAC Cancellation

The server will confirm the data that was received from the virus, and will return a 'successfully added' message.

The server will register the new victim and will create a folder for him named after his ID.

At first, the virus will ask the server for a new ID for the just-infected victim.

Force Restart

The privilege escalation will open an elevated (authorized) CMD window, which will run the Exterminat0r, which will shut down UAC and download an updated version of the virus and its associated files (Watchd0g, etc.).

The user will be asked to restart his computer in order to finish the installation of some very "Important Updates".

h3adache's Lifetime

Divided into two main parts, with a total lifetime of 28 days.

Part 1 - Duration: 21 Days

Part 2 - Duration: 7 Days

In this part, on the first day of the final week, the victim will be asked to pay for the removal of the virus.

If the victim decides not to pay, h3adache will start ruining his computer, deleting his files, and will eventually completely disable his PC.

In this part, from the first day, h3adache will collect important and personal data from the victim's PC: password files, images, school assignments and many more types of personal data.

Moreover, the victim will be secretly photographed (using his webcam), and the data will be uploaded to the victim's folder on the server.

File Search Algorithm

Part 2 Utilities & Actions

Facebook Infection

In the last 7 days the virus will offer the victim to buy the anti-virus for a small amount of $100.

If the user decides to pay, the virus will delete itself from the victim's PC.

Smart Keylogger Triggering

Part 1 Utilities


Bitcoin Pool Mining

Anti-virus & Windows Security Canceling

Special Thanks

  • Orit Itzhar
  • Shlomi Oberman
  • Anatoly Peymer
  • Smadar Or
  • Ort's Technological Entrepreneurship Project
  • Pnina Glass