If you would like to read the other parts in this article series please go to
The problem of malware is neither a new one, nor is it one that is going to go away any time soon. There is far, far too much money involved for the criminals who use Trojans, viruses, and bot armies to simply give up using them. It is not only home users who are targeted with these malware attacks, but it is also the corporate end-user. That brings us to the point of this article series. It is only through education that this problem can be eradicated. Having an anti-virus program running on a user’s computer is great, just as it is to have a content checking program run on your Exchange server. Your best line of defense is an educated user. There will always be a new breed of malware that is able to slip past your defenses, be it a new trojan, or a new client side exploit in a web browser. By virtue of making your users aware of the problem you will have gone a long way towards mitigating the threat of malware in your corporate network environment.
This article is aimed squarely at the system administrator (sys admin) who works in any corporate network setting. The number of programs you have running on your network, be they anti-virus or Intrusion Prevention Systems (IPS) won’t factor in for this article series. We will take the approach that, to help secure our networks, we need to address the weakest link; the end-user. That is not meant as an insult to the salesman, accountant, or office staff. We all have differing skillsets, and in our case it is computer security savvy. It is through our knowledge of computer security, in its many forms, that will enable us to help the corporate network users do their work in as secure a fashion as possible.
What we shall now go about doing is to show our end-users just how malware gets grafted onto a legitimate looking program. Only by recreating exactly how this is done will our goal of educating them to the online threats aimed at them be realized. To do this we will be using a variety of tools, both legitimate, and illegitimate. For our scenario I shall use the binder program called YAB, the trojan called Optix Pro, and the game called Pong.exe. With these three programs alone, we will construct a trojan disguised as a game called Pong.exe. We shall go one step further in that we will also look at this malware at the byte level to recognize what it looks like. By viewing malware in a hex editor we are able to see certain indicators which tell us that something is amiss in a specific executable program. Viewing malware in a hex editor also has the added benefit of allowing you to see inside of it in a safe fashion, as you are not actually executing the program, but rather only looking at its contents.
Let’s get started
Please note that I have not linked to the malware binder called YAB, or the trojan called Optix Pro. It is not my intent to make this too easy for anyone reading this who may have malicious intent. You need only spend a minute or so with Google to find all of the programs mentioned above. On that note let’s get started. We will first configure the Optix Pro trojan. You may recall that this is a trojan I wrote about before. Should you wish to read more about it then please click here. I won’t dwell on detailed configuration of the trojan as we only need to do a few things to it for our purposes. Please see the screenshot below of how the folder for Optix Pro will look like once you have downloaded and uncompressed it.
Figure 1
We shall now go ahead and double-click on the “Builder” icon seen to invoke the server so that we can do some simple configuration changes. You should now be looking at a screen the same as the screenshot below.
Figure 2
From there we will click on the “Main Settings” menu. The only changes we will make to the trojan server shall be here as we are not going to be making a long or exhaustive presentation to our users on the dangers of malware. Now you can use the default port of TCP 3410 if you like or change it to another of your choice. The default language setting for Optix Pro is English as you may have noticed by now. If you want to make any other changes to the trojan server now is the time to do it. If not please press the “Build/Create Server” icon on the upper left hand side of the trojan GUI. It will prompt you for a name as seen in the screenshot below.
Figure 3
Pick any name that you like as well as the path to save it in. You may as well simply save it in the Optix folder itself for simplicity and to keep everything in one spot. Once you have finished naming it you will be presented with the below noted screenshot.
Figure 4
At this point you can go ahead and simply build the server or you can choose to have it compressed via the program UPX. What this will do is compress the trojan server to a smaller size. This is often done as a large file/program can make someone suspicious, especially if they have some computer security knowledge. They would realize that a certain file/program should not be as large as it appears to be. What I will do is have one server that is now compressed with UPX and another that isn’t. We will look at what the UPX compressed trojan server looks like later on in the article series. Once you have finished writing your settings simply press the “OK all done!”.
Wrap Up
Covered so far have been the tools that are required in the effort to put on a computer security session for our corporate users. Further to that we have configured and gone over Optix Pro the trojan or malware (malware is a generic term that is used to describe not only Trojans, but also viruses and other forms of malicious software) in this case that we will use. In part two of this article series we will go on to look at the malware binder called YAB and the legitimate game program called Pong.exe. Those will be the final two ingredients we need to cook ourselves up a tasty piece of malware. In reality this article series is not only for the users in our respective corporate network settings, but it is also for us. You cannot know everything as a computer security professional. I can honestly say that I did not know exactly how one goes about building such malware until I decided it would make for a good article series. Hopefully, for those of you who were in the same situation as me, this will help put theoretical knowledge into practice. It is only by doing something, that you actually understand. See you in part two.
If you would like to read the other parts in this article series please go to
