Binders and Malware (Part 2)


If you would like to read the other parts in this article series please go to

Of binders and malware

In part one we left off having configured the Optix Pro server as our piece of malware. It is this trojan server that we will graft on to the legitimate game program called Pong.exe, using the binder program called YAB. A binder is a program that takes two (or more) executable files and packages them into a single new executable. It is important to realize that by “combine” I do not mean mixing the two of them together, much as you would the ingredients for a cake. YAB places the trojan server and the game Pong.exe one after the other, intact, behind a small loader of its own; it is that loader which runs first when the victim double-clicks the file, and it in turn starts each of the programs stored behind it. Think of it like a 12 inch ruler being divided into two six inch parts that nonetheless make up a total of 12 inches. One consequence worth noting is that the finished file is necessarily larger than the real Pong.exe, and its hash no longer matches the original game, which is exactly what a file-integrity check or a suspicious user can pick up on. This will be clearly displayed a little later on in a screenshot, so don’t worry if you are still feeling a bit confused, as it is a confusing concept at first.
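To make the “one after the other” layout concrete, here is an added example (not code from the original article or from YAB itself) that models a binder’s output and then does what an analyst would do with a suspicious Pong.exe: parse the PE headers of the outer file, find where its last section ends, and scan the bytes after that point (the overlay) for further MZ/PE headers. The toy PE builder, the stub, the payload contents and the appended layout are all constructed for illustration and are an assumption about generic binders, not a verified description of YAB’s own file format.

```python
"""Added example: model a binder's output and detect the executables appended to it.

Everything here is constructed: build_toy_pe() emits header-only PE32 images that are
not runnable programs, and bind_like_a_binder() assumes the generic "stub followed by
the bound files" layout rather than any specific binder's real format.
"""
import struct

# DOS header + "PE\0\0" + COFF header + PE32 optional header + one section header
HEADER_SIZE = 64 + 4 + 20 + 224 + 40


def build_toy_pe(section_data: bytes) -> bytes:
    """Build a minimal, non-executable PE32 image with a single section (constructed input)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 optional header size
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)                # Magic = PE32
    section = struct.pack(
        "<8sIIIIIIHHI",
        b".text", len(section_data), 0x1000,                  # Name, VirtualSize, VirtualAddress
        len(section_data), HEADER_SIZE,                       # SizeOfRawData, PointerToRawData
        0, 0, 0, 0, 0x60000020,                               # relocations/line numbers, Characteristics
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + section + section_data


def bind_like_a_binder(stub: bytes, *payloads: bytes) -> bytes:
    """Assumed binder behaviour: the bound files are appended, unchanged, after the loader stub."""
    return stub + b"".join(payloads)


def overlay_offset(data: bytes):
    """Offset where the last section's raw data ends (start of any overlay), or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    end = table + 40 * n_sections                             # at least the headers themselves
    for i in range(n_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))


def find_embedded_pes(data: bytes, start: int) -> list:
    """Offsets (>= start) of MZ headers whose e_lfanew lands on a valid PE signature."""
    hits = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + lfanew
            if lfanew < 0x1000 and sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def analyse(data: bytes) -> dict:
    """Report the overlay and carve each embedded PE (each runs to the next MZ hit or end of file)."""
    start = overlay_offset(data)
    if start is None:
        return {"is_pe": False}
    offsets = find_embedded_pes(data, start)
    bounds = list(zip(offsets, offsets[1:] + [len(data)]))
    return {
        "is_pe": True,
        "overlay_offset": start,
        "overlay_size": len(data) - start,
        "embedded_pe_offsets": offsets,
        "carved": [data[a:b] for a, b in bounds],
    }


if __name__ == "__main__":
    stub = build_toy_pe(b"LOADER STUB: drop and run each bound file ")
    server = build_toy_pe(b"TROJAN SERVER (stands in for the Optix Pro build) " * 3)
    game = build_toy_pe(b"PONG GAME (the legitimate decoy) " * 2)
    bound = bind_like_a_binder(stub, server, game)
    report = analyse(bound)
    print(f"stub ends at offset {report['overlay_offset']}, overlay is {report['overlay_size']} bytes")
    for off, blob in zip(report["embedded_pe_offsets"], report["carved"]):
        print(f"  embedded PE at offset {off}, {len(blob)} bytes, identical to an original: {blob in (server, game)}")
```

Two points follow from running it. First, the carved payloads are byte-for-byte the originals, so any signature or hash that matched the unbound Optix Pro server still matches it inside the bound Pong.exe; a binder of this kind hides the server from the user, not from a scanner that looks past the end of the last section. Second, real binders may store sizes in their own table or compress or encrypt the appended files, in which case the MZ scan finds nothing and the overlay size itself is the indicator: a legitimate game has no reason to carry a large blob after its final section.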

The binder YAB

There are many different binders to be found on the Internet. One of the simplest and most fully featured is called YAB, which stands for “Yet Another Binder”. Once you have downloaded it, run it and you will be presented with the dialog box seen in the screenshot below.


Figure 1

You will note that the other little dialog box called “Icon Preview” is not seen in the screenshot above. That is because the screen-capture program I use was not able to capture it, as it was not the active window (its border was greyed out). We also need the program Pong.exe, which will be our delivery vehicle for the malware, since we will be binding the trojan server to the Pong.exe game. Please click here for the Pong.exe game. Once you have found it on that page, go ahead and download it. With these two tools in hand we are ready to begin binding our malware to the Pong.exe game. The first step is to click on the “Command” menu and then on “Add Command”, as seen in the screenshot below.


Figure 2

I will now only comment on the information that we need to fill in, or change, in order to use YAB properly. Anything I do not mention should be left at its default setting. The first step is to click on “Browse” under the “Bind File” box seen above and browse to the file you want to bind. In this case that is the Optix Pro trojan server we configured in part one. Note in the screenshot below that I have browsed to the folder containing all of the Optix Pro components and chosen the server that I built in part one.


Figure 3

There are many options in YAB that you can play around with, and I would encourage you to do so. To see more of them, click on the “Show Advanced” button seen in Figure 2. Once you have clicked it you should see the screenshot below.


Figure 4

You will note that the “Execution Method” is set by default to “Execute asynchronously”. This means that when the disguised file is run, YAB’s loader starts the trojan server and immediately moves on to start Pong.exe, rather than waiting for the server to exit first. Both programs are therefore running at the same time: the game appears on screen exactly as the user expects, while the server, which we configured in part one to run without any visible window, installs itself with no visual cue at all. In effect the malware is invisible to the unsuspecting user, who believes they are only starting a game of Pong. I don’t want to get bogged down explaining every feature of YAB, so please experiment with it as your time permits. With the information entered as described so far we are ready to move on. Press the “OK” button seen in the screenshot above and you should be presented with the screenshot below.


Figure 5

We will now go ahead and do the same thing, but this time for the Pong.exe game. Open the “Command” menu again and click on the “Add Command” entry. From there the same steps described above apply: click on the “Browse” button, navigate to where your Pong.exe is located and select it, then press “OK”. With that done you should be presented with the same information as shown in the screenshot below.


Figure 6

We now have both programs waiting to be bound together by YAB. Our next step is to choose an icon for the bound file. The Pong.exe icon itself is the obvious choice, since it is what the victim expects to see, so let’s use that. Click on the Change Icon button next to the magic wand icon seen in the screenshot above; if you hover your mouse over it the tooltip should read “Change icon (F8)”. You should then see the same thing as displayed in the screenshot below.


Figure 7

From there, browse to where your Pong.exe program is located via the “Browse for icon files…” button seen above. Windows executables carry their icons as resources, so the icon can be pulled straight out of the game. Once located, simply click on the icon as seen below.


Figure 8

Once you have chosen it press “Open”, and then press “Apply” in the dialog box. We now need to open the “Tools” menu in the main YAB dialog box and click on “Build”. This in turn will pop up another dialog box as seen below.


Figure 9

Now go ahead and give the output file a name. In our case it is best to call it Pong.exe, for that is what a person of ill intent would do in an effort to fool a user into executing it. Once you have entered the name press “Save”. YAB will then do its job of binding the Optix Pro trojan server to the game Pong.exe, and you should be presented with the screenshot below.


Figure 10

Wrap Up

We have now successfully bound the malware onto the delivery vehicle, i.e. our game of Pong.exe. This is how people go about building their pieces of malware in an effort to compromise users in both corporate and home settings. I have no doubt that you have read accounts, in your local paper or online, of how someone was shocked to discover that their bank account had been emptied. What we have done so far is pretty much how one could go about doing it. In part three of this article series we will cover what happens once the disguised malware is actually executed, and then go on to study the piece of malware itself via a variety of means. See you in part three!
