
Using SFX archives to bind FUD malwares

CyberGod

Joined Dec 23, 2021
Are you interested in creating SFX malware? Perhaps you have already written a virus or keylogger that is fully undetectable (FUD) and encrypted, but there is one problem: it is only a small .exe file that nobody in their right mind would download, let alone click on.

Binding your malware to a clean file is one solution, but dedicated binders have their own problems: their stubs are well known and antivirus software flags them easily. There is, however, a way to bind your malware to a clean file using legitimate, signed tooling that antivirus has no reason to flag on its own: SFX archives.

An SFX (self-extracting) archive is an ordinary archive with a small extraction stub prepended, so it can be unpacked without any archiver installed. They were extremely popular in the past and are rarely used now, but many archiving programs, such as WinRAR and 7-Zip, still create them, and Windows ships its own tool for the purpose. More interestingly, with a bit of knowledge you can hide the extraction dialog entirely and have the archive execute some or all of its contents after unpacking, which is exactly what you need to launch your malware.

The easiest way to create a malicious SFX archive is with the Windows program iexpress (it builds a self-extracting executable around a CAB archive). Type "iexpress" at the command line and the wizard opens. Then:

1. Select "Create new Self Extraction Directive file" and click "Next".

2. Choose "Extract files and run an installation command" and click "Next" again.

3. Give the package a name, select "No prompt" and "Do not display a license", and add both files you want to bind.

4. Set "Install Program" to the legitimate program and "Post Install Command" to your malware.

5. Choose "Hidden" for the window, "No message" for the finished message, hide the extraction progress animation, and select "No restart".

6. Use an icon editor to change the icon, and you have a legitimate-looking but backdoored program.

If you want more flexibility, you can create malicious SFX archives with compression software such as WinRAR. When creating an archive, tick "Create SFX archive" on the "General" tab, then go to the "Advanced" tab and click "SFX options". There you will find many tabs for customising the archive. My advice is to make it unpack to the temp folder (using the absolute path option), set both the malware and the legitimate file to run after extraction, make everything hidden, use the console SFX module, and switch off every prompt the user could see.

Remember that this technique only works if your malware is already FUD. The archive is unpacked and the payload is executed, so if an antivirus detects the payload on its own it will detect it once it is extracted from the archive. The technique is not meant to improve undetectability; it is a social engineering aid for easier spreading.

Detecting SFX malware

Even when the payload itself is fully undetectable (FUD), the SFX wrapper is not. How can you tell whether something is hidden inside the file you just downloaded? You mostly need to be careful rather than to run any analysis tools: compression software already recognises SFX executables as archives. On Windows, WinRAR's shell extension adds an "Archive" tab to the file's Properties dialog, and WinRAR itself opens an SFX like any normal archive, so you can list its contents before running anything. (Other operating systems lack the one-click self-extraction, but an archiver sees the embedded archive just the same.)

Of course, an SFX alone does not mean the file is backdoored. SFX archives have legitimate uses (installers, for one), so there is no need to panic. Simply open it with WinRAR or another archiver and look at what is inside. If it contains only two .exe files, one being the program you downloaded and the other a small, nondescript application, it is very likely backdoored. If it contains many files and one of them is a small, nondescript executable, it is probably backdoored. If you are still unsure, compare the CRC and MD5 checksums the distributor provides, bearing in mind that a checksum only helps if you obtained it from a channel the uploader does not control (the vendor's own site, not the same forum post), and that a SHA-256 value is a far stronger reference than CRC32 or MD5.
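The manual checks above (and the checksum comparison mentioned again at the end of the post) can be automated. The script below is an added example for this page, not the original poster's code: it parses the PE headers of a downloaded .exe to find the overlay (data appended after the last section, which is where SFX stubs keep their archive), scans that overlay for known archive signatures, lists the members of a ZIP-based SFX, flags the "large program plus small extra executable" pattern, and compares a SHA-256 against a distributor-published value. The sample "download" is constructed in memory from a minimal PE stub and a real ZIP; the file names inside it are made up for the example.

```python
"""Triage a downloaded .exe for embedded (SFX) archive content.

Added example for this page; not the original poster's code. The sample
executable built by build_sample_sfx() is constructed, not a real binary.
"""
import hashlib
import io
import struct
import zipfile

# Magic bytes of archive formats commonly wrapped by SFX stubs.
ARCHIVE_SIGNATURES = {
    "zip": b"PK\x03\x04",
    "rar4": b"Rar!\x1a\x07\x00",
    "rar5": b"Rar!\x1a\x07\x01\x00",
    "7z": b"7z\xbc\xaf\x27\x1c",
    "cab": b"MSCF",  # Microsoft Cabinet, the container IExpress builds
}


def pe_overlay_offset(data: bytes):
    """Return the offset where PE section data ends, or None if not a PE.

    Bytes past this offset are never mapped by the loader; a clean program
    usually has none, while an SFX stub keeps its archive there.
    """
    try:
        if len(data) < 0x40 or data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            return None
        num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        table = e_lfanew + 24 + opt_size          # first section header
        end = table + 40 * num_sections           # headers at the very least
        for i in range(num_sections):
            raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
            end = max(end, raw_ptr + raw_size)
        return end
    except struct.error:
        return None


def find_embedded_archives(data: bytes, start: int = 0):
    """List (format, offset) of archive signatures found at or after start."""
    hits = [(name, data.find(magic, start)) for name, magic in ARCHIVE_SIGNATURES.items()]
    return sorted(((n, off) for n, off in hits if off != -1), key=lambda h: h[1])


def list_zip_sfx_members(data: bytes):
    """Return [(name, size)] for a ZIP-based SFX. zipfile tolerates the stub
    in front because it locates the central directory from the end of the file."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(info.filename, info.file_size) for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def suspicious_members(members, small_limit=256 * 1024):
    """Names of small executables packed alongside other files: the pattern
    described in the text (the real program plus a small, nondescript .exe)."""
    runnable = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1")
    if len(members) < 2:
        return []
    return [n for n, s in members if n.lower().endswith(runnable) and s <= small_limit]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hashes_match(data: bytes, published_sha256: str) -> bool:
    """Compare against a hash fetched from a channel the uploader does not
    control; a hash posted next to the download itself proves nothing."""
    return sha256_hex(data) == published_sha256.strip().lower()


def build_sample_sfx() -> bytes:
    """Constructed sample: a minimal PE stub (one section ending at 0x400)
    followed by a ZIP, which is the layout of a ZIP SFX. Not a real program."""
    stub = bytearray(0x400)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)               # e_lfanew -> PE header
    stub[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<HH", stub, 0x44, 0x14C, 1)           # Machine=i386, 1 section
    struct.pack_into("<H", stub, 0x40 + 20, 0)              # no optional header (toy)
    sect = 0x40 + 24                                        # first section header
    stub[sect:sect + 8] = b".text\x00\x00\x00"
    struct.pack_into("<II", stub, sect + 16, 0x200, 0x200)  # SizeOfRawData, PointerToRawData
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("CoolApp-Setup.exe", b"\x00" * 2_000_000)  # the "legit" program (made up)
        zf.writestr("svchost.exe", b"\x00" * 40_000)           # small extra binary (made up)
    return bytes(stub) + archive.getvalue()


def triage(data: bytes, published_sha256: str = None) -> dict:
    """Run every check and return a report dict."""
    overlay = pe_overlay_offset(data)
    members = list_zip_sfx_members(data)
    return {
        "is_pe": overlay is not None,
        "overlay_bytes": (len(data) - overlay) if overlay is not None else 0,
        "archives": find_embedded_archives(data, overlay or 0),
        "members": members,
        "suspicious": suspicious_members(members),
        "hash_ok": hashes_match(data, published_sha256) if published_sha256 else None,
    }


if __name__ == "__main__":
    sample = build_sample_sfx()
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

The overlay check is the cheap, general one: a program built with a normal toolchain has little or nothing after its last section, so a multi-megabyte overlay that begins with "Rar!", "PK", "7z" or "MSCF" is an SFX whatever its icon says. RAR, 7z and CAB contents are not listed here; run 7-Zip or WinRAR against the file for those, exactly as the text suggests.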

Creating Plausible Malware SFX or Installers

Forging a CRC32 is trivial and MD5 collisions are practical, but neither helps here: matching the distributor's published hash for a specific file would require a second preimage, which is not feasible. What you can do is make your malware look plausible enough that an experienced user does not notice it when examining the archive. It just takes a little creativity. Here's my idea:

1. Download a program installer or video game disc image.

a) If it's an installer, proceed to the next step.

b) If it's a disc image, extract it and continue working with Setup.exe (or whatever the installer is called in your game).

2. Unpack the installer (Universal Extractor handles most installer formats).

3. Change the icon and file name of your malware to something that fits the installer's contents, and perhaps pad the file size a little so it does not stand out as the smallest file.

4. Create a non-hidden SFX archive or installer (pay attention to how the original installer worked so that the software still installs correctly after your backdoor is in place). Make it run the malware after installation.

5. Change the icon and file name of your installer to match the original.

6. If it came from a disc image, replace the installer inside the image with your backdoored one and spread the now-backdoored ISO. If it was just an installer, spread the backdoored installer. Warez forums and P2P networks are good for spreading.

Now the practical ways to detect it are comparing the backdoored archive with the original file by file, comparing the checksums mentioned above against values taken from the vendor's own site rather than from the upload, or watching what the installer actually does at runtime: an installer that drops and launches an extra executable stands out in a sandbox or Process Monitor trace even when static inspection looks clean.