Friday, 29 April 2011

Tools and Softwares for Trojans and Backdoors

Tool: QAZ


  • It is a companion virus that can spread over the network.

  • It also has a "backdoor" that will enable a remote user to connect to and control the computer using port 7597.

  • It may have originally been sent out by email.

  • Rename notepad to note.com

  • Modifies the registry key:
    HKLM\software\Microsoft\Windows\Current Version\Run 
Hacking Tool:Tini


  • It is a very tiny trojan program which is only 3 kb and programmed in assembly language. It takes minimal bandwidth to get on victim's computer and takes small disk space.

  • Tini only listens on port 7777 and runs a command prompt when someone attaches to this port. The port number is fixed and cannot be customized. This makes it easier for a victim system to detect by scanning for port 7777.

  • From a tini client you can telnet to tini server at port 7777
Tool: Netcat



  • Outbound or inbound connections, TCP or UDP, to or from any ports

  • Ability to use any local source port

  • Ability to use any locally-configured network source address

  • Built-in port-scanning capabilities, with randomizer

  • Built-in loose source-routing capability
Tool: Donald Dick


The attacker uses the client to send command through TCP or SPX to the victim listening on a pre defined port.
Donald Dick uses default port either 23476 or 23477
Donald Dick is a tool that enables a user to control another computer over a network.
It uses a client server architecture with the server residing on the victim's computer.
Tool: SubSeven



  • SubSeven is a backdoor program that enables others to gain full access to Windows 9x systems through network connection.

  • The program consists of three different components : Client (SubSeven.exe), Server (Server.exe) and a Server configuration utility (EditServer.exe).

  • The client is a GUI used to connect to server through a network or internet connection.
Since its debut in February, 1999, SubSeven has become a favorite tool of intruders targeting Windows machines.
It is a RAT (Remote Administration Tool) that provides more options for attack than other Trojans like Back Orifice or NetBus. The SubSeven Trojan is consists of three programs: the SubSeven server, client and server editor. It has a DDoS potential and like other Trojans, SubSeven can be used as perfectly benign remote administration program.
The server must be run on the target computer to allow the attacker's computer to connect to the machine and have total access to it. The server editor (EditServer Program) helps configure the infection characteristics. This allows the hacker to specify whether the compromised system should send an email or ICQ notification to the attacker when the target is online, whether the program should "melt server after installation" and which ports the attacker can use to connect to the server. Once installed, SubSeven's friendly user-interface allows the attacker to easily monitor a victim's keystrokes, watch a computer's web cam, take screen shots, eavesdrop through the computer's microphone, control the mouse pointer, read and write files, and sniff traffic off the victim's local network.

Tool: Back Oriffice 2000
Back Orifice accounts for highest number of infestations on Microsoft computers.
The BO2K server code is only 100KB. The client program is 500KB.
Once installed on a victim PC or server machine, BO2K gives the attacker complete control of the system.
BO2K has stealth capabilities, it will not show up on the task list and runs completely in hidden mode.
BO2K was written by DilDog of the Cult of the Dead Cow. Many of the commands that B02K comes with were directly ported from Sir Dystic's original Back Orifice source code. The document says that it was written with a two-fold purpose: "To enhance the Windows operating system's remote administration capability and to point out that Windows was not designed with security in mind."
B02K is an almost complete rewrite of the original Back Orifice. By default, B02K comes with the capability to talk over TCP as well as UDP, and supports strong encryption through plug-ins. It has added functionality in the areas of file transfer and registry handling. It has hacking features, such as dumping certain cached passwords. It can be configured to be stealthy.
Like other Trojans, Back Orifice is a client/server application which allows the client software to monitor, administer, and perform other network and multimedia actions on the machine running the server. To communicate with the server, either the text based or GUI client can be run on any Microsoft Windows machine.
The B02K server installed without any plugins is ~100K and leaves a small footprint. The client software is ~500K. The whole suite will fit on a single 1.44MB floppy disk. B02K 1.0 will currently run on Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, and Windows XP systems. All of the various parts of the BO2K suite have been tested and found to be working on all of these platforms. It only runs on Intel platforms at the moment.
Back Oriffice Plug-ins


  • BO2K functionality can be extended using BO plug-ins.

  • BOPeep (Complete remote control snap in)

  • Encryption (Encrypts the data sent between the BO2K GUI and the server)

  • BOSOCK32 (Provides stealth capabilities by using ICMP instead of TCP UDP)

  • STCPIO (Provides encrypted flow control between the GUI and the server, making the traffic more difficult to detect on the network)

BO Peep - This plugin gives you a streaming video of the machine's screen that the server is running on. Also provides remote keyboard and mouse accessibility.
Serpent Encryption - This is a very fast implementation of the non-export-restricted 256 bit-SERPENT encryption algorithm.
CAST-256 Encryption - This internationally available plugin provides strong encryption using the CAST-256 algorithm.
IDEA Encrypt - This internationally available plugin provides strong encryption using the IDEA algorithm. 128 Bit Encryption.
RC6 Encryption - This internationally available plugin provides strong encryption using the RC6 algorithm. Provides 384 bit encryption.
STCPIO - TCPIO communications plugin with an encrypted flow control system to make BO2K TCP traffic virtually impossible to detect.
Rattler notifies a specified user as to the whereabouts of a Back Orifice 2000 server via e-mail. Rattler will send an e-mail each time it detects an IP address addition/modification.
rICQ is a plugin for Back Orifice 2000 that operates in a similar fashion to Rattler except that the notification message is sent via ICQ's web pager service.
The Butt Trumpet 2000 plugin for BO2K, once installed and started, sends you an email with the host's IP address. A nice alternative to Rattler.
BoTool provides a graphical file browser and registry editor to the BO2K interface. Makes common tedious BO2K tasks point-and-click simple.

Tool: NetBus
NetBus was written by a Swedish programmer, Carl-Fredrik Neikter, in March 1998. Version 1.5 in English appeared in April. NetBus apparently received little media attention but it was in fairly wide use by the time BO was released on 3 August.
NetBus consists of two parts: a client-program ("netbus.exe") and a server-program often named: "patch.exe" (or "SysEdit.exe" with version 1.5x), which is the actual backdoor. Version 1.60 uses the TCP/UDP-Port # "12345" which can't be altered. From the version 1.70 and higher the port be configured. If it is installed by a "game" called "whackamole" (file name is: "whackjob.zip" (contains the NetBus 1.53 server) its name is "explore.exe". There is also a file called whackjob17.zip, which installs the server of NetBus 1.70 and uses the port 12631. Additionally it is password protected (PW: "ecoli"). The NetBus Server is installed by "game.exe" during the setup routine; the name of the server actually is "explore.exe" located in the windows directory.
To start the server automatically, there is an entry in the registry at: "\HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows\CurrentVersion\Run" normally used with the option "/nomsg". If this entry is deleted, the server won't be started with windows.
The NetBus server is about 4 times as large as the Back Orifice server, and generally less "stealthy." Unlike BO, NetBus is not designed to attach virus-like to legitimate files or applications.
Like BO, the NetBus server can have practically any filename. The usual way it is installed is through simple deception; the program is sent to the victim, or offered on a website, and falsely represented as something it is not. Occasionally it may be included in a setup package for a legitimate application and executed in the process of that setup.
The unsuspecting victim runs the program either directly or by way of the application used as camouflage, and it immediately installs itself and begins to offer access to intruders.
NetBus will always reveal its presence by way of an open port, viewable with netstat.exe. Because of this, many intruders delete netstat.exe from the victim's hard drive immediately upon gaining access. Creating a copy or two of netstat using other names is a good precaution against its loss. A regular check for the presence of netstat.exe, including the file's size and date, is advisable and is one means of spotting intrusions. Attackers may use BO as a means of installing Netbus on the target system. This is because NetBus is sophisticated yet easy to use.
Once access is gained, the intruder will often install other backdoors, ftp or http daemons which open victim's drive(s) to access or he may enable resource sharing on the Net connection
The v1.53 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number.
NetBus v1.53 is not extremely stealthy, but it is certainly functional and effective.
This utility also has the ability to scan "Class C" addresses by adding "+Number of ports" to the end of the target address. Example: 255.255.255.1+254 will scan 255.255.255.1 through 255.
By default, the v1.6o server is named Patch.exe. It may be renamed. Its size is 4 61K (472,576 bytes). When this program is run, it remains where it is and nothing appears to happen. Unlike v1.53, it can then be deleted uneventfully. However, it is functional. It copies itself to the Windows directory, extracts from within itself a file called KeyHook.dll and activates both programs.
Run without added parameters, v1.6o is persistent; that is, it will execute on its own when the computer is restarted. It makes changes to the Registry; it creates the keys
HKEY_CURRENT_USER\PATCH, where PATCH is the filename before the extension; and by default, it places a value in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Version 1.60, like v1.53, also creates the Registry keys
HKEY_CURRENT_USER\NETBUS; and HKEY_CURRENT_USER\NETBUS\Settings and places basically the same series of values in the Settings key.
The v1.60 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number.
Among the new features are greatly expanded file-handling capabilities, an interactive message dialog, password setting and other server controls, and new ways to tamper with the keyboard. Most of its tricks are evident from this console display.
Netbus 1.7 was released to the public on 11/14/98. It is basically the same program as version 1.6, but with an ultra-fast port scanner, capable of redirecting data to another host and port, option to configure the server-exe with some options, like TCP-port and mail notification, ability redirect I/O from console applications to a specified TCP-port and restricting access to only a few IP-numbers.
By default, the v1.70 server is named Patch.exe. It may be renamed. Its default size is 483K (494,592 bytes). With configuration added, its size increases, usually by a couple of hundred bytes. By default, the v1.70 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number. It can however be readily configured to use any other virtual port from 1 to 65534. The port configuration can be pre-set by the sender, and/or it can be changed from remote. It will also open the next-numbered port in sequence, which it apparently uses for responses to the client.
NetBus 2.0 Pro", (often just called "NetBus 2.0") the latest version of this well known backdoor program has been released after Spector took over Netbus. Therefore the new version is a shareware and needs remote user's permission for installation. However, hackers have released variations such as Retail_10.exe which fakes the incomplete patch of ICQ. Instead it installs the "NetBus 2.0 Server" in the invisible and auto starting mode. It even deletes the data logged by the server.

No comments:

Post a Comment