Monthly Archives: June 2018

MODULE: 7.9.4 Trojan Construction Kits

Much as for viruses and worms, several construction kits are available that allow for the rapid creation and deployment of Trojans. The availability of these kits has made designing and deploying malware easier than ever before:

Trojan Construction Kit One of the best examples of a relatively easy-to-use but potentially destructive tool. This kit is command-line based, which may make it a little less accessible to the average person, but it is nonetheless very capable in the right hands. With a little effort, it is possible to build a Trojan that can engage in destructive behavior such as destroying partition tables, master boot records (MBRs), and hard drives.

Senna Spy Another Trojan-creation kit that provides custom options, such as file transfer, executing DOS commands, keyboard control, and list and control processes.

Stealth Tool A program used not to create Trojans but to assist them in hiding. In practice, this tool is used to alter the target file by moving bytes, changing headers, splitting files, and combining files.

Backdoors

Many attackers gain access to their target system through a backdoor. The owner of a system compromised in this way may have no indication that someone else is using the system. When implemented, a backdoor typically achieves one or more of the following key goals:

  • Lets an attacker access a system later by bypassing any countermeasures the system owner may have placed.
  • Provides the ability to gain access to a system while keeping a low profile. This allows an attacker to access a system and circumvent logging and other detective methods.
  • Provides the ability to access a system with minimal effort in the least amount of time. Under the right conditions, a backdoor lets an attacker gain access to a system without having to rehack.

Some common backdoors that are placed on a system are of the following types and purposes:

  • Password-cracking backdoor—Backdoors of this type rely on an attacker uncovering and exploiting weak passwords that have been configured by the system owner.
  • Process-hiding backdoor—An attacker who wants to stay undetected for as long as possible typically chooses to go the extra step of hiding the software they are running. Programs such as a compromised service, a password cracker, sniffers, and rootkits are items that an attacker will configure so as to avoid detection and removal. Techniques include renaming a package to the name of a legitimate program and altering other files on a system to prevent them from being detected and running.

Once a backdoor is in place, an attacker can access and manipulate the system at will.

MODULE 7.9.3 Distributing Trojans

Once a Trojan has been created, you must address how to get it onto a victim’s system. For this step, many options are available, including tools known as wrappers.

Using Wrappers to Install Trojans

Using wrappers, attackers can take their intended payload and merge it with a harmless executable to create a single executable from the two. Some more advanced wrapper-style programs can even bind together several applications rather than just two. At this point, the new executable can be posted in a location where it is likely to be downloaded.

Consider a situation in which a would-be attacker downloads an authentic application from a vendor’s website and uses wrappers to merge a Trojan (BO2K) into the application before posting it on a newsgroup or other location. What looks harmless to the downloader is actually a bomb waiting to go off on the system. When the victim runs the infected software, the infector installs and takes over the system.

Some of the better-known wrapper programs are the following:

  • EliteWrap is one of the most popular wrapping tools, due to its rich feature set that includes the ability to perform redundancy checks on merged files to make sure the process went properly and the ability to check if the software will install as expected. The software can be configured to the point of letting the attacker choose an installation directory for the payload. Software wrapped with EliteWrap can be configured to install silently without any user interaction.
  • Saran Wrap is specifically designed to work with and hide Back Orifice. It can bundle Back Orifice with an existing program into what appears to be a standard program using Install Shield.
  • Trojan Man merges programs and can encrypt the new package in order to bypass antivirus programs.
  • Teflon Oil Patch is designed to bind Trojans to a specified file in order to defeat Trojan-detection applications.
  • Restorator was designed with the best of intentions but is now used for less-than-honorable purposes. It can add a payload to, for example, a seemingly harmless screen saver, before it is forwarded to the victim.

MODULE: 7.9.2 An In-Depth Look at BO2K

Whether you consider it a Trojan or a remote administrator tool, the capabilities of BO2K are fairly extensive for something of this type. This list of features is adapted from the manufacturer’s website:

  • Address book–style server list
  • Functionality that can be extended via the use of plug-ins
  • Multiple simultaneous server connections
  • Session-logging capability
  • Native server support
  • Keylogging capability
  • Hypertext Transfer Protocol (HTTP) file system browsing and transfer
  • Microsoft Networking file sharing
  • Remote registry editing
  • File browsing, transfer, and management
  • Plug-in extensibility
  • Remote upgrading, installation, and uninstallation
  • Network redirection of Transmission Control Protocol/Internet Protocol (TCP/IP) connections
  • Ability to access console programs such as command shells through Telnet
  • Multimedia support for audio/video capture and audio playback
  • Windows NT registry passwords and Win9x screen saver password dumping
  • Process control: start, stop, and list
  • Multiple client connections over any medium
  • GUI message prompts

BO2K is a next-generation tool that was designed to accept customized, specially designed plug-ins. It is a dangerous tool in the wrong hands. With the software’s ability to be configured to carry out a diverse set of tasks at the attacker’s behest, it can be a devastating tool.

BO2K consists of two software components: a client and a server. To use the BO2K server, the configuration is as follows:

  1. Start the BO2K Wizard, and click Next when the wizard’s splash screen appears.
  2. When prompted by the wizard, enter the server executable to be edited.
  3. Choose the protocol over which to run the server communication. The typical choice is to use TCP as the protocol, due to its inherent robustness. UDP is typically used if a firewall or other security architecture needs to be traversed.
  4. The next screen asks what port number will be used. Port 80 is generally open, and so it’s most often used, but you can use any open port.
  5. In the next screen, enter a password that will be used to access the server. Note that passwords can be used, but you can also choose open authentication—that means anyone can gain access without having to supply credentials of any kind.
  6. When the wizard finishes, the server-configuration tool is provided with the information you entered.
  7. The server can be configured to start when the system starts up. This allows the program to restart every time the system is rebooted, preventing the program from becoming unavailable.
  8. Click Save Server to save the changes and commit them to the server.

Once the server is configured, it is ready to be installed on the victim’s system.

No matter how the installation is to take place, the only application that needs to be run on the target system is the BO2K executable. After this application has run, the previously configured port is open on the victim’s system and ready to accept input from the attacker.

The application also runs an executable file called Umgr32.exe and places it in the Windows system32 folder. In addition, if you configure the BO2K executable to run in stealth mode, it does not show up in Task Manager—it modifies an existing running process to act as its cover. If stealth was not configured, the application appears as a Remote Administration Service.

The attacker now has a foothold on the victim’s system.

MODULE: 7.9.1 Tools for Creating Trojans

A wide range of tools exists that are used to take control of a victim’s system and leave behind a gift in the form of a backdoor. This is not an exhaustive list, and newer versions of many of these are released regularly:

Let Me Rule A remote access Trojan authored entirely in Delphi. It uses TCP port 26097 by default.

RECUB Remote Encrypted Callback Unix Backdoor (RECUB) borrows its name from the Unix world. It features RC4 encryption, code injection, and encrypted ICMP communication requests. It demonstrates a key trait of Trojan software—small size—as it tips the scale at less than 6 KB.

Phatbot Capable of stealing personal information including email addresses, credit card numbers, and software licensing codes. It returns this information to the attacker or requestor using a P2P network. Phatbot can also terminate many antivirus and software-based firewall products, leaving the victim open to secondary attacks.

Amitis Opens TCP port 27551 to give the hacker complete control over the victim’s computer.

Zombam.B Allows the attacker to use a web browser to infect a computer. It uses port 80 by default and is created with a Trojan-generation tool known as HTTPRat. Much like Phatbot, it also attempts to terminate various antivirus and firewall processes.

Beast Uses a technique known as dynamic-link library (DLL) injection to inject itself into an existing process, effectively hiding itself from process viewers.

Hard-Disk Killer A Trojan written to destroy a system’s hard drive. When executed, it attacks a system’s hard drive and wipes it in just a few seconds.

One tool that should be mentioned as well is Back Orifice, which is an older Trojan-creation tool.

Most, if not all, of the antivirus applications in use today should be able to detect and remove this software. I thought it would be interesting to look at the text the manufacturer uses to describe its toolkit. Note that it sounds very much like the way a normal software application from a major vendor would be described. The manufacturer of Back Orifice says this about Back Orifice 2000 (BO2K):

“Built upon the phenomenal success of Back Orifice released in August 98, BO2K puts network administrators solidly back in control. In control of the system, network, registry, passwords, file system, and processes. BO2K is a lot like other major file-synchronization and remote control packages that are on the market as commercial products. Except that BO2K is smaller, faster, free, and very, very extensible. With the help of the open-source development community, BO2K will grow even more powerful. With new plug-ins and features being added all the time, BO2K is an obvious choice for the productive network administrator.”

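As an added defensive illustration that is not part of these notes, the script below ties together the artifacts the BO2K section above describes (a configured listening port and Umgr32.exe placed in system32) with the default ports the tool list gives for Let Me Rule (TCP 26097) and Amitis (TCP 27551): it parses netstat -ano style listener lines, correlates each listener with its owning process image, and flags those indicators plus a process that carries a system-binary name but runs from outside System32, the renaming trick the Backdoors section mentions. The netstat lines, the process table and the short list of system binary names are constructed sample data and assumptions, not values from the page.

```python
import re

# Default TCP listening ports the tool list above gives for these Trojans.
KNOWN_TROJAN_PORTS = {26097: "Let Me Rule", 27551: "Amitis"}
# Process name the BO2K notes above associate with a running server.
SUSPECT_PROCESS_NAMES = {"umgr32.exe": "BO2K server component"}
# Assumed list of legitimate system binaries a process-hiding backdoor may
# imitate; one of these names running from outside System32 is suspect.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe"}

# Constructed sample data: netstat -ano style output and a pid -> image map.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2316
  TCP    0.0.0.0:27551          0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:26097          0.0.0.0:0              LISTENING       3120
"""
SAMPLE_PROCESSES = {
    880: r"C:\Windows\System32\svchost.exe",
    2316: r"C:\Windows\System32\Umgr32.exe",
    1488: r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
    4: "System",
    3120: r"C:\Users\alice\AppData\Local\Temp\update.exe",
}

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listeners(netstat_text):
    """Return [(port, pid)] for every TCP LISTENING line."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in map(LISTEN_RE.match, netstat_text.splitlines()) if m]

def find_indicators(netstat_text, processes):
    """Correlate listeners with their image path; return (pid, port, reason) tuples."""
    findings = []
    for port, pid in parse_listeners(netstat_text):
        image = processes.get(pid, "")
        name = image.rsplit("\\", 1)[-1].lower()
        in_system32 = "\\system32\\" in image.lower()
        if port in KNOWN_TROJAN_PORTS:
            findings.append((pid, port, f"default port of {KNOWN_TROJAN_PORTS[port]}"))
        if name in SUSPECT_PROCESS_NAMES:
            findings.append((pid, port, SUSPECT_PROCESS_NAMES[name]))
        if name in SYSTEM_BINARY_NAMES and not in_system32:
            findings.append((pid, port, f"{name} running outside System32"))
    return findings

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print("pid %d port %d: %s" % finding)
```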
 

Linux kernel.org Hacker Arrested After Traffic Stop

So it seems the alleged kernel.org hacker has finally been caught, kinda by accident after being stopped for a traffic violation. It was quite a high profile hack, especially in the open source community as anyone downloading kernel files during that period could have theoretically been compromised. It’s unlikely the kernel code was actually…

Read the full post at darknet.org.uk



Create your own Virus using V-Maker

 
Everyone wants to create a virus, but virus creation is not child’s play. It needs good programming skills and knowledge of system resources. Today I am going to post about a virus-creating tool. This tool is Virus Matic 2010, or V-Maker for short. You don’t need to know anything. Just select the option you want and it will create a virus for you.

Main Features of V-Maker

You can create your own prank files/viruses with ease using V-Maker.
  1. Disable Mouse and Keyboard
  2. Disable Regedit
  3. Delete System32
  4. Block Site
  5. Disable Task Manager
  6. Take Screenshot of Victim PC
  7. Message Box (shown when the user clicks on the virus)
  8. Automatic Download Start (a download starts when the user clicks on the virus)
  9. USB Spread


DBPwAudit – Database Password Auditing Tool

DBPwAudit is a Java database password auditing tool that allows you to perform online audits of password quality for several database engines. The application design allows for easy adding of additional database drivers by simply copying new JDBC drivers to the jdbc directory.


Configuration is performed in two files: the aliases.conf file maps drivers to aliases, and the rules.conf file tells the application how to handle error messages from the scan.

Compatibility

The tool has been tested and known to work with:

– Microsoft SQL Server 2000/2005
– Oracle 8/9/10/11
– IBM DB2 Universal Database
– MySQL

Requirements

The tool is pre-configured for these drivers but does not ship with them, due to licensing issues. The links below can be used to find some of the drivers. They should all be copied to the jdbc directory.

 

Links to JDBC Drivers:

MySQL
Microsoft SQL Server 2005
Microsoft SQL Server 2000
Oracle

Usage

Scan the SQL server (-s 192.168.1.130), using the specified database (-d testdb) and driver (-D MySQL) using the root username (-U root) and password dictionary (-P /usr/share/wordlists/nmap.lst):

You can download DBPwAudit here:

dbpwaudit_0_8.zip

Nmap Port Scanner 7.25BETA2

 

Nmap is a utility for port scanning large networks, although it works fine for single hosts. Sometimes you need speed, other times you may need stealth. In some cases, bypassing firewalls may be required. Not to mention the fact that you may want to scan different protocols (UDP, TCP, ICMP, etc.). Nmap supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning (ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap also supports a number of performance and reliability features such as dynamic delay time calculations, packet timeout and retransmission, parallel port scanning, detection of down hosts via parallel pings.

Changes: Upgraded NSE to Lua 5.3, adding bitwise operators, integer data type, a utf8 library, and native binary packing and unpacking functions. Added 2 NSE scripts, bringing the total up to 534. Integrated service/version detection fingerprints submitted from January to April (578 of them). Various other updates and improvements. 19th birthday release of nmap!

 

 


 
