Oceninfo Trojans and Backdoor Tools 06


The Game "whackamole.exe" file size 314,636 credited to "John" alias <ecoli_@hotmail.com>, is actually the Netbus Trojan. It is contained within Whackjob.zip and installs "patch.exe",(the Netbus Server portion) within the install shield script for the game install. The program Netbus.exe is renamed Explore.exe during the install. This can arbitrarily be installed using the "DotLess IP address" (better known as the "Buffer Overrun" exploit). Version 2.0 runs on Port 20043 with the "added feature" of automatically clearing the log file every time the PC is rebooted.
REGISTRY KEYS ADDED:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dl_

REGISTRY KEY VALUES ADDED:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dl_\@="exefile"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dl_\ContentType="application/x-
msdownload"

It also adds Rundll32:Reg_SZ:rundll2.dl_to HKLM \SW\MSoft\Windows\CurrentVer\Run

Ken Williams noted in a post to bugtraq that "BoSniffer.zip" which the author claimed to be capable of blocking key points in the registry from BO as well as search for existing installs of the backdoor, was in fact a Trojan.
His detailed examination has revealed that this is actually a BO server with the "SpeakEasy" plug-in installed. If "BoSniffer.exe" is run, the BoSniffer executable (BO Server Trojan w/ SpeakEasy) will "attempt to log into a predetermined IRC server on channel #BO_OWNED with a random username. It then proceeds to announce its IP address and a custom message every few minutes." This program, "BoSniffer.zip" is being widely distributed as a "cure for Back Orifice infections". It is likely that it is being distributed with other software packages and under other names as well. Listed below are relevant details about this program.
File Sizes (in bytes) - 231068 BoSniffer.exe, 108573 BoSniffer.zip
Evidence that BoSniffer.zip is really BO Server with SpeakEasy Plug -in:
sector 0X028C38
irc.lightning.net:7000:Hey MASTER where are u!!!
sector 0x0303F0 - sector 0x0306D8
sector 0x031848
SpeakEasy.dll
sector 0x0318A8 - sector 0x031980
#BO_OWNED with IRC commands:
Own Me @ .NOTICE JOIN #BO_OWNED host server :Owned USERNICK BO
.QUIT Psssst...Speakeasy was told to shut down
.NOTICE #BO_OWNED :Psssst...Speakeasy just started up

Tools 
FireKiller, written by Iridium is a Trojan that on execution kills any resistant protection software on execution. For instance, if Norton Antivirus Auto-Protect option is running in the taskbar, and the AT Guard Firewall is activated, this program will kill both on execution, and make the installations of both unusable on the machine. To reuse it, the user will have to reinstall it.
It has been noted to work with all major protection software like AT guard, Conceal, Norton Antivirus, and McAfee Antivirus etc. Later patches detect this Trojan. It is typically used in conjunction with an .exe binder, which binds it to a Trojan before binding this file (Trojan and firekiller2000) to some other dropper.
The same author has written another Trojan called FireCracker. It automatically detects AT Guard, Zone Alarm and or McAfee Firewall, deactivates it and deletes it from the hard disk. The original Firewall Icons remain in the taskbar all the time, so it looks like nothing is happened. It also reloops the functions that the victim must reboot the CPU to reinstall the firewall(s).
Note 
 :The Internet Control Message Protocol is an adjunct to the IP layer. It is a connectionless protocol used to convey error messages and other information to unicast addresses . ICMP packets are encapsulated inside of IP datagram. The first 4-bytes of the header are same for every ICMP message, with the remainder of the header differing for different ICMP message types. There are 15 different types of ICMP messages.
The ICMP types we are concerned with are type ox8 and type 0x8. ICMP type 0x0 specifies an ICMP_ECHOREPLY (the response) and type 0x8 indicates an ICMP _ECHO (the query). The normal course of action is for a type 0x8 to elicit a type 0x0 response from a listening server. (Normally, this server is actually the OS kernel of the target host. Most ICMP traffic is, by default, handled by the kernel). This is what the ping program does.
The concept of ICMP Tunneling involves arbitrary information tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets and using them to carry the payload.

Attack Methods 
Covert Channels are methods in which an attacker can hide the data in a protocol that is undetectable. Covert Channels rely on techniques called tunneling, which allows one protocol to be carried over another protocol. A covert channel is a vessel in which information can pass, but this vessel is not ordinarily used for information exchange.
Therefore, as a matter of consequence, covert channels are impossible to detect and deter using a system's normal (read: unmodified) security policy. In theory, almost any process or bit of data can be a covert channel. In practice, it is usually quite difficult to elicit meaningful data from most covert channels in a timely fashion.
This makes it an attractive mode of transmission for a Trojan. The attacker can use the covert channel and install the backdoor on the target machine.
Concept 
The concept of ICMP Tunneling is simple: arbitrary information tunneling in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets. This exploits the covert channel that exists inside of ICMP_ECHO traffic. This channel exists because network devices do not filter the contents of ICMP_ECHO traffic. They simply pass them, drop them, or return them. The Trojan packets themselves are masqueraded as common ICMP_ECHO traffic. We can encapsulate (tunnel) any information we want.




Hacking Tool: Loki
Tools 
This program is a working proof-of-concept to demonstrate that data can be transmitted rather stealthily across a network by hiding it in traffic that normally does not contain payloads. The example code in the original Phrack magazine can tunnel the equivalent of a Unix RCMD/RSH session in either ICMP echo request (ping) packets or UDP traffic to the DNS port. This is used as a back door into a UNIX system after root access has been compromised. Presence of LOKI on a system is evidence that the system has been compromised in the past.
Although the payload of ICMP packet is often timing information, there is no check by any device as to the content of the data. So, as it turns out, this amount of data can also be arbitrary in content as well. Therein lies the covert channel. A covert channel is a vessel in which information can pass, but this vessel is not ordinarily used for information exchange. Therefore, covert channels are impossible to detect and deter using a system's normal security policy.
Loki exploits the covert channel that exists inside of ICMP_ECHO traffic. This channel exists because network devices do not filter the contents of ICMP_ECHO traffic. The Trojan packets themselves are masqueraded as common ICMP_ECHO traffic. It can be used as a backdoor into a system by providing a covert method of getting commands executed on a target machine. The LOKI packet with a forged source IP address will arrive at the target (and will elicit a legitimate ICMP_ECHOREPLY, which will travel to the spoofed host, and will be subsequently dropped silently) and can contain the 4-byte IP address of the desired target of the Loki response packets, as well as 51-bytes of malevolent data.
The important aspect of Loki is that routers, firewalls, packet-filters, dual-homed hosts all can serve as conduits for Loki. A surplus of ICMP_ECHOREPLY packets with a garbled payload can be ready indication the channel is in use. The standalone Loki server program can be easily detected. However, if the attacker can keep traffic on the channel down to a minimum, and was to hide the Loki server inside the kernel, detection is almost impossible.
Stateful firewalls are the enhanced version of packet filters. It still does the same checking against a rule table and only routes if permitted, but it also keeps track of the state information such as TCP sequence numbers. Some pay attention to application protocols to ensure only legitimate traffic passes through. These filters can get UDP packets (e.g. for DNS and RPC) securely through the firewall to a great extent more so because UDP is a stateless protocol. And it is more difficult for RPC services. However, this does not solve the problem in case of ICMP covert channels as ICMP echo are also subject to firewall rules.
If there is no rule to allow ping, then all such packets get dropped. If the ping came over a tunnel and interface is not configured to force tunnel traffic up to the proxies, then the ping packets are sent unmodified.
There are a few countermeasures that may help keep Loki at bay.
Countermeasure 
Disable external ICMP_ECHO traffic entirely. This does have serious implications to normal network management since it does affect network communication management within the local segment. However, this can be configured to allow internal ping traffic and disable packets coming from the outside.
Countermeasure 
Disable ICMP_ECHO_REPLY traffic on a Cisco router. Security implications make this a prudent choice.
Countermeasure 
Ensure that the routers are configured to not send ICMP_UNREACHABLE error packets to hosts that do not respond to ARPs.
Attack Methods 
This Trojan can work through any firewall which allows users to access the Internet. It is the reverse of a straight HTTP tunnel. The program is run on the internal host, which spawns a child every day at a special time. The child program appears as a user to the firewall, which in turn allows it to access the Internet. However, this child program executes a local shell and connects to the web server owned by the attacker on the internet through a legitimate looking http request and sends it 'ready' signal. The legitimate looking answer of the web server owned by the attacker is in reality the commands the child will execute on its machine's local shell. All traffic will be converted into a Base64 like structure and given as a value for a cgi-string to prevent caching.
Example of a connection:
  • Slave
    GET /cgi-bin/order?M5mAejTgZdgYOdgIOoBgFfVYTgjFLdgxEdbiHe7krj HTTP/1.0
    
  • Master replies with
    g5mAlfbknz
    
For instance, The GET of the internal host (SLAVE) is just the command prompt of the shell; the answer is an encoded "Is" command from the hacker on the external server (MASTER). The SLAVE tries to connect daily at a specified time to the MASTER if needed; the child is spawned because if the shell hangs for whatever reason the attacker can check and fix it the next day.
In case the administrator sees connects to the attacker's server and connects to it himself he will just see a broken web server because there's a Token (Password) in the encoded cgi GET request; WWW Proxies (e.g. squid) are supported; program masks it's name in the process listing. The programs are reasonably small with the master and slave program just one 260-lines perl file Usage is simple: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and just run "rwwwshell.pl" on the MASTER just before it is time that the slave tries to connect.
Sample of Reverse Http Shell:
                Http                         Http

|Internal|—------------>|PROXY|-->|FIREWALL|<---------->|Attacker|

 SLAVE                                                  MASTER

Countermeasure 
Countermeasure
It is clear that a tight application gateway firewall with a strict policy is essential. Ideally DNS resolving should be only done on the WWW/FTP proxies and access given to WWW with prior proxy authentication only. Mails should be on a separate server. A secure solution would be to set up a second network which is connected to the internet, and the real one kept separated.
Perhaps the old adage 'Prevention is better than cure' holds the greatest relevance here.
Countermeasure 
The first line of defense is to educate users regarding the dangers of installing applications downloaded from the Internet and to take great caution if they have to open any mail attachment.
Countermeasure 
The second line of defense can be antivirus products that are capable of recognizing Trojan signatures. Ensure that these updates are regularly applied over the network.
Countermeasure 
The third line of defense comes from keeping application version updated by following security patches and vulnerability announcements.
An inexpensive tool called Cleaner (http://www.moosoft.com/cleanet.html) can identify and eradicate 1000 types of backdoor programs and Trojans. Some of the other anti-Trojan software is:
Tools 
fport supports Windows NT4, Windows 2000 and Windows XP. fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is the similar to the information seen using the 'netstat-an' command. However, it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications. The applications are not shown by netstat -a command.
Usage:
C:\>fport
Pid Process Port Proto Path
392 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 139 TCP
8 System -> 445 TCP
508 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
392 svchost -> 135 UDP C:\WINNT\system32\svchost.exe
8 System -> 137 UDP
8 System -> 138 UDP
8 System -> 445 UDP
224 lsass -> 500 UDP C:\WINNT\system32\lsass.exe
212 services -> 1026 UDP C:\WINNT\system32\services.exe
The program contains five (5) switches. The switches may be utilized using either a '/' or a ' -' preceding the switch. The switches are;
/? usage help,
/p sort by port,
/a sort by application,
/i sort by pid,
/ap sort by application path.
Tools 
TCPView is a Windows program that will show detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and state of TCP connections. On Windows NT, 2000 and XP TCPView also reports the name of the process that owns the endpoint.
TCPView provides a more informative and conveniently presented subset of the Netstat program that ship with Windows. TCPView works on Windows NT/2000/XP and Windows 98/ME. Using TCPView
When TCPView is run, it will enumerate all active TCP and UDP endpoints, resolving all IP addresses to their domain name versions. On Windows XP systems, TCPView shows the name of the process that owns each endpoint.
By default, TCPView updates every second. Endpoints that change state from one update to the next are highlighted in yellow; those that are deleted are shown in red, and new endpoints are shown in green. The user can close established TCP/IP connections (those labeled with a state of ESTABLISHED) and save TCPView's output window to a file as well.
A similar utility TDImon allows the user to monitor TCP and UDP activity on your local system. It is the most powerful tool available for tracking down network-related configuration problems and analyzing application network usage. On Windows NT and Windows 2000, simply execute the TDImon program file (tdimon.exe) and TDImon will immediately start capturing TCP/IP activity. As events are printed to the output, they are tagged with a sequence number.

Tools 
PrcView is a process viewer utility that displays detailed information about processes running under Windows. For each process it displays memory, threads and module usage. For each DLL it shows full path and version information.
PrcView comes with a command line version that allows the user to write scripts to check if a process is running, kill it, etc. The main window shows a list of running processes including information process Id, priority, and full path to the process module. The user can sort columns by clicking on the column header
With the Process Finder Tool one can find the process corresponding to a selected window. The Process Tree shows the process hierarchy for all running processes. The desired task can be selected by clicking on the process item in the Process Tree window.
Module Usage gives information about all loaded modules in the system including the module name, the module base address in process space, the module size and full to the loaded module path. Selecting a module from the module list shows only processes which use a selected module.
Kill process is just another way to kill a selected process. Note that killing a process can cause undesired results including loss of data and system instability. The process will not be given a chance to save its state or data before it is terminated. It is advisable to try the "Notify" button in the "Kill" dialog to close a GUI-based application first (via WM_SYSCOMMAND)

For more information continue read on : www.oceninfo.co.cc being with us and be a master of computer 

COMMENTS

Name

©2012 Oceninfo.co.cc,2,10:29 IST,1,2012,1,Adfly Bot,2,AFCEH,1,Ajax security,1,all posts for education purpose only...www.facebook.com/princebhalani,1,Android,1,android developer,1,android phone,1,android phone-1,1,anonymous email,1,Anti-Trojan software,8,Antivirus,1,Apple,1,article marketing,1,at risk,1,attacks,1,australian federal police,1,Auto Clicker,1,Auto surfer,1,backtrack link,2,Bank Hacking,2,BCMSN,2,BIOS Update,1,Blockchain,1,Blog and tagged Ransomware,1,boot fast...,1,boot xp faster,1,Business Deals,1,Bypass Antivirus and Hack Window Systems,1,CCIE,2,CCNA,2,CCNP,2,CEH,2,challenge-response system,1,Changing Root Bridge Election Results,2,code,2,commands,1,company deals,1,Computer Hacking,3,Connect,1,cookie stealing,3,Country,1,Crack,1,Credit Card Fraud,2,credit cards,1,Cryptography,1,cyber cell updated,1,cyber security,1,DATA CARD TRICK,1,delhi,1,Digital Marketing,1,direct admission in any colleges,2,Direct Link,3,Directory Traversal Attacks,1,Dos and Ddos,1,DotNetNuke Remote File Upload Vulnerability,1,Earn Lots of money,3,EARN MONEY PART2,1,earnings in$,1,email hacking,4,email spoofing,2,Er Prince Bhalani jobs,1,Ethical Hacker job,1,ethical hacking,8,exploit,1,facebook autoliker,1,Facebook tricks,3,Fake Mail,1,fake sms,1,FB hackz,1,FBI,1,FBI HACKERS,2,FBI Jobs,2,featured,6,Finger scan,1,fingerprint Hacking,1,format without pain,1,Free Download,1,Free Flash Templates,1,free hacking book,5,Free Recharge,1,free sms,2,Freebeacon,1,friendship day,2,friendship day image,2,friendship image,1,Future Computer,2,future of hacking,1,Gadgets,1,good clean fun,1,google,3,Google Ads,1,google adsense account,1,Google hacking,3,google hacks,1,google search,1,hack,2,hack the world,2,HACK WEBSITES USING SQL INJECTION,2,hacker,1,hacker uni,1,hacker/LPT/etc,1,hackers,2,Hackerz info,1,hacking,4,hacking games,1,hacking matterial,1,HACKING OFER,1,hacking softwares,1,hacking tools,2,Hacking with Mobile phones,1,HackingTeacher Security Solutions,1,hacks,1,hijack,1,history of hacking,1,How to,8,How to Hack,37,how to play,1,How to sniff,1,html,1,HTTPS/SSL secured sites,1,I LOVE YOU VIRUS,1,i-phone hacking,1,ICITAM 2012,1,iCloud Era,1,In Flow,1,indian cyber cell,4,information security,1,interesting,1,inurl:fcklinkgallery.as,1,IP hacks,1,iphone,1,IT Act,1,IT Decision Maker,1,IT Implem_App/LOB Spec,1,IT Implem_Desktop/EndUser Spec,1,IT Implem_Infrastructure Spec,1,IT Implem_IT Generalist and IT Manager.,1,it security,1,java,1,jobs for ethical hacker,3,jobs in hacking,5,Joe job,1,Just for education purpose only,1,Kaspersky,1,kaspersky crack 2013,1,keyboard hacking,1,keyloggers,1,keywords,1,Laptop Tracking,1,Laws of computer crime,1,Learn Cracking,1,Learn Website Hacking,7,Linkbucks Bot,1,Macromedia Flash,1,make some rules...|||_|||,1,malicious code,1,Malware,1,malware analysis,1,man in the middle attack (LAN),1,master,1,master list,1,metasploit,3,Microsoft scams,1,mobile,1,mobile recharge,1,moblie phone hacking,1,munging,1,network hack,1,Network Sniffers,1,new command set,1,new projects,1,nmap,1,No Survey,1,not infrequent,1,online scanners,1,paisa live hack,1,panetration for educational purpose only,1,Parental Controls,1,password hacking,4,Password sniffing with arp poisoning,1,PC TIPS,1,PE_PARITE (Trend Micro),1,penetration testing,1,pharming,1,phishing,1,phone hacking charged,1,PHP,1,pin ball,1,Play WMV Files,1,Press Trust of India / New Delhi Aug 15,1,Prime minister,1,prince bhalani,1,princebhalani,1,Professional job in FBI,1,Professional Penetration Testing,1,Programming,1,Programming of virus,2,protect my pc against hackin,1,proxy list by http,1,Proxy SOCKS Port,1,R-Admin With Key,1,Radmin,1,RAW Jobs,1,Real Hackers vs fake ethical hackers. ..:),1,Register of Known Spam Operations (ROKSO),1,repair corrupt hard disk,1,RFT,1,Robbery,1,Rupert Murdoch,1,SAMPLE,1,Sample dynamic flash template from TM website,1,Scams,2,Scanned Vulnerabilities,1,SEA,2,search engine hacking,1,Search Operators,1,Security,2,Security breach,1,security code brack,1,SEM,4,SEO,112,SEO Mistakes,1,SEO TOOLS,1,SEO Tricks,3,SERM,1,SERP,1,Session Hijacking,4,SET,1,shell commands...,1,shell list with download,1,SITES,1,Smart Home,1,Smartphones,1,SMM,1,SMO,2,sms spoofing,1,SMTP Servers,1,Sniffing passwords,1,Sothink SWF Decompiler,1,spam cocktail (or anti-spam cocktail),1,spam trap,1,spear phishing,2,SQL hacking,2,SQL Injection Attacks by Example,2,SSL,1,SSL Analysis,1,starting of help,1,System Information,1,System Restore,1,Tablet in 1000,1,Tablets,1,Temporary Email Service,1,time need,1,timer,1,tracing,1,Traffic,3,tricks,5,Tricks and Tips,1,Trojan,1,Trojan tools,1,Trojans and Backdoors,2,trojon,7,Turbo C++,1,UK phone hacking,1,UK phone hacking arrest,1,USA JOBS,4,Virus,2,virus writing,2,VPN,1,vulnerabilities,1,vulnerability assessment,1,W32/Pate (McAfee),1,W32/Pinfi (Symantec),1,Washington,2,web hacking,6,web security,1,Website Development,1,Website Hacking,3,White House,1,wifi hacking,3,Win32 : parite (Avast),1,Win32.Parite (Kaspersky),1,Win32/Parite,1,windows,2,Windows 8 event for IT Professionals,1,wirless hack,1,WordPress,1,WordPress hacking,1,working with Virus and worm,9,XP Hacking,1,xp hacking-1,1,XP part 3,1,xss hacking,1,
ltr
item
Group Of Oceninfo: Oceninfo Trojans and Backdoor Tools 06
Oceninfo Trojans and Backdoor Tools 06
Group Of Oceninfo
https://oceninfo.blogspot.com/2012/04/oceninfo-trojans-and-backdoor-06.html
https://oceninfo.blogspot.com/
https://oceninfo.blogspot.com/
https://oceninfo.blogspot.com/2012/04/oceninfo-trojans-and-backdoor-06.html
true
6415817773321450103
UTF-8
Loaded All Posts Not found any posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU LABEL ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS CONTENT IS PREMIUM Please share to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy