Donald Dick
Donald Dick is a remote control system for workstations running Windows 95, 98 or NT 4.0. It was first implemented to replace well-known Trojans and to be invisible to existing antivirus software. The first implementation could only open and close the CD-ROM tray.
Donald Dick consists of two parts, a client and a server. To install the server on the target computer, the user must launch the executable file. Running a Donald Dick server on a computer gives the attacker full access to all of its resources. The attacker controls it with the Donald Dick client over the TCP or SPX network protocol. He can also restrict access to the server with a password.
Under Windows 9x the Donald Dick server becomes operational immediately after a reboot. Under Windows NT the server is loaded as a service process.
With Donald Dick, the attacker has full access to the file system. He can browse, create and remove directories; erase, rename, copy, upload and download files; and set a file's date and time. He can control the processes and threads running on the system: browse, terminate or run programs, set process priorities, and suspend or resume threads. The Trojan gives complete access to the registry, where the attacker can browse, create and remove keys and values, or set values.
Other things he can do to affect the target system are to set the system time; shut down, reboot or log off the machine; and even switch the power off. He can query the system for information and even set system parameters. With regard to the display, he can get a list of windows; query and set system colors; take a screenshot of the whole screen or of a particular window; and send messages to a window.
The Trojan lets the attacker read and write CMOS (Windows 9x only); simulate keystrokes; remap or disable keys; and view keyboard input (under Windows NT, only keystroke simulation is implemented). Using the services provided by the server and the GUI client, the attacker can query the screensaver, BIOS and shared-resource passwords, and make folders shareable.
The Trojan can also delete the HKLM\Software key from the registry. If this is done, programs slowly fail and, when the system is restarted, it shows the installation screen and asks for a serial number; the installation will not proceed from there.
SubSeven
Since its debut in February 1999, SubSeven has become a favorite tool of intruders targeting Windows machines.
It is a RAT (Remote Administration Tool) that provides more attack options than other Trojans such as Back Orifice or NetBus. The SubSeven Trojan consists of three programs: the SubSeven server, the client and the server editor. It has DDoS potential and, like other Trojans, SubSeven can also be used as a perfectly benign remote administration program.
The server must be run on the target computer to allow the attacker's computer to connect to it and gain total access. The server editor (the EditServer program) configures the infection characteristics: whether the compromised system should send an email or ICQ notification to the attacker when the target is online, whether the program should "melt server after installation", and which ports the attacker can use to connect to the server. Once installed, SubSeven's friendly user interface lets the attacker easily monitor the victim's keystrokes, watch the computer's webcam, take screenshots, eavesdrop through the computer's microphone, control the mouse pointer, read and write files, and sniff traffic off the victim's local network.
The address book feature makes it possible to check whether a victim is presently online; the process manager allows aborting any running process on the victim's computer; "text2speech" lets the attacker type text that is then spoken aloud on the victim's computer; and the attacker can completely take over a victim's ICQ account.
A SubSeven server can also be programmed to announce itself over ICQ or Internet Relay Chat (IRC), and groups of servers can be remotely controlled as one. That makes the program particularly useful for launching distributed denial of service (DDoS) attacks, in which constellations of systems are simultaneously directed to flood a single site with an overwhelming volume of traffic, as happened to Yahoo!, CNN.com and other online giants in February 2000. More damaging features of SubSeven are the port redirector and the port scanner. The port redirector allows an attacker to use the victim's system to launch attacks against other systems by configuring ports on the infected computer to point to new targets. The port scanner feature turns the infected machine into a personal port scanner that can be used to gain access to the corporate LAN and disguise the origin of the attacks.
The new version of SubSeven offers script kiddies increased flexibility in the user interface, a revamped mechanism for customizing the server, and for the first time runs smoothly on Windows NT and Windows 2000. The client is not backward compatible with previous versions of the program. SubSeven 2.2 signatures will likely be integrated quickly into antivirus updates.
Back Orifice 2000 (BO2K)
BO2K was written by DilDog of the Cult of the Dead Cow. Many of the commands that BO2K comes with were directly ported from Sir Dystic's original Back Orifice source code. Its documentation says that it was written with a two-fold purpose: "To enhance the Windows operating system's remote administration capability and to point out that Windows was not designed with security in mind."
BO2K is an almost complete rewrite of the original Back Orifice. By default, BO2K can talk over TCP as well as UDP, and supports strong encryption through plug-ins. It has added functionality in the areas of file transfer and registry handling. It has hacking features, such as dumping certain cached passwords, and it can be configured to be stealthy.
Like other Trojans, Back Orifice is a client/server application that allows the client software to monitor, administer, and perform other network and multimedia actions on the machine running the server. To communicate with the server, either the text-based or the GUI client can be run on any Microsoft Windows machine.
The BO2K server installed without any plug-ins is about 100 KB and leaves a small footprint. The client software is about 500 KB. The whole suite fits on a single 1.44 MB floppy disk. BO2K 1.0 currently runs on Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000 and Windows XP systems. All of the various parts of the BO2K suite have been tested and found to be working on all of these platforms. At the moment it runs only on Intel platforms.
To install the server, the target must execute it on his machine. When the server executable is run, it installs itself and then deletes the original file, which makes it virtually hidden. Once the server is installed on a machine, it is started every time the machine boots. If the target is already running a server, the attacker can simply upload the new version of the server to the remote host and use the Process spawn command to execute it. When run, the new server automatically kills any program running under the filename it intends to install itself as, installs itself over the old version, runs itself from its installed location, and deletes the update executable that was run.
The attacker can configure the server before installation using the boconf.exe utility. This includes the filename that Back Orifice installs itself as, the port the server listens on, and the password used for encryption. If the server is not configured, it defaults to listening on port 31337, using no password for encryption (packets are still encrypted), and installing itself as " .exe" (space dot exe).
The client communicates with the server via encrypted UDP packets. Back Orifice can communicate over any available port, so if the firewall lets through any UDP packets at all, two-way communication can be established. If packets are being filtered or a firewall is in place, it may be necessary to send from a specific port that will not be filtered or blocked. Since UDP is connectionless, the packets might be blocked on their way to the server, or the return packets might be blocked on their way back to the client. For file transfers originating at the remote machine, Back Orifice can use TCP to send data out through the firewall.
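As an added detection example (not code from the original page or from BO2K itself), the following Python script applies the two defaults described above, the UDP/31337 listening port and the " .exe" install name, to constructed firewall log lines and a constructed process listing. The log line format, IP addresses and process names are assumptions; a server reconfigured with boconf.exe to use a different port or filename would not match these checks, so this is a baseline for a defender, not a complete detection.

```python
import re
from typing import Dict, List, Optional

# Default BO2K listening port as stated on the page. It is configurable, so a
# match on this port is only a baseline indicator.
BO2K_DEFAULT_PORT = 31337

# Constructed firewall log lines in an assumed format (not from any real product).
SAMPLE_FIREWALL_LOG = """\
2000-03-01 10:02:11 ALLOW UDP 10.0.0.5:1040 -> 10.0.0.20:31337 len=48
2000-03-01 10:02:12 ALLOW UDP 10.0.0.20:31337 -> 10.0.0.5:1040 len=64
2000-03-01 10:03:00 ALLOW TCP 10.0.0.5:1041 -> 10.0.0.20:80 len=520
2000-03-01 10:05:42 DROP UDP 192.168.1.9:2222 -> 10.0.0.7:53 len=70
2000-03-01 10:06:10 ALLOW TCP 10.0.0.5:1042 -> 10.0.0.20:31337 len=60
"""

# Constructed process listing; " .exe" is the BO2K default install name.
SAMPLE_PROCESSES = ["explorer.exe", " .exe", "notepad.exe", "winlogon.exe"]

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_bo2k_traffic(log_text: str, port: int = BO2K_DEFAULT_PORT) -> List[Dict[str, str]]:
    """Return UDP records where either endpoint uses the given port.

    Both directions are checked because the request and the reply can be
    blocked independently; a single direction is still worth an alert.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        if int(rec["sport"]) == port or int(rec["dport"]) == port:
            hits.append(rec)
    return hits


def suspicious_process_names(names: List[str]) -> List[str]:
    """Flag executables whose name before ".exe" is empty or only whitespace."""
    flagged = []
    for name in names:
        base, dot, ext = name.rpartition(".")
        if dot and ext.lower() == "exe" and base.strip() == "":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for rec in find_bo2k_traffic(SAMPLE_FIREWALL_LOG):
        print(f"{rec['ts']} {rec['action']} UDP {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']}")
    print("suspicious process names:", suspicious_process_names(SAMPLE_PROCESSES))
```

Only UDP records are matched because the page describes UDP as the command channel; the TCP line to port 31337 in the sample is deliberately left unmatched to show the protocol filter. A real deployment would pair these checks with the per-boot persistence and the self-deleting installer described above rather than rely on the default port alone.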
Actions are performed on the server by sending commands from the client to a specific IP address. Back Orifice can sweep a range of IP addresses and network blocks to hunt for installations of its server software. Servers can be located using the sweep or sweeplist commands from the text client, from the GUI client's "Ping" dialog, or by entering a target IP. If, while sweeping a list of subnets, a server machine responds, the client looks in the same directory as the subnet list and displays the first line of the first file it finds named after that subnet.
It must be noted that Back Orifice does not rely on the user for its installation; it simply needs to be run. It takes advantage of some actual exploits in Windows OS functionality. This yields several ways the program could be run on a Windows computer, not only without the user's approval, but without the user's knowledge.
BO Peep - This plugin gives you streaming video of the screen of the machine the server is running on. It also provides remote keyboard and mouse access.
Serpent Encryption - A very fast implementation of the non-export-restricted 256-bit SERPENT encryption algorithm.
CAST-256 Encryption - This internationally available plugin provides strong encryption using the CAST-256 algorithm.
IDEA Encrypt - This internationally available plugin provides strong encryption using the IDEA algorithm (128-bit encryption).
RC6 Encryption - This internationally available plugin provides strong encryption using the RC6 algorithm (384-bit encryption).
STCPIO - A TCPIO communications plugin with an encrypted flow control system that makes BO2K TCP traffic virtually impossible to detect.
Rattler - Notifies a specified user of the whereabouts of a Back Orifice 2000 server via e-mail. Rattler sends an e-mail each time it detects an IP address addition or modification.
rICQ - A plugin for Back Orifice 2000 that operates in a similar fashion to Rattler, except that the notification message is sent via ICQ's web pager service.
Butt Trumpet 2000 - Once installed and started, this BO2K plugin sends you an email with the host's IP address. A nice alternative to Rattler.
BoTool - Provides a graphical file browser and registry editor for the BO2K interface, making common tedious BO2K tasks point-and-click simple.