- It is a companion virus that can spread over the network.
- It also has a "backdoor" that enables a remote user to connect to and control the computer using port 7597.
- It may have originally been sent out by email.
- Renames Notepad to note.com.
- Modifies the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
- Tini is a very tiny Trojan program, only 3 KB in size and written in assembly language. It needs minimal bandwidth to reach the victim's computer and takes very little disk space.
- Tini only listens on port 7777 and runs a command prompt when someone attaches to this port. The port number is fixed and cannot be customized, which makes an infected system easier to detect by scanning for port 7777.
- From a Tini client you can telnet to the Tini server on port 7777.
- Outbound or inbound connections, TCP or UDP, to or from any port
- Ability to use any local source port
- Ability to use any locally configured network source address
- Built-in port-scanning capabilities, with randomizer
- Built-in loose source-routing capability
Donald Dick is a tool that enables a user to control another computer over a network. It uses a client/server architecture with the server residing on the victim's computer. The attacker uses the client to send commands through TCP or SPX to the victim, which listens on a predefined port. Donald Dick uses default port 23476 or 23477.
- SubSeven is a backdoor program that enables others to gain full access to Windows 9x systems through a network connection.
- The program consists of three different components: a client (SubSeven.exe), a server (Server.exe) and a server configuration utility (EditServer.exe).
- The client is a GUI used to connect to the server through a network or Internet connection.
Since its debut in February 1999, SubSeven has become a favorite tool of intruders targeting Windows machines.
It is a RAT (Remote Administration Tool) that provides more options for attack than other Trojans like Back Orifice or NetBus. The SubSeven Trojan consists of three programs: the SubSeven server, the client and the server editor. It has DDoS potential and, like other Trojans, SubSeven can also be used as a perfectly benign remote administration program.
The server must be run on the target computer to allow the attacker's computer to connect to the machine and have total access to it. The server editor (the EditServer program) helps configure the infection characteristics. This allows the hacker to specify whether the compromised system should send an email or ICQ notification to the attacker when the target is online, whether the program should "melt server after installation", and which ports the attacker can use to connect to the server. Once installed, SubSeven's friendly user interface allows the attacker to easily monitor a victim's keystrokes, watch the computer's web cam, take screen shots, eavesdrop through the computer's microphone, control the mouse pointer, read and write files, and sniff traffic off the victim's local network.
Back Orifice accounts for the highest number of infestations on Microsoft computers.
The BO2K server code is only 100 KB. The client program is 500 KB.
Once installed on a victim PC or server machine, BO2K gives the attacker complete control of the system.
BO2K has stealth capabilities: it will not show up on the task list and runs completely in hidden mode.
BO2K was written by DilDog of the Cult of the Dead Cow. Many of the commands that BO2K comes with were directly ported from Sir Dystic's original Back Orifice source code. The documentation says that it was written with a two-fold purpose: "To enhance the Windows operating system's remote administration capability and to point out that Windows was not designed with security in mind."
BO2K is an almost complete rewrite of the original Back Orifice. By default, BO2K comes with the capability to talk over TCP as well as UDP, and supports strong encryption through plug-ins. It has added functionality in the areas of file transfer and registry handling. It has hacking features, such as dumping certain cached passwords. It can be configured to be stealthy.
Like other Trojans, Back Orifice is a client/server application which allows the client software to monitor, administer, and perform other network and multimedia actions on the machine running the server. To communicate with the server, either the text-based or the GUI client can be run on any Microsoft Windows machine.
The BO2K server installed without any plugins is ~100 KB and leaves a small footprint. The client software is ~500 KB. The whole suite will fit on a single 1.44 MB floppy disk. BO2K 1.0 will currently run on Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, and Windows XP systems. All of the various parts of the BO2K suite have been tested and found to be working on all of these platforms. It only runs on Intel platforms at the moment.
- BO2K functionality can be extended using BO plug-ins.
- BOPeep (complete remote control snap-in)
- Encryption (encrypts the data sent between the BO2K GUI and the server)
- BOSOCK32 (provides stealth capabilities by using ICMP instead of TCP/UDP)
- STCPIO (provides encrypted flow control between the GUI and the server, making the traffic more difficult to detect on the network)
- BO Peep - This plugin gives you streaming video of the screen of the machine the server is running on. It also provides remote keyboard and mouse access.
- Serpent Encryption - A very fast implementation of the non-export-restricted 256-bit SERPENT encryption algorithm.
- CAST-256 Encryption - This internationally available plugin provides strong encryption using the CAST-256 algorithm.
- IDEA Encrypt - This internationally available plugin provides strong encryption using the IDEA algorithm (128-bit encryption).
- RC6 Encryption - This internationally available plugin provides strong encryption using the RC6 algorithm (384-bit encryption).
- STCPIO - TCPIO communications plugin with an encrypted flow control system to make BO2K TCP traffic virtually impossible to detect.
- Rattler - Notifies a specified user of the whereabouts of a Back Orifice 2000 server via e-mail. Rattler sends an e-mail each time it detects an IP address addition or modification.
- rICQ - A plugin for Back Orifice 2000 that operates in a similar fashion to Rattler, except that the notification message is sent via ICQ's web pager service.
- Butt Trumpet 2000 - Once installed and started, this plugin sends you an email with the host's IP address. A nice alternative to Rattler.
- BoTool - Provides a graphical file browser and registry editor for the BO2K interface. Makes common tedious BO2K tasks point-and-click simple.
NetBus was written by a Swedish programmer, Carl-Fredrik Neikter, in March 1998. Version 1.5 in English appeared in April. NetBus apparently received little media attention, but it was in fairly wide use by the time BO was released on 3 August.
NetBus consists of two parts: a client program ("netbus.exe") and a server program often named "patch.exe" (or "SysEdit.exe" with version 1.5x), which is the actual backdoor. Version 1.60 uses TCP/UDP port 12345, which can't be altered. From version 1.70 onwards the port can be configured. If it is installed by a "game" called "whackamole" (file name "whackjob.zip", which contains the NetBus 1.53 server), its name is "explore.exe". There is also a file called whackjob17.zip, which installs the server of NetBus 1.70 and uses port 12631; additionally, it is password protected (password: "ecoli"). The NetBus server is installed by "game.exe" during the setup routine; the name of the server is actually "explore.exe", located in the Windows directory.
To start the server automatically, there is an entry in the registry at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", normally used with the option "/nomsg". If this entry is deleted, the server won't be started with Windows.
The NetBus server is about 4 times as large as the Back Orifice server, and generally less "stealthy". Unlike BO, NetBus is not designed to attach virus-like to legitimate files or applications.
Like BO, the NetBus server can have practically any filename. The usual way it is installed is through simple deception: the program is sent to the victim, or offered on a website, and falsely represented as something it is not. Occasionally it may be included in a setup package for a legitimate application and executed in the process of that setup.
The unsuspecting victim runs the program, either directly or by way of the application used as camouflage, and it immediately installs itself and begins to offer access to intruders.
NetBus will always reveal its presence by way of an open port, viewable with netstat.exe. Because of this, many intruders delete netstat.exe from the victim's hard drive immediately upon gaining access. Creating a copy or two of netstat under other names is a good precaution against its loss. A regular check for the presence of netstat.exe, including the file's size and date, is advisable and is one means of spotting intrusions. Attackers may use BO as a means of installing NetBus on the target system, because NetBus is sophisticated yet easy to use.
Once access is gained, the intruder will often install other backdoors, or FTP or HTTP daemons which open the victim's drive(s) to access, or may enable resource sharing on the Net connection.
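The paragraph above recommends checking that netstat.exe is still present and that its size and date have not changed. The following is an added example (not code from the original page) of such a baseline check: it records size, modification time and SHA-256 for a file, then reports deviations, including the file going missing. For an offline demonstration a temporary file stands in for netstat.exe; on a real system the path would be the one under the Windows system directory.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Size, modification time and SHA-256 of a file: the attributes the text says to check."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def check_against_baseline(path, baseline):
    """Return human-readable deviations from a recorded baseline; an empty list means no change."""
    if not os.path.exists(path):
        return [f"{path} is missing (intruders are known to delete netstat.exe)"]
    current = fingerprint(path)
    return [
        f"{path}: {key} changed from {baseline[key]} to {current[key]}"
        for key in baseline
        if current[key] != baseline[key]
    ]


def demo():
    """Constructed stand-in: a temporary file plays the role of netstat.exe."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "netstat.exe")
    with open(path, "wb") as fh:
        fh.write(b"MZ stand-in binary")       # constructed content, not a real executable
    baseline = fingerprint(path)              # record at a known-good moment

    unchanged = check_against_baseline(path, baseline)

    with open(path, "wb") as fh:              # simulate tampering with the file
        fh.write(b"MZ tampered")
    tampered = check_against_baseline(path, baseline)

    os.remove(path)                           # simulate an intruder deleting the tool
    missing = check_against_baseline(path, baseline)
    os.rmdir(workdir)
    return unchanged, tampered, missing


if __name__ == "__main__":
    for findings in demo():
        print(findings or ["no change"])
```

In practice the baseline dictionary would be written to removable or otherwise protected storage, since a baseline kept on the same disk can be edited by the same intruder who deletes the tool.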
The v1.53 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number.
NetBus v1.53 is not extremely stealthy, but it is certainly functional and effective.
This utility also has the ability to scan "Class C" addresses by adding "+Number of ports" to the end of the target address. Example: 255.255.255.1+254 will scan 255.255.255.1 through .255.
By default, the v1.60 server is named Patch.exe. It may be renamed. Its size is 461K (472,576 bytes). When this program is run, it remains where it is and nothing appears to happen. Unlike v1.53, it can then be deleted uneventfully. However, it is functional: it copies itself to the Windows directory, extracts from within itself a file called KeyHook.dll and activates both programs.
Run without added parameters, v1.60 is persistent; that is, it will execute on its own when the computer is restarted. It makes changes to the Registry; it creates the key
HKEY_CURRENT_USER\PATCH, where PATCH is the filename before the extension; and by default it places a value in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Version 1.60, like v1.53, also creates the Registry keys
HKEY_CURRENT_USER\NETBUS and HKEY_CURRENT_USER\NETBUS\Settings, and places basically the same series of values in the Settings key.
The v1.60 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number.
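Several of the backdoors on this page (the companion virus, NetBus) persist through a value under HKLM\...\CurrentVersion\Run, and the NetBus entry is described as carrying the "/nomsg" switch. The block below is an added example, not code from the page or from any of these tools, that audits an exported copy of that key: it parses a `.reg` export (a constructed sample is embedded) and flags values whose executable name or switches match what the text describes. The file names and the switch are taken from the page; treating "explore.exe" as suspect is deliberate, since it imitates the legitimate explorer.exe.

```python
import re

# Executable names and switches this page associates with backdoor servers.
SUSPECT_NAMES = {"patch.exe", "sysedit.exe", "explore.exe", "server.exe", "game.exe"}
SUSPECT_SWITCHES = {"/nomsg"}

# Constructed sample of a `reg export` of the Run key; not captured from a real machine.
# In .reg files, backslashes inside string values are doubled.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Patch"="C:\\WINDOWS\\Patch.exe /nomsg"
"Explore"="C:\\WINDOWS\\explore.exe"
"""

VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_run_values(export_text, key_suffix="\\CurrentVersion\\Run"):
    """Return {value_name: command} for every string value under keys ending in key_suffix."""
    values = {}
    in_run_key = False
    for line in export_text.splitlines():
        if line.startswith("["):
            # A "[...]" line starts a new key; track whether it is a Run key.
            in_run_key = line.rstrip("]").lower().endswith(key_suffix.lower())
            continue
        match = VALUE_RE.match(line) if in_run_key else None
        if match:
            # Undo the .reg escaping so the command reads as it would in regedit.
            values[match.group(1)] = match.group(2).replace("\\\\", "\\")
    return values


def audit_run_values(values):
    """Flag Run entries whose executable name or switches match the page's indicators."""
    findings = []
    for name, command in values.items():
        tokens = command.lower().split()
        if not tokens:
            continue
        exe = tokens[0].rsplit("\\", 1)[-1]   # basename of the launched program
        if exe in SUSPECT_NAMES:
            findings.append(f"{name}: executable '{exe}' matches a known backdoor server name")
        if SUSPECT_SWITCHES & set(tokens[1:]):
            findings.append(f"{name}: uses the '/nomsg' switch seen with NetBus installs")
    return findings


if __name__ == "__main__":
    for finding in audit_run_values(parse_run_values(SAMPLE_REG_EXPORT)):
        print(finding)
```

Matching on names alone produces false positives when a legitimate product happens to use one of these file names, so treat each finding as a prompt to inspect the file (location, size, date, hash) rather than as proof of infection.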
Among the new features are greatly expanded file-handling capabilities, an interactive message dialog, password setting and other server controls, and new ways to tamper with the keyboard. Most of its tricks are evident from the console display.
NetBus 1.7 was released to the public on 11/14/98. It is basically the same program as version 1.6, but with an ultra-fast port scanner capable of redirecting data to another host and port, an option to configure the server exe with some options such as TCP port and mail notification, the ability to redirect I/O from console applications to a specified TCP port, and restriction of access to only a few IP numbers.
By default, the v1.70 server is named Patch.exe. It may be renamed. Its default size is 483K (494,592 bytes). With configuration added, its size increases, usually by a couple of hundred bytes. By default, the v1.70 server opens two TCP ports numbered 12345 and 12346. It listens on 12345 for a remote client and apparently responds via 12346. It will respond to a Telnet connection on port 12345 with its name and version number. It can, however, be readily configured to use any other virtual port from 1 to 65534. The port configuration can be pre-set by the sender, and/or it can be changed remotely. It will also open the next-numbered port in sequence, which it apparently uses for responses to the client.
"NetBus 2.0 Pro" (often just called "NetBus 2.0"), the latest version of this well-known backdoor program, was released after Spector took over NetBus. The new version is therefore shareware and needs the remote user's permission for installation. However, hackers have released variations such as Retail_10.exe, which fakes an incomplete patch for ICQ. Instead it installs the "NetBus 2.0 Server" in invisible and auto-starting mode. It even deletes the data logged by the server.
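Almost every tool on this page is tied to a fixed or default listening port (7597 for the companion virus backdoor, 7777 for Tini, 23476/23477 for Donald Dick, 12345/12346 and 12631 for NetBus), and the text repeatedly notes that such a listener is visible with netstat. The block below is an added example, not code from the page or from any of these tools, that parses `netstat -an` output as Windows prints it and flags listeners on those ports as well as outbound connections to them. The sample output is constructed for the demonstration; the port table is built only from numbers stated on this page.

```python
import re

# Listening ports this page associates with each backdoor.
KNOWN_BACKDOOR_PORTS = {
    7597: "companion virus backdoor",
    7777: "Tini",
    23476: "Donald Dick",
    23477: "Donald Dick",
    12345: "NetBus",
    12346: "NetBus (response port)",
    12631: "NetBus 1.70 (whackjob17)",
}

# Constructed sample of `netstat -an` output on Windows; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1040      192.168.1.20:7777      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Proto, local addr:port, foreign addr:port, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_port, remote_addr, remote_port, state) for each connection row."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # banner and header lines
        proto, _local_addr, local_port, remote_addr, remote_port, state = match.groups()
        rows.append((proto, int(local_port), remote_addr, remote_port, state or ""))
    return rows


def flag_backdoor_ports(text):
    """Findings for local listeners on known ports and for connections made to them."""
    findings = []
    for proto, local_port, remote_addr, remote_port, state in parse_netstat(text):
        if state == "LISTENING" and local_port in KNOWN_BACKDOOR_PORTS:
            findings.append(
                f"{proto} listener on {local_port}: possible {KNOWN_BACKDOOR_PORTS[local_port]}"
            )
        elif remote_port.isdigit() and int(remote_port) in KNOWN_BACKDOOR_PORTS:
            tool = KNOWN_BACKDOOR_PORTS[int(remote_port)]
            findings.append(
                f"{proto} connection to {remote_addr}:{remote_port}: possible {tool} traffic"
            )
    return findings


if __name__ == "__main__":
    for finding in flag_backdoor_ports(SAMPLE_NETSTAT):
        print(finding)
```

Because NetBus 1.70 and later can be moved to any port, a port list only catches default installs; pair it with the file and registry checks described on this page, and remember that the text also warns intruders may delete netstat.exe itself, so run the check from a known-good copy.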