- Posts: 1700
- Thank you received: 0
Reverse Trojans
20 years 3 months ago #2325
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Reverse Trojans
This discussion got me thinking about reverse connect for systems using dynamic ips. The situation obviously becomes more difficult because the trojan does not have a fixed IP to connect to.
So I've dug up the source of a really tiny client/server trojan type of program I wrote a couple of years ago called Perihelion (nope your antivirus scanner won't catch it
) in its original form it has no reverse connect jazz.
Anyway as a sort of proof of concept lets modify it to reverse connect but to a dynamic IP. I've been thinking of ways the trojan can learn the IP of its master. So far I'm working on the simple idea of a perl script, that is running on a website (maybe hosted at some free webspace provider) the master when run will automatically post its IP to this perl script, which in turn just writes it to a publicly accessible file. The trojan keeps monitoring this file and attempting to connect to that IP.
The other option is one that is used more frequently, where the trojan logs into an IRC channel and sits there broadcasting its ip and waiting for the master to join the channel, however this is not a strict reverse connect, and IRC ports may be blocked.
Anyway, being the free spirit I am, I'm providing the source of both the client and server for anyone who wants to try and figure out a proof of concept reverse connect trojan based on dynamic IPs.
I understand that a number of grade-A idiots would love to use the trojan for their own malicious purposes, so I've chucked out all the fancy code that hides it. in other words, the trojan will run in a nice dos box, and wont hide its process at all.. The way I see it, if you're smart enough to add that code yourself, you'd be able to write this in half an hour anyway and wouldn't find it useful.
Perihelion client
Perihelion server
To illustrate the point pertaining to our discussion, something as inane as this -- which cannot be detected by any virus scanner (either on the infected machine or at the MTA), can be wrapped to another legit program and then emailed around. Someone runs it, no alarms will be triggered... no IDS will be alerted, nothing... the attacker gets almost full command line access without having to resort to any exploits or misconfigurations.
So I've dug up the source of a really tiny client/server trojan type of program I wrote a couple of years ago called Perihelion (nope your antivirus scanner won't catch it
) in its original form it has no reverse connect jazz.Anyway as a sort of proof of concept lets modify it to reverse connect but to a dynamic IP. I've been thinking of ways the trojan can learn the IP of its master. So far I'm working on the simple idea of a perl script, that is running on a website (maybe hosted at some free webspace provider) the master when run will automatically post its IP to this perl script, which in turn just writes it to a publicly accessible file. The trojan keeps monitoring this file and attempting to connect to that IP.
The other option is one that is used more frequently, where the trojan logs into an IRC channel and sits there broadcasting its ip and waiting for the master to join the channel, however this is not a strict reverse connect, and IRC ports may be blocked.
Anyway, being the free spirit I am, I'm providing the source of both the client and server for anyone who wants to try and figure out a proof of concept reverse connect trojan based on dynamic IPs.
I understand that a number of grade-A idiots would love to use the trojan for their own malicious purposes, so I've chucked out all the fancy code that hides it. in other words, the trojan will run in a nice dos box, and wont hide its process at all.. The way I see it, if you're smart enough to add that code yourself, you'd be able to write this in half an hour anyway and wouldn't find it useful.
Perihelion client
Perihelion server
To illustrate the point pertaining to our discussion, something as inane as this -- which cannot be detected by any virus scanner (either on the infected machine or at the MTA), can be wrapped to another legit program and then emailed around. Someone runs it, no alarms will be triggered... no IDS will be alerted, nothing... the attacker gets almost full command line access without having to resort to any exploits or misconfigurations.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 3 months ago #2350
by Neon
Replied by Neon on topic Re: Reverse Trojans
sahirh,
you can also get a free domain name @ www.no-ip.com
Nice thing about it, is it's FREE also you can download a utility (Both Windows, *nix & MACs) to keep your dns up to date with a dynamic IP address. I use this alot to keep track of my computer when I'm away from home and I use dial up so the IP constantly changes.
And that also assumes that programs will be able to use DNS resolution, which I'm sure most of them can or be programmed to do
you can also get a free domain name @ www.no-ip.com
Nice thing about it, is it's FREE also you can download a utility (Both Windows, *nix & MACs) to keep your dns up to date with a dynamic IP address. I use this alot to keep track of my computer when I'm away from home and I use dial up so the IP constantly changes.
And that also assumes that programs will be able to use DNS resolution, which I'm sure most of them can or be programmed to do
20 years 3 months ago #2351
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Reverse Trojans
Very useful info Neon, thanks ! I'm just signing up. Yep the program can be changed to deal with the DNS really easily, just a simple gethostbyname call which I should have added anyway
This no-ip thing is quite neat ! Maybe I'll even host a wargame off my box, where I'll set up a system, and then everyone who wants to try and break into it can try (god why am I saying these things). Of course it would only be able to run during certain fixed hours in the day as I connect on dialup. Anyway its something to think about.. the firewall.cx wargame.
Well you basically solved the whole reverse connect using dynamic IP problem (lol without writing a single line of code)... and there I was.. trying to work out some incoherently complex way of working it out.
Neon wins the firewall.cx security forum gold star for this week.
This no-ip thing is quite neat ! Maybe I'll even host a wargame off my box, where I'll set up a system, and then everyone who wants to try and break into it can try (god why am I saying these things). Of course it would only be able to run during certain fixed hours in the day as I connect on dialup. Anyway its something to think about.. the firewall.cx wargame.
Well you basically solved the whole reverse connect using dynamic IP problem (lol without writing a single line of code)... and there I was.. trying to work out some incoherently complex way of working it out.
Neon wins the firewall.cx security forum gold star for this week.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Time to create page: 0.149 seconds