White Scorpion
Feb 8 2005, 08:20 PM
Hi all, I have just finished writing a basic backdoor for Windows NT/2000/XP. The backdoor listens on port 31337 and spawns a command shell when connected. The backdoor makes itself start up automatically with Windows regardless of where you put it or how you might rename it. It is open source and it is available at my site here (source is included in the zipfile). **I'm not responsible for what you do with this program, i have written this program for people who are responsible and ethical, not for some crazy kiddie who thinks it is fun to take over (and destroy) someone's computer without the owner's knowledge!** For the rest, have fun with it. Regards, White Scorpion
ash^
Feb 8 2005, 10:01 PM
Works great, well done. If you could set a default password that would be a lot more useful for everyone, i think, to keep control over remote computers (computers at work/home/friends/etc), but still very nice.
vnet576
Feb 8 2005, 11:44 PM
White Scorpion, it's a good post, it just belongs in the windows section... not general security.
White Scorpion
Feb 9 2005, 06:48 AM
QUOTE
White Scorpion, its a good post, just belongs in the windows section..not general security.

sorry about that. as for the default password, i had it in there at first, but i decided it would be better to let the user decide for himself, but if you want i will attach a version WITH password. password is "Access Granted". have fun with it
Pro21
Feb 9 2005, 10:58 AM
Why not use the windows service library to start the backdoor? Putting the backdoor in the registry run key is not very good, but it's a new asm code
White Scorpion
Feb 9 2005, 11:31 AM
can you tell me more about the service library?
i don't think i ever heard of it before. all i can think of for starting up are several registry keys, the autoexec.bat and the startup folder which each user has...
B3T4
Feb 9 2005, 11:37 AM
nice work man, and already got it into ASM...thumbs up !
btw, when i download the file i get an AV warning by NOD32 (see attachment) but when i scan the zipfile it can't find anything...
White Scorpion
Feb 9 2005, 11:41 AM
QUOTE(B3T4 @ Feb 9 2005, 06:37 AM)
nice work man, and already got it into ASM...thumbs up ! btw, when i download the file i get an AV warning by NOd32 (see attachment) but when i scan the zipfile it cant find anything...

can you try the download from my site here? it contains the same program but without the password option. I hope it was just a mistake and that my program still isn't detected by AV, since that would be a real bummer (it only went online 12 hours ago)!
B3T4
Feb 9 2005, 11:46 AM
I'm sorry to say it's also picked up there, but when i scan backdoor.exe it is undetected!
White Scorpion
Feb 9 2005, 11:52 AM
that really S*CKS! glad i still have a personal version which i do not make public ;-) perhaps it is time to pack the program so that it can be used again  gimme 10 minutes and i will re-upload the non-password version with a simple encryption routine, try again then please  [edit] will take a bit longer.... have a mysterious problem with the encryption... after encrypted program starts, put registry settings, spawns shell but then closes itself..... must have done something wrong... also i'm at work so haven't really got the time to figure it out  ...
bjoernfun
Feb 9 2005, 12:47 PM
My AV didn't find your tool. (McAfee 8.0 + W2k SP4)
The version without password works fine, i only reorgnised that the backdoor uses a lot of CPU time when you connect to it.
The password version crashed when i try to enter the password. Take a look at the picture. By the way, reassembling works without any problem.
ScuD
Feb 9 2005, 01:01 PM
thx mate gonna check it out  and mod it a bit when i'm not glad with it  grtz
White Scorpion
Feb 9 2005, 03:57 PM
QUOTE
The Password Version crashed, when i try to enter the password. Take a look a the picture. By the way, reassembling works without any problem.

it doesn't crash.. if you enter the correct password you can continue, otherwise the connection is closed... it was intended that way. what did you mean by reorganizing, what did you change?
jead99
Feb 9 2005, 07:20 PM
First of all i want to thank you for sharing the source, however i do have a question.
QUOTE
gimme 10 minutes and i will re-upload the non-password version with a simple encryption routine, try again then please

Just curious about what you're going to encrypt and why?
White Scorpion
Feb 9 2005, 08:06 PM
the code itself (pack it), and because it then won't be found by AV anymore.
IDESpinner has written a nice video tutorial about manual packing, read it if you're interested...
JonJon
Feb 9 2005, 08:07 PM
very nice  liked your site also... just to let you know.. there are a lot of AV guys hanging out around here that can get your backdoor detected in a couple of mins and when he said the service library i believe he meant Windows Services...
nolimit
Feb 10 2005, 04:03 AM
QUOTE(White Scorpion @ Feb 9 2005, 11:31 AM)
can you tell me more about the service library? i don't think i ever heared of it before. all i can think for starting up are several registry keys, the autoexec.bat and the startup folder which each user has...

The Windows Service Manager is the best way to run dedicated applications, as it can run without a user logged in and it attempts to keep the exe running even if it crashes etc. I run all my applications using it; however, because your code is in asm it might be a bit difficult to modify your application to accept Server Control Events. Anyways, just start reading here and have a ball: http://msdn.microsoft.com/library/en-us/dl...e_functions.asp
bjoernfun
Feb 10 2005, 05:42 AM
QUOTE(White Scorpion @ Feb 9 2005, 03:57 PM)
QUOTE
The Password Version crashed, when i try to enter the password. Take a look a the picture. By the way, reassembling works without any problem.
it doesn't crash.. if you enter the correct password you can continue, otherwise connection is closed... it was intended that way

I got no chance to enter the pass correctly. After i enter "A" the connection closes... (see the picture)
White Scorpion
Feb 10 2005, 06:41 AM
QUOTE
I got no change to enter the pass correct. Afte i enter "A" the connection closed ...(see the picture)

which OS are you running? i've tested the version that i have uploaded on windows 2000, XP and 2003 server, works fine... please provide me with more details, since then i might be able to solve your problem. As for the service library, well i know i can start some apps as a service, but i am planning to add code to hook the API listing the registry keys. to make a long story short, i am working on code that can hide the registry key from being seen by regedit etc. this is why i chose the registry.
SkitZZ
Feb 10 2005, 07:41 AM
hey white scorpion nice work  just for the record tested the passworded backdoor on win 2000 sp4 and xp sp2 works just fine. SkitZZ
White Scorpion
Feb 10 2005, 11:37 AM
thanks for the info SkitZZ, i think he might be using Windows 98... and this can be a problem...
nolimit
Feb 10 2005, 02:12 PM
QUOTE(White Scorpion @ Feb 10 2005, 06:41 AM)
As for the service library, well i know i can start some App's as a service, but i am planning to add code to hook the API listing the registry keys. to make a long story short, i am working on code that can hide the registry key from being seen by regedit etc. this is why i choose for the registry.

Why hook the registry key when it only starts when a user is logged in to the computer? This backdoor on server farms, or any other environment in which the user isn't logged in, is useless. All you really need to do to make a service app work is get the function address of a function that handles the events, then pass it in the functions. It's actually probably not that hard even for asm. Cheers
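The Run key that the thread keeps coming back to is also the first place a defender looks: whatever the binary is renamed to, its autostart entry is visible in a plain `reg query` of the Run keys. The following Python is an added example, not code from the thread or from White Scorpion's tool. It parses constructed `reg query` output (the two key paths are the real Run keys; the value names, paths and the Temp-directory entry are made up for the sample) and flags entries that run from user-writable locations or borrow a system binary's name. The trusted-root list and environment-variable defaults are assumptions for the demo.

```python
r"""Triage Windows Run-key autostart entries from `reg query` output.

Added example, not code from the thread. Parses the text that
`reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and the
HKCU equivalent) print, then scores each entry by where its executable lives.
"""
import re

# Constructed sample of `reg query <Run key>` output. Value names, paths and
# the Temp-directory entry are made up for this demo; the key paths are real.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    svchost    REG_SZ    C:\Users\alice\AppData\Local\Temp\svchost.exe
"""

# reg query leaves REG_EXPAND_SZ variables unexpanded; assumed default values.
ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows",
       "%programfiles%": r"C:\Program Files"}
# Assumed "normal" install roots for this workstation; adjust per environment.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_HINTS = ("\\temp\\", "\\downloads\\", "\\public\\")
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}


def parse_reg_query(text):
    """Return [{key, name, type, data}] for every value line under a key header."""
    entries, key = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("HKEY_"):
            key = raw.strip()
            continue
        # reg query separates name / type / data with runs of spaces; value
        # names may themselves contain single spaces, so split on 2+ only.
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if key and len(parts) == 3:
            entries.append({"key": key, "name": parts[0], "type": parts[1], "data": parts[2]})
    return entries


def expand_env(path):
    """Substitute the few %VAR% names in ENV (case-insensitive)."""
    low = path.lower()
    for var, val in ENV.items():
        i = low.find(var)
        if i != -1:
            path = path[:i] + val + path[i + len(var):]
            low = path.lower()
    return path


def executable_path(data):
    """Pull the program path out of a Run value, quoted or not, ignoring arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    m = re.match(r"(.+?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def classify(entry):
    exe = expand_env(executable_path(entry["data"]))
    low = exe.lower()
    base = low.rsplit("\\", 1)[-1]
    reasons = []
    if any(h in low for h in USER_WRITABLE_HINTS):
        reasons.append("runs from a user-writable or temporary directory")
    if base in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
        reasons.append("uses a system binary's name outside %windir%")
    if reasons:
        verdict = "suspicious"
    elif low.startswith(TRUSTED_ROOTS):
        verdict = "ok"
    else:
        verdict = "review"   # per-user installs land here; confirm the publisher
    return {"key": entry["key"], "name": entry["name"], "exe": exe,
            "verdict": verdict, "reasons": reasons}


def audit(text):
    return [classify(e) for e in parse_reg_query(text)]


if __name__ == "__main__":
    for r in audit(SAMPLE_REG_QUERY):
        print(f"{r['verdict']:10} {r['name']:20} {r['exe']}  {'; '.join(r['reasons'])}")
```

On a live machine the input is simply the combined output of `reg query` for the HKLM and HKCU Run keys (and RunOnce, if wanted); the parser does not depend on which key produced a line, so more keys can be appended to the same text.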
Pro21
Feb 10 2005, 02:27 PM
Thx nolimit, what can I add on the service way? nothing. Hm, with the service library you can set up the permissions on the service directly. So I think it is the best way to start a backdoor, but why not add a function that starts a new backdoor session when a user is logged on the system, so you can have the same rights as the user, but it's a little bit more difficult. Good luck
White Scorpion
Feb 10 2005, 07:24 PM
those ideas are nice and perhaps a good idea for future backdoors (read more advanced), but i wanted to make this backdoor as simple as possible  maybe soon i will release another which has more options and more power
fulvioo
Feb 11 2005, 03:36 AM
Looks great and simple. Perfect for people who want to learn ASM from some code.
I changed some options I wanted here and it compiled just fine with masm32.
Since IDEspinner left some holes in his video tutorial (he did it so ppl don't get lazy and search for what is missing), and the code is pretty small like the one he used, we could make another manual packing tutorial example. What do you think?
bjoernfun
Feb 11 2005, 05:28 AM
QUOTE(White Scorpion @ Feb 10 2005, 06:41 AM)
QUOTE
I got no change to enter the pass correct. Afte i enter "A" the connection closed ...(see the picture)
which OS are you running? i've tested the version that i have uploaded on windows 2000, XP and 2003 sever, works fine... please provide me with more details since then i might be able to solve your problem

windows 2000 SP4 + current patch level (08.02.05) + McAfee Enterprise Edition 8.0i
White Scorpion
Feb 11 2005, 07:06 AM
QUOTE
Since IDEspinner left some holes on his video tutorial (he did it for ppl don't get lazy and search for what is missing), and the code is pretty small as he used, we could make another manual packing tutorial example. What you think?

i was already thinking about that, but i do not want the tutorial to look like the one from IDESpinner, since he deserves credit for that tutorial, no one else. Bjoernfun, can you try it while disabling McAfee? i have no experience with McAfee but i've heard several times that it can be a pain in the ass for some programs....
nicolas9510
Feb 11 2005, 10:28 PM
well it looks good, compiles fine, but i get this error:
DNS fwd/rev mismatch: localhost != nicolas
localhost [127.0.0.1] 9510 (?): connection refused
sent 0, rcvd 0: NOTSOCK
didnt see anything about that in source any help? searched forum didnt see anything btw nice stuff white scorpion
setthesun
Feb 12 2005, 06:41 AM
It's Great !
what do you think about putting in some comments for asm beginners?
White Scorpion
Feb 12 2005, 01:20 PM
QUOTE
well it looks good compiles fine but i get this error:
DNS fwd/rev mismatch: localhost != nicolas
localhost [127.0.0.1] 9510 (?): connection refused
sent 0, rcvd 0: NOTSOCK
didnt see anything about that in source any help? searched forum didnt see anything btw nice stuff white scorpion

my guess is you have a firewall, which is a pain in the *ss. try disabling it. if that still doesn't work then i'd like to know more about your computer's configuration. i've almost finished a more powerful (more options) backdoor. this one does have a lot of comments in it. i will post it on the site when i've finished it
nicolas9510
Feb 12 2005, 05:40 PM
yup i think it was that works like a charm  nice work
realloader
Feb 12 2005, 06:56 PM
Detected by Kaspersky!
untouchable
Feb 12 2005, 08:08 PM
thanks a lot for the tool, but F-Secure detects it.... i've got a question... how can i connect locally to the backdoor? with netcat?
nicolas9510
Feb 12 2005, 09:25 PM
not detected by nod32
White Scorpion
Feb 12 2005, 11:41 PM
well, apparently AVs are starting to recognize my tool. try packing it to stay undetected.
you can connect to it via netcat or telnet and if you want to connect to your own computer type:
C:\>telnet 127.0.0.1 31337
or
C:\>nc 127.0.0.1 31337
Bilby
Feb 15 2005, 11:31 PM
QUOTE(bjoernfun @ Feb 10 2005, 05:42 AM)
QUOTE(White Scorpion @ Feb 9 2005, 03:57 PM)
QUOTE
The Password Version crashed, when i try to enter the password. Take a look a the picture. By the way, reassembling works without any problem.
it doesn't crash.. if you enter the correct password you can continue, otherwise connection is closed... it was intended that way
I got no change to enter the pass correct. Afte i enter "A" the connection closed ...(see the picture)

I get the exact same problem: as soon as I type A it closes the connection. I'm running XP SP2, but I see that it's been tested on that platform with SP2, so it's got me beat...
SkitZZ
Feb 16 2005, 06:24 AM
had to turn off kaspersky but it still works, dont know why its not working for you
CODE
D:\>nc -v -n 127.0.0.1 31337
(UNKNOWN) [127.0.0.1] 31337 (?) open
Enter Password: Access Granted
Basic Backdoor - Written by White Scorpion (C) 2005
******* http://www.white-scorpion.nl ********
Close CommandPrompt with 'exit' <enter>.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>exit
D:\>
SkitZZ
White Scorpion
Feb 16 2005, 06:43 AM
i figured out what the problem is. use netcat (nc) instead of telnet, this will solve it. telnet sends data one character at a time, while netcat waits until you press enter. try nc and you will see you can log in fine
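The telnet-versus-netcat difference diagnosed above is a general socket-programming pitfall rather than something specific to this tool: one `recv()` does not correspond to one line, so a prompt that treats the first chunk as the whole answer rejects any client that does not line-buffer, and the same assumption breaks protocol parsers in any hand-written network service. The following Python is an added example, not the thread's code; the password string is the one quoted in the thread, and the client simulation, byte limit and helper names are constructed for the demo.

```python
"""Line framing for a socket prompt (added example, not the thread's code).

telnet sends each keystroke as it is typed; nc sends the whole line after
Enter. A server that assumes "one recv() == one line" therefore sees "A" from
telnet and closes the connection, which is the symptom reported in the thread.
Accumulating bytes until a newline makes the prompt client-agnostic.
"""
import socket

PASSWORD = "Access Granted"   # the password quoted in the thread


def read_line(recv, limit=256):
    """Collect bytes from recv() until a newline; return the line without CR/LF.

    Stops early if the peer closes or if more than `limit` bytes arrive with
    no newline, so an unframed client cannot make the server buffer forever.
    """
    buf = bytearray()
    while b"\n" not in buf:
        chunk = recv()
        if not chunk or len(buf) + len(chunk) > limit:
            break
        buf += chunk
    line, _, _leftover = bytes(buf).partition(b"\n")   # leftover belongs to the next line
    return line.rstrip(b"\r").decode("latin-1")


def naive_read(recv):
    """The buggy assumption: whatever the first recv() returns is the line."""
    return recv().rstrip(b"\r\n").decode("latin-1")


def chunked_client(chunks):
    """Simulate a peer whose data arrives in the given segments (constructed)."""
    it = iter(chunks)
    return lambda: next(it, b"")     # b"" once exhausted, like a closed socket


# One byte per segment (telnet-like) versus one segment per line (nc-like).
TELNET_STYLE = [bytes([b]) for b in (PASSWORD + "\r\n").encode("latin-1")]
NC_STYLE = [(PASSWORD + "\n").encode("latin-1")]


def check_password(recv):
    """Framed comparison: works for both client styles."""
    return read_line(recv) == PASSWORD


if __name__ == "__main__":
    # Real sockets behave the same way; socketpair() stands in for a TCP connection.
    server, client = socket.socketpair()
    client.sendall((PASSWORD + "\n").encode("latin-1"))
    print("nc-style over a real socket :", check_password(lambda: server.recv(64)))
    print("naive read, telnet-style    :", repr(naive_read(chunked_client(TELNET_STYLE))))
    print("framed read, telnet-style   :", repr(read_line(chunked_client(TELNET_STYLE))))
    server.close()
    client.close()
```

The `recv` callable is the only thing the reader depends on, so the same `read_line` is used unchanged against a real socket (`lambda: sock.recv(64)`) and against the constructed chunk sequences; the byte limit is the part hand-written prompts most often forget.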
Bilby
Feb 16 2005, 07:44 AM
QUOTE(White Scorpion @ Feb 16 2005, 06:43 AM)
i figured out what the problem is. use netcat (nc) instead of telnet, this will solve it. telnet sends data one character at the time, while netcat waits until you press enter. try nc and you will see you can login fine

Thanks for the reply mate, will start using nc to connect
cSb
Feb 17 2005, 05:26 AM
Have you thought about using cryptcat? I just wrote a loader program to ask for a password and then it loaded cmd.exe using netcat's "-e" command. It works fine with netcat, but cryptcat was giving me a lot of problems.
White Scorpion
Feb 17 2005, 06:36 AM
QUOTE
Have you thought about using cryptcat? I just wrote a loader program to ask for a password and then it loaded cmd.exe using netcat's "-e" command. It works fine with netcat, but cryptcat was giving me a lot of problems.

not directly, but i have thought about using encrypted traffic. but i'm still working on it.
TedOb1
Feb 18 2005, 10:26 PM
real nice work White Scorpion.
fulsik
Feb 19 2005, 03:27 AM
Works fine but it's a bit buggy, e.g. typing dir c:\ lags a bit, but other than that it's ok; any way to improve the lag would be nice. also an option to set the port, because my firewalls usually block most ports and i don't want to open
White Scorpion
Feb 19 2005, 11:26 AM
i saw it had a problem with large directories... i've fixed that in the new version, but i don't think i will be releasing it soon... here's the result of this backdoor: here. although it is nice to see a part of my nick in there, i don't want my new backdoor to be detected like this. i think the new one will be packed before i release it. btw, you can change the port very easily by reassembling it with masm32.
dw-chow
Feb 20 2005, 04:41 AM
AVG will find it and pick it up as:
BackDoor.Small.6.BT
tried google to find that string, had 0 hits.
White Scorpion
Feb 20 2005, 11:59 AM
i saw it, i did exactly the same ;-) i've tried uploading it to http://virusscan.jotti.org/ but AVG already complained while trying to upload it... but if you manage to upload it, AVG won't recognize it on that site....
illwill
Feb 20 2005, 03:09 PM
invoke GetModuleFileNameA, 0, addr Dirbuff, 255
invoke GetShortPathNameA, addr Dirbuff, addr Dirbuff, 255
White Scorpion
Feb 20 2005, 06:32 PM
QUOTE(illwill @ Feb 20 2005, 10:09 AM)
invoke GetModuleFileNameA, 0, addr Dirbuff, 255
invoke GetShortPathNameA, addr Dirbuff, addr Dirbuff, 255

i don't get it, what do you want to say with it? i used
CODE
.DATA?
CommandLine LPSTR ?

.CODE
invoke GetCommandLine
mov CommandLine, eax

gives exactly the same result.... i really don't get it
CODE
.586
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.DATA
AppName db "White Scorpion", 0

.DATA?
CommandLine LPSTR ?
Dirbuff db 255 dup (?)

.CODE
start:
    ; full path of the running module, in its long file name form
    invoke GetModuleFileNameA, 0, addr Dirbuff, 255
    invoke MessageBox, NULL, addr Dirbuff, addr AppName, MB_OK

    ; the same path converted in place to its DOS 8.3 short form
    invoke GetShortPathNameA, addr Dirbuff, addr Dirbuff, 255
    invoke MessageBox, NULL, addr Dirbuff, addr AppName, MB_OK

    ; the raw command line as the process received it (quoting and
    ; arguments included, in whatever form the parent used to launch it)
    invoke GetCommandLine
    mov CommandLine, eax
    invoke MessageBox, NULL, CommandLine, addr AppName, MB_OK

    invoke ExitProcess, 0
end start
DumpZ
Feb 21 2005, 10:35 AM
Well, if i were you i would upload it to online virus scanners; just install a few AVs locally, because i don't really trust those online things and it would be a shame to let an AV mess up your nice backdoor
illwill
Feb 21 2005, 04:23 PM
if you notice, the dir name is DOS 8.3 compatible. i thought that's what you needed, the dirs with no spaces