HOW TO BUILD A TROJAN by Wax

Chapter I   : Getting Started
Chapter II  : The Client
Chapter III : The Server
Chapter IV  : Colofon + Resources

===================================================
CHAPTER I - GETTING STARTED
===================================================

First of all you need a pretty good basic knowledge of the language you are going to write the Trojan in. Since I wrote my (1st) Trojan in VB, this article will mostly describe how to do it in VB, but since it does not provide full source code it can be used for Delphi as well (with some minor modifications). I also advise reading a book or some good quality articles on using the Windows API (David Appleman's API book, e.g.).

Every Trojan consists of 2 parts:

The Server: This is the program that the victim runs; it executes the commands that the client sends to it through an active connection.

The Client: This is the program that the 'administrator' has. It sends command strings to the server so that the server knows what to execute. E.g.: should you press a button that executes a function to open a CD-ROM, the client would use the connection between the client and the server to send a string, e.g. OPENCDROM; the server would then recognize the string and issue the command you have defined for it (in this case: execute the API code to open the CD-ROM drive).

OK, the best thing to do is to start with the CLIENT. First of all you have to make up a plan on which functions you want to have in the Trojan, and how you plan on using them. E.g. in Visual Basic there is an ActiveX (OCX) control that can play sound files or video files, but you can also use the Windows API to play a sound. The advantage of this is that you do not need to include that OCX separately, and it takes less code. Should you want to use the API, it would be something like this:

--
Dim x
x = mciExecute("play c:\sound.wax")
--

But of course you have to declare the DLL you use (winmm.dll) with the Declare statement in VB (read a book on APIs).

OK, in this article I will start with the CLIENT as well; should you want to start with the SERVER first, head on to chapter III (The Server).

===================================================
CHAPTER II - THE CLIENT
===================================================

Assuming you know your language well enough to be able to implement data structures and such, I will describe WHY and HOW to use them.

First you start off with your blank form. Depending on how many functions you want, you can create a number of buttons or a menu (or whatever you think suits best). Here's a sample GUI of how it could look; I've used menus (in the drawing they are unfolded):

 _________________________________________________________
|PROGRAM NAME                                      - [] x |
|FILE          COMMANDS         HELP                      |
|Setup      |  |Shutdown     |  |About |                  |
|Connect    |  |Reboot       |  |Help  |                  |
|Disconnect |  |Open Cd-Rom  |  |------|                  |
|Exit       |  |Close Cd-Rom |                            |
|-----------|  |-------------|                            |
|                                                         |
|_________________________________________________________|

Throughout this chapter I will refer to menu functions; you can see it when I use the word in full capitals and between apostrophes ('..').

At 'FILE' -> 'SETUP' you can make a setup dialog, in which users define the IP of the computer to connect to, as well as the PORT on which the server is listening to receive commands.

At 'FILE' -> 'CONNECT' the command to connect to the server is issued. Make sure to keep the user informed of the connection as well as the connecting process, e.g. by placing a label which updates every 3 seconds with the current Winsock status, so that they know whether they are connected or not.

[ASCII drawing by aTm]

At 'FILE' -> 'DISCONNECT' the command to disconnect from the server is issued; at this one too, make sure it is clearly noticeable that you are disconnected from the server.

And of course at 'FILE' -> 'EXIT' you can exit the program.

At 'COMMANDS' -> '...' you can add the commands to be executed, but more on that in the technical part of the client.

At 'HELP' -> 'ABOUT' you can put your own credits, and of course some credits for me, since you have used this guide to create your Trojan :)

OK, now you know the basics of the GUI. Of course you can always use graphics, or any other type of GUI, but make sure it is a GUI, or an optional GUI, since most users nowadays are Windows users. (There's a complicated GUI drawing at the end of the file.)

Now for the 'Technical' part of the Client: sending the commands to the server.

This will be done using Winsock's SendData command. Say you'd want to send the following string to the server: CD-ROMOPEN. Then in VB you'll need to type:

--
Winsock1.SendData "CD-ROMOPEN"
--

To make sure there is a connection you can use an IF..THEN statement to check the Winsock's state, like this:

--
If Winsock1.State = sckConnected Then
    Winsock1.SendData "CD-ROMOPEN"
Else
    MsgBox "You're not connected!", vbCritical
End If
--

OK, this is the client. It is not that hard, and by using the above system to send strings you can let the Trojan's server recognize them and issue the attached code on the victim's computer.

===================================================
CHAPTER III - THE SERVER
===================================================

Now for the server. The server is the hardest part of the Trojan since there are a lot of things it has to match. I will try to make a complete list of what it should, or should not, do:

* Not visible on the user's screen
* Not visible on the task list (CTRL-ALT-DEL list)
* Have a name that is not easily recognized
* Auto-starting at startup (through the registry, e.g.)
* Not use much system power (RAM)

Below is the code for a registry file which will add its key and value to the registry so that the server is started every time Windows starts (the exe has to be in the Windows or System directory):

--
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trojan"="Trojan.exe"
--

Of course in your own file you might want to change the name of the key from "Trojan" to e.g. Taskman or Word or something the user won't be suspicious about. The executable in the Windows or System directory needs to have an unsuspicious name too; you could make it _.exe or something, with a 100% transparent icon so users look over it.

Now there's not much of a GUI for the server, so I'll skip that part.

[ASCII drawing by aTm]

Technical:

A Winsock control on the server needs to have a certain port specified, and it must also be listening on it and accepting all incoming connections on that port. In VB that would be:

--
Winsock1.LocalPort = 333
Winsock1.Listen
--

Now comes the core engine of the Trojan: receiving and handling the incoming data from the client. In Winsock's DataArrival event you have to use the statement Winsock1.GetData data, but of course first you must Dim the data as a String. Then you use a Select Case on it to match the incoming data; if it matches, it executes the attached command. Below is a snippet of code handling this:

--
Private Sub Winsock1_DataArrival(ByVal bytesTotal As Long)
    Dim data As String
    Winsock1.GetData data
    Select Case data
        Case "ABOUT"
            Call About1
    End Select
End Sub
--

As you can see it Dims the data as a String, since the client sends its commands as strings. Then it gets the data and matches it against the Case values; in this case, if you sent the string ABOUT it will call the private sub About1, which you can see below:

--
Private Sub About1()
    MsgBox "U ARE INFECTED BY [YOURNAME'S] TROJAN!", vbCritical
End Sub
--

The best thing would be to make a module in the project, go online and collect all useful API codes you can find. I've listed a few things you might want to implement:

- CDROM OPEN/CLOSE
- SHUTDOWN WINDOWS
- DISABLE KEYBOARD/MOUSE

After you've read this article I'm sure you will be able to write your own Trojan, since the core is described in here, and the source code provided within is the key to making Trojans. I wish you happy programming, and as the people on #coders always answer: IT'S JUST A SMOP (Simple Matter Of Programming).
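The persistence in this chapter is a Run-key value pointing at a bare or meaningless executable name. The Python script below is an added example, not part of Wax's guide, that parses a REGEDIT4 export of the Run key and flags exactly those two traits from the defender's side; the export text is constructed inline and the heuristics are assumptions drawn from the guide's own advice.

```python
import re
# Constructed REGEDIT4 sample (not from any real machine); names follow the guide's advice.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="C:\\WINDOWS\\SYSTEM\\systray.exe"
"Taskman"="_.exe"
"Word"="Trojan.exe"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /quiet"
'''

RUN_KEY_RE = re.compile(r'^\[(HKEY_[^\]]*\\CurrentVersion\\Run(?:Once)?)\]$', re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')

def parse_run_entries(reg_text):
    """Return (key, value name, command) for every string value under a Run/RunOnce key."""
    entries, current_key = [], None
    for line in (ln.strip() for ln in reg_text.splitlines()):
        if line.startswith('['):                    # key header: only audit Run keys
            m = RUN_KEY_RE.match(line)
            current_key = m.group(1) if m else None
        elif current_key and (m := VALUE_RE.match(line)):
            command = re.sub(r'\\(.)', r'\1', m.group(2))   # undo .reg escaping of \\ and \"
            entries.append((current_key, m.group(1), command))
    return entries

def executable_of(command):
    """Program path from a Run command line, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"') and command.count('"') >= 2:
        return command[1:command.index('"', 1)]
    return command.split()[0] if command else ''

def suspicion_reasons(command):
    """Heuristics taken from the guide's own advice: bare exe names and meaningless names."""
    exe = executable_of(command)
    if not exe:
        return ['empty command']
    reasons = []
    if '\\' not in exe:
        reasons.append('bare file name, found through the Windows/System directory lookup')
    stem = exe.rsplit('\\', 1)[-1].lower().rsplit('.', 1)[0]
    if not re.search(r'[a-z]{3,}', stem):
        reasons.append('file name has no readable word (e.g. "_.exe")')
    return reasons

def audit(reg_text):
    """Value name -> reasons for every flagged Run entry; clean entries are omitted."""
    return {name: r for _, name, cmd in parse_run_entries(reg_text) if (r := suspicion_reasons(cmd))}
```

On a live system the same checks apply to the output of a registry export of the Run and RunOnce keys; an entry with a full, readable path is not proof of legitimacy, only the absence of these two red flags.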

===================================================
CHAPTER IV - COLOFON + RESOURCES
===================================================

Writing of this guide is Copyright 1999 by Wax, Eyewitness Archives 1999.

Waxattack's own Trojan, which is written with Kilobyte from Synetic Industries, can be found at: http://www.acornweb.com/synetic/

All code & writing in this guide are Copyright Wax. ASCII drawings however are Copyright 1999 by aTm from CLASS, freely taken from JTF 98 issues.

Resources:
--
http://www.respect-inc.com/eyewitness   EYEWITNESS ARCHIVES
http://www.vb-world.net                 API CODES
http://www.planet-source-code.com       API CODES