by Nick
Written in C, compressed with UPX, source included
Released in July 2003
The Insider V1.0 -- Win32 reverse backdoor
[email protected], Jul 21 2003
==========================================

Introduction
============

This is a reference implementation of a win32 reverse backdoor program called the Insider. Unlike many other backdoor programs, Insider is not a server listening on some tcp/udp port; it is a client program that communicates with the server part through the http protocol. This design has some unique features:

- Passes through almost any corporate firewall (it can automatically detect proxy settings if needed)
- No listening services found with "netstat -an"
- Easy to hide from IDS - the communication looks like normal web browsing

The Insider network consists of the following parts:

- Client(s) on victim machine(s)
- Server cgi script

Client programs are distributed in the usual way - send some executable to the victim, do some ActiveX tricks, whatever. The cgi part can be installed on any server that can execute cgi scripts - an anonymous hosting service should be fine.

All the communication is http POST commands, so the actual information is not visible in proxy logs. Of course, the information can be sniffed out, as the messages are only base64 encoded (that might change in the future).

The client looks for a specific string hidden inside the returned web page and executes any command it finds there. This string is defined with the compile-time define PREFIX (you need this information later).

This release is the reference implementation; it works, but it requires some work on the server side to get things going. It includes no fancy features such as keyloggers, sniffers, etc - just a plain command line interface.

Operation
=========

Clients are identified with a unique 32-character id which is sent to the server every time the client has something to say.

After the initial execution, the client reads some settings from the registry and sends the following information to the server:

  User:         Login (Real name)
  Logon domain: Domainname
  Location:     Company (Country)
  System:       Operating system (Service pack)
  Connection:   Connection type

The cgi script "cc.cgi" included with the distribution stores each client it finds out about in a directory named after the id. The initial information is stored in the file "info" in that directory. At this point, the server can send commands to the client. The following commands are defined in the reference implementation:

  i            Send initial information
  x            Shutdown
  t min-max    Set the polling time to a random value between min and max seconds
  f url file   Fetch file from url and store it as file
  s command    Run command with the command interpreter (cmd.exe/command.com)

cc.cgi reads the command from the file "cmd" and writes the result to the file "result".

Example:

1. Client is installed on the victim machine.
2. Client's unique id is "c1b5e2adc491459a05f8d1b164ab66f"
3. Client sends the initial information to the server
4. Server makes a directory "c1b5e2adc491459a05f8d1b164ab66f" and stores the initial information as "c1b5e2adc491459a05f8d1b164ab66f/info"
5. Server reads the command "s ipconfig /all" from the file "c1b5e2adc491459a05f8d1b164ab66f/cmd" and sends the command to the client
6. Client executes the command and sends the results
7. Server stores the result as "c1b5e2adc491459a05f8d1b164ab66f/result" and looks for a new command...

Installation
============

1. Edit the file insider.h (or use the precompiled binary in.exe, see section 2.)
   - Change HOST, PORT and URL to those of your cgi:

       /* Default host and port */
       #define HOST "someserver.com"
       #define PORT 80
       /* Base URL */
       #define URL "/cgi-bin/cc.cgi"

   - Also, it might be a good idea to change the default prefix:

       /* Comment prefix */
       #define PREFIX "StartJavaScript="

2. Run compile.bat (you need MS Visual C to do this).
   - You should now have a binary insider.exe, size about 50K. Pack the file if you feel like it (upx can squeeze it into 25K).

   NOTE: You can also use the precompiled binary file in.exe and configure the client using the following registry keys:

       HKCU\Software\Microsoft\TaskManager\Host
       HKCU\Software\Microsoft\TaskManager\Port
       HKCU\Software\Microsoft\TaskManager\URL
       HKCU\Software\Microsoft\TaskManager\Prefix

   In that case, you must write the above registry keys somehow in the installation process. You can always rename in.exe if you wish.

3. Prepare your cgi
   - Edit the variable PREFIX to fit your clients
   - Take some web page and cut it in two parts, called header.txt and footer.txt. The command is inserted as a base64-encoded message in a comment field between the two parts:

       (header.txt)
       <!-- PREFIX -->
       (footer.txt)

   Of course, it could be as simple as a bare "<!-- PREFIX -->", but you might want to make it look like someone is browsing a web site with real content.

4. Distribute - an example binder/installer is included in the directory "binder".

5. Wait for your clients to appear

6. Use your imagination.........

Still in progress
=================

- Proxy authentication
- The cgi is very stupid, make something more useful
- Message encryption
- Some control cgi script so that the whole thing can be controlled through a web interface.

nick

size: 24,064 bytes
tested on Windows XP
September 29, 2005
MegaSecurity
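A detection-side illustration added here (it is not part of the Insider distribution): given a captured HTTP response body, it looks for HTML comments carrying the PREFIX string followed by base64, decodes the hidden tasking, and maps its first letter to the command table above. It assumes the base64 message directly follows PREFIX inside the comment, which the README implies but does not spell out; the sample response bodies are constructed inline.

```python
import base64
import binascii
import re

# Command opcodes listed in the Insider README (reference implementation).
INSIDER_OPCODES = {
    "i": "send initial host information",
    "x": "shut down client",
    "t": "set polling interval (min-max seconds)",
    "f": "fetch file from URL and store locally",
    "s": "run command via cmd.exe/command.com",
}

def extract_tasking(body: str, prefix: str = "StartJavaScript="):
    """Return decoded tasking strings hidden in HTML comments of a response body.

    Assumption: the base64 payload directly follows PREFIX inside the comment.
    Comments whose payload is not valid base64/ASCII are ignored.
    """
    pattern = re.compile(r"<!--\s*" + re.escape(prefix) + r"\s*([A-Za-z0-9+/=]+)\s*-->")
    found = []
    for m in pattern.finditer(body):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a well-formed Insider message; skip it
        found.append(text.strip())
    return found

def classify(command: str):
    """Split a tasking string into (opcode, argument, description)."""
    opcode, _, arg = command.partition(" ")
    return opcode, arg, INSIDER_OPCODES.get(opcode, "unknown opcode")

# Constructed sample: a harmless-looking page wrapped around an Insider comment
# (the tasking uses the README's own example command).
SAMPLE_CMD = "s ipconfig /all"
SAMPLE_BODY = (
    "<html><body><h1>Welcome</h1>\n"
    "<!-- StartJavaScript=" + base64.b64encode(SAMPLE_CMD.encode()).decode() + " -->\n"
    "<p>Nothing to see here.</p></body></html>"
)
# Constructed sample with an ordinary HTML comment that must not be flagged.
BENIGN_BODY = "<html><!-- TODO: update copyright --><body>hi</body></html>"

if __name__ == "__main__":
    for cmd in extract_tasking(SAMPLE_BODY):
        print("flagged tasking:", classify(cmd))
```

Run over proxy or IDS-captured response bodies, a hit on a site-specific PREFIX is a strong indicator; the registry keys under HKCU\Software\Microsoft\TaskManager listed above give a matching host-side check.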