LANfiltrator 1.1 fixed
(Backdoor.Win32.LanFiltrator.11.b)

by Read101

Written in Delphi

Released in August 2003



1. What is LANfiltrator?
2. How it works.
3. Why use it?

What is LANfiltrator?
LANfiltrator is a remote access tool designed to access a remote computer through a router, LAN or proxy server. RATs generally work by connecting to the remote computer's IP address. But when the remote computer is behind another device (i.e. a router or proxy), there is an internet IP, which the connecting device uses, and the computer's own LAN IP. In other words, it is impossible for a normal RAT to connect to the remote computer, as it cannot reach the sub-IP. Enter LANfiltrator.

How it works.
Well, as most of you more experienced Trojan users will know, if you send a server to someone who is on a LAN you will not be able to connect to them, because their IP is given to them by their local DHCP server (the computer that shares the internet with the other computers), which connects them to the internet. So their IP is hidden behind the server and cannot be easily accessed on the internet by you.
Well, with LANfiltrator it is now possible to do this. Basically, the server works like a client, but invisible, with server functions built into it.
So this means that the client will listen and wait for the server to connect, basically like SIN notification but more complex. Once the server connects to your client with your IP, you can use the client as if it were a normal one. If you want to know more about how the server will connect to your IP, there is more info in the edit server of the application on how this works.

Why use it?
A lot of people these days are set up on LANs, behind routers, etc. to stop the more nefarious uses of RATs. However, this makes remote administrative access exceedingly difficult. Using LANfiltrator, the remote computer can be accessed as easily as if it were directly connected to the internet. The downside to the reverse client/server action is that a computer on a LAN cannot use the program to connect to a remote computer behind a LAN at all, i.e. LAN cannot connect to LAN. The program is also intelligent, detecting whether a LAN is in use or not; say your remote computer is sometimes the internet server: you don't need to use a separate program.


How SIN Client works.

Well, once you send the server to a remote computer that is on a LAN you will need to
open and start the SIN client. It's basically your ordinary SIN notification client,
where all the servers will connect and you get the relevant information to connect to
the remote computer.

Now, to start the client you just need to click the button named (Start Client).
Once that is finished, just sit back and wait for your servers to connect to the client.
You should receive their IP, connection type, Windows version, and the time they connected.
Now remember, if you have a server that is on a LAN or router you will need this as
one of the notification methods.
The client will auto-detect whether the server is on a LAN, router, proxy or dialup,
so all you have to do is double click and the client will do the rest for you.

Remember, you need to put your IP or a DNS address in the IP section of the edit server
so the SIN notification will work.

OK, once you see the remote computer that you want to connect to, just double click
on it to connect. There is a small delay, but that is just to make sure that the
server you want to connect to is the right one; there may be a case where you may have
maybe 5 or 6 servers connected to the quarantine.

If you connected, the memo should clear and a message should appear.

You can keep the SIN client open, so if you see a more important computer come online
you can disconnect and connect to it.
By default, the information you need to connect to the server is automatically put into the
necessary places when you double click to connect to the remote computer.
Don't worry if you forget to disconnect from your current computer, because it will
automatically disconnect for you before reconnecting to the new remote computer.

Read101


Server:
c:\WINDOWS\Csrss.exe 

size: 232.452 bytes

port: 888, 999 TCP

startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System" 
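
Added example (not part of the original entry or of the tool): a check of the indicators listed above against saved `reg query` and `netstat -ano` output. The sample text is constructed, and because the entry does not say which end of a connection uses ports 888 and 999, the port check matches either endpoint and is only a weak signal on its own.

```python
import re

# Indicators copied from the entry above.
IOC_PATH = r"c:\windows\csrss.exe"      # compared case-insensitively
IOC_RUN_VALUE = "System"
IOC_PORTS = {888, 999}

# Constructed sample input in `reg query` / `netstat -ano` layout (not from a real host).
REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    System    REG_SZ    c:\WINDOWS\Csrss.exe
"""
NETSTAT = """
  TCP    192.168.1.20:49712     203.0.113.7:999        ESTABLISHED     2312
  TCP    192.168.1.20:49713     198.51.100.9:443       ESTABLISHED     4100
  TCP    0.0.0.0:888            0.0.0.0:0              LISTENING       2312
"""

def run_key_hits(reg_text):
    """Return (value name, command) for Run values matching the entry's startup indicators."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_\w+\s+(.+)$", line)
        if not m:
            continue  # key header or blank line
        name, command = m.group(1), m.group(2).strip()
        target = command.strip('"').lower()
        # The genuine csrss.exe lives in System32 and is not started from a Run key.
        if target.startswith(IOC_PATH) or (name == IOC_RUN_VALUE and "csrss.exe" in target):
            hits.append((name, command))
    return hits

def port_hits(netstat_text):
    """Return (local, remote, state, pid) for TCP rows where either endpoint uses an IOC port."""
    wanted = {str(p) for p in IOC_PORTS}
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        local, remote, state, pid = fields[1:]
        if {addr.rsplit(":", 1)[-1] for addr in (local, remote)} & wanted:
            hits.append((local, remote, state, pid))
    return hits

if __name__ == "__main__":
    for hit in run_key_hits(REG_QUERY) + port_hits(NETSTAT):
        print(hit)
```

A PID that appears in the port hits and whose image path matches the Run-key hit is a much stronger finding than either check alone.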

MegaSecurity