Full Disclosure mailing list archives
[ElectronicSouls] - Backdoor Project
From: es () hush com
Date: Fri, 29 Nov 2002 08:52:53 -0800
-----BEGIN PGP SIGNED MESSAGE-----

Dear List,

We at Electronic Souls are working on a new project for writing the ultimate rootkit, since t0rnkit no longer does what we need it to do. If you would like to help us out with this project, please let us know.

# cat project1.txt
/----------------------------/
/ [Electronicsouls]          /
/ ESBD Rootkit Project       /
/ Idea: Burn-X               /
/ Reason: Its Just a better  /
/----------------------------/

Part I - Introduction

Well, it's 11pm, I'm tired, sleepy, and slow, so I'll be pretty short and choppy yet simple on this. Tc6 is nice, but it just seems to be incomplete or just kinda weird to me, and I've seen other methods that look much superior, yet I'm unable to produce them due to my lack of C knowledge. That is why I need the rest of the ES to give me an opinion on this and really make this a group project instead of 2-3 people making a crappy rootkit. Let me know...

Part II - Idea

Well, as you know, most backdoors involve additions or programs, modified configuration scripts, and file redirection for the trojan/rootkit/backdoor. I want to avoid having extra programs at all that are pointless and have as little productivity. I want to keep access for remote, local, etc. limited to 1-2 modified existing GNU programs for root access. The other thing is I don't want to have LKMs, which I thought of before, since they too can be detected pretty easily. That's why modified GNU programs (NOT daemons) are important. Login/SSH are the main point of entry nowadays, but are also common and can be checked for modifications, e.g. a modified ssh1 will need the user keys changed (rings a bell to the sysadmin, doesn't it), can be discovered, and therefore port-based access is > * in my opinion. Now every backdoor has to be restarted when the system restarts, duh! Here's where the power of GNU applications comes in. Instead of using those gay rc.local or LKMs, we use syslogd, the logger. Seems insane, doesn't it, but think about it. I'll explain this whole thing in the next part (Part III - Construction).

Part III - Construction

1) Tale of Syslogd and the ringer ;p

Well, here's how syslogd needs to be modified. Syslogd by default is started after the system reboots; that's a big advantage because it guarantees that our backdoor will always be on and, in my opinion, will certainly not be checked by the sysadmin. But why syslogd and not, let's say, klogd? Simple. Here's the whole beauty of syslogd: syslogd also has port 514 (udp) open, unlike klogd, for one of its duties. This is a good thing! Here's where the ringer comes in (Ding! Ding!). The ringer is just another application we will need to make that will send a certain packet size to a specified UDP! port. Remember the old ICMP backdoor where, when you send "ping -S packet-size host" to a host, it opens a port-shell on a predefined port for root access? Yup, you guessed it right! We use the same concept in syslogd: since it already has port 514/udp open, we send it a certain packet size that is predefined in the source to open a port-shell on a predefined port (oh yeah, a modified netstat will take care of hiding the established connection to the predefined port; I'll discuss that later). This method really seems neat to me. But once again, I'm going a little further with this, although this can be optional. We also modify syslogd to use reverse port-shell access, started as well, to bypass firewalls if the system is running one. But then you gotta go into predefining hosts, etc., so this is optional unless someone knows how to make a good one that makes sense.

2) Netstat

Well, this is going to be pretty obvious. Since syslogd is using port 514 for udp and we have a predefined tcp port-shell for access, netstat needs to be modified to hide any connections to these ports from being seen when you run netstat.

3) Zoro the Great

Well, remote root access is great, but let's say you have local legit access to the box you rooted. Well, here's where another GNU program comes in. In this case we will be modifying "ls". So you ask why? Well, simple! 2 reasons actually. First reason is getting root access, oh yeah! In ls we add a "-z your-pass" option that, when it is executed, causes a chmod +s /bin/sh (making sh suid), then executes /bin/sh with setuid(0), seteuid(0), setgid(0), causing you to be dropped to a root shell, and then sets /bin/sh -s (not suid anymore). Neat, eh? Well, here's the second nifty thing: we also use it to hide a directory (obvious!) like, let's say, "/bin/..." so when they do "ls -al /bin" they don't see the "...". In here you can hide your goodies ;p

4) ps

Well, in short, you modify ps to not show what scanning/hacking utilities you're running. Don't block out syslogd from being seen, because the admin will know he's hacked; syslogd has to look normal since it's our gopher.

End of construction.....

Part IV - Tools needed

1) ls source code
2) syslog source code
3) netstat source code
4) ps source code
5) Modify source codes to the changes I specified
6) Make a setup script
7) Test it!

Part V - Conclusion

Well, after reading this far I'm sure you're already tired of reading, so hopefully you'll take this idea seriously and start on it. I'm sure this backdoor/rootkit is much simpler/smaller/smarter. Let me know who's interested and give me a hand making it real.

Thanks,
- - BuRn-X
EOF
#

We are looking for someone who knows C to patch ls, netstat, and syslogd sources for us.

The Electronic Souls Crew
[ElectronicSouls] (c) 2002
"Mmmm mmmm pussycat."

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlMEARECABMFAj3nm3cMHGVzQGh1c2guY29tAAoJEN5nGqhGcjltwN0An18KjRyYyd86
wVQz5IhfEneGrXXKAJsH3Gztb5hvIo6pdlvIGVTM6XTB5A==
=LHRj
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
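Every hiding trick the post proposes (a patched netstat that drops the port-shell's sockets, a patched ls that skips "/bin/...", a patched ps that omits processes) lives in a userland binary, so the kernel's own view stays honest. A defender can therefore read /proc directly and diff it against what the tools print. The following Python is an added example written for this page, not code from the post or from the ElectronicSouls project. It runs over constructed sample data (a fabricated /proc/net/tcp, netstat -ant, ls -al and ps aux listing, labelled as such in the code) rather than a live host; the port-shell port 31337, PID 1337 and the file and process names are assumptions chosen for illustration.

```python
"""Cross-check the kernel's view (/proc) against userland tool output.

Added example for this page, not code from the post or the ElectronicSouls
project.  All sample data below is constructed; port 31337, PID 1337 and the
names are assumptions for illustration.
"""
import re

# /proc/net/tcp state codes (subset) mapped to the names netstat prints.
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}


def parse_proc_net_tcp(text):
    """Return [(local_port, remote_port, state)] from /proc/net/tcp-format text.

    Each address is little-endian hex IPv4 ':' hex port; only ports and state
    are needed for the comparison, so the IPs are ignored.
    """
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].endswith(":"):   # skips the header row
            continue
        lport = int(f[1].split(":")[1], 16)
        rport = int(f[2].split(":")[1], 16)
        socks.append((lport, rport, TCP_STATES.get(f[3], f[3])))
    return socks


def parse_netstat_tcp(text):
    """Return the set of (local_port, remote_port, state) that `netstat -ant` printed."""
    shown = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp"):
            lport = int(f[3].rsplit(":", 1)[1])
            rtok = f[4].rsplit(":", 1)[1]          # '*' for a listening socket
            shown.add((lport, 0 if rtok == "*" else int(rtok), f[5]))
    return shown


def hidden_sockets(proc_net_tcp, netstat_output):
    """Sockets the kernel reports that netstat did not print."""
    shown = parse_netstat_tcp(netstat_output)
    return [s for s in parse_proc_net_tcp(proc_net_tcp) if s not in shown]


def hidden_dir_entries(readdir_names, ls_al_output):
    """Names returned by readdir() (e.g. os.listdir) that `ls -al` did not print."""
    shown = set()
    for line in ls_al_output.splitlines():
        f = line.split(None, 8)   # mode links owner group size mon day time name
        if len(f) == 9 and f[0][0] in "-dlcbps":
            shown.add(f[8])
    return sorted(set(readdir_names) - shown)


def lookalike_names(names):
    """Entries crafted to pass for '.'/'..' or blank space in a casual listing."""
    pat = re.compile(r"^\.{3,}$|^\.\.?\s+$|^\s+$")
    return [n for n in names if pat.match(n)]


def hidden_pids(proc_pids, ps_aux_output):
    """PIDs present as /proc/<pid> directories but absent from `ps aux`."""
    shown = set()
    for line in ps_aux_output.splitlines()[1:]:   # skip the USER PID ... header
        f = line.split()
        if len(f) > 1 and f[1].isdigit():
            shown.add(int(f[1]))
    return sorted(set(proc_pids) - shown)


# ---- constructed sample data (not captured from a real host) ----------------
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 0500000A:0016 0900000A:C822 01 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0
   3: 0500000A:7A69 0900000A:C823 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0 100 0 0 10 0
"""
# What a netstat patched to drop the port-shell (0x7A69 = 31337) would print.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
"""
SAMPLE_READDIR_BIN = [".", "..", "...", "bash", "ls", "netstat", "ps"]
SAMPLE_LS_AL_BIN = """\
total 5
drwxr-xr-x  2 root root 4096 Nov 29 08:00 .
drwxr-xr-x 18 root root 4096 Nov 29 08:00 ..
-rwxr-xr-x  1 root root  512 Nov 29 08:00 bash
-rwxr-xr-x  1 root root  512 Nov 29 08:00 ls
-rwxr-xr-x  1 root root  512 Nov 29 08:00 netstat
-rwxr-xr-x  1 root root  512 Nov 29 08:00 ps
"""
SAMPLE_PROC_PIDS = [1, 412, 987, 1337]
SAMPLE_PS_AUX = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   1234   512 ?        S    08:00   0:01 init
root       412  0.0  0.1   2345   640 ?        S    08:00   0:00 syslogd
root       987  0.0  0.1   3456   700 ?        S    08:01   0:00 sshd
"""


def run_checks():
    """Return every discrepancy found in the constructed samples."""
    return {
        "sockets": hidden_sockets(SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT),
        "dir_entries": hidden_dir_entries(SAMPLE_READDIR_BIN, SAMPLE_LS_AL_BIN),
        "lookalikes": lookalike_names(SAMPLE_READDIR_BIN),
        "pids": hidden_pids(SAMPLE_PROC_PIDS, SAMPLE_PS_AUX),
    }


if __name__ == "__main__":
    for kind, found in run_checks().items():
        print(f"{kind}: {found or 'nothing hidden'}")
```

On a live host the same functions take open('/proc/net/tcp').read(), os.listdir('/bin') and the numeric entries of os.listdir('/proc') alongside the real tool output; for the trigger side, the udp/514 listener shows up in /proc/net/udp regardless of what the patched netstat prints. Two caveats: this only catches userland patching of the kind the post proposes, since an LKM that filters /proc would hide from the check as well, and the trojaned binaries themselves are easier to find by verifying them against the package database (rpm -V, debsums) or a known-good hash list taken before the compromise.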