Security Basics mailing list archives

RE: Establish persistent outbound connection for covert application


From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Wed, 24 Aug 2005 17:10:58 -0400

There was a program similar to this called AckCMD.  Have a go with it
here:  http://ntsecurity.nu/toolbox/ackcmd/

It's detected by AV now as a backdoor, but you may be able to
disassemble it or get the source code and modify it to your liking.  I'm
not saying to use this tool, but maybe get some ideas from it for your
own program.

Good Luck!

-JMB 

     =|   -----Original Message-----
     =|   From: David Siles [mailto:ctowizkid () gmail com] 
     =|   Sent: Tuesday, August 23, 2005 6:17 PM
     =|   To: security-basics () securityfocus com
     =|   Subject: Establish persistent outbound connection for 
     =|   covert application
     =|   
     =|   Hello all,
     =|   
     =|   I am looking for some additional ideas for an 
     =|   application we are trying to use for a law 
     =|   enforcement application.
     =|   
     =|   We are currently using a product that allows us to 
     =|   install a software shim on a suspect's PC and then 
     =|   connect into the PC at any given time to perform 
     =|   forensic analysis.  While this works great, we 
     =|   consistently run into the problem of personal 
     =|   firewalls, NAT devices, SP2, and other ACLs that 
     =|   prevent us from connecting into the suspect machine.
     =|   
     =|   While we usually have the suspect's full cooperation in 
     =|   the monitoring efforts and we can initially configure 
     =|   their network and/or PC configuration to allow this 
     =|   communication things get changed.  Also we run into 
     =|   the problem with dynamic addressing changing on us, 
     =|   which can be a pain to keep track of unless we 
     =|   install some type of dyn dns solution.
     =|   
     =|   To tackle this problem I have been able to setup SSH 
     =|   tunneling and making the suspects computer establish 
     =|   the SSH connection to our external facing test box 
     =|   and then having our forensic station connect in and 
     =|   use the SSH to redirect the tunneling, but I would 
     =|   like to come up with a better method.
     =|   
     =|   I am asking if anyone has ideas on this to either 
     =|   reply to the list for benefit of all or contact me directly.
     =|   
     =|   I am looking for something that will connect 
     =|   outbound, preferably covertly as a background/hidden 
     =|   process (e.g. fooing a netcat/cryptcat
     =|   connection) to an awaiting connection server or service 
     =|   for redirection. 
     =|   SSH may be the best process here, but I don't like 
     =|   having to open an SSH tunnel for this.  The 
     =|   application we are using is already running encrypted 
     =|   traffic, so adding another layer of encryption also 
     =|   slows it down.
     =|   
     =|   The capability to make this application call home 
     =|   will be of great benefit to many in the LEO community 
     =|   and if you're interested in what we are doing, please 
     =|   feel free to contact me offlist.
     =|   
     =|   Thanks,
     =|   
     =|   Dave Siles
     =|   
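The "call home to a waiting relay" arrangement Dave describes above (the monitored PC dials out to an external box, the forensic station dials in to the same box, and the box redirects between the two) as an added, minimal example in Python. This is not code from the thread, from AckCMD, or from the product Dave is using; it is written here to make the moving parts concrete. It adds the one check the thread does not mention: the agent must present a pre-shared token before the relay will pair it with an operator, otherwise whoever reaches the relay's agent port first owns the slot. The token value, the loopback addresses, the OS-chosen port numbers and the uppercase request handler are all constructed for the demo, and the bytes travel in the clear, so in practice the channel still belongs inside SSH or TLS (which is exactly what an `ssh -R` reverse forward gives you, with sshd playing the relay). Persistence and process hiding are deliberately not part of the example.

```python
import hmac
import socket
import threading

# Constructed demo secret (an assumption of this example). A deployment would
# provision a per-agent credential and carry the channel inside TLS or SSH.
AGENT_TOKEN = b"constructed-demo-token"


def check_token(presented: bytes) -> bool:
    """Constant-time compare of the agent's first line against the secret."""
    return hmac.compare_digest(presented.rstrip(b"\r\n"), AGENT_TOKEN)


def _readline(sock: socket.socket, limit: int = 4096) -> bytes:
    """Read one newline-terminated line without over-reading past it."""
    buf = bytearray()
    while len(buf) < limit:
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
        if ch == b"\n":
            break
    return bytes(buf)


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then shut both directions down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass  # already shut down by the other pump thread


class Relay:
    """External box: one port the agent dials out to, one the operator dials
    in to. Once both sides are present the two TCP streams are spliced."""

    def __init__(self, host: str = "127.0.0.1") -> None:
        self.agent_srv = self._listen(host)
        self.oper_srv = self._listen(host)
        self.agent_port = self.agent_srv.getsockname()[1]
        self.oper_port = self.oper_srv.getsockname()[1]

    @staticmethod
    def _listen(host: str) -> socket.socket:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((host, 0))  # port 0: let the OS pick a free port for the demo
        s.listen(5)
        return s

    def _accept_agent(self) -> socket.socket:
        """Accept on the agent port until a caller presents the token; anything
        else is dropped, so a stray scanner cannot occupy the agent slot."""
        while True:
            conn, _ = self.agent_srv.accept()
            conn.settimeout(5)
            try:
                if check_token(_readline(conn)):
                    conn.settimeout(None)
                    return conn
            except OSError:
                pass
            conn.close()

    def serve_once(self) -> None:
        agent = self._accept_agent()
        operator, _ = self.oper_srv.accept()
        pumps = [threading.Thread(target=_pump, args=(operator, agent)),
                 threading.Thread(target=_pump, args=(agent, operator))]
        for t in pumps:
            t.start()
        for t in pumps:
            t.join()
        for s in (agent, operator, self.agent_srv, self.oper_srv):
            s.close()


def run_agent(relay_host, agent_port, handle, token=AGENT_TOKEN):
    """Monitored host's side: dial *out* to the relay, authenticate, then
    answer one request line at a time until the operator hangs up."""
    with socket.create_connection((relay_host, agent_port)) as s:
        s.sendall(token + b"\n")
        while True:
            line = _readline(s)
            if not line:
                break
            s.sendall(handle(line))


def demo() -> bytes:
    """Run relay, agent and operator on loopback; return the operator's reply."""
    relay = Relay()
    threading.Thread(target=relay.serve_once, daemon=True).start()
    threading.Thread(target=run_agent, daemon=True,
                     args=("127.0.0.1", relay.agent_port,
                           lambda line: line.upper())).start()
    with socket.create_connection(("127.0.0.1", relay.oper_port), timeout=10) as op:
        op.sendall(b"hello\n")
        return _readline(op)
```

Running `demo()` returns `b"HELLO\n"`: the operator's request crossed the relay to the agent, which answered over the connection it had opened outbound, so no inbound rule on the agent's side was ever needed. The only inbound listener in the design is the relay, which is why the token check sits there and why the relay's two ports (and not the agent) are what a firewall in front of the external box has to admit.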