RE: Creating a Custom Trojan after Social Engineering

["Todd Towles" <toddtowles () brookshires com>]

If you know the type of AV they use..you can find something that isn't
detectable. Try to run whatever you want to use thru www.virustotal.com
and see how it is detected.

It is a common practice to tweak the EXE a bit and bypass the search
string used by the AV. Hence why variants are so danger and common. 

> -----Original Message-----
> From: Ofer Shezaf [mailto:Ofer.Shezaf () breach com] 
> Sent: Saturday, January 15, 2005 5:24 AM
> To: Todd Towles; Eric McCarty; Slider Slider; 
> pen-test () securityfocus com
> Subject: RE: Creating a Custom Trojan after Social Engineering
>
>
> My personal favorite is netcat, but:
>
> The problem with using off the shelf tools is that anti-virus 
> software detects them: keyloggers are especially notorious as 
> are tunneling tools. 
>
> What ever you select try to check that the anti-virus used at 
> the organization does not detect the tool you use. 
>
> Ofer Shezaf
> CTO, Breach Security
>
> Tel: +972.9.956.0036 ext.212
> Cell: +972.54.443.1119
> ofers () breach com
> http://www.breach.com 
>
>
> > -----Original Message-----
> > From: Todd Towles [mailto:toddtowles () brookshires com]
> > Sent: Friday, January 14, 2005 1:02 AM
> > To: Eric McCarty; Slider Slider; pen-test () securityfocus com
> > Subject: RE: Creating a Custom Trojan after Social Engineering
> >
> > http://ntsecurity.nu/papers/acktunneling/
> >
> > NetCat can be set to call out to a pre-defined IP, I believe.
> >
> > Search for Rx.exe as well - Windows Universal Reverse Shell Trojan
> >
> > > -----Original Message-----
> > > From: Eric McCarty [mailto:eric () piteduncan com]
> > > Sent: Thursday, January 13, 2005 12:30 PM
> > > To: Slider Slider; pen-test () securityfocus com
> > > Subject: RE: Creating a Custom Trojan after Social Engineering
> > >
> > > VNC offers the option to reverse connect using the 
> -connect command 
> > > line.
> > >
> > > Here is an example of using SSH and VNC. Not quite a 
> remote access 
> > > Trojan but very simple.
> > >
> > > http://faq.gotomyvnc.com/fom-serve/cache/128.html
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Slider Slider [mailto:0bscur3 () gmail com]
> > > Sent: Wednesday, January 12, 2005 3:34 PM
> > > To: pen-test () securityfocus com
> > > Subject: Creating a Custom Trojan after Social Engineering
> > >
> > > In the middle of a pen test and I have sucessfully SE'd some 
> > > employees to visit a website that I created to download a 
> keylogger. 
> > > I was able to get a lot of information. I am working on 
> the firewall 
> > > and there are no open ports or services running, strictly 
> internet 
> > > access....so the thought....
> > >
> > > I want to exchange the executable keylogger for a trojan 
> that will 
> > > connect to me from the client giving me remote access control.  I 
> > > have sampled a few, but can't find any custom programs 
> where I can 
> > > tell it what to do and when to uninstall.
> > >
> > > Has anyone tried this?
> > >
> > > 0bscur3