[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200211291652.gATGqs5x050049@mailserver3.hushmail.com>
From: es at hush.com (es@...h.com)
Subject: [ElectronicSouls] - Backdoor Project
-----BEGIN PGP SIGNED MESSAGE-----
Dear List,
We at Electronic Souls are working on a new project for writing the
ultimate rootkit, since t0rnkit no longer does what we need it to do.
If you would like to help us out with this project, please let us know.
# cat project1.txt
/----------------------------/
/ [Electronicsouls] /
/ ESBD Rootkit Project /
/ Idea: Burn-X /
/ Reason: Its Just a better /
/----------------------------/
Part I - Introduction
Well It's 11pm i'm tired sleepy, and slow so i'll be pretty short and choppy
yet simple on this. Tc6 is nice, but it just seem's to be incomplete or
just kinda weird to me and i seen other methods that look much superior yet
i'm unable to produce it due to my lack of C knowledge. That is why i need
the Rest of the ES to gimme an opinion on this and really make this a group
project then 2-3 people making a crappy rootkit. Let me know...
Part II - Idea
Well as you know most backdoors involve additions or programs, modified
configuration scripts, and file redirection for trojan/rootkit/backdoor. I
want avoid having extra programs at all that are pointless and having as
little productivity. I want to keep access for remote, local, etc.. limited
with 1-2 modifyed existing GNU programs for root access. The other thing is
i dont want to have lkm's that i thought of before, since they too can be
detected pretty easily. That's why modified GNU programs(NOT Daemons) are
important. Login/SSH are the main popint of entry nowadays, but are also
common and can be checked for modifications, ex. ssh1 modified will need the
user key's changed(rings a bell to teh sysadmin doesn't it), can be and
discovered, therefore port based access is > * in my opinion. Now every
backdoor has to be restarted when the system restarted, duh! Here's where
the power of GNU applications come in. Instead of using those gay rc.local
or lkm, we use syslogd the logger, seem's insane doesn it, but think about
it. I'll explain this in whole thing in the next part(Part III -
Construction).
Part III - Construction
1) Tale of Syslogd and the ringer ;p
Well here's how the syslogd need to be modified. Syslogd by default is
started after the system reboots, that's a big advantage because it
guarantees that out backdoor will alway's be on and in my opinion will
certainly not be checked by the sysadmin. But why syslogd and not let's say
klogd ? Simple here's the whole beauty of syslogd, syslogd also has port
514(udp) open unlike klogd for one of it's duties. This is a good thing!
Here's where the ringer comes in(Ding! Ding!). The Ringer is just another
apllication we will need to make that will send certain packet size to a
specified UDP! port. Remember the old icmp backdoor that when u send ping -S
packet-size host to a host it open a port-shell to a predefined port for
root access ?? Yup you guessed it right! We use the same concept in syslogd
since it already has port 514/udp open we send it a certain packet size that
is predefined in source to open a port-shell on a predefined port(oh yeah,
modified nestat will take care of hiding the established connection to the
predefined port, i'll discuss that later). This method really seem's neat to
me. But once again, i'm going a little further with this, although this can
be optional. We also modify syslogd to use reverse port-shell access started
as well to bypass firewalls if the system is running one. But then u gotta
go into predefining hosts, etc... so this is optional unless someone knows
how to make a good one that makes sense.
2) Netstat
Well this is going to be pretty obvious. Since syslogd is using port 514 for
udp and we have a predefined tcp port-shell for access, netstat needs to be
modified hide any connections to these ports from being seen when you run
netstat.
3) Zoro the Great
Well remote root access is great, but lets say u have local legit access to
the box you rooted. Well here's where another GNU program comes in. In this
case we will be modifying "ls". So you ask why ? Well simple! 2 Reasons
actually. First reason is getting root access, oh yeah! In ls we add a "-z
your-pass" option that when it is executed it cause a chmod +s
/bin/sh(making sh suid), then executing /bin/sh with a setuid(0),
seteuid(0), setgid(0), cause you to be dropped to a root shell and then
setting /bin/sh -s(not suid anymore). Neat eh ? Well here's the second nifty
thing, we also use it to hide a directory(obvious!) like lets say "/bin/..."
so when they do "ls -al /bin" they dont see the "..." In here you can hide
your goodies ;p
4) ps
Well in short u modify ps to not show what scanning/hacking utilities u'r
running, dont block out syslogd from not being seen, because the admin will
know he's hacked, syslogd has to look normal since it's our gopher.
End of construction.....
Part IV - Tools needed
1) ls source code
2) syslog source code
3) netsat source code
4) ps source code
5) Modify source codes to changes i specified
6) Make a setup Script
7) Test it!
Part V - Conclusion
Well after reading this far i'm sure your already tired of reading, so
hopefully you'll take this idea seriously and start on it. I'm sure this
backdoor/rootkit is much simpler/smaller/smarter. Let me know who's
interested and give me a hand making it real.
Thanks,
- - BuRn-X
EOF
#
We are looking for someone who knows C to patch ls, netstat, and syslogd
sources for us.
The Electronic Souls Crew
[ElectronicSouls] (c) 2002
"Mmmm mmmm pussycat."
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
wlMEARECABMFAj3nm3cMHGVzQGh1c2guY29tAAoJEN5nGqhGcjltwN0An18KjRyYyd86
wVQz5IhfEneGrXXKAJsH3Gztb5hvIo6pdlvIGVTM6XTB5A==
=LHRj
-----END PGP SIGNATURE-----
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Big $$$ to be made with the HushMail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427
Powered by blists - more mailing lists