Written by Doc~
Released
3.29.02
New Startup Methods
www.megasecurity.org
This article and the opinions in it are the sole belief of the author, and not those of the website. The author acknowledges that there may be some false information; the author, releasing everything at this time, fully believes everything to be true, and unless proved otherwise, it should be taken so. By reading and/or distributing this information you, the user, are responsible for any actions or responses that may occur.
This version is intended for programmers and RAT authors. These are some newer startup methods; all methods have been confirmed to work on 2k. Also included are new ways to hide and refer to files without giving their location away. Assume that these methods have not been tried on other versions unless noted. Enjoy, and please keep this version of this article to yourself; I will release a less intensive one on Megasecurity some time later. If you have questions, e-mail me, and if it works on another OS version let me know. I'm very interested in whether this paper has relevance to other OS versions.
Templated Directories
For easy referencing, Windows uses variables for its most used folders, e.g. %systemroot% refers to c:\winnt. That is a common one, but try %webdir% or %userappdata%. This will help to make the actual path of the server obscure.
Example
%webdir%\server.exe
The average user won't know where to find it. And if you use a common exe name, for example sol.exe or calc.exe, it will make it hard for them to distinguish the files when they do a search for the exe.
Running Server as a .htt file
In case you aren't aware, .htt files are used as the code for, for example, Control Panel. There is of course control.exe and the *.cpl files that go along with it, and then there is c:\winnt\web\controlp.htt.
Contents of controlp.htt
Here's a portion of the code up close:
    var L_Intro_Text = "Use the settings in Control Panel to personalize your computer.";
    var L_Prompt_Text = "Select an item to view its description.";
    var L_Multiple_Text = " items selected.";
If you run Control Panel you will see that text on the left hand side of the window. This may not be new information to you, but let's move on. A simple way to ensure your trojan is running is either to create a program to check on the server or to just call the server itself. Code example below:
    function Load()
    {
        Info.innerHTML = L_Intro_Text + L_Prompt_Text;

        // fix styles
        var L_SystemFont1_Text = "MS Sans Serif";
        var L_SystemFont2_Text = "MS Shell Dlg";
        var L_SystemFont_Text = "Tahoma, Verdana";
        var tr = document.body.createTextRange();

        alert('executed code');   // injected line: runs when the template loads

        if (navigator.cpuClass != "Alpha") {
            tr.collapse();
            var actualFont = tr.queryCommandValue("FontName");
            if (actualFont == L_SystemFont1_Text || actualFont == L_SystemFont2_Text)
                document.body.style.fontFamily = L_SystemFont_Text;
        } else
            document.body.style.fontFamily = L_SystemFont_Text;

        // call our Resize() function whenever the window gets resized
        window.onresize = Resize;
        Resize();
    }
That's an example of injecting the code. Here's where you will be privy to Kid Arcade's best work yet.
Kid a while back coded a godwill 1.06 but didn't release it because he wanted to keep the exploit private. About 4 people have this code. It compiles the exe on the victim's hard drive and runs it, without requiring a reboot. Truly a masterpiece. Thanks Kid for letting me share it.
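From the defender's side, both tricks above (templated paths such as %webdir%\server.exe, and script added to a shell template like controlp.htt) leave something checkable: the variable can be expanded back to a real directory, and the template can be compared against a known-good hash and searched for script that does not belong in a folder view. The following is an added example, not code from the article; the environment table, file contents and baseline hash are constructed, and %webdir% / %userappdata% are taken from the article rather than verified against a live system.

```python
"""Defender-side check for the two persistence tricks the article describes:
environment-variable templated paths and script injected into .htt templates.
Added example; all file contents, hashes and environment values are constructed."""
import hashlib
import re

# Constructed environment using the variable names the article mentions.
# On a real host you would read os.environ (and HKCU\Environment) instead.
SAMPLE_ENV = {
    "SystemRoot": r"C:\WINNT",
    "webdir": r"C:\WINNT\web",
    "userappdata": r"C:\Documents and Settings\Administrator\Application Data",
}

VAR_RE = re.compile(r"%([^%]+)%")


def expand_path(path, env=SAMPLE_ENV):
    """Resolve %VAR% tokens case-insensitively. Unknown names are left intact
    and returned so an analyst notices a variable that is not defined."""
    lookup = {k.lower(): v for k, v in env.items()}
    unresolved = []

    def sub(match):
        name = match.group(1)
        if name.lower() in lookup:
            return lookup[name.lower()]
        unresolved.append(name)
        return match.group(0)

    return VAR_RE.sub(sub, path), unresolved


# Heuristics for script that has no business in a shell web-view template.
SUSPICIOUS = [
    re.compile(r"\.exe\b", re.I),                          # executable references
    re.compile(r"%[^%]+%"),                                # templated paths in script
    re.compile(r"ActiveXObject", re.I),                    # COM object creation
    re.compile(r"WScript\.Shell|Shell\.Application", re.I),
]


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scan_htt(name, content, baseline):
    """Return findings for one .htt file: drift from the baseline hash, plus any
    suspicious lines inside <script> blocks (line numbers are within the block)."""
    findings = []
    digest = sha256(content)
    if name not in baseline:
        findings.append("file not in baseline")
    elif baseline[name] != digest:
        findings.append("hash differs from baseline")
    for block in re.findall(r"<script[^>]*>(.*?)</script>", content, re.S | re.I):
        for lineno, line in enumerate(block.splitlines(), 1):
            if any(pat.search(line) for pat in SUSPICIOUS):
                findings.append(f"script line {lineno}: {line.strip()}")
    return findings


# Constructed stand-in for a clean controlp.htt (trimmed to the relevant part).
CLEAN_HTT = """<html><head><script language="JavaScript">
var L_Intro_Text = "Use the settings in Control Panel to personalize your computer.";
var L_Prompt_Text = "Select an item to view its description.";
function Load() { Info.innerHTML = L_Intro_Text + L_Prompt_Text; }
</script></head><body onload="Load()"><div id="Info"></div></body></html>
"""

# The same file with the article's injected alert and a templated path added.
TAMPERED_HTT = CLEAN_HTT.replace(
    "function Load() {",
    "function Load() {\n  alert('executed code');\n  var s = \"%webdir%\\\\server.exe\";",
)

# Baseline built from the clean copy; in practice this comes from a trusted image.
BASELINE = {"controlp.htt": sha256(CLEAN_HTT)}


def run_demo():
    """Expand a templated path and scan the clean and tampered templates."""
    return {
        "expanded": expand_path(r"%webdir%\server.exe")[0],
        "clean": scan_htt("controlp.htt", CLEAN_HTT, BASELINE),
        "tampered": scan_htt("controlp.htt", TAMPERED_HTT, BASELINE),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The hash comparison catches any edit at all, including one the regex list would miss, which is why it runs first; the line heuristics only help an analyst see what changed without opening the file. A real deployment would walk %SystemRoot%\web\*.htt and each profile's Application Data\Microsoft\Internet Explorer\desktop.htt rather than the inline samples.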
Notes:
    %SystemRoot%\web\printfld.htm - execute c:\winnt\web\printfld.hm
    file:///::{20D04FE0-3AEA-1069-A2D8-08002B30309D}/::{21EC2020-3AEA-1069-A2DD-08002B30309D}
    cpl = control panel extension
    HKEY_CURRENT_USER\Environment -> %USERPROFILE%\Local Settings\Temp may execute file
    file://%userappdata%\Microsoft\Internet Explorer\Desktop.htt = C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer
    HKEY_CLASSES_ROOT\CLSID\{00021400-0000-0000-C000-000000000046}
No one is perfect. If there is false information or there are spelling and grammatical errors, please e-mail me and help me correct them. I am firmly against false information and have gone to great lengths to verify everything mentioned above.
E-mail -> http://tnt2.ath.cx:5080/kernel32/xxx_drneo_xxx@yahoo.com?subject=false info/error
Thanks go to the following people, in no special order:
Cyberfly, M_R and Magus (thanks for all your help and support :-) ), weed (congrats bro), SilenceGold, dragnet for starting up the Kazaa client when needed =), #tnt, Connected, and ap0calaps. Also a huge thank you to Olympus (http://www.lithiumrat.org/) for developing a program for my needs, and to mf4 (areyoufearless.com) for also developing code to help me, and for both of their constant programming help. If you have been forgotten, I'm sure I was having a memory lapse; thanks to you too.