» RAT

» RAT http://www.megapanzer.com Wed, 08 Sep 2010 12:49:12 +0000 en hourly 1 http://wordpress.org/?v=3.0.1 Trj/Casper.A sources. http://www.megapanzer.com/2010/02/15/trjcasper-a-sources/ http://www.megapanzer.com/2010/02/15/trjcasper-a-sources/#comments Mon, 15 Feb 2010 07:12:30 +0000 carrumba http://www.megapanzer.com/?p=3468 Name Trj.Casper RAT

RAT

Type RAT Author Unknown Written in C Description This sourcecode dates back to 2004. It is quite old and its functionality is rather limited. The intresting part in this source code is the injection section which represents the biggest part of it. It contains an injection function based on the CreateRemoteThread call and all required functions to make it completely run in a remote process. You can use it as a basic example and extend it with your own functionality. Questions In case you have a question just register at the Megapanzer forum and leave an entry in the according board. Your question will be answerd as soon as possible. Downloads Source

]]> http://www.megapanzer.com/2010/02/15/trjcasper-a-sources/feed/ 0 FBI RAT source code. http://www.megapanzer.com/2010/01/24/fbi-rat-source-code/ http://www.megapanzer.com/2010/01/24/fbi-rat-source-code/#comments Sun, 24 Jan 2010 14:30:53 +0000 carrumba http://www.megapanzer.com/?p=3398 Name FBI RAT worm

worm

Type RAT Author Albinoskunk Written in C Description After calling for your submissions this is the first RAT source that reached me. It was coded by Albinoskunk. The source is based on Aryan v0.5, it was improved at some places and contains all relevant components of a RAT, client, server, GUI and what I consider as the most interesting part in this RAT is the process injection function. Albinoskunk already documented its features in the forum but to sum it up here the main characteristics :

File Manager
System Manager
Keylogger
Screen capture
Webcam
Packet Sniffer!

Questions In case you have a question just register at the Megapanzer forum and leave an entry in the according board. Your question will be answerd as soon as possible. Downloads Source Screenshot

]]> http://www.megapanzer.com/2010/01/24/fbi-rat-source-code/feed/ 3 Win32/Rbot source code. http://www.megapanzer.com/2009/10/16/win32rbot-source-code/ http://www.megapanzer.com/2009/10/16/win32rbot-source-code/#comments Fri, 16 Oct 2009 21:13:31 +0000 carrumba http://www.megapanzer.com/?p=3007 Name Win32/Rbot trojanhorse

trojanhorse

Malware type RAT, Worm Author Unknown Written in C Description Rbot is an IRC controlled backdoor (or “bot”) that can be used to gain unauthorized access to a victim’s machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable, and is being very actively developed, however the core functionality is quite consistent between variants. Most instances of Rbot are compressed and/or encrypted with one or more run-time executable packers.

Rbot variants are able to spread in a number of different ways. Propagation is launched manually through backdoor control, rather than happening automatically. Not all variants support all propagation mechanisms.

Each spreading method begins with scanning for target machines. The worm can generate random values for all or part of each IP address it targets. Each attack vector is associated with a particular TCP port.

Via Network Shares (TCP ports 139 and 445)
Via LSASS buffer overflow vuln. (TCP port 445)
Via WebDav vuln. (TCP port 80)
Via RPC msgbuffer overflow vuln. (TCP ports 135, 445, 1025)
Via RPCSS DCOM msg buffer overflow vuln. (TCP port 135)
Via Exploiting weak passwords on MS SQL servers
Via UPnP NOTIFY buffer overflow (TCP port 5000)
…

Rbot’s main function is to act as an IRC controlled backdoor. It attempts to connect to a predefined IRC server and join a specific channel so that the victim’s computer can be controlled. The IRC server, port number, channel and password differ with each variant.

Rbot also listens on TCP port 113 to provide ident services, which are required by some IRC servers.

Once the victim’s computer is under control, the overseer is able to instruct Win32.Rbot to attempt to perform malicious operations such as spreading via administrative shares with weak passwords or the DCOM RPC exploit.

Questions In case you have a question just register at the Megapanzer forum and leave an entry in the according board. Your question will be answerd as soon as possible. Downloads Source Sources www.ca.com

]]> http://www.megapanzer.com/2009/10/16/win32rbot-source-code/feed/ 0