Trojan Horse (RAT) Configure and Use
Post date: Jun 28, 2011 3:30:54 AM
Have you watched movie Troy ? okay lets leave . Have your wallpaper ever changed automatically ? Have the programs ever started without your initiation ? Have the browser opened unexpected websites automatically ? Simply have you ever felt that someone else is controlling your computer ? NO ?
Congrats, you probably haven't been a victim of trojan yet :).
A trojan horse is a remote administration tool(RAT). This is some thing extremely dangerous. A trojan gives the full control of victim's PC to the attacker.
A trojan has two parts . One is client part (Control Panel) and other is server part (meant to be sent to victim).
The basic methodology of using a trojan is as follows:-
1. Attacker creates an executable file of size in kbs. This is server part of trojan and mostly called as server.exe
2.Attacker might hide this server.exe behind any genuine file like a song or image. Attacker gives this file to victim and victim is supposed to double click on it.
3.As victim run that server part , a port on victim's computer gets opened and attacker can control his PC sitting remotely in any part of the world through the control panel(client part). Attacker can do anything with victim's computer remotely that victim himself can do on his computer.
Note: Now I am assuming that you know a little bit about IP addresses that is lan/internal/private and wan/external/public IP.
Two different methods of working of Trojan.
1. Direct Connection : In this method, after the server part has been installed on victim's machine, the attacker enters the public IP address assigned to victim's computer for making a connection to it. But limitations of direct connection is that public IP address is most probably dynamic and gets changed everytime one disconnects and reconnects. So attacker needs to find out IP address of victim each time.Moreover the incoming connection like this is usually restricted by firewall.
The main limitation of direct connection is that you can not access the victim who is behind a router or a network beacuse victim's machine is not assigned public/external/wan IP. It is only assigned private/internal/lan IP which is useless or meaningless for computers outside that network.The wan IP belongs to his router.
It doesnt matter how attacker is connected to internet. Attacker can be connected to internet any of three means.
Victim is behind a router in this case. (havent inserted the picture of victim behind a network, imagine that )
2. Reverse Connection: In this method, attacker enters his own IP address in server part while configuring it .So when the server part is installed on victim's computer, it automatically makes connection with client part that is attacker. Also the firewall in victim's machine would not restrict to outgoing connections. Problem in this case is same that attacker's IP is also dynamic. But this can be over come easily. Attacker actually enters a domain name in server part which always points to his dynamic IP.
Reverse connection can bypass a router or a network.
There are many trojans available on internet for free. Some popular ones are Beast, Pro Rat, Netbus , Back Orifice, Girlfriend, Sub 7. I will be using Pro Rat in this tutorial.
Requirements
1. Prorat- Click here to download Trojan Prorat.
2. Hostname - Your IP address would probably be dynamic that it keeps changing everytime you disconnect and reconnect. You need a host name which always automatically keep pointing to your changing IP. Follow these steps -:
1. Log On to www.no-ip.com and register for an account.
2. Go to Hosts/Redirects -> Add Host and choose any free available hostname. Do not change any other option and simply click on Create Host.
3. Downloading and install their DNS update client available here http://www.no-ip.com/downloads.php Run it and enter your credentials. Update your host name and save it.
4. Lets check whether your IP has been associate with chosen host name or not. Go to command prompt and type 'ping yourhostname' (without quotes) , hopefully it should reply with your IP address.
Tutorial for configuring Trojan.
1. Open prorat.exe that you have downloaded.
2. Click on Create and then Create ProRat Server
3. Enter your host name in the ProRat Notification field as shown. Uncheck all other options.
4. Click on general settings Tab and have a look at server port,password, victim name. Remember these things.Check out and configure other options as per your need. You can bind server.exe with any genuine file, change its icon etc.
5. Finally click on create server and now its ready to be sent to victim. Once victim installs it, it would automatically disable antivirus/firewall.
Modes of sending-:
You must be thinking of sending this server.exe to victim through an email as an attachment but unfortunately you cant do so. The good option is to upload it on any uploading site like mediafire.com and give downloading link to victim.
What after victim has run the server part ?
1.Click on ProConnective Tab and start listening to connections. Allow firewall if it asks you to open a port.
2.You will start listening to connections, I mean you will get a notification as shown when victim would be online.
Note: If you know victim is online and still its not listening to any connections. Trace victim's IP,enter in IP field and hit connect. But its gonna work only if he is not behind any network and directly connected to internet. If you dont know how to trace IP, mention in comments.
What after successful connection ?
After you have managed to connect to victim's machine. There are numberless interesting things to do. I leave this part on you. Have Fun.
How to make it undetectable from antivirus ?
Though there isn't any hard and fast way to make it fully undetectable from all antiviruses. The real way to do it is modify the source code of open source trojans available. Its very challenging job. There are many crypters which claim to make it undetectable but unfortunately hardly one out every hundred works. I would try to write next article on the same.
Contermeasure against Trojans -
The obvious coutermeasure against trojans is that do not accept downloading links blindly. Keep your antivirus up to date.
Detecting and removing Trojan -
Though trojan once installed is very hard to remove . It would hide itself from the Task Manager . Install Process Explorer and it would hopefully show you all process running including trojan. Kill the process and remove it. One good thing is to carefully check the open ports and services running through 'netstat' command. Anyways , the best option is to reinstall the windows.