If you missed the other articles in this series please read:
We left off in part 1 where John had successfully installed the trojan server on the professor’s computer. He has also acknowledged the “disclaimer” that came with the trojan, and was now getting ready to start to configure the server for use.
Now John was going to start going through the menu’s to completely configure the trojan server the way he wanted it. John also wanted to do the least configuring possible, as time was very much of the essence. He did not want to have to come up with his lame sickness story, unless he had to.
John now quickly looked at the options for the “main settings” menu. He knew from previous experience what they were mostly, but had to go through them again. He did not make any changes to this screen, nor did he bother to password protect the server itself. In other words he was not concerned about anyone else connecting to it, whether it be his class mates or anyone else in another math class.
Now John needed to decide what icon the trojan server would be disguised as. He wanted something that a math professor probably would not be overly curious of. With that thought in mind he chose the registry icon that is seen in the pic below.
With that taken care of, and the minutes ticking by very quickly, John clicked on the “Startup & Installation” menu.
Looking quickly at the menu options, John chose to enable the second from the top as well – Registry – RunServices (2K/XP). He left everything else there with the default settings.
After having clicked on the notifications window he quickly looked at it. He remembered that he was going to access the professor’s computer from class so he didn’t need to be notified via any of the means shown in this menu. John was starting to have problems thinking as he was starting to panic. He had been on the professor’s computer now for about five minutes, and was very much afraid he would get caught. In retrospect his excuse of feigning sickness didn’t seem very plausible if he was caught at the computer. Then again he did not want to write the math exam either so he drove ahead with the trojan server configuration.
Now John remembered that Optix Pro had a built in feature that would disable almost every commercial firewall, and anti-virus product in existence today. Not only that but it would also disable most anti-trojan programs as well. This was not a feature that John had played with very much, so he decided to leave everything in default mode.
The ability of Optix Pro to disable most firewall, and anti-virus/trojan software out there today is what makes this trojan a rather lethal one. Especially so, for those who are only day to day users of a computer. Not many people that I know of actually look at their task bar for the firewall or anti-virus icon.
Now, John was satisfied that he had input all of the changes he required, for his caper to be pulled off successfully. At that point he was presented with the above noted pic prompting him for one of two options. He chose not to do any UPX packing as he was already on the local machine physically. To that end he simply chose “OK All done!” option.
John was now presented with the main menu again, but with the notice at the bottom left hand corner “SETTINGS WRITTEN SUCCESSFULLY!”. Excellent! John was quite ecstatic, he was almost done. With his now complete trojan server on the desktop disguised as a registry, he simply double clicked it, and let it install itself into the professor’s registry, amongst other places.
Now we can see from the above noted screen shot that Optix Pro is indeed alive and well on the professor’s computer. It has spawned a socket on port 3410, which if you recall is the default port for Optix Pro. A nice feature of the tool Active Ports, is that it will map on your computer where the program resides that has opened a socket. If you look on the right hand side of the above pic you will notice that the Optix Pro trojan server has installed itself into c:\winnt\system32\msiexec16.exe The “system32” folder is a favourite place, for such malware, as Trojans to install themselves.
With the trojan server now successfully installed John hid the registry icon in the same path as where the trojan itself was. John was pretty confident that the professor would not want to play around with a registry file. On that note John scurried out of the professor’s office, and back into the math class. No big surprise the professor was still droning on about something decidedly math like. John plugged his laptop into his CAT 5 jack, and brought up his trojan client interface by which he would connect to the computer.
Now John leisurely entered the professor’s IP address, which he already had from the handy network diagram distributed at the beginning of the school year. With great satisfaction he hit the connect button.
We can see from Active Ports once again that the trojan client has indeed connected to the professor’s computer. Now we will also look below, at what happened at the packet level. Several packets were chopped out so as to show the “money shot” as it were.
05/13-12:35:56.708391 0:D0:59:1C:75:30 -> 0:D0:59:2B:77:EE type:0x800 len:0x63 192.168.1.101:3410 -> 192.168.1.103:1061 TCP TTL:128 TOS:0x0 ID:3442 IpLen:20 DgmLen:85 DF***AP*** Seq: 0x7A677215 Ack: 0x4B3A4E4B Win: 0xFFF4 TcpLen: 20
0x0000: 00D0 592B 77EE 00D0 591C 7530 0800 4500 ..Y+w…Y.u0..E.
0x0010: 0055 0D72 4000 8006 6914 C0A8 0165 C0A8 [email protected]…i….e..
0x0020: 0167 0D52 0425 7A67 7215 4B3A 4E4B 5018 .g.R.%zgr.K:NKP.
0x0030: FFF4 D2B9 0000 3030 31AC 4F70 7469 7820 ……001.Optix
0x0040: 50 2 6F20 7631 2E33 3320 436F 6E6E 6563 Pro v1.33 Connec
0x0050: 7465 6420 5375 6363 6573 7366 756C 6C79 ted Successfully
0x0060: 21 0D 0A !..
We can clearly see now, that the trojan client has indeed connected to the trojan server. Not only that but it also shows it in the ascii payload of the packet. For those of you who administer intrusion detection systems it would be worthwhile to write up a quick rule looking for the “Optix Pro” ascii string. All of this was possible simply due to the network architecture of the classroom. That plus the fact that the college fostered an open door policy between their students and the professor’s who teach them. Not a very good policy at all as we can see from this case. In the third part of this article series we will see John search through the professor’s computer for the math exam. The much mentioned professor will also set into motion the events that bring about John’s capture unbeknownst to him. On that note I will see you in a little bit for part III.
If you missed the other articles in this series please read: