What I'm going to do in this three-part blog series is first download tini.exe, which is a backdoor roughly 8 years old, and submit it to VirusTotal. This will be scanned by 33 different antivirus products and I will show the results. Then the fun bit: I will modify just the port that tini.exe listens on and its name, then see how many report it as a backdoor!
Secondly I will show you how to wrap this backdoor into any application you want and have it install silently along with the real application. The third step will be a demonstration of a second machine connecting to this backdoor.
First download the tini installer. I will submit the default Tini.exe backdoor to VirusTotal and see how many of the modern antivirus companies will detect this old backdoor.


All of the products have figured out that it is some kind of backdoor/trojan.
So now to crack tini open with a hex editor and find the default port value, 7777 in this case:

Now I have picked a random port of 39846 (0x9BA6) and I will edit the backdoor as shown below:

I saved the modified version as dave.exe and I will re-submit this to VirusTotal. The results are shown below:


You can see that only 21 of the products now reported this file as being malicious. So after just changing the listening port and the name of the backdoor, only 21/33 products detected this 8 year old backdoor (the first scan was 32/33). It is hardly inspiring reading, is it?
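To see why a two-byte edit can knock out a detection, here is an added example (not from the original post, and not using tini's real bytes) comparing three detection styles over a constructed sample: a file hash, an exact byte signature that includes the port constant, and a signature that wildcards the port. The byte patterns, the big-endian port encoding and all function names are assumptions made for the demo.

```python
import hashlib
import struct

# Constructed bytes standing in for code around an embedded 2-byte port
# constant. Invented for this demo; NOT taken from tini.exe.
PREFIX = bytes.fromhex("66c745f0020066c745f2")
SUFFIX = bytes.fromhex("c745f400000000")

def build_sample(port: int) -> bytes:
    """Constructed 'binary': padding + prefix + port (big-endian, assumed) + suffix."""
    return b"\x90" * 16 + PREFIX + struct.pack(">H", port) + SUFFIX + b"\x90" * 16

ORIGINAL = build_sample(7777)    # default port from the post
PATCHED = build_sample(39846)    # 0x9BA6, the port chosen in the post

# Detection 1: hash blocklist built from the known (original) sample.
KNOWN_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}
# Detection 2: exact byte signature that happens to span the port constant.
EXACT_SIG = PREFIX + struct.pack(">H", 7777) + SUFFIX
# Detection 3: same span, but the two port bytes are wildcards (None).
MASKED_SIG = list(PREFIX) + [None, None] + list(SUFFIX)

def hash_match(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES

def exact_match(data: bytes) -> bool:
    return EXACT_SIG in data

def masked_match(data: bytes, sig=MASKED_SIG) -> bool:
    """Slide the signature over the data; None matches any byte."""
    for off in range(len(data) - len(sig) + 1):
        if all(s is None or data[off + i] == s for i, s in enumerate(sig)):
            return True
    return False

def evaluate(data: bytes) -> dict:
    return {"hash": hash_match(data),
            "exact": exact_match(data),
            "masked": masked_match(data)}

if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL))
    print("patched: ", evaluate(PATCHED))
```

Only the signature that ignores the configurable bytes still fires on the patched sample, which is the kind of difference that would separate products in a second scan like the one above.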
Part two of this post will show you how to wrap this modified backdoor with a genuine application to install it in stealth on the victim's machine.
Please be patient for post two, I have commitments to meet for the OWASP Code Review guide for the next few days before I can put part two up.