Computer Science Canada
Remote Administration Tool - VenomWare

QuantumPhysics
PostPosted: Wed Apr 10, 2013 11:36 am   Post subject: Remote Administration Tool - VenomWare

Hello everyone, it's been a while since I have posted on this forum, and I am happy to post here once again. I have come with a valuable question that I need to ask. I will get right to the point. So my team and I have constructed a RAT (remote administration tool). We have been working on it for almost 3 weeks now. It is now capable of monitoring a remote system; we have the remote mouse control and some keystrokes implemented without triggering any AV or IDS. The RAT spreads through a private domain that we set up and injects from a remote ROP sys eval built under the HP system level exploit (portable for Windows NT/2000, Windows 7/SP2/3, Ubuntu and Debian). It hides itself within a Trojan horse, and I got a good friend of mine to crypt the server. It uses a built-in JavaScript sequence to execute on the victim's machine without kicking off an internet security module in their firewalls or any other squeakers of such to break the installation.

Anyway, the problem that we are running into now is that once the remote desktop connection is established we are able to view and control the victim's machine, except when we try to send processes to the other side. For example, on my side when I try to start a process from my - let's say "control room" (aka a shell) - to their C:/ tray (an .exe file or .sh), it kicks off their AV (same error with every AV that we tried, EXCEPT for Norton and Symantec), and says that "an unknown ?LFI? is trying to run existing processes on your machine. A system restart is necessary". Where would the cause of this error be? Inside our code, or does it depend on the way we crypted it? I can give a small sample of my RDC override script so that you can analyze it if needed. Also, what are some "special" ways to restrict detection from AVs that are monitoring remote connections from an unidentified source to the system?

P.S. We are making this project to present it for our speech that we will be holding at the DEFCON 21 hacking conference in August.
P.P.S. We are also going to cite this as an open source project under the GNU license for public use on our website, after presenting.

Disclaimer: This will NOT be used for any malicious purposes; all tests are run strictly through a VPS or remotely owned systems from our friends, or fellow developers. The means of this tool will ONLY be used for educational purposes.

I got accepted to Stanford University for Networking and Information Technology Security, so I would like to present this to my professor, and possibly to everybody at the networking lab over there (just to flaunt a little bit). My team or the "developer team" that I mentioned consists of 3 of my friends - including myself.

Sincerely,
~ QuantumPhysics
Zren
PostPosted: Wed Apr 10, 2013 1:08 pm   Post subject: RE:Remote Administration Tool - VenomWare

Found this when googling "windows process lfi id". I thought the last letter was id as I assumed it was some sort of Windows process property name.

Quote:

Local File Inclusion (also known as LFI) is the process of including
files on a server through the web browser.
This vulnerability occurs when a page include is not properly
sanitized, and allows directory traversal characters to be injected.


It sort of sounds like what your attack vector is.

Oh and grats on getting accepted.
Sly14Cat
PostPosted: Wed Apr 10, 2013 6:40 pm   Post subject: RE:Remote Administration Tool - VenomWare

I was getting a little freaked until the disclaimer. The project sounds like great work and I'm amazed you slapped that together in 3 weeks. Hope it goes well at DEFCON.
QuantumPhysics
PostPosted: Mon Apr 15, 2013 10:10 pm   Post subject: RE:Remote Administration Tool - VenomWare

Update: this is just a follow-up. For anyone in disbelief: my group name is WHH and this post was made by VeNoMouS.
Dan
PostPosted: Wed Apr 17, 2013 3:35 am   Post subject: Re: Remote Administration Tool - VenomWare

I am skeptical that anything you say is remotely true. Your post reads like something a TV script writer would BS after reading Wikipedia for 30 minutes.

I would love to see your code, proof that you are talking at DEFCON and your acceptance letter to Stanford. The Stanford acceptance will be particularly interesting as Stanford's CS department does not have a "Networking and Information Technology Security" track/specialization for undergrads, and their CSE major, which did have a "Networking Specialization", was deprecated in 2012. It is even more interesting that you did not list Stanford in the list of unis you applied to (link).

Also, talking at DEFCON is impressive for someone that can't install Arch (link), does not know how to make a basic PHP+MySQL site (link), does not know how to debug basic C/C++ problems (link) and lacks an understanding of most basic concepts related to CS or programming (which is clear from your post history).

I have called you out on your bullshit before (saying you can break modern encryption, link) and you failed to deliver. I have known since you started posting on this site that you are likely a user I have banned in the past with a new account, but I let it slide since you were not causing trouble; this is enough. Either you show me up and post some proof of all the claims made in that post or I will have to consider taking action against your account for a second time.
[Gandalf]
PostPosted: Wed Apr 17, 2013 3:58 am   Post subject: Re: RE:Remote Administration Tool - VenomWare

QuantumPhysics @ 2013-04-15, 10:10 pm wrote:
Update: this is just a follow-up. For anyone in disbelief: my group name is WHH and this post was made by VeNoMouS.

For someone into security, you should know that this is hardly verification of identity, or anything else for that matter...
Dan
PostPosted: Wed Apr 17, 2013 4:01 am   Post subject: RE:Remote Administration Tool - VenomWare

My limited Google search shows that "VeNoMouS" was a group that posted a few (looks like 3-4) exploits in 2001-2004 and is now defunct (at least their webpage no longer works). My bet is he is just trying to impersonate them or got lucky that the name was actually used once. After all, he would have been in grade 2 in 2001.