EH-Net

Ethical Hacking Discussions and Related Certifications => Malware => Topic started by: SephStorm on October 30, 2011, 12:31:23 AM



Title: Looking for a windows trojan
Post by: SephStorm on October 30, 2011, 12:31:23 AM
Anyone know where I can find a decent Windows trojan? I'm testing one out (in the lab). I've done it with a Linux RAT before (rathole) but I couldn't find a... trustworthy one for Windows. I was going to go for BO, but the CDC mirrors are all down. I also found a tool called Pro Rat, but rumor is the free servers come with an additional backdoor... so yeah...


Title: Re: Looking for a windows trojan
Post by: hurtl0cker on October 30, 2011, 03:47:22 AM
Trojans  ::)

Well.. I prefer using Dark Comet 4, it has been recently released and has fully undetectable features n stuff like that, there is a Mac version coming soon.
http://www.darkcomet-rat.com/


Title: Re: Looking for a windows trojan
Post by: p0et on October 30, 2011, 01:00:04 PM
Hey SephStorm,

I wouldn't use Pro Rat since most AV suites know the signature for that one. Many people use the same Trojans (Beast, Optix Pro, Pro Rat, etc.) as well as the same Packers (Mophine, PECompress, etc.) so pretty much all AVs have sigs for those and can detect them rather easily. I'd suggest Googling and trying to find the not well known ones such as VX Heaven and VX Chaos.

If you're going to use a popular or semi-popular trojan, toss on a Byte Adder. This basically adds garbage bytes to your trojan to confuse the AV. For this, check out StealthTools v2.

Finally, you could do some hex editing or make your own Trojan.  (lots of free trojan source code out there to recompile/decompile)


Title: Re: Looking for a windows trojan
Post by: SephStorm on October 30, 2011, 01:09:49 PM
Thanks both of you for the info. I'll definitely try DC.

p0et, Thanks! That's actually one of the things I'll be testing, how well the AV on the VM detects the malware. Unfortunately I couldn't get MSE or AVG to install on the XP SP0 host... :(

Also thanks for the advice!


Title: Re: Looking for a windows trojan
Post by: MaXe on October 30, 2011, 03:36:16 PM
I would recommend you play with e.g. Meterpreter from Metasploit, which is capable of pretty much everything you need. You can always extend it to whatever you want it to do, and it also has a massive amount of scripts too :)

Making it persistent and more stealthy would of course require some work on your part  ;)


Title: Re: Looking for a windows trojan
Post by: SephStorm on October 30, 2011, 04:33:46 PM
I will eventually, but I'm trying to get away from the point, click, exploit design of MSF, even through the console. I think I'm going to dl DC, use eLiTeWrap to wrap it with calc.exe and go from there. I'll need to find out how to install NMAP on the "remote" host via command line... I'm sure I'll figure it out. :)


Title: Re: Looking for a windows trojan
Post by: White ghost on October 31, 2011, 01:59:40 AM
Hello and the best solution for u is here !!!

Majic ps, Prorat, Sub 7 are the best Windows trojans. Majic ps is my recommendation; search for it on 4shared and download the latest version of it.

You can also use them with a cryptor application and then no antivirus can against them

Go and enjoy! :)


Title: Re: Looking for a windows trojan
Post by: MaXe on October 31, 2011, 06:25:30 PM
Quote from: White ghost on October 31, 2011, 01:59:40 AM
"Majic ps, Prorat, Sub 7 are the best Windows trojans. Majic ps is my recommendation; search for it on 4shared and download the latest version of it.

You can also use them with a cryptor application and then no antivirus can against them"

Sub7, no. It's like 10 years old. Majic PS, sounds too much like it includes a hidden trojan. Prorat? It's usable and okay. Same with Poison Ivy.

If you really have to use any of these trojans, you could try Turkojan as well. And then use Themida to pack it as that would make it a lot harder to disassemble.

You do, however, not need to use a "cryptor application". That "no antivirus can against them" is also untrue, as most public "crypters" are usually highly detectable except completely new ones.

Let's say you want something that actually uses new methods; one that does this is Abysssec's crypter: http://www.abysssec.com/blog/2011/09/25/bypassing-all-anti-virus-in-the-world-good-bye-detection-hello-infection/ (And they're even a real company.)

A decent trojan a lot of hacker groups used a while back was Shark:
http://forum.intern0t.net/hacking-tools-utilities/217-shark-3-1-a.html
(Please note the InterN0T community does not condone unethical hacking.)

And for the sake of this thread, here's a cool proof of concept that has nothing to do with regular RATs:
http://forum.intern0t.net/hacking-tools-utilities/1324-skypetrojan.html


Edit / Update
Bypassing Anti-Virus Scanners like a Pro:
http://forum.intern0t.net/offensive-guides-information/2775-blackpaper-bypassing-anti-virus-scanners.html

That paper only shows how to bypass signature based scanners, but play enough with a detected executable file, and you'll eventually end up with a fully undetectable file and that's even WITHOUT encrypting, packing or encoding it.

Remember that simple ncx99.exe backdoor which spawns a netcat process listening on port 99? I made that completely undetectable once, even against heuristic scanners.

Not because I used it for anything, just for the research fun to see how long it would take. (Approximately 1½ evenings after work.)


Title: Re: Looking for a windows trojan
Post by: SephStorm on October 31, 2011, 07:57:45 PM
I just want to say that all of you guys are awesome, and I can only hope to be on your level one day.


Title: Re: Looking for a windows trojan
Post by: hayabusa on October 31, 2011, 08:16:04 PM
I have no doubt you will, SephStorm...

Time, effort, dedication, and that ever-present will to 'try harder'!


Title: Re: Looking for a windows trojan
Post by: White ghost on November 01, 2011, 01:05:17 AM
The new version of Majic ps is not old, but I think it's a trojan.
Beginners, did you use this with a cryptor program???


Title: Re: Looking for a windows trojan
Post by: p0et on November 02, 2011, 01:40:32 PM
Speaking of Trojans.. just in case you missed it, here's a good example of an old one (PoisonIvy) which was modified to get around modern defenses, it seems.

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,8095.msg43992/topicseen,1/#new


Title: Re: Looking for a windows trojan
Post by: eth3real on November 03, 2011, 06:00:30 PM
Quote from: MaXe on October 31, 2011, 06:25:30 PM
"Sub7, no. It's like 10 years old."

Wow, that's a name I haven't heard in a while. I'm surprised it's even still around. I remember the first time I played around with Sub7, back when I knew nothing about computers. :)

Now, this modified PoisonIvy has been causing quite a commotion, and I believe I read it could be deployed by attaching it to an Excel spreadsheet and emailing it. I'd love to try it out in a lab sometime, but I haven't had any spare time.

Good luck, let us know what you find, SephStorm. :)