Showing posts with label Trojans and Backdoors. Show all posts

Monday, September 3, 2012

Hackers are using remote maintenance tool NetWire as a trojan

Hackers are using remote maintenance tool NetWire, which can be used to monitor computers running Windows, Mac OS X, Linux and Solaris, as a trojan. Anti-virus software companies have responded by identifying the program as malware.
World Wired Labs describes its NetWire product as an extended remote maintenance application. The host application runs under Windows, various versions of Linux, Mac OS X and Solaris, while the "administrators workstation" client, from where a host can be controlled, runs under Windows only. The basic version costs $65, the Pro version, which can be extended using add-ons, is priced at $105. Prices for the Advanced version are available on request.

So far, so simple. But the line in the price list that says "undetected" hints that there's more to this than meets the eye – this amounts to a promise that the Windows version of NetWire Advanced will not be detected by anti-virus software. We find ourselves in a grey area.

The company calls NetWire a reliable tool for remote maintenance of business infrastructure, which is able to cross operating system barriers. The connection between the client and server is protected using AES encryption and is limited to a single TCP port. But the company also advertises "special remote access requirements", from monitoring to parental supervision. In this case, NetWire monitors all processes and even generates screenshots.

The program is advertised in a very different light on hacker forums. Here, the emphasis is on NetWire's ability to use reverse proxying to pass through any firewall or router, its ability to read browser passwords from any browser and the fact that its keylogger does not require administrator privileges. Extensions for sniffing out TrueCrypt passwords and logging instant messaging conversations are also in the pipeline. Seen from this angle, the remote maintenance tool starts to look a lot like a trojan toolkit.

The company behind the product is not at all happy about its product finding its way into some of the darker corners of the web. Each time a remote maintenance host is generated, NetWire displays a disclaimer which requires the user to confirm that he or she will not use NetWire to gain unauthorised access to another computer or to perform other illegal activities.

The hacker who had been promoting NetWire as a multi-platform trojan was quickly ejected from World Wired Labs' affiliate programme. That has not, however, stopped other hackers from offering special "crypters", which claim to be able to hide NetWire executables from anti-virus programs, on private hacking forums.

So it's no great surprise that the remote maintenance program now finds itself in the firing line from anti-virus software companies. Dr. Web describes NetWire as a password stealer and lists it as "BackDoor.Wirenet.1". Other companies have dubbed it "TrojanSpy", "NetWired" and "NetWeird". According to VirusTotal, the Standard version of NetWire for Windows is currently detected by 16 anti-virus programs, the Linux version by 6, the Solaris version by 4, and the Mac version by 9 scan engines. Bizarrely, the Windows client is detected more frequently than the hosts, with 26 of 42 programs raising the alarm. The toolkit is therefore viewed as being more malicious than its compiled code.

SOURCE: h-online

Monday, September 5, 2011

Learn how to hack a PC or remote system using Trojan & Backdoor: Download LOST DOOR RAT all versions here for free

Lost Door is a family of backdoor trojan horses with more than 10 variants which can infect Windows operating systems from 95 to XP. It was created by OussamiO and built using Visual Basic. It uses the typical server, server builder and client configuration of a backdoor: the victim runs the server, whose behaviour is set with the server editor, and a remote user runs the client to execute arbitrary code on the compromised machine. When running, the server component (75,053 bytes) connects to a predefined IP address on TCP port 2185 and awaits commands from the remote user, who can then execute arbitrary code at will on the compromised machine.
Features

Lost Door allows many malicious actions on the victim's machine. Some of its abilities include:
  • Reverse connection
  • Webcam shot
  • Date and time manager
  • printer
  • Control panel
  • PC control
  • Executor
  • Dos command
  • Windows manager
  • Screen shot
  • Remote server manager
  • Server remover
  • Ip Grabber
  • Server Downloader
  • Icon Changer
  • Audio Streaming
  • Encrypt Settings
  • Volume Control
  • Connection Logs
  • Installed Application
  • Infect All USB
  • Multilanguage
  • Services Viewer
  • Remote passwords
  • MSN Controller
  • Remote Shell
  • Chat with server
  • Send fake messages
  • files manager
  • Find files
  • Change remote screen resolution
  • Information about remote computer
  • Clipboard manager
  • Internet Explorer options
  • Running Process
  • Online key-logger
  • Offline keylogger
  • Fun Menu

Infection Method

Lost Door has a server creator with features that allow it to be undetected by antivirus and firewall software, and also allow it to stealthily run in the background. The software only runs completely (including rootkit) in Windows XP/2000. Such features include disabling security software, removing and disabling system restore points, and displaying a fake error message to mislead the victim.


This version is now detectable by ESET NOD32 Antivirus. For other AVs, I have not checked.

Server
Dropped Files:
c:\WINDOWS\system32\dlllhost.exe
Size: 129,808 bytes

Added to Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Winupdate"
Data: C:\WINDOWS\system32\dlllhost.exe
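The dropped file and Run-key entry above are the host indicators a defender can act on. The following script is an added example written for this page; it is not part of the original post or of any product named here. It reads a constructed CSV in the column layout of an autoruns-style export, flags the entry that reproduces the post's indicators (Run value "Winupdate", image C:\WINDOWS\system32\dlllhost.exe, size 129,808 bytes) and, more generally, any autorun image whose name is one edit away from a well-known Windows binary, since "dlllhost.exe" is "dllhost.exe" (the real COM Surrogate) with one extra letter. The CSV rows and the list of imitated binaries are assumptions made for the example.

```python
import csv
import io
import os

# Indicators taken from the Lost Door analysis in the post above.
LOSTDOOR_RUN_VALUE = "Winupdate"
LOSTDOOR_IMAGE = r"c:\windows\system32\dlllhost.exe"
LOSTDOOR_IMAGE_SIZE = 129_808

# Legitimate Windows binaries that malware commonly imitates by name
# (assumed list for this example; dllhost.exe is the real COM Surrogate).
LEGIT_SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}

# Constructed sample in the column layout of an autoruns-style CSV export.
# Only the dlllhost.exe row reproduces the post's indicators; the other
# rows are made up as benign entries.
SAMPLE_AUTORUNS_CSV = """\
Entry Location,Entry,Image Path,Size
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Winupdate,C:\\WINDOWS\\system32\\dlllhost.exe,129808
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,C:\\WINDOWS\\system32\\SecurityHealthSystray.exe,84552
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,OneDrive,C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,2564400
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str):
    """Return the legitimate binary this file name imitates (distance 1), else None."""
    name = name.lower()
    if name in LEGIT_SYSTEM_BINARIES:
        return None
    for legit in LEGIT_SYSTEM_BINARIES:
        if levenshtein(name, legit) == 1:
            return legit
    return None


def scan_autoruns(csv_text: str) -> list:
    """Return a list of suspicious autorun entries with the reasons they were flagged."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = row["Image Path"].strip()
        name = os.path.basename(image.replace("\\", "/")).lower()
        reasons = []
        if row["Entry"] == LOSTDOOR_RUN_VALUE and image.lower() == LOSTDOOR_IMAGE:
            reasons.append("matches the Lost Door Run-key indicator from the analysis")
        if row["Size"].isdigit() and int(row["Size"]) == LOSTDOOR_IMAGE_SIZE:
            reasons.append("file size matches the Lost Door dropped server")
        legit = lookalike_of(name)
        if legit:
            reasons.append(f"image name '{name}' imitates Windows binary '{legit}'")
        if reasons:
            findings.append({"location": row["Entry Location"], "entry": row["Entry"],
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_autoruns(SAMPLE_AUTORUNS_CSV):
        print(f"{f['location']}\\{f['entry']} -> {f['image']}")
        for r in f["reasons"]:
            print("   ", r)
```

The exact-indicator rule only catches this one build; the look-alike rule is what generalises, because a persistence entry pointing at a near-miss of a system binary in system32 is suspicious regardless of which RAT dropped it.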

REFERENCES
  • http://www.checkpoint.com/defense/advisories/public/2009/cpai-30-Mar.html
  • http://www.megasecurity.org/trojans/l/lostdoor/Lostdoor_all.html
  • http://www.techmantras.com/content/lost-door-32-rat
Too lazy to say Thanks or comment here? Why not too lazy to read my post?? If you like this post and want us to post similar articles, Pls give us a feedback and leave a comment here.

Facebook Password Hacking Software: Download Trojans & Keyloggers

How to Hack Facebook Account Passwords Using Trojans & Keyloggers

Here I am demonstrating using the ProRat trojan. You can also check the list of trojans and keyloggers which I posted a few months back. You can use any trojan or keylogger as you prefer; the basic functionality of all backdoors is the same. Please note that all these hacking tools and software are detected by antivirus. You have to uninstall or close your running antivirus first. I strictly recommend that you try these trojans and keyloggers on a test system first.

Step-1: Download latest version of ProRat v1.9 Fix2. CLICK HERE to download. The ZipPass is : pro

STEP-2: Creating the ProRat server. Click on the "Create" button at the bottom and choose "Create ProRat Server".


STEP-3: Open Notifications. Select the second option, "Mail Notification". In the E-MAIL field you will see a mail
id: bomberman@yahoo.com. Remove this mail ID and enter your own mail id here. You will receive a notification
email at this address whenever your victim connects to the internet from the infected system.

STEP-4: Open General settings. This tab is the most important one. Here is a quick overview of what the
check boxes mean and which should be checked.

Key:

[ ] = dont check
[x] = check

[ ] Give a Fake Error Message. (When they open the file, it shows an error message.)
[x] Melt server on install. (This will cause the server to ALWAYS connect to the internet when the victim gets
online.)
[x] Kill AV - FW on Install. (This causes the anti-virus and firewalls to SHUT DOWN and stay off once installed
on the victim's computer.)
[x] Disable Windows XP SP2 security center
[x] Disable Windows XP Firewall
[x] Clear Windows XP Restore Points
[ ] Dont send LAN notifications (keeps other computers on the victim's network from knowing about you)
[ ] Protection for removing local server

In the Invisibility Box, check all 4 boxes.

STEP-5: Open Bind With File. You can bind your server (or downloader server) with any file you want. You must
click on the ''Bind the server with a file'' button, and then the file button will be activated. You can now
choose a file to be bound with the server. A good suggestion is a picture, because that is a small file and it
is easier to send to the people you need.

STEP-6: Open Server Extensions. I prefer using .exe files, because they can be crypted. Most crypters don't
support .bat/.pif/.com etc., so use .exe files.

STEP-7: Open Server Icon. You can select the one you want to use with the server from the small pictures on the
menu. You can use an icon from your computer also. Press the "Choose new icon" button.

STEP-8: After this, press "Create server"; your server will be in the same folder as ProRat. A new file with
the name "binded_server" will be created. Rename this file to something describing the picture.

[NOTE: PLS DO NOT OPEN THE FILE "binded_server" on your system.]

STEP-9: Sending the file "binded_server" to the victim. You can send this trojan server via email or pendrive, or
if you have physical access to the system, go and run the file.

From EMAIL, you cannot send this file as it is, because it will be detected as a TROJAN OR VIRUS. Password-protect
this file with ZIP and then email it. Once your victim downloads this ZIP file, ask him to unlock it using the ZIP
password. When the victim double-clicks on the file, he will be in your control.

STEP-10: Connecting to the victim's computer. Once the server has been sent and the person has opened this ZIP
folder, they will be infected with it, AND HAVE NO CLUE ABOUT IT! At the top of the ProRat program you
will see a box in the upper left corner. Type in the victim's IP address and make sure the port is 5110. Now
press Connect. You should now see a pop-up box asking for a password. Remember the password you entered
while creating the server? That is what you need to type. By default, it is "123456" without quotes.

STEP-11: Check your email (the junk folder if needed) and find the "Your victim is online" message. Copy and paste
the IP address into ProRat where it says "IP:[127.0.0.1]". Press CONNECT. DO NOT CHANGE THE PORT; if you did,
change it back to 5110. Type in the password (the default is usually 123456; it is in the email). You're done;
now you can mess with the buttons on the program, especially the GIVE DAMAGE button. It will damage their PC by
formatting it and will make the computer useless.
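Steps 10 and 11 above turn on one fact a defender can use: the ProRat server listens on a fixed TCP port (5110) for the operator's client, and the Lost Door post earlier on this page describes a server that connects out to a fixed port (2185). The script below is an added example for this page, not code from the original post or from either tool; it parses a constructed `netstat -ano`-style listing and flags sockets matching those two port indicators. The sample rows, PIDs and addresses are made up for the example, and the port-to-tool mapping is an assumption limited to the defaults the posts describe.

```python
import re
from collections import namedtuple

# Fixed ports named in the posts on this page: ProRat's server listens on
# TCP 5110 for the operator's client, and the Lost Door server makes a
# reverse connection out to TCP 2185. An operator can change these, so a
# hit is a triage lead to investigate, not proof of infection.
RAT_LISTEN_PORTS = {5110: "ProRat (default control port)"}
RAT_CALLBACK_PORTS = {2185: "Lost Door (reverse connection)"}

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# Constructed sample in the layout of `netstat -ano` on Windows. The remote
# addresses are documentation ranges; the two suspicious rows are made up
# to match the ports described above.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:5110           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49812     203.0.113.7:2185       ESTABLISHED     2744
  TCP    192.168.1.20:49901     198.51.100.10:443      ESTABLISHED     4120
  UDP    0.0.0.0:5355           *:*                                    1208
"""

# One TCP row: local addr:port, foreign addr:port, state, PID.
_TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text: str) -> list:
    """Parse the TCP rows of netstat -ano output; UDP and header rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = _TCP_LINE.match(line)
        if not m:
            continue
        lip, lport, rip, rport, state, pid = m.groups()
        conns.append(Conn("TCP", lip, int(lport), rip, int(rport), state, int(pid)))
    return conns


def flag_rat_connections(conns) -> list:
    """Return (pid, reason) pairs for sockets that match the RAT port indicators."""
    findings = []
    for c in conns:
        if c.state == "LISTENING" and c.local_port in RAT_LISTEN_PORTS:
            findings.append((c.pid, f"listening on {c.local_port}: {RAT_LISTEN_PORTS[c.local_port]}"))
        elif c.state == "ESTABLISHED" and c.remote_port in RAT_CALLBACK_PORTS:
            findings.append((c.pid, f"outbound to {c.remote_ip}:{c.remote_port}: "
                                    f"{RAT_CALLBACK_PORTS[c.remote_port]}"))
    return findings


if __name__ == "__main__":
    for pid, reason in flag_rat_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {pid}: {reason}")
```

The PID in each finding is the pivot: map it to its image path and autorun entry, because the port alone is weak evidence and a listener on an unusual port with a system-looking name in system32 is the pattern worth escalating.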


FAQ:

Q: Error message: "Windows cannot access the specified device, path, or file. You may not have the appropriate
permissions to access the item." What do I do?
A: Simple! Delete the ProRat program. Delete it. What happened was that your AV altered the file, or it could be
malicious content. Either way, delete it. NEXT, remember the file you downloaded? Extract the file again and
re-run it. You will not need to remake a server file and such if it has already been sent to the victim. Just open
ProRat and make sure your AV is shut off. Reconnect. There ya go.

Q: What operating systems are supported by ProRat?
A: Windows 95/95B
Windows 98/98SE
Windows ME
Windows NT 4.0
Windows 2000
Windows XP
Windows Vista

Q: When I downloaded ProRat, my antivirus detected it as a virus. What should I do?
A: Well, since RATs are hack tools, and all hack tools are detected as viruses, ProRat is detected as a virus
too. To download and install ProRat you will need to turn off your anti-virus.

Q: What should I do after I install my server?
A: After you install your server, you should spread it. A few years back I installed my server manually in
1000's of cyber cafes in my city. I hacked almost the entire city's cafe users' secret information. This is the
best way. Go to the nearest cyber cafes and manually install your trojan server.

Q: I've created a server, but I don't see it in the directory. Why?
A: That's caused by your antivirus. The server is detected, and it won't allow it. I suggest you remove your
antivirus if you are going to use RATs.

Q: I've sent my server to a friend on MSN, but he doesn't connect.
A: That's because he has an antivirus or firewall and it won't let him connect to your RAT. To make it
FUD (Fully Undetectable), you should use a crypter.

Q: Is ProRat illegal?
A: No. ProRat is a legal RAT. The author of ProRat created his program for legitimate purposes, and there are
many legal uses; for example, parents can use keyloggers to protect their children from online abuse. Some people
use it for stealing passwords, credit cards and more, but it is not the software which breaks the law but the
person who uses it.

Q: Can ProRat be used for legitimate purposes?
A: Yes. You can monitor your children's online activity to make sure they don't visit pornographic websites.
You can find out if someone uses your computer while you are away, ensure no one is accessing your personal
files while you are away, and more.

Q: How do I make my server FUD?
A: You should use a binder or crypter. Also check the links below on how to make a trojan or keylogger fully undetectable by antivirus.
THIS TUTORIAL HAS BEEN CREATED WITH THE HELP OF AN UNDERGROUND HACKER flAmingw0rm. THANKS TO YOU MAN TO MAKE
THIS POSSIBLE.

Readers, we don't want any thing from you in return except a thanks. Pls comment here so that we can post
better contents and improve the stuff quality.

Saturday, August 6, 2011

How to bypass anti virus? Make Keylogger and Trojan Fully Undetectable (FUD) using Xenocode

This article has been posted by our fellow members Mr.Amey Anekar, Mr.Rahul and Mr Sachin.

Well, making a trojan is very easy nowadays using tools such as LostDoor, Poison Ivy, etc. But the real challenge is to get the trojan past a system's antivirus. Here's a post on the same. Here we used a virtual application creator, Xenocode, which is famous for creating portable applications. It kind of encrypts our trojan, and if we further bind our trojan with another exe, it is bound to be executed by the victim. I'll surely post on binding in my next post.

The encrypted trojan does not match with the virus definitions in the antivirus and hence is rendered undetected.

Also I would like to tell you that we are working on making our own video tutorials. We have already downloaded Camtasia Studio for that purpose, so very soon we'll be posting video tutorials narrated by me. I'll surely mail you the link as soon as we upload any such tutorial.

The video tutorial for how to use this tool is available here

Make Trojan Fully Undetectable (FUD) using Xenocode

A few weeks ago, we posted on how you can make your trojan using LostDoor. But the problem with the trojan so formed is that it is detected by almost all AV software. We know that after learning to make your own trojan, the next thing you must have exhausted your bandwidth searching for is: "How to make a Trojan undetectable?" Well, here is the answer.

First of all you'll have to download Xenocode (never heard of it? Google it. This may help you: http://www.xenocode.com/Technology/).
Xenocode is a set of application virtualization and portable application creation technologies developed by Code Systems Corporation. Applications are packed into single executable files that can be executed instantly on any Windows desktop (so-called "portable apps"). The technology therefore emulates only the operating system features that are necessary for the application to run. Applications can be deployed using existing infrastructure, software deployment tools, the web or USB keys. The virtualized application runs independently from other software that is installed on the host PC, so there are no conflicts between different versions of DLL files.

Well, reading the above introduction must have acquainted you with the Xenocode application. You might be wondering how this application will help you in making your Trojan undetectable.

Xenocode creates a virtual operating system for processing the files you have virtualized and hence it completely overwrites your code. As you may know, AV software uses virus signatures to identify viruses. There are ways in which you can make a trojan undetectable by modifying the hex code, but it is very tedious. Using Xenocode reduces the pain to a negligible level. The only pain you will have is to grab a full version of the application. Keep in mind that the trial version of Xenocode does not create virtual applications: when you click on the build button, it will prompt you to purchase a license. We hope you understand what we mean to say implicitly.

After you download Xenocode, give your trojan as the input. Now click on the build button and then specify the location where the output file must be saved. The file so formed is your undetectable Trojan. You can try scanning it with your local AV, or if you want to see how far you've gone, upload the file to http://scanner.novirusthanks.org/. It will provide you results after scanning your file with 20 different AVs. Our score for this test was 0 out of 20. No AV detected it and the file still works fine.
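The post's point is that wrapping a known binary in a virtualization or packing layer defeats signature matching, because the bytes the AV has a signature for are no longer visible. The defender's counterpart is a heuristic that does not depend on signatures: packed or encrypted payloads have byte entropy close to the 8-bit maximum, while ordinary code and strings sit well below it. The script below is an added example for this page, not code from the post or from Xenocode; it computes windowed Shannon entropy over two constructed blobs (one imitating plain code and strings, one built from a seeded PRNG to stand in for an encrypted payload) and flags the high-entropy one. The threshold and window size are assumptions chosen for the example.

```python
import math
import random
from collections import Counter

# Entropy above this is treated as "probably packed or encrypted". Plain
# code and text usually sit below 6.5 bits/byte; compressed or encrypted
# data approaches 8. The value is an assumption for this example.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = 1024) -> list:
    """Entropy of each fixed-size window, so a small packed payload inside a
    larger benign-looking file still stands out instead of being averaged away."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD, min_fraction: float = 0.5) -> bool:
    """True when at least `min_fraction` of the windows exceed the entropy threshold."""
    ents = chunk_entropies(data)
    if not ents:
        return False
    hot = sum(1 for e in ents if e > threshold)
    return hot / len(ents) >= min_fraction


# Constructed samples (not real executables): a "plain" blob that imitates
# readable code and import strings, and a "packed" blob from a seeded PRNG
# that stands in for an encrypted payload.
PLAIN_SAMPLE = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" * 40
                + b"kernel32.dll GetProcAddress LoadLibraryA ExitProcess " * 60)
_rng = random.Random(20110806)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(8192))


if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        ents = chunk_entropies(blob)
        print(f"{label}: {len(blob)} bytes, max window entropy {max(ents):.2f}, "
              f"packed={looks_packed(blob)}")
```

Entropy alone produces false positives on legitimately compressed resources, embedded certificates or media, so in practice it is combined with other signals (unusual section names, tiny import tables, a stub that unpacks into memory) rather than used as a verdict on its own.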

Full Version Xenocode download link :- http://bit.ly/djy2ol



If you face any problem while using this tool OR find any broken link on this blog, report it to us on amarjit@freehacking.net. You can also leave a comment here.
