
MetaTrojanDemo

The information contained in this page is for educational purposes, but you are free to do whatever you want with it…

Author : Alexandre Dulaunoy

The purposes of the MetaTrojanDemo are:

[::Initial Trojan prototype ]

The code was made for a presentation in the Grand-Duchy of Luxembourg taking place on 24 March 2005.

These subjects were covered during the presentation to non-technical people :

The prototype was coded by Alexandre Dulaunoy in less than 10 hours, following a discussion with Fred Arbogast about a possible simple communication mechanism to bypass a firewall.

[::Technical Detail of the Initial Trojan Prototype ]

The first prototype (v0.0.1) has been coded in Perl. The client was expected to run on a proprietary Windows platform and the server on a GNU/Linux operating system. The client Perl code was compiled with the ActiveState PDK to avoid depending on a Perl interpreter on the client system.

The communication mechanism is XML-RPC over HTTP. Communication is always initiated by the client, and the client does not listen on a UDP or a TCP port. From the firewall's perspective, the communication comes from the local PC only. The application layer is a "stock watch" application, which means that the client needs a connection to the Internet to update its stock list. The communication layer is composed of two parts: the application part (the visual functionality of the application) and the trojan part. Both parts are encrypted (with TEA, using a private shared key $PSK) so that nobody can easily see the two parts on the network.

Perl modules required: RPC::XML::Server, Crypt::Mimetic, Digest::SHA1, String::Random, MIME::Base64

The server starts and listens on a TCP port for incoming XML-RPC requests. When a trojan tries to connect, the server generates a new unique identifier (which is also sent to the client itself). After the trojan has sent its hello with the identifier, there is one directory per trojan in ../var/trojan/<id>. You can send commands by writing a 'command' file in the directory of the targeted trojan. The result is written to a result file in the corresponding trojan directory.

The market-tr application is a small tray application displaying the quotes received from the server. Behind the scenes, the client executes the commands sent by the server and pushes the results at the next fetch of the quotes.
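Seen from the defender's side, the design above leaves a recognisable pattern at an HTTP proxy: one client polling one host with XML-RPC calls whose parameters are opaque. The following Python is an added example, not part of the original page or of the MetaTrojanDemo code, that flags such client/host pairs in proxy records. It assumes the proxy logs request bodies, that the encrypted payload travels base64-encoded in a string or base64 parameter, and that polling is roughly periodic; the method name, addresses, host and records are constructed.

```python
import base64, hashlib, math, re, statistics
from collections import Counter, defaultdict

PARAM = re.compile(r"<(string|base64)>([^<]+)</\1>")  # regex, so no XML entity expansion

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def opaque_params(body: str, min_len: int = 32, min_entropy: float = 4.5) -> int:
    """Count XML-RPC params that base64-decode to long, high-entropy bytes."""
    if "<methodCall>" not in body:
        return 0
    hits = 0
    for _, text in PARAM.findall(body):
        try:
            raw = base64.b64decode(text.strip(), validate=True)
        except ValueError:          # not base64: an ordinary readable parameter
            continue
        if len(raw) >= min_len and entropy(raw) >= min_entropy:
            hits += 1
    return hits

def find_beacons(records, min_events=4, max_jitter=0.2):
    """records: (epoch_seconds, client, host, body). Flag steady opaque pollers."""
    seen = defaultdict(list)
    for ts, client, host, body in records:
        if opaque_params(body):
            seen[(client, host)].append(ts)
    flagged = []
    for key, times in seen.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if (len(times) >= max(2, min_events)
                and statistics.pstdev(gaps) <= max_jitter * statistics.mean(gaps)):
            flagged.append(key)
    return sorted(flagged)

def _call(param):  # constructed request body; the method name is hypothetical
    return f"<methodCall><methodName>getQuotes</methodName><params><param><value><string>{param}</string></value></param></params></methodCall>"
def _blob(i):      # constructed stand-in for an encrypted, base64-encoded payload
    return base64.b64encode(hashlib.sha512(str(i).encode()).digest()).decode()

# Constructed records: steady opaque poller, steady readable poller, irregular opaque sender.
SAMPLE = ([(1000 + 60 * i + i % 3, "10.0.0.5", "quotes.example", _call(_blob(i))) for i in range(6)]
          + [(1000 + 60 * i, "10.0.0.9", "quotes.example", _call("LUXX")) for i in range(6)]
          + [(t, "10.0.0.7", "quotes.example", _call(_blob(t))) for t in (1000, 1010, 1500, 1520, 3000)])
if __name__ == "__main__":
    print(find_beacons(SAMPLE))
```

The entropy and jitter thresholds are starting points to tune against local traffic; over TLS the same check needs an inspecting proxy or falls back to timing and size alone.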

for the binary and all the Meta Trojan files

[::Possible evolution of the Meta Trojan ]