Malware protection can be deployed to reduce the likelihood of a Trojan attack. Within the Rogue VM, the Angry IP Scanner program is no longer able to detect the Client VM as having an open port. Within the Firewall, the ‘Service Firewall’ rules in the Inbound Rules can be disabled to stop access from the Rogue VM. The ini source file can be located through left-clicking the entry, and opening the ini.vbs in Notepad. Within the Client VM, in the start-up tab of the Task Manager, Odysseus has added an entry called ‘ini’ that executes when the user logs in. It was however unsuccessful as I was not logged in to the Client Admin user, which is the how this Trojan’s backdoor works, rather than at system or kernel level. I attempted to use the PuTTY access from Rogue to Client after restarting the Client VM. This command powered off the Client Vm, proving that the connection was enabled.
I was, however, able to prove the remote access from Rogue to Client through the command: shutdown /r. I attempted to create the diary.exe and reattempt the command through the Rogue VM, but was unable to do. Back within the Rogue VM, I attempted to input the command line, but was unable to do so as the diary.exe does also not exist. This too was immediately deleted by Windows Defender, until I turned it off. Instead, I created the test file within the Client VM. is nothing more than a text file that contains the text: This text is designed to output the message “EICAR-STANDARD-ANTIVIRUS-TEST-FILE!” The file was unable to be downloaded as my antivirus recognized as a virus and removed it before it was able to fully download.
NETCAT WINDOWS BACKDOOR SOFTWARE
After a brief search online, I was able to determine that is a test file used to check whether an antivirus software is working. However, this command did not work, as the file was not present in the Client VM. The purpose of the command prompt was to input the following command:Ĭd \windows\system32 dir copy c:\GTSLABS\ %homepath%\documents\diary.exe shutdown /r This then connects to the Client command prompt:
The Client’s IP address, 10.1.0.130, is used in the Host name box, and the connection type is set to raw. The terminal emulation client called PuTTY is used to connect to the Client from the Rogue VM.
As there are three VMs within the network, the scan finds three alive hosts, with the Client host (underlined) containing the open port. For this lab, the scanner settings are for local subnets with port 4450 open as this is the port that Trojan is using. Within the Rogue VM, there is the network scanning tool, called Angry IP Scanner. The program allows remote machine access to command prompt on Client. The ‘nc’ task is the backdoor application known as Netcat, that holds the same privileges as the looged-in user, which for this case is administrative privilege.
0 kommentar(er)
