Malware 201
- In the next screen, enter a password that will be used to access the server. Note that passwords can be used, but you can also choose open authentication, which means anyone can gain access without having to supply credentials of any kind. Open authentication leaves the backdoor usable by anyone who finds the listening port, not only the attacker who planted it.
- When the wizard finishes, the server-configuration tool is populated with the information you entered.
- The server can be configured to start when the system starts up. This restarts the program every time the system is rebooted, so the attacker's access survives a reboot.
- Click Save Server to save the changes and commit them to the server.
Once the server is configured, it is ready to be installed on the victim's system.
No matter how the installation takes place, the only application that needs to be run
on the target system is the BO2K server executable. After it has run, the previously
configured port is open on the victim's system and listening for connections from the attacker.
The server also drops an executable named Umgr32.exe into the Windows system32 folder and
runs it. Additionally, if you configured the BO2K server to run in stealth mode, it does
not show up in Task Manager; it hides inside an existing running process, which acts as its
cover. If stealth was not configured, the application appears as a Remote Administration
Service.
The attacker now has a foothold on the victim's system.
Distributing Trojans
Once a Trojan has been created, you must address how to get it onto a victim’s system. For
this step, many options are available, including tools known as wrappers.
Using Wrappers to Install Trojans
Using wrappers, attackers can take their intended payload and merge it with a harmless
executable to create a single executable from the two. Some more advanced wrapper-style
programs can even bind together several applications rather than just two. At this point,
the new executable can be posted in a location where it is likely to be downloaded.
Consider a situation in which a would-be attacker downloads an authentic application
from a vendor’s website and uses wrappers to merge a Trojan (BO2K) into the application
before posting it on a newsgroup or other location. What looks harmless to the downloader
is actually a bomb waiting to go off on the system. When the victim runs the infected
software, the infector installs and takes over the system.
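How a simple wrapper works, and how its output can be spotted, as an added example written for this page rather than a reproduction of EliteWrap, Saran Wrap or any other tool's format. The binder appends the payload to the host executable and records the two lengths plus a SHA-256 digest of the payload in a trailer (the WRAP magic, the trailer layout and the helper names are assumptions for illustration; a real wrapper's stub would read this trailer at run time, drop the payload and run it). The second half parses the PE section table to find where the headers say the file ends, so that bytes appended past that point (an overlay) can be flagged and, if they carry this trailer, pulled back out. The host is a constructed, non-executable minimal PE, not a real program.

```python
"""Added example: a minimal wrapper (binder) plus an overlay check for its output.
Written for this page; not EliteWrap, Saran Wrap or any real tool's format."""
import hashlib
import struct

# Assumed trailer layout (illustration only): magic, host length,
# payload length, SHA-256 of the payload as the "redundancy check".
MAGIC = b"WRAP"
TRAILER = struct.Struct("<4sQQ32s")
SECTION_HEADER_SIZE = 40


def bind(host: bytes, payload: bytes) -> bytes:
    """Append the payload to the host executable and add a trailer.
    The host's own bytes are untouched, so the host still runs as before."""
    digest = hashlib.sha256(payload).digest()
    return host + payload + TRAILER.pack(MAGIC, len(host), len(payload), digest)


def unbind(bound: bytes) -> tuple[bytes, bytes]:
    """Split a bound file into (host, payload), verifying trailer and digest."""
    magic, host_len, payload_len, digest = TRAILER.unpack(bound[-TRAILER.size:])
    if magic != MAGIC or host_len + payload_len + TRAILER.size != len(bound):
        raise ValueError("not a bound file or trailer is corrupt")
    payload = bound[host_len:host_len + payload_len]
    if hashlib.sha256(payload).digest() != digest:
        raise ValueError("payload digest mismatch")
    return bound[:host_len], payload


def pe_declared_end(data: bytes) -> int:
    """Offset just past the last raw section claimed by the PE headers.
    Bytes beyond it are overlay: present in the file, referenced by no section."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size           # section table follows the optional header
    end = table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * SECTION_HEADER_SIZE + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def overlay(data: bytes) -> bytes:
    return data[pe_declared_end(data):]


def scan(data: bytes) -> dict:
    """Triage signal, not a verdict: installers, self-extracting archives and
    Authenticode-signed files legitimately carry overlays too."""
    extra = overlay(data)
    has_trailer = len(extra) >= TRAILER.size and extra[-TRAILER.size:].startswith(MAGIC)
    return {"overlay_bytes": len(extra), "wrapper_trailer": has_trailer}


def make_fake_pe(section_bytes: bytes) -> bytes:
    """Constructed, non-executable minimal PE with one section (test input only)."""
    e_lfanew = 0x40
    opt_size = 0
    raw_ptr = e_lfanew + 24 + opt_size + SECTION_HEADER_SIZE
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0)
    section = (b".text\0\0\0"
               + struct.pack("<IIII", len(section_bytes), 0x1000, len(section_bytes), raw_ptr)
               + b"\0" * 16)
    return dos + coff + section + section_bytes


if __name__ == "__main__":
    host = make_fake_pe(b"\x90" * 32)
    bound = bind(host, b"constructed payload blob")
    print(scan(host))
    print(scan(bound))
    print(unbind(bound)[1])
```

The overlay check is the useful half for a defender: a clean build has no bytes past its last section, so a sizeable overlay on a file that claims to be a plain vendor download is worth a closer look, while a matching trailer magic would be a direct signature for this particular binder. Because signed binaries and installers also keep data past the last section, treat the size alone as a reason to inspect, not as proof of wrapping.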
Some of the better-known wrapper programs are the following:
■ EliteWrap is one of the most popular wrapping tools, due to its rich feature set that
includes the ability to perform redundancy checks on merged files to make sure
the process went properly and the ability to check if the software will install as
expected. The software can be configured to the point of letting the attacker choose
an installation directory for the payload. Software wrapped with EliteWrap can be
configured to install silently without any user interaction.
■ Saran Wrap is specifically designed to work with and hide Back Orifice. It can bundle
Back Orifice with an existing program into what appears to be a standard program
packaged with InstallShield.