Science Forums > Physical Sciences Forums > Computer Science and Technology
07-30-2005, #1, posted by bwaqas (Curious)
Kadir Basol Devastator - A Trojan

Has anyone heard about this trojan?

The details of this Trojan are:

The KBD program was invented at the end of 1999. It has been used to control many web
servers & IT computers.
At the end of 2001 the program was served on personal computers.
Now, it has passed many Trojan programs like Sub7, Netbus & so on...
because the program captures any computer without sending any file.
It uses ActiveX technology for Windows systems. For Linux systems, it
uses normal jar files & when the program infects Linux systems, it
cannot be stopped by the system administrator & it is the first Trojan for cell
phone systems. We put some limits on this program to prevent some potential dangers.


The abilities of this program are shown below:

- You can access the file system of the infected computer.
- You can zip or extract any file on the host's computer.
- You can access any computer behind a proxy or behind any network.
- You don't need to know what IP address the infected computer is using.
- Not being recognized via the applet.
- You can capture any packets that are on the local network or local computer.
- You can send fake mails & can mail-bomb any user on any POP3 or web server.
- Protocol resolvers.
- Encrypted chat.
- You can
- You can send fake UDP packets on behalf of any IP address.
- You can capture computers which are not only Windows machines.
(Linux, Macintosh, Solaris, cell phones etc... Java-supported platforms)
- Firewalls cannot detect the connections on applets.
- For now, it cannot be detected by any antivirus program.


Restrictions of the program:
- Skipping virtual machine security
- Jumping any firewall's security
- Infecting on a local network like a virus (NETBIOS only)
- Detecting the telephone number of a user who is using a modem connection


System requirements for good performance:
- 700 MHz CPU
- 128 MB RAM
The client mustn't be behind a proxy or behind a network.
If the client is behind a network or behind a proxy, the user must use the
Bridge program. We will explain the usage of the program later.


The usage of the program:
When you extract the files in the KBD.zip file, there will be at least 8 files in it.
All the file names are shown below:
1-) KBDClient.jar (the client part of the program)
2-) Winpcap.exe (plug-in that must be installed for the client)
3-) Macromedia.class (server part)
4-) tt2.html (server part)
5-) tt.html (server part)
6-) index.html (server part)
7-) RegistryAPI.class
8-) Monk.class

If you don't have the Sun Java 2 Virtual Machine 1.4 or higher, you must first install the Virtual Machine
in order to use the KBD Client & protect your system from Vandals.
It is more secure than the Microsoft Java Virtual Machine.

I am giving you the Java 2 Virtual Machine link which you must have:
http://www.czilla.org/DOWNLOAD/j2re-1_4_0-win-i.exe

After you have installed the Virtual Machine, extract the KBD.zip file, then first execute the
winpcap.exe file & install it on your computer. The file named KBDClient.jar is the client file.
JAR files work like exe files for Java. They are interpreted by the Java Virtual Machine.
Extract the KBDClient.jar file and double click on it. The program should open within
5-15 seconds. If it doesn't open, you must restart the computer & try it again.
If you have restarted your computer and the jar file is still not working, you must do some DOS work:

---IF THE PROGRAM DID NOT WORK ON DOUBLE CLICKING IT---

C:\WINDOWS>_
For example the KBDClient.jar file is in C:\KBD Directory

so we are trying to apply these commands :
--COMMANDS--
C:\WINDOWS>cd..
C:\>cd KBD
C:\KBD>java -jar KBDClient.jar
--END OF COMMANDS--

WARNING: the command "java -jar KBDClient.jar" is case sensitive; do not write KBDClient.jar
as kbdclient.jar or KBDCLIENT.JAR!

After you have successfully run these commands,
this message will appear on the DOS screen:

JVM Invoked.
Please wait...

If an error message like this appears:
Exception in thread "main" java.lang.NoClassDefFoundError: KBDClient
execute the program by using this command: "java -classpath . -jar KBDClient.jar"

Then the program will start to work within 5-15 seconds.
----END----

We have learned how to start the Client file.

Now, I am explaining to you how to configure the server file:
Open the KBD Client, then at the top menu click on Edit, then click on

Edit HTML.
You will see a new dialog. This dialog encrypts your IP address & ports in the HTML file so the victim
cannot see your IP address & other important configurations in the HTML code.

Your IP address: You must enter your current IP address in this place.

Select port: You must give a number between 1-65535. I recommend you to use one between 1024-65535, except
number 80. Ports 80 and 8080 are recommended to use; remember the number you have given. You will use this number later.

Redirect to: the website the user will be sent to after going into your website:
Example: http://www.google.com
When the user goes to your website, he/she will be redirected to www.google.com

Auto Control URL: This is the best ability of KBD Vandal. If you have a static IP address,
AutoController can be disabled; if you are using a dial-up modem or a dynamic IP address, you can enable
AutoController. If you enable it, the TextField will also be enabled. You will write a URL (website)
in this TextField. This URL can be controlled by yourself.
For example:
Your website is: http://www.geocities.com/tr_melis
You can write in the TextField: http://www.geocities.com/tr_melis/Control.txt
or http://www.geocities.com/tr_melis/AAA.txt
or http://www.geocities.com/tr_melis/PPP.dat
It is your choice which file you want to use.

What is that? Why do we use this URL?
You will enter your computer's current IP address in these files. Any time the victim connects to the
internet, they get your current IP address from this website & try to connect to your computer.
They check this URL every 2 minutes until you have connected to them.

WARNING: You must write your IP address when you want to connect to
the user & AutoController is selected as true.

By using this technique, although you have a dynamic IP address, you can catch the victim any time
he/she is connected to the internet.

After you have done all the configurations,
click on the Convert button; then the encrypted code will appear in the text area.
Select all the code, then press Ctrl+C to copy the code, then paste this code into the
tt2.html file by opening tt2.html in Notepad.

Then send these files to your website:
tt.html
tt2.html
index.html
Macromedia.class
Monk.class
RegistryAPI.class
For example, your website is: http://www.geocities.com/tr_melis
Send these files to this website's main site, then open the KBD Client.
At the top of the menu click on Edit, then select the Connect option.
Select your mode as "Super Devastator", write the port which you have given
in the server configuration & click on OK.
Then send your victim to this website.
When the victim enters your website, in the list at the right
the user name of the victim & the IP address of the user will appear.
Anyone who enters your website will be added to the list on the right.
When you want to enter the victim's computer, right click on the user which you
want to connect to, then click on "connect this host".
After you have connected to the user's computer, the left side of the program will show the
victim's computer; the right side shows yours.
Now you are ready to control the user's computer.
If you want to transfer files (download, upload), you can do it by
using the drag & drop utility. If you want to make downloads faster, you
can do it by compressing files on the host's system before downloading them directly.
You can zip/unzip files by right clicking on the file at the left side.

If you are behind a proxy or behind any network, you must use Bridge in order to use KBD Vandal.
You can also use BridgeW in order to use someone's (victim's) computer as a proxy.
From now on, try to solve other things by yourself. I have no time to explain more & more functions of
the program.

If you have any problems connecting to people's computers, try with
AutoController disabled.

Have fun ;o)

KADIR & KERIM BASO
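Added example, not code from the post above or from the KBD program. The README says an infected host fetches a fixed "Auto Control URL" every 2 minutes to learn the operator's current IP, which is a dead-drop resolver. Whatever the HTML dialog does to hide the IP, that poll leaves a timer-regular series of tiny responses in any web-proxy log, and that regularity is what this script hunts for. The log line format, the client IPs, and the thresholds (minimum hits, allowed jitter, maximum response size) are assumptions made for this example; the URL reuses the README's own example.

```python
"""
Hunt for fixed-interval "dead drop" polling in web-proxy logs.

Added example, not code from the original post or from the KBD program.
The log format below is constructed for this example, and so are the
client IPs; the URL reuses the README's own example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed format: "<ISO timestamp> <client ip> <method> <url> <status> <bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "url": m["url"],
        "status": int(m["status"]),
        "bytes": int(m["bytes"]),
    }


def find_beacons(lines, min_hits=5, max_jitter=0.15, max_bytes=512):
    """Return [(client, url, median_gap_seconds, hits)] for every (client, URL)
    pair fetched at a near-constant interval with small responses."""
    stamps = defaultdict(list)
    sizes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["url"])
        stamps[key].append(rec["ts"])
        sizes[key].append(rec["bytes"])

    found = []
    for key, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= 0:
            continue
        # Relative spread of the gaps: human browsing is bursty (large),
        # a timer-driven poll is nearly constant (small).
        jitter = statistics.pstdev(gaps) / median_gap
        if jitter <= max_jitter and statistics.median(sizes[key]) <= max_bytes:
            found.append((key[0], key[1], median_gap, len(times)))
    return found


# Constructed sample: 10.0.0.23 polls Control.txt every ~2 minutes; the rest is
# ordinary browsing with irregular timing and larger responses.
SAMPLE_LOG = """
2005-07-30T10:00:00 10.0.0.23 GET http://www.geocities.com/tr_melis/Control.txt 200 14
2005-07-30T10:00:05 10.0.0.45 GET http://www.google.com/ 200 5212
2005-07-30T10:00:09 10.0.0.45 GET http://www.google.com/ 200 5212
2005-07-30T10:00:40 10.0.0.23 GET http://www.google.com/ 200 5212
2005-07-30T10:02:01 10.0.0.23 GET http://www.geocities.com/tr_melis/Control.txt 200 14
2005-07-30T10:03:40 10.0.0.45 GET http://www.google.com/ 200 5212
2005-07-30T10:04:00 10.0.0.23 GET http://www.geocities.com/tr_melis/Control.txt 200 14
2005-07-30T10:05:59 10.0.0.23 GET http://www.geocities.com/tr_melis/Control.txt 200 14
2005-07-30T10:07:15 10.0.0.23 GET http://www.google.com/ 200 5212
2005-07-30T10:08:02 10.0.0.23 GET http://www.geocities.com/tr_melis/Control.txt 200 14
2005-07-30T10:10:00 10.0.0.23 GET http://www.geocities.com/tr_melis/Control.txt 200 14
2005-07-30T10:11:00 10.0.0.45 GET http://www.google.com/ 200 5212
2005-07-30T10:11:02 10.0.0.45 GET http://www.google.com/ 200 5212
"""


def demo():
    """Run the hunt over the constructed sample and return the hits."""
    return find_beacons(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for src, url, gap, n in demo():
        print(f"{src} fetched {url} {n} times, median gap {gap:.0f}s")
```

The check works on the fixed URL and the fixed timer, not on the attacker's IP, so it survives the HTML obfuscation the README is proud of. In real logs the same shape is produced by legitimate pollers (update checks, webmail inbox refreshes), so the output is a list to triage, and the jitter threshold is the knob that trades misses for noise.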
07-30-2005, #2, posted by alexander (Dedicated Smart-ass; Senior Moderator, Gallery Curator, Dev Team Member; Location: Just before 0xAA55)
Re: Kadir Basol Devastator - A Trojan

I am very skeptical about this. Windows, I won't argue, but Linux and Mac I will.
Perhaps you don't know how anal Linux and BSD people are about the security of their OS. I'm sure that there was a patch a few days after the release of the virus that blocked at least some of its effects, and there have been a lot of patches to the JRE as well, so I'd be really surprised if it still works. Oh, and lastly, .jar files are not something common on any of my systems, so...
But perhaps the most skepticism is towards the "administrators can't disable the effects" part of that. Perhaps the writers do not know the OS all that well, but in Linux root is God and can do anything and everything, and there is no greater power than root. Plus it might work on OS 9, but I'll be very surprised if it was anywhere near working on OS X; it is a completely different and new OS that is BSD-based, and is the most secure OS, or one of the two, of 2004.
And I wonder whether it affects the Blackdown Java engine...
07-30-2005, #3, posted by C1ay (¿42?; Administrator, Senior Editor, Editor; Location: 33.78N 84.66W)
Re: Kadir Basol Devastator - A Trojan

Quote:
Originally Posted by bwaqas
For the Linux systems , it
is using normal jar files & when the program infects on Linux systems , it
cannot be stopped by the system administrator......
It would need root access to accomplish this so only those with root access like the system administrator could even install it. It looks like some script kiddy's imagination to me.


----------------
Clay

Editor and Forum Administrator
stego anyone?
"There are only 10 kinds of people in the world --
.....Those who understand binary, and those who don't."
"Draw no conclusions before their time."
07-30-2005, #4, posted by Turtle (Percipient; Platinum Subscription, Sponsor)
Re: Kadir Basol Devastator - A Trojan

Thanks Alexander & C1ay! This is the kind of stuff that I don't understand & yet it fuels my paranoia to the point that I might delete all my graphs on this machine because I thought somebody is having their way with them. I have done so before for less.
You Kadir Basol Devastator guys better step off!


----------------
semantics is not always just pedantic quibbling. ~ douglas r. hofstadter
08-01-2005, #5, posted by alexander
Re: Kadir Basol Devastator - A Trojan

Here is the best way to protect your box from all of this stuff:
Way #1: dismantle your machine, and bury all the pieces 2 miles beneath the desert floor, each attached to a motion-, temperature- and vibration-triggered nuke.
Way #2: for those that still need to use their computer and just can't resort to way one:
1) trash Windows and set up a Gentoo stage 1 install with the SE patch set, a properly set up firewall, and preferably as few services running as possible (ssh should be fine, as long as you set up public key / private key)
2) don't be stupid and open random email attachments from anyone
3) update your box every day
4) run 3-4 rootkit sniffers
5) redownload and rebuild core system packages completely with a cron job, every week
6) oh, and keep track of md5 sums on your other built packages and check those once a week to make sure nothing is compromised

Quote:
Originally Posted by clay
It would need root access to accomplish this so only those with root access like the system administrator could even install it. It looks like some script kiddy's imagination to me.
Well, one, it might have a rootkit that comes with the package, so the root access problem will be solved, or two, I think that it might try to use improperly set up privileges to try to accomplish its installation tasks, once again bypassing the security measures. But in both cases, it is your fault to get infected, as most Linux machines don't have many running services, so the only way for the virus to make it into your system is by the user downloading it him/herself and running it; chances are that you'd be told to run it as root, in which case the program uses the biggest system vulnerability, which is people. Oh, and I still stand by the fact that system admins can do things to kill the virus; worst comes to worst, removing and reinstalling the Java runtime environment should fix the problem... (Oh, and here you strike nothingness with servers, as most don't run Java anyways, so... I'll stand by what I said in my other thread and say that if you want to get into someone's computer, why don't you learn to do it the real way, confined only by your imagination, not through a program that confines you in a small black box that you can do nothing to...)


----------------
Microsoft, the leader in using innovative tactics to promote irksome experience, coupled with antiquated technology that's held together by a pyramid of makeshift afterthoughts.

Apple, the leader in using irksome tactics to promote innovative experience, coupled with an antiquated core that's enhanced by state-of-the-art afterthoughts.

Linux, the leader in not using any tactics to promote user-defined experience, coupled with state-of-the-art core enhanced by innovative afterthoughts.

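Added example, not code from the post above or from any tool it names. Item 6 of that list (keep checksums of your built packages and re-check them once a week) is a file-integrity baseline; this script is one way to build and verify one. It records a SHA-256 digest (my choice here instead of MD5), size and mode for every regular file under a directory, stores the baseline as JSON, and later reports files that were added, removed or modified. The directory layout, file names and contents in demo() are constructed for the example.

```python
"""
File-integrity baseline and check.

Added example, not code from the thread. Records a SHA-256 digest, size and
mode for every regular file under a directory, stores the result as JSON, and
later reports added, removed and modified files. The tree built in demo() is
constructed for the example.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, size, mode} for every regular file under root.
    Symlinks are skipped so a swapped link cannot point the check at a clean copy."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_file(full),
                             "size": st.st_size, "mode": st.st_mode}
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check(root, baseline):
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(current) & set(baseline)
        if current[p]["sha256"] != baseline[p]["sha256"]
        or current[p]["mode"] != baseline[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it the way a
    rootkit would (replace ps, drop a new binary, delete a file)."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        files = {"bin/ls": b"original ls", "bin/ps": b"original ps",
                 "etc/passwd": b"root:x:0:0::/root:/bin/sh\n"}
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        # The baseline lives outside the tree it describes; in practice keep it
        # off-host or on read-only media, or the intruder simply rewrites it.
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"trojaned ps that hides the backdoor")
        with open(os.path.join(root, "bin/kbd"), "wb") as f:
            f.write(b"new backdoor binary")
        os.remove(os.path.join(root, "bin/ls"))

        return check(root, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Build the baseline right after a clean install, keep the JSON somewhere the host cannot write to, and run check() from cron. The caveat a practitioner would want: a kernel rootkit lies to every userland tool, this script included, so a checksum pass is only as trustworthy as the kernel it runs on, which is the reason the post above pairs it with rebuilding packages from fresh downloads. AIDE and Tripwire do the same job with a wider set of file attributes.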
08-01-2005, #6, posted by nemo (Questioning; Location: denial)
Re: Kadir Basol Devastator - A Trojan

Quote:
Originally Posted by bwaqas
Has anyone heard about this trojan?
Yep.


Quote:
Now , it has passed many Trojan programs like Sub7 , Netbus & so on...
Nope. This little nasty wasn't quite as powerful as its creators had hoped. Turns out that if you have to specifically configure your machine to be as vulnerable as possible in order to infect it with this program, something better will have already 0wned the machine.

Quote:
It uses ActiveX technology for Windows systems.For the Linux systems , it
is using normal jar files & when the program infects on Linux systems , it
cannot be stopped by the system administrator & It is the first Trojan for cell
phone systems.
We desperately need an emoticon of Smiley saluting a brown flag.

Quote:
- Firewalls cannot detect the connections on Applets.
This would be because they use the force to communicate, as opposed to Internet Protocol?


Quote:
- Jumping any firewalls security
...in a single bound. It's because of the yellow sun.

Quote:
- Infecting on local network like a virus.(NETBIOS Only)
Many people consider NetBIOS to be a virus. I like to think of it as a Welcome mat.

Quote:
System requirements for good performance :
- 700 Mhz CPU
- 128 MB Ram
Finally, a use for that Aptiva!

Quote:
The Client musn't be behind a proxy or behind network.
l33t.

Quote:
---IF THE PROGRAM DID NOT WORK ON DOUBLE CLICKING IT---
...it has now achieved the "Designed for Windows" certification.

Quote:
From now on , try to solve other things by your self.I have no time to explain more & more functions of the program.
I'm putting this in the README file of the next program I write.


----------------
Needles in haystacks are less of a problem if you have an electromagnet the size of a Volvo.
08-04-2005, #7, posted by alexander
Re: Kadir Basol Devastator - A Trojan

I really liked all of that reply; I just don't want to spend hours typing another similar response.
I'll just focus on this:
Quote:
I'm putting this in the README file of the next program I write.
Awesome, I hope you post it here, lol, the Readme that is...


Copyright © 2000-2009 Hypography - Science for Everyone Network