Information Security, Web, Networks and Systems

Saturday, July 7, 2012

How to create a simple trojan horse (with ProRat)

1:28 PM Posted by Deepal , , 7 comments
Trojan horse is a malicious software which can come into your computer with a face of friendly or useful software appearance. It can be a setup program of a useful software or another file that seems to be a useful, but with a hidden spy or another malicious program in it. There is a bunch of software tools that can be used to create a trojan horse like malicious programs using them. One example is ProRat which is a RAT (Remote Administration Tool) can be used for Windows.

Required tools :
  1. ProRat Remote Administration Tool
  2. VirtualBox (or any other software that virtual machines can be created.) for simulation   purposes.

Step 1: Download ProRat
Download ProRat tool:
    You can download it from following URL as a compressed file. Extract it using the password "pro".
    Download : http://www.prorat.net/downloads.php


Step 2: Open ProRat
Open ProRat with an icon of a horse, but most antivirus programs will warn you this to be a malicious software. You may need to disable your anivirus program to continue running ProRat.
After opening ProRat you should see an interface like this.

       


In this post I hope to simulate the trojan horse using a local network connection with a virtual machine of Windows XP. Create a virtual machine of Windows XP using VirtualBox or any other software you use.

 You can download VirtualBox for Windows here,  
 http://download.virtualbox.org/virtualbox/4.1.18/VirtualBox-4.1.18-78361-Win.exe


 Step 3 : Create a ProRat Trojan Horse
     Click on the "Create" button at the bottom left of the ProRat user interface. And then select Create ProRat Server item.


  Then a window will appear like this.



 This Trojan Horse you are creating will act as a server run on the victims machine. It is like a network with you as the client and with the victim as the Server.When trojan is running on victim's machine, you can communicate with the victim's machine across the network using your machine with ProRat software. 


In the above window, you'll see a text box called IP(DNS) Address. This is the IP address of your client machine. In our case we use virtual network to simulate this, and we have to fill this box with the IP address of your virtual network adapter. Type ipconfig in your command prompt and enter the IP address of the virtual network adapter in the above text box.
    And you can enter your email address to get the notification when the victim gets infected. Leave other options alone.

Step 4 : General Settings
Then click on General Settings button at the left. You will see it as follows,


This window will allow you to choose the port through which you can communicate with the sever, and a password which is used to connect to victims machine. And there are many options that can be used to keep the server invisible on victim's machine and hidden from the task manager . In this case leave these data as they are and click on the button Bind with file.

Step 5 : Bind With file

The facility Bind with file will allow you to bind the server with a file that the victim sees as a useful file such as a setup file or another file. Select the checkbox and Select a file by clicking on the button to be bound with the server.(I use a setup file).



Step 6 : Server extentions
 Then click on the button Server Extensions on the left and you will see as the following. You can choose the final extension of your server file. Since I hope to create a trojan horse as a setup file I choose this as EXE.


Step 6 : Choose a server icon
As the final step of creating the server, you can choose an icon for the server from the list or browse for an icon. You can use an attractive icon that the server can disguise.


Finally click on the Create Server button to create the server file which is bound with the file you chose at step 5. You will be asked a question as follows. Click Yes and continue.(This message is because we use a local connection for testing purpose)



The file will be created in the ProRat folder.

Step 7 : Simulate the server (Trojan horse)
Start your windows xp virtual machine and copy the created file into that. Then run the infected setup file as a normal setup file. You may not notice any difference and the setup program will launch without any problem. But, when you run the infected setup file, prorat server will be installed in the background without giving any suspicious behavior.

Now go to your real machine and go to the ProRat user interface.


You'll see a box to fill and IP address, which is the IP address of the victim. Go to your virtual machine and get the ip address of the virtual network adapter and fill it in here. (You must make sure you can communicate with the virtual machine across the virtual network. Make the both ip addresses mentioned in this post are in the same network). And click Connect.

If all are ok, your computer will be connected to the victim's machine (here, virtual machine).

Now look at the options at the left in the ProRat window. Let's send a message to the victim.

Click on the button Messege.


Now type a message and click Send.


Now look at the victim's machine. :-o


There are many options given in the ProRat window. Try those and check the outputs. :-) Enjoy !