Monday, January 18, 2010

Guptachar 2.0 (Remote Administration Tool)

A RAT, or remote administration tool, allows an admin to remotely administer a remote machine on the same IP network, including the internet. Other RAT tools include VNC viewer, Microsoft Remote Desktop, Back Orifice, NetBus etc. While all these tools are similar in many ways, and some have more features than others, they all require their own client software to administer the remote machines. Guptachar doesn't. Well, it does, but you already have it installed on your machine without actually doing so: it uses any web browser as its client software. You just point your browser to the IP/port combo of the remote machine and you're good to go. Also, Guptachar can only be installed on a Windows machine; however, you can still administer the Windows machine with any Linux web browser.

Download: http://packetstormsecurity.org/trojans/gupt2.zip

Download and unzip the contents. Open up a command prompt window, run makeqinst.exe and answer the accompanying questions. The program makes a server executable that, when run, installs as a backdoor. It provides some basic authentication and the listening port is customizable. The resulting executable would be copied to the target machine and then run.

Effects:
Opens up a port on the machine (confirm with netstat -an).
Name of executable in Task Manager is GPTCR2.exe.
Creates the following in the C:\WINDOWS directory: a GPTCRKL folder, GPTCR.nfo and GPTCR2.exe.
Creates a registry entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GPTCR2. Please note that the path written into this value is broken and does not point to the executable. I'm not sure why this was not fixed, but the registry key is useless unless you manually change it to the correct path of the GPTCR2.exe executable. This entry is what makes the backdoor start up when the machine is rebooted.
Update: It turns out that in the C code, the author used a fixed string length of 14 for the path, which results in "c:\windows\gpt". The fix would be to use a length of 21 (the length of "c:\windows\gptcr2.exe"), or let the C code find the length of the path instead of using a fixed length.
There may be one or two other registry entries; just search for them using "GPTCR" as the search query.
The keylogger log file is also created in the C:\WINDOWS\GPTCRKL\ directory and is called LOGFILE.key.
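As an added example (not part of the original post or of the Guptachar tool itself), a small Python check that runs over host inventory data and reports the indicators listed above: the dropped files, the GPTCR2.exe process, and the GPTCR2 Run value, noting whether that value still carries the truncated 14-character path. The inventory it is fed is constructed sample data, not a real host.

```python
"""Check host inventory data for the Guptachar 2.0 indicators listed above."""

# Indicators taken from the post; everything is compared case-insensitively.
RAT_FILES = {r"c:\windows\gptcr2.exe", r"c:\windows\gptcr.nfo",
             r"c:\windows\gptcrkl\logfile.key"}
RAT_PROCESS = "gptcr2.exe"
RAT_EXE_PATH = r"c:\windows\gptcr2.exe"            # 21 characters long
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"


def find_guptachar_indicators(files, processes, run_values):
    """Return human-readable findings; an empty list means nothing matched.

    files:      iterable of full paths present on disk
    processes:  iterable of running image names (as shown in Task Manager)
    run_values: dict mapping r'<key>\<valuename>' -> command string
    """
    findings = []
    present = {f.lower() for f in files}
    for path in sorted(RAT_FILES & present):
        findings.append(f"file present: {path}")
    if any(p.lower() == RAT_PROCESS for p in processes):
        findings.append(f"process running: {RAT_PROCESS}")
    for name, cmd in run_values.items():
        key, _, value = name.lower().rpartition("\\")
        # The post says to search the registry for "GPTCR": check name and data.
        if key == RUN_KEY and ("gptcr" in value or "gptcr" in cmd.lower()):
            target = cmd.lower()
            if target == RAT_EXE_PATH:
                state = "active persistence"
            elif RAT_EXE_PATH.startswith(target):
                state = f"broken persistence (path truncated to {len(target)} chars)"
            else:
                state = "unexpected path"
            findings.append(f"Run value {value} -> {cmd} [{state}]")
    return findings


# Constructed sample inventory (not taken from a real host).
SAMPLE_FILES = [r"C:\WINDOWS\GPTCR2.exe", r"C:\WINDOWS\GPTCR.nfo",
                r"C:\WINDOWS\GPTCRKL\LOGFILE.key", r"C:\WINDOWS\notepad.exe"]
SAMPLE_PROCESSES = ["explorer.exe", "GPTCR2.exe"]
SAMPLE_RUN = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GPTCR2": r"c:\windows\gpt",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for line in find_guptachar_indicators(SAMPLE_FILES, SAMPLE_PROCESSES, SAMPLE_RUN):
        print(line)
```

On a live Windows host the three inputs would come from a directory listing, the process list and the HKCU Run key respectively; the checks themselves do not change.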

That's all the setup required. Now point your web browser to the IP/port combo of this machine and commence your admin duties.


Resources/Good reading:
http://packetstormsecurity.org/trojans/gupt2.zip
http://www.megasecurity.org/trojans/g/guptachar/Guptachar2.0.html
