<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
So when writing remote access tools like INNUENDO, you have to
throw out all the parts of your brain that try to do normal RPC
("remote procedure call"). <br>
<br>
For example, I just wrote a module (yes, I can still write code,
sorta), which sits on the client taking screengrabs every ten
seconds. If the screengrab is 10% different from the last one, it
stores it into a list (which has a maximum size of 100 images to
avoid filling all of RAM - images are compressed but still largish).
Then when the command comes in to pull the list down, it serializes
it, encrypts it to the server using RSA (to annoy incident response
people doing memory forensics) and stores it in the data store
(which can be disk, registry, memory, etc.). Then it gets trickled up
to the server using INNUENDO's weird data transfer protocol and
displayed to the user on request.<br>
<br>
The end result is that you can see a sample of everything the user
did during the day, which is pretty awesome if that user is editing
interesting documents. <br>
<br>
The downside is that while your brain is thinking "STREAMING
IMAGES", this has to become "Start, Stop, Query, Collect". And this
is true for almost all operations that are ongoing. <br>
<br>
In other words, people think of doing things with trojans like
moving their arms. I make the request, it moves. But modern trojans
are more like dealing with children. You make the request, you make
the request again, it maybe moves, it moves, it maybe tells you it
moves, it maybe tells you it already moved, so stop yelling at it!<br>
<br>
But deep down, if your trojan still supports port forwarding then you
are failing.<br>
<br>
-dave<br>
(Reminder: we have a talk coming up at <a
href="http://www.infiltratecon.com/">INFILTRATE</a> about this.
Tickets on sale now!)<br>
</body>
</html>