Trojan Reverse Connection
I've been researching writing a trojan in C, and I want to verify that the information I have gathered is correct, and I haven't misunderstood anything. I understand the basic premise of a trojan and how they work, but the reverse connection part is what I want to clarify.
I have read that a trojan using a reverse connection is able to bypass firewall restrictions because it acts (from the firewall's perspective) in the same manner that a web browser would by opening a connection to a remote address and then waiting for a response. Does this imply that the executable won't be flagged by AV as a threat? Or do I have an incorrect understanding of the concept? Or maybe the user will have to authorize the program access to the internet?
I also have looked into implementing the reverse connection through an IRC bot. Could I implement this by "packaging" the trojan with an IRC bot? By packaging I mean having the program connect to some IRC channel from the infected computer, and then use the IRC bot (via private messages), which is also a trojan, to execute commands on the infected computer. Sorry if that doesn't make any sense, or it needs further clarification.
dopeboimag1k wrote: I've been researching writing a trojan in C, and I want to verify that the information I have gathered is correct, and I haven't misunderstood anything. I understand the basic premise of a trojan and how they work, but the reverse connection part is what I want to clarify.
I have read that a trojan using a reverse connection is able to bypass firewall restrictions because it acts (from the firewall's perspective) in the same manner that a web browser would by opening a connection to a remote address and then waiting for a response. Does this imply that the executable won't be flagged by AV as a threat? Or do I have an incorrect understanding of the concept? Or maybe the user will have to authorize the program access to the internet?
I also have looked into implementing the reverse connection through an IRC bot. Could I implement this by "packaging" the trojan with an IRC bot? By packaging I mean having the program connect to some IRC channel from the infected computer, and then use the IRC bot (via private messages), which is also a trojan, to execute commands on the infected computer. Sorry if that doesn't make any sense, or it needs further clarification.
if you code it yourself, provided its coded well it won't be picked up by AV scans.
a reverse connection is handy if you dont know the targets address, and saves you connecting to it each time they reboot.
if you get it to just visit a webpage and check for new commands is one way to do it, but it will still be flagged by firewalls as any attempt to reach the outside world is caught. however i bet this would be flagged as lower risk that a trojan that was going to be connecting to IRC….. i could be wrong though, it's been a while since i've played around with trojans.
dopeboimag1k wrote: I have read that a trojan using a reverse connection is able to bypass firewall restrictions because it acts (from the firewall's perspective) in the same manner that a web browser would by opening a connection to a remote address and then waiting for a response.
As far as I know, the default Windows firewall settings block incoming connections but allow outgoing connections, so yes, a reverse connection would help you to bypass the firewall. A reverse connection would also be needed if the victim is behind a NAT (like most home routers).
http://en.wikipedia.org/wiki/Reverse_connection
dopeboimag1k wrote: Does this imply that the executable won't be flagged by AV as a threat? No.
As far as I know, the default Windows firewall settings block incoming connections but allow outgoing connections, so yes, a reverse connection would help you to bypass the firewall. A reverse connection would also be needed if the victim is behind a NAT (like most home routers).
http://en.wikipedia.org/wiki/Reverse_connection
[quote]dopeboimag1k wrote: Does this imply that the executable won't be flagged by AV as a threat? No.[/quote]
I guess my next area of research will need to be in the area of bypassing AV. I have successfully been able to use an IRC bot to act as a middle man between my computer and my test machine, and it bypasses Windows firewall with no problems.