Bandook
From Wikipedia, the free encyclopedia
| Common name | Bandook Rat |
|---|---|
| Technical name | Bandook Remote Administration Tool |
| Aliases | Backdoor.Win32.Bandok.bd , Troj/Bandok-J , Backdoor.Bandook , BDS/Bandok.R.2 |
| Family | Bandook Rat |
| Classification | Trojan |
| Type | Windows NT, Windows 2000, Windows XP, Windows Server 2003 Windows Vista |
| Subtype | Backdoor |
| Isolation | 2005 - present (new variants being released) |
| Point of Isolation | Unknown |
| Point of Origin | Lebanon |
| Author(s) | Princeali |
Bandook Rat (short for Bandook Remote Administration Tool) is a backdoor trojan horse that infects Windows NT family systems (Windows 2000, XP, 2003, Vista). It uses a server creator, a client and a server to take control over the remote computer. It uses process hijacking / Kernel Patching to bypass the firewall, and allow the server component to hijack processes and gain rights for accessing the internet.
in another Term :
Bandook RAT is a secure remote control software or a Trojan that enables you to work on a remote computer as if you were sitting in front of it. This program is the ideal remote access solution. You can access the remote computer from multiple places and view its Screen , Camera , Listen on its Microphone , retrieve Passwords from it and more .
The server component (28,200 bytes) is dropped under Windows, System32 or Program Files , Applications folders, the default name is ali.exe. Once the server component is run, it tries to connect to its client, that listen for incoming connections on a configurable port, to allow the attacker to execute arbitrary code from his computer.
The server editor component has the following capabilities:
- Create the server component
- Change the server component's port number and/or IP address / DNS, Persistence , Rootkit , SDT Restore and more
- Change the server component's executable name, installation folder, target process hijacking
- Change the name of the Windows registry startup entry or activex key
- Enable Offline Keylogger , Offline Instant Messengers Spy
Features list of the Program
- Firewall bypass method: FWB#++ (Code Injection , API Unhook , Kernel Patch)
- reverse connection, all traffic through one port
- Safe Thread Based Client
- Persistence (Irremovable)
- Rootkit
- Plugins Based Server (30 KB Packed)
- Very Friendly Graphical User Interface
- Different Installation Pathes
- PNG / JPEG Compressions for screencapture and webcam
Managing Features
- Filemanager with all types of functions, including Folder Mirror , Rar Folder/Files , File Search , Infect Files , Multiple Files Download / Upload , Download / Upload manager
- Registry Editor with all type of Functions
- Process manager (Shows Full path , and Modules Manager)
- Windows Manager (including a Send Key Function)
- Services Manager
Connection Features
- Socks 4 proxy
- HTTP / HTTPS proxy
- Port Redirection
- TCP TUNNEL
- HTTP WEB Server
- FTP Server
- Remote Shell
- Flooding ( Mailbomb , DDOS attacks)
Spying Features
- Screen manager with Screen Clicks
- Cam manager that Supports system with Multiple Cams
- Mic Manager (Record voice from Mic)
- Ims Spy (MSN,YAHOO,AIM)
- Keylogger ( live One )
- Offline keylogger (Colored HTML) , Live Passwords , IMS Spy with Automatic Delivery to FTP
- Cached PWS Fetcher [6 embended PWS Plugins]
- VNC (Remote Desktop Live Control)
- Site Detection : Check all ur vics and know which one visits a specific site
- Clipboard manager
- Information about the remote machine
- Cache Reader
- Screen Recorder ( Record the user activities on the Screen into AVI Movies)
Others
- Shutdown Menu
- Nuclear Fun Agent (Fun)
- Download from WEB / Mass Download / Seclection Download
- Visit Site
Older versions of this malware had ability to change their look through using skinnable windows.
[edit] External links
- Bandook RAT All Versions, by MegaSecurity security database
- Nuclear Winter Crew, Bandook RAT creator's page
