Last update: 29/05/2007


Demonstration videos of x90re's backdoors
This page contains videos that present the simulation of a targeted attack on a virtual company called "Victim", based on the "x90re's backdoors" tools:
  • The first video presents the various tools used and summarizes the principle of the attack.
  • The other videos show the attack itself.

Videos access
The XviD codec is required to play the videos.
Presentation of the principle of the attack on "Victim"
Presentation of the principle of the attack - 6.70 Mb - 9:52
This video presents the context and the tools used during the attack, so I strongly advise you to start by watching it (available only in English).
Simulation of the attack on "Victim"
The following videos show the whole attack. Each one represents a particular step, and they are listed chronologically.
Part I: Creation of the forwarder
Generation of the backdoor - 15.35 Mb - 3:56
  • Creation of Fratus and Injecter shellcodes
  • Concatenation of shellcodes
  • Infection of an application
Execution of the backdoor on a private computer - 8.17 Mb - 1:45
  • User starts infected application
  • Backdoor runs and connects to BlackMoon
Transformation of the backdoor into forwarder - 8.30 Mb - 2:34
  • Upload of modules/resources required to transform the backdoor into forwarder
  • Modules activation
Part II: Attack on "Victim"
Generation of the backdoor - 15.57 Mb - 4:23
  • Creation of Parsifal and Injecter2 shellcodes
  • Concatenation of the shellcodes
  • Concealment of the concatenated shellcodes in a JPEG
  • Execution and configuration of Metasploit
Execution of the backdoor on an internal computer - 5.80 Mb - 1:31
  • User connects to the fake web site
  • Introduction of the backdoor through the image
  • Redirection of the browser to Metasploit
  • Sending of the exploit by Metasploit
  • Execution of the backdoor
Communication with BlackMoon established - 11.85 Mb - 2:11
  • User runs IE for web access
  • Backdoor gets connection parameters
  • Backdoor connects to BlackMoon
Browsing of the computer with a remote "cmd" - 5.52 Mb - 2:06
  • Upload of "cmd" module into memory
  • Initialization of the module
  • Module opens access to a remote "cmd"
  • Browsing of the computer files
Stealing of confidential documents - 9.75 Mb - 2:56
  • Upload into memory and activation of the "cps" module, which allows compression of transferred files
  • Upload into memory of the "fif" module and start of a recursive search for confidential documents
Encoding of strategic documents - 10.14 Mb - 1:57
  • Upload and activation of the "cryptfile" module
  • Encoding of strategic documents and wiping of the original files by this module
Stealing of web credentials - 4.22 Mb - 1:34
  • Interception of web credentials during an HTTPS connection using an intrinsic Parsifal functionality
Stealing of POP/IMAP credentials - 2.73 Mb - 0:54
  • Interception of POP/IMAP credentials using an intrinsic Parsifal functionality
Stealing of Administrator credentials - 2.93 Mb - 0:56
  • Interception of administrator credentials during a "Run as" execution using an intrinsic Parsifal functionality
Spying on e-mails - 2.83 Mb - 0:50
  • Spying on e-mails by using an intrinsic Parsifal functionality that adds an e-mail address in Bcc
Installation of a backdoor that persists across reboots - 5.67 Mb - 1:44
  • Generation of a new version of Parsifal by WiShMaster
  • Backdoor installation (upload + adding of an entry under the "Run" key) through the "install" command
User-land rootkit functionality - 3.13 Mb - 1:02
  • Intrinsic Parsifal functionality allowing directories and registry entries to be hidden
Bugs / remarks
If you have any comments or suggestions, please send them to Benjamin CAILLAT