Harvesting a Bot Army (Part 3)


We left off in part two with John having checked the compromised test computer's time. This told him how the exploited computer's clock compared with his own, and with that of potential future customers who bought one of his shells. The time was crucial because he needed to know when to modify the AT command so that it sent the reverse shell to his hopefully plentiful customers at a time of their choice. His next step was to hide both the nc.exe and nc.bat files that were on the practice victim computer elsewhere. It was unlikely that the average home computer user would ever venture into a DOS prompt or browser to explore their computer's contents. To cover the unlikely event that someone did, he decided to hide both files in c:\winnt. He knew that very few people ever bothered looking there, which was why it was a favorite hiding place for malware.

Shells for Sale! (Part 3)

Linked by shanmuga Thursday, 10th November 2005 12:44PM