Security Basics mailing list archives
RE: Traces
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 17 Dec 2003 16:15:49 -0800
I haven't kept up with that end of my profession. But in the early/mid 90's I made two small programs that would run in the background of Win95 boxes.

Ghost Program

1.) Upon starting up it would constantly try and ping a remote host to detect if it was connected to the Internet.
2.) Upon connecting to the Internet it would FTP into a server (I think I used a free host of some kind, Xoom or Geocities) with its node name and IP address.
3.) It would open up a TCP socket and sit in a wait cycle for traffic.
4.) Upon receiving traffic it would look for a control package. A control package contained a password, mother and sister information. A mother is the control system and a sister is another ghost program.
5.) Upon receiving this information it would create a table with the sister order information (which is next in line for transmit, etc).
6.) If a data package was received from the mother node it would transfer it to the next sister node. If a data package was received from a sister node it was passed to the next sister node down, or the mother node if it was the last one.

Mother Program

1.) Upon starting up it would download all the files in an FTP directory and read the IP addresses in them into memory.
2.) It would then sort the nodes randomly.
3.) When you gave it a password it would send out a control package to all daughter nodes.
4.) When activated it would hook to the load system and transfer ALL outbound traffic through the lowest daughter node. It would keep a table of traffic it sent out, where it originated from, protocol and port; think of a proxy. The packet would be packaged and sent to the daughter node as the payload for the packet (i.e. like a VPN, just not encrypted).
5.) When the last (highest) daughter node received the packet it would send it out on the Internet by its connection. When it received a response it would package it up and send it back down the line.
I did a lot of work on people's PCs in those days and had physical access to the system to load the program, so I didn't develop a deployment scheme. But in those days it could be delivered like a virus, seeing as most people were not even remotely computer-savvy. Transit times (latency) were horrible and sometimes the traffic would die in transit. Also some people would log off and you would have to re-organize your daughter node information.

There was a little more to the programs but that was their basic functional operation. They were written in C++ with some help, well a lot, from a friend of mine. I've long since lost the code, design papers and theory of operation. There is not much to it, but it is a fair amount of work. As far as I know these types of programs are a closely guarded secret and operate just like what the spammers are using nowadays to send spam and hide their website. You could look in the newsgroups and Usenet; maybe some website might have some 'older' information.

Note: I CC'ed this to the list due to relevancy.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338

-----Original Message-----
From: Devilscrow Sr [mailto:devilscrow () gawab com]
Sent: Wednesday, December 17, 2003 2:13 PM
To: Shawn Jackson
Subject: Re: Traces

Hi Shawn,

Can you send me some good pointers on setting up ghost-notes or non-me-speak slave systems.... how to set them up, how to use them. Are there any tools that can automate this etc.??

Thanks in advance.
-dev

Shawn Jackson wrote:
> tunneling their traffic through ghost-nodes, or in non-me-speak slave