Theef: BackDoor Trojan

"Theef: BackDoor Trojan" is the title of a web document I happened upon while investigating traffic on a network I manage.

Some computers were sending traffic across network boundaries to TCP port 2800. This struck me as curious, and so I did some investigation. The possibilities were that

  1. The traffic was innocent, harmless and useless.
  2. The traffic was innocent, and useful.
  3. Some malware was doing something bad.

In the first case, I might cease logging that traffic in some circumstances.

In the second, I might change firewall rules to allow the traffic. In my circumstances, that's my call.

The third case is the most concerning, so I went to Google to see what the port is used for. Google knew of two uses, one harmless but, to us, useless: TCP 2800 is registered with IANA as acc-raid, a RAID-management port. We don't do RAID over the network.
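The check I was doing by hand, flagging internal hosts that open TCP connections to port 2800 on addresses outside our own ranges, is easy to automate over firewall logs. The script below is an added example, not from the original page or from any tool described on it. It assumes a constructed space-separated key=value log format (the sample lines are made up, not captured traffic) and assumes the RFC 1918 ranges are what counts as "inside"; adapt the regex and INTERNAL_NETS to your own firewall export. The same `is_internal` test is what tells you whether an address a trojan phones home with is a private one that is of no use to an attacker on the outside.

```python
"""Flag outbound TCP/2800 connections that cross the network boundary.

Added example, not code from the original post. The log format is a
constructed one (space-separated key=value fields, as many firewalls emit).
"""
import ipaddress
import re
from collections import Counter

# Address ranges treated as "inside" this network (assumption: RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

SUSPECT_PORT = 2800  # the port that prompted the investigation

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = """\
2009-03-02T10:14:01 action=allow proto=tcp src=192.168.1.23 spt=49172 dst=203.0.113.77 dpt=2800
2009-03-02T10:14:05 action=allow proto=tcp src=192.168.1.23 spt=49180 dst=192.168.1.9 dpt=2800
2009-03-02T10:14:09 action=allow proto=tcp src=192.168.1.40 spt=51002 dst=198.51.100.5 dpt=443
2009-03-02T10:15:11 action=allow proto=udp src=192.168.1.23 spt=2800 dst=203.0.113.77 dpt=2800
2009-03-02T10:16:30 action=deny proto=tcp src=10.2.3.4 spt=40001 dst=203.0.113.77 dpt=2800
2009-03-02T10:17:02 action=allow proto=tcp src=10.2.3.4 spt=40002 dst=203.0.113.78 dpt=2800
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)"
)


def is_internal(addr):
    """True if the address falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def crossing_flows(log_text, port=SUSPECT_PORT):
    """Return (ts, src, dst, action) for TCP flows to `port` that leave the network.

    A flow crosses the boundary when the source is internal and the destination
    is not. Internal-to-internal hits and non-TCP traffic are ignored, and both
    allowed and denied connections are reported: a denied attempt still tells
    you which machine is trying to talk.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        f = m.groupdict()
        if f["proto"] != "tcp" or int(f["dpt"]) != port:
            continue
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            hits.append((f["ts"], f["src"], f["dst"], f["action"]))
    return hits


def talkers(hits):
    """Count boundary-crossing flows per internal source, busiest first."""
    return Counter(src for _, src, _, _ in hits).most_common()


if __name__ == "__main__":
    flows = crossing_flows(SAMPLE_LOG)
    for ts, src, dst, action in flows:
        print(f"{ts} {src} -> {dst}:{SUSPECT_PORT}/tcp ({action})")
    print("sources to examine:", talkers(flows))
```

Run against the sample, it reports three boundary-crossing flows (the internal-to-internal hit, the HTTPS connection and the UDP packet are all skipped) and ranks 10.2.3.4 ahead of 192.168.1.23 as the machine to look at first.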

The other is Theef. I strongly urge you not to do the things recommended on that site, because if you do them to other people's computers you stand to do a considerable amount of time when caught.

Here are some quotes. Google may be able to find the source, should you be interested, but on the other hand the site might have been closed down.

"Theef is definitely among the best hacking tools I have ever used. It is easy to use and intuitive, but best of all it gives you a great deal of options. This is why you will be learning to use it today."

"Theef is a Windows based application for both the client and server end."

This cheered me up: the computers concerned don't run Windows.

"The Theef server is a virus that you install on your victims computer."

Actually, it's a trojan.

"The biggest problem with using Theef is that most Anti-Virus programs will pick it up."

I guess that's good news for some of us.

"Now you need to convince your victim to turn off their Anti-Virus if they have any."

Unfortunately, this request is all too common, even with legitimate software.

"Convincing someone to turn off their Anti-Virus is not often a difficult task, most of the time you can just tell them something along the lines of, Your Anti-Virus says Awesome Game is a virus, but it isn't so don't worry about it. People are gullible, they want to believe you will cause them no harm, they want to trust you. Use this to your advantage."

Ain't that the truth! And, of course, one has to be administrator to use it.

"To make it look plausible that Awesome Game is indeed a game and not a virus we need to setup a false error message."

The idea here is that the easiest way to disguise the fact that the program isn't what the ungodly claim it is, is for the installer to pretend the installation failed. The victim just thinks it was a waste of time.

"You will need to get your victims IP address at this point so that you can connect to their computer. This is an easy task to do, and there are numerous ways to accomplish it."

One interesting technique I've seen is to use the ifconfig command (this on Linux) to get the IP address of eth0 and email it to someone@hotmail. The IP address happened to be a private one, and so of no use at all. If some kind of firewall is in place, a technique that does get the public IP address still won't help much: the firewall has not been configured to direct inbound traffic to the victim's PC, so the connection will probably fail at this point.

There are other ways, though. And a Windows PC with a public IP address would be vulnerable.

Let's keep going:

"One of the most useful features of Theef is the key-logger... After you click the Start button on this window you will begin to see everything that they type on their computer. This is very useful as it shows you every password they enter. It is a one stop shop to getting their passwords to everything and things such as their bank account numbers, etc."

Now, who's to say this Trojan isn't a double Trojan? It could capture your details while you're trying to perpetrate evil on others, and not only that, the details you collect could also be forwarded to someone else. Maybe they will clean out the bank accounts before you get to them!

Who yuh gunna call... TrojanBusters!