Master Paradise
SYNOPSIS:
A German programmer named Dan Lehman has released a Windows95/98 Trojan horse program
named "Master's Paradise." Master's Paradise consists of a client
program called Master's Paradise which is run on a remote computer to gain access to any
computer connected to a TCP/IP network or the internet. An executable server program is
required to be installed on the victim's computer to permit the remote site access to the
victim's computer in a manner similar to Cult of the Dead Cow's "Back Orifice"
program. As is the case with "Back Orifice," this program exploits
security vulnerabilities in the Windows95 and Windows98 platforms and does not function on
Windows NT systems at the time of this advisory.
Reported delivery modes include transfer through IRC
and AOL chat rooms, email file attachments, exploits of security holes in browsers and
email programs and physical installation on machines. The server program for
the Master's Paradise Trojan horse is presently delivered embedded within a legitimate
program. It was first encountered within a file called GAME.EXE which contained the
popularly-used parody game called "Pie Bill Gates." In this
configuration, the server was delivered and installed as
SYSEDIT.EXE along with a Dynamic Link Library file called KeyHook.DLL which is also
modified from the original form as it exists in several shareware programs. In
the GAME.EXE distribution received, it was provided as a self-installing executable
embedded in an unlicensed copy of the TurboSFX file extractor.
Other victims of this Trojan horse program have received it in files called "PICS.EXE" which purported to contain picture files. In this case, the program appeared not to execute at all but did install the server for these victims.
Experimentation with the client program also proved troublesome and resulted in numerous
errors. However, the server itself was found to be minimally compatible with a number
of other Trojan horse clients and did work properly.
Privacy Software Corporation's "BOClean version 2.01" software, designed to
detect and defeat the "Back Orifice" Trojan horse program, is fully effective in
removing the Master's Paradise server regardless of the filename or manner of delivery
and, as is the case with "Back Orifice," can also disable this program instantly
upon detection. BOClean version 2.01 will also remove the files and registry
hooks without
the need to disconnect from the internet or reboot the victim's machine. This
precludes the risks of registry editing and possible loss of data and permits the victim
to remove the program and continue their use of a TCP/IP connection without loss of work
or time.
The server program can also be removed manually if it is delivered in its native state
with the default filename of "SYSEDIT.EXE." In Windows95 and Windows98 machines,
this server replaces the SYSEDIT utility, which would normally give the user access to a
Microsoft supplied utility that permits editing of the system configurations, and deletes
the original SYSEDIT.EXE file. Since the server program can be given any name,
the registry will have to be examined to determine the name of the server program. A
KeyHook.DLL file is also placed in the \WINDOWS or \WINDOWS\SYSTEM directory which
replaces any copies of this file which may have been installed with other shareware
legitimately. Both standard copies of these files will need to be replaced
once removed. The proper SYSEDIT.EXE file can be recovered from the Windows setup disk(s)
and the KeyHook.DLL file can be replaced from the original copy of the shareware which
contained the proper DLL. There is no means of restoring the original files
even with the use of BOClean version 2.01.
A knowledge of legitimate registry entries in the particular machine is required in order
to determine the key which contains the pointer to the Master's Paradise server
program. Once the added file is determined, the registry entry can be
removed and the machine rebooted to permit deletion of the server file.
While the server is a completely different design from "Back Orifice," its
behaviors are similar as is the means of exploitation of the victim's machine.
The server is similar to but not the same as the server used in the
"Netbus" exploit.
CAPABILITIES:
The Master's Paradise server permits anyone using the Master's Paradise client to remotely
control the victim's machine. The capabilities of the Master's Paradise program are not as
significant as "Back Orifice" but Privacy Software Corporation has already
received reports of this and similar Trojan horse programs from BOClean customers in
actual operation on their machines. The Master's Paradise server has many of
the same capabilities of the "Netbus" program but is not quite as sophisticated.
Open/close the CD-ROM once or in intervals (specified in seconds).
Show optional image. If no full path of the image is given it will look for it in the
installed directory. The supported image formats are BMP and JPG.
Swap mouse buttons: the right mouse button gets the left mouse button's functions and vice
versa.
Start optional application.
Play optional sound file. If no full path of the sound file is given it will look for it
in the installed directory. The supported sound format is WAV.
Point the mouse to optional coordinates. You can even navigate the mouse on the target
computer with your own!
Send a message dialog to the victim's computer screen.
Shutdown the system, logoff the user etc.
Go to an optional URL within the default web-browser.
Send keystrokes to the active application on the target computer! The text in the field
Message/text will be inserted in the application that has focus. (| represents enter).
Listen for keystrokes and send them back to you!
Get a screen dump! (should not be used over slow connections)
Return information about the target computer.
Upload any file from you to the target computer.
Increase and decrease the sound-volume.
Record sounds from the computer's microphone.
Make click sounds every time a key is pressed.
Download and deletion of any file from the target.
Keys (letters) on the keyboard can be disabled.
Password-protection management.
Show, kill and focus windows on the system.
The ability to turn on a microphone is particularly threatening as this could permit the
perpetrator the ability to listen to room audio and in effect "bug" the victim's
room without detection. The ability to monitor keystrokes is also of concern
as is the ability to read and write files or possibly destroy the operating system.
MANUAL REMOVAL OF MASTER'S PARADISE SERVER:
The Master's Paradise server will install its program in the registry under the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key.
The registry entry will point to the name of the file
as the subkey name and will have as its value a pointer to the location where the server
is installed. Unlike the similar "Master's Paradise" trojan horse program, there
are no telltale command switches in the pointer registry entry.
It is necessary to remove the registry subkey first. It will not be possible to remove the
program file while the server is running, and you may also be prevented from shutting down
the computer. A reboot will be required in order to restart the machine without the
Master's Paradise server being reloaded, at which time the file pointed to in the registry
can be removed without further risk.
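The registry inspection described above can be done against a REGEDIT4 export (REGEDIT /E on Windows95/98) rather than by hand in the registry editor. The following is an added example, not part of the original advisory or of BOClean: it parses a constructed export, lists the Run key entries that are not on the operator's own allowlist of known-legitimate entries, and marks any entry whose name or data refers to the default SYSEDIT.EXE or KeyHook.DLL filenames. The allowlist and sample export are constructed for illustration.

```python
import re

# Constructed sample of a REGEDIT4 export; entries and paths are illustrative.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"SYSEDIT.EXE"="C:\\WINDOWS\\SYSEDIT.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Entries the operator has already verified as legitimate on this machine
# (the advisory notes such knowledge is required); a constructed allowlist.
KNOWN_GOOD = {"ScanRegistry", "SystemTray"}

# Filenames the advisory gives as the server's default delivery form.
SUSPECT_NAMES = ("SYSEDIT.EXE", "KEYHOOK.DLL")

def parse_reg_export(text):
    """Return {key_path: {value_name: value_data}} from a REGEDIT4 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                name, data = m.group(1), m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    # Undo the .reg escaping of backslashes and quotes.
                    data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
                keys[current][name] = data
    return keys

def triage_run_key(text, known_good=KNOWN_GOOD):
    """List Run entries not on the allowlist; flag those naming the default files."""
    findings = []
    for name, data in parse_reg_export(text).get(RUN_KEY, {}).items():
        if name in known_good:
            continue
        hit = any(s in (name + " " + data).upper() for s in SUSPECT_NAMES)
        findings.append({"name": name, "data": data, "default_filename": hit})
    return findings

if __name__ == "__main__":
    for finding in triage_run_key(SAMPLE_REG_EXPORT):
        print(finding)
```

A server renamed to something other than SYSEDIT.EXE still shows up as an entry missing from the allowlist; the filename flag only confirms the default case.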
As a result, care should be taken to back up your registry first as well as your programs
and files in the event that removal of the registry entry results in damage to your
system. Use of Privacy Software Corporation's "BOClean version 2.01" program
will safeguard against this possibility by removing the program and its registry entries
automatically without risk of damage.