The methods used within this project should not be utilized for illegal or unethical activities. Please use responsibly!
The Flanders trojan was developed for my computer engineering final thesis, driven by a curiosity for cybersecurity and a desire to delve deeper into operating system knowledge. It is developed specifically for Windows using C++, showcasing a blend of technical challenge and academic exploration.
Flanders, a character from The Simpsons, is known for his peaceful and innocent nature. However, this character harbors something dark within him. This behavior perfectly defines how the developed trojan operates, hence the name.
The Flanders trojan is primarily composed of three components, each playing a pivotal role in its operation:
The Loader is the initial component, responsible for setting the stage for the trojan's activities. Its functionalities include:
- VM Detection: Identifying virtual machines through hypervisor signature.
- Debugging Detection: Utilizing
NtQueryInformationProcess
to detect debugging environments. - Privilege Escalation: Bypassing User Account Control (UAC) to gain higher privileges.
- Persistence: Achieving persistence through Windows Registry modifications or Scheduled Tasks.
- DLL Injection: Injecting the payload, a DLL file, into
explorer.exe
.
Following the Loader, the Payload component is responsible for executing a series of malicious actions:
- File Encryption: Utilizing AES encryption to lock files.
- Keylogging: Recording keystrokes to capture sensitive information.
- Screen Capturing: Taking screenshots to monitor user activity.
- Command Execution: Running malicious commands or scripts.
- DDoS Attack: Launching HTTP flood attacks to disrupt targeted services.
This payload communicates with a server to send victim information, further facilitating malicious operations.
The Server acts as the command and control (C2) center for the Flanders trojan:
- Receiving Requests: Handling incoming communications from victim machines.
- Management: Orchestrating the network of infected devices, effectively creating a botnet for coordinated attacks or information theft.