Overview |
Vendor Notes: |
from the doc: 'Aladino Server 0.6 & Aladino Client 0.41 (c) 2001 Topo[LB] & Ethdra http://int80h.dhs.org Aladino is a client/server application that allows remote machine controlling and runs on any Windows version (w95,w98,wMe,NT y 2000). The Aladino server is a 38KB executable file which after executing, copies itself to the Windows' system directory and adds a registry entry to guarantee its execution for the next time the computer is switched on (logged on in NT or 2000). It opens de 5005 TCP port for listening to client connections. The client-server communication is cyphered with the XTEA algorithm and a random 64 bits password that changes on each connection. At the beginning of each connection, the client validates the identification with which both client and server will authenticate each other, and establishes the password that will be used to cypher the connection. The server provides 4 functionalities implemented as separated processes: * BOUNCER: multiuser bouncer service that listens to in a certain port and redirects the connection to the specified destination host and port. This is done transparently so that there is no validation of the identification or connection cypher. * TELNET SERVER: multiuser shell service that listens to in a certain port and opens a shell redirected to that port. * MINI FTP: file transfer multiuser service that allows sending and receiving binary files from or to the machine. * KEYLOGGER: process that logs keystrokes in the remote machine to the specified file. Also, there are other 14 additional functions witch are listed below: * Message sending as a popup window * Machine rebooting * Logon session closing * General system info requesting * Remote screen capturing * BMP viewing * Process listing * Process killing * Extern program executing * Keystroke pushing * Visible window list * Registry entry deleting * Registry entry restoring * Aladino server death If the server is run with "actualize" parameter will be a delay of 20 secs after wich aladino will force its copy to the system directory (overwritting an old version) and start offering the services normally. This function has been included for making easier the remote server update, the only thing that is had to be done is to upload by FTP the new version of the aladino server, run it with the "actualize" parameter and send the order of death to the actual server. After 30 secs, the new server will overwrite the old one and the update will be complete. The client is like a text-mode shell. It has different parameters for each service of the server it wants to connect to: usage: aclient [/ntsh | /ftp ] Examples: aclient 10.0.0.1 This will connect the user to the control console of the aladino server at host 10.0.0.1 aclient 10.0.0.1 /ntsh 6000 This will connect the user to the telnet service that listens for incoming connections at port 6000 of the host 10.0.0.1 aclient 10.0.0.1 /ftp 7000 This will connect the user to the miniFTP service that listens for incoming connections at port 7000 of the host 10.0.0.1 The HELP command provides a listing of all available command's syntax. If you need a detailed info about a command you can use HELP . It's necessary to keep in mind that \ must be duplicated while especifing paths and that \ followed by a space avoids using that space as parameter separator. Examples: SCREEN_CAPTURE c:\\temp\\myscreen.bmp MESSAGE this\ is\ the\ title This\ is\ the\ text For a detailed info about the 35 client commands, examples of use, faq and that kind of things, we suggest the "Aladino manual for dummies". Both client and server are at beta stage. |
Alias: |
Backdoor.Aladino.a, Backdoor.Aladino.a [Kaspersky], Backdoor/Aladino [Computer Associates], Backdoor/Aladino.0_6.Server [Computer Associates], BackDoor-NL [McAfee], Bck/Aladino [Panda], security risk or a "backdoor" program [F-Prot], Win32/Aladino trojan [Eset] |
Category: |
RAT: A Remote Administration Tool, or RAT, is a Trojan that when run, provides an attacker with the capability of remotely controlling a machine via a ""client"" in the attacker's machine, and a ""server"" in the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed in a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker -- who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard-drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment.
Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker. Key Logger: (Keystroke Logger). A program that runs in the background, recording all the keystrokes. Once keystrokes are logged, they are hidden in the machine for later retrieval, or shipped raw to the attacker. The attacker then peruses them carefully in the hopes of either finding passwords, or possibly other useful information that could be used to compromise the system or be used in a social engineering attack. For example, a key logger will reveal the contents of all e-mail composed by the user. Keylog programs are commonly included in rootkits and RATs (remote administration trojans). Trojan: Any program with a hidden intent. Trojans are one of the leading causes of breaking into machines. If you pull down a program from a chat room, new group, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: To trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account that the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs. |
Similar Pests: |
RAT · Backdoor · Key Logger · Trojan |
Origins |
Author: |
Ethdra, |
Group: |
LB |
Date of Origin: |
March, 2001 |
Operation |
Default Port: |
5005 TCP More info about ports. |
Storage Required: |
Aladino: at least 89 KB |
Restart: |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Autostarting Pests |
Risks |
Detection Issues: |
Difficult to detect by design. May hide from process list. May install with variable names in variable locations. |
Detection and Removal |
Automatic Removal: |
 PestPatrol detects this.
PestPatrol removes this.
|
Manual Removal: |
Follow these steps to remove Aladino from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake. |
|
Stop Running Processes:
Kill these running processes with Task Manager:
|
|
Remove Files:
Remove these files (if present) with Windows Explorer:
|
Research |
File Analyses: |
|
More Info: |
AllTheWeb, AltaVista, AOL Search, Ask Jeeves, Google, HotBot, Lycos, LookSmart, MSN, Yahoo! |
Research By: |
PestPatrol's Pest Research Center |
Last Revised: |
October 29, 2004 |