Overview
Vendor Notes:
1.1: From the doc:

'1) Server can pass the ZoneAlarm and Norton firewalls
2) If the server won't be able to pass these firewalls, then it will close them
3) Server will make 5 copies of itself into Windows and some other directories
4) Server will replace itself if the main file gets deleted
5) Server will run on Windows startup and will connect to the net automatically if the victim gets connected
6) Server will disable ALT+CTRL+DEL for more security
7) Server won't write any strings to the registry, so the victim won't be able to find it in the registry
8) Server is only 110 KB, and 29 KB in ZIP mode
9) Server is able to send email to the controller and tell the victim's IP and other necessary information
10) Server is hidden in the ALT+CTRL+DEL list, so if the victim enables it by force or with some program, he/she won't be able to find it there
11) Server is fully workable in Win 9x/Me/2000/XP without any bugs and fully error handled
12) Client is fully skinned with an easy to use GUI
13) Edit server is available to edit the controller email and email server, so it can modify the server'

1.2:

'In early January 2003, a released version of the Amitis Trojan provides an intruder with over 400 ready-to-use options. Small in size, the Amitis Trojan is a 110 KB zipped file, while its uncompressed format is 450 KB. It can be configured to run additional Java and VB Script on a compromised computer system. What makes this Trojan unique is that it comes with a Live Update feature. The author, Stacked_expletive, claims that this Trojan automatically updates itself via the main console of the client module. This Trojan also uses a simulated server module as a decoy, although it has very limited functionality. Amitis also provides a Weekly Tips option that an intruder can use to garner a weekly helpful tip on how to use the server and client modules.

Like variants of the popular SubSeven Trojan, the Amitis client provides an intruder with a very user-friendly and highly functional Graphical User Interface (GUI). Another feature of Amitis includes an editor module, which allows an intruder to remotely change the server module file properties. The editor module can also manipulate the server module port it uses to listen for client module connections. This module also allows an intruder to send a series of false error messages. With the RAT being able to change the server module port it uses to listen for client module connections, it adds an additional concern for systems administrators who are trying to secure their systems. It becomes extremely important for SAs to read log files to note any unusual activity on various ports instead of relying on routine port usage normally connected with malicious activity. In addition, the use of false messages could possibly convince the legitimate user of the system to take actions they would not have to take. Responding to a false error message could lead to a decision to reboot the system, attempt unnecessary repairs, or stop using the system altogether. Rebooting the system or making unnecessary repairs may be the actual intention of the Trojan, so that through the process of rebooting or repairing, the Trojan is actually installed on the system. In addition, the purpose of the Trojan may be to stop work that would be accomplished if everyone received and heeded an error message indicating the system should be shut down. On the server module side, the author of Amitis 1.2 claims that the Zone Labs ZoneAlarm application firewall cannot detect the Trojan. In addition, the author claims the server module of Amitis has the capability to shut down Norton AntiVirus without being detected as a Trojan or a virus. The server module also reportedly has the same Live Update feature found in the client module part of the Amitis Trojan application.

The author states that the Live Update to the server side module will be available on a weekly basis. As a survival mechanism, the Amitis server module makes several copies of itself in the Windows directory structure so that if the primary server module is corrupted or deleted, the system will remain compromised. The server module also disables the CTRL ALT DEL key combination. Once deployed, Amitis is configured to have the server automatically send information requested by an intruder when the compromised system is connected to the Internet.'

1.2: From the doc:

'Amitis 1.2 Client Information
1) It has got more than 400 ready to use options
2) As far as some bugs may be found in it, there is a bug report feature made for it, so people can report the bugs to me
3) It has got all the usual options of a trojan and so many more
4) There is a programming section designed for the client and server, so the people that know about JavaScript or VBScript can make and run their scripts on the victim's PC
5) Amitis 1.2 is the only trojan that has got the LIVE UPDATE feature; it means that there is no need to go to sites and search for the updates of the Amitis 1.2 server file - you can simply update it from the main program console
6) There is a WEEKLY TIPS option in it that you can click on and get the weekly tip about Amitis 1.2
7) Full help and tips have been provided for the Amitis 1.2 client side. You can simply move your mouse over the options you don't know about and get help about them.
8) Amitis 1.2 client side has been fully skinned with an easy to use GUI

Amitis 1.2 Server file information
1) Server is undetectable by ZoneAlarm and is able to pass it
2) As Norton AntiVirus can detect programs that are sending mail in silence, the server closes Norton AntiVirus - but that doesn't help it not to get detected as a trojan by Norton AntiVirus
3) As the Norton virus list is updated weekly, there will be a new server file every week on my site
4) Complete information about live server updates has been provided in the client side information text file
5) Server file won't be listed in the Alt+Ctrl+Del list no matter what OS the victim has - 9x/ME/NT/2000/XP - so if the victim gets that list enabled, he/she won't find it there
6) Server is about 450 KB in unzipped mode and 110 KB in zipped mode
7) Server won't save any string into the registry for its startup method
8) Server has been set to be able to send IP# notifications to EMAIL and ICQ and MSN
9) Server will make a copy of itself into the Windows directory, so if the main file gets deleted the victim is still infected
10) Server disables the ALT+CTRL+DEL key combination
11) Server will automatically send the requested notification as soon as the victim gets connected to the internet
12) Edit Server file is provided to modify the server settings
13) Server file will be updated weekly so antiviruses won't be able to detect it as a virus or backdoor. For updating the server file you can open the Amitis 1.2 client side and go to LIVE UPDATE

stacked_shit'
Alias:
Backdoor.Amitis.11, Backdoor.Amitis.12, Backdoor.Amitis.13
Category:
RAT: A Remote Administration Tool, or RAT, is a Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" on the attacker's machine and a "server" on the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed on a victim's machine depends on the capabilities of the Trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker, who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard drive, he/she can place the Trojan in the Startup folder. This will run the Trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the Trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment.
Firewall Killer: Any hacker tool intended to disable a user's personal firewall. Some will also disable resident anti-virus software.
Variants:

Similar Pests:
RAT · Firewall Killer
Origins

Author:
stacked_shit
By This Author:
Amitis 1.1 · Amitis 1.2 · Amitis 1.3 · Amitis 1.4
Programming Language:
1.1, 1.2, 1.3: Visual Basic; Amitis 1.3 Server update: Delphi
Date of Origin:
Variants from September 2002 to December 2003

Distribution

Prevalence:

Clot Factor:
The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.

Operation
Default Port:
1.1, 1.2, 1.3: 27551 TCP
Amitis 1.3 Server update: 3547, 7823, 13173, 17146, 33229, 44280, 44390, 47387, 64429 TCP
Storage Required:

Restart:
1.1, 1.2: c:\windows\win.ini, [windows] "load"
1.3: HKEY_CLASSES_ROOT\.dlI; HKEY_CLASSES_ROOT\dlIfile\shell\open\command "(Default)"
Amitis 1.3 Server update: HKEY_CLASSES_ROOT\.dlI; HKEY_CLASSES_ROOT\dlIfile\shell\open\command "(Default)"; HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Kernel"
ScreenShot:
[Screenshots: Amitis 1.1, Amitis 1.2, Amitis 1.3]
Risks

Detection Issues:
Difficult to detect by design. May hide from process list. May install with variable names in variable locations.

Detection and Removal

Automatic Removal:
Manual Removal:
Follow these steps to remove Amitis from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.
1) Stop Running Processes: kill these running processes with Task Manager:
2) Clean Registry: remove these registry items (if present) with RegEdit:
3) Remove Files: remove these files (if present) with Windows Explorer:
Research

File Analyses:

More Info:

Research By:

Last Revised:
April 14, 2005