Evil-VNC: A VNC Server Injector

There have been countless trojan/backdoor viruses made over the last decade, some more complex than others, but all unnerving nonetheless. There is one in particular, though, that I’ve always found to be a good example of how hackers can sometimes run ideas off of normal, legitimate software.

Back in early 2000, remote access software known as RealVNC was released. Since then it has become widely used. Basically, it allows one computer to be remotely controlled by another. The server part is installed on the remote computer, and the computer accessing it uses the client part. RealVNC is meant for legitimate purposes. It doesn’t really present a security threat, since it requires the cooperation of the remote computer and can have a password set for the server.

[Screenshot: the client viewing two other remote computers]

Around 2004, a hacker known as matiteman created a VNC server injector, which he named Evil-VNC. It can secretly install a VNC server on a remote host and run it automatically. The victim would not see anything or even know it was running. After installation, the server would immediately notify the hacker by sending the remote IP and the connection password to a preset CGI or PHP logger.

When it was first released it had only a few features, but it was eventually updated to include many more, such as file transfer and built-in file binding.

The hacker can use the RealVNC client to view his victims, but since the Evil-VNC server features a JavaViewer applet, it also allows remote control without any viewer application. This means the hacker could use any computer that has an internet browser with Java and watch or control their victims from there!

Although Evil-VNC is well detected by antivirus software nowadays, its source code was released. Thus anyone with the know-how could crypt it with a crypter of their own or one that hasn’t been used by other people.