Presentation on theme: "Backdoors, Trojans and Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited."— Presentation transcript:
Backdoors, Trojans and Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen C. Hayne
An alternative entryway No fancy authentication needed Maintains access on a system Usually access is needed initially Still works when front door is closed B ack D oors
An attacker with back door access “owns” the system Attackers might make the system more secure to keep ownership The attacker does the work of the administrator B ack D oors
Application-level Trojan Horse Backdoors Traditional RootKits Kernel-level RootKits B ack D oors M elded into T rojan H orses
Adds a separate application to the system Made up of a server and client part server is installed on victims machine client is installed on attackers machine Victim must install the server portion Once installed the attacker “owns” the victims machine A pplication- L evel T rojan H orse B ackdoor T ools
Most popular Windows backdoors: Back Orifice 2000(BO2K) Sub7 Hack-a-tack The Virtual Network Computer(VNC)* *remote administration tool often used as a backdoor A pplication- L evel T rojan H orse B ackdoor T ools
Back Orifice 2000 Original Back Orifice released 1998 Works on Windows 95/98/ME/NT/2000 Open source Server portion is only 112KB Client portion is 568KB Product of the Cult of the Dead Cow (cDc) A pplication- L evel T rojan H orse B ackdoor T ools
Log Keystrokes Gather system information Get passwords from the SAM database Control the file system Edit the registry Control applications and services Redirect Packets A pplication- L evel T rojan H orse B ackdoor T ools
Application redirection Any DOS application can be spawned useful for setting up command-line backdoors Multimedia control View files in a browser Hidden mode Encryption between client and server A pplication- L evel T rojan H orse B ackdoor T ools
Plug-ins: Streaming video from server machine More encryption methods Blowfish, CAST-256, IDEA, Serpent, RC6 Stronger security than a lot of commercial products! Stealthier methods for transport A pplication- L evel T rojan H orse B ackdoor T ools
Most Anti-virus programs will notice and remove the tools mentioned Update virus definitions regularly Don’t run programs downloaded from untrusted sources Don’t auto-run ActiveX controls D efenses against A pplication- L evel T rojan B ackdoors
Hidden Backdoors Attacker takes over your system and installs a backdoor to ensure future access Backdoor listens, giving shell access How do you find a backdoor listener? Sometimes, they are discovered by noticing a listening port Nmap port scan across the network Running "netstat –na" locally Running lsof (UNIX) or Inzider (Windows) Network Backdoor listens on port ABC SQL Server Hack!
Sniffing Backdoors Who says a backdoor has to wait listening on a port? Attackers don't want to get caught They are increasingly using stealthy backdoors A sniffer can gather the traffic, rather than listening on an open port Non-promiscuous sniffing backdoors Grab traffic just for one host Promiscuous sniffing backdoors Grab all traffic on the LAN
Non-Promiscuous Backdoor – Cd00r Written by FX http://www.phenoelit.de/stuff/cd00r.c Includes a non-promiscuous sniffer Gathers only packets destined for the single target machine Several packets directed to specific ports (where there is no listener) will trigger the backdoor Sniffer grabs packets, not a listener on the ports Backdoor root shell starts to listen on TCP port 5002 only when packets arrive to the trigger ports
Non-Promiscuous Backdoor – Cd00r in Action The idea has been extended to eliminate even port 5002 Netcat can push back a command shell from server, so no listener ever required Connection goes from server back to client Server SYN to port X Sniffer analyzes traffic destined just for this machine, looking for ports X, Y, Z SYN to port Y SYN to port Z After Z is received, activate temporary listener on port 5002 Connection to root shell on port 5002
Promiscuous Backdoor Can be used to help throw off an investigation Attacker sends data for destination on same network But the backdoor isn't located at the destination of the backdoor traffic Huh? How does that work?
Promiscuous Backdoor in Action Backdoor is located on DNS server All packets sent to WWW server DNS server backdoor sniffs promiscuously In switched environment, attacker may use ARP cache poisoning Confusing for investigators Firewall DNS WWW Internet Sniffer listens for traffic destined for WWW server
Sniffing Backdoor Defenses Prevent attacker from getting on system in the first place (of course) Know which processes are supposed to be running on the system Especially if they have root privileges! Not easy, but very important Beware of stealthy names (like "UPS" or "SCSI") Look for anomalous traffic Look for sniffers
Your consent to our cookies if you continue to use this website.