Backdoors, Trojans and Rootkits - PowerPoint PPT Presentation

1 / 16

About This Presentation

Title:

Backdoors, Trojans and Rootkits

Description:

Backdoors, Trojans and Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. – PowerPoint PPT presentation

Number of Views:584

Avg rating:3.0/5.0

Slides: 17

Provided by: DrSte83

Category:

more less

Transcript and Presenter's Notes

Title: Backdoors, Trojans and Rootkits

1
Backdoors, Trojans and Rootkits

CIS 413
This presentation is an amalgam of presentations
by Mark Michael, Randy Marchany and Ed Skoudis.
I have edited and added material.
Dr. Stephen C. Hayne

An alternative entryway
No fancy authentication needed
Maintains access on a system
Usually access is needed initially
Still works when front door is closed

An attacker with back door access owns the
system
Attackers might make the system more secure to
keep ownership
The attacker does the work of the administrator

Application-level Trojan Horse Backdoors
Traditional RootKits
Kernel-level RootKits

Adds a separate application to the system
Made up of a server and client part
server is installed on victims machine
client is installed on attackers machine
Victim must install the server portion
Once installed the attacker owns the victims
machine

Most popular Windows backdoors
Back Orifice 2000(BO2K)
Sub7
Hack-a-tack
The Virtual Network Computer(VNC)
remote administration tool often used as a
backdoor

Back Orifice 2000
Original Back Orifice released 1998
Works on Windows 95/98/ME/NT/2000
Open source
Server portion is only 112KB
Client portion is 568KB
Product of the Cult of the Dead Cow (cDc)

8
(No Transcript)
9

Log Keystrokes
Gather system information
Get passwords from the SAM database
Control the file system
Edit the registry
Control applications and services
Redirect Packets

Application redirection
Any DOS application can be spawned
useful for setting up command-line backdoors
Multimedia control
View files in a browser
Hidden mode
Encryption between client and server

Plug-ins
Streaming video from server machine
More encryption methods
Blowfish, CAST-256, IDEA, Serpent, RC6
Stronger security than a lot of commercial
products!
Stealthier methods for transport

Most Anti-virus programs will notice and remove
the tools mentioned
Update virus definitions regularly
Dont run programs downloaded from untrusted
sources
Dont auto-run ActiveX controls

13
Hidden Backdoors
SQL Server Hack!
Backdoor listens on port ABC

Attacker takes over your system and installs a
backdoor to ensure future access
Backdoor listens, giving shell access
How do you find a backdoor listener?
Sometimes, they are discovered by noticing a
listening port
Nmap port scan across the network
Running "netstat na" locally
Running lsof (UNIX) or Inzider (Windows)

Network
14
Sniffing Backdoors

Who says a backdoor has to wait listening on a
port?
Attackers don't want to get caught
They are increasingly using stealthy backdoors
A sniffer can gather the traffic, rather than
listening on an open port
Non-promiscuous sniffing backdoors
Grab traffic just for one host
Promiscuous sniffing backdoors
Grab all traffic on the LAN

15
Non-Promiscuous Backdoor Cd00r

Written by FX
http//www.phenoelit.de/stuff/cd00r.c
Includes a non-promiscuous sniffer
Gathers only packets destined for the single
target machine
Several packets directed to specific ports (where
there is no listener) will trigger the backdoor
Sniffer grabs packets, not a listener on the
ports
Backdoor root shell starts to listen on TCP port
5002 only when packets arrive to the trigger ports

16
Non-Promiscuous Backdoor Cd00r in Action
Sniffer analyzes traffic destined just for this
machine, looking for ports X, Y, Z
Server
SYN to port X
SYN to port Y
SYN to port Z
After Z is received, activate temporary listener
on port 5002
Connection to root shell on port 5002