Backdoors, Trojans, and Rootkits
Presentation on the various types of covert entryways an attacker can use to gain access and maintain control of a system, including backdoors, trojans, and rootkits.
1. Backdoors, Trojans and Rootkits
CIS 413
This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material.
Dr. Stephen C. Hayne
2. Back Doors
- An alternative entryway into a system
- No fancy authentication needed
- Maintains the attacker's access to the system
- Initial access is usually needed to install one
- Still works after the front door (the original way in) is closed
3. Back Doors
- An attacker with back door access "owns" the system
- Attackers might make the system more secure to keep ownership (patching the hole they came in through so nobody else gets in)
- The attacker ends up doing the work of the administrator
4. Back Doors Melded into Trojan Horses
- Application-level Trojan Horse Backdoors
- Traditional RootKits
- Kernel-level RootKits
5. Application-Level Trojan Horse Backdoor Tools
- Adds a separate application to the system
- Made up of a server and a client part
  - the server is installed on the victim's machine
  - the client runs on the attacker's machine
- The victim must be tricked into installing the server portion
- Once installed, the attacker "owns" the victim's machine
6. Application-Level Trojan Horse Backdoor Tools
- Most popular Windows backdoors:
  - Back Orifice 2000 (BO2K)
  - Sub7
  - Hack-a-tack
  - Virtual Network Computing (VNC)*
- *a legitimate remote administration tool often abused as a backdoor
7. Application-Level Trojan Horse Backdoor Tools: Back Orifice 2000
- Original Back Orifice released in 1998; BO2K followed in 1999
- Works on Windows 95/98/ME/NT/2000
- Open source
- Server portion is only 112 KB; client portion is 568 KB
- Product of the Cult of the Dead Cow (cDc)
9. Application-Level Trojan Horse Backdoor Tools: BO2K capabilities
- Log keystrokes
- Gather system information
- Get password hashes from the SAM database
- Control the file system
- Edit the registry
- Control applications and services
- Redirect packets
10. Application-Level Trojan Horse Backdoor Tools: BO2K capabilities (continued)
- Application redirection: any DOS application can be spawned, useful for setting up command-line backdoors
- Multimedia control
- View files in a browser
- Hidden mode
- Encryption between client and server
11. Application-Level Trojan Horse Backdoor Tools: BO2K plug-ins
- Streaming video from the server machine
- More encryption methods: Blowfish, CAST-256, IDEA, Serpent, RC6
  - Stronger security than a lot of commercial products!
- Stealthier transport methods
12. Defenses against Application-Level Trojan Backdoors
- Most anti-virus programs will notice and remove the tools mentioned
  - Update virus definitions regularly
- Don't run programs downloaded from untrusted sources
- Don't auto-run ActiveX controls
13. Hidden Backdoors
- Attacker takes over your system and installs a backdoor to ensure future access
- The backdoor listens on a port, giving shell access to whoever connects
- How do you find a backdoor listener?
  - Sometimes they are discovered simply by noticing an unexpected listening port
  - Nmap port scan across the network
  - Running "netstat -na" locally
  - Running lsof (UNIX) or Inzider (Windows) to map the listening port to a process
  - A rootkit on the host can hide the listener from local tools, so compare the local view with a scan from another machine
[Diagram: backdoor listening on port ABC on a compromised SQL Server]
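The "notice an unexpected listening port" check from this slide, as an added example that is not part of the original presentation: it parses Linux-style `netstat -na` output and reports every listener that is not on an allowlist of services the administrator expects. The sample output, the allowlist (ssh, http, dns) and the back door ports in it are constructed for the example, not captured from a real host.

```python
"""Baseline check for unexpected listening ports (added example)."""
import re

# Listeners we expect on this host (assumption: a small web/DNS server).
EXPECTED_LISTENERS = {
    ("tcp", 22),    # sshd
    ("tcp", 80),    # httpd
    ("udp", 53),    # named
}

# Constructed sample in Linux `netstat -na` layout; not real capture data.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:50212      ESTABLISHED
tcp6       0      0 :::5002                 :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
"""

# proto, recv-q, send-q, local, foreign, optional state (UDP has none)
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_host_port(addr):
    """Return (host, port) from 'host:port', including the ':::port' IPv6 form."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def listeners(netstat_text):
    """Return (proto, host, port) for every socket that accepts traffic.

    TCP sockets count only in LISTEN state; bound UDP sockets have no state
    column, so each one is treated as a listener.
    """
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or blank line
        proto, local, _foreign, state = m.groups()
        base = proto.rstrip("6")          # tcp6 -> tcp, udp6 -> udp
        if base == "tcp" and state != "LISTEN":
            continue
        host, port = split_host_port(local)
        found.append((base, host, port))
    return found


def unexpected_listeners(netstat_text, expected=EXPECTED_LISTENERS):
    """Return listeners not on the allowlist, ordered by port."""
    return sorted(
        (proto, host, port)
        for proto, host, port in listeners(netstat_text)
        if (proto, port) not in expected
    )


if __name__ == "__main__":
    import sys
    # Usage: python check_listeners.py [file-with-netstat-output]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    for proto, host, port in unexpected_listeners(text):
        print(f"UNEXPECTED {proto} listener on {host}:{port}")
```

On the sample this flags the 31337 and 5002 TCP listeners and the UDP socket on 323; the allowlist is what turns "a list of ports" into a finding, so keep it per host role and review it whenever a service is legitimately added.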
14. Sniffing Backdoors
- Who says a backdoor has to wait listening on a port?
- Attackers don't want to get caught, so they are increasingly using stealthy backdoors
- A sniffer can gather the attacker's traffic instead of a process listening on an open port
- Non-promiscuous sniffing backdoors: grab only the traffic addressed to this one host
- Promiscuous sniffing backdoors: grab all traffic on the LAN segment
15. Non-Promiscuous Backdoor: cd00r
- Written by FX, http://www.phenoelit.de/stuff/cd00r.c
- Includes a non-promiscuous sniffer: gathers only packets destined for the single target machine
- Several packets directed to specific ports, in a specific order, trigger the backdoor; there is no listener on those ports
- The sniffer grabs the packets, so nothing is bound to the trigger ports and a port scan shows them closed
- The root shell starts listening on TCP port 5002 only after the trigger packets have arrived
16. Non-Promiscuous Backdoor: cd00r in Action
- Attacker sends a SYN to port X, then a SYN to port Y, then a SYN to port Z
- The sniffer analyzes traffic destined just for this machine, looking for SYNs to ports X, Y and Z in that order
- After the SYN to Z is received, a temporary listener is activated on port 5002
- The attacker then connects to the root shell on port 5002
- The idea has been extended to eliminate even port 5002: netcat can push a command shell back from the server, so no listener is ever required
  - The connection then goes from the server back to the client (a reverse shell)
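The trigger logic from slides 15 and 16, as an added example written for this page; it is not cd00r's own code (that is at the URL on slide 15). It models only what the slides describe: a non-promiscuous filter that ignores packets for other hosts, counts only initial SYNs, advances through the trigger ports in order, and returns the port (5002, as on the slide) on which a shell listener would be opened once the sequence completes. Packet capture and the shell itself are left out, the packets are constructed objects, and the trigger sequence (200, 80, 22) is an assumption chosen for the example.

```python
"""Decision logic of a cd00r-style knock-triggered backdoor (added example)."""

SYN = 0x02   # TCP SYN flag bit
ACK = 0x10   # TCP ACK flag bit


class Packet:
    """The few TCP header fields the trigger looks at (constructed, not captured)."""

    def __init__(self, src, dst, dport, flags):
        self.src, self.dst, self.dport, self.flags = src, dst, dport, flags


class KnockTrigger:
    """Tracks progress through the knock sequence for one protected host."""

    def __init__(self, host, sequence=(200, 80, 22), listen_port=5002):
        self.host = host
        self.sequence = tuple(sequence)   # trigger ports, in order (assumption)
        self.listen_port = listen_port    # port the shell is bound to afterwards
        self.progress = 0                 # index of the next expected trigger port
        self.activations = []             # sources that completed the knock

    def observe(self, pkt):
        """Feed one sniffed packet; return the port to open, or None.

        Non-promiscuous: packets for other hosts are ignored. Only pure SYNs
        count, so the later connection to the shell port and its replies cannot
        disturb the sequence. A SYN to any port other than the expected one
        resets progress (or restarts it when it is the first trigger port), so
        a scan that sweeps ports in ascending or descending order never
        completes the knock: the ports between the trigger ports reset it.
        """
        if pkt.dst != self.host:
            return None
        if not (pkt.flags & SYN) or (pkt.flags & ACK):
            return None
        if pkt.dport == self.sequence[self.progress]:
            self.progress += 1
        elif pkt.dport == self.sequence[0]:
            self.progress = 1             # wrong port, but it begins a new knock
        else:
            self.progress = 0
        if self.progress == len(self.sequence):
            self.progress = 0
            self.activations.append(pkt.src)
            return self.listen_port       # cd00r would now bind the shell here
        return None


def replay(trigger, packets):
    """Run packets through the trigger; return the ports it asked to open."""
    return [p for p in (trigger.observe(pkt) for pkt in packets) if p is not None]


def demo():
    """A correct knock opens 5002 once; a full ascending port scan never does."""
    host, attacker, scanner = "192.0.2.10", "198.51.100.7", "203.0.113.9"
    knock = [Packet(attacker, host, p, SYN) for p in (200, 80, 22)]
    scan = [Packet(scanner, host, p, SYN) for p in range(1, 1025)]
    return {
        "knock": replay(KnockTrigger(host), knock),
        "scan": replay(KnockTrigger(host), scan),
    }


if __name__ == "__main__":
    print(demo())   # {'knock': [5002], 'scan': []}
```

The point for a defender is the `scan` result: nothing is bound to ports 200, 80 or 22 on the trigger path and a sweep does not open anything, which is why Nmap and netstat from the previous slide both come up empty against this class of backdoor.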
17. Promiscuous Backdoor
- Can be used to help throw off an investigation
- Attacker sends data to a destination on the same network segment
- But the backdoor isn't located at the destination of the backdoor traffic
- Huh? How does that work?
18. Promiscuous Backdoor in Action
- The backdoor is located on the DNS server
- All of the attacker's packets are sent to the WWW server
- The DNS server's backdoor sniffs promiscuously and picks those packets up off the wire
- In a switched environment the traffic would not reach the DNS server's port, so the attacker may use ARP cache poisoning
- Confusing for investigators, who look at the WWW server the traffic was addressed to
[Diagram: Internet -> Firewall -> LAN with DNS and WWW servers; the sniffer on the DNS server listens for traffic destined for the WWW server]
19. Sniffing Backdoor Defenses
- Prevent the attacker from getting on the system in the first place (of course)
- Know which processes are supposed to be running on the system, especially those with root privileges! Not easy, but very important
- Beware of stealthy names (like "UPS" or "SCSI") chosen to blend in with hardware or system daemons
- Look for anomalous traffic (SYNs to closed ports, traffic to a host that never answers it)
- Look for sniffers (interfaces in promiscuous mode)
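Two of the checks above, as an added example that is not part of the original presentation: it looks for interfaces in promiscuous mode in `ip link show` output, and for root processes that are off a known baseline, run from an odd path, or dress up as a kernel thread (a user process can set its argv[0] to "[scsi_eh_1]", but on Linux a genuine kernel thread is a child of kthreadd, PID 2, and that parent cannot be faked). Both command outputs are constructed samples, and the baseline and trusted directories are assumptions for a small Linux host.

```python
"""Host-side checks for a sniffing backdoor (added example)."""
import re

# Constructed sample of `ip link show` (first line of each interface).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
"""

# Constructed sample of `ps -eo pid,ppid,user,comm,args`.
SAMPLE_PS = """\
    PID    PPID USER     COMMAND         COMMAND
      1       0 root     systemd         /sbin/init
      2       0 root     kthreadd        [kthreadd]
     37       2 root     scsi_eh_0       [scsi_eh_0]
    412       1 root     sshd            /usr/sbin/sshd -D
    430       1 root     cron            /usr/sbin/cron -f
    515       1 bind     named           /usr/sbin/named -u bind
   1883       1 root     UPS             /tmp/.x/UPS -q
   1902       1 root     scsi_eh_1       [scsi_eh_1]
"""

ROOT_BASELINE = {"systemd", "sshd", "cron"}                                  # assumption
TRUSTED_DIRS = ("/sbin/", "/usr/sbin/", "/bin/", "/usr/bin/", "/usr/lib/")  # assumption

IFACE_RE = re.compile(r"^\d+:\s+([^:]+):\s+<([^>]*)>")


def promiscuous_interfaces(ip_link_text):
    """Return the names of interfaces whose flag list includes PROMISC."""
    found = []
    for line in ip_link_text.splitlines():
        m = IFACE_RE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def suspicious_root_processes(ps_text, baseline=ROOT_BASELINE):
    """Return (pid, comm, reason) for root processes that deserve a look."""
    flagged = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 4)                # pid, ppid, user, comm, args
        if len(parts) < 5:
            continue
        pid, ppid, user, comm, args = parts
        if user != "root":
            continue
        if args.startswith("[") and args.endswith("]"):
            # Real kernel threads hang off kthreadd (PID 2); kthreadd itself
            # has PPID 0. Anything else wearing brackets is a disguise.
            if ppid in ("0", "2"):
                continue
            flagged.append((int(pid), comm,
                            f"looks like a kernel thread but parent is PID {ppid}, not kthreadd"))
            continue
        reasons = []
        if comm not in baseline:
            reasons.append("not in root baseline")
        binary = args.split()[0]
        if not binary.startswith(TRUSTED_DIRS):
            reasons.append(f"binary outside trusted dirs: {binary}")
        if reasons:
            flagged.append((int(pid), comm, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    print("promiscuous:", promiscuous_interfaces(SAMPLE_IP_LINK))
    for pid, comm, reason in suspicious_root_processes(SAMPLE_PS):
        print(f"PID {pid} ({comm}): {reason}")
```

On the samples this reports eth0 as promiscuous, the "UPS" process running out of /tmp, and the fake scsi_eh_1 whose parent is PID 1. Both checks read the compromised host's own kernel, so a kernel-level rootkit (the next topic of the deck) can make them lie; treat a clean result as necessary, not sufficient.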