1 / 38

Trojans, Backdoors, and Sniffers

Trojans, Backdoors, and Sniffers. BAI514 – Security I. Trojans, Backdoors, and Sniffers. Trojans have been around since ancient times. Trojans are malicious pieces of software used to install hacking software on a target system.

kara
Download Presentation

Trojans, Backdoors, and Sniffers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Trojans, Backdoors, and Sniffers BAI514 – Security I

  2. Trojans, Backdoors, and Sniffers • Trojans have been around since ancient times. • Trojans are malicious pieces of software used to install hacking software on a target system. • Trojans and their counterparts (backdoors and sniffers) are important pieces of the hacker’s toolkit

  3. Trojans and Backdoors • A trojan is a program that performs functions unwanted by the target. • Three accepted definitions • An unauthorized program contained within a legitimate program that performs functions unknown and unwanted by the user • A legitimate program that has been altered by the placement of unauthorized code within it and that performs functions unknown and unwanted by the user

  4. Trojans and Backdoors • Three accepted definitions (cont.) • Any program that appears to perform a desirable and necessary function but that, because of hidden and unauthorized code, performs functions unknown and unwanted by the user

  5. Trojans and Backdoors • A backdoor in a computer system secures remote access to the system for an attacker and allows the attacker to bypass normal authentication

  6. Trojans and Backdoors • Trojan types • Remote Access Trojan (RAT) • Keystroke logger or password sending trojan • Software detection killers • Purely destructive or service denying trojans • FTP trojans

  7. Trojans and Backdoors • Remote Access Trojans (RATs) • A program that surreptitiously allows access to a computer’s resources via a network connection • Generally consist of two parts • Client • Server – must be installed on the victim machine • Once installed, typically opens a port for communication and waits for the client to connect

  8. Trojans and Backdoors • Remote Access Trojans (RATs) (cont.) • Common Remote Access Port Numbers • Back Orifice 31337 UDP • BO2K 54320/54321 TCP/UDP • Beast 6666 TCP • Citrix ICA 1494 TCP/UDP • Donald Dick 23476/23477 TCP • Masters Paradise 40421-40426 TCP • Netmeeting R/C 49608/49609 TCP • NetBus 12345 TCP

  9. Trojans and Backdoors • Remote Access Trojans (RATs) (cont.) • Common Remote Access Port Numbers (cont.) • Netcat Various TCP • PCAnywhere 5631/5632/65301 TCP • Reachout 43188 TCP • Remotely anywhere 2000/2001 TCP • Remote 135-139 TCP/UDP • Timbuktu 407 TCP/UDP • VNC 5800/5801 TCP/UDP

  10. Trojans and Backdoors • Trojan Attack Vectors • Trojans employ attack vectors to install its payload on the target • Email and attachments • Deception and social engineering • Web bugs and driveby downloads • NetBIOS remote plants • Physical access • Attacks that exploit Windows and IE vulnerabilities • Web pages that install spyware and adware • Instant messaging and IRC • P2P networks

  11. Trojans and Backdoors • Trojan Attack Vectors (cont.) • Example: “Sepuc” • Delivered by email • Victims have no idea they’re being spied on • Email has no subject line and no visible text in the body • When opened, hidden code attempts to exploit a vulnerability in IE to force a download from a remote machine

  12. Trojans and Backdoors • Wrappers • A program used to combine two or more executables into a single packaged program. • The wrapper attaches a harmless executable, like a game, to a trojan’s payload • When run, the game is launched as expected, but the trojan is also launched, unknown to the user

  13. Trojans and Backdoors • Wrappers (cont.) • ELiTeWrap • Advanced executable wrapper for Windows • Can be used for archiving or secretly installing and running programs • Silk Rope • Easy to use GUI • Binds BO installer with the attackers program of choice

  14. Trojans and Backdoors • Wrappers (cont.) • Other wrappers • Saran Wrap • PE Bundle • Teflon Oil Patch (TOVB4) • AFX File Lace • Exe2vbs

  15. Trojans and Backdoors • Covert Communication • Utilize covert channels • A way of transmitting data by using a path differently from its original intention.

  16. Trojans and Backdoors • Covert Communication (cont.) • Covert storage channel • Conveys information by changing a system’s stored data • E.g. Changing the characteristics of a file • Covert timing channel • A covert channel in which one process signals information to another by modulating its own use of system resources in such a way that this manipulation affects the real response time observed by a second process

  17. Trojans and Backdoors • Covert Communication (cont.) • Covert communication tools • Rely on a technique called tunneling • Allows one protocol to be carried over another protocol • E.g. Loki – provides shell access over ICMP

  18. Trojans and Backdoors • Port Redirection • Listening on preconfigured port then redirecting all packets to a secondary destination • Some tools used for port redirection • Netcat • Reverse telnet • Datapipe • Fpipe • Rinetd

  19. Trojans and Backdoors • Port Redirection (cont.) • NetCat • Port redirection tool for both Unix and Windows • Uses either TCP or UDP • Datapipe • Unix redirection tool • Must be run on both ends of the attack • Fpipe • TCP port forwarder and redirector • Creates a TCP stream with a source port of your choice • Rinetd • Redirects TCP connections from one IP and port to another

  20. Trojans and Backdoors • Trojan tools and creation kits • Tini • Very small trojan backdoor (3KB) • Programmed in assembly language • Only listens on port 7777 • Runs a command prompt when someone attaches to this port • QAZ • Companion virus that can spread over a network • Has a backdoor using port 7597 to allow remote control • Renames the notepad program to note.exe

  21. Trojans and Backdoors • Trojan tools and creation kits (cont.) • Donald Dick • Remote access tool • Uses a client-server architecture • Uses TCP or SPX • Default ports are 23476 or 23477

  22. Trojans and Backdoors • Trojan tools and creation kits (cont.) • NetBus • Remote access tool • Created in 1998, translated to Swedish means “NetPrank” • Client-server architecture • Server has names like Patch.exe or SysEdit.exe • Uses ports 12345 or 12346

  23. Trojans and Backdoors • Trojan tools and creation kits (cont.) • Back Orifice 2000 • Spawned many imitators • Once installed on system, gives attacker complete control of the system • Has stealth capabilities • Will not show up in task list • Server is only 100KB • Client is only 500KB

  24. Trojans and Backdoors • Trojan tools and creation kits (cont.) • Back Orifice 2000 (cont.) • Plug-ins available • BOPeep – complete remote control snap-in • Encryption – encrypts all traffic between client and server • BOSOCK32 – allows use of ICMP rather than TCP • STCPIO – encrypts traffic between client and server

  25. Trojans and Backdoors • Trojan tools and creation kits (cont.) • SubSeven • Backdoor to allow full access to the system • Senna Spy • Trojan code generator • Hard Disk Killer • Can permanently destroy all data on any given DOS or Windows HD • FireKiller 2000 • Will kill any virus protection software • Disables personal firewalls • Beast • Very powerful RAT

  26. Trojans and Backdoors • Anti-Trojan Software and Countermeasures • Awareness works best! • Educate users • Develop effective policies • Cleaner (www.moosoft.com) can identify and remove 1000 types of backdoors and trojans • Windows File Protection (WFP) • Protects files installed by Windows setup • Generates hashes of all system files for comparison

  27. Trojans and Backdoors • Anti-Trojan Software and Countermeasures (cont.) • Tripwire • Automatically creates hashes of all key system files or any files you choose • Creates a baseline of the system • Periodically scans and compares baseline hashes for changes • Fport • Identifies unknown open ports and their associated applications

  28. Trojans and Backdoors • Anti-Trojan Software and Countermeasures (cont.) • TCPView • GUI showing all TCP and UDP endpoints • Process Viewer • GUI process viewer • Displays detailed information about processes running under Windows • Inzider • Tracks processes and ports • Not stable

  29. Sniffers • Sniffing is the process of gathering traffic from a network by capturing data as it passes and storing it to analyze later • A sniffer is a piece of software that captures the traffic flowing into and out of a computer attached to a network.

  30. Sniffers • Commonly used to gather login credentials • Attacks can include • Man-in-the-middle attacks • Session hijacking • Attacks commonly performed as a result of MAC flooding and ARP spoofing

  31. Sniffers • Sniffing exploits • Passive • Requires the introduction of a hub or network tap • Only packets passing through the hub or tap are captured • Active involved routing the traffic through the attacker’s computer • Two methods of active sniffing • ARP spoofing • MAC flooding

  32. Sniffers • ARP Spoofing (ARP poisoning) • Attacker configures IP forwarding on their computer • Attacker sends a fake ARP response to remap the default router’s IP to the attacker’s IP • Victim sends traffic destined for the outside world based on a poisoned ARP table entry • Victim’s redirected packets are forwarded through the switch to the attacker • Attacker sniffs the traffic • Victim’s packets are forwarded from the attacker’s computer to the actual gateway

  33. Sniffers • MAC Flooding • The act of attempting to overload the switch’s Content Addressable Memory (CAM) table • If the CAM table becomes full of entries, switches often fail open • All frames start flooding out all ports of the switch • MAC flooding may draw attention • Overall performance decreases

  34. Sniffers • DNS Spoofing or Poisoning • Occurs when a DNS entry points to another IP instead of the legitimate IP address • Also known as DNS cache poisoning • Process of distributing incorrect IP address information for a specific host with the intent to divert traffic from its true destination

  35. Sniffers • Sniffing Tools • Snort • Very powerful IDS • General purpose sniffer • Dsniff • Collection of tools for network auditing and penetration testing • Wireshark • Free network protocol anlyzer • Powerful

  36. Sniffers • Mac Flooding Tools • Etherflood • Floods a switched network with Ethernet frames containing random hardware addresses • SMAC 2.0 MAC Address Changer • Allows users to change MAC addresses for almost any NIC on Windows Vista, XP, 2003, and 2000 • Macof • Floods the local network with random MAC addresses

  37. Sniffers • ARP Poisoning Tools • Ettercap • Suite designed to facilitate man-in-the-middle attacks on a LAN • Features include sniffing and real-time content filtering, among others… • Cain • Multipurpose tool • Can perform ARP spoofing

  38. FIN

More Related