Certified Ethical Hacker
Module 6 - Trojans and BackDoors

Trojans and Backdoors

A Trojan Horse Is
- An unauthorized program contained within a legitimate program
  - Performs unknown functions
- A legitimate program that has been altered by the placement of unauthorized code
  - New code performs unknown functions
- A program that appears to be legitimate but has unauthorized code
  - Unauthorized code performs unknown functions

Workings of Trojans
- Normally have a client/server model
- Two parts
  - Client
  - Server
- Attacker gains access to the trojaned system when the trojaned system goes online
- Sometimes the trojaned system notifies the attacker when it is online
- Attacker normally has access to multiple trojaned systems

Trojan Genre
- Remote Access Trojans
  - Provide remote access of the infected machine to the attacker
  - Very prevalent and often reported on by the media
  - Sometimes use keyloggers
- Password Sending Trojans
  - Sole aim is to capture passwords and send these to the attacker
- Keyloggers
  - Capture keystrokes on the victim
  - Normally looking for passwords or other sensitive information
- Destructive
  - Only function is to destroy files
  - The worst sort, but not really seen
- DoS Trojans
  - Install backdoors that enable the victim to be controlled and used for a DoS or DDoS attack
  - A lot of newer viruses install this trojan
- Proxy Trojans
  - The trojan makes the machine a proxy server
  - Installs a simple web proxy on the machine
  - The machine can then be used to launch web attacks against other victims
- FTP Trojans
  - Enables an FTP server on the victim
  - Normally used to transfer large files or for an FTP Bounce scan
- Software Detection Killers
  - Software that can kill software running on the box
  - Sometimes included with other virus functions
  - Examples
    - Kill Zone Alarm
    - Kill AV Product

Modes of Transmission
- ICQ
- IRC
- Email Attachments
- Physical Access
- Browser and Software Bugs
- NetBIOS File Sharing
- Freeware and Fake Applications

Modes of Infection
- Wrappers
  - A wrapper attaches a .exe application to the trojan executable
  - You can attach a game or other desirable freeware app to a trojan
  - Two programs are wrapped into a single file; both are installed at the same time
  - User only sees the desirable application
- Packaging
  - Graffiti
    - Wrapper for trojans
    - Can use WordPad, using OLE
  - EliteWrap
    - EXE wrapper
    - Creates a setup program that can be used to wrap trojans
  - IconPlus
    - Used to change icons in .exe files
    - Handy in fooling people about the wrapped application for trojan delivery
  - Restorator
    - Skin editor for Windows applications
    - Can change images, icons, text, sounds, videos, dialogs and menus
    - Can totally modify the application to hide the trojan
- CDROM
  - You can make CDs autostart for Windows
  - Therefore you can run malicious code from the CDROM
- ICMP Tunneling
  - Uses a covert channel to hide data in an undetectable protocol
  - Tunnels with ICMP
- Reverse WWW Shell
  - Uses TCP port 80
  - Looks like a machine browsing the web
  - Trojaned machine communicates outbound

Trojan and Backdoor Tools
- QAZ
  - Companion virus
  - Spreads over the network using Network Neighborhood
  - Backdoor on TCP port 7597
  - Remote access capability
  - Renames notepad to note.com
  - Modifies the registry
  - Only 3 KB in size
- Tini
  - Very simple Windows backdoor
  - Opens a backdoor on TCP 7777
  - Provides a remote command prompt
  - Attacker just needs to telnet to the attacked host on port 7777
- Netcat
  - Network swiss army knife
  - TCP or UDP
  - Can create inbound or outbound connections, from and to any port
  - Easy to set up back doors
    - C:\nc -L -p 5000 -t -e cmd.exe
    - This would set up a Windows backdoor listening on port 5000
- Donald Dick
  - Remote access trojan
  - Remote control system for Windows 95, 98 or NT4
  - GUI based
  - Two parts
    - Client
    - Server
  - TCP/IP or IPX/SPX
  - Provides full access to the file system
  - Has a lot of functionality: remote control, passwords, processes, registry, keylogging
  - Functionality: file controls, monitoring, network control
- SubSeven
  - Three parts
    - SubSeven.exe (Client): contains an address book function to check if the victim is online
    - server.exe (Server)
    - EditServer.exe: server configuration utility
- Back Orifice 2000
  - Updated version of the original Back Orifice
  - Currently runs on Windows 95, 98, ME, NT and XP
  - Client/Server application
    - Client is GUI or CLI
    - Client is 500 KB, server code is 100 KB
    - Server must be installed on the target system
    - Once the server is installed, the attacker has complete control over the system
  - Talks over TCP and UDP with strong encryption
  - Complete remote control
  - BO2K functionality can be improved with plug-ins
    - BoPeep
    - Encryption
    - BOSOCK32: provides stealth capabilities by using ICMP rather than TCP or UDP
    - STCPIO: provides encrypted flow between the GUI and server
- NetBus
  - One of the first remote control trojans
  - Two parts
    - netbus.exe (Client)
    - patch.exe or sysedit.exe (Server)
  - Uses port TCP/UDP 12345
    - Cannot be altered
    - Unless it is installed after v1.7 with the Whack-A-Mole program (whackjob.zip); then uses TCP 12631
  - Also less stealthy
  - 4 times larger than BO2K
  - Contains a lot of functionality
- Whack-A-Mole
  - Simple game where you have to hit a mole
  - Installs NetBus in the background
- BoSniffer
  - An application that claims to check for the BO server
  - It actually infects the machine with BO
  - Then announces itself on IRC channel #BO_OWNED
- Firekiller 2000
  - Kills any resident protection software
  - Works with all major AV vendors
  - Handy to use before you infect with a trojan
- Loki
  - Provides shell access over ICMP
  - Harder to detect than TCP and UDP backdoors
  - Can also run over UDP port 53 (DNS requests)
- Senna Spy
  - Trojan generator
  - Creates VB source code for trojans
  - Makes the trojan customized but uses common trojan functions
- Hard Disk Killer
  - Once run, starts filling up the hard drive and then reboots in a matter of seconds
  - After reboot, the hard drive is formatted very quickly and all the data is gone
  - Very nasty!
- Beast
  - Remote administration tool
  - All in one application: client and server in the same application
  - Created in Delphi 7
  - Injects itself into winlogon.exe

Countermeasures Tools
- AV
  - Most commercial AV products will catch all trojans
- Cleaner
  - Can identify and eradicate over 1000 trojans
  - Supports Windows NT4, 2000 and XP
- fPort
  - Shows what ports are open and what applications are listening on them
  - Windows CLI application
  - Displays very detailed information about open ports
- TCPView
  - Similar to fPort but a lot more powerful
- PrcView
  - Process viewer
  - Displays detailed information about processes running on your machine
- Inzider
  - Windows CLI application
  - Lists processes and what ports they are listening on
- Tripwire
  - File-based protection
  - Looks at hashes of key files to see if they have changed
  - Very handy anti-rootkit tool
CEH 6 - Trojans and BackDoors.mmap - 25/06/2008 - Andrew Mason
