Trojan and Backdoor Countermeasures
Apply Your Knowledge
The best way to learn more about Trojans and malicious programs is to search for them on a system and look at the ways that they hide themselves.
Exercises
6.1. Finding Malicious Programs
In this exercise, you will look at some common ways to find malicious code on a computer system.
Estimated Time: 30 minutes.
- Unless you already have a Trojan installed on your computer, you will need something to find. Go to www.vulnwatch.org/netcat and download Netcat for Windows.
- Next, start up a Netcat listener on your computer. This can be done by issuing the following command from the command prompt: nc -n -v -l -p 80.
- Now that you have Netcat running and in listening mode, proceed to the task manager. You should clearly see Netcat running under applications.
- Let's now turn our attention to netstat. Open a new command prompt and type netstat -an. You should see a listing similar to the one shown here:
C:\>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
- Your results should include a listing similar to the first one shown, indicating that port 80 is listening. Did you notice anything else unusual on your listing? Did you notice anything unusual on the listing shown previously? The preceding listing shows a service listening on port 12345, which is the default port for NetBus.
- Now proceed to www.sysinternals.com/Utilities/TcpView.html and download TCPView. This free GUI-based process viewer shows you information on running processes in greater detail than netstat. It provides information for all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. You should be able to easily spot your Netcat listener if it is still running.
- Close TCPView and proceed to www.teamcti.com/pview; from there, you can download another process viewer tool known as ProcessViewer. You will find that it is similar to TCPView.
- Finally, let's review a Trojan removal tool. It's titled "The Cleaner" and is a system of programs designed to keep your computer and data safe from Trojans, worms, key loggers, and spyware. It can be downloaded from www.moosoft.com/products/cleaner/faq. After installation, let the program run and see if it flags Netcat or any other files.
- Afterward, you can remove Netcat or any of the other programs installed during this exercise that you no longer desire to use.
6.2. Using a Scrap Document to Hide Malicious Code
In this exercise, you will use Notepad as a basic wrapper. Notepad will allow you to embed objects that can be executed simply by double-clicking on them.
Estimated Time: 15 minutes.
- Make a copy of Notepad.exe and place it on your desktop.
- Open Wordpad.
- Click and drag the copy of Notepad.exe you placed on the desktop into the open Wordpad document.
- Next, click on Edit, Package Object, Edit Package.
- Then click on Edit, Command Line.
- At the command-line prompt, type a command such as dir c: /p; then click on OK.
- You can now change the icon if so desired.
- Exit from the edit window, and the document will be updated.
- Click and drag Notepad.exe back to the desktop.
- The file will have taken the name Scrap; rename it ImportantMessage.txt.
- Click on ImportantMessage.txt and observe the results. You should notice that the scrap produced a directory listing of the C drive. If you were a malicious hacker, you could have just as easily set up the command to reformat the hard drive or erase all the system files.
Exam Questions
1. You have just completed a scan of your servers, and you found port 31337 open. Which of the following programs uses that port by default?
2. Which of the following programs can be used for port redirection?
3. Which of the following best describes a covert communication?
4. Which of the following best describes Netcat?
5. One of your users' Windows computers has been running slowly and performs erratically. After looking it over, you found a file, watching.dll, that looks suspicious. Which of the following programs uses that file?
6. Jane has noticed that her system is running strangely, yet when she ran netstat, everything looked fine. What should she do next?
7. You overheard a co-worker who is upset about not getting a promotion threaten to load FakeGina onto the boss's computer. What does FakeGina do?
8. Which covert communication program has the capability to bypass router ACLs that block incoming SYN traffic on port 80?
9. What does the following command accomplish: nc -n -v -l -p 25
10. What is datapipe used for?
11. Dale watches his firewall settings closely and keeps all unused ports closed. He has been told by several employees that some individuals are using services that are blocked. What technique might these employees use to accomplish this prohibited activity?
12. Which of the following is the correct type for a ping request?
13. What does the following command accomplish when issued from a victim's computer: fpipe -l 69 -r 53 -u 10.2.2.2?
14. What does the following command accomplish: nc -u -v -w 1 10.2.2.2 135-139
15. Gil believes one of his workers is performing illegal activities on his work computer; he wants to install software key loggers on all employees' systems. What should be his number one concern?
16. Which of the following Trojans uses port 6666?
17. Which of the following best describes a wrapper?
18. Loki uses which of the following by default?
19. You have become concerned that one of your workstations might be infected with a malicious program. Which of the following netstat switches would be the best to use?
20. You have just completed a scan of your servers, and you found port 12345 open. Which of the following programs uses that port by default?
Answers to Exam Questions
1. B. BOK uses port 31337 by default. All other answers are incorrect, as Donald Dick uses port 23476, SubSeven uses port 6711, and NetBus uses port 12345.
2. D. FPipe is a source port forwarder/redirector. It can create a TCP or UDP stream with a source port of your choice. Answer A is incorrect, as Loki is a covert channel program. Answer B is incorrect because Recub is a Trojan. Answer C is incorrect, as Girlfriend is also a Trojan.
3. C. Covert communications can be described as sending and receiving unauthorized information or data between machines without alerting any firewalls and IDSes on a network. Answer A is incorrect because it describes a Trojan. Answer B is incorrect because it describes a backdoor. Answer D is incorrect because it more accurately describes a virus or worm.
4. B. Netcat is a network utility for reading from and writing to network connections on either TCP or UDP. Because of its versatility, Netcat is also called the TCP/IP Swiss army knife. Answers A, C, and D are incorrect because Netcat is not a more powerful version of Snort and can be used on both Windows and Linux.
5. B. Watching.dll is one of the files that is loaded when SubSeven is installed. Answers A, C, and D are incorrect because none of the other Trojans install that file. NetBus installs KeyHook.dll, Donald Dick installs pmss.exe, and Loki is a Linux-based program that does not run on Windows.
6. B. Jane should use a third-party tool that is known good. One way to ensure this is to download the file only from the developer's website and to verify that the fingerprint or MD5sum of the tool has remained unchanged. Answer A is incorrect, as the default install file for NetBus is patch.exe; loading this on her computer will only compound her problems. Answer C is incorrect because if the computer does have a Trojan, it might be hard to determine when the point of infection occurred, so the recent backup might also be infected or corrupt. Answer D is incorrect because although the Trojan might have installed something in the startup folder, there are many other places that the hacker could hide elements of the tool, including the registry, system folders, and .ini files.
7. D. FakeGina captures login usernames and passwords that are entered at system startup. Answers A, B, and C are incorrect because FakeGina does not send out passwords by email, is not a hardware keystroke capture program (it is software based), and only captures username and login information at startup.
8. B. ACKCMD uses TCP ACK packets to bypass ACLs that block incoming SYN packets. Answer A is incorrect, as Loki uses ICMP. Answer C is incorrect because Stealth Tools is used to alter the signature of a known Trojan or virus. Answer D is incorrect, as Firekiller 2000 is used to disable Norton antivirus or software firewall products.
9. D. nc -n -v -l -p 25 opens a listener on TCP port 25 on the local computer. Answers A, B, and C are incorrect, as it does not allow the hacker to use a victim's mail server to send spam, it does not forward email, and it will not block traffic on port 25. (Actually, it listens on the port for incoming connections.)
10. A. Datapipe is a Linux redirector. It can be used for port redirection. This form of tool is useful when certain ports are blocked at the firewall. Answer B is incorrect because it is not a remote control Trojan. Answer C is incorrect, as it does not report open processes, and answer D is incorrect because it is not a Windows redirecting program; it is used for Linux and UNIX systems.
11. D. Tunneling software acts as a socks server, allowing you to use your Internet applications safely despite restrictive firewalls. Answer A is incorrect because systems infected with spyware would not behave in this manner. Spyware-infected systems typically run slower and tend to go to URLs not requested or suffer from a barrage of pop-up ads. Answer B is incorrect because, seeing that Dale watches his firewall closely, it is unlikely that they successfully attacked his firewall. Answer C is incorrect, as backdoor programs are used to bypass authentication.
12. D. An ICMP Ping request is a type 8. Answer A is incorrect, as a type 0 is a Ping reply. Answer B is incorrect, as a type 3 is a destination unreachable, and answer C is incorrect because a type 5 is a redirect.
13. D. Fpipe is used for port redirection, a technique that is useful behind a firewall. This command redirects traffic from UDP port 69 to port 53. The switches are -l (listen), -r (redirect), and -u (UDP), and the IP address is the address to bind to this command. Answers A, B, and C are incorrect, as they do not properly define the syntax of the command.
14. C. The command nc -u -v -w 1 10.2.2.2 135-139 performs a UDP port scan, in verbose mode, and waits one second between scanning ports 135 to 139 on IP address 10.2.2.2. Answers A, B, and D are incorrect because they do not properly define the syntax that is given.
15. B. Gil should primarily be concerned that he has proper policy and procedures in place that address keystroke logging. He must also make sure that employees understand that they have no expected level of privacy when using company computers and might be monitored. Answers A and C are incorrect, as most of these programs are hard to detect. Answer D is incorrect because these programs can allocate a buffer big enough to store millions of keystrokes, so storage should not be a problem.
16. D. Beast uses port 6666 and is considered unique, as it uses injection technology. Answer A is incorrect because SubSeven uses port 6711. Answer B is incorrect because NetBus uses port 12345, and answer C is incorrect, as Amitis uses port 27551.
17. D. Wrappers are used to package covert programs with overt programs. They act as a type of file joiner program or installation packager program. Answer A is incorrect, as wrappers do not tunnel programs; an example of a tunneling program would be Loki. Answer B is incorrect because wrappers are not used to cause a Trojan to execute when previewed in email; the user must be tricked into running the program. Answer C is incorrect, as wrappers are not used as backdoors. A backdoor program allows unauthorized users to access and control a computer or a network without normal authentication.
18. A. Loki is a Trojan that opens and can be used as a backdoor to a victim's computer by using ICMP. Answer B is incorrect because Loki does not use UDP port 69 by default. Answer C is incorrect because Loki does not use TCP port 80 by default. Answer D is incorrect because Loki does not use IGRP.
19. A. netstat -an is the proper syntax: -a displays all connections and listening ports, and -n displays addresses and port numbers in numerical form. Answer B is incorrect, as -r displays the routing table. Answer C is incorrect because -p shows connections for a specific protocol, yet none was specified in the answer. Answer D is incorrect, as -s displays per-protocol statistics; by default, statistics are shown for TCP, UDP, and IP.
20. D. NetBus uses port 12345 by default. Answers A, B, and C are incorrect because Donald Dick uses 23476, BOK uses port 31337, and SubSeven uses port 6711.
Suggested Reading and Resources
www.giac.org/certified_professionals/practicals/gcih/0512.php - Netcat is your friend
www.vulnwatch.org/netcat/readment.txt - Netcat readme
www.bo2k.com - Back Orifice official site
www.windowsecurity.com/faqs/Trojans - Trojan FAQ
www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html - Trusted Computer System Evaluation Criteria (TCSEC)
www.phrack.org/show.php?p=49&a=6 - Loki
www3.ca.com/Solutions/Collateral.asp?CID=37734&ID= - Backdoor programs defined
searchsecurity.techtarget.com/tip/1,289483,sid14_gci1076172,00.html - The Nasty Truth About Spyware
http://russelltexas.com/malware/faqhijackthis.htm - Hijackthis FAQ