Chapter 10 Phase 4: Maintaining Access Trojan Horses

Chapter 10 Phase 4: Maintaining Access

Trojan Horses

• Software program containing a concealed malicious capability but appears to be benign, useful, or attractive to users

Backdoor

• Software that allows an attacker to access a machine using an alternative entry method

• Installed by attackers after a machine has been compromised

• May Permit attacker to access a computer without needing to provide account names and passwords

• Used in movie “War Games”

• Can be sshd listening to a port other than 22

• Can be setup using Netcat

Netcat as a Backdoor

• A popular backdoor tool

• Netcat must be compiled with “GAPING_SECURITY_HOLE” option

• On victim machine, run Netcat in listener mode with –e flag to execute a specific program such as a command shell

• On attacker’s machine run Netcat in client mode to connect to backdoor on victim

Running Netcat as a Backdoor on Unix

Running Netcat as a Backdoor on WinNT/2000

Trojan Horse Backdoors

• Programs that combine features of backdoors and Trojan horses

• Not all backdoors are Trojan horses
• Not all Trojan horses are backdoors

• Programs that seem useful but allows an attacker to access a system and bypass security controls

Categories of Trojan Horse Backdoors

• Application-level Trojan Horse Backdoor

• A separate application runs on the system that provides backdoor access to attacker

• Traditional RootKits

• Critical operating system executables are replaced by attacker to create backdoors and facilitate hiding

• Kernel-level RootKits

• Operating system kernel itself is modified to allow backdoor access and to help attacker to hide

Application-level Trojan Horse Backdoor

• User must be tricked into installing this application which gives attacker backdoor access and complete control over victim’s machine

• List of Application-level Trojan horse backdoor tools and default ports used http://www.simovits.com/nyheter9902.html

• Sub7 http://subseven.slak.org

• Back Orifice 2000 http://www.bo2k.com

• Hack-a-tack http://www.crokket.ce/hatboard/cgi-bin/pinboard.pl

• VNC www.uk.research.att.com/vnc

Figure 10.1 Attacker controls the Application-level Trojan horse backdoor on the victim across the network

Back Orifice 2000 (BO2K)

• Trojan horse backdoor http://www.bo2k.com

• May be legitimately used for system administration

• Product of Cult of the Dead Cow hacker group

• Released at DefCon 7 conference in 1999

• Video at http://www.uberspace.com

• Can undermine Windows 9x/ME and Windows NT/2000

• BO2K server code 100Kb

• Can listen to any TCP or UDP port
• Original Back Orifice listens to UDP port 31337

• BO2K GUI client code 500Kb

BO2K Capabilities

• Create popup dialog boxes

• Log keystrokes

• List detailed system information

• Gather passwords and dump SAM database

• View, copy, rename, delete, search, or compress any file on the system

• Edit, add, or remove any system or program configuration by changing the registry

• List, kill, or start any process

• Packet redirection to any other machine and port (relay)

• DOS-based application redirection (allows creation of Netcat backdoor)

• Multimedia control (allows attacker to view victim’s screen and control keyboard)

• HTTP file server (for viewing victim’s files via web browser)

Figure 10.2 BO2K in use

Tricking Users to install Trojan Backdoors

• embed backdoor application in another innocent looking program via “wrappers”

• Wrapper creates one Trojan EXE application from two separate EXE programs

• When Trojan EXE is run, both underlying EXE programs will run
• Eg. Embed BO2K inside an electronic greeting card
• Eg. Embed BO2K inside ActiveX programs on web servers

• Wrappers

• Silk Rope http://www.netninja.com/bo/index.html
• SaranWrap
• EliteWrap

Figure 10.3 Make your own Trojan horse applications with Silk Rope

BO2K Plug-Ins

• Used to extend functionality of BO2K

• http://www.bo2k.com/warez.html

• BOPeep

• Provides streaming video of victim’s screen to attacker and allows attacker to hijack victim’s keyboard and mouse

• Serpent, Blowfish, Cast256, IDEA, RC6 Encryption

• Encrypts data between BO2K GUI and server

BO2K Plug-Ins (cont.)

• BOSOCK32

• Provides stealth capabilities by using ICMP for transport instead of TCP or UDP

• Rattler, BT2K

• Notifies attacker via email regarding location of BO2K servers

• Sniffer

• Allows attacker to capture network traffic on victim ‘s LAN

Defenses against Application-Level Trojan Horse Backdoors

• Use antivirus tools

• Can detect fingerprints (by checking filenames, registry key settings, services) of attack tools
• Update virus definition files weekly

• Don’t use single-purpose BO2K checkers

• Application itself may be a Trojan horse which installs BO2K but tells user that machine is clean

Defenses against Application-Level Trojan Horse Backdoors (cont.)

• Know your software

• Only run software from trusted developers
• Software should include a digital fingerprint to allow checking for trojanized program
• http://www.rpmfind.net contains MD5 fingerprints of applications that can be checked via md5sum on Linux
• Programs may be digitally signed by developer

• Educate your users

• Web browsers should be configured not to run unsigned ActiveX controls
• Block ActiveX controls without proper, trusted digital signatures at firewalls
• Block Java applets that are signed by untrusted sources

Figure 10.4 MD5 hash of tcpdump helps ensure it hasn’t been trojanized

Figure 10.5 Internet Explorer’s security settings

Traditional RootKits

• A suite of tools that allow an attacker to maintain root-level access via a backdoor and hiding evidence of a system compromise

• More powerful than application-level Trojan horse backdoors(eg. BO2K, Netcat) since the latter run as separate programs which are easily detectable

• a more insidious form of Trojan horse backdoor than application-level counterparts since existing critical system components are replaced to let attacker have backdoor access and hide

Figure 10.6 Comparing Application-level Trojan horse backdoors with traditional RootKits

Centerpiece of Traditional RootKits on Unix: /bin/login Replacement

• /bin/login program invoked to authenticate user whenever user logs in locally via keyboard or remotely (eg telnet )

• A RootKit replaces /bin/login with a modified version that includes a backdoor password for root access

• Modified /bin/login is a backdoor since attacker still can get in even if the legitimate root password is changed
• Modified /bin/login is a Trojan horse because is appears to be a normal login program
• Facilitates hiding from “who” by not recording login into wtmp and utmp files if backdoor password is used

Figure 10.7 Behavior of /bin/login before (background) and after (foreground) installation of Linux RootKit “lrk5”

Detecting Traditional Rootkits

• Host-based IDS eg. Tripwire

• Strings command

Sniffing using Traditional RootKit

• Includes a sniffer that captures and writes into a file the first several characters of all sessions

• Good for capturing userid/passwords in ftp, telnet, and login sessions

• Ifconfig on most Unix systems (except Solaris) will indicate whether NIC is in promiscuous mode

• Facilitates hiding of sniffer by including a trojanized ifconfig that lies about PROMISC flag

Figure 10.8 ifconfig indicates sniffer use by showing PROMISC flag (except Solaris)

Programs typically replaced by RootKits

• du : Does not include disk space used by attacker

• find : Lies about presence of attacker’s files

• ifconfig : Masks promiscuous mode

• login : Contains backdoor root-level password for attacker

• ls : Lies about presence of attacker’s files

• netstat : Masks ports that are used by attacker

• ps : Lies about any process attacker wishes to hide

• inetd : modified to provide backdoor access

• syslogd : does not log attacker’s actions

Traditional RootKits in Use

• http://packetstorm/security.com/UNIX/penetration/rootkits

• Linux RootKit 5 (krk5)

• Contains Trojan horse versions of chfn,chsh, crontab, du, find, ifconfig, inetd, killall, login, ls, netstat, passwd, pidof, ps, rshd, syslogd, tcpd, top, sshd, su

• T0rnkit for Linux and Solaris

• Contains Trojan horse versions of login, ifconfig, ps, du, ls, netstat, in.fingerd, find, top

Defending against Traditional RootKits

• don’t let attacker get root in the first place

• Use difficult to guess passwords
• Apply patches
• Close unused ports

• File integrity checkers

• Create a read-only database of cryptographic hashes for critical system files, store these off line, and regularly compare hashes of the active programs to the stored hashes looking for changes
• Tripwire http://ftp.cerias.purdue.edu/pub/tools/unix/ids/tripwire
• Sun’s Solaris Fingerprint Database containing hases of critical Solaris executables http://sunsolve.Sun.com/pub-cgi/show.pl?target=content/content7

Recovering after being RootKitted

• Manually cleaning up after a RootKit installation is difficult

• May miss finding all files that were changed

• Use most recent Tripwire-checked backup

• Reinstall all operating system components and applications

Kernel-Level RootKits

• More sinister, devious, and nasty than traditional RootKits

• Operating system kernel replaced by a Trojan horse kernel that appears to be well-behaved but in actuality is rotten to the core

• Critical system files such as ls, ps, du, ifconfig left unmodified

• Trojanized kernel can intercept system calls and run another application chosen by atttacker

• Execution request to run /bin/login is mapped to /bin/backdoorlogin
• Tripwire only checks unaltered system files

• If the kernel cannot be trusted, nothing on the system can be trusted

Figure 10.9 Comparing traditional RootKits with kernel-level RootKits

Kernel-Level RootKits (cont.)

• File Hiding

• Attacker can hide specific subdirectories and files

• Process Hiding

• Attacker can be running Netcat listener but the kernel will not report its existence to ps

• Network Hiding

• Attacker can tell kernel to lie to netstat about network port being used by a backdoor program

Implementing Kernel-Level Rootkits

• Easiest way to modify kernel is to use the Loadable Kernel Module capability of operating system to extend the kernel

• To install the Knark RootKit on Linux, type “insmod knark.o” ; no reboot required

• Adore LKM RootKit for Linux

• Plasmoid LKM RootKit for Solaris

• http://www.infowar.co.uk/thc/slkm-1.0html

• Kernel-level RootKit for WindowsNT

• http://www.rootkit.com
• A kernel patch not a LKM

Defending against Kernel-Level RootKits

• Don’t let attacker gain root in the first place

• Apply all relevant security patches

• Disable all unneeded services and ports

• Harden operating system

• Look for traces of kernel-level RootKits

• Eg. Activate sniffer and check for presence of PROMISC flag in ifconfig

• Install chkrootkit ftp.pangeia.com/pub/seg/pac

• Install host-based IDS

• Build Linux kernels that don’t accept LKM