Backdoors, Trojans and Rootkits CIS 413 This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited.
Presentation transcript:

Backdoors, Trojans and Rootkits
CIS 413
This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material.
Dr. Stephen C. Hayne

Back Doors
- An alternative entryway
- No fancy authentication needed
- Maintains access on a system
- Usually access is needed initially
- Still works when the front door is closed

Back Doors
- An attacker with back door access "owns" the system
- Attackers might make the system more secure to keep ownership
- The attacker does the work of the administrator

Back Doors Melded into Trojan Horses
- Application-level Trojan Horse backdoors
- Traditional RootKits
- Kernel-level RootKits

Application-Level Trojan Horse Backdoor Tools
- Adds a separate application to the system
- Made up of a server part and a client part
  - the server is installed on the victim's machine
  - the client is installed on the attacker's machine
- The victim must install the server portion
- Once it is installed, the attacker "owns" the victim's machine

Application-Level Trojan Horse Backdoor Tools
Most popular Windows backdoors:
- Back Orifice 2000 (BO2K)
- Sub7
- Hack-a-tack
- The Virtual Network Computer (VNC)*
* a remote administration tool often used as a backdoor

Application-Level Trojan Horse Backdoor Tools: Back Orifice 2000
- Original Back Orifice released in 1998
- Works on Windows 95/98/ME/NT/2000
- Open source
- Server portion is only 112KB; client portion is 568KB
- Product of the Cult of the Dead Cow (cDc)

Application-Level Trojan Horse Backdoor Tools (Back Orifice 2000, continued)
- Log keystrokes
- Gather system information
- Get passwords from the SAM database
- Control the file system
- Edit the registry
- Control applications and services
- Redirect packets

Application-Level Trojan Horse Backdoor Tools (Back Orifice 2000, continued)
- Application redirection
- Any DOS application can be spawned (useful for setting up command-line backdoors)
- Multimedia control
- View files in a browser
- Hidden mode
- Encryption between client and server

Application-Level Trojan Horse Backdoor Tools (Back Orifice 2000 plug-ins)
- Streaming video from the server machine
- More encryption methods: Blowfish, CAST-256, IDEA, Serpent, RC6
  - Stronger security than a lot of commercial products!
- Stealthier methods for transport

Defenses against Application-Level Trojan Backdoors
- Most anti-virus programs will notice and remove the tools mentioned
- Update virus definitions regularly
- Don't run programs downloaded from untrusted sources
- Don't auto-run ActiveX controls

Hidden Backdoors
- The attacker takes over your system and installs a backdoor to ensure future access
- The backdoor listens, giving shell access
- How do you find a backdoor listener?
  - Sometimes they are discovered by noticing a listening port
  - Nmap port scan across the network
  - Running "netstat -na" locally
  - Running lsof (UNIX) or Inzider (Windows)
(Diagram: a host on the network where the backdoor listens on port ABC; callout "SQL Server Hack!")
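The "netstat -na" check above, worked through as an added example that is not part of the lecture: it parses Linux/BSD-style netstat output and reports every listener that is not in a baseline of expected ports. The sample output and the BASELINE set are constructed here; a real baseline would be recorded from the host while it was known to be clean.

```python
import subprocess

# Constructed sample of "netstat -na" output (Linux/BSD column layout) for an offline run.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5002            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:31337           0.0.0.0:*
"""

# Hypothetical baseline: (protocol, port) pairs the administrator expects to see bound.
BASELINE = {("tcp", 22), ("tcp", 25), ("tcp", 80)}


def listening_sockets(netstat_text):
    """Return {(proto, port)} for listening TCP sockets and every bound UDP socket."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # headers, unix-domain sockets, raw sockets
        proto = fields[0][:3]  # fold tcp6/udp6 into tcp/udp
        port_str = fields[3].rsplit(":", 1)[-1]  # handles IPv4 and ':::80' style IPv6
        if not port_str.isdigit():
            continue
        state = fields[5] if len(fields) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue  # established/time-wait sockets are not listeners
        found.add((proto, int(port_str)))
    return found


def unexpected_listeners(netstat_text, baseline=BASELINE):
    """Sockets bound on the host but absent from the baseline, sorted for reporting."""
    return sorted(listening_sockets(netstat_text) - baseline)


def scan_live_host():
    """Run netstat on this machine; returns [] if netstat is not installed."""
    try:
        out = subprocess.run(["netstat", "-na"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        return []
    return unexpected_listeners(out)


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected {proto} listener on port {port}")
```

A listener missing from the baseline is a lead, not a verdict: confirm which process owns it with lsof or Inzider as the slide suggests before acting.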

Sniffing Backdoors
- Who says a backdoor has to wait listening on a port?
- Attackers don't want to get caught, so they are increasingly using stealthy backdoors
- A sniffer can gather the traffic, rather than listening on an open port
- Non-promiscuous sniffing backdoors: grab traffic just for one host
- Promiscuous sniffing backdoors: grab all traffic on the LAN

Non-Promiscuous Backdoor: Cd00r
- Written by FX
- Includes a non-promiscuous sniffer
- Gathers only packets destined for the single target machine
- Several packets directed to specific ports (where there is no listener) will trigger the backdoor
- The sniffer grabs the packets; there is no listener on the ports
- The backdoor root shell starts to listen on TCP port 5002 only when packets arrive at the trigger ports

Non-Promiscuous Backdoor: Cd00r in Action
- The idea has been extended to eliminate even port 5002
- Netcat can push back a command shell from the server, so no listener is ever required
- The connection goes from the server back to the client
(Diagram: the client sends a SYN to port X, a SYN to port Y and a SYN to port Z at the server; the sniffer analyzes traffic destined just for this machine, looking for ports X, Y, Z; after Z is received, a temporary listener is activated on port 5002; the client then connects to the root shell on port 5002.)
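The trigger sequence in the diagram, seen from the defender's side, as an added example that is not part of the lecture: a detector over connection-log records that flags a client which sends SYNs to several ports with no listener and then receives a SYN/ACK from a port that was not in the host's baseline of legitimate services. The log lines, addresses, and KNOWN_LISTENERS set are constructed.

```python
from collections import defaultdict

# Constructed firewall/IDS log: time src dst port tcp_flags (S = SYN sent, SA = SYN/ACK reply seen).
SAMPLE_LOG = """\
100.0 203.0.113.7 10.0.0.5 8000 S
100.2 203.0.113.7 10.0.0.5 8001 S
100.4 203.0.113.7 10.0.0.5 8002 S
101.0 203.0.113.7 10.0.0.5 5002 S
101.1 10.0.0.5 203.0.113.7 5002 SA
130.0 198.51.100.9 10.0.0.5 22 S
130.1 10.0.0.5 198.51.100.9 22 SA
200.0 192.0.2.4 10.0.0.5 81 S
200.1 192.0.2.4 10.0.0.5 82 S
"""

# Hypothetical baseline of ports that legitimately listen on the monitored host.
KNOWN_LISTENERS = {22, 80}


def parse(log_text):
    """Yield (time, src, dst, port, flags) tuples from the constructed log format."""
    for line in log_text.splitlines():
        t, src, dst, port, flags = line.split()
        yield float(t), src, dst, int(port), flags


def detect_knock_sequences(log_text, known=KNOWN_LISTENERS, min_knocks=3, window=30.0):
    """Alert when a client knocks on >= min_knocks closed ports within `window` seconds and a
    port outside the baseline then answers it with a SYN/ACK: a trigger-activated listener."""
    knocks = defaultdict(list)  # (client, host) -> [(time, port)] SYNs to ports with no listener
    alerts = []
    for t, src, dst, port, flags in parse(log_text):
        if flags == "S" and port not in known:
            knocks[(src, dst)].append((t, port))
        elif flags == "SA" and port not in known:
            # src is the host that unexpectedly answered; dst is the original client
            recent = {p for kt, p in knocks[(dst, src)] if t - kt <= window and p != port}
            if len(recent) >= min_knocks:
                alerts.append({"client": dst, "host": src,
                               "knocks": sorted(recent), "shell_port": port})
    return alerts


if __name__ == "__main__":
    for a in detect_knock_sequences(SAMPLE_LOG):
        print(f"{a['client']} knocked on {a['knocks']} then reached {a['host']}:{a['shell_port']}")
```

A plain port scan also produces SYNs to closed ports, but it is not followed by a completed handshake on a port the baseline says is closed; that second condition is what separates the trigger pattern from scanner noise.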

Promiscuous Backdoor
- Can be used to help throw off an investigation
- The attacker sends data for a destination on the same network
- But the backdoor isn't located at the destination of the backdoor traffic
- Huh? How does that work?

Promiscuous Backdoor in Action
- The backdoor is located on the DNS server
- All packets are sent to the WWW server
- The DNS server backdoor sniffs promiscuously
- In a switched environment, the attacker may use ARP cache poisoning
- Confusing for investigators
(Diagram: Internet, Firewall, DNS server and WWW server; the sniffer on the DNS server listens for traffic destined for the WWW server.)

Sniffing Backdoor Defenses
- Prevent the attacker from getting on the system in the first place (of course)
- Know which processes are supposed to be running on the system
  - Especially if they have root privileges!
  - Not easy, but very important
  - Beware of stealthy names (like "UPS" or "SCSI")
- Look for anomalous traffic
- Look for sniffers
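"Look for sniffers", as an added example that is not part of the lecture: on Linux the kernel records promiscuous mode in each interface's flags word, exposed as /sys/class/net/<iface>/flags, where IFF_PROMISC is bit 0x100. The sample flag values are constructed; read_sysfs_flags() reads the real ones on a Linux host.

```python
import os

IFF_PROMISC = 0x100  # from <linux/if.h>: the interface accepts frames not addressed to it

# Constructed sample of /sys/class/net/<iface>/flags contents for an offline run.
# eth0 = UP|BROADCAST|PROMISC|MULTICAST, eth1 = the same without PROMISC, lo = UP|LOOPBACK.
SAMPLE_FLAGS = {"lo": "0x9", "eth0": "0x1103", "eth1": "0x1003"}


def promiscuous_interfaces(flags_by_iface):
    """Return the names of interfaces whose flags word has IFF_PROMISC set."""
    return sorted(name for name, value in flags_by_iface.items()
                  if int(value, 16) & IFF_PROMISC)


def read_sysfs_flags(root="/sys/class/net"):
    """Collect {iface: flags_hex} from sysfs on a Linux host; {} on other systems."""
    result = {}
    if not os.path.isdir(root):
        return result
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                result[name] = fh.read().strip()
        except OSError:
            continue  # interface vanished or flags not readable
    return result


if __name__ == "__main__":
    live = promiscuous_interfaces(read_sysfs_flags())
    print("promiscuous interfaces:", live or "none")
```

The same flag is what "ip link" prints as PROMISC. A kernel-level rootkit of the kind listed earlier in the lecture can hide it, so a clean result lowers suspicion without proving absence of a sniffer.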