1. CIS 450 – Network Security Chapter 15 – Preserving Access

2. Backdoor – a way for an attacker to get back into a network or system without being detected Common ways to install backdoors By opening a port and using a listening agent Vision Port Scanner http://linuxpr.com/releases/5354.html Netcat Tini – When I went to download the file I received a message from my virus scanner that the.exe file has a virus which was cured Tini Through the use of a Trojan program Contains overt and covert programs QAZ

3. Rootkits What is it http://www.linuxdevcenter.com/pub/a/linux/2001/12/14/rootkit.html Trojanize key system files on the operating system File-Level Rootkits The legitimate program is replaced with the Trojan version The legitimate program becomes the overt program and the backdoor becomes the covert function Programs replaced are the ones that a UNIX administrator would use – page 548 Attacker can get back into system and hide his tracks Operate at the application (user) level Defending against File-level rootkits can be discovered by looking for changes in binary programs  Tripwire Tripwire  Aide Aide

4. Rootkits Kernel-Level Rootkits Operate at the kernel (operating system level) By altering the heart of the operating system, kernel-level rootkits enable attackers to create a system that appears normal to users and administrators. In reality, the underlying kernel is riddled with attacker modifications, all masked by the manipulated kernel. Kernel-level rootkits usually include the ability to redirect system calls, so when a user wants to run one program--say, ps, netstat or ifconfig--a Trojanized version is executed. These tools can also hide processes, files, sniffer usage and network port usage by altering the kernel so that it "lies" to you. Attackers are using numerous kernel-level rootkits for Linux, Solaris and Windows, among others.

5. Rootkits Kernel-level rootkits – continued Defending Against Techniques used to defend against file-level rootkits don't work as well on a system with a kernel-level rootkit, as all requests for information go through the rotten kernel itself While AIDE may show you that your login binary is intact, the kernel- level rootkit redirects execution to the attacker's backdoor Defeating kernel-level rootkits requires hardening the kernels of critical systems  Saint Jude Project monitors the integrity of a Linux kernel by looking for modifications of the system call table Saint Jude Project Can deploy machines with monolithic kernels created by building a kernel that doesn't support loadable kernel modulesmonolithic Hardening the kernel itself  Pittbull Pittbull Hardened versions of Unix and Unix-like OSes such as such as SELinux3 and Sun Microsystems Trusted Solaris include additional kernel protections  Note: Kernel-hardening solutions can be unwieldy if widely deployed, because they alter the fundamental operation of the kernel, complicating system administration and possibly breaking third-party tools

6. UNIX Rootkits File-level Rootkits TrojanIT - http://www.rishabhdara.com/link.php?currentgrp=30 http://www.rishabhdara.com/link.php?currentgrp=30 Lrk5 - http://www.ossec.net/rootkits/lrk.phphttp://www.ossec.net/rootkits/lrk.php Ark, Rootkit (This has a Trojan embedded in it, received message from anti-virus software even though I did not download it or open it), and Tk - http://www.antiserver.it/Backdoor-Rootkit/ http://www.antiserver.it/Backdoor-Rootkit/ Kernel-level rootkits Knark - http://www.rishabhdara.com/link.php?currentgrp=30 http://www.rishabhdara.com/link.php?currentgrp=30

7. Wrappers A tool that combines two or more files into a single file, usually for the purpose of hiding one of them. Examples SilkRope 2000 - http://www.pestpatrol.com/pestinfo/s/silk_rope.asp http://www.pestpatrol.com/pestinfo/s/silk_rope.asp Saran Wrap - http://pestpatrol.com/zks/pestinfo/s/saran_wrap_1_0.asp http://pestpatrol.com/zks/pestinfo/s/saran_wrap_1_0.asp