Hidden Backdoors, Trojan Horses and Rootkit Tools in a Windows Environment

Obviously, hackers have a variety of motives for installing malevolent software (malware). Software of this kind tends to yield instant access to the system so that various types of information can be stolen from it continuously, for example strategic company designs or credit card numbers. In some cases, compromised machines are used as launch points for massive Denial of Service attacks. Perhaps the most common reason hackers tend to settle on another system is the possibility of creating a launchpad that attacks other computers while disguised behind an innocent computer address. This is a certain kind of spoofing: the target system's intrusion logs record the address of the compromised host, so the victim believes it is communicating with another, legitimate computer rather than with the intruder.
Under normal conditions, it is hard to compromise LAN security from the Internet, because in most cases LANs are connected to the Internet through private address ranges such as 10.0.0.0/8 or 192.168.0.0/16, which are not routed on the Internet (for details, see RFC 1918, available at http://www.faqs.org/rfcs/rfc1918.html). Thus, a hacker cannot have direct access from the Internet, which presents a certain problem for him. Installing a shell program (e.g. Telnet) on any Internet-accessible computer of that LAN will allow the intruder to gain access to the LAN and spread his control over the infrastructure. Such attacks are prevalent on Unix computers, because they commonly run remote access shell services (SSH, or more rarely, Telnet) and no additional installation is required. This article will, however, focus on Microsoft Windows-based systems.
An intelligent hacker will not try to put his program on a server that is monitored and checked regularly; he wants to work secretly, without the knowledge of any legitimate user. His attempts to get in will therefore not target a host whose network traffic is monitored and where any alteration is detected immediately. Of course, everything depends on how well the security policy is observed, and as is well known, network administrators are not always scrupulous in performing their work. Nevertheless, a host that plays no key role in the network makes a perfect target for a hacker. Before commencing the selection process, a successful hacker tends to perform a DNS zone transfer and thereafter identify the probable roles of individual hosts within the domain by deducing them from their names. A poorly secured workstation, isolated from the main network, may ideally be used for hacking purposes because there would be little chance of detecting signs of an installed backdoor.
Backdoors

A backdoor is a program, or a set of related programs, that a hacker installs on the victim computer to allow access to the system at a later time. Part of a backdoor's job is to remove the evidence of the initial entry from the system log, but a good backdoor will above all allow a hacker to retain access to a machine he has penetrated even if the original point of entry has in the meantime been detected by the system administrator. Resetting passwords, changing disk access permissions or fixing the original security hole in the hope of remedying the problem may then not help.

A trivial example of a backdoor is a default BIOS, router or switch password left in place either by a careless manufacturer or by the security administrator.
A hacker could simply add a new user account with administrator privileges and this would be a sort of backdoor, but a far less sophisticated and easily detectable one.
Adding a new service is the most common technique for disguising a backdoor on the Windows operating system. It requires tools such as Srvany.exe and Srvinstw.exe, which come with the Resource Kit, together with Netcat.exe [1]. The principle of the operation is that srvany.exe is installed as a service and in turn runs netcat.exe as a service. The latter listens on a port of the hacker's choosing for any connection. Once a connection arrives, netcat spawns a remote shell on the server (using cmd.exe) and from this moment onwards the hacker has free rein.
Just before commencing the installation of a backdoor, a hacker must investigate the server to find out which services are enabled. He could simply add a new service and give it an inconspicuous name, but he would be better off choosing a service that never gets used and that is either started manually or even completely disabled. It is sufficient to remove it using the Srvinstw.exe utility and then to install a new service with the same name. By doing so, the hacker considerably reduces the possibility that the administrator will detect the backdoor during a later inspection. Whenever an incident occurs, the system administrator will focus on looking for something new and odd in the system, leaving all the existing services unchecked. From the hacker's point of view, it is essential to hide files deep inside system directories to protect them from being detected by the system administrator. Next, a hacker will think about naming the tools to be planted on the server disk. Netcat.exe and Srvany.exe are utilities that must run continuously and will therefore be visible in the Task Manager. Hackers understand that backdoor utilities must have names that will not attract any undue attention. They use the same approach when choosing an appropriate port for a backdoor. For example, a conspicuous port such as 5555 is a poor choice for a backdoor, because it could immediately tip off the system administrator; a port that looks like a legitimate service is a better disguise.
The technique presented above is very simple but efficient at the same time. It allows a hacker to get back into the machine with the least amount of visibility in the server logs (we are obviously not speaking about situations where extra software is used to monitor traffic and an efficient event logging system is installed). Moreover, the backdoored service allows the hacker to use higher privileges, in most cases those of the System account. This may cause some problems for an intruder because, notwithstanding the highest local permissions, the System account has no power outside the machine: it cannot map remote drives or act on the domain with a user's credentials. Locally, however, it can change passwords, add accounts and assign privileges to existing accounts. With a backdoor that runs under a captured administrator account, no such restrictions exist. The only problem that remains is related to changes of that user's password, because a service configured to run under a user account must be updated and restarted whenever the password changes. An administrator who has set up event logging and monitoring will undoubtedly start noticing the resulting service errors in the log. The example given above describes the most dangerous kind of backdoor from the victim system's point of view, because anyone can connect to it and obtain the highest permissions with no authentication required. It may be any script kiddie running a port scanning tool against computers randomly selected from the Internet.
Hacker-dedicated websites offer many tools that serve to install backdoors, with the difference that once a connection is established the intruder must log in by entering a predefined password. iCMD [2], Tini [3], RemoteNC [4] or WinShell [5] (Fig. 1) are examples of such tools, which resemble Telnet.

Fig. 1 The WinShell program may be used to install certain simple backdoors
I once saw a very interesting script named CGI-backdoor [6]. I considered it interesting because an attacker could execute remote commands on the server via WWW. It was a specially created, completely dynamic .asp page written in VBScript (versions in Perl, PHP, Java and C also exist) that enabled one to execute commands on the server using the default command processor, cmd.exe. A hacker can deploy this reverse WWW script on the victim's system, but by default it runs only with the privileges of the anonymous web user account, IUSR_MACHINE. The script can be used without logging in at all, so it leaves no trace in the system's security log (the web server's own access log, if one is kept, will still record the requests). Its additional advantage is that it does not listen on any port of its own: it lives inside the web server that serves the site and simply translates between the HTML of the WWW pages and the commands run on the server.
In order to create backdoors, hackers can also use commercially available tools such as Remote Administrator [7], or the freely available TightVNC [8], which apart from full control over the computer also allow one to operate a remote console.
Trojan horses or Remote Administration Trojans (RATs) are a class of backdoors that are used to enable remote control over the compromised machine. They provide apparently useful functions to the user and, at the same time, open a network port on the victim computer. Once started, some trojans behave like ordinary executables, while others interact with the registry keys responsible for starting processes and sometimes create their own system services.

Contrary to common backdoors, Trojan horses hook themselves into the victim operating system and always come packaged as two files: the client file and the server file. The server, as its name implies, is installed on the infected machine while the client is used by the intruder to control the compromised system. Some well-known trojan functions include: managing files on the victim computer, managing processes, remote execution of commands, intercepting keystrokes, watching screen images and also restarting and shutting down infected hosts, just to name a few of their features. Some are even able to connect back to their originator. Of course, these possibilities vary among individual Trojan horses. The following are considered the most popular: NetBus, Back Orifice 2000, SubSeven, Hackatack, and one of Polish origin, named Prosiak.

In most cases, Trojan horses propagate via email. They are usually found within attachments, because their authors exploit vulnerabilities of the email client. Another technique relies on binding them into other programs: there are many programs on the Web that merge files to create a single executable file.
Trojan horses (also called trojans) typically operate in a somewhat schematic manner. In contrast to the previously described backdoors, where both implementation and function are limited only by the intruder's ingenuity, the behavior here is quite well defined. They listen on specific ports (for example, 12345 is the NetBus Trojan's default port) and set specific references in start-up files and the registry, and are thereby relatively simple to detect and identify. In most cases, problems with Trojan horses can be solved by using (updated!) antivirus (AV) software to check for possible infections.
To accomplish his goal, a hacker must install a backdoor that is not easily detectable. This is his primary task. Hackers use a variety of methods for this purpose, placing their tools at the deepest level of compromised systems and renaming files so as not to arouse suspicion. However, that is not enough, since the processes are still visible and it is simple to discover any unexpected program that listens on a certain port by using netstat to check which ports are open. Therefore, hackers can also use rootkits.
As most readers know, a rootkit is originally a Unix concept that is spreading to other platforms in increasingly sophisticated forms. It is a collection of tools used by an intruder to hide his presence in an attacked system. Typical goals include replacing or infecting binaries such as ps, find, ls, top, kill, passwd and netstat; hiding directories, files and even portions of files, for example in /etc/passwd; capturing passwords; deleting log entries of the attacker's activity; and placing backdoors in specific services (for example, Telnet) so as to get in without authorization at any time. There are plenty of rootkits in the Unix environment, and each new release is more forward-thinking in terms of its functions. They are also available for attacking Windows systems: less sophisticated, but still powerful and also fashionable. Some handy rootkit solutions deal with hiding or altering the netstat command, thereby making a previously planted backdoor invisible while it listens on any port.
A simple script written in Perl, compiled into an executable and named netstat.exe, may serve as an example of a trivial rootkit. The real system netstat is renamed, for example to oldnetstat.exe. The principle of operation of the new netstat is that, once invoked from the command line, it calls the real netstat (now oldnetstat.exe) and redirects its output to a temporary text file. The rootkit then searches that file for any line mentioning the listening port and removes it (according to the procedure predefined in the rootkit code). After the modification, the result is displayed on the screen and the temporary file is removed. This principle is both simple and efficient and provides an interesting possibility: it may be used to spoof the output of any other tool available from the command line, for example tlist or dir. There are many programs of this type available on the Web. The ones that I encountered did not display, for example, information on listening ports such as 666, 27374, 12345 and 31337, i.e. well-known Trojan horse ports.
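The following PowerShell script is an added illustration, not code from the original article. It writes the netstat wrapper just described as a short script rather than a compiled Perl program (the port list and the name oldnetstat.exe are assumptions), and then shows the check an administrator can run against such a wrapper: instead of trusting netstat.exe, it asks the TCP stack directly through Get-NetTCPConnection (available since Windows 8 / Server 2012), parses what the on-disk netstat.exe prints, and reports every listening port the stack knows about that netstat.exe failed to show, together with the owning process.

```powershell
# --- What the trivial rootkit does (illustration only; do not deploy) ---
# The attacker renames the genuine tool to oldnetstat.exe and drops this as netstat.exe.
$HiddenPorts = @(666, 12345, 27374, 31337)   # hypothetical list of ports to conceal

function Invoke-FilteredNetstat {
    param([string[]]$NetstatArgs)
    $real = Join-Path $env:SystemRoot 'System32\oldnetstat.exe'   # assumed location of the real binary
    # Drop every TCP line whose local address ends in one of the hidden ports.
    $pattern = '^\s*TCP\s+\S+:(' + ($HiddenPorts -join '|') + ')\s'
    & $real @NetstatArgs | Where-Object { $_ -notmatch $pattern }
}

# --- What the administrator does: compare two independent views of listening ports ---
function Get-ListeningPortsFromStack {
    # Ask the TCP stack through the management API; netstat.exe is not involved at all.
    Get-NetTCPConnection -State Listen | ForEach-Object { [int]$_.LocalPort } | Sort-Object -Unique
}

function Get-ListeningPortsFromNetstat {
    param([string]$NetstatPath = (Join-Path $env:SystemRoot 'System32\netstat.exe'))
    # Parse the text printed by the (possibly trojaned) binary; works for IPv4 and [::] forms.
    & $NetstatPath -an | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { [int]$Matches[1] }
    } | Sort-Object -Unique
}

function Find-HiddenListeners {
    $fromStack   = @(Get-ListeningPortsFromStack)
    $fromNetstat = @(Get-ListeningPortsFromNetstat)
    if ($fromStack.Count -eq 0) { Write-Warning 'TCP stack reports no listeners; check privileges'; return }
    if ($fromNetstat.Count -eq 0) { Write-Warning 'netstat.exe printed no LISTENING lines at all' }
    # Ports the stack reports but netstat.exe does not: '<=' means present only in the reference set.
    $missing = if ($fromNetstat.Count -eq 0) { $fromStack } else {
        Compare-Object -ReferenceObject $fromStack -DifferenceObject $fromNetstat |
            Where-Object SideIndicator -eq '<=' |
            Select-Object -ExpandProperty InputObject
    }
    foreach ($port in $missing) {
        $owner = Get-NetTCPConnection -State Listen -LocalPort $port |
            Select-Object -First 1 -ExpandProperty OwningProcess
        $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $port
            PID     = $owner
            Process = if ($proc) { $proc.ProcessName } else { '(unknown)' }
            Path    = if ($proc) { $proc.Path } else { '' }
        }
    }
}

'== Listening ports hidden by netstat.exe =='
Find-HiddenListeners | Format-Table -AutoSize
```

An empty result means the two views agree, not that the host is clean: a user-mode wrapper like the one above is caught because it only edits text, but a kernel-mode rootkit that hooks the stack itself would fool both views, so treat a clean result as one hint among several and prefer running the check with tools copied from trusted media.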
The idea of the first enhanced rootkit for the Windows environment was born in due time. The originator was Greg Hoglund, and the progress of this idea could be followed on www.rootkit.com (unfortunately no longer available). From what I know, development stopped after version 0.44 [9]. Below, however, you will find a description of a somewhat older version, namely 0.40 [10].
This rootkit has been designed as a kernel-mode driver that runs with system privileges right at the core of the system kernel. Given this fact, it has access to all resources of the operating system and thus a broad field of action. Installing it requires administrator permissions, and simple net start / net stop commands are sufficient to activate and deactivate it respectively.
Once the rootkit has been loaded, the hacker can hide directories and files on the victim's disk. This method works provided that the object to be hidden has a name prefixed with _root_, for example _root_directory_name. How does this work? The rootkit, by patching the kernel, intercepts all system calls that list the contents of the disk, and all objects whose names begin with the sequence _root_ are removed from the listing. The same applies to searching: all files and directories with the above sequence of characters are hidden from the search.
This rootkit feature can also be used to hide running processes, and likewise system registry entries, by prefixing the keys, values and process names with _root_. This enables the hacker to install, for example, a service that becomes a backdoor and is invisible to the system administrator as a service, as a registry entry and as a process running in system memory. The rootkit can also intercept all keystrokes typed at the system console. This is carried out by hooking into the keyboard driver and issuing the sniffkeys command.
This is not the last feature of the described rootkit. Its newest version (0.44) offers further functions, such as a hard-coded backdoor (Fig. 2) that allows a remote attacker to connect to the infected machine and obtain a shell with the highest privileges.

Fig. 2 The backdoored rootkit allows a hacker to activate a sniffer

Moreover, new features are planned, for example a function that redirects .EXE files to other programs: once the rootkit detects the execution of a file whose name starts with _root_, it starts a completely different tool instead. No other details have been published so far. Everything is currently at the proof-of-concept stage and hackers cannot yet use this functionality.
An ingenious hacker will be smart enough to hide his tracks for ever. He will use all available means to outwit his victim and often has a good chance of reaching that goal. However, system administrators are not defenseless against malicious attacks. There are many known techniques and procedures for detecting a suspected installation within a system. At first glance a rootkit seems to be a powerful tool, and undoubtedly it is. Luckily, rootkits are a double-edged sword by their very design. As I already mentioned, a kernel-based rootkit filters calls for objects (files, directories, registry entries or processes) whose names begin with the string _root_.

Luckily, many crackers are careless and portions of their rootkit can be detected. The trojaned binaries mentioned above often have configuration files that list which programs to hide and which to display, and often the authors forget to hide the configuration files themselves. Since /dev is the default location for many of these configuration files on Unix systems, looking in there for anything that is a regular file is often a good idea.
This rootkit, however, does not filter what is seen by processes that themselves have _root_ in their names. In other words, when a system administrator is analyzing the registry using Regedit.exe, he cannot see the hidden entries, but simply renaming the program to _root_regedit.exe is enough for him to see all of them, including the hidden keys and values. This is true for all programs, for example Task Manager (see Fig. 3).

Fig. 3 Task Manager after renaming it to _root_taskmgr.exe: the hidden processes running on your system become visible
The next weakness of a rootkit: objects are only hidden from the environment of the compromised machine and they can easily be seen from another computer. Mapping a network drive remotely from another machine (or using the net use command) is a means of seeing everything that has been hidden from a local user. The reason is that a directory listing requested over the network is produced by the SMB server inside the compromised machine's kernel, which takes a different path than the hooked system calls used by local programs, and the result is then displayed by a clean machine that applies no filtering of its own. A more thorough rootkit could hook that path as well, so a clean remote listing is a useful hint rather than proof.
Another trick is to use the drivers.exe tool (see Fig. 4) available in the Resource Kit package, or Winmsd.exe.

Fig. 4 Use the drivers.exe utility from the Resource Kit to list all drivers, even the one belonging to the rootkit

Using the programs mentioned above, the system administrator can obtain a listing of all drivers, including _root_.sys, that is, the rootkit device driver itself. This is an exceptional case in which an object named with the prefix _root_ is not hidden. I would like to stress that the driver name above relates to the specific rootkit described here and not necessarily to other rootkits. But as far as I know, more recent versions of this Windows rootkit are not available as yet.
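As an added example, not part of the original article, the following PowerShell script automates the two checks just described. Run from a clean machine, it enumerates a directory tree of the suspect host twice: once on the suspect host itself through PowerShell remoting (which passes through the hooked local directory-listing calls) and once through the host's administrative share (the SMB path), and reports every name present in only one view. It then lists the kernel drivers installed on the suspect host so that an odd entry such as _root_.sys stands out. The host name SUSPECT-PC, the C$ share, the subtree compared and the availability of WinRM and administrative credentials on the suspect host are assumptions.

```powershell
# Added example: cross-view comparison of a directory tree plus a driver listing.
# Run on a CLEAN machine with administrative credentials for the suspect host.
$Suspect = 'SUSPECT-PC'                  # assumed host name of the compromised machine
$Path    = 'Windows\System32\drivers'    # assumed subtree to compare (relative to the system drive)

function Get-LocalView {
    # Enumerated ON the suspect host: goes through its (possibly hooked) system calls.
    Invoke-Command -ComputerName $Suspect -ArgumentList $Path -ScriptBlock {
        param($p)
        $root = $env:SystemDrive
        Get-ChildItem -LiteralPath (Join-Path $root $p) -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName.Substring($root.Length) }      # "\Windows\..."
    }
}

function Get-RemoteView {
    # Enumerated through the SMB server of the suspect host and displayed by this clean machine.
    $root = "\\$Suspect\C$"
    Get-ChildItem -LiteralPath (Join-Path $root $Path) -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName.Substring($root.Length) }          # "\Windows\..."
}

function Compare-DirectoryViews {
    $local  = @(Get-LocalView)  | Sort-Object -Unique
    $remote = @(Get-RemoteView) | Sort-Object -Unique
    if ($local.Count -eq 0 -or $remote.Count -eq 0) {
        Write-Warning 'One of the views is empty; check credentials, WinRM and the share path'
        return
    }
    # '<=' = only in the SMB view (hidden from local users); '=>' = only in the local view.
    Compare-Object -ReferenceObject $remote -DifferenceObject $local | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.InputObject
            VisibleFrom = if ($_.SideIndicator -eq '<=') { 'SMB view only (hidden locally)' } else { 'local view only' }
        }
    }
}

function Get-InstalledDrivers {
    # Equivalent of the drivers.exe listing: every kernel driver known to the service database.
    Get-CimInstance Win32_SystemDriver -ComputerName $Suspect |
        Select-Object Name, State, StartMode, PathName |
        Sort-Object Name
}

'== Objects that differ between the local and the SMB view =='
Compare-DirectoryViews | Format-Table -AutoSize
'== Running kernel drivers on the suspect host (look for odd names such as _root_.sys) =='
Get-InstalledDrivers | Where-Object State -eq 'Running' | Format-Table -AutoSize
```

Names that appear only in the SMB view are the interesting ones. Names that appear only in the local view are usually just files that changed between the two enumerations (logs, temporary files), so re-run the comparison before drawing conclusions from those.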
An interesting anti-rootkit solution has been developed by Pedestal Software. The company has created a program called the Intact Integrity Protection Driver [11] that blocks changes and additions to registry keys and values. It effectively prohibits the Service Control Manager and user applications from changing service and driver keys and values in the registry, and also from adding to or replacing existing driver binaries.
Is your system secure? How do you know? A machine is very rarely targeted for an attack for any reason other than that it was vulnerable. One of the first steps in being proactive is to assess your basic security policy rules and requirements. I think that having up-to-date antivirus software installed is a primary concern, and even if it will not fully protect your machine by itself, it can be a lifesaver, providing good protection against most viruses and trojans. Another is to check the system regularly in order to discover new, odd services or processes. Administration scripts are very useful tools in this regard, particularly when dealing with multiple systems.
One might also wish to consider scanning the hosts on your network from time to time. If you suspect that there is an open port on your computer, take a snapshot to check whether it is authorized or not. You may use network and application diagnosis and troubleshooting programs such as TCPview (Fig. 5) [12], FPort [13], Inzider [14], Active Ports (Fig. 6) [15], or Vision [16].

Fig. 5 The TCPview tool allows you to locate which application opened a port on your computer. Like Active Ports, it tells you what is running on which port.

These tools provide a means to identify the specific application that opened the port. Moreover, they let one avoid using netstat, if one suspects that it has been replaced or infected. This brings me to another interesting consideration: whichever tool is used, it is good practice to use original tools previously copied to a trusted diskette or CD-ROM when checking the system. If any doubt exists whether the individual tools on the machine are the original ones, checksum them and compare the results against the copies on the installation CD-ROM.
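The following PowerShell script is an added example, not part of the original article, of the kind of administration script recommended above. It pulls together the checks the page has discussed: every installed service with its start mode, state, account and binary path (a manual or disabled service whose binary now lives outside the Windows or Program Files trees, or is unsigned, is exactly what the srvany/netcat trick described earlier produces), every listening TCP port mapped to its owning process and the services hosted in that process (what TCPview and Fport show), and a SHA-256 comparison of the command-line tools against known-good copies on trusted media before relying on them. The path D:\trusted-tools and the list of tools to verify are assumptions; adjust them to your own media.

```powershell
# Added example: service, listening-port and tool-integrity audit for one Windows host.
# Run from an elevated PowerShell 5.1 or later prompt.
$TrustedToolDir = 'D:\trusted-tools'                                  # assumed: read-only media
$ToolsToVerify  = @('netstat.exe', 'tasklist.exe', 'sc.exe', 'reg.exe')   # assumed list
$TrustedRoots   = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
                  Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # A service PathName may be quoted, may carry arguments, or may be "svchost.exe -k <group>".
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+)')     { return $Matches[1] }
    return $PathName
}

function Get-SuspiciousServices {
    Get-CimInstance Win32_Service | ForEach-Object {
        $bin    = Get-ServiceBinaryPath $_.PathName
        $exists = (-not [string]::IsNullOrEmpty($bin)) -and (Test-Path -LiteralPath $bin)
        $inTrusted = $false
        foreach ($root in $TrustedRoots) { if ($bin -like "$root*") { $inTrusted = $true } }
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $bin).Status } else { 'Missing' }
        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            State     = $_.State
            Account   = $_.StartName
            Binary    = $bin
            Signature = $sig
            Suspect   = (-not $inTrusted) -or ($sig -ne 'Valid')
        }
    } | Where-Object { $_.Suspect }
}

function Get-ListeningPortOwners {
    # Map each listening TCP port to its owning process and any services hosted in that process.
    $svcByPid = @{}
    Get-CimInstance Win32_Service | Where-Object ProcessId -gt 0 | ForEach-Object {
        $svcByPid[[int]$_.ProcessId] += @($_.Name)
    }
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($p) { $p.ProcessName } else { '(gone)' }
            Path         = if ($p) { $p.Path } else { '' }
            Services     = ($svcByPid[[int]$_.OwningProcess] -join ',')
        }
    } | Sort-Object Port
}

function Test-ToolIntegrity {
    # Compare the SHA-256 of each live tool with the copy on the trusted medium.
    foreach ($tool in $ToolsToVerify) {
        $live    = Join-Path $env:SystemRoot "System32\$tool"
        $trusted = Join-Path $TrustedToolDir $tool
        if (-not (Test-Path -LiteralPath $trusted)) { continue }   # nothing to compare against
        $h1 = (Get-FileHash -LiteralPath $live    -Algorithm SHA256).Hash
        $h2 = (Get-FileHash -LiteralPath $trusted -Algorithm SHA256).Hash
        [pscustomobject]@{ Tool = $tool; Match = ($h1 -eq $h2); LiveHash = $h1 }
    }
}

'== Tools whose hash differs from the trusted copy =='
Test-ToolIntegrity | Where-Object { -not $_.Match } | Format-Table -AutoSize
'== Services outside the trusted directories or without a valid signature =='
Get-SuspiciousServices | Format-Table -AutoSize
'== Listening TCP ports and their owners =='
Get-ListeningPortOwners | Format-Table -AutoSize
```

Two caveats. The trusted copies must come from the same Windows build as the host, otherwise the hashes differ for legitimate reasons; and on older systems many Windows components are catalog-signed rather than embedded-signed, so the signature column will be noisy there. Treat the first run as a baseline, save its output, and diff later runs against it rather than reading every line each time.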
In this regard, ListDlls [17] and Process Explorer [18] (Fig. 7) can certainly be useful for finding suspect signs of trojan-infected or backdoored processes.

Fig. 7 Process Explorer displays processes and their related DLL libraries

These programs, with their DLL listings, give some assistance and provide additional information for handling incidents, conducting investigations and gathering legal evidence in view of criminal prosecution.
May I also suggest that one pay closer attention to the registry keys that are responsible for starting programs at system startup. In most cases, these registry entries contain some indication of how the intruder gained access, from where, when, etc. They are:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows (run)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows (run)
HKEY_CLASSES_ROOT\exefile\shell\open\command
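As an added example (not code from the original article), the PowerShell script below walks the autostart locations listed above, prints every value, and flags the ones a practitioner would look at first: an entry whose image file does not exist, or a value that differs from its expected clean default. The three baseline values (the exefile open command "%1" %*, Winlogon Shell = explorer.exe and Userinit = %SystemRoot%\system32\userinit.exe,) are the defaults on current Windows versions; verify them against a known-good machine of your own build. Services are deliberately left out here because the service audit is covered separately.

```powershell
# Added example: dump the autostart registry locations and flag odd entries. Run elevated.
# HKCR is not mapped as a drive by default, so map it first.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$AutostartKeys = @(
    'HKLM:\System\CurrentControlSet\Control\Session Manager\KnownDLLs',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKCR:\exefile\shell\open\command'
)

# Expected clean values (assumed baseline: confirm on a known-good machine of the same build).
$Expected = @{
    'HKCR:\exefile\shell\open\command|(default)'                           = '"%1" %*'
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell'    = 'explorer.exe'
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit' = "$env:SystemRoot\system32\userinit.exe,"
}

function Get-ImagePath {
    param([string]$Value)
    # Pull the program out of a command-line style value; $null when there is none (e.g. "%1" %*).
    if ($Value -match '^"([^"]+\.(exe|cmd|bat|vbs|js))"') { return $Matches[1] }
    if ($Value -match '^(\S+\.(exe|cmd|bat|vbs|js))')     { return $Matches[1] }
    return $null
}

function Test-ImageExists {
    param([string]$Image)
    $p = [Environment]::ExpandEnvironmentVariables($Image)
    if ($p -match '[\\/]') { return (Test-Path -LiteralPath $p) }
    # Bare names such as explorer.exe are resolved through PATH, as the loader would.
    return [bool](Get-Command -Name $p -CommandType Application -ErrorAction SilentlyContinue)
}

function Get-AutostartEntries {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item  = Get-Item -LiteralPath $key
        $names = @($item.GetValueNames() | Where-Object { $_ -ne '' })   # '' is the default value
        foreach ($name in @('(default)') + $names) {
            $value = if ($name -eq '(default)') { $item.GetValue('') } else { $item.GetValue($name) }
            if ([string]::IsNullOrEmpty($value)) { continue }
            $value    = [string]$value
            $image    = Get-ImagePath $value
            $exists   = if ($image) { Test-ImageExists $image } else { $true }
            $expected = $Expected["$key|$name"]
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Value   = $value
                Image   = $image
                Suspect = (($null -ne $expected) -and ($value -ne $expected)) -or (-not $exists)
            }
        }
    }
}

'== All autostart entries =='
Get-AutostartEntries | Format-Table Key, Name, Value -AutoSize -Wrap
'== Entries that differ from the baseline or point to a missing program =='
Get-AutostartEntries | Where-Object { $_.Suspect } | Format-Table Key, Name, Value -AutoSize -Wrap
```

The flagged list is a starting point, not a verdict: a legitimate installer can leave a dangling RunOnce entry, and an attacker can use a valid-looking path. What matters is the diff against the last snapshot of the same machine, which is why the script prints everything as well as the suspects.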
It is extremely important to set consistent access permissions on these keys and to enable auditing tools that continuously monitor them for any malicious attempts. The same applies to the system directories and files that are security-critical. A commonly accepted computer security policy usually starts with a sound firewall as a guard against backdoors. Even if the intruder manages to install a backdoor, the firewall will block him from reaching the listening port.

In fact, bypassing a firewall is not a plug-and-play affair, but I take the liberty of serving a dose of pessimism. There are known hacker tools that can get through even the most hardened firewalls, typically by having the backdoor connect out from the victim to the attacker over a port the firewall allows, as the reverse WWW script above does. However, this is beyond the scope of this article, so I would recommend reading the document available at http://www.spirit.com/Network/net0699.txt.
Finally, I would like to raise your awareness of a certain issue. Once your machine has been compromised and the hacker has gained total administrative access, be very careful when recovering the system from a backup copy or a disk image! I have personally experienced a situation where someone replaced a WWW site. The system administrator restored the system from a backup copy, patched the system, updated the access database and changed the passwords. He therefore considered the server perfectly safe. But he overlooked the fact that the intrusion had taken place long before he made the copy, so the backup itself contained the backdoored version. So, I would strongly recommend checking the system whenever it is backed up.

Hackers increasingly threaten the network community with their new techniques, backdoors and Trojan horses. Therefore we must take steps to guard against the known methods of hacking, even though there will still be a large number of worrying factors we do not know about. Only one thing is absolutely obvious: you never know how long your immune system can hold out before breaking down.
Tools:

[1] Netcat http://www.hackerscor.com/km/files/hfiles/ncnt090.zip
[2] iCMD http://go8.163.com/lmqkkk/mytools/iCmd.exe
[3] Tini http://go8.163.com/lmqkkk/mytools/tini.exe
[4] RemoteNC http://go8.163.com/lmqkkk/mytools/remotenc.zip
[5] WinShell http://go8.163.com/lmqkkk/mytools/Winshell4.0.zip
[6] CGI backdoor http://go8.163.com/lmqkkk/mytools/cgi.zip
[7] Remote Administrator www.radmin.com
[8] TightVNC http://www.tightvnc.com/download.html
[9] Rootkit v.0.44 www.ndsafe.com/fires/rk_044.zip
[10] Rootkit v.0.40 (no address given in the original list)
[11] Intact Integrity Protection Driver http://www.pedestalsoftware.com/intact/iipdriver.htm
[12] TCPview www.winternals.com
[13] Fport http://www.foundstone.com/knowledge/proddesc/fport.html
[14] Inzider http://ntsecurity.nu/toolbox/inzider/
[15] Active Ports http://www.ntutility.com/freeware.html
[16] Vision http://www.foundstone.com/knowledge/proddesc/vision.html
[17] ListDlls http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml
[18] Process Explorer http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
[19] LANguard Network Security Scanner