Hidden Backdoors, Trojan Horses and Rootkit Tools in a Windows Environment

Bartosz Bobkiewicz

POSTED ON JANUARY 23, 2003

Not every case of a successful intrusion is crowned with a replaced Web site on the server, data theft or damage. Often electronic intruders do not wish to create a spectacle but prefer to avoid fame by hiding their presence on compromised systems, sometimes leaving certain unexpected things. They use sophisticated techniques to install specific malware (backdoors) to let them in again later with full control and in secret.

What is malevolent software intended for?

Obviously, hackers have a variety of motives for installing malevolent software (malware). These types of software tend to yield instant access to the system to continuously steal various types of information from it, for example, strategic company designs or credit card numbers. In some cases, they use compromised machines as launch points for massive Denial of Service attacks. Perhaps the most common reason hackers tend to settle on another system is the possibility of creating launch pads that attack other computers while disguised as innocent computer addresses. This is a certain kind of spoofing where the intrusion logs fool the target system into believing that it is communicating with another, legitimate computer rather than that of an intruder.
Under normal conditions, it is hard to compromise LAN security from the Internet, because in most cases LANs are tied to the Internet via reserved addresses such as 10.0.0.0 or 192.168.0.0 (for more details, see the RFC 1918 document available at http://www.faqs.org/rfcs/rfc1918.html). Thus, a hacker cannot have direct access from the Internet, which presents a certain problem for him. Installing shell programs (e.g. Telnet) on any Internet-accessible computer will allow the intruder to gain access to the LAN and spread his control over the infrastructure. Such types of attacks are prevalent on Unix computers, because they use more common remote access shell services (SSH, or more rarely, Telnet) and no additional installation is required. This article will, however, focus on Microsoft Windows-based systems.

Who will become a victim?

An intelligent hacker will not try to put his program on a server that is monitored and checked regularly. He will work secretly, without the knowledge of any legitimate user. Therefore, his attempts to get in will certainly not be through the main domain controller, which has its log frequently examined and its network traffic monitored, and which will detect any alterations immediately. Of course, everything depends on the observance of the security policy and, as is well known, network administrators are not always scrupulous in performing their work. Nevertheless, a host that plays no key role in the network makes a perfect target for a hacker. Before commencing the selection process, a successful hacker tends to transfer the zone and thereafter identify probable roles of individual hosts within a domain by deducing the knowledge from their names. A poorly secured workstation, isolated from the main network, may ideally be used for hacking purposes because there would be little chance to detect signs of an installed backdoor.

Backdoors


A backdoor is a program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor's goal is to remove the evidence of initial entry from the system's log. But a nice backdoor will allow a hacker to retain access to a machine it has penetrated even if the intrusion factor has in the meantime been detected by the system administrator. Resetting passwords, changing disk access permissions or fixing original security holes in the hope of remedying the problem may not help.

A trivial example of a backdoor is default BIOS, router or switch passwords set either by careless manufacturers or security administrators.

A hacker could simply add a new user account with administrator privileges and this would be a sort of backdoor, but far less sophisticated and easily detectable.
Adding a new service is the most common technique to disguise backdoors in the Windows operating system. This requires involving tools such as Srvany.exe and Srvinstw.exe that come with the Resource Kit utility, and also Netcat.exe [1]. The principle of this operation is that the srvany.exe tool is installed as a service and then permits netcat.exe to run as a service. The latter, in turn, listens on an appropriate port for any connection. Once connected, it will have spawned a remote shell on the server (using cmd.exe) and from this moment onwards, a hacker has free rein.

Just before commencing the installation of a backdoor, a hacker must investigate within the server to find activated services. He could simply add a new service and give it an inconspicuous name, but he would be better off choosing a service that never gets used and that is either activated manually or even completely disabled. It is sufficient to remove it using the Srvinstw.exe utility and again to install a new service with the same name. By doing so, the hacker considerably reduces the possibility that the administrator will detect the backdoor during a later inspection. Whenever an event occurs, the system administrator will focus on looking for something odd in the system, leaving all existing services unchecked. From the hacker's point of view, it is essential to hide files deeply in system directories to protect them from being detected by the system administrator. In time, a hacker will think of naming the tools to be planted on the server disk. Netcat.exe and Srvany.exe are utilities that are required to run continuously and will be seen in the task manager. Hackers understand that backdoor utilities must have names that will not attract any undue attention. They use the same approach when choosing an appropriate port for a backdoor. For example, port 5555 is unlikely to be chosen for a backdoor, for the reason that it could immediately tip off the system administrator.

The technique presented above is very simple but efficient at the same time. It allows a hacker to get back into the machine with the least amount of visibility within the server logs (we are obviously not speaking about situations where extra software is used to monitor traffic and there is an efficient event logging system installed). Moreover, the backdoored service allows the hacker to use higher privileges, in most cases as the System account. This may cause some problems for an intruder because, notwithstanding the highest permissions, the System account has no power outside the machine. Under this account, disk mapping or adding user accounts is not possible. Instead, passwords can be changed and privileges may be assigned to existing accounts. With a backdoor that has captured the system administrator account, no such restrictions exist. The only problem that remains is related to the change of user password, because a password update requires a restart of the related service. An administrator will undoubtedly start noticing log errors, once care for event logging and monitoring is provided. The example given above describes a backdoor that is the most dangerous one from the victim system's point of view, because anyone can connect to it and obtain the highest permissions with no authentication required. It may be any script kiddie using a port scanning tool against computers randomly selected from the Internet.

Hacker-dedicated Web sites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must log in by entering a predefined password. iCMD [2], Tini [3], RemoteNC [4] or WinShell [5] (Fig. 1) are examples of tools resembling Telnet.

Fig. 1 WinShell program may be used to install certain simple backdoors

I once saw a very interesting script named CGI-backdoor [6]. I considered this to be interesting because an attacker could execute remote commands on the server via WWW. It was a specifically created, totally dynamic .asp site written in VBScript (available also in Perl, PHP, Java and C) that enabled one to execute commands on the server using the default command processor cmd.exe. A hacker can exploit this to configure the reverse WWW script on the victim's system, but by default it is only permitted the privileges of the IUSR_MACHINE account. This script can be used without logging at all, thus no traces are left on the system. Its additional advantage is that it does not listen in on any port but translates between the HTML used in WWW pages and the server that runs interactive web sites.

In order to create backdoors, hackers can use commercially available tools such as Remote Administrator [7], or the freely available TightVNC [8], that apart from full control over the computer also allow one to operate a remote console.

The Fall of Troy, the wooden horse and all events thereafter

Trojan horses or Remote Administration Trojans (RATs) are a class of backdoors that are used to enable remote control over the compromised machine. They provide apparently useful functions to the user and, at the same time, open a network port on a victim computer. Then, once started, some trojans behave as executable files, interact with certain keys of the registry responsible for starting processes and sometimes create their own system services.

Contrary to common backdoors, Trojan horses hook themselves into the victim operating system and always come packaged with two files: the client file and the server file. The server, as its name implies, is installed in the infected machine while the client is used by the intruder to control the compromised system. Some well known trojan functions include: managing files on the victim computer, managing processes, remote activation of commands, intercepting keystrokes, watching screen images and also restarting and closing down infected hosts, just to name a few of their features. Some are even able to connect themselves to their originator. Of course, these possibilities vary among individual Trojan horses. The following are considered the most popular: NetBus, Back Orifice 2000, SubSeven, Hackatack, and one of Polish origin, named Prosiak.

In most cases, Trojan horses propagate via email. They are usually found within attachments, because their authors exploit vulnerabilities of the email client. Another technique relies on the fact that they are bound into other programs. There are many programs on the Web that merge files to create a single executable file.

Trojan horses (also called trojans) typically operate in a somewhat schematic manner. In contrast to the previously described backdoors, where both implementation and function are limited only by the intruder's ingenuity, the behavior here is quite well defined. They listen in on specific ports (for example, 12345 is the NetBus Trojan default port), setting specific references in start files and the registry, thereby being relatively simple to detect and identify. In most cases, problems with Trojan horses can be solved by using antivirus (AV) software (updated!) to check for possible infections.

RootKit: hiding presence

To accomplish his goal, a hacker must install a backdoor that is not easily detectable. This is his primary task. Hackers use a variety of methods for this purpose, placing their tools at the deepest level of compromised systems and renaming files so as not to arouse suspicions. However, that is not enough, since the processes are still visible and it is so simple to discover any unexpected program that listens in on a certain port, using netstat to check information about that port. Therefore, hackers can also use RootKits.

As most readers know, a rootkit is generally a Unix concept that is spreading to other platforms in its increasingly sophisticated forms. This is a collection of tools used by an intruder to hide his presence in an attacked system. Typical goals include replacing or infecting binaries such as ps, find, ls, top, kill, passwd, netstat, and hiding directories, files and even portions of them, for example, in /etc/passwd. Moreover: catching passwords, deleting logs of the attacker's activity, placing backdoors in specific services (for example, Telnet), to get in without authorization at any time. There are plenty of rootkits in the Unix environment, and each new release is more forward-thinking in terms of its functions. They are also available to attack Windows systems: less sophisticated but still powerful and also trendy. Some handy rootkit solutions deal with hiding or altering netstat commands, thereby making a previously planted backdoor invisible while listening in on any port.

A simple script put in Perl's string context, compiled and named netstat.exe may be an example of a trivial rootkit. The real system netstat could be renamed oldnetstat.exe. The principle of operation of the new netstat is that once the command line calls it, it will call the real netstat (now oldnetstat.exe), with the output directed to a temporary text file. Then the rootkit searches that file for any information about the listening port and removes it (according to the procedure predefined in the rootkit code). After modification, the result is displayed on the screen and the old file is removed. This principle is both simple and efficient and provides an interesting possibility: it may be used to spoof the output data of any other tool available through the command line, for example, tlist or dir. There are many programs of this type available on the Web. The ones that I encountered did not display, for example, information on listening ports such as 666, 27374, 12345, 31337, i.e. well-known Trojan horse ports.

The idea of a first enhanced rootkit for the Windows environment was born in due time. The originator was Greg Hoglund, whilst the progress of this idea could be seen on www.rootkit.com (unfortunately no longer available). From what I know, the development got stuck after the 0.44 version [9]. However, below you will find a description of a somewhat older version, namely 0.40 [10].

This rootkit has been designed as a kernel-mode driver that runs with system privileges right at the core of the system kernel. Given this fact, it has access to all resources of the operating system, thus having a broad field of action. In order to install it one requires the administrator's permissions, whilst simple net start / net stop commands are sufficient to activate / deactivate it respectively.

Once the rootkit has been loaded, the hacker can hide directories and files on the victim's disk. This method is efficient provided that the object to be hidden has a name prefixed with _root_, for example, _root_directory_name. How does this work? The rootkit, by patching the kernel, intercepts all system calls for the listing of the disk content, and all objects beginning with the sequence _root_ are hidden from display. The same applies to the searching process: all files and directories with the above sequence of characters are hidden from the search.

This rootkit feature can also be used to hide running processes as well as to do the same with the system registry entries, by prefixing all keys and entries with _root_. This enables the hacker to install, for example, services which will become a backdoor, thus being as invisible for the system administrator as services or registry entries or processes running in the system memory.

The rootkit can also intercept all keystrokes typed at the system console. This may be carried out by hooking into the keyboard driver and issuing the sniffkeys command.

This is not the last feature of the described rootkit. Its newest version (0.44) offers some other functions such as a hard-coded backdoor (Fig. 2) that allows a remote attacker to connect with the infected machine and gain the top privileged shell.

Fig. 2 A backdoored rootkit allows a hacker to activate a sniffer

Moreover, new implementations are foreseen, for example to have a function that redirects .EXE files to other programs. Starting a completely different tool after the rootkit has detected the execution of a file name that started with _root_ will do this. No other details have been published so far. Everything is currently in the proof-of-concept stage and hackers cannot use this functionality.

Guarding against the rootkit

An ingenious hacker will be smart enough to hide his track forever. He will use all available means to outwit his victim and often has a big chance of reaching that goal. However, system administrators are not defenseless against malicious attacks. There are many known techniques and procedures to detect any suspected installation within systems. At first glance a rootkit seems to be a powerful tool, and undoubtedly it is. Luckily, rootkits are a double-edged sword by their design. As I already mentioned, a kernel-based rootkit monitors calls for objects (files, directories, registry entries or processes) the names of which begin with a string

Luckily many crackers are careless and portions of their rootkit can be detected. The trojaned files above often have configuration files that list which programs to hide and which to display. Often they forget to hide the configuration files themselves. Since /dev is the default location for many of these configuration files, looking in there for anything that is a normal file is often a good idea.
A rootkit, however, cannot affect processes that have _root_ in their names. In other words, when a system administrator is analyzing the system log using Regedit.exe, he cannot see hidden entries, but just by changing its name to _root_regedit.exe, it will be enough for him to see all of them as well as hidden keys and registry entries. This is true for all programs, for example, Task Manager (see Fig. 3).

Fig. 3 Task Manager after changing its name to _root_taskmgr.exe: you can see hidden processes running in your system

The next vulnerability of a rootkit: objects are only hidden from the environment of the compromised machine and they can easily be seen from another computer. Mapping a network drive remotely from another machine (or using the net use command) is a means to see everything which has been hidden from a local user. This is because the remote machine is using a clean kernel to view the files and directories on the compromised machine, avoiding the rootkit's filtration process.
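The remote-view trick above, and the earlier point that a wrapped netstat.exe can filter its own output, both come down to one check: compare what the suspect machine reports about itself with what an independent vantage point sees. The following Python script is an added example, not code from the original article; the netstat output, port-scan lines and directory listings in it are constructed sample data, and the regular expressions assume the column layout of Windows netstat -an.

```python
"""Cross-view check: whatever a trusted view (a port scan from a clean
host, a share mapped from another machine, a tool run from a CD-ROM)
sees that the local, possibly trojaned, tool does not report is exactly
what a netstat wrapper or a _root_-style kernel filter would have hidden.
Added example, not part of the original article; all data is constructed.
"""
import re

# Constructed sample: output of the local (suspect) "netstat -an"
LOCAL_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
"""

# Constructed sample: the same host (10.0.0.5) port-scanned from a clean
# workstation, one "port/proto state" line per open port
REMOTE_SCAN = """\
135/tcp open
139/tcp open
445/tcp open
31337/tcp open
"""

NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)
SCAN_LINE = re.compile(r"^(\d+)/tcp\s+open", re.I)


def listening_ports(netstat_output):
    """TCP ports the local netstat claims are in LISTENING state."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def scanned_ports(scan_output):
    """Open TCP ports reported by the remote scan."""
    ports = set()
    for line in scan_output.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def hidden_entries(local_view, trusted_view):
    """Generic cross-view diff: entries the trusted view has and the local
    view lacks. Works equally for ports, file names or registry keys."""
    return sorted(set(trusted_view) - set(local_view))


def hidden_listening_ports(netstat_output, scan_output):
    """Ports listening according to the remote scan but absent locally."""
    return hidden_entries(listening_ports(netstat_output), scanned_ports(scan_output))


# Constructed sample: a local "dir" of the system root versus the listing of
# the same directory seen through a share mapped from another machine
LOCAL_DIR = ["boot.ini", "ntldr", "WINNT"]
REMOTE_DIR = ["boot.ini", "ntldr", "WINNT", "_root_tools"]

if __name__ == "__main__":
    print("ports hidden from local netstat:", hidden_listening_ports(LOCAL_NETSTAT, REMOTE_SCAN))
    print("files hidden from local dir:", hidden_entries(LOCAL_DIR, REMOTE_DIR))
```

A port or file that appears only in the trusted view is the thing to investigate; a port that appears only locally may simply be filtered by a firewall between the two hosts.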

Another trick is to use the drivers.exe tool (see Fig. 4) available in the Resource Kit package, or Winmsd.exe.

Fig. 4 Use the drivers.exe utility from the Resource Kit for listing all drivers, even those where the rootkit is involved

Using the programs mentioned above, the system administrator can get the listing of all drivers, including _root_.sys, that is, the rootkit device driver itself. This is an exceptional case, in which a process named with the prefix _root_ is not hidden. I would like to stress that the name of the driver as above is related to the specific rootkit described here and not necessarily to other rootkits. But as far as I know, more recent versions of the Windows rootkit are not available as yet.

An interesting anti-rootkit solution has been developed by Pedestal Software. The company has created a program called Intact Integrity Protection Driver [11] that blocks changes and additions to registry keys and values. It effectively prohibits the Service Control Manager or user applications from changing service and driver keys and values in the registry, and also from adding to or replacing existing driver binaries.

Detecting and guarding against backdoors

Is your system secure? How do you know? A machine is very rarely targeted for an attack for any other reason than because it was vulnerable. One of the first steps in being proactive is to assess your basic security policy rules and requirements. I think that having up-to-date antivirus software installed is a primary concern, and even if it won't fully protect your machine by itself, it can be a lifesaver, providing good protection against most viruses and trojans.

Another good practice is to look routinely at any modification of programs to discover new, odd services or processes. Administration scripts are very useful tools in this regard, particularly when dealing with multiple systems. One might also wish to consider host scanning on your network from time to time. If you suspect that there is an open port on your computer, take a snapshot to check whether it is authorized or not. You may use network, application diagnosis and troubleshooting programs such as TCPview (Fig. 5) [12], FPort [13], Inzider [14], Active Ports (Fig. 6) [15], or Vision [16].

Fig. 5 The TCPview tool allows you to locate which application opened a port on your computer. Like Active Ports, it tells you what is running on which port.

Fig. 6 Active Ports in action

These tools provide a means to identify the specific application opening the port. Moreover, they let one avoid using Netstat, if it is suspected that it has been replaced or infected. This brings me to another interesting consideration: whichever tool is used, it is a good practice to use original tools previously copied to a trusted diskette or CD-ROM when attempting to make a check of the system. If any doubt exists whether individual tools are original ones, checksum them to check if they match the installation CD-ROM.
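Checksumming the tools against a known-good set, as recommended above, can be scripted. This Python example is added here and is not from the article; it assumes a manifest of one "<sha256> <filename>" line per tool (a format chosen for this example, not one the article specifies) and builds its sample tool directory in a temporary folder so that it runs anywhere.

```python
"""Verify a directory of inspection tools against a known-good manifest
before trusting their output. Added example, not from the original
article. Manifest format (an assumption of this example): one line per
tool, "<sha256 hex digest>  <file name>". The sample files are constructed.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<digest>  <name>' lines into {name: digest}; '#' starts a comment."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        manifest[name.strip()] = digest.lower()
    return manifest


def verify_tools(tool_dir, manifest):
    """Return {name: status}: 'ok', 'MODIFIED' or 'MISSING' for every
    manifest entry, and 'UNEXPECTED' for files on disk that the manifest
    does not know about (an extra binary is as interesting as a changed one)."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(tool_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_of(path) != expected:
            results[name] = "MODIFIED"
        else:
            results[name] = "ok"
    for name in os.listdir(tool_dir):
        if name not in manifest and os.path.isfile(os.path.join(tool_dir, name)):
            results[name] = "UNEXPECTED"
    return results


def demo():
    """Constructed scenario from the article: netstat.exe has been replaced
    by a wrapper and the original renamed to oldnetstat.exe."""
    tool_dir = tempfile.mkdtemp()
    good = {"netstat.exe": b"original netstat binary (constructed)",
            "tlist.exe": b"original tlist binary (constructed)"}
    lines = []
    for name, data in good.items():
        with open(os.path.join(tool_dir, name), "wb") as f:
            f.write(data)
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {name}")
    manifest = parse_manifest("# known-good tools\n" + "\n".join(lines))
    # simulate the wrapper: rename the real tool, drop a different binary in its place
    os.rename(os.path.join(tool_dir, "netstat.exe"), os.path.join(tool_dir, "oldnetstat.exe"))
    with open(os.path.join(tool_dir, "netstat.exe"), "wb") as f:
        f.write(b"wrapper binary (constructed)")
    return verify_tools(tool_dir, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10} {name}")
```

The manifest itself must come from the trusted medium, not from the machine under inspection, or the check proves nothing.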

In this regard, ListDlls [17] and Process Explorer [18] (Fig. 7) can certainly be useful in finding any suspect signs of trojan-infected or backdoored processes.

Fig. 7 Process Explorer, which displays processes and their related DLL libraries

These programs, with their DLL listings, give some assistance and provide additional information for handling incidents, investigations and conducting analysis to gather legal evidence in view of criminal prosecution.

May I also suggest that one pay closer attention to the registry keys that are responsible for starting programs on system startup. In most cases, these registry elements usually contain some indication of how the intruder gained access, from where, when, etc. These are:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\ControlSet\Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows (run)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows (run)
HKEY_CLASSES_ROOT\exefile\shell\open\command
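One way to act on the list above is to snapshot these keys on a known-clean system and diff later snapshots against it; the same diff catches the trick described earlier of re-installing a rarely used service under its original name, because the service's ImagePath changes even though the name does not. This Python example is added and is not from the article: snapshot_autostart() needs Windows (standard winreg module), diff_snapshots() runs anywhere on saved snapshots, and the two snapshots at the bottom are constructed sample data (the ClipSrv entry and all paths in it are illustrative).

```python
"""Baseline-and-compare for autostart registry keys and service binaries.
Added example, not part of the original article. snapshot_autostart()
reads the live registry (Windows only); diff_snapshots() is pure Python.
"""

# Subset of the keys listed in the article; the Services key is walked one
# level deeper so that every service's ImagePath is captured.
AUTOSTART_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CLASSES_ROOT", r"exefile\shell\open\command"),
]
SERVICES_KEY = ("HKEY_LOCAL_MACHINE", r"System\CurrentControlSet\Services")


def _read_values(winreg, root, path):
    """Return {value name: data as str} for one key, or {} if it is absent."""
    values = {}
    try:
        with winreg.OpenKey(getattr(winreg, root), path) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:          # no more values under this key
                    break
                values[name] = str(data)
                index += 1
    except OSError:                      # key does not exist on this system
        pass
    return values


def snapshot_autostart():
    """Windows only: {key path: {value: data}} for AUTOSTART_KEYS plus the
    ImagePath of every installed service."""
    import winreg
    snap = {}
    for root, path in AUTOSTART_KEYS:
        snap[root + "\\" + path] = _read_values(winreg, root, path)
    root, path = SERVICES_KEY
    with winreg.OpenKey(getattr(winreg, root), path) as services:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(services, index)
            except OSError:              # no more services
                break
            values = _read_values(winreg, root, path + "\\" + name)
            snap[root + "\\" + path + "\\" + name] = {"ImagePath": values.get("ImagePath", "")}
            index += 1
    return snap


def diff_snapshots(baseline, current):
    """List (key, value, old, new) for every value added (old is None),
    removed (new is None) or changed between the two snapshots."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old_vals, new_vals = baseline.get(key, {}), current.get(key, {})
        for value in sorted(set(old_vals) | set(new_vals)):
            if old_vals.get(value) != new_vals.get(value):
                changes.append((key, value, old_vals.get(value), new_vals.get(value)))
    return changes


# Constructed sample snapshots: the rarely used ClipSrv service has been
# re-installed under its original name with srvany.exe as its binary, and a
# new Run value has appeared. All paths are illustrative.
BASELINE_SNAPSHOT = {
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ClipSrv":
        {"ImagePath": r"%SystemRoot%\system32\clipsrv.exe"},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {},
}
CURRENT_SNAPSHOT = {
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ClipSrv":
        {"ImagePath": r"C:\WINNT\system32\srvany.exe"},
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run":
        {"Update": r"C:\WINNT\system32\update.exe"},
}
```

Store the baseline off the machine (the trusted diskette or CD-ROM mentioned above), since a baseline kept on a compromised host can be edited along with the keys it describes.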

It is extremely important to establish consistent access permissions on these keys and activate inspection tools to continuously monitor for any malicious attempts. The same applies to those system directories and files that are security-critical. A commonly accepted computer security policy usually starts with a sound firewall as a guard against backdoors. Even if the intruder manages to install a backdoor, the firewall will block him from getting to the listening port.

In fact, bypassing a firewall is not a plug-and-play thing, but I take the liberty to serve a nice dose of pessimism. There are known hacker tools that can get through even the most hardened firewalls. However, this is beyond the scope of this article, so I would recommend reading the document available at the address: http://www.spirit.com/Network/net0699.txt.

Finally, I would like to raise your awareness about a certain issue. Once your machine has been compromised and the hacker has gained total administrative access, be very careful in recovering the system from the backup copy or the disk image! I have personally experienced a situation where someone replaced a WWW site. The system administrator had retrieved the system from a backup copy, patched the system, updated the access database and changed passwords. Thus, he considered the server perfectly safe. But he overlooked the fact that the intrusion had been made long before he made the copy, which therefore contained a backdoored version. So, I would strongly recommend checking the system whenever it is backed up.

Hackers increasingly threaten the network community with their new techniques, backdoors and Trojan horses. Therefore we must take steps to guard against known methods of hacking, even though there will still be a large number of worrying factors we don't know about. The only thing that is absolutely obvious: you never know how long your immune system can hold out before breaking down.

Tools:

[1] Netcat http://www.hackerscor.com/km/files/hfiles/ncnt090.zip
[2] iCMD http://go8.163.com/lmqkkk/mytools/iCmd.exe
[3] RemoteNC http://go8.163.com/lmqkkk/mytools/remotenc.zip
[4] Tini http://go8.163.com/lmqkkk/mytools/tini.exe
[5] WinShell http://go8.163.com/lmqkkk/mytools/Winshell4.0.zip
[6] CGI-backdoor http://go8.163.com/lmqkkk/mytools/cgi.zip
[7] Remote Administrator www.radmin.com
[8] TightVNC http://www.tightvnc.com/download.html
[9] Rootkit v.0.44 www.ndsafe.com/fires/rk_044.zip
[10] IIP Driver http://www.pedestalsoftware.com/intact/iipdriver.htm
[11] TCPview www.winternals.com
[12] Fport http://www.foundstone.com/knowledge/proddesc/fport.html
[13] Inzider http://ntsecurity.nu/toolbox/inzider/
[14] Active Ports http://www.ntutility.com/freeware.html
[15] Vision http://www.foundstone.com/knowledge/proddesc/vision.html
[16] ListDlls http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml
[17] Process Explorer http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
[18] LANguard Network Security Scanner

Additional information:

1. RootKit
http://www.crackinguniversity2000.it/Paper/__==__%20rootkit%20__==__.htm
http://packetstorm.decepticons.org/UNIX/penetration/rootkits
2. Intact Integrity Protection Driver
http://www.pedestalsoftware.com/intact/iipdriver.htm
3. Preventing and Detecting Malware Installations on NT/2K
http://www.securitystorm.net/mobile/securityfocus
articles/preventing_and_detecting_malware.htm
4. Detecting rootkits
http://r00t.h1.ru/texts/detectrk.php
5. Hackers Rootkit for NT
http://webbuilder.netscape.com/webbuilding/07532848775671.html
6. Rootkit: Attacker undercover tools, by Saliman Manap
http://www.niser.org.my/resources/rootkit.pdf
7. Stop Windows hackers
http://webbuilder.netscape.com/webbuilding/07532849969851.html
8. Understanding and Guarding Against Rootkits
http://rr.sans.org/threats/rootkits2.php
9. Hacking lexicon
http://www.robertgraham.com/pubs/hackingdict.html
10. Securing a compromised Microsoft Windows NT or 2000 Server
http://www.utexas.edu/computer/security/news/iis_hole.html
11. Windows backdoors update II
http://www.ciac.org/ciac/bulletins/j032.shtml
12. Backdoors Continued
http://www.themanagementor.com/EnlightenmentorAreas/it/SW/1202_4.htm
13. At the root of rootkits
