DETECTING BACKDOORS
A good number of backdoors are implemented by a type of malicious code called a Trojan horse; in fact, many rootkits contain “Trojanized” versions of commonly used programs and system utilities. Two well-known Trojan horse applications are BackOrifice and SubSeven, both of which run as a server on the system they infect. That server opens a backdoor that makes access from the outside possible, and an attacker who connects to it can do virtually anything on the system, including stealing or deleting files. Some of the capabilities possessed by backdoor Trojans are listed here:
- Upload or download files
- Move, copy, rename, or delete files
- Erase hard drives and other data disks
- Execute programs
- See your screen as you see it
- Log key presses (even the entry of hidden passwords)
- Open, close, and move windows
- Move the mouse cursor
- See all open connections to and from your computer
- Close connections
There are numerous backdoor Trojans circulating in the wild. While most are detected by antivirus products, it helps to know a little about each of them. Following is a short list of backdoor Trojans:
- BackOrifice/BackOrifice 2000 (BO2K). Back Orifice (and its successor BO2K) is probably the most advanced Trojan in circulation; it has a steep learning curve, which makes it the most difficult of these to put in place.
- Back Construction. This very rare backdoor gives the hacker access to a system’s hard disks. It listens on port 5400 by default, so users are advised simply to block that port on their firewalls.
- Barok. This Trojan gathers dialup passwords and sends them to the hacker. The simple way to defend against Barok: don’t select the option “Always remember my password” in password boxes.
- Blade Runner. This sophisticated Trojan is geared more toward the abilities of savvy system crackers, as it contains components that are beyond the skills of average hackers.
- Cyn. This particular Trojan is similar in form and features to SubSeven; however, it includes an additional feature that allows a hacker to reset the system CMOS.
- Deepthroat. Deepthroat is a simple-to-use Trojan and has almost as many options as SubSeven.
- Girlfriend. There isn’t much to distinguish this Trojan, as it contains the standard features common to most Trojan backdoors. Most respectable firewalls can block Girlfriend.
- Hack’a’Tack. This easy-to-use and colorful remote-control Trojan is actually quite rare. Since it listens on port 31787 by default, it is relatively easy to defend against by blocking access to port 31787 at the firewall.
- SchoolBus. This common Trojan is powerful despite its simplicity. It even boasts a built-in scanner and operates on port 54321 by default.
- SubSeven (a.k.a. Backdoor-G). With its small learning curve and numerous features, SubSeven is probably the most popular (from the hacker’s standpoint) and powerful Trojan horse. SubSeven can be configured to notify someone when the computer it has infected connects to the Internet. The hacker who infected the system is then provided with information he or she may use against the system or organization.
Given that backdoors are accessed from a remote location outside an organization’s network, detecting them comes down to monitoring connections to the ports on which the backdoor listens. Since firewalls are supposed to monitor and limit port activity, they are the natural choice for detecting the presence of a backdoor. However, a firewall does not guarantee that a backdoor will be detected: Trojan horse applications often masquerade as legitimate applications, the default ports listed above can be changed by whoever configures the server, and a backdoor that itself connects outbound to the attacker (as SubSeven’s notification feature does) is not stopped by rules that only block inbound connections.
DETECTING BACKDOORS WITH THE NETSTAT COMMAND
The netstat command is a useful tool for checking network configuration and activity. By using netstat, you can find out which ports on your computer are open, which in turn helps determine whether your computer has been infected by a Trojan horse. The netstat command lists all the open connections to and from your PC, and Unix, Linux, and Windows all support it. To use it under Windows, open a command prompt and enter netstat -a, which lists all open connections and listening ports; netstat -an suppresses name resolution so that ports are shown numerically, and netstat -ano adds the process ID (PID) that owns each socket. If you discover a connection or listening port that you don’t recognize, you need to track down the process that is using it. On Linux, netstat -tulpn (or ss -tulpn) shows the owning program directly. On Windows you can use the freeware Sysinternals program TCPView, which provides detailed listings of all TCP and UDP endpoints (clients, servers, and so on) on your system, including the local and remote addresses, the owning process, and the state of each TCP connection.
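The netstat-to-process check described above, carried through as an added example that is not part of the original text: a Python script that parses a constructed sample of Windows netstat -ano output, flags every listening socket outside an assumed baseline of expected ports, ties each one to its owning process through a constructed PID-to-image table (what tasklist or TCPView would supply), and lists the remote peers currently connected to that process. The baseline, the process table and the image name msrexe.exe are assumptions for illustration; the SubSeven (27374) and BackOrifice (31337) default ports come from general knowledge rather than from this page.

```python
"""Parse Windows 'netstat -ano' output, flag unexpected listeners, and map
them to their owning process (the check TCPView automates).  Added example;
all sample data below is constructed, not a real capture."""
import re

# Default ports of backdoor Trojans discussed in the text.  The SubSeven (27374)
# and BackOrifice (31337) defaults come from general knowledge, not the page.
KNOWN_BACKDOOR_PORTS = {
    5400: "Back Construction",
    31787: "Hack'a'Tack",
    54321: "SchoolBus",
    27374: "SubSeven",
    31337: "BackOrifice",
}

# Assumed baseline of ports this host is expected to listen on (RPC, SMB, mDNS).
EXPECTED_LISTENERS = {135, 445, 5353}

# Constructed 'netstat -ano' output.  A UDP row has no State column.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49710     40.99.10.5:443         ESTABLISHED     2284
  TCP    192.168.1.20:27374     203.0.113.7:51044      ESTABLISHED     3120
  UDP    0.0.0.0:31337          *:*                                    3120
  UDP    0.0.0.0:5353           *:*                                    1720
"""

# Constructed PID -> image name table, as 'tasklist' would report it.
SAMPLE_PROCESSES = {4: "System", 904: "svchost.exe", 1720: "mDNSResponder.exe",
                    2284: "OUTLOOK.EXE", 3120: "msrexe.exe"}

# proto, local address, local port, foreign address, optional state, pid
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def parse_netstat(text):
    """Return one tuple per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, foreign, state, pid = m.groups()
            rows.append((proto, lip, int(lport), foreign, state or "", int(pid)))
    return rows


def suspicious_listeners(rows, processes, expected=EXPECTED_LISTENERS):
    """Listening sockets outside the baseline, each tied to its owning process.
    A bound UDP socket shows '*:*' as its foreign address and has no state."""
    findings = []
    for proto, _lip, lport, foreign, state, pid in rows:
        listening = state == "LISTENING" or (proto == "UDP" and foreign == "*:*")
        if listening and lport not in expected:
            findings.append({
                "proto": proto,
                "port": lport,
                "pid": pid,
                "process": processes.get(pid, "<unknown>"),
                "known_as": KNOWN_BACKDOOR_PORTS.get(lport),
            })
    return findings


def peers_of(rows, pid):
    """Remote endpoints that hold an ESTABLISHED session with the given process."""
    return [foreign for _p, _lip, _lport, foreign, state, owner in rows
            if owner == pid and state == "ESTABLISHED"]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for f in suspicious_listeners(rows, SAMPLE_PROCESSES):
        label = f" (default port of {f['known_as']})" if f["known_as"] else ""
        print(f"{f['proto']} port {f['port']} owned by PID {f['pid']} "
              f"{f['process']}{label}; peers: {peers_of(rows, f['pid'])}")
```

On a real host, feed the script the output of netstat -ano and build the process table from tasklist (or on Linux skip the join and read the program column of netstat -tulpn). Matching a known default port is only a hint, since the attacker can change it; the stronger signal is any listener the baseline does not explain, together with the image name and path behind its PID.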
REMOVING ROOTKITS AND TROJANS
Once it has been discovered that a computer is infected by a rootkit or backdoor Trojan, removal of the offending program is the next logical step. Given the flood of rootkits and backdoor Trojans in the wild, it is impossible to list the removal procedures for them all; the general guidelines, however, are as follows. The steps necessary for removing a Trojan are:
- Identify the Trojan horse file on your system hard disk.
- Find out how it is being initiated (for example, via Registry, Startup Folder, and so on) and take the action(s) necessary to prevent it from being restarted after a reboot.
- Reboot your machine and delete the Trojan horse file. (Windows will not let you delete the image of a running process, so the file can only be removed once it no longer starts with the system.)
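The three removal steps above, carried through as an added example that is not part of the original text: a Python script that parses a constructed regedit export of the Run and RunServices keys together with a constructed listing of the Startup folder (shortcut targets assumed already resolved), finds every autostart entry that points at the identified Trojan file, and produces the reg delete and del commands that stop it from being restarted. The key contents, the file name msrexe.exe and all paths are assumptions for illustration.

```python
"""Locate how a Trojan file is started (Registry Run keys, Startup folder) and
emit the commands that remove those entries.  Added example; the .reg export
and the Startup-folder listing below are constructed, not taken from a real host."""
import ntpath
import re

# Constructed regedit (version 5.00) export of the usual autostart keys.  The
# suspect image msrexe.exe is a made-up name, not a real Trojan artefact.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"msrexe"="\"C:\\WINDOWS\\msrexe.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WinLoader"="C:\\WINDOWS\\msrexe.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"""

# Constructed Startup-folder contents with each shortcut's resolved target
# (resolving .lnk files is out of scope here; the targets are assumed).
STARTUP_DIR = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_STARTUP = {
    "Send to OneNote.lnk": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE",
    "winloader.lnk": r"C:\WINDOWS\msrexe.exe",
}

# "name"="data" with regedit escaping: backslash and quote are written \\ and \"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo regedit's backslash escaping."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value name, data) for every string value in the export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries


def extract_image(command):
    """Pull the executable path out of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # unquoted: the path ends at the first ' -x' or ' /x' style argument
    return re.split(r"\s+[-/]", command, maxsplit=1)[0]


def find_persistence(reg_entries, startup_items, suspect_image):
    """Autostart entries whose target file name matches the suspect (case-insensitive)."""
    target = ntpath.basename(suspect_image).lower()
    hits = []
    for key, name, data in reg_entries:
        if ntpath.basename(extract_image(data)).lower() == target:
            hits.append(("registry", key, name))
    for item, resolved in startup_items.items():
        if ntpath.basename(resolved).lower() == target:
            hits.append(("startup", item, resolved))
    return hits


def removal_commands(hits):
    """Commands that stop each entry from relaunching the Trojan after a reboot."""
    cmds = []
    for kind, where, what in hits:
        if kind == "registry":
            cmds.append(f'reg delete "{where}" /v "{what}" /f')
        else:
            cmds.append(f'del "{STARTUP_DIR}\\{where}"')
    return cmds


if __name__ == "__main__":
    suspect = r"C:\WINDOWS\msrexe.exe"   # the file identified in step 1 (assumed)
    hits = find_persistence(parse_reg_export(SAMPLE_REG), SAMPLE_STARTUP, suspect)
    for kind, where, what in hits:
        print(f"{kind}: {where} -> {what}")
    print("\n".join(removal_commands(hits)))
```

On a live system the export comes from reg export of each autostart key, and the Startup folder listing from dir with the shortcut targets resolved. Once the printed commands have been run, reboot, confirm with netstat that the listener is gone, and only then delete the file itself.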
The basic steps involved in recovering from a rootkit are:
- Isolate the affected machine. (Disconnect it from the network and/or Internet.)
- Determine the severity of the compromise. (Are other networked computers also infected?)
- Begin the cleanup by reinstalling the operating system and applications from trusted (clean) media, then restore data from a backup taken before the compromise. A rootkit subverts the operating system itself, so cleaning it in place with tools that run on the compromised system cannot be trusted.