Trojan and Backdoor Countermeasures

Apply Your Knowledge

The best way to learn more about Trojans and malicious programs is to search for them on a system and look at the ways that they hide themselves.

Exercises

6.1. Finding Malicious Programs

In this exercise, you will look at some common ways to find malicious code on a computer system.

Estimated Time: 30 minutes.

  1. Unless you already have a Trojan installed on your computer, you will need something to find. Go to www.vulnwatch.org/netcat and download Netcat for Windows.
  2. Next, start up a Netcat listener on your computer. This can be done by issuing the following command from the command prompt: nc -n -v -l -p 80.
  3. Now that you have Netcat running and in listening mode, proceed to the task manager. You should clearly see Netcat running under applications.
  4. Let's now turn our attention to netstat. Open a new command prompt and type netstat -an. You should see a listing similar to the one shown here:

     C:\>netstat -an

     Active Connections

       Proto  Local Address          Foreign Address        State
       TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
       TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
       TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
       TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
       TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING

  5. Your results should include a listing similar to the first one shown, indicating that port 80 is listening. Did you notice anything else unusual on your listing? Did you notice anything unusual on the listing shown previously? The preceding listing shows a service listening on port 12345, which is the default port for NetBus.
  6. Now proceed to www.sysinternals.com/Utilities/TcpView.html and download TCPView. This free GUI-based process viewer shows you information on running processes in greater detail than netstat. It provides information for all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. You should be able to easily spot your Netcat listener if it is still running.
  7. Close TCPView and proceed to www.teamcti.com/pview; from there, you can download another process viewer tool known as ProcessViewer. You will find that it is similar to TCPView.
  8. Finally, let's review a Trojan removal tool. It's titled "The Cleaner" and is a system of programs designed to keep your computer and data safe from Trojans, worms, key loggers, and spyware. It can be downloaded from www.moosoft.com/products/cleaner/faq. After installation, let the program run and see if it flags Netcat or any other files.
  9. Afterward, you can remove Netcat or any of the other programs installed during this exercise that you no longer desire to use.
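The manual check in steps 4 and 5 (read the netstat listing, look for listeners on ports that Trojans use by default) can be scripted. The following is an added example, not part of the book's exercise: it parses constructed `netstat -an` output modelled on the listing above and flags local listeners, and outbound connections, on the default ports this chapter names. The port table is assembled from the chapter's own answer key and is only a heuristic, since a Trojan can be configured to use any port.

```python
import re
from typing import Dict, List, Tuple

# Default ports of the Trojans named in this chapter (lookup table built
# from the answer key; not exhaustive, and any of them can be reconfigured).
KNOWN_TROJAN_PORTS: Dict[int, str] = {
    31337: "Back Orifice",
    12345: "NetBus",
    6711: "SubSeven",
    23476: "Donald Dick",
    6666: "Beast",
    27551: "Amitis",
}

# Constructed sample of `netstat -an` output, modelled on the Exercise 6.1 listing.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1036      10.2.2.2:31337         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# proto, local addr:port, foreign endpoint, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Tuple[str, str, int, str, str]]:
    """Return (proto, local_addr, local_port, foreign, state) for each endpoint row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skips the title, blank line and column header
        proto, laddr, lport, foreign, state = m.groups()
        rows.append((proto, laddr, int(lport), foreign, state or ""))
    return rows


def flag_suspicious(text: str) -> List[str]:
    """Flag listeners on known Trojan ports and connections whose remote port is one."""
    findings = []
    for proto, _laddr, lport, foreign, state in parse_netstat(text):
        if state == "LISTENING" and lport in KNOWN_TROJAN_PORTS:
            findings.append(f"{proto} listener on port {lport} ({KNOWN_TROJAN_PORTS[lport]} default)")
        host, _, rport = foreign.rpartition(":")  # "*:*" and "0.0.0.0:0" are ignored
        if rport.isdigit() and int(rport) in KNOWN_TROJAN_PORTS:
            findings.append(f"{proto} connection to {host}:{rport} ({KNOWN_TROJAN_PORTS[int(rport)]} default)")
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_NETSTAT):
        print(finding)
```

On a live host, pipe the real `netstat -an` output into `flag_suspicious` and confirm any hit with TCPView, as step 6 describes, before acting on it.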

6.2. Using a Scrap Document to Hide Malicious Code

In this exercise, you will use Notepad as a basic wrapper. Notepad will allow you to embed objects that can be executed simply by double-clicking on them.

Estimated Time: 15 minutes.

  1. Make a copy of Notepad.exe and place it on your desktop.
  2. Open Wordpad.
  3. Click and drag the copy of Notepad.exe you placed on the desktop into the open Wordpad document.
  4. Next, click on Edit, Package Object, Edit Package.
  5. Then click on Edit, Command Line.
  6. At the command-line prompt, type a command such as dir c: /p; then click on OK.
  7. You can now change the icon if so desired.
  8. Exit from the edit window, and the document will be updated.
  9. Click and drag Notepad.exe back to the desktop.
  10. The file will have taken the name Scrap; rename it ImportantMessage.txt.
  11. Click on ImportantMessage.txt and observe the results. You should notice that the scrap produced a directory listing of the C drive. If you were a malicious hacker, you could have just as easily set up the command to reformat the hard drive or erase all the system files.

Exam Questions

1.

You have just completed a scan of your servers, and you found port 31337 open. Which of the following programs uses that port by default?

A. Donald Dick

B. Back Orifice

C. SubSeven

D. NetBus

2.

Which of the following programs can be used for port redirection?

A. Loki

B. Recub

C. Girlfriend

D. Fpipe

3.

Which of the following best describes a covert communication?

A. A program that appears desirable, but actually contains something harmful.

B. A way of getting into a guarded system without using the required password.

C. Sending and receiving unauthorized information or data by using a protocol, service, or server to transmit info in a way in which it was not intended to be used.

D. A program or algorithm that replicates itself over a computer network and usually performs malicious actions.

4.

Which of the following best describes Netcat?

A. Netcat is a more powerful version of Snort and can be used for network monitoring and data acquisition. This program allows you to dump the traffic on a network. It can also be used to print out the headers of packets on a network interface that matches a given expression.

B. Netcat is called the TCP/IP Swiss army knife. It works with Windows and Linux and can read and write data across network connections using TCP or UDP protocol.

C. Netcat is called the TCP/IP Swiss army knife. It is a simple Windows-only utility that reads and writes data across network connections using TCP or UDP protocol.

D. Netcat is called the TCP/IP Swiss army knife. It is a simple Linux-only utility that reads and writes data across network connections using TCP or UDP protocol.

5.

One of your users' Windows computers has been running slowly and performs erratically. After looking it over, you found the file "watching.dll", which looks suspicious. Which of the following programs uses that file?

A. NetBus

B. SubSeven

C. Donald Dick

D. Loki

6.

Jane has noticed that her system is running strangely, yet when she ran netstat, everything looked fine. What should she do next?

A. Install patch.exe

B. Use a third-party tool with a verified fingerprint

C. Restore from a recent backup

D. Remove any entries from the Windows Startup folder

7.

You overheard a co-worker who is upset about not getting a promotion threaten to load FakeGina onto the boss's computer. What does FakeGina do?

A. It's a password Trojan that emails password and usernames to a predetermined email address.

B. It is a hardware keystroke capture program.

C. It captures all keystrokes entered after the system starts up.

D. It captures login usernames and passwords that are entered at system startup.

8.

Which covert communication program has the capability to bypass router ACLs that block incoming SYN traffic on port 80?

A. Loki

B. ACKCMD

C. Stealth Tools

D. Firekiller 2000

9.

What does the following command accomplish: nc -n -v -l -p 25?

A. Allows the hacker to use a victim's mail server to send spam.

B. Forwards email on the remote server to the hacker's computer on port 25.

C. Blocks all incoming traffic on port 25.

D. Opens up a Netcat listener on the local computer on port 25.

10.

What is datapipe used for?

A. It is a Linux redirector.

B. It is a remote control Trojan.

C. It is similar to netstat and can report running processes and ports.

D. It is a Windows redirector.

11.

Dale watches his firewall setting closely and leaves off all unused ports. He has been told by several employees that some individuals are using services that are blocked. What technique might these employees use to accomplish this prohibited activity?

A. They have systems that have become infected with spyware.

B. They have been able to compromise the firewall and change the rulesets without Dale's knowledge.

C. They are using a backdoor program to gain access that they should not have.

D. They are using tunneling software to allow them to communicate with protocols in a way that they were not designed.

12.

Which of the following is the correct type for a ping request?

A. Type 0

B. Type 3

C. Type 5

D. Type 8

13.

What does the following command accomplish when issued from a victim's computer: fpipe -l 69 -r 53 -u 10.2.2.2?

A. This command redirects traffic from UDP port 53 to port 69.

B. This command redirects traffic from TCP port 69 to port 53.

C. This command redirects traffic from TCP port 53 to port 69.

D. This command redirects traffic from UDP port 69 to port 53.

14.

What does the following command accomplish: nc -u -v -w 1 10.2.2.2 135-139?

A. Performs a UDP port scan on all ports except 135-139

B. Resets any active connection to ports 135-139

C. Performs a UDP port scan on ports 135-139

D. Resets any active connection to all ports except 135-139

15.

Gil believes one of his workers is performing illegal activities on his work computer; he wants to install software key loggers on all employees' systems. What should be his number one concern?

A. That the users will be able to run a software program to detect the keystroke program

B. That he has a monitoring policy in place and has provided adequate warning to employees about monitoring and acceptable use

C. That users will find and remove the keystroke monitoring program

D. That because his employees are in online customer sales and process hundreds of orders, the keystroke monitor buffer will overflow and thereby erase the critical information

16.

Which of the following Trojans uses port 6666?

A. Subseven

B. NetBus

C. Amitis

D. Beast

17.

Which of the following best describes a wrapper?

A. Wrappers are used as tunneling programs.

B. Wrappers are used to cause a Trojan to self execute when previewed within email.

C. Wrappers are used as backdoors to allow unauthenticated access.

D. Wrappers are used to package covert programs with overt programs.

18.

Loki uses which of the following by default?

A. ICMP

B. UDP 69

C. TCP 80

D. IGRP

19.

You have become concerned that one of your work stations might be infected with a malicious program. Which of the following netstat switches would be the best to use?

A. netstat -an

B. netstat -r

C. netstat -p

D. netstat -s

20.

You have just completed a scan of your servers, and you found port 12345 open. Which of the following programs uses that port by default?

A. Donald Dick

B. Back Orifice

C. SubSeven

D. NetBus

Answers to Exam Questions

A1:

1. B. BOK uses port 31337 by default. All other answers are incorrect, as Donald Dick uses port 23476, SubSeven uses port 6711, and NetBus uses port 12345.

A2:

2. D. FPipe is a source port forwarder/redirector. It can create a TCP or UDP stream with a source port of your choice. Answer A is incorrect, as Loki is a covert channel program. Answer B is incorrect because Recub is a Trojan. Answer C is incorrect, as Girlfriend is also a Trojan.

A3:

3. C. Covert communications can be described as sending and receiving unauthorized information or data between machines without alerting any firewalls and IDSes on a network. Answer A is incorrect because it describes a Trojan. Answer B is incorrect because it describes a backdoor. Answer D is incorrect because it more accurately describes a virus or worm.

A4:

4. B. Netcat is a network utility for reading from and writing to network connections on either TCP or UDP. Because of its versatility, Netcat is also called the TCP/IP Swiss army knife. Answers A, C, and D are incorrect because Netcat is not a more powerful version of Snort and can be used on both Windows and Linux.

A5:

5. B. Watching.dll is one of the files that is loaded when SubSeven is installed. Answers A, C, and D are incorrect because none of the other Trojans install that file. NetBus installs KeyHook.dll. Donald Dick installs pmss.exe, and Loki is a Linux-based program. It does not run on Windows.

A6:

6. B. Jane should use a third-party tool that is known good. One way to ensure this is to download the file only from the developer's website and to verify that the fingerprint or MD5sum of the tool has remained unchanged. Answer A is incorrect, as the default install file for NetBus is patch.exe. Loading this on her computer will only compound her problems. Answer C is incorrect because if the computer does have a Trojan, it might be hard to determine when the point of infection occurred. Therefore, the recent backup might also be infected or corrupt. Answer D is incorrect because although the Trojan might have installed something in the startup folder, there are many other places that the hacker could hide elements of the tool, including the registry, system folders, and .ini files.

A7:

7. D. FakeGina captures login usernames and passwords that are entered at system startup. Answers A, B, and C are incorrect because FakeGina does not send out passwords by email, is not a hardware keystroke capture program (it is software based), and it only captures username and login information at startup.

A8:

8. B. ACKCMD uses TCP ACK packets to bypass ACLs that block incoming SYN packets. Answer A is incorrect, as Loki uses ICMP. Answer C is incorrect because Stealth Tools is used to alter the signature of a known Trojan or virus. Answer D is incorrect, as Firekiller 2000 is used to disable Norton antivirus or software firewall products.

A9:

9. D. nc -n -v -l -p 25 opens a listener on TCP port 25 on the local computer. Answers A, B, and C are incorrect, as it does not allow the hacker to use a victim's mail server to send spam, it does not forward email, and it will not block traffic on port 25. (Actually, it listens on the port for incoming connections.)

A10:

10. A. Datapipe is a Linux redirector. It can be used for port redirection. This form of tool is useful when certain ports are blocked at the firewall. Answer B is incorrect because it is not a remote control Trojan. Answer C is incorrect, as it does not report open processes, and answer D is incorrect because it is not a Windows redirecting program; it is used for Linux and UNIX systems.

A11:

11. D. Tunneling software acts as a SOCKS server, allowing you to use your Internet applications despite restrictive firewalls. Answer A is incorrect because systems infected with spyware would not behave in this manner. Spyware-infected systems typically run slower and tend to go to URLs not requested or suffer from a barrage of pop-up ads. Answer B is incorrect because, since Dale watches his firewall closely, it is unlikely that they successfully attacked his firewall. Answer C is incorrect, as backdoor programs are used to bypass authentication.

A12:

12. D. An ICMP Ping request is a type 8. Answer A is incorrect, as a type 0 is a Ping reply. Answer B is incorrect, as a type 3 is a destination unreachable, and answer C is incorrect because a type 5 is a redirect.

A13:

13. D. Fpipe is used for port redirection: a technique that is useful behind a firewall. This command redirects traffic from UDP port 69 to port 53. The syntax is -l listen, -r redirect, -u UDP, and the IP address is the IP address to bind to this command. Answers A, B, and C are incorrect, as they do not properly define the syntax of the command.

A14:

14. C. The command nc -u -v -w 1 10.2.2.2 135-139 performs a UDP port scan, in verbose mode, and waits one second between scanning ports 135 to 139 on IP address 10.2.2.2. Answers A, B, and D are incorrect because they do not properly define the syntax that is given.

A15:

15. B. Gil should primarily be concerned that he has proper policy and procedures in place that address keystroke logging. He must also make sure that employees understand that they have no expected level of privacy when using company computers and might be monitored. Answers A and C are incorrect, as most of these programs are hard to detect. Answer D is incorrect because these programs can allocate a buffer big enough to store millions of keystrokes, so storage should not be a problem.

A16:

16. D. Beast uses port 6666 and is considered unique, as it uses injection technology. Answer A is incorrect because SubSeven uses port 6711. Answer B is incorrect because NetBus uses port 12345, and answer C is incorrect, as Amitis uses port 27551.

A17:

17. D. Wrappers are used to package covert programs with overt programs. They act as a type of file joiner program or installation packager program. Answer A is incorrect, as wrappers do not tunnel programs; an example of a tunneling program would be Loki. Answer B is incorrect because wrappers are not used to cause a Trojan to execute when previewed in email; the user must be tricked into running the program. Answer C is incorrect, as wrappers are not used as backdoors. A backdoor program allows unauthorized users to access and control a computer or a network without normal authentication.

A18:

18. A. Loki is a Trojan that opens and can be used as a backdoor to a victim's computer by using ICMP. Answer B is incorrect because Loki does not use UDP port 69 by default. Answer C is incorrect because Loki does not use TCP port 80 by default. Answer D is incorrect because Loki does not use IGRP.

A19:

19. A. netstat -an is the proper syntax: -a displays all connections and listening ports, and -n displays addresses and port numbers in numerical form. Answer B is incorrect, as -r displays the routing table. Answer C is incorrect because -p shows connections for a specific protocol, yet none was specified in the answer. Answer D is incorrect, as -s displays per-protocol statistics. By default, statistics are shown for TCP, UDP, and IP.

A20:

20. D. NetBus uses port 12345 by default. Answers A, B, and C are incorrect because Donald Dick uses 23476, BOK uses port 31337, and SubSeven uses port 6711.

Suggested Reading and Resources

Netcat is your friend: www.giac.org/certified_professionals/practicals/gcih/0512.php

Netcat readme: www.vulnwatch.org/netcat/readment.txt

Back Orifice official site: www.bo2k.com

Trojan FAQ: www.windowsecurity.com/faqs/Trojans

Trusted Computer System Evaluation Criteria (TCSEC): www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html

Loki: www.phrack.org/show.php?p=49&a=6

Backdoor programs defined: www3.ca.com/Solutions/Collateral.asp?CID=37734&ID=

The Nasty Truth About Spyware: searchsecurity.techtarget.com/tip/1,289483,sid14_gci1076172,00.html

HijackThis FAQ: http://russelltexas.com/malware/faqhijackthis.htm

Certified Ethical Hacker Exam Prep, Michael Gregg, 2007, ISBN 0789735318