|< Day Day Up >|
In this section we will be using Scan2.log that was provided by the Honeynet Research Alliance as part of the Honeynet Project Scan of the Month challenge. Scan2.log is located on the accompanying CD-ROM in the /captures directory. We will also be using our own, lab-created backdoor packet captures called subseven_log and netbus_log, also located on the
SubSeven Legend (also referred to as SubSeven) is one of the most common Windows backdoor trojans. It is an older program and most virus software can detect it, but there are many variations of it floating around the Internet. SubSeven is smart enough to notify the intruder, via Internet Relay Chat (IRC), e-mail, or some other method, that the victim computer is online. It runs over a TCP connection with a default port of 27374, although this port is configurable. SubSeven has
Figure 8.6 shows a packet capture of a SubSeven Legend client-server interaction. SubSeven Legend is the anniversary edition of SubSeven. The intruder is running the client on 192.168.1.1, which is connected to the server on the victim computer at 192.168.1.200. You will notice that the server is running on the default port 27374 and data is being
Figure 8.6: SubSeven Legend Backdoor Trojan
Using the Follow TCP Stream feature of Ethereal will show what is going on between the SubSeven server and client. Figure 8.7 shows the connection day and time and the version of the SubSeven server. Next, it shows that the intruder performed a directory listing of C:\, and downloaded the file secret.txt. However, the data for this file is obscured.
Figure 8.7: SubSeven Client-Server Interaction
The NetBus backdoor trojan is also one of the older and more common Windows backdoor trojans. It is easily detectable using antivirus software, but like SubSeven, many variations exist. It runs over a TCP connection with default ports of 12345 and 12346, but is configurable. Like SubSeven it has numerous features that allow the intruder to completely control the victim computer.
Figure 8.8 shows a packet capture of a NetBus client-server interaction. The intruder is running the client on 192.168.1.1, which is connected to the server on the victim computer at 192.168.1.200. You will notice that the server is running on the default ports 12345 and 12346 and data is being pushed between the client and server. The two separate source ports
Figure 8.8: NetBus Backdoor Trojan
Using the Follow TCP Stream feature of Ethereal will show what is going on between the NetBus server with the port 12345 and the client. Figure 8.9 shows the version of the NetBus server and also shows that the intruder downloaded the file C:\temp\secret.txt.
Figure 8.10 shows the client
Figure 8.10: NetBus Client-Server Content
RST.b is a
Figure 8.11 shows a packet capture of an intruder scanning for systems infected with the RST.b trojan. We filtered on UDP to focus in on the last nine UDP packets. The intruder uses different source IP addresses and random destination ports to prevent IDSs from detecting the scan. Because the RST.b trojan listens in promiscuous mode, it will respond to UDP packets, containing the “DOM” payload, on any port.
Figure 8.11: RST.b Backdoor Scan
Many people get
A virus is a program that can infect files by attaching to them, or replacing them, without the knowledge of the user. A virus can execute itself, and replicate itself to other files within the system. To do this, it often attaches to executable files, known as host files. Viruses travel from computer to computer when users transmit infected files or share storage media, such as a floppy disk. Viruses may be benign or malicious. A benign virus does not have any destructive behavior; it
File infector A virus that attaches to an executable file.
A virus that places code in the boot sector of a computer so that it is executed every time the computer is
Master boot record A virus that infects the first physical sector of all disks.
A virus that will use a number of infection
Macro A virus that attaches itself to documents in the form of macros.
A trojan is a program that is covertly hiding another,
A worm is a program much like a virus that has the added functionality of being able to replicate itself without the use of a host file. With a worm, you don’t have to receive an infected file, or use an infected floppy to become infected; the worm does this all on its own. A worm actively replicates itself and propagates itself throughout computer networks. Not only will a worm consume valuable system resources, it can also
|< Day Day Up >|