Chapter 10: Backdoors and Remote Access Tools

OVERVIEW

Backdoors and remote access tools are important for any security professional to understand. For the security auditor who performs attack and penetration assessments, such tools are important because hackers can use them to obtain an initial foothold into an otherwise secure network. For the security administrator, understanding the tools' fingerprints and potential entry points into the network is an ongoing task. For the security incident investigator, the fingerprint and remediation process must be clearly understood to keep the network running and to build legal cases against offenders. This chapter will address issues and tools important for security auditors, administrators, and incident investigators.

Possibly the best use for this category of tools during security assessments is to aid in determining whether the system users are the weakest links in an organization's security architecture. Some of the tools discussed in this chapter, as you will see, can be detected by intrusion-detection systems (IDSs) and anti-virus countermeasures. Because backdoors and remote access tools can be distributed inadvertently by users for entry into the network, the tools discussed in this chapter would be a good check to determine whether your IDS and anti-virus sentries are doing their job as advertised.

Because some remote access software packages are typically used with good intentions, they are not usually considered "hacking tools." Therefore, most virus detectors and IDSs will not be on the lookout for these tools unless they are tuned to do so. It may be a smart move for an intruder to use a tool designed with good intentions with the ultimate intent of evading detection. One tool that is a "good intention" remote control/backdoor tool in this chapter is Virtual Network Computing (VNC).

Other tools have been designed specifically for nefarious purposes. These are tools written and modified by those considered in the "underground." These types of tools are typically detected by virus checkers and host- or network-based IDSs and therefore often employ better techniques, such as mutation engines, encryption techniques, and changing parameters, to foil the dominant signature-based recognition systems of countermeasure tools.

Typically, up-to-date virus checkers quickly spot the installation files and a good IDS will generate an alert when it sees the related traffic. While these tools may not pop up very often on networks with savvy administrators, they are often used to target less sophisticated networks and less aware users. This chapter covers the nefarious tools Back Orifice, Netbus, and SubSeven.

Yet another breed of backdoor tools dwarfs the other two categories: kernel root kits and covert channels. These types of tools are difficult to detect, and sometimes remediation may seem impossible. Thorough understanding of how these tools operate should bring some enlightenment to how the tools' programmers attack systems at their most fundamental level. These tools would be used by an auditor with a high level of comfort in the security field, but it is unlikely they would be used in any scenario other than a narrowly targeted test.

Virus scanners typically do not detect these files (the majority are Unix-based), but their activity could be detected by a well-configured IDS. However, if proper attention is given to their use, even detection will not supply the victim with much information. The tools discussed in this chapter that belong to this category are Loki, stcpshell, and Knark.

Anti-Hacker Tool Kit
Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175