Trojan Horses (and RootKits)

What is a Trojan Horse?

 

A Trojan horse is a program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality

Techniques to hide a Trojan Horse program

    - changing/hiding the file extension

    - renaming the program file

    - setting a path variable
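Two defender-side checks for the hiding techniques listed above, as an added example that is not part of the original notes: flagging a file whose executable extension is hidden behind a benign-looking one, and flagging PATH entries (empty, ".", or relative) that let a look-alike program in whatever directory the user happens to be in run ahead of the real one. The extension list and the sample file names and PATH string are assumptions constructed for the example; it analyses a POSIX-style, colon-separated PATH.

```python
import posixpath

# Assumed list of extensions that Windows treats as programs (constructed
# for the example; extend it to match your own environment).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}


def double_extension_disguise(filename):
    """True when a file ends in an executable extension but shows a benign
    extension just before it, e.g. 'report.txt.exe': with known extensions
    hidden in the file browser the user sees only 'report.txt'."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    real_ext = "." + parts[-1]
    shown_ext = "." + parts[-2]
    return real_ext in EXECUTABLE_EXTENSIONS and shown_ext not in EXECUTABLE_EXTENSIONS


def risky_path_entries(path_value):
    """Return PATH entries that make command lookup depend on the current
    directory: empty entries, '.', and relative paths. With such an entry a
    program carrying the name of a system command, placed in a directory the
    user works in, is found before the genuine one."""
    return [entry for entry in path_value.split(":")
            if entry in ("", ".") or not posixpath.isabs(entry)]


def audit(filenames, path_value):
    """Run both checks and return the findings as a dict."""
    return {
        "disguised_files": [f for f in filenames if double_extension_disguise(f)],
        "risky_path_entries": risky_path_entries(path_value),
    }


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    sample_files = ["report.txt.exe", "notes.txt", "setup.exe",
                    "photo.jpg.scr", "archive.tar.gz"]
    sample_path = ".:/usr/local/bin:/usr/bin::bin"
    print(audit(sample_files, sample_path))
```

On a real machine, feed `audit()` the names from a directory listing and the value of the PATH environment variable; an empty entry is easy to miss by eye because it is produced by a stray colon such as `/usr/bin::/bin`.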

Wrappers

Trojaning Software Distribution Sites

Compromising the source code

    - Easter eggs

Example: Setiri

Hydan

Back Orifice

Back Orifice 2000, or BO2K as it is known, was released in July 1999 under the GNU General Public License (GPL). It is free for anyone to use or modify. It is very configurable, with point-and-click GUI configuration screens. The Back Orifice Trojan, like most RATs, has two parts: a server and a client. The server portion is preconfigured by the hacker and then somehow placed on the victim's machine. When the server program is executed, it automatically installs itself, hides its presence, and opens a new port number on the host machine. Often, if the right plug-in is included, it will email the hacker with the IP address of the new host victim. The client program is used by hackers to locate and manipulate server programs. The client and server programs must match on many configuration parameters in order to find each other: a client using the common port number of 31337 over TCP with XOR encryption will not work with a server using the UDP protocol or CAST-256 encryption. As shown in Figure 6-2, Back Orifice has a user-friendly GUI to help configure the server executable that will be placed on the victim's PC.

Figure 6-2: Back Orifice's server configuration GUI

Using the Back Orifice 2000 Server Configuration Utility, a hacker can configure a whole host of server options, including whether to use TCP or UDP, what port number to use, the encryption type, stealth mode (which works better on Windows 9x machines than on Windows NT), the password, and the use of plug-ins. Back Orifice has an impressive array of features, including keystroke logging, HTTP file browsing, registry editing, audio and video capture, password dumping, TCP/IP port redirection, message sending, remote reboot, remote lockup, packet encryption, and file compression. It comes with its own software developer's kit (SDK) so that its functionality can be extended by plug-ins.

Once installed, the server portion of the program runs on the host machine waiting for a client to connect. The server can simply open a particular predefined port number by starting its service (daemon process), or, if installed with the Butt Trumpet plug-in, it will send an email to the client's originator at a predetermined email address. In these cases, hackers usually choose a portal email system (e.g., Yahoo, Hotmail, etc.) where it is easy to be anonymous. Thus, the hacker can start a new email account, escape detection, and close it if needed.

If Back Orifice is running on a system, it can use its stealth abilities to hide from prying eyes. The server program will not appear on the task list, or if it does, it can appear as any legitimate executable name. Early versions of the Trojan allowed the filename to appear blank, and thus, the whole filename would be .EXE. By default, after the server program is installed on the host machine, it deletes the original Trojan file. Although Back Orifice network packets have a unique signature that can be monitored, BO2K has the ability to modify its data packet headers so they are not conspicuous. The only consistent, reliable way to detect Back Orifice is to use NETSTAT -A, and look for new ports that should not be opened on a particular machine. It also can't hurt to have a scanner or firewall that can detect BO scans.

In Example 6-5, NETSTAT -A reveals Back Orifice running on port 31337. The client is using port 1216 on the remote machine. Once the connection is established, the client can begin to send commands to control the server. The Back Orifice client offers an array of features and commands that can be sent to the server portion of the program. Pick a command or feature and select the Send Command button to control the server located on the host machine. In Figure 6-3, I sent a text message to the server program.

Example 6-5: NETSTAT -A with Back Orifice running on port 31337 and a client using port 1216 on the remote machine

Active Connections
 
  Proto  Local Address          Foreign Address        State
  TCP    roger:5679             ROGER:0                LISTENING
  TCP    roger:137              ROGER:0                LISTENING
  TCP    roger:138              ROGER:0                LISTENING
  TCP    roger:nbsession        ROGER:0                LISTENING
  TCP    roger:31337            ROGERLAP:1216          ESTABLISHED
  UDP    roger:nbname           *:*                    
  UDP    roger:nbdatagram       *:*                    
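The detection step the text recommends, comparing NETSTAT -A output against the ports a machine is supposed to expose, as an added example that is not part of the original notes. It embeds the listing from Example 6-5 as constructed sample input; the baseline of expected ports is an assumption for the example, and on a real host it would come from an inventory taken while the machine was known to be clean.

```python
import re

# Constructed sample input: the NETSTAT -A listing from Example 6-5,
# embedded here so the script runs offline.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    roger:5679             ROGER:0                LISTENING
  TCP    roger:137              ROGER:0                LISTENING
  TCP    roger:138              ROGER:0                LISTENING
  TCP    roger:nbsession        ROGER:0                LISTENING
  TCP    roger:31337            ROGERLAP:1216          ESTABLISHED
  UDP    roger:nbname           *:*
  UDP    roger:nbdatagram       *:*
"""

# Assumed baseline: the local ports this particular host is known to expose.
EXPECTED_LOCAL_PORTS = {
    "TCP": {"5679", "137", "138", "nbsession"},
    "UDP": {"nbname", "nbdatagram"},
}

# Default port the text gives for Back Orifice; used only to label a finding,
# since the server can be configured to listen anywhere.
KNOWN_RAT_PORTS = {"31337"}

# One socket line: protocol, local host:port, foreign address, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Parse Windows NETSTAT -A output into a list of socket dicts."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # title, blank and column-header lines are skipped
            continue
        proto, host, port, foreign, state = m.groups()
        records.append({"proto": proto, "host": host, "port": port,
                        "foreign": foreign, "state": state or ""})
    return records


def unexpected_sockets(records, expected=EXPECTED_LOCAL_PORTS):
    """Return sockets whose local port is not in the baseline for its protocol."""
    return [r for r in records
            if r["port"] not in expected.get(r["proto"], set())]


def describe(record):
    """Human-readable finding for one unexpected socket."""
    tag = (" (matches the Back Orifice default port)"
           if record["port"] in KNOWN_RAT_PORTS else "")
    return (f"{record['proto']} port {record['port']} {record['state'] or 'open'} "
            f"with {record['foreign']}{tag}")


if __name__ == "__main__":
    for rec in unexpected_sockets(parse_netstat(SAMPLE_NETSTAT)):
        print("UNEXPECTED:", describe(rec))
```

The check is only as good as the baseline: a port is "unexpected" because it is absent from the inventory, not because it is 31337, which is why the known-port label is advisory. As the text notes, the server can also rename itself and hide from the task list, so the socket listing is the more reliable artefact to compare.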

Figure 6-3: The Back Orifice client

Most of the time the server process is invisible to the user, although the slightest syntax or process error on behalf of the client will cause a noticeable runtime error on the server. Back Orifice's developers didn't put in enough error-checking code in their server program. Still, most of these errors don't kill the server program (some do), and most victims don't know that the error on their screen has anything to do with a Trojan.

If a machine is compromised by a RAT, the remote hacker can do anything the local user's security allows. Although most RATs are operated by teenagers without serious harmful intent, malevolent deeds can easily be accomplished. Many within the security industry believe corporate spying is occurring on a grand scale. A business competitor could read a company's financial statements, future strategies, cost breakdowns, and intended sales prices, and record the audio and video feeds of important conversations. A report in a 1996 edition of Government Information Technology Issues magazine revealed that the FBI is investigating at least 250 major hacking crimes at any one time. In order for the FBI to be involved the crime must be of a significant dollar amount and cross state lines. The same report said over $800 million of extortion money has been paid to hackers in the last few years, while 83 percent of hacker-related cases go unreported. This 1996 report was released before the release of easy-to-use RATs. Statistics today would easily quadruple those amounts. Increasingly, protecting the privacy of our home machines is important. Figure 6-4 shows one of the most serious types of threats from a RAT. A Back Orifice server is running on a host computer. In this example, the user is connecting to his online bank to check his bank balance. The client portion of Back Orifice was used to send a fake message to prompt the user for their Visa account information.

Figure 6-4: Remote access Trojans can easily compromise security

Even if a user didn't fall for this trick, the remote hacker is watching the customer enter his account number and PIN. The hacker could then view financial transactions, transfer money, and withdraw cash (at the ATM). Everywhere the user goes, the hacker can go. In the world of malicious mobile code, backdoor Trojans and RATs rank high on the list of realistic threats.

Rootkits

Chapter 7 (Introduction only - up to page 306, UNIX RootKits).

RootKits are Trojan horse backdoor tools that modify existing operating system software so that an attacker can keep access to and hide on a machine.

User-mode RootKits manipulate user-level operating system elements and processes.

Kernel-mode RootKits manipulate operating system software (kernel).

Rootkits allow an unauthorized person to gain access to the superuser or domain administrator's account. The same software can let an intruder hide his or her tracks, steal or remove files on a system and so forth. A rootkit can allow someone to maintain access to a hijacked computer. A programmer can write a rootkit for any type of operating system. If you have read about companies losing 40,000 customer files, then you will usually find a rootkit to blame.

User-level rootkits are easy to detect and remove. At this level, the software replaces one or more of a legitimate user's applications with a modified program. On Unix-style and newer proprietary systems you can detect a user-level rootkit if you trust the kernel. Programs like AIDE and Tripwire can detect this type of rootkit.

Kernel level rootkits are difficult to find, since you cannot trust the kernel on which the rootkit exists. We've seen kernel-level rootkits delete logs to hide an intruder's tracks and replace system calls. Kernel level rootkits can exist as a Linux Kernel Module (LKM) or a service on a Windows server. Recently, I found a rogue service running on a Windows 2003 R2 server in a test environment. Some examples of LKM rootkits are Afhrm and Synapsis. Earlier Windows kernel mode Trojans included Slanret, IERK, and Backdoor-AL.

Since you cannot trust the kernel, security specialists install packet sniffers on unaffected machines and look at the packets sent to and from the machine on which they suspect a rootkit exists. Another way to detect kernel-level rootkits is to boot from a live CD: the live CD has a kernel you can trust and lets you investigate the drives.

Monitor your system with file integrity checks that look for changes on the machine. Take a fingerprint of a newly installed OS image, and again after adding new software. A fingerprint is a cryptographic hash of all the data in each file. Once you have the hashes, you can compare the stored hash values against freshly computed ones, detect changes, and see whether someone has put a rogue program on your system.
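The fingerprint-and-compare procedure just described, which is also what tools like AIDE and Tripwire do for user-level rootkit detection, as an added example that is not part of the original notes or of either tool. It hashes every regular file under a directory, stores the digests as a baseline, and later classifies what changed. The file tree it builds in a temporary directory is a constructed scenario for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint_tree(root, algorithm="sha256"):
    """Return {relative path: hex digest} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.new(algorithm)
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):  # stream large files
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_fingerprints(baseline, current):
    """Classify every difference between a stored baseline and a fresh run."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, then change it the way a
    user-level rootkit would (replace a system binary, drop a new file,
    delete a log). Returns the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "var").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original ls\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho original ps\n")
        (root / "var" / "auth.log").write_bytes(b"login ok\n")
        baseline = fingerprint_tree(root)  # taken right after installation

        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho replaced ls\n")
        (root / "bin" / "sniff").write_bytes(b"constructed placeholder binary")
        (root / "var" / "auth.log").unlink()
        current = fingerprint_tree(root)   # taken during a later check
        return compare_fingerprints(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two practical caveats follow from the surrounding text. The stored baseline has to live somewhere the intruder cannot rewrite it (read-only media or another machine), or a rootkit simply re-fingerprints its own files. And because a kernel-level rootkit can hand the checker falsified file contents, the comparison is only trustworthy when run from a kernel you trust, such as the live CD mentioned above.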