The game "whackamole.exe" (file size 314,636 bytes), credited to "John", alias <ecoli_@hotmail.com>, is actually the Netbus Trojan. It is contained within Whackjob.zip and installs "patch.exe" (the Netbus server portion) from the InstallShield script of the game's installer. The program Netbus.exe is renamed Explore.exe during the install. This can also be installed arbitrarily using the "DotLess IP address" exploit (better known as the "Buffer Overrun" exploit). Version 2.0 runs on port 20043 with the "added feature" of automatically clearing the log file every time the PC is rebooted.
Registry keys added:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dl_
Registry key values added:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dl_\@="exefile"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dl_\ContentType="application/x-msdownload"
It also adds Rundll32:Reg_SZ:rundll2.dl_ to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ken Williams noted in a post to Bugtraq that "BoSniffer.zip", which its author claimed could block key points in the registry from Back Orifice as well as search for existing installs of the backdoor, was in fact a Trojan.
His detailed examination revealed that it is actually a BO server with the "SpeakEasy" plug-in installed. If "BoSniffer.exe" is run, the BoSniffer executable (BO server Trojan with SpeakEasy) will "attempt to log into a predetermined IRC server on channel #BO_OWNED with a random username. It then proceeds to announce its IP address and a custom message every few minutes."
This program, "BoSniffer.zip", is being widely distributed as a "cure for Back Orifice infections". It is likely that it is also being distributed with other software packages and under other names. Listed below are relevant details about this program.
File sizes (in bytes):
- BoSniffer.exe: 231068
- BoSniffer.zip: 108573
Evidence that BoSniffer.zip is really the BO server with the SpeakEasy plug-in (strings found at the given file offsets):
- sector 0x028C38: irc.lightning.net:7000:Hey MASTER where are u!!!
- sector 0x0303F0 - sector 0x0306D8
- sector 0x031848: SpeakEasy.dll
- sector 0x0318A8 - sector 0x031980: #BO_OWNED with IRC commands: Own Me @ .NOTICE JOIN #BO_OWNED host server :Owned USERNICK BO .QUIT Psssst...Speakeasy was told to shut down .NOTICE #BO_OWNED :Psssst...Speakeasy just started up
Tools
FireKiller, written by Iridium, is a Trojan that on execution kills any resident protection software. For instance, if the Norton Antivirus Auto-Protect option is running in the taskbar and the AT Guard firewall is activated, this program will kill both on execution and make the installations of both unusable on the machine. To use them again, the user will have to reinstall them.
It has been noted to work with all major protection software such as AT Guard, Conceal, Norton Antivirus and McAfee Antivirus. Later patches detect this Trojan. It is typically used in conjunction with an .exe binder, which binds it to a Trojan before binding this file (Trojan plus FireKiller2000) to some other dropper.
The same author has written another Trojan called FireCracker. It automatically detects AT Guard, Zone Alarm and/or McAfee Firewall, deactivates it and deletes it from the hard disk. The original firewall icons remain in the taskbar all the time, so it looks as if nothing has happened. It also re-loops the functions so that the victim must reboot the machine to reinstall the firewall(s).
Note
The Internet Control Message Protocol (ICMP) is an adjunct to the IP layer. It is a connectionless protocol used to convey error messages and other information to unicast addresses. ICMP packets are encapsulated inside IP datagrams. The first 4 bytes of the header are the same for every ICMP message, with the remainder of the header differing between ICMP message types. There are 15 different types of ICMP messages.
The ICMP types we are concerned with are type 0x0 and type 0x8. ICMP type 0x0 specifies an ICMP_ECHOREPLY (the response) and type 0x8 indicates an ICMP_ECHO (the query). The normal course of action is for a type 0x8 to elicit a type 0x0 response from a listening server. (Normally, this server is actually the OS kernel of the target host; most ICMP traffic is, by default, handled by the kernel.) This is what the ping program does.
The concept of ICMP tunneling involves tunneling arbitrary information in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets and using them to carry the payload.
Attack Methods
Covert channels are methods by which an attacker can hide data inside a protocol so that it goes undetected. Covert channels rely on a technique called tunneling, which allows one protocol to be carried over another protocol. A covert channel is a vessel through which information can pass, but this vessel is not ordinarily used for information exchange.
Therefore, as a matter of consequence, covert channels are impossible to detect and deter using a system's normal (read: unmodified) security policy. In theory, almost any process or bit of data can be a covert channel. In practice, it is usually quite difficult to elicit meaningful data from most covert channels in a timely fashion.
This makes it an attractive mode of transmission for a Trojan. The attacker can use the covert channel to install the backdoor on the target machine.
Concept
The concept of ICMP tunneling is simple: arbitrary information is tunneled in the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets. This exploits the covert channel that exists inside ICMP_ECHO traffic. This channel exists because network devices do not filter the contents of ICMP_ECHO traffic; they simply pass them, drop them, or return them. The Trojan packets themselves are masqueraded as common ICMP_ECHO traffic, so any information can be encapsulated (tunneled) in them.
Tools
Loki is a working proof-of-concept to demonstrate that data can be transmitted rather stealthily across a network by hiding it in traffic that normally does not contain payloads. The example code in the original Phrack magazine article can tunnel the equivalent of a Unix RCMD/RSH session in either ICMP echo request (ping) packets or UDP traffic to the DNS port. It is used as a back door into a Unix system after root access has been compromised. The presence of Loki on a system is evidence that the system has been compromised in the past.
Although the payload of an ICMP packet is often timing information, no device checks the content of the data. So, as it turns out, this data can be arbitrary in content as well. Therein lies the covert channel. A covert channel is a vessel through which information can pass, but this vessel is not ordinarily used for information exchange. Therefore, covert channels are impossible to detect and deter using a system's normal security policy.
Loki exploits the covert channel that exists inside of ICMP_ECHO
traffic. This channel exists because network devices do not filter the contents
of ICMP_ECHO traffic. The Trojan packets themselves are masqueraded as common
ICMP_ECHO traffic. It can be used as a backdoor into a system by providing a
covert method of getting commands executed on a target machine. The LOKI packet
with a forged source IP address will arrive at the target (and will elicit a
legitimate ICMP_ECHOREPLY, which will travel to the spoofed host, and will be
subsequently dropped silently) and can contain the 4-byte IP address of the
desired target of the Loki response packets, as well as 51-bytes of malevolent
data.
The important aspect of Loki is that routers, firewalls, packet filters and dual-homed hosts can all serve as conduits for Loki. A surplus of ICMP_ECHOREPLY packets with a garbled payload can be a ready indication that the channel is in use. The standalone Loki server program can be easily detected. However, if the attacker keeps traffic on the channel to a minimum and hides the Loki server inside the kernel, detection is almost impossible.
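Added example (not code from the page, from Loki or from any tool named here): a Python script that parses IPv4/ICMP datagrams and flags echo request and echo reply traffic whose payload is neither the stock Linux nor the stock Windows ping filler, which is the "garbled payload" indication described above. The packets it checks, the 10.0.0.x addresses and the TUNNEL_PAYLOAD bytes are all constructed for the example.

```python
import math
import struct

ICMP_ECHOREPLY, ICMP_ECHO = 0, 8
# Stock ping filler: Linux sends an 8-byte timestamp then 0x10, 0x11, ... 0x3f; Windows a fixed string.
LINUX_PATTERN = bytes(range(0x10, 0x40))
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"
TUNNEL_PAYLOAD = bytes((i * 37 + 11) % 256 for i in range(56))  # constructed, not a Loki capture

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over ICMP header plus payload."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(itype: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Sample IPv4 datagram 10.0.0.1 -> 10.0.0.2 carrying one ICMP message (IP checksum left 0)."""
    icmp = struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp

def parse_icmp(packet: bytes):
    """Return (type, ident, seq, payload) if the datagram carries ICMP (protocol 1), else None."""
    if len(packet) < 28 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4  # honour IP options
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    return itype, ident, seq, packet[ihl + 8:]

def entropy(data: bytes) -> float:
    n = len(data)  # Shannon entropy in bits per byte; 0.0 for an empty payload
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data)) if n else 0.0

def is_stock_payload(payload: bytes) -> bool:
    return payload == WINDOWS_PATTERN or (
        len(payload) >= 8 and payload[8:] == LINUX_PATTERN[:len(payload) - 8])

def classify(packet: bytes) -> str:
    """'ignore' (not echo), 'stock' (ping filler), 'suspect' (high-entropy non-stock), or 'unusual'."""
    parsed = parse_icmp(packet)
    if parsed is None or parsed[0] not in (ICMP_ECHO, ICMP_ECHOREPLY):
        return "ignore"
    if is_stock_payload(parsed[3]):
        return "stock"
    return "suspect" if entropy(parsed[3]) > 3.0 else "unusual"
```

Run over a capture, a steady stream of "suspect" echo replies between one pair of hosts is the surplus of garbled replies the text describes; "unusual" covers low-entropy but non-stock payloads such as custom ping patterns.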
Stateful firewalls are the enhanced version of packet filters. They still do the same checking against a rule table and only route if permitted, but they also keep track of state information such as TCP sequence numbers. Some pay attention to application protocols to ensure that only legitimate traffic passes through. These filters can pass UDP packets (e.g. for DNS and RPC) through the firewall with a good degree of safety, which matters because UDP is a stateless protocol; RPC services are more difficult. However, this does not solve the problem of ICMP covert channels, because ICMP echo packets are also subject to the firewall rules.
If there is no rule to allow ping, then all such packets get dropped. If the ping came over a tunnel and the interface is not configured to force tunnel traffic up to the proxies, then the ping packets are sent unmodified.
There are a few countermeasures that may help keep Loki at bay.
Countermeasures
- Disable external ICMP_ECHO traffic entirely. This has serious implications for normal network management, since it affects network communication management within the local segment. However, the filtering can be configured to allow internal ping traffic and drop packets coming from the outside.
- Disable ICMP_ECHO_REPLY traffic on a Cisco router. The security implications make this a prudent choice.
- Ensure that the routers are configured not to send ICMP_UNREACHABLE error packets to hosts that do not respond to ARPs.
Attack Methods
This Trojan (the reverse WWW shell) can work through any firewall that allows users to access the Internet. It is the reverse of a straight HTTP tunnel. The program is run on the internal host, which spawns a child every day at a set time. The child program appears as a user to the firewall, which in turn allows it to access the Internet. However, this child program executes a local shell and connects to the web server owned by the attacker on the Internet through a legitimate-looking HTTP request and sends it a 'ready' signal. The legitimate-looking answer of the web server owned by the attacker is in reality the commands the child will execute in its machine's local shell. All traffic is converted into a Base64-like structure and given as the value of a CGI query string to prevent caching.
Example of a connection:
Slave sends:
  GET /cgi-bin/order?M5mAejTgZdgYOdgIOoBgFfVYTgjFLdgxEdbiHe7krj HTTP/1.0
Master replies with:
  g5mAlfbknz
For instance, the GET of the internal host (SLAVE) is just the command prompt of the shell; the answer is an encoded "ls" command from the hacker on the external server (MASTER). The SLAVE tries to connect daily at a specified time to the MASTER if needed; the child is spawned so that, if the shell hangs for whatever reason, the attacker can check and fix it the next day.
In case the administrator sees connections to the attacker's server and connects to it himself, he will just see a broken web server, because there is a token (password) in the encoded CGI GET request. WWW proxies (e.g. squid) are supported, and the program masks its name in the process listing. The programs are reasonably small, with the master and slave program being just one 260-line Perl file. Usage is simple: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and just run "rwwwshell.pl" on the MASTER just before it is time for the slave to try to connect.
Sample of reverse HTTP shell:

                   HTTP                          HTTP
  |Internal| ------------> |PROXY| --> |FIREWALL| <------------> |Attacker|
    SLAVE                                                          MASTER
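Added example, not part of the page or of rwwwshell.pl: a Python detector that reads squid access-log lines and reports clients that send encoded, single-token CGI queries to one host at about the same time of day on several days, which is the pattern the reverse WWW shell produces when the slave connects daily. The log lines, hostnames and query values are constructed (the first query value is the one shown in the exchange above).

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# A query that is one bare base64-alphabet token, 20+ chars, optional '=' padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")

# Constructed squid native access.log lines (time elapsed client code/status bytes method URL ...).
# 10.1.2.3 reaches the same host at about 08:00 UTC on three consecutive days (2003-01-06..08);
# the query values are constructed stand-ins for the encoded shell traffic.
SAMPLE_LOG = """\
1041840005.118 250 10.1.2.3 TCP_MISS/200 412 GET http://www.attacker.example/cgi-bin/order?M5mAejTgZdgYOdgIOoBgFfVYTgjFLdgxEdbiHe7krj - DIRECT/203.0.113.5 text/html
1041840100.201 80 10.1.2.3 TCP_MISS/200 9031 GET http://www.example.com/search?q=firewall+rules - DIRECT/203.0.113.9 text/html
1041840420.007 60 10.1.2.9 TCP_HIT/200 2048 GET http://cdn.example.net/asset?XyZ01abcDEF23ghiJKL45mno - NONE/- image/png
1041926592.330 240 10.1.2.3 TCP_MISS/200 398 GET http://www.attacker.example/cgi-bin/order?Qw9pLx3ZkT7rVb2NcM8yHs4GfJ - DIRECT/203.0.113.5 text/html
1042012841.954 233 10.1.2.3 TCP_MISS/200 405 GET http://www.attacker.example/cgi-bin/order?aB3dE5fG7hJ9kL2mN4pQ6rS8tU - DIRECT/203.0.113.5 text/html
"""

def entropy(s: str) -> float:
    n = len(s)  # Shannon entropy in bits per character; 0.0 for an empty string
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0

def parse_squid(line: str):
    """Return (timestamp, client, method, url) for a squid native-format line, else None."""
    f = line.split()
    return (float(f[0]), f[2], f[5], f[6]) if len(f) >= 7 else None

def is_encoded_query(url: str, min_entropy: float = 3.5) -> bool:
    """True when the whole query string is a single high-entropy base64-like blob
    rather than ordinary key=value parameters."""
    q = urlsplit(url).query
    return bool(B64_TOKEN.match(q)) and entropy(q.rstrip("=")) >= min_entropy

def find_reverse_shell_beacons(log: str, window_minutes: int = 15) -> dict:
    """Map (client, host) -> hit count for clients that GET encoded queries from one host
    at about the same time of day on two or more distinct days."""
    hits = defaultdict(list)
    for line in log.splitlines():
        p = parse_squid(line)
        if p and p[2] == "GET" and is_encoded_query(p[3]):
            hits[(p[1], urlsplit(p[3]).hostname)].append(datetime.fromtimestamp(p[0], timezone.utc))
    beacons = {}
    for key, times in hits.items():
        minutes = [t.hour * 60 + t.minute for t in times]
        if len({t.date() for t in times}) >= 2 and max(minutes) - min(minutes) <= window_minutes:
            beacons[key] = len(times)
    return beacons
```

A single encoded request (the cdn.example.net line) is not reported on its own; it is the daily repetition to one host that matches the slave's scheduled connect.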
Countermeasure
It is clear that a tight application gateway firewall with a strict policy is essential. Ideally, DNS resolving should only be done on the WWW/FTP proxies, and access to the WWW given only after proxy authentication. Mail should be on a separate server. A secure solution would be to set up a second network which is connected to the Internet, and keep the real one separated.
Perhaps the old adage 'Prevention is better than cure' holds the
greatest relevance here.
Countermeasures
- The first line of defense is to educate users about the dangers of installing applications downloaded from the Internet and to take great caution if they have to open any mail attachment.
- The second line of defense can be antivirus products that are capable of recognizing Trojan signatures. Ensure that their updates are regularly applied across the network.
- The third line of defense comes from keeping application versions updated by following security patches and vulnerability announcements.
An inexpensive tool called Cleaner (http://www.moosoft.com/cleanet.html) can identify and eradicate 1000 types of backdoor programs and Trojans. Some of the other anti-Trojan software is:
- TDS-3 (http://tds.diamondcs.com.au)
- Hacker Eliminator (http://www.lockdown2000.com)
- Trojan Remover (http://www.simplysup.com/tremover/details.html)
- Pest Patrol (http://www.safersite.com/)
- Anti-Trojan (http://www.anti-trojan.net)
- Tauscan (http://www.agnitum.com/products/tausean)
- The Cleaner (http://www.moosoft.com)
- PC Door Guard (http://www.trojanclinic.com/pdg.html)
- Trojan Hunter (http://www.mischel.dhs.org/trojanhunter.jsp)
- LogMonitor (http://www.logmon.bitrix.ru/logmon/eng/)
Tools
fport supports Windows NT4, Windows 2000 and Windows XP. fport reports all open TCP/IP and UDP ports and maps them to the owning application. This is similar to the information seen using the 'netstat -an' command. However, it also maps those ports to running processes with the PID, process name and path. fport can be used to quickly identify unknown open ports and their associated applications, which the 'netstat -a' command does not show.
Usage:
  C:\>fport
  Pid   Process            Port  Proto Path
  392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
  8     System         ->  139   TCP
  8     System         ->  445   TCP
  508   MSTask         ->  1025  TCP   C:\WINNT\system32\MSTask.exe
  392   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
  8     System         ->  137   UDP
  8     System         ->  138   UDP
  8     System         ->  445   UDP
  224   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
  212   services       ->  1026  UDP   C:\WINNT\system32\services.exe
The program has five (5) switches. A switch may be given with either a '/' or a '-' preceding it. The switches are:
- /? usage help
- /p sort by port
- /a sort by application
- /i sort by pid
- /ap sort by application path
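Added example, not part of fport or of the page: a Python script that parses fport's listing into rows and compares a later run against a known-good baseline, so that a new listener, or a familiar port bound from an unexpected path, stands out. The baseline rows are the listing shown above; the two extra rows in LATER_OUTPUT are constructed, the Explore.exe row mirroring the renamed Netbus server and port 20043 described at the start of this page.

```python
import re
from collections import namedtuple

Listener = namedtuple("Listener", "pid process port proto path")
# One fport row: "<pid> <process> -> <port> <TCP|UDP> [<path>]" (System rows carry no path).
FPORT_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

# Known-good snapshot: the fport listing shown above.
BASELINE_OUTPUT = r"""
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
8     System         ->  445   TCP
508   MSTask         ->  1025  TCP   C:\WINNT\system32\MSTask.exe
392   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
8     System         ->  137   UDP
8     System         ->  138   UDP
8     System         ->  445   UDP
224   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
212   services       ->  1026  UDP   C:\WINNT\system32\services.exe
"""
# Constructed later run: same rows plus two that should stand out (Explore.exe on 20043/TCP; 135/TCP from an odd path).
LATER_OUTPUT = BASELINE_OUTPUT + r"""
1044  Explore        ->  20043 TCP   C:\WINNT\Explore.exe
1100  svchost        ->  135   TCP   C:\TEMP\svchost.exe
"""

def parse_fport(output: str) -> list:
    """Parse fport rows; the header line and blank lines do not match and are skipped."""
    rows = []
    for line in output.splitlines():
        m = FPORT_ROW.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append(Listener(int(pid), proc.lower(), int(port), proto, path.lower()))
    return rows

def baseline_of(output: str) -> set:
    return {(r.process, r.port, r.proto, r.path) for r in parse_fport(output)}

def audit_fport(output: str, baseline: set) -> list:
    """Rows absent from the baseline: 'unexpected-owner' if port/proto is known, else 'unknown-listener'."""
    known_ports = {(port, proto) for _, port, proto, _ in baseline}
    findings = []
    for r in parse_fport(output):
        if (r.process, r.port, r.proto, r.path) not in baseline:
            reason = "unexpected-owner" if (r.port, r.proto) in known_ports else "unknown-listener"
            findings.append((reason, r))
    return findings
```

PIDs are deliberately left out of the baseline key, since they change on every boot; the process name, port, protocol and path are what a Trojan such as the renamed Netbus server cannot keep consistent with a clean snapshot.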
Tools
TCPView is a Windows program that shows detailed listings of all TCP and UDP endpoints on the system, including the local and remote addresses and the state of TCP connections. On Windows NT, 2000 and XP, TCPView also reports the name of the process that owns the endpoint.
TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. TCPView works on Windows NT/2000/XP and Windows 98/ME.
Using TCPView
When TCPView is run, it will enumerate all active TCP and UDP
endpoints, resolving all IP addresses to their domain name versions. On Windows
XP systems, TCPView shows the name of the process that owns each endpoint.
By default, TCPView updates every second. Endpoints that change
state from one update to the next are highlighted in yellow; those that are
deleted are shown in red, and new endpoints are shown in green. The user can
close established TCP/IP connections (those labeled with a state of ESTABLISHED)
and save TCPView's output window to a file as well.
A similar utility, TDImon, allows the user to monitor TCP and UDP activity on the local system. It is the most powerful tool available for tracking down network-related configuration problems and analyzing application network usage. On Windows NT and Windows 2000, simply execute the TDImon program file (tdimon.exe) and TDImon will immediately start capturing TCP/IP activity. As events are printed to the output, they are tagged with a sequence number.
Tools
PrcView is a process viewer utility that displays detailed information about processes running under Windows. For each process it displays memory, thread and module usage. For each DLL it shows the full path and version information.
PrcView comes with a command line version that allows the user to write scripts to check if a process is running, kill it, etc. The main window shows a list of running processes including information such as process ID, priority, and full path to the process module. The user can sort columns by clicking on the column header.
With the Process Finder Tool one can find the process
corresponding to a selected window. The Process Tree shows the process hierarchy
for all running processes. The desired task can be selected by clicking on the
process item in the Process Tree window.
Module Usage gives information about all loaded modules in the system, including the module name, the module base address in process space, the module size and the full path to the loaded module. Selecting a module from the module list shows only the processes which use the selected module.
Kill Process is just another way to kill a selected process. Note that killing a process can cause undesired results, including loss of data and system instability. The process will not be given a chance to save its state or data before it is terminated. It is advisable to try the "Notify" button in the "Kill" dialog first, which asks a GUI-based application to close itself (via WM_SYSCOMMAND).