Backdoors
- Provide an attacker with remote access to your system
- Very common type of malware
- Commonly seen variants include:
  - Reverse shells
  - Remote Access Trojans / Remote Administration Tools (RATs)
  - Botnets
- Commonly communicate over port 80 using HTTP
- Botnets vs. RATs:
  - Botnets infect millions of hosts; RATs typically control fewer hosts
  - Botnets are used in mass attacks; RATs are used in targeted attacks
  - All botnet 'zombies' are controlled at once; RATs are controlled on a per-victim level
Botnets
- Collection of compromised hosts (known as zombies)
- Controlled by a single entity through the use of a server
- Goal of a botnet is to compromise as many hosts as possible
- Functionality is more likely to be targeted at (malicious) external actions than at manipulating the infected machine itself
RATs
- A RAT is used to remotely manage a computer
- Often used in targeted attacks with a specific goal
- Typically communicate over common ports (80, 443)
- The RAT 'server' runs on the victim, implanted by the malware
- The 'client' runs remotely as the command-and-control unit operated by the attacker
- The server connects back to the command-and-control unit to start the connection; from then on the client controls the server
Functionality
- Common backdoor capabilities include:
  - Manipulating registry keys
  - Enumerating display windows
  - Creating directories
  - Searching files
- The functionality a backdoor provides can be determined by looking at the Windows API functions it imports
Reverse Shells
- Simplest form of backdoor
- Provides the attacker with a standard shell
- Offers the same functionality as being logged into the machine
- Called a reverse shell because, rather than the attacker connecting to the infected machine, the infected machine connects back to a machine controlled by the attacker
- Either offered standalone, or as part of a more sophisticated backdoor
- Basic Windows method: start cmd.exe and redirect its I/O, e.g. using the netcat program
- Can set hStdInput, hStdOutput and hStdError (the standard-handle fields of the STARTUPINFO structure passed to CreateProcess) to change where the program's input and output are sent; these are standard Windows HANDLEs and can simply be set to any valid HANDLE
- This basic method is popular among malware authors
- A multithreaded variant:
  - Create a socket in the normal fashion
  - Establish a connection to the remote server
  - cmd.exe is not connected directly to the socket; its I/O is connected to pipes instead
  - One thread reads data from the socket and writes it to the relevant pipe
  - The other thread reads data from the pipe and writes it to the socket
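Added example (not part of these notes) of the import-based triage from the functionality section above, applied to the reverse-shell pattern just described: it takes a list of imported API names, as a PE parser such as pefile would report them, and reports which capabilities from the notes that combination of imports supports. The import list below is constructed, not taken from a real sample.

```python
"""Capability triage over a PE's import list (analyst-side, read-only)."""
from typing import Dict, List, Set

# Each capability is a list of requirements. A requirement is satisfied by ANY
# of its alternative API names; a capability needs ALL of its requirements.
CAPABILITIES: Dict[str, List[Set[str]]] = {
    "registry manipulation": [
        {"RegOpenKeyExA", "RegOpenKeyExW", "RegCreateKeyExA", "RegCreateKeyExW"},
        {"RegSetValueExA", "RegSetValueExW"},
    ],
    "window enumeration": [{"EnumWindows", "FindWindowA", "FindWindowW"}],
    "directory creation": [{"CreateDirectoryA", "CreateDirectoryW"}],
    "file search": [{"FindFirstFileA", "FindFirstFileW"},
                    {"FindNextFileA", "FindNextFileW"}],
    "outbound connection": [{"WSAStartup"},
                            {"socket", "WSASocketA", "WSASocketW"},
                            {"connect", "WSAConnect"}],
    # Multithreaded reverse-shell pattern from the notes: a socket, a spawned
    # cmd.exe, pipes for its I/O and threads to relay between pipe and socket.
    "reverse shell (pipe relay)": [{"socket", "WSASocketA", "WSASocketW"},
                                   {"connect", "WSAConnect"},
                                   {"CreateProcessA", "CreateProcessW"},
                                   {"CreatePipe"},
                                   {"CreateThread"}],
}

def match_capabilities(imports: List[str]) -> Dict[str, List[str]]:
    """Return {capability: [imports that evidence it]} for fully matched rules."""
    present = {name.strip() for name in imports}
    found: Dict[str, List[str]] = {}
    for capability, requirements in CAPABILITIES.items():
        evidence: List[str] = []
        for alternatives in requirements:
            hits = sorted(alternatives & present)
            if not hits:          # one requirement unmet -> rule does not fire
                break
            evidence.extend(hits)
        else:                     # loop ran to completion: every requirement met
            found[capability] = evidence
    return found

# Constructed import list resembling what a PE parser would list for a binary
# using the pipe-relay reverse shell plus some registry writes.
SAMPLE_IMPORTS = ["WSAStartup", "socket", "connect", "send", "recv", "CreatePipe",
                  "CreateProcessA", "CreateThread", "ReadFile", "WriteFile",
                  "RegOpenKeyExA", "RegSetValueExA", "ExitProcess"]

if __name__ == "__main__":
    for capability, evidence in match_capabilities(SAMPLE_IMPORTS).items():
        print(f"{capability}: {', '.join(evidence)}")
```

A single import such as CreateThread proves nothing on its own; the rule only fires when the whole pattern the notes describe is present, which keeps false positives from ordinary networked programs low.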