Skip to main content

Backdoors

  • Provide attacker with remote access to your system
  • Very common type of malware
  • Commonly seen variants include
    • Reverse Shells
    • Remote Access Trojans/Remote Administration Tool (RATs)
    • Botnets
  • Commonly communicate over port 80 using HTTP

Rats and Bots

  • Botnets infect millions of hosts, RATs typically control fewer hosts
  • Botnets are used in mass attacks. Rat used in targeted attacks
  • All botnet 'zombies' controlled at once. RATs controlled on a per-victim level

Botnet

  • Collection of compromised hosts (known as zombies)
  • Controlled by a single entity through the use of a server
  • Goal of a botnet is to compromise as many hosts as possible
  • Functionality more likely to be targeted at (malicious) external actions rather than manipulating the infected machine

RAT

  • RAT used to remotely manage a computer
  • Often used in targeted attacks with a specific goal
  • Typically communicate over common ports (80,443)
  • RAT server runs on the victim, implanted with malware
  • 'Client' runs remotely as a command and control unit operated by the attacker
  • Server connects back to command and control unit to start a connection then controlled by the client

Functionality

  • Manipulate registry keys
  • Enumerate Display windows
  • Create directories
  • Search files Can determine the functionality provided by looking at the windows API functions imported

Reverse Shell

  • Simplest form of back door
  • Provides attacker with a standard shell
  • Offers same functionality as being logged into the machine
  • Called a reverse shell because rather than the attacker connected to the infected machine
  • Infected machine connects back to a machine controlled by the attacker
  • Either offered standalone, or as part of a sophisticated backdoor

Creating a reverse shell

  • Start cmd, redirect i/o. Using netcat program

Startup Info

  • Can set hStdInput, hStdOutput, hStdError to change where the programs input and output is sent
  • Standard windows HANDLEs just set to any valid HANDLE

Basic Reverse Shell

  • Basic method is popular among malware authors
  • Create a socket in the normal fashion
  • Establish connection to remote server

Multithread Reverse Shell

  • CMD not directly connected to socket connected to a pipe
  • One thread reads data from the socket, and then writes the data to the relevant pipe
  • Other thread reads data from the pipe and then writes the data to the socket