Trojan Horse & Backdoor Intrusion
CS 450 - Nathan Digangi
Trojan Horse
• Secret, undocumented routine embedded within a useful program
• Execution of the program results in execution of the secret code
• Not self-replicating (except when attached to a worm)
• Hidden in seemingly legitimate applications, ActiveX controls, or other program exploits
Trojan Functions
• Botnet node
• Data theft
• File modification
• Keystroke logging
• Screen captures
• Backdoors
• RAT – Remote Access Tool or Remote Administration Tool
• Widely used by “script kiddies”
List of Trojan Horses
2004
  • Nuclear RAT (Remote Administration Tool) – Windows NT kernel backdoor
  • Vundo – Popup advertisements and DoS attacks
  • Bifrost – Windows backdoor
2005
  • Zlob – Popup advertisements. Disguises itself as a required video codec
  • Bandook RAT – Windows backdoor. Uses process hijacking and kernel patching to bypass firewalls
2006
  • Leap, or Oompa-Loompa – First ever Mac OS X malware trojan; spread through a worm using iChat
2007
  • Storm Worm – Botnet trojan spread through an email worm
2008
  • Mocmex – Trojan that infected digital photo frames
  • Torpig – Turns off antivirus, steals data, and installs more malware
  • Bohmini.A – Backdoor RAT that exploits security flaws in Adobe Flash 9.0.115 with Internet Explorer 7.0 and Firefox 2.0 under Windows XP SP2
2010
  • Alureon – Trojan and rootkit that intercepts system network traffic and searches it for usernames, passwords, and credit card data. Caused BSoD problems after a Patch Tuesday update
Backdoor Intrusion
• Bypass normal authentication, security, and access routines (RAT)
• Provide secret functionality or hidden areas in a program (Easter eggs)
• Symmetric backdoor – anyone who finds it can use it; it is usually discovered by port scanning
• Asymmetric backdoor – can only be used by the attacker who planted it, because of the use of encryption methods (more difficult to detect)
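As an added example (not from these slides), the defender's counterpart to the port-scan discovery of a symmetric backdoor: a small Python audit that parses text in the shape of Linux `ss -ltnp` output and flags any listening port, or owning process, that is absent from a known-good baseline. The sample rows and the baseline are assumptions constructed for illustration.

```python
"""Flag listening TCP sockets absent from a known-good baseline.
Input is assumed to look like Linux `ss -ltnp` output; the sample rows and
the baseline below are constructed for illustration."""
import re
from typing import Dict, List, NamedTuple

class Listener(NamedTuple):
    addr: str
    port: int
    process: str

# One `ss -ltnp` row: LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
SS_ROW = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?')

# Constructed sample: three expected services plus one unexplained listener.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      151    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1044,fd=21))
LISTEN 0      5      0.0.0.0:6667        0.0.0.0:*         users:(("update_helper",pid=2310,fd=4))
"""

# Baseline (assumed): port -> process name allowed to own it.
BASELINE: Dict[int, str] = {22: 'sshd', 3306: 'mysqld'}

def parse_ss(output: str) -> List[Listener]:
    """Extract (address, port, owning process) from each LISTEN row."""
    rows = []
    for line in output.splitlines():
        m = SS_ROW.match(line.strip())
        if m:
            rows.append(Listener(m['addr'], int(m['port']), m['proc'] or '?'))
    return rows

def audit(listeners: List[Listener], baseline: Dict[int, str]) -> List[str]:
    """One finding per listener whose port is unknown or whose owner differs."""
    findings = []
    for l in listeners:
        expected = baseline.get(l.port)
        if expected is None:
            findings.append(f'port {l.port} open by {l.process}: not in baseline')
        elif expected != l.process:
            findings.append(f'port {l.port} owned by {l.process}, baseline expects {expected}')
    return findings

def run_audit() -> List[str]:
    return audit(parse_ss(SAMPLE_SS), BASELINE)
```

On a real host the same check runs over the live output of `ss -ltnp`, with the baseline taken from a clean build of the machine.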
Notable Backdoors
• Sobig and Mydoom – Worms that installed a backdoor used for spamming
• Sony BMG rootkit – Distributed on millions of CDs in 2005 as copy protection
  • Silently installed itself automatically on Windows computers to change the way the CD played and to collect usage data
  • Caused resource drain and created security holes that could be exploited by malware
• Beast – Windows RAT with a GUI client, a built-in firewall bypasser, and the ability to disable antivirus
• Sub7 – Windows RAT with a GUI client and a robust set of features. New version released on March 9th
Notable Backdoors cont…
• NetBus
  • RAT
  • Server installed via a Trojan horse
  • In 1999, NetBus was used to plant child pornography on the work computer of a law scholar at Lund University. The 3,500 images were discovered by system administrators, and the law scholar was assumed to have downloaded them knowingly. He lost his research position at the faculty, and following the publication of his name he fled the country and had to seek professional medical care to cope with the stress. He was acquitted of criminal charges in late 2004, as a court found that NetBus had been used to control his computer.
Notable Backdoors cont…
• Back Orifice (BO) – 1998
  • RAT
  • Created by a hacker organization called the “Cult of the Dead Cow”
  • Designed to demonstrate the lack of security in Windows
  • Script kiddies