
Backdoors

1 Abstract

In this lecture, we focus on how an attacker who has obtained access to a system carefully plants backdoors that facilitate future visits. So-called rootkits also provide backdoors.

1.1 Educational Objectives

  1. Present the backdoors installed once a system is compromised.
  2. Discovering and disabling backdoors.

2 Backdoor Functions

The backdoors for most intruders provide two or three main functions.

  1. Be able to get back into a machine even if the administrator tries to secure it, e.g., changing all the passwords.
  2. Be able to get back into the machine with the least amount of visibility. Most backdoors provide a way to avoid being logged and many times the machine can appear to have no one online even while an intruder is using it.
  3. Be able to get back into the machine with the least amount of time. Most intruders want to easily get back into the machine without having to do all the work of exploiting a hole to gain access.
  4. Vulnerabilities and pre-installed Trojans are of course "backdoors."

3 Some Well Known Backdoors

Below we summarize some of the backdoors that have been in use over the years.

3.1 Login Backdoor

Install a modified login so that, if the backdoor password is typed, it allows a login regardless of what the account's password really is. Such a backdoor spawns a shell before the user is actually logged in and recorded in utmp and wtmp. To hide the backdoor password from commands like strings, the intruder encrypts or otherwise obfuscates it inside the binary.

3.2 Services Backdoor

Almost every network service has at one time or another been backdoored by an intruder. Backdoored versions of finger, rsh, rexec, rlogin, ftp, even inetd, etc., have been floating around forever. These are programs that are nothing more than a shell connected to a TCP port with maybe a backdoor password to gain access. These programs sometimes replace a service like uucp that never gets used or they get added to the inetd.conf file as a new service.

A normal in.telnetd does several checks, such as examining the environment variable named TERM (the terminal type the user is using). Typically, the terminal setting might be xterm or vt100. An intruder could backdoor it so that when the terminal was set to, say, "letmein", it would spawn a shell without requiring any authentication.

3.3 Cron backdoor

Cron on Unix schedules the running of certain programs according to a configuration file. An intruder could add a backdoor shell program to run between 1 AM and 2 AM. So, for 1 hour every night, the intruder could gain access. Intruders have also looked at legitimate programs that typically run as cron jobs and built backdoors into those programs as well.

3.4 Library backdoors

Almost every UNIX system uses shared (*.so) libraries. Shared libraries let many programs reuse the same routines, thus cutting down on the size of programs. Some intruders have backdoored routines like crypt.o and _crypt.o. Programs like login use the crypt() routine, and if the backdoor password was given it would spawn a shell. Therefore, even if the administrator was checking the MD5 of the login program, it was still calling a backdoored routine, and many administrators were not checking the libraries as a possible source of backdoors.

Suppose we start doing MD5 checksums of almost everything. Attackers get around that by backdooring the open() library routine and the other file access routines. The backdoored routines are configured to return the original file contents when a file is read, but to run the Trojan version when a file is executed. Therefore, when the MD5 checksum program reads these files, the checksums always look good; but when the system runs the program, it executes the Trojan version. Even the Trojan library itself can be hidden from the MD5 checksums this way. It is therefore necessary to statically link the MD5 checksum checker, and to be very sure of the loader.
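The check a defender wants before trusting a checksum tool is that the tool itself does not depend on the dynamic loader or any shared library. As an added example (not from the lecture), the function below classifies an ELF64 image by looking for a PT_INTERP or PT_DYNAMIC program header, which is what makes ldd and file report a binary as "dynamically linked"; it assumes Linux elf.h and a little-endian host, and the self-check builds a constructed image rather than reading a real binary.

```c
#include <elf.h>
#include <string.h>

/* 1 if the ELF64 image in buf carries a PT_INTERP or PT_DYNAMIC
 * segment (needs the dynamic loader and shared libraries), 0 if it is
 * static, -1 if not a well-formed little-endian ELF64 image.
 * Assumes a little-endian host, as the fields are read verbatim. */
int elf64_is_dynamic(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_ident[EI_DATA] != ELFDATA2LSB ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return -1;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        size_t off = (size_t)eh.e_phoff + i * sizeof ph;
        if (off + sizeof ph > len) return -1;   /* truncated table */
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_INTERP || ph.p_type == PT_DYNAMIC)
            return 1;
    }
    return 0;
}

/* Self-check on a constructed image (no real binary): an ELF64 header,
 * one PT_LOAD segment and, if dynamic != 0, a PT_DYNAMIC segment. */
int check_constructed_image(int dynamic)
{
    unsigned char img[sizeof(Elf64_Ehdr) + 2 * sizeof(Elf64_Phdr)];
    Elf64_Ehdr eh = {0};
    Elf64_Phdr ph[2] = {{0}, {0}};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = dynamic ? 2 : 1;
    ph[0].p_type = PT_LOAD;
    ph[1].p_type = PT_DYNAMIC;
    size_t n = sizeof eh + eh.e_phnum * sizeof(Elf64_Phdr);
    memcpy(img, &eh, sizeof eh);
    memcpy(img + sizeof eh, ph, n - sizeof eh);
    return elf64_is_dynamic(img, n);
}
```

To check a real tool, read the file into memory (fread or mmap) and pass the bytes to elf64_is_dynamic(); a result of 1 means the checksum tool still trusts the loader and the shared libraries the text warns about.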

3.5 Kernel backdoors

The same method used for libraries for bypassing MD5 checksum could be used at the kernel level. Even a statically linked MD5 program cannot tell the difference.

3.6 File system backdoors

An intruder will want to store their "loot" on the server while waiting for an opportune time to transport it away. To hide these rather large files from an administrator, an intruder may patch the file system commands like "ls", "du", and "fsck" to hide the existence of certain directories or files. In one case, an intruder created a section on the hard drive with a proprietary format that was marked as "bad" sectors.

3.7 Bootblock backdoors

In the PC world, many viruses hide within the boot block section and most antivirus software will check to see if the boot block has been altered. On Unix, surprisingly, it is not typical to check the boot block, therefore some intruders have placed backdoors in the boot block area.

3.8 Network traffic backdoors

There are many network backdoor programs that let an intruder listen on a certain port number on a machine and gain access without ever going through the normal services. Because the traffic is going to a non-standard network port, the administrator can overlook the intruder's traffic. These network traffic backdoors typically use TCP, UDP, or ICMP, but they could use many other kinds of packets.

Administrators can spot a TCP connection and notice the odd behavior, while UDP shell backdoors have no connection, so netstat would not show an intruder accessing the machine. Many firewalls have been configured to let UDP packets for services like DNS through. Many times, intruders will place the UDP shell backdoor on that port and it will be allowed to bypass the firewall.

3.9 Encrypted Link

An administrator can set up a sniffer to see the data while a suspected intruder is using a shell, but an intruder can add encryption to the network traffic backdoor, and it then becomes almost impossible to determine what is actually being transmitted between the two machines.

3.10 Syntactic Problems in /etc/passwd

When parsing the uid/gid fields of the /etc/passwd file, most login(1) implementations fail to detect non-numeric characters in those fields, and the standard atoi(3) then returns 0, giving superuser privileges. Example:

  rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/bash

On Linux boxes, this will give uid 0 to user rmartin.
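As an added example (not from the lecture) of the check a login(1) implementation should make instead of calling atoi(3): the strict parser below rejects the "x50" field of the entry above, whereas the atoi() path turns it into uid 0. The passwd lines it is exercised on are constructed, and the function names are this example's own.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* Strict decimal uid/gid parser: non-empty, digits only, no overflow.
 * Returns 0 on success, -1 wherever atoi(3) would silently have returned 0. */
int parse_id_strict(const char *field, long *out)
{
    if (field == NULL || *field == '\0') return -1;
    for (const char *p = field; *p; p++)    /* rejects sign, space, 'x' ... */
        if (*p < '0' || *p > '9') return -1;
    char *end;
    errno = 0;
    long v = strtol(field, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;   /* overflow / junk */
    *out = v;
    return 0;
}

/* Copy field n (0-based) of a colon-separated passwd line into buf;
 * returns -1 if the line has too few fields or the field does not fit. */
int passwd_field(const char *line, int n, char *buf, size_t buflen)
{
    const char *p = line;
    for (int i = 0; i < n; i++) {
        p = strchr(p, ':');
        if (p == NULL) return -1;
        p++;
    }
    const char *q = strchr(p, ':');
    size_t len = q ? (size_t)(q - p) : strlen(p);
    if (len >= buflen) return -1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return 0;
}

/* The uid as an atoi()-based login(1) sees it: field "x50" becomes 0 (root). */
long uid_via_atoi(const char *line)
{
    char f[32];
    return passwd_field(line, 2, f, sizeof f) == 0 ? atoi(f) : -1;
}

/* The uid under strict parsing; -1 means "malformed entry, refuse the login". */
long uid_via_strict(const char *line)
{
    char f[32]; long v;
    if (passwd_field(line, 2, f, sizeof f) != 0) return -1;
    return parse_id_strict(f, &v) == 0 ? v : -1;
}
```

The same strict parser applies to the gid field (field 3) and to /etc/group; an empty field, as in a truncated entry, is rejected just like a field with letters.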

4 Backdooring Binary Objects

The article by [klog] describes object backdooring methods by manipulating the binaries.

5 (Suggested) Lab Experiment

  1. Install the backdoors described by the following papers and tools.
  2. Pierre Graux, Aymeric Mouillard, and Mounir Saoud, Backdooring ELF Using Unused Code, PDF, 2016
  3. The Backdoor Factory – Patch Binaries With Shellcode, 2017.
  4. https://pentest.blog/art-of-anti-detection-2-pe-backdoor-manufacturing/ 2017
  5. How to Create a Nearly Undetectable Backdoor using MSFvenom in Kali Linux Updated May 2019 {A detailed procedure. Uses metasploit.}
  6. https://officialhacker.com/create-backdoor-in-kali-linux/ 2017 {Forces you to Facebook-like.}
  7. https://github.com/Screetsec/Vegile Vegile - Ghost In The Shell 2018 updated 2019 "This tool sets up backdoor/ rootkits. When backdoor is already setup, it will be hidden. Even when it is killed, it will re-run again." {Poorly described. Has a demo video.}

6 Acknowledgements

The details regarding wtmp and services can be found in Garfinkel and Spafford.

7 References

  1. Sam Lloyd Thomas, Backdoor Detection Systems for Embedded Devices, PhD Thesis, University of Birmingham, April 2018, 213 pp. https://www.cs.bham.ac.uk/~garciaf/theses/badseed.pdf
  2. klog, Backdooring Binary Objects, Phrack Magazine, Issue 56, 2000. http://www.phrack.com Highly Recommended Reading.
  3. Yin Zhang and Vern Paxson, "Detecting Backdoors", Proceedings of the 9th USENIX Security Symposium, Denver, Colorado, August 2000.
  4. Simson Garfinkel and Gene Spafford, Chapter 10: Auditing and Logging, Practical Unix and Internet Security, 3rd edition (2003), O'Reilly & Associates; ISBN: 0596003234. Required Reading.
  5. Angel Alonso-Parrizas, Analysis of a Multi-Architecture SSH Linux Backdoor, SANS Reading Room, June 2019. https://www.sans.org/reading-room/whitepapers/threatintelligence/analysis-multi-architecture-ssh-linux-backdoor-39015 {This paper does a code analysis of an SSH Linux backdoor used in the wild by a criminal group from 2016 to at least October 2018.}
  6. Backdoor Found in Utility for Linux, Threatpost, Aug 2019. https://threatpost.com/backdoor-found-in-utility-for-linux/147581/
  7. Advanced Linux Backdoor Found in the Wild Escaped AV Detection, Ars Technica, May 2019. https://arstechnica.com/information-technology/2019/05/advanced-linux-backdoor-found-in-the-wild-escaped-av-detection/ {Fully developed HiddenWasp gives attackers full control of infected machines.}

8 End


Copyright © 2018 www.wright.edu/~pmateti • 2018-09-10