Hidden Backdoors, Trojan Horses and Rootkit Tools in a Windows Environment

by Bartosz Bobkiewicz [Published on 23 Jan. 2003 / Last Updated on 23 Jan. 2003]

Not every case of a successful intrusion is “crowned” with a replaced Web site on the server, data theft or damage. Often electronic intruders do not wish to create a spectacle but prefer to avoid fame by hiding their presence on compromised systems, sometimes leaving certain unexpected things. They use sophisticated techniques to install specific “malware” (backdoors) to let them in again later with full control and in secret.

Not every case of a successful intrusion is “crowned” with a replaced Web site on the server, data theft or damage. Often electronic intruders do not wish to create a spectacle but prefer to avoid fame by hiding their presence on compromised systems, sometimes leaving certain unexpected things. They use sophisticated techniques to install specific “malware” (backdoors) to let them in again later with full control and in secret.

What is malevolent software intended for?

Obviously, hackers have a variety of motives for installing malevolent software (malware). These types of software tend to yield instant access to the system to continuously steal various types of information from it – for example, strategic company’s designs or numbers of credit cards. In some cases, they use compromised machines as launch points for massive Denial of Service attacks. Perhaps the most common reason hackers tend to settle on another system is the possibility of creating launch pads that attack other computers while disguised as innocent computer addresses. This is a certain kind of spoofing where the intrusion logs fool the target system into believing that it is communicating with another, legitimate computer rather than that of an intruder.

Under normal conditions, it is hardly to compromise LAN security from the Internet, because in most cases LANs are tied to the Internet via reserved addresses such as type 10.0.0.0 or 192.168.0.0 – (for more details, see the RFC 1918 document available at http://www.faqs.org/rfcs/rfc1918.html). Thus, a hacker cannot have direct access from the Internet, which presents a certain problem for him. Installing shell programs (e.g. Telnet) on any Internet-accessible computer will allow the intruder to gain access to the LAN and spread his control over the infrastructure. Such types of attacks are prevalent on Unix computers, because they use more common remote access shell services (SSH, or more rarely, Telnet) and no additional installation is required. This article will, however, focus on Microsoft Windows-based systems.

Who will become a victim?

An intelligent hacker will not try to put his program on a server that is monitored and checked regularly. He will secretly, without the knowledge of any legitimate user. Therefore, his attempts to get in will certainly not be through the main domain controller which has its log frequently examined, network traffic monitored and will detect any alterations immediately. Of course, everything depends on the observance of the security policy and as is well known, network administrators are not always scrupulous in performing their work. Nevertheless, a host that plays no key role in the network makes a perfect target for a hacker. Before commencing the selection process, a successful hacker tends to transfer the zone and thereafter identify probable roles of individual hosts within a domain by deducing the knowledge from their names. A poorly secured workstation, isolated from the main network, may ideally be used for hacking purposes because there would be a little chance to detect signs of an installed backdoor.

Backdoors

A backdoor is a program or a set of related programs that a hacker installs on the victim computer to allow access to the system at a later time. A backdoor’s goal is to remove the evidence of initial entry from the systems log. But a “nice” backdoor will allow a hacker to retain access to a machine it has penetrated even if the intrusion factor has in the meantime been detected by the system administrator. Resetting passwords, changing disk access permissions or fixing original security holes in the hope of remedying the problem may not help.  

A trivial example of a backdoor is default BIOS, router or switch passwords set either by careless manufacturers or security administrators.

A hacker could simply add a new user account with administrator privileges and this would be a sort of backdoor, but far less sophisticated and easy detectable.

Adding a new service is the most common technique to disguise backdoors in the Windows operating system. This requires involving tools such as Srvany.exe and Srvinstw.exe that comes with the Resource Kit utility and also with Netcat.exe [1]. The principle of this operation is that the srvany.exe tool is installed as a service and then permits netcat.exe to run as a service. The latter, in turn, listens on an appropriate port for any connection. Once connected, it will have spawned a remote shell on the server (using cmd.exe) and from this moment onwards, a hacker has free reign.

Just before commencing the installation of a backdoor, a hacker must investigate within the server to find activated services. He could simply add a new service and give it an inconspicuous name, but he would be better off choosing a service that never gets used and that is either activated manually or even completely disabled. It is sufficient to remove it using the Srvinstw.exe utility and again to install a new service with the same name.  By doing so, the hacker considerably reduces possibility that the administrator will detect the backdoor during a later inspection. Whenever an event occurs, the system administrator will focus on looking for something odd in the system, leaving all existing services unchecked. From the hacker point of view, it is essential to hide files deeply in system directories to protect them from being detected by the system administrator. In time, a hacker will think of naming the tools to be planted on the server disk. Netcat.exe and Srvany.exe are utilities that are required to run continuously and will be seen in the task manager. Hackers understand that backdoor utilities must have names that will not attract any undue attention. They use the same approach when choosing an appropriate port for a backdoor. For example, port 5555 does not seem to be backdoored for the reason that it could immediately tip off the system administrator.

The technique presented above is very simple but efficient at the same time. It allows a hacker to get back into the machine with the least amount of visibility within the server logs (we are obviously not speaking about situations where extra software is used to monitor traffic and there is an efficient event logging system installed). Moreover, the backdoored service allows the hacker to use higher privileges – in most cases as a System account. This may cause some problems for an intruder because, notwithstanding the highest permissions, the System account has no power outside the machine. Under this account, disk mapping or adding user accounts is not possible. Instead, passwords can be changed and privileges may be assigned to existing accounts. With a backdoor that has captured the system administrator account, no such restrictions exist. The only problem that remains is related to the change of user password, because a password update is required to restart the related service. An administrator will undoubtedly start noticing log errors, once care for event logging and monitoring is provided. The example given above describes a backdoor that is the most dangerous one from the victim system point of view, because anyone can connect to it and obtain the highest permissions with no authentication required. It may be any scriptkiddie using a portscanning tool against computers randomly selected from the Internet.

Hacker–dedicated Web sites give examples of many tools that serve to install backdoors, with the difference that once a connection is established the intruder must login by entering a predefined password. iCMD [2], Tini [3], RemoteNC [4] or WinShell [5] (Fig. 1) are examples of tools resembling Telnet.

Fig.  1 WinShell program may be used to install certain simple backdoors

I once saw a very interesting script named CGI-backdoor [6]. I considered this to be interesting because an attacker could execute remote commands on the server via WWW. It was a specifically created totally dynamic .asp site written in VBScript (available also in Perl, PHP, Java and C) that enabled one to execute commands on the server using the default command processor cmd.exe. A hacker can exploit this to configure the reverse WWW script on the victim's system but can only permitted by default with sufficient privileges to the IUSR_MACHINE account. This script can be used without logging at all, thus no traces are left on the system. Its additional advantage is that it does not listen in on any port but translates between the HTML used in WWW pages and the server that runs interactive websites.

In order to create backdoors, hackers can use commercially available tools such as Remote Administrator [7], or free available TightVNC [8], that apart from a full control over the computer also allow one to operate a remote console.

“The Fall of Troy, the wooden horse and all events thereafter…”

Trojan horses or Remote Administration Trojans (RATs) are a class of backdoors that are used to enable remote control over the compromised machine. They provide apparently useful functions to the user, and at the same time, open a network port on a victim computer. Then, once started, some trojans behave as executable files, interact with certain keys of the registers responsible for starting processes and sometimes create their own system services.

Contrary to common backdoors, Trojan horses hook themselves into the victim operating system and always come packaged with two files – the client file and the server file. The server, as its name implies, is installed in the infected machine while the client is used by the intruder to control the compromised system. Some well known trojan functions include: managing files on the victim computer, managing processes, remote activation of commands, intercepting keystrokes, watching screen images and also restarting and closing down infected hosts - just to name a few of their features. Some are even able to connect themselves to their originator. Of course, these possibilities vary among individual Trojan horses. The following are considered the most popular: NetBus, Back Orifice 2000, SubSeven, Hack’a’tack, and one of Polish origin, named Prosiak.

In most cases, Trojan horses propagate via email. They are usually found within attachments, because their authors exploit vulnerabilities of the email client. Another technique relies on the fact that they bound into other programs. There are many programs in the Web that malts files to create a single executable file.

Trojan horses (also called trojans) typically operate in a somewhat schematic manner. In contrast to previously described backdoors, where both implementation and function are limited only by intruder’s ingenuity, the behavior here is quite well defined. They listen in on specific ports (for example, 12345 is the NetBus Trojan default port), setting specific references in start files and registers, thereby being relatively simple to detect and identify. In most cases, problems with Trojan horses can be solved by using an anti-virus (AV) software (updated!) to check for possible infections.

RootKit – hiding presence

To accomplish his goal, a hacker must install a backdoor that is not easily detectable. This is his primary task. Hackers use a variety of methods for this purpose, placing their tools at the deepest level of compromised systems and renaming files so as not to arouse suspicions. However that is not enough since the processes are still visible and it is so simple to discover any unexpected program that listens in on a certain port using netstat for checking information about that port. Therefore, hackers can also use Root Kits.

As most readers know, a rootkit is generally a Unix concept that is spreading to other platforms in its increasingly sophisticated forms. This is a collection of tools used by an intruder to hide his presence in an attacked system. Typical goals include replacing or infecting binaries such as ps, find, ls, top, kill, passwd, netstat, hiding directories, files and even their portions  – for example, in  /etc/passwd. Moreover, catching passwords, deleting logins of attacker’s activity, placing backdoors in specific services (for example, Telnet), to get in without authorization at any time. There are plenty of rootkits in the Unix environment, and each new release is more “forward thinking” in terms of its functions. They are also available to attack Windows systems – less sophisticated but still powerful and also trendy. Some handy rootkit solutions deal with hiding or altering netstat commands, thereby making a previously planted backdoor invisible while listening in on any port.

A simple script put in Perl’s string context, compiled and named netstat.exe may be an example of a trivial rootkit. A real system netstat could be named oldnetstat.exe. The principle of operation of the new netstat is that once the command line will call the real netstat (now oldnetstat.exe), it will be directed to a temporary text file. Then the rootkit searches that file for any information about the listening port to remove it (according to the procedure predefined in the rootkit code). After modification, the result is displayed on the screen and the old file is removed. This principle is both simple and efficient and provides an interesting possibility – it may be used to spoof output data acting from any other tool available through the command line – for example, tlist, or dir. There are many programs of this type available on the Web. The ones that I encountered did not display, for example, information on listening ports such as 666, 27374, 12345, 31337 – i.e. well-known Trojan horse ports.

The idea of a first enhanced rootkit for the Windows environment was born in due time. The originator was Greg Hoglund, whilst the progress of this idea could be seen on www.rootkit.com (unfortunately no longer available). From what I know, the development got stuck after the 0.44 version [9]. However below you will find a description of a somewhat older version, namely 0.40 [10].

This rootkit has been designed as a kernel mode driver that runs with system privileges right at the core of the system kernel. Given this fact, it has access to all resources of the operating system, thus having a broad field of action. In order to install it one requires the administrator’s permissions whilst simple net start/net stop commands are sufficient to activate/disactivate it respectively.

Once the rootkit has been loaded, the hacker can hide directories and files on the victim’s disk. This method is efficient provided that the object to be hidden has a name prefixed with _root_ – for example, _root_directory_name. How does this work? The rootkit, by patching the kernel, intercepts all system calls for the listing of the disk content and all objects beginning with the sequence _root_ – are hidden from display. The same applies to the searching process – all files and directories with the above sequence of characters are hidden from the search.

This rootkit feature can also be used to hide processes running as well as to do the same with the system registry entries, by prefixing all keys and entries with _root_. This enables the hacker to install, for example, services which will become a backdoor, thus being as invisible for the system administrator as services or registry entries or processes running in the system memory.

The rootkit can also intercept all key strokes typed at the system console. This may be carried out by hooking into the keyboard driver and issuing the ‘sniffkeys’ command.

This is not the last feature of the described rootkit. Its newest version (0.44) offers some other functions such as a hard-coded backdoor (Fig. 2) that allows a remote attacker to connect with the infected machine and gain the “top” privileged shell.

Fig. 2   A backdoored rootkit allows a hacker to activate a sniffer

Moreover, new implementations are foreseen, for example to have a function that redirects .EXE files to other programs. Starting a completely different tool after the rootkit has detected the execution of a file name that started with _root_ will do this. No other details have been published so far.  Everything is currently in the proof-of-concept stage and hackers cannot use this functionality.

Guarding against the rootkit

An ingenious hacker will be smart enough to hide his track forever. He will use all available means to outwit his victim and often has a big chance of reaching that goal. However system administrators are not defenseless against malicious attacks. There are many known techniques and procedures to detect any suspected installation within systems. At a first glance a rootkit seems to be a powerful tool and undoubtedly it is. Luckily, rootkits are a double-edged sword with their design. As I already mentioned, a kernel-based rootkit monitors calls for objects (files, directories, registers or processes) the names of which begin with a string

Luckily many crackers are careless and portions of their rootkit can be detected. The trojaned files above often have configuration files that list which programs to hide and which to display. Often they forget to hide the configuration files themselves. Since /dev is the default location for many of these configuration files, looking in there for anything that is a normal file is often a good idea.

A rootkit, however, cannot affect processes that have _root_ in their names. In other words, when a system administrator, is analyzing the system log using Regedit.exe, he cannot see hidden entries, but just by changing its name to  _root_regedit.exe, it will be enough for him to see all of them as well as hidden keys and registry entries. This is true for all programs – for example, Task Manager (see Fig. 3).

Fig. 3   Task Manager – after changing its name to _root_taksmgr.exe, you can see hidden processes running in your system

Next “vulnerability” of a rootkit: objects are only hidden from the environment of the compromised machine and they can easily be seen from another computer. Mapping a Network Drive remotely from another machine (or using net use command) is a means to see everything, which has been hidden for a local user. This is because the remote machine is using a clean kernel to view the files and directories on the compromised machine, avoiding the rootkits filtration process.

Another trick is to use drivers.exe tools (see Fig. 4) available in the Resource Kit package, or Winmsd.exe.

Fig. 4 Use drivers.exe utility from the Resource Kit for listing all drivers  – even those where the rootkit is involved

Using the programs mentioned above, the system administrator can get the listing off all drivers, including the _root_.sys, that is, the rootkit device driver itself. This is an exceptional case, in which a process named with a prefix _root_ is not hidden. I would like to stress that the name of the driver as above is related to the specific rootkit described here and not necessarily to other rootkits. But as far as I know, more recent versions of the Windows rootkit are not available as yet.

An interesting anti-rootkit solution has been developed by Pedestal Software. The company has created a program called Intact Integrity Protection Driver [11] that blocks changes and additions to registry keys and values. It effectively prohibits the Service Control Manager or user applications from changing service and driver keys, and values in the registry and also from adding to or replacing existing driver binaries.

Detecting and guarding against backdoors

Is your system secure? How do you know? A machine is very rarely targeted for an attack for any other reason than because it was vulnerable. One of the first steps in being proactive is to assess your basic security policy rules and requirements. I think that having an up-to-date anti-virus software installed is a primary concern, and even it won't fully protect your machine itself, it can be a lifesaver, providing good protection against most viruses and trojans. 

Another good practice is to look routinely at any modification of programs to discover new, odd services or processes. Administration scripts are very useful tools in this regard, particularly when dealing with multiple systems. One might also wish to consider host scanning on your network from time to time. If you suspect that there is an open port at your computer, give a snapshot to check whether it is authorized or no. You may use network, application diagnosis and troubleshooting programs such as TCPview (Fig. 5) [12], FPort [13], Inzider [14], Active Ports (Fig. 6) [15], or Vision [16].

Fig. 5  TCPview tool allows to locate which application opened a port in your computer. Like Active Ports, it tells you what is running on which  port.

 

Fig. 6  Active Ports in action

These tools provide a means to identify the specific application opening the port. Moreover, they let one avoid using Netstat, if it suspects that is has been replaced or infected. This brings me to another interesting consideration: whichever tool is used, it is a good practice to use original tools previously uploaded on a trusty diskette or CD-ROM when attempting to make a check of the system. If any doubt exists whether individual tools are original ones, checksum them to check if they match the installation CD-ROM.

In this regard, ListDlls [17] and Process Explorer [18] (Fig. 7) can certainly be useful if finding any suspect signs of trojan infected or backdoored processes.

Fig. 7    Process Explorer that displays object processes and related DLL libraries

These programs with their DLL libraries give some assistance and provide additional information on handling incidents, investigations and conducting analysis to gather legal evidence in view of criminal prosecution.

May I also suggest that one pay closer attention to the registry keys that are responsible for starting programs on the system startup. In most cases, these registry elements usually contain some indication of how the intruder gained access, from where, when, etc. These are:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\KnownDLLs
HKEY_LOCAL_MACHINE\System\ControlSet\Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows (run)
HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows (run)
HKEY_CLASSES_ROOT\exefile\shell\open\command

It is extremely important to establish consistent access permissions on these keys and activate inspection tools to continuously monitor for any malicious attempts. The same applies to those system directories and files that are security critical. A commonly accepted computer security policy usually starts with a “sound” firewall as a guard against backdoors. Even if the intruder manages to install a backdoor, the firewall will block him from getting to the listening port.  

In fact, bypassing a firewall is not a plug-n-play thing, but I take liberty to serve a nice dose of pessimism. There are known hacker tools that can get through even the most hardened firewalls.

However this is beyond the scope of this article, so I would recommend reading the document available at the address: http://www.spirit.com/Network/net0699.txt.

Finally, I would like to raise your awareness about a certain issue. Once your machine has been compromised and the hacker has gained total administrative access, be very careful in recovering the system from the back-up copy or the disk image! I have personally experienced a situation, where someone replaced a WWW site. The system administrator had retrieved the system from a back-up copy, patched the system, updated the access database and changed passwords. Thus, he has considered the server perfectly safe. But he overlooked the fact, that the intrusion had been made long before he made the copy containing a back-doored version. So, I would strongly recommend checking the system whenever it is backed up.

Hackers increasingly threaten the network community with their new techniques, backdoors and Trojan horses. Therefore we must take steps to guard against known methods of hacking, even though their will still be a large number of worrying factors we don’t know about. The only thing is absolutely obvious – you never know how long your immune system can hold out before breaking down.

Tools:

[1] Netcat - http://www.hackerscor.com/km/files/hfiles/ncnt090.zip
[2] iCMD - http://go8.163.com/lmqkkk/mytools/iCmd.exe
[3] RemoteNC - http://go8.163.com/lmqkkk/mytools/remotenc.zip
[4] Tini - http://go8.163.com/lmqkkk/mytools/tini.exe
[5] WinShell - http://go8.163.com/lmqkkk/mytools/Winshell4.0.zip
[6] CGI-backdoor - http://go8.163.com/lmqkkk/mytools/cgi.zip
[7] Remote Administrator - www.radmin.com
[8] TightVNC - http://www.tightvnc.com/download.html
[9] Rootkit v.0.44 – www.ndsafe.com/fires/rk_044.zip
[10] IIP Driver - http://www.pedestalsoftware.com/intact/iipdriver.htm
[11] TCPview – www.winternals.com
[12] Fport - http://www.foundstone.com/knowledge/proddesc/fport.html
[13] Inzider - http://ntsecurity.nu/toolbox/inzider/
[14] Active Ports - http://www.ntutility.com/freeware.html
[15] Vision - http://www.foundstone.com/knowledge/proddesc/vision.html
[16] ListDlls – http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml
[17] Process Explorer - http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
[18] LANguard Network Security Scanner

Additional information:

1. RootKit
http://www.crackinguniversity2000.it/Paper/__==__--%20rootkit%20--__==__.htm
http://packetstorm.decepticons.org/UNIX/penetration/rootkits
2. Intact Integrity Protection Driver
http://www.pedestalsoftware.com/intact/iipdriver.htm
3. Preventing and Detecting Malware Installations on NT/2K
http://www.securitystorm.net/mobile/securityfocus-articles/preventing_and_detecting_malware.htm
4. Detecting rootkits
http://r00t.h1.ru/texts/detectrk.php
5. Hacker’s Rootkit for NT
http://webbuilder.netscape.com/webbuilding/0-7532-8-4877567-1.html
6. Rootkit: Attacker undercover tools By Saliman Manap
http://www.niser.org.my/resources/rootkit.pdf
7. Stop Windows hackers
http://webbuilder.netscape.com/webbuilding/0-7532-8-4996985-1.html
8. Understanding and Guarding Against Rootkits
http://rr.sans.org/threats/rootkits2.php
9. Hacking lexicon
http://www.robertgraham.com/pubs/hacking-dict.html
10. Securing a compromised Microsoft Windows NT or 2000 Server
http://www.utexas.edu/computer/security/news/iis_hole.html
11. Windows backdoors – update II
http://www.ciac.org/ciac/bulletins/j-032.shtml
12. Backdoors Continued
http://www.themanagementor.com/EnlightenmentorAreas/it/SW/1202_4.htm
13. At the root of rootkits
http://builder.cnet.com/webbuilding/0-7532-8-4561014-1.html?tag=st.bl.7532.edt.7532-8-4561014

Featured Links