-
May 1st, 2003, 12:21 PM
#1
Trojans/ Backdoors - My observations
Who is this tut for? This is for all those people who *keep* posting the same old threads.
We have all read the other tuts about Trojans etc. and know what they are; here I attempt to dispel some myths.
Myth 1: Virus checkers will protect you
This is untrue.
Virus checkers mostly work by comparing programs against signatures in their databases. They are very stupid in this respect (I'm not knocking them per se). This works very well against viruses, as each virus exists in huge numbers, and they're all the same. This does not work against trojans.
Clearly a backdoor program (not necessarily a trojan) can be hand-crafted on a per-installation basis; therefore there will not be another one in existence that is the same. No virus scanner can have it in its database, because it has never been seen before.
Virus checkers have signatures of well known binary-distributed backdoor "blackhat" programs in their databases. This mostly prevents kiddies. It will do nothing against an adversary who rolls their own, or compiles a modified version of a source-code distributed one.
Some experiments showed that changing compiler options or using a different compiler was entirely sufficient to mask even well-known backdoors from any virus checker.
Some use "heuristics", which are extremely unreliable, as they create a lot of false positives. Also, you don't *know* exactly what a given backdoor is going to do.
Myth 2: firewalls will protect you
So you think firewalls will protect you? No.
There are two types of firewall: network and application. The former are common in companies and filter packets on a rule basis or by stateful inspection. They won't help, because a backdoor program can disguise its malicious traffic as normal traffic.
Application firewalls won't help either. These are common on desktops, and often used by home users. However, a backdoor can easily get around them, by masquerading as a normal application and creating an innocent type of traffic.
Myth 3: backdoors listen on "ports"
This is untrue too. It is entirely unnecessary for a piece of malware to listen on a "port", whatever that means.
Complete remote control can be obtained without the need to listen on any ports, or show up on "netstat".
They can simply make innocent-looking connections in an outward direction from time to time, looking for commands.
They can operate by sending and receiving covert emails through your email program.
They can use the port-less ICMP or raw sockets.
Conclusions
1. No amount of off-the-shelf security products will protect you against every back-door or trojan.
2. The recipes for detecting them (netstat, looking at the registry, process listing) often cited on AO can be fooled fairly easily.
3. The ONLY WAY of preventing backdoors from taking over your computer is to engage in safe computing practices. There are no other measures which are effective. So DON'T open that attachment, don't download that crack and don't install that suspect program.
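The post's third myth is the one most worth a worked illustration: a backdoor that polls outward for commands never shows up as a LISTENING socket in netstat, but the polling itself leaves a different trace, namely the same (source, destination, port) triple recurring at near-constant intervals. The script below is an added example, not code from the original post or its author; it runs a simple periodicity check over a constructed outbound-connection log. The log format, the IP addresses, and the thresholds (minimum connections, maximum coefficient of variation) are assumptions made for this example.

```python
"""
Periodic-beacon detection over an outbound-connection log.

Added illustration for the post above (not the author's code). The idea:
group outbound connections by (src, dst, dport) and measure how regular the
gaps between them are. A person browsing produces bursty, irregular gaps; a
backdoor "checking in" on a timer produces near-identical ones.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real data). One outbound TCP connection per
# line: "<ISO timestamp> <src ip> <dst ip> <dst port>", as a firewall's
# accept log might record it. 10.0.0.5 -> 203.0.113.7:80 recurs roughly every
# five minutes (the assumed beacon); the other web traffic is irregular.
SAMPLE_LOG = """\
2003-05-01T12:00:03 10.0.0.5 203.0.113.7 80
2003-05-01T12:00:09 10.0.0.5 198.51.100.2 80
2003-05-01T12:05:04 10.0.0.5 203.0.113.7 80
2003-05-01T12:07:41 10.0.0.5 198.51.100.9 443
2003-05-01T12:10:02 10.0.0.5 203.0.113.7 80
2003-05-01T12:15:05 10.0.0.5 203.0.113.7 80
2003-05-01T12:16:30 10.0.0.5 198.51.100.2 80
2003-05-01T12:20:03 10.0.0.5 203.0.113.7 80
2003-05-01T12:25:04 10.0.0.5 203.0.113.7 80
2003-05-01T12:33:19 10.0.0.5 198.51.100.2 80
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst, dport) tuples from the log text."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_beacons(text, min_connections=4, max_cv=0.1):
    """
    Flag flows whose inter-connection gaps are nearly constant.

    cv = stdev(gaps) / mean(gaps). A timer-driven poller has cv close to 0;
    human-driven traffic has cv well above 0.1 (threshold is an assumption).
    Returns a list of dicts, most regular flow first.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        flows[(src, dst, dport)].append(ts)

    hits = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_connections:
            continue  # too few samples to say anything about regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; no interval to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "connections": len(times),
                         "mean_gap_s": avg, "cv": cv})
    hits.sort(key=lambda h: h["cv"])
    return hits


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_LOG):
        print(f"{h['src']} -> {h['dst']}:{h['dport']}  "
              f"{h['connections']} connections, "
              f"every {h['mean_gap_s']:.0f}s (cv={h['cv']:.3f})")
```

Two caveats a practitioner should keep in mind. A backdoor that adds random jitter to its polling interval raises the cv and slips under a tight threshold, so loosening `max_cv` trades false negatives for false positives; and a beacon aimed at a host the user also visits legitimately (a busy web site, a mail server) will be buried in the legitimate gaps and will not separate out by this check alone. The point of the example is that the evidence lives in outbound flow timing, not in the listening-socket list.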
-
May 1st, 2003, 02:54 PM
#2
Senior Member
You can also switch to Linux and not have to worry about a lot of the crap that goes along with Windows boxes. Nonetheless, you made some good points.
-
May 1st, 2003, 03:00 PM
#3
Very nice points there... lots of stuff I didn't know about firewalls not protecting... thanks
-
May 1st, 2003, 03:09 PM
#4
Originally posted here by King of CaveMen
You can also switch to Linux and not have to worry about a lot of the crap that goes along with Windows boxes.
In a way this is true and false. On un*x you don't have to worry about Windows viruses, that's true. But all un*x have their own specific little problems that make this a false statement. What Slarty wrote is true for all operating systems (not just Windows).
Oliver's Law:
Experience is something you don't get until just after you need it.
-
May 1st, 2003, 03:56 PM
#5
Originally posted here by King of CaveMen
You can also switch to Linux and not have to worry about a lot of the crap that goes along with Windows boxes. Nonetheless, you made some good points.
I love it how people think that Linux is the best thing in the world, with absolutely no viruses written for it, user-friendliness, worldwide program compatibility.
Get real. Some people can't use Linux for very obvious reasons... half of the world doesn't write programs for Linux, including most of the big industry stuff. Some people are by default married to Windows, and there ain't a thing to be done about it (I'm luckily not one of those, but you get my point).
Linux is not for everyone. Stop offering "switch to Linux" as a solution for a simple virus or trojan problem. It doesn't make sense, nor is it economical to ditch the OS you just paid a few hundred for.
-
May 1st, 2003, 04:06 PM
#6
Member
Are you suggesting that we should discard our firewall totally?
I also heard some posters telling us Zone Alarm sucks. I wonder whether these posters are trying to ask people to switch to other firewalls because they discover that they could not hack those who are using Zone Alarm.
It is very difficult to tell who is telling the truth in the forum if you are a newbie like me who has a lot to learn about network security.
-
May 1st, 2003, 04:07 PM
#7
Originally posted here by King of CaveMen
You can also switch to Linux and not have to worry about a lot of the crap that goes along with Windows boxes. Nonetheless, you made some good points.
I am assuming that you have never heard of a rootkit. Trojans like a rootkit are the bane of a Unix admin's existence; they are a pain to find, and a pain to clean.
Originally posted here by Shakira
Are you suggesting that we should discard our firewall totally?
I also heard some posters telling us Zone Alarm sucks. I wonder whether these posters are trying to ask people to switch to other firewalls because they discover that they could not hack those who are using Zone Alarm.
It is very difficult to tell who is telling the truth in the forum if you are a newbie like me who has a lot to learn about network security.
I don't think the suggestion was to discard a firewall. Just understand that you are not 100% secure just because you have a firewall. It's a great tool but not the be-all and end-all of network security; nothing is. This is why the concept of security in depth is so important.
On another note, a tool that should be added to everyone's kit is Spy++. It's a great little tool that can be used to find Trojans and other malicious code bits if you know what to look for. I haven't had anything hidden from it yet, and it lets you know all the interesting stuff going on in the background.
-
May 1st, 2003, 04:16 PM
#8
Ok, I'm going to attempt to respond:
You can also switch to linux and not have to worry about alot of the crap...
Not at all. None of the stuff in the article was platform-specific, all the points APPLY EQUALLY to Linux or any other OS for that matter.
Are you suggesting that we should discard our firewall totally?
No, firewalls are valuable for preventing most attacks; they just won't necessarily help against backdoors installed locally. In many cases, they will still be effective at preventing the backdoors from being installed in the first place.
This is a theoretical article which examines what backdoors CAN do. It has very little to do with what backdoors DO do. In fact, most are much more stupid and use few if any of the techniques I mentioned. Also (thankfully) most of the people using them are equally, if not more, stupid.
I'm not for a minute suggesting that people abandon virus scanners and firewalls, they do their job very well. They just have limits.
-
May 1st, 2003, 04:40 PM
#9
A statement that I make to *anyone* who asks:
There is no such thing as a 100% secure network - period.
This is for obvious reasons, many of which are noted very well by Slarty. The information given in this thread is accurate. For that reason alone, layered approaches to network security are in place in many (not all) IT shops. This includes security awareness training which stresses safe computing techniques.
--My two cents
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
May 15th, 2003, 10:30 PM
#10
Nice post, but a virus scanner will not protect you from a slight change in code of a trojan like Back Orifice. If they configure it at all, more than likely the scanner won't detect it until it is running, and sometimes the trojan has specified directories to delete, like C:\program files\norton or C:\windows\netstat. And by the way, I agree with sickyouIT that an OS switch isn't the answer.