
Thread: Trojans/ Backdoors - My observations

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207

    Trojans/ Backdoors - My observations

    Who is this tut for? This is for all those people who *keep* posting the same old threads.

    We all have read the other tuts about Trojans/etc and know what they are; here I attempt to expel some myths.

    Myth 1: Virus checkers will protect you
    This is untrue.

    Virus checkers mostly work by comparing programs against signatures in their databases. They are very stupid in this respect (I'm not knocking them per se). This works very well against viruses, as each virus exists in huge numbers, and they're all the same. This does not work against trojans.

    Clearly a backdoor program (not necessarily a trojan) can be hand-crafted on a per-installation basis, therefore there will not be another one in existence that is the same. No virus scanner can have it in its database, because it has never been seen before.

    Virus checkers have signatures of well known binary-distributed backdoor "blackhat" programs in their databases. This mostly prevents kiddies. It will do nothing against an adversary who rolls their own, or compiles a modified version of a source-code distributed one.

    Some experiments showed that changing compiler options or using a different compiler was entirely sufficient to mask even well-known backdoors from any virus checker.

    Some use "Heuristics", which is extremely unreliable, as it creates a lot of false positives. Also, you don't *know* exactly what a given backdoor is going to do.

    Myth 2: firewalls will protect you

    So you think firewalls will protect you? No.

    There are two types of firewall - network and application. The former are common in companies and filter packets on a rule-basis or by stateful inspection. They won't help, because a backdoor program can disguise its malicious traffic as normal traffic.

    Application firewalls won't help either. These are common on desktops, and often used by home users. However, a backdoor can easily get around them, by masquerading as a normal application and creating an innocent type of traffic.

    Myth 3: backdoors listen on "ports"

    This is untrue too. It is entirely unnecessary for a piece of malware to listen on a "port", whatever that means.

    Complete remote control can be obtained without the need to listen on any ports, or show up on "netstat".

    They can simply make innocent-looking connections in an outward direction from time to time, looking for commands.

    They can operate by sending and receiving covert emails through your email program.

    They can use the port-less ICMP or raw sockets.

    Conclusions

    1. No amount of off-the-shelf security products will protect you against every back-door or trojan.
    2. The recipes for detecting them (netstat, looking at the registry, process listing) often cited on AO can be fooled fairly easily.
    3. The ONLY WAY of preventing backdoors from taking over your computer is to engage in safe computing practices. There are no other measures which are effective. So DON'T open that attachment, don't download that crack and don't install that suspect program.
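Myth 3 above argues that a backdoor need not listen on a port and can instead make periodic outbound "innocent-looking" connections, so host-side netstat and process listings are the wrong place to look. The example below is added here and is not part of the original thread; it shows the defender's counterpart: scanning network-side (proxy or flow) logs for outbound connections whose timing is suspiciously regular. The log format, host names and addresses are all constructed for the demonstration.

```python
"""Beaconing detector: find outbound connections with timer-like regularity.

Added example, not from the original thread. The log format and every
host/IP below are constructed for the demonstration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy-style log: timestamp, workstation, src IP -> dst:port, bytes sent.
# The "update.example-mirror.test" flow polls every 5 minutes with an identical
# request size; the other flows are irregular browsing and one mail check.
SAMPLE_LOG = """\
2003-05-01T09:00:00 ws17 10.0.0.5 -> www.example-news.test:80 412
2003-05-01T09:00:31 ws17 10.0.0.5 -> cdn.example-news.test:80 9881
2003-05-01T09:05:00 ws17 10.0.0.5 -> update.example-mirror.test:80 203
2003-05-01T09:07:12 ws17 10.0.0.5 -> mail.example.test:110 1500
2003-05-01T09:10:00 ws17 10.0.0.5 -> update.example-mirror.test:80 203
2003-05-01T09:15:00 ws17 10.0.0.5 -> update.example-mirror.test:80 203
2003-05-01T09:18:44 ws17 10.0.0.5 -> www.example-news.test:80 388
2003-05-01T09:20:00 ws17 10.0.0.5 -> update.example-mirror.test:80 203
2003-05-01T09:25:00 ws17 10.0.0.5 -> update.example-mirror.test:80 203
2003-05-01T09:30:00 ws17 10.0.0.5 -> update.example-mirror.test:80 203
2003-05-01T09:33:21 ws17 10.0.0.5 -> www.example-news.test:80 501
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, port, bytes) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
               int(m["port"]), int(m["bytes"]))


def find_beacons(records, min_connections=5, max_cv=0.15):
    """Return flows whose inter-connection gaps are nearly constant.

    For each (src, dst, port) seen at least `min_connections` times, compute the
    gaps between consecutive connections and their coefficient of variation
    (stdev / mean). Human-driven traffic has irregular gaps (high CV); a
    backdoor polling for commands on a timer has a CV close to zero.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port, nbytes in records:
        by_flow[(src, dst, port)].append((ts, nbytes))

    findings = []
    for flow, events in by_flow.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            findings.append({
                "flow": flow,
                "count": len(events),
                "period_s": round(mean),
                "cv": round(cv, 3),
                # A constant request size is a second weak indicator of a scripted poll.
                "fixed_size": len({n for _, n in events}) == 1,
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log this flags only the five-minute poll to update.example-mirror.test. Legitimate software also polls on timers (update checks, time sync), so the output is a triage list for an analyst, not a verdict; the thresholds `min_connections` and `max_cv` are assumptions to tune against your own baseline.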

  2. #2
    Senior Member
    Join Date
    Mar 2002
    Posts
    137
    You can also switch to Linux and not have to worry about a lot of the crap that goes along with Windows boxes. Nonetheless, you made some good points.

  3. #3
    Banned
    Join Date
    Apr 2003
    Posts
    3,839
    Very nice points there... lots of stuff I didn't know about firewalls not protecting... tx

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by King of CaveMen
    You can also switch to Linux and not have to worry about a lot of the crap that goes along with Windows boxes.
    In a way this is true and false. On un*x you don't have to worry about Windows viruses, that's true. But all un*x have their own specific little problems that make this a false statement. What Slarty wrote is true for all operating systems (not just Windows).
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Posts
    217
    Originally posted here by King of CaveMen
    You can also switch to Linux and not have to worry about a lot of the crap that goes along with Windows boxes. Nonetheless, you made some good points.
    I love it how people think that Linux is the best thing in the world, with absolutely no viruses written for it, user-friendliness, worldwide program compatibility.

    Get real. Some people can't use Linux for very obvious reasons... half of the world doesn't write programs for Linux, including most of the big industry stuff. Some people are by default married to Windows, and there ain't a thing to be done about it (I'm luckily not one of those, but you get my point).

    Linux is not for everyone. Stop offering "switch to Linux" as a solution for a simple virus or trojan problem. It doesn't make sense, nor is it economical to ditch the OS you just paid a few hundred for.

  6. #6
    Are you suggesting that we should discard our firewall totally?

    I also heard some posters telling us Zone Alarm sucks. I wonder whether these posters are trying to ask people to switch to other firewalls because they discover that they could not hack those who are using Zone Alarm.

    It is very difficult to tell who is telling the truth in the forum if you are a newbie like me who has a lot to learn about network security.

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Originally posted here by King of CaveMen
    You can also switch to Linux and not have to worry about a lot of the crap that goes along with Windows boxes. Nonetheless, you made some good points.
    I am assuming that you have never heard of a root kit. Trojans like a root kit are the bane of a Unix admin's existence; they are a pain to find, and a pain to clean.

    Originally posted here by Shakira
    Are you suggesting that we should discard our firewall totally?

    I also heard some posters telling us Zone Alarm sucks. I wonder whether these posters are trying to ask people to switch to other firewalls because they discover that they could not hack those who are using Zone Alarm.

    It is very difficult to tell who is telling the truth in the forum if you are a newbie like me who has a lot to learn about network security.
    I don't think the suggestion was to discard a firewall. Just understand that you are not 100% secure just because you have a firewall. It's a great tool but not the end-all and be-all of network security; nothing is. This is why the concept of security in depth is so important.

    On another note, a tool that should be added to everyone's kit is Spy++. It's a great little tool that can be used to find Trojans and other malicious code bits if you know what to look for. I haven't had anything hidden from it yet, and it lets you know all the interesting stuff going on in the background.

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Ok, I'm going to attempt to respond:

    You can also switch to linux and not have to worry about alot of the crap...
    Not at all. None of the stuff in the article was platform-specific, all the points APPLY EQUALLY to Linux or any other OS for that matter.

    Are you suggesting that we should discard our firewall totally?
    No, firewalls are valuable for preventing most attacks; they just won't necessarily help against backdoors installed locally. In many cases, they will still be effective at preventing the backdoors from being installed in the first place.

    This is a theoretical article which examines what backdoors CAN do. It has very little to do with what backdoors DO do. In fact, most are much more stupid and use few if any of the techniques I mentioned. Also (thankfully) most of the people using them are equally, if not more, stupid.

    I'm not for a minute suggesting that people abandon virus scanners and firewalls, they do their job very well. They just have limits.

  9. #9
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    A statement that I make to *anyone* who asks:

    There is no such thing as a 100% secure network - period.

    This is for obvious reasons, many of which are noted very well by Slarty. The information given in this thread is accurate. For that reason alone, layered approaches to network security are in place in many (not all) IT shops. This includes security awareness training which stresses safe computing techniques.

    --My two cents
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #10
    Nice post, but a virus scanner will not protect you from a slight change in code of a trojan like Back Orifice. If they configure it at all, more than likely the scanner won't detect it until it is running, and sometimes the trojan has specified directories to delete like C:\program files\norton or C:\windows\netstat. And by the way, I agree with sickyouIT that an OS switch isn't the answer.
