Analysis of four new backdoor techniques in 2004

Source: Internet
Author: User
Tags: firewall

Anyone who has once been hit by a Trojan or backdoor (hereafter simply "backdoor") remembers the wreckage the machine was left in, so people went on the offensive with defensive work: patches, then firewalls, some even adding authenticators. Under the fire of all these defensive techniques a great many backdoors fell, and newcomers no longer had to panic when they went online... But did the backdoors stop? The answer, of course, is no. Look: beneath the calm surface, a new batch of backdoors is creeping in...

1. The intruder who waits: the reverse-connection (bounce) Trojan

Hacker A connects to the network, but we see him do nothing. What is he up to? We only see him light a cigarette and seemingly stare into space... After a while he suddenly flicks the butt away and his hands fly over the keyboard; through the screen we learn that he has entered a company's internal server, one protected by a firewall, and is going deep inside it... How did he do it? Is he a wizard? Rewind the scene: in the haze of smoke, Hacker A was staring blankly at a program window. Suddenly that window changed, and at the same moment Hacker A started typing, and the familiar control interface followed. You may not believe your eyes: did the machine find him by itself? No way... But that is the truth; the server really did find him on its own. Hacker A is no high-tech genius; he simply used a backdoor that waits for its prey: the reverse-connection, or bounce, Trojan.

As everyone knows, an intrusion is normally initiated by the intruder. This is a hunting-like approach, and against an alert prey the hunter is often powerless. For an intruder using the reverse-connection technique things are much easier: the bounce Trojan is the wolf in grandmother's bed, waiting for Little Red Riding Hood to deliver herself to the door. In an ordinary intrusion the intruder runs a control program that connects out to the victim's computer. In a reverse-connection intrusion the direction is reversed: the listening port is opened on the intruder's computer, and the victim contacts the intruder and lets itself be controlled. Since most firewalls of the time inspected only inbound traffic and turned a blind eye to traffic leaving the network, the tragedy happened.

The reverse-connection Trojan works as follows. The victim (the computer on which the server component is implanted) sends a connection request to the control end at a set time and loops until the connection succeeds; the control end accepts the server side's request, and a trusted transmission channel between the two is established. What the control end does next is routine: take control of the victim. Because the victim initiated the connection, the firewall in most cases raises no alarm, and because this connection mode works from inside a private intranet out to an external host, the intruder reaches internal computers with ease.

Although the reverse-connection Trojan is more dangerous than an ordinary Trojan, it has a natural Achilles' heel: its stealth is limited. The server component must keep an outbound connection open from a local (ephemeral) port and keep retrying it until the controller answers, so a victim with even a little experience can see the connection in netstat and recognise the Trojan without much difficulty. And so another kind of Trojan was born.
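One way to spot the retry-until-connected behaviour just described, given here as an added example that is not part of the original article: a small detector run over a firewall's log of outbound connections. The log format, the sample lines and the thresholds are constructed for this illustration; a real firewall's format will differ. The idea generalises beyond the page's "at a certain time" wording: any implant that redials the same controller at a fixed interval shows up as a low-jitter series of outbound connections from a host that should only be accepting them.

```python
"""Spotting a connect-back (bounce) Trojan from outbound connection logs.

Added example, not part of the original article. Assumed log format
(constructed): one outbound TCP connection per line,
    timestamp src_ip:src_port -> dst_ip:dst_port
A reverse-connection implant retries its controller at a fixed interval
until it gets through, so its connections form a near-periodic series.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 is a web server that should only serve inbound
# traffic, yet it dials 203.0.113.7:4444 about once a minute; 10.0.0.9 is a
# workstation browsing normally.
SAMPLE_LOG = """\
2004-05-01T10:00:00 10.0.0.5:49152 -> 203.0.113.7:4444
2004-05-01T10:00:02 10.0.0.9:51000 -> 198.51.100.20:80
2004-05-01T10:01:00 10.0.0.5:49153 -> 203.0.113.7:4444
2004-05-01T10:01:31 10.0.0.9:51001 -> 198.51.100.21:443
2004-05-01T10:02:01 10.0.0.5:49154 -> 203.0.113.7:4444
2004-05-01T10:03:00 10.0.0.5:49155 -> 203.0.113.7:4444
2004-05-01T10:04:00 10.0.0.5:49156 -> 203.0.113.7:4444
2004-05-01T10:07:45 10.0.0.9:51002 -> 198.51.100.20:80
"""


def parse_log(text):
    """Yield (time, src_ip, src_port, dst_ip, dst_port) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src_ip, int(src_port), dst_ip, int(dst_port)


def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {(src_ip, dst_ip, dst_port): (mean_gap_seconds, hits)} for
    outbound flows that recur at a regular interval.

    A flow is flagged when it has at least `min_hits` connections and the
    standard deviation of the gaps between them is at most `max_jitter`
    times the mean gap (assumed thresholds).
    """
    flows = defaultdict(list)
    for ts, src_ip, _sport, dst_ip, dst_port in parse_log(text):
        flows[(src_ip, dst_ip, dst_port)].append(ts)

    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):
            beacons[key] = (round(mean(gaps), 1), len(times))
    return beacons


if __name__ == "__main__":
    for (src, dst, port), (period, hits) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} dials {dst}:{port} every ~{period}s ({hits} times): possible connect-back")
```

The source port changes on every attempt (that is the "random port" the article mentions), so grouping must be by source host and destination, never by the full 4-tuple.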

2. A restless point in a normal connection: the HTTP tunnel

Many users now run a personal HTTP server, which means the machine is bound to have port 80 open. That is perfectly normal, but who would suspect what can hide behind such an ordinary open port? Tunnel, a new technique that has brought grief to countless network administrators, turns a normal service into a powerful tool for the intruder.

When a tunnel has been planted on a machine, its HTTP port is "tunnelled": the data delivered to the WWW service program is also passed to the tunnel sitting behind it. The intruder pretends to browse the web (as far as the machine can tell) but sends specially crafted request data that conforms to the HTTP protocol. Both the tunnel and the WWW service receive it; because the requested page usually does not exist, the WWW service returns an HTTP 404 response, while the tunnel gets busy...

First the tunnel sends confirmation data to the intruder, reporting that the tunnel exists; then it immediately opens a new connection to solicit the intruder's attack data, processes the data the intruder sends in through the HTTP port, and finally carries out the action the intruder wants. Because this is a "normal" data exchange, the firewall sees nothing. But what if the target does not have port 80 open? Opening a port without authorisation is tantamount to suicide. The intruder will not forget that lovable NetBIOS port, however: port 139, open since time immemorial for file sharing, will carry the tunnel just as well. Tunnel technology raises backdoor concealment by a level, but that does not make it unassailable, because an experienced administrator will see through the unusual scene with a sniffer... The tunnel attack was defeated by the administrator, but a more terrible intrusion is being carried out in secret...
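As an added example that is not from the original article, the following detector looks for the pattern just described in a web server's own access log: one client collecting many 404 responses for distinct, long, high-entropy request paths, because the "page" it asks for is really the carrier for the tunnel's data. The NCSA common log format is assumed; the sample lines and the opaque query-string payloads are constructed, and the thresholds are assumptions.

```python
"""Spotting HTTP-tunnel traffic in a web server's access log.

Added example, not part of the original article. Assumes the NCSA common
log format; the sample below is constructed. The tunnel in the text rides
on requests for pages that do not exist, so the web server answers 404
while the tunnel process reads the payload smuggled in the request line.
From the server log alone that looks like one client accumulating 404s
for many distinct, high-entropy paths.
"""
import math
import re
from collections import Counter, defaultdict
from statistics import mean

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample: 10.0.0.9 browses normally (one honest typo);
# 203.0.113.7 drives a tunnel through requests for a non-existent page.
SAMPLE_LOG = """\
10.0.0.9 - - [01/May/2004:10:00:00 +0800] "GET /index.html HTTP/1.0" 200 2048
10.0.0.9 - - [01/May/2004:10:00:01 +0800] "GET /images/logo.gif HTTP/1.0" 200 4120
10.0.0.9 - - [01/May/2004:10:00:05 +0800] "GET /missing.html HTTP/1.0" 404 210
203.0.113.7 - - [01/May/2004:10:01:00 +0800] "GET /cgi/x.html?d=Q1RSTC1BQ0stMjAwNC0wNS0wMQ HTTP/1.0" 404 210
203.0.113.7 - - [01/May/2004:10:01:02 +0800] "GET /cgi/x.html?d=U0VRLTAwMDEtZGF0YS1ibG9jaw HTTP/1.0" 404 210
203.0.113.7 - - [01/May/2004:10:01:04 +0800] "GET /cgi/x.html?d=U0VRLTAwMDItZGF0YS1ibG9jaw HTTP/1.0" 404 210
203.0.113.7 - - [01/May/2004:10:01:06 +0800] "GET /cgi/x.html?d=U0VRLTAwMDMtZGF0YS1ibG9jaw HTTP/1.0" 404 210
203.0.113.7 - - [01/May/2004:10:01:08 +0800] "GET /cgi/x.html?d=RU5ELU9GLVNUUkVBTS0wNTAx HTTP/1.0" 404 210
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; base64-like payloads score well above ordinary file names."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_log(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_tunnel_clients(text: str, min_404: int = 4, min_entropy: float = 3.5) -> dict:
    """Return {client_ip: (distinct_404_paths, mean_entropy)} for clients whose
    404s look like a data channel rather than dead links (assumed thresholds)."""
    paths_404 = defaultdict(set)
    for rec in parse_log(text):
        if rec["status"] == "404":
            paths_404[rec["ip"]].add(rec["path"])

    suspects = {}
    for ip, paths in paths_404.items():
        if len(paths) < min_404:
            continue
        # Score the last path segment plus query string, where a tunnel hides its data.
        ent = mean(shannon_entropy(p.rsplit("/", 1)[-1]) for p in paths)
        if ent >= min_entropy:
            suspects[ip] = (len(paths), round(ent, 2))
    return suspects


if __name__ == "__main__":
    for ip, (count, ent) in find_tunnel_clients(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct 404 paths, mean entropy {ent} bits/char: possible HTTP tunnel")
```

Because the server answers 404 to the tunnel's requests, the tunnel's own reply travels on a separate connection it opens, so the log entries are indistinguishable from dead links except by volume and by what the "file names" look like; that is why the detector scores the paths rather than the response codes alone.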

3. Useless data transmission?

1. The thief under your nose: ICMP

ICMP, the Internet Control Message Protocol, carries the most common network messages of all. In recent years it has been used heavily for flooding attacks, but few people notice that ICMP is also quietly involved in the Trojan war... The most familiar ICMP message is the pathfinder, ping: actually an ICMP type 8 (echo request) datagram that asks the remote machine to answer with a type 0 (echo reply) saying "I'm online". But because an ICMP message can carry a data payload, it was destined to become the intruder's right-hand man. ICMP messages are handled inside the system kernel rather than by a program listening on a port, so they are treated with a trust that port-based traffic never gets. ICMP is like a relative of the kernel whom no doorman would stop, and so the old man with a basket on his arm walked right up to the president's door...

Using specially crafted ICMP messages to carry a backdoor's data has quietly become popular. This seemingly normal traffic passes under the firewall's supervision, and even an administrator who is an experienced master would not think that these "normal" ICMP messages were swallowing his machine. Someone might say: capture the packets and take a look. But in practice most of the ICMP packets that carry data are encrypted, so looking at them does not help much.

ICMP is not invincible, however. Some more experienced administrators simply forbid all ICMP traffic, so that this "relative" cannot get near the system at all. This breaks some of the system's normal functions, but to avoid being murdered by a relative one has to put up with it. The people closest to you, the ones you least suspect, are often the ones most able to kill you.

2. An abnormal postman: the IP header trick

We all know that the network is built on IP datagrams; everything has to deal with IP. But even the postman of the most basic IP datagram has been bought by the invaders, so this war will never stop... Why? Look at the structure of an IP datagram: it has two parts, the header and the body. The header holds the address information and identifying data, just like an envelope; the body is the familiar data, just like the letter inside. Every message is wrapped in an IP datagram. Usually we pay attention only to what is written on the letter and ignore whether the envelope has been coated with potassium cyanide. As a result many administrators have died of an illness they never thought to examine for...

This is caused by a flaw in the protocol specification, and it is not unique: the SYN attack is likewise the result of what the protocol specification allows. Both abuse the IP header. SYN uses fake envelopes (forged source addresses), whereas the "socket" Trojan smears poison on the unused blank parts of the envelope. The IP specification gives the header a variable length, with fixed fields for flags (express mail?) and room for additional option data (notes on the letter), and that leaves a few bytes of the header blank. Do not underestimate those blanks: they can carry highly toxic material. Such seemingly harmless letters are not intercepted by the doorman, yet the president dies in his office...

The intruder fills the blank in the IP header with a short piece of attack data, and sends several more "letters" if there is more data than fits. The bought postman on the victim's machine records the "superfluous" contents of each envelope, and when the pieces can be put together into an attack command, the attack begins...
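The two carriers described in this section, the ICMP echo payload and the spare bits of the IP header, are shown concretely below as one added example that is not part of the original article. It builds and parses both headers with Python's struct module, verifies the RFC 1071 checksum, scores an ICMP echo payload against the fill patterns stock ping utilities use (so that an encrypted payload of the kind the ICMP section mentions stands out), and splits a message across the 16-bit Identification field of successive IPv4 headers so that a receiving "postman" can reassemble it. The ping fill patterns, the entropy threshold and the choice of the Identification field as the header's "blank" are assumptions made here, not something the article specifies; addresses are RFC 5737 documentation addresses.

```python
"""Protocol headers as data carriers: ICMP echo payloads and the IPv4
Identification field. Added example, not from the original article.
Assumptions: Windows ping's 32-byte fill, iputils ping's 16-byte timestamp
followed by bytes equal to their own offset, an entropy threshold of 6 bits
per byte, and the Identification field as the header's "blank" carrier.
"""
import hashlib
import math
import struct
from collections import Counter


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


# ---- ICMP echo: type 8 request, type 0 reply, arbitrary payload ----
def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = 8) -> bytes:
    head = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(head + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes):
    """Return (type, ident, seq, payload); raise ValueError if truncated or corrupt."""
    if len(pkt) < 8 or inet_checksum(pkt) != 0:
        raise ValueError("truncated or corrupt ICMP packet")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return icmp_type, ident, seq, pkt[8:]


WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"      # assumed 32-byte Windows ping payload
LINUX_FILL = bytes(16) + bytes(range(0x10, 0x38))       # assumed iputils payload: timestamp, then 0x10, 0x11, ...
SAMPLE_COVERT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))  # constructed stand-in for encrypted data


def byte_entropy(data: bytes) -> float:
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_stock_ping(payload: bytes) -> bool:
    if payload == WINDOWS_FILL:
        return True
    # iputils: every byte after the 16-byte timestamp equals its own offset
    return len(payload) >= 24 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))


def classify_echo(pkt: bytes) -> str:
    icmp_type, _, _, payload = parse_echo(pkt)
    if icmp_type not in (0, 8):
        return "not-echo"
    if is_stock_ping(payload):
        return "stock-ping"
    if len(payload) > 1024 or byte_entropy(payload) > 6.0:
        return "suspicious"          # oversized, or encrypted/compressed-looking payload
    return "non-standard"


# ---- IPv4 header (20 bytes, no options) with Identification as the carrier ----
def _ip2int(addr: str) -> int:
    return struct.unpack("!I", bytes(int(x) for x in addr.split(".")))[0]


def build_ipv4(src: str, dst: str, ident: int, proto: int = 1, payload_len: int = 0) -> bytes:
    # version/IHL, TOS, total length, ID, flags+fragment offset (DF set), TTL, proto, checksum, src, dst
    fields = [0x45, 0, 20 + payload_len, ident, 0x4000, 64, proto, 0, _ip2int(src), _ip2int(dst)]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBHII", *fields))
    return struct.pack("!BBHHHBBHII", *fields)


def parse_ipv4(hdr: bytes) -> dict:
    ihl = (hdr[0] & 0xF) * 4 if hdr else 0
    if len(hdr) < 20 or hdr[0] >> 4 != 4 or ihl < 20 or inet_checksum(hdr[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    _, _, tlen, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBHII", hdr[:20])
    return {"ident": ident, "proto": proto, "src": src, "dst": dst, "total_len": tlen, "ttl": ttl}


def covert_send(msg: bytes, src: str = "203.0.113.7", dst: str = "192.0.2.10") -> list:
    """Two message bytes per datagram, carried in Identification; an odd tail is NUL-padded."""
    if len(msg) % 2:
        msg += b"\x00"
    return [build_ipv4(src, dst, struct.unpack("!H", msg[i:i + 2])[0]) for i in range(0, len(msg), 2)]


def covert_receive(headers, src: str = "203.0.113.7") -> bytes:
    """The bought 'postman': keep the Identification of every datagram from src and rebuild the message."""
    parsed = [parse_ipv4(h) for h in headers]
    return b"".join(struct.pack("!H", p["ident"]) for p in parsed if p["src"] == _ip2int(src)).rstrip(b"\x00")


if __name__ == "__main__":
    for name, payload in [("windows", WINDOWS_FILL), ("linux", LINUX_FILL), ("covert", SAMPLE_COVERT)]:
        print(name, "->", classify_echo(build_echo(0x1234, 1, payload)))
    hdrs = covert_send(b"hello from the envelope")
    print(len(hdrs), "datagrams carry:", covert_receive(hdrs))
```

The IPv4 side is deliberately the simplest form of the trick: every header is well-formed, checksums verify, and only the Identification values are unusual, which is exactly why a filter that checks "what is written on the letter" never sees it. The defender's counterpart to the article's advice is to look at the envelope too: fingerprint echo payloads against what ping actually sends, and treat header fields that decode to something meaningful as a finding.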

4. Conclusion

Backdoor technology has developed to the point where it is no longer a rigid machine-versus-machine war; backdoors have learned to test the humans. If defensive technology stays at simple inspection of the data, it will be routed by countless new backdoors. Real defence must have human management and operations at its core rather than relying on machine code alone, or your machine will be corroded beyond recognition...
