Discussion on backdoor Detection Technology

315 hack
 

First, we need to know what a backdoor program is?

The common explanation of "backdoors" on the Internet can be summarized in a very simple sentence: backdoors are stored in computer systems, you can control the computer system in some special way !! -Obviously, mastering backdoor technology is an indispensable basic skill for every network security enthusiast! It allows you to stick to bots and never fly out of your fingers!

Because of this, backdoor technology and anti-Backdoor detection technology have also become the focus of Hacker defense. The so-called "Know Yourself" and "Know Yourself" cannot be defeated. To understand anti-backdoor technology, we need to learn more about it.

Backdoor Classification

Backdoors can be classified by many methods. Different standards may be categorized by nature. To facilitate your understanding, we will consider the classification method of backdoors in terms of technology:

I have mentioned so many theoretical knowledge before. Do you think it's a little big? Let's talk about some common backdoor tools.

1. webshell

This type of backdoor program is generally used by normal web Services on the server to construct their own connection methods, such as the very popular ASP and cgi script backdoors.

Typical Backdoor programs: the top of the ocean, the personal version of the red powder beauty, and many versions of such Web backdoors are derived later. The programming languages asp, aspx, jsp, and php are various.

2. The thread inserts a backdoor.

You can use a service or thread of the system to insert a backdoor program into it. This backdoor does not have a process at runtime, and all network operations are carried into other application processes.

Typical Backdoor programs: BITS, and the xdoor (the first backdoor inserted by the process) that I saw in the security focus also belongs to the backdoor inserted by the process.

3. Extended Backdoor

In a general sense, the so-called extended backdoors can be seen as integrating a lot of functions into backdoors, allowing the backdoors themselves to implement many functions to facilitate direct control of bots or servers, these backdoors are very popular for beginners. They generally integrate functions such as file upload/download, System User Detection, HTTP access, terminal installation, port opening, start/stop services, etc, it is a small toolkit with powerful functions.

Typical backdoor program: Wineggdroup shell

4. C/S Backdoor

This Backdoor uses the ICMP channel for communication, so it does not open any port, but uses the system's ICMP packet for control and installation into the system service, and runs automatically upon startup, it can penetrate many firewalls-it is obvious that its biggest feature is that it does not open any ports ~ Only use ICMP control! Compared with any backdoor program above, its control mode is very special, and port 80 is not open, I have to admire the unique thinking angle and vision of business programming in this regard.

Typical backdoor program: ICMP Door

5. root kit

Many people think that rootkit is used as a tool to obtain the root access permission of the system. In fact, rootkit is a tool used by attackers to hide their traces and retain root access permissions. Generally, attackers obtain root access permissions through remote attacks, or obtain system access permissions by means of password guesses or forced password deciphering. After entering the system, if he has not yet obtained the root permission, then he can obtain the root permission of the system through some security vulnerabilities. Then, the attacker will install the rootkit In the compromised host, and then he will often use the rootkit backdoor to check whether other users have logged on to the system, the attacker began to clean up the relevant information in the log. Attackers can exploit this information to access other systems after obtaining the users and passwords of other systems through the rootkit sniffer.

Typical backdoor program: hacker defender

The above is my previous summary on the Internet. It is worth noting that these categories are not perfect yet and they have not yet pointed out the strength of backdoors.

I will continue to add some of the rare backdoor technologies I have seen when I updated the black base technical article.

6 BootRoot

By inserting third-party code to a technical project during Windows Kernel startup, it is "BootRoot ". The foreign organization eBye is using this new Rootkit startup technology and gives this technology and its derivatives-"BootKit ", that is, "Boot Rootkit ".

How does Mebroot implement MBR infection and operation?

Mebroot is started earlier than Windows, and then the driver code is inserted into the kernel for execution, bypassing the Defects Detected by registry HIVE. At the same time, the underlying technology used blinded most Anti-Rootkit tools-because it did not leave any startup projects in the system. Detection tools will naturally detect failures. Then, the user process is remotely injected through the DLL to open a backdoor for the system and download the Trojan to run. Under this non-traditional penetration idea, the anti-Rootkit tool cannot eradicate it.

Are you familiar with the above terrible backdoor knowledge?

Let's talk about how to detect backdoors.

1. Simple Manual Detection

All backdoors must be concealed and hidden. To find these programs, you need to carefully look for every possible suspicious location in the system, such as self-starting items. According to incomplete statistics, there are more than 80 self-starting projects.

Use AutoRuns to check system startup items. Observe the suspicious startup service and suspicious Startup Program path. For example, some common system paths are generally in system32. If the execution path is found in a non-system system32 directory
Notepad
System
Smss.exe
Csrss.exe
Winlogon.exe
Services.exe
Lsass.exe
Spoolsv.exe
Two such processes may have caused your computer to be poisoned.

If the webshell program is used to check recently modified files, some advanced webshell webshells support changing the creation and modification time to confuse administrators.

2. Backdoor detection with reverse connection

This type of backdoor listens to a specified fracture. to check this type of backdoor, you need to use the doscommand to enter netstat-an to listen to the local open port without opening any network connection page or firewall, check whether a local ip address is connected to an Internet ip address.

3. No connected system backdoor

For example, shift, magnifiers, and screen-preserving backdoors, these backdoors generally modify system files. Therefore, the method for detecting these backdoors is to compare their MD5 values such as sethc.exe (shift backdoors) the value detected by the encryption tool is

MD5: f09365c4d87098a209bd10d92e7a2bed

If the value is not equal to this value, it indicates it has been tampered.

4. CA Backdoor

A super administrator with a suffix of $ cannot view the user under dos, and the user group management does not display the user, manual check usually deletes the account key value in sam. Of course, be careful. If you have no experience, use tools. Of course, the CA may clone the guest user, so it is recommended that the server set a complex password for guest.

5. ICMP Backdoors

This type of backdoor is rare. To prevent this, you only need to set the default windows Firewall to allow only echo requests passed in By ICMP.

6. For rootkit

This type of backdoor is quite hidden. We can learn from a document on security focus that has a long history, in 1989, it was found that the first rootkit prototype on Unix that could filter its process to be viewed by the ps-aux command. Since then, this kind of advanced hidden tools have continued to develop and complete, and have been successfully applied to advanced backdoors in 94 years and become popular, keeping the leading position of backdoors, the latest Boot Root is also an advanced variant of the backdoor. In order to defend against such advanced backdoors, this type of scanning and removal tools also appeared in foreign countries. For example, the Dutch tool Gmer, Rootkit Unhooker, and RKU can detect and clear these RootKit including variants.