Vulnerability Development mailing list archives

Re: Interesting "hosts" & "services" issue


From: Daniel McCranie <dsmccran () VALDOSTA EDU>
Date: Fri, 11 Aug 2000 01:28:32 -0400

Put a bogus entry like the one below or many of them in the hosts
file.  When the user visits one of those popular domains make your backdoor
call home and tell you that it's safe to communicate.  Your traffic will
look like some kinda server at that domain.  Make your master listen on
port 80 so it looks even more like web traffic.  You could even go further
by hiding your commands in the actual HTTP protocol.

norealserver.somepopularserver.com     yourmaster

A thought, maybe already thought of before...

Dan


At 10:02 PM 8/8/2000, Bluefish wrote:
I was doing some thinking regarding how to make a backdoor program
somewhat harder to detect. This is mostly a Windows 95/98 issue as other
operating systems do offer some security :)

Anyway, I was thinking on ways to make the communication from the backdoor
to whoever is in control of it less obvious, and make the following
assumptions:
  1. user does not check that files such as WINDOWS\HOSTS are in order.
  2. user uses software such as netstat (or any other which by default
     relies on the HOSTS file), and does so without using the proper command
     line switches

Anyway, the obvious change of HOSTS is to add
    "xxx.xxx.xxx.xxx innocent.victim.com"

But a more interesting change would be
    "xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy"

Why's the latter preferable? Well, because in the first example e.g. a
traceroute might uncover the hoax, whereas the latter will, correctly, be
interpreted as an IP by traceroute...

Similarly, modifying WINDOWS\SERVICES might also simplify fooling a user.
Making something look like e.g. 205.188.5.233:5190 will make people think
the communication is merely ICQ...

Nothing in this mail is really any vulnerability, or a new one. The big
problem is that Windows 9x allows any program to do whatever it wants.
But of course, the numerous people using NT/2000 as administrator are
vulnerable to this as well. Although these tricks are rather obvious, it
might very well be the difference between a backdoor being found or not.
The user gets suspicious, but NETSTAT looks as it should, and the user
thinks [s]he is imagining things.
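Both HOSTS tricks discussed in this thread (a dotted-quad "hostname" that makes netstat print a fake address, and a popular domain pointed at an arbitrary IP) leave a visible trace in the file itself. The auditor below is an added example written for this archive page, not code from either poster; the sample HOSTS content and the list of domains to watch are constructed assumptions.

```python
import ipaddress

# Constructed sample HOSTS content (not from the original posts). It mixes
# legitimate lines with the two kinds of entry the thread describes.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# ordinary internal mapping
192.168.1.10    fileserver.corp.example
203.0.113.7     198.51.100.20
203.0.113.7     norealserver.somepopularserver.com   # bogus entry
"""


def parse_hosts(text):
    """Return (ip, [names]) per data line; drops blank lines and # comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            entries.append((fields[0], fields[1:]))
    return entries


def is_ip_literal(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_hosts(text, watched_domains):
    """Return (reason, ip, name) findings for suspicious HOSTS entries.

    ip-literal-alias : the name is itself an address, so a tool that resolves
                       names through HOSTS would print that address instead of
                       the real one (the xxx -> yyy trick).
    watched-domain   : a watched domain or subdomain is mapped to a
                       non-loopback address (the innocent.victim.com trick).
    unparseable-ip   : the first field is not a valid address at all.
    """
    findings = []
    for ip, names in parse_hosts(text):
        if not is_ip_literal(ip):
            findings.append(("unparseable-ip", ip, " ".join(names)))
            continue
        loopback = ipaddress.ip_address(ip).is_loopback
        for name in names:
            if is_ip_literal(name):
                findings.append(("ip-literal-alias", ip, name))
            elif not loopback and any(
                name == d or name.endswith("." + d) for d in watched_domains
            ):
                findings.append(("watched-domain", ip, name))
    return findings
```

Run `audit_hosts(open(path).read(), [...])` against the real file (for example `%SystemRoot%\system32\drivers\etc\hosts` on NT-based Windows) with your own list of domains; the `unparseable-ip` reason also catches a malformed line that a lookup library would silently skip.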