Vulnerability Development mailing list archives
Re: Interesting "hosts" & "services" issue
From: Daniel McCranie <dsmccran () VALDOSTA EDU>
Date: Fri, 11 Aug 2000 01:28:32 -0400
Put a bogus entry like the one below, or many of them, in the hosts file. When the user visits one of those popular domains, make your backdoor call home and tell you that it's safe to communicate. Your traffic will look like some kinda server at that domain. Make your master listen on port 80 so it looks even more like web traffic. You could even go further by hiding your commands in the actual HTTP protocol.

norealserver.somepopularserver.com yourmaster

A thought, maybe already thought of before...

Dan

At 10:02 PM 8/8/2000, Bluefish wrote:
I was doing some thinking regarding how to make a backdoor program somewhat harder to detect. This is mostly a Windows 95/98 issue, as other operating systems do offer some security :)

Anyway, I was thinking on ways to make the communication from the backdoor to whoever is in control of it less obvious, and make the following assumptions:

1. user does not check that files such as WINDOWS\HOSTS are in order.
2. user uses a software such as netstat (or any other which by default relies on the HOSTS file), and does so without using the proper command line switches

Anyway, the obvious change of HOSTS is to add "xxx.xxx.xxx.xxx innocent.victim.com"

But a more interesting change would be "xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy"

Why's the latter preferable? Well, because in the first example e.g. a traceroute might uncover the hoax, where the latter will, correctly, be interpreted as an IP by traceroute...

Similarly, modifying WINDOWS\SERVICES might also simplify fooling a user. Making something look like e.g. 205.188.5.233:5190 will make people think the communication is merely ICQ...

Nothing in this mail is really any vulnerability, or a new one. The big problem is that Windows 9x allows any program to do whatever they want. But of course, the numerous people using wNT/w2K as administrator are vulnerable to this as well.

Although these tricks are rather obvious, it might very well be the difference between a backdoor being found or not. The user gets suspicious, but NETSTAT looks as it should, and the user thinks [s]he is imagining things.
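A defender-side check for the HOSTS tampering discussed in this thread, as an added example that is not part of the original posts: it flags entries whose name is itself a dotted quad (the "xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy" form) and any name missing from an allowlist. The function name `audit_hosts`, the allowlist and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample HOSTS content (documentation addresses, not from the thread).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
192.0.2.10      198.51.100.7        # name that is itself a dotted quad
192.0.2.10      norealserver.example.com
203.0.113.5     intranet
not-an-ip       broken.example.com
"""

def _is_ip(text):
    """True if text parses as an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def audit_hosts(text, expected=frozenset({"localhost"})):
    """Return (line_no, reason, raw_line) for each entry worth a manual look."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if not _is_ip(addr):
            findings.append((no, "malformed address", raw))
            continue
        for name in names:
            if _is_ip(name):
                # A hostname shaped like an address makes resolving tools
                # print a fake IP that still looks numeric to the user.
                findings.append((no, "name looks like an IP address", raw))
            elif name.lower() not in expected:
                findings.append((no, "name not on the expected list", raw))
    return findings

if __name__ == "__main__":
    for no, reason, raw in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {reason}: {raw.strip()}")
```

Comparing the result with `netstat -n` output, which skips name resolution, gives a view of connections that edits to HOSTS and SERVICES do not alter.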