Backdoors

Prabhaker Mateti

Abstract: Vulnerabilities are of course "backdoors." In this lecture, we focus on how an attacker who has obtained access to a system carefully plants backdoors facilitating future visits. So-called rootkits also provide backdoors. These are discussed in a separate lecture.

Table of Contents

  1. Educational Objectives
  2. Backdoors
    1. Some Well Known Backdoors
    2. Backdooring Binary Objects
  3. Lab Experiment
  4. Acknowledgements
  5. References

Educational Objectives

  1. Present the backdoors installed once a system is compromised.
  2. Discover and disable backdoors.

Backdoors

The backdoors for most intruders provide two or three main functions.

  1. Be able to get back into a machine even if the administrator tries to secure it, e.g., changing all the passwords.
  2. Be able to get back into the machine with the least amount of visibility. Most backdoors provide a way to avoid being logged and many times the machine can appear to have no one online even while an intruder is using it.
  3. Be able to get back into the machine with the least amount of time. Most intruders want to easily get back into the machine without having to do all the work of exploiting a hole to gain access.

Vulnerabilities and pre-installed Trojans are of course "backdoors." In this lecture, we focus on how an attacker who has obtained access to a system carefully plants backdoors facilitating future visits. So-called rootkits also provide backdoors. These are discussed in a separate lecture.

Some Well Known Backdoors

Below we summarize some of the backdoors that have been in use.

  1. Login Backdoor: Install a modified login so that if you typed in the backdoor password, it would allow you to log in regardless of what the password really is. Such a backdoor grants access before the user is actually logged in and recorded in utmp and wtmp. To hide the backdoor password from commands like strings, the intruder can store it encrypted or otherwise obfuscated rather than as a plain literal.

  2. Services Backdoor: Almost every network service has at one time or another been backdoored by an intruder. Backdoored versions of finger, rsh, rexec, rlogin, ftp, even inetd, etc., have been floating around forever. These are programs that are nothing more than a shell connected to a TCP port with maybe a backdoor password to gain access. These programs sometimes replace a service like uucp that never gets used or they get added to the inetd.conf file as a new service.

    A normal in.telnetd does several checks, such as the setting of the environment variable named TERM (the terminal the user is using). Typically, the terminal setting might be xterm or vt100. An intruder could backdoor it so that when the terminal was set to, say, "letmein", it would spawn a shell without requiring any authentication.

  3. Cron backdoor: Cron on Unix schedules the running of certain programs according to a configuration file. An intruder could add a backdoor shell program to run between 1 AM and 2 AM. So, for 1 hour every night, the intruder could gain access. Intruders have also looked at legitimate programs that typically run as cron jobs and built backdoors into those programs as well.
  4. Library backdoors: Almost every UNIX system uses shared (*.so) libraries. The shared libraries are intended to reuse many of the same routines, thus cutting down on the size of programs. Some intruders have backdoored routines like crypt.o and _crypt.o. Programs like login use the crypt() routine, and if a backdoor password was used it would spawn a shell. Therefore, even if the administrator was checking the MD5 of the login program, it was still spawning a backdoor routine, and many administrators were not checking the libraries as a possible source of backdoors.

    Suppose we start doing MD5 checksums of almost everything. Attackers get around that by backdooring the open() library routine and the other file access routines. The backdoored routines are arranged to return the original file contents when read, but to execute the Trojan versions when run. Therefore, when the MD5 checksum program reads these files, the checksums always look good, but when the system runs the program, it executes the Trojan version. Even the Trojan library itself can be hidden from the MD5 checksums in this way. It is therefore necessary to statically link the MD5 checksum checker, and to be very sure of the loader.

  5. Kernel backdoors: The same method used for libraries for bypassing MD5 checksum could be used at the kernel level. Even a statically linked MD5 program cannot tell the difference.
  6. File system backdoors: An intruder will want to store their "loot" on the server while waiting for an opportune time to transport it away. To hide these rather large files from an administrator, an intruder may patch file system commands like "ls", "du", and "fsck" to hide the existence of certain directories or files. In one case, an intruder created a section on the hard drive in a proprietary format that was designated as "bad" sectors on the hard drive.
  7. Bootblock backdoors: In the PC world, many viruses hide within the boot block section, and most antivirus software will check to see if the boot block has been altered. On Unix, surprisingly, it is not typical to check the boot block; therefore some intruders have placed backdoors in the boot block area.

  8. Network traffic backdoors: There are many network backdoor programs that allow an intruder to listen on a chosen port number on a machine and gain access without ever going through the normal services. Because the traffic is going to a non-standard network port, the administrator can overlook the intruder's traffic. These network traffic backdoors typically use TCP, UDP, or ICMP, but they could use many other kinds of packets.

    Administrators can spot a TCP connection and notice the odd behavior, while UDP shell backdoors lack any connection, so netstat would not show an intruder accessing the machine. Many firewalls have been configured to allow UDP packets for services like DNS through. Many times, intruders will place the UDP shell backdoor on that port and it will be allowed to bypass the firewall.

  9. Encrypted Link: An administrator can set up a sniffer to see the data while someone suspicious is using a shell, but an intruder can add encryption to the network traffic backdoors, and it then becomes almost impossible to determine what is actually being transmitted between the two machines.

  10. Syntactic Problems in /etc/passwd: When parsing the uid/gid in the /etc/passwd file, most login(1) implementations fail to detect non-numeric characters in the uid/gid field, and the standard atoi(3) will return 0, giving super user privileges. Example:
    rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/bash
    On Linux boxes, this will give uid 0 to user rmartin.
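The cron backdoor of item 3 is one of the easier ones to look for from the defender's side. The following audit is an added illustration for this lecture, not code from the original notes: it parses lines in /etc/crontab format (minute, hour, day, month, weekday, user, command), flags programs that live outside the directories packaged software normally runs from, commands containing tokens typical of a network shell, and jobs that run every minute during one fixed hour (the "1 AM to 2 AM" pattern above). The list of trusted directories and suspicious tokens is an assumption to be tuned per site, and the crontab text is constructed, not taken from a real host.

```python
"""Audit /etc/crontab-style entries for jobs that look like planted backdoors.

Added illustration for this lecture, not code from the original notes.
The trusted-directory and suspicious-token lists are assumptions; the
crontab text below is constructed, not taken from a real host.
"""
import re
import shlex

# Directories a legitimately installed cron job normally runs from (assumption).
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
                "/usr/local/bin/", "/usr/local/sbin/", "/etc/cron.hourly/",
                "/etc/cron.daily/", "/etc/cron.weekly/", "/etc/cron.monthly/")

# Substrings that, inside a cron command, deserve a closer look.
SUSPICIOUS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/dev/tcp/", "/dev/udp/",
              "nc ", "ncat ", "socat ", "-e /bin/sh", "-e /bin/bash")

# minute hour day month weekday user command
JOB_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

SAMPLE_CRONTAB = """\
# constructed sample /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *  * * *  root    cd / && run-parts --report /etc/cron.hourly
25 6  * * *  root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
*  1  * * *  root    /var/tmp/.cache/.sh >/dev/null 2>&1
0  3  * * *  backup  /usr/local/bin/backup.sh
"""


def parse_crontab(text):
    """Yield one dict per job line; comments, blank lines and VAR=value are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = JOB_RE.match(line)
        if m is None:
            continue
        keys = ("minute", "hour", "dom", "month", "dow", "user", "command")
        yield dict(zip(keys, m.groups()))


def program_of(command):
    """Return the first word the shell would execute for this command."""
    try:
        words = shlex.split(command)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        words = command.split()
    for word in words:
        if "=" not in word:     # skip leading VAR=value assignments
            return word
    return words[0] if words else ""


def audit(text):
    """Return a list of (job, reasons) for every job that deserves review."""
    findings = []
    for job in parse_crontab(text):
        reasons = []
        prog = program_of(job["command"])
        if prog.startswith("/") and not prog.startswith(TRUSTED_DIRS):
            reasons.append("program outside trusted directories: " + prog)
        hits = [tok for tok in SUSPICIOUS if tok in job["command"]]
        if hits:
            reasons.append("suspicious token(s): " + ", ".join(hits))
        if job["minute"] == "*" and job["hour"].isdigit():
            reasons.append("runs every minute during hour %s" % job["hour"])
        if reasons and job["user"] == "root":
            reasons.append("runs as root")
        if reasons:
            findings.append((job, reasons))
    return findings


if __name__ == "__main__":
    for job, reasons in audit(SAMPLE_CRONTAB):
        print(job["user"], job["command"])
        for r in reasons:
            print("   -", r)
```

On the constructed sample only the /var/tmp job is reported, with all four reasons. Per-user crontabs (crontab -l) lack the user column, so the regular expression would need one fewer field for those; the rest of the logic is the same.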
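Items 4 and 5 turn on checksumming binaries and libraries against a known-good baseline. The following baseline-and-verify routine is an added illustration for this lecture, not code from the original notes; it uses SHA-256 rather than the MD5 of the notes and reports files that changed, disappeared or appeared under the given directories. The caveat from the notes applies to it directly: a Python interpreter is dynamically linked and reads files through libc's open(), so a backdoored library or kernel can feed it the original bytes. The comparison logic is what this shows; in practice the checker must be statically linked and run from trusted media. The demo directory and its files are constructed.

```python
"""Baseline-and-verify integrity check for system binaries and libraries.

Added illustration for this lecture, not code from the original notes.
The files written by demo() into a temporary directory are constructed.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots):
    """Map every regular file under the given directories to its digest."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                baseline[path] = sha256_of(path)
    return baseline


def verify(baseline, roots):
    """Compare the current tree against a stored baseline."""
    current = build_baseline(roots)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a fake lib directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "lib")
        os.makedirs(lib)
        for name, content in (("libc.so.6", b"original libc"),
                              ("libcrypt.so.1", b"original crypt")):
            with open(os.path.join(lib, name), "wb") as f:
                f.write(content)
        baseline = build_baseline([lib])
        # Simulate a trojaned crypt library and a newly dropped library.
        with open(os.path.join(lib, "libcrypt.so.1"), "wb") as f:
            f.write(b"trojaned crypt")
        with open(os.path.join(lib, "libevil.so"), "wb") as f:
            f.write(b"new file")
        report = verify(baseline, [lib])
        # Report basenames only, so the result does not depend on the temp path.
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline itself must be stored off the host (or signed), otherwise the same intruder who replaced a library can update the stored digests to match.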
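The atoi(3) problem of item 10 is easy to check for once the lenient conversion is spelled out. The checker below is an added illustration for this lecture, not code from the original notes: it re-implements atoi()'s behaviour (skip whitespace and a sign, convert the leading digits, return 0 if there are none) beside a strict parser, reports every uid/gid field where the two disagree, and, going slightly beyond the notes' example, lists any account other than root that resolves to uid 0. The passwd lines, including the rmartin entry from the notes, are constructed.

```python
"""Flag /etc/passwd entries whose uid/gid field would be misread by atoi(3).

Added illustration for this lecture, not code from the original notes.
The passwd lines below are constructed.
"""
import re

# atoi(): optional leading whitespace, optional sign, then as many digits as present
LEADING_INT = re.compile(r"^\s*[+-]?\d*")

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/bash
toor:x:0:0:maintenance:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def atoi_like(field):
    """Emulate C atoi(): convert the leading digits, return 0 when there are none."""
    prefix = LEADING_INT.match(field).group(0).strip()
    if prefix in ("", "+", "-"):
        return 0
    return int(prefix)


def strict_id(field):
    """Accept only an unsigned decimal integer; return None for anything else."""
    return int(field) if re.fullmatch(r"[0-9]+", field) else None


def audit_passwd(text):
    """Return a list of (username, problems) for entries that deserve review."""
    findings = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        fields = raw.split(":")
        name = fields[0]
        if len(fields) != 7:
            findings.append((name, ["expected 7 fields, found %d" % len(fields)]))
            continue
        uid_field, gid_field = fields[2], fields[3]
        problems = []
        for label, field in (("uid", uid_field), ("gid", gid_field)):
            if strict_id(field) is None:
                problems.append("%s field %r is not a plain number; atoi() would yield %d"
                                % (label, field, atoi_like(field)))
        # What a lenient login would actually use as the uid.
        if atoi_like(uid_field) == 0 and name != "root":
            problems.append("resolves to uid 0 but account is not root")
        if problems:
            findings.append((name, problems))
    return findings


if __name__ == "__main__":
    for name, problems in audit_passwd(SAMPLE_PASSWD):
        print(name)
        for p in problems:
            print("   -", p)
```

On the sample, rmartin is reported twice (non-numeric uid field, and the resulting uid 0) and toor once; the strict parser is what a login program should use, rejecting the entry instead of silently converting it.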

Backdooring Binary Objects

The article by [klog] describes methods of backdooring compiled object files by manipulating the binaries directly.

Lab Experiment

Acknowledgements

This article is based on [Klaus]. The details regarding wtmp and services can be found in Garfinkel and Spafford.

References

  1. Christopher Klaus, "Backdoors", Usenet news group article, 8/4/97. Reference.
  2. klog, Backdooring Binary Objects, Phrack Magazine, www.phrack.com Volume 0xa, Issue 0x38 05.01.2000 0x09[0x10] Recommended Reading.
  3. Van Hauser, Placing Backdoors Through Firewalls, April 1998, http://www.itsecurity.com/papers/p37.htm Required Reading after the Firewalls lecture.
  4. Yin Zhang, and Vern Paxson, "Detecting Backdoors", Proceedings of the 9th USENIX Security Symposium, Denver, Colorado, August 2000. Reference
  5. Simson Garfinkel, Gene Spafford, Chapter 10: Auditing and Logging, Practical Unix and Internet Security, 3rd edition (2003), O'Reilly & Associates; ISBN: 0596003234. Required Reading.

Open Content Copyright 2010 • pmateti@wright.edu