A white paper published by McAfee in 2005. All citations and credits for any part or content should be for McAfee. McAfee however holds no liability for anything in this blog since this blog is created by a third party without their express consent. This blog is created for academic purposes only.

Backdoors, Rootkits and HTTP Exploits

Backdoors

When attackers obtain root-level access to a server, for example through a buffer overflow exploit or a privilege escalation exploit, they will want to do two things:
1. Install a backdoor
2. Cover their tracks
Backdoors allow attackers to remotely access a system again in the future. For example, the attacker may have used a particular security hole to get root-level access to a computer. However, over time, that particular security hole may be closed, preventing the attacker from accessing the system again. In order to avoid being shut out in the future, attackers install backdoors. These backdoors take different forms, but all allow an attacker to access the server again without going through the standard login procedures and without having to repeat the attack that gave them access in the first place. 

Many worms install backdoors as a part of their malicious payload. Code Red II, for example, installed a backdoor that provided access to the C and D drives of the compromised Web server from anywhere on the Internet. Other common backdoor programs are NetBus and Back Orifice, which allow attackers to remotely control a compromised server.

Rootkits

Rootkits are used to cover an attacker’s tracks. If an attacker installs a backdoor or other malicious program, the system administrator may notice the new program and remove it, ending the hacker’s ability to access the system in the future. The goal of a rootkit is to disguise the existence of malicious programs on a system. 

By replacing certain system programs with modified versions of those same programs, rootkits mask the presence of backdoors or other malicious programs. For example, the UNIX program “ls” prints a directory listing of the file system. This would normally allow a system administrator to see files left by an attacker.

The rootkit installs a modified version of “ls” that displays all the files and programs in the directory except the backdoor program and any other files left by the attacker. This effectively masks the evidence of the system compromise. Rootkits generally replace “ls” as well as many other operating system programs to cover their tracks.

HTTP Exploits

HTTP exploits involve using the Web server application to perform malicious activities. These attacks are very common and are growing in popularity because firewalls typically block most traffic from the Internet to keep it away from corporate servers. However, HTTP traffic, used for Web browsing, is almost always allowed to pass through firewalls unhindered. Thus, attackers have a direct line to the Web server. If they can coerce the Web server into performing malicious activities, they can access resources that would otherwise be unavailable. 

New HTTP exploits appear quite frequently. Some recent exploits include the Unicode directory traversal exploit and the double hex encoding exploit. Directory traversal exploits use strings like “../../../” to access directories outside the normal webroot directory where Web content is stored. Since most Web servers will block URLs that contain “../”, attackers circumvent this protection by using special Unicode/hexadecimal encodings to represent the “../” pattern. By typing a properly crafted attack string into a Web browser, attackers can access other directories on the Web server. These other directories may contain confidential information, passwords, or other sensitive files. By using an HTTP exploit, attackers can access these files easily through a standard Web browser. Other HTTP exploits allow attackers to execute programs, alter system information, access registry keys, and perform other malicious activities.
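The reason the encoded variants get past a server-side filter is that the filter inspects the raw URL before decoding. The Python below is an added illustration (not from the white paper) of a naive literal-string check beside a hardened check that decodes repeatedly, canonicalizes the path against an assumed webroot of /var/www, and fails closed on byte sequences that do not decode; the request paths are constructed samples.

```python
from urllib.parse import unquote
import posixpath

WEBROOT = "/var/www"  # assumed document root for this example

# Constructed request paths (not from the white paper): a literal traversal,
# a hex-encoded one, a double-hex-encoded one, an overlong-UTF-8 one, and a
# benign request.
SAMPLE_REQUESTS = [
    "/scripts/../../private/config.txt",
    "/scripts/%2e%2e%2f%2e%2e%2fprivate/config.txt",
    "/scripts/%252e%252e%252f%252e%252e%252fprivate/config.txt",
    "/scripts/..%c0%af..%c0%afprivate/config.txt",
    "/images/logo.png",
]

def naive_blocks(url_path: str) -> bool:
    """The check the paper describes as common: reject only a literal '../'."""
    return "../" in url_path

def decode_fully(url_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    '%252e' ends up as '.' just like a single '%2e'. errors='strict' makes an
    invalid byte sequence such as the overlong '%c0%af' raise instead of being
    silently replaced with U+FFFD."""
    current = url_path
    for _ in range(max_rounds):
        nxt = unquote(current, errors="strict")
        if nxt == current:
            break
        current = nxt
    return current

def resolve(url_path: str) -> str:
    """Map the decoded request onto the filesystem and collapse '.' and '..'."""
    decoded = decode_fully(url_path).replace("\\", "/")
    return posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))

def hardened_blocks(url_path: str) -> bool:
    """Block when the canonical target leaves WEBROOT, or when the request
    cannot even be decoded cleanly (fail closed)."""
    try:
        target = resolve(url_path)
    except UnicodeDecodeError:
        return True
    return not (target == WEBROOT or target.startswith(WEBROOT + "/"))
```

The naive check passes every encoded sample; the hardened check rejects all four traversal attempts and still serves the benign image request.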