How Do We Stop Back Doors?
Most modern anti-virus software will quickly pick up backdoor software; however, very new Trojans or rootkits can easily be missed. In this instance, detection becomes much harder. (One lesson to take from this is that you should keep your anti-virus signature file as up to date as possible, to maximize the number of backdoors it can detect.)
Even if your anti-virus software doesn't identify a particular backdoor, analysis of network traffic and processor/memory utilization will usually yield some clues.
Once a computer has had a backdoor installed, it generally cannot be considered safe to use until it has been wiped and rebuilt from scratch. Take the machine off the network immediately (but do not power down, as that may remove evidence) and perform your forensic investigations. Once you have finished, power the machine down, boot from a write-protected clean floppy disk and remove all data & partitions from the system. Then reboot using your operating system install floppies or CD, and reinstall the operating system from scratch.
Backdoors are also one of the best reasons for ensuring your firewall rules are correctly configured. Someone installing a backdoor which listens for network connections can often set it up to listen on any unused TCP/IP port. Stick to the "deny by default" methodology and ensure that your firewall allows only the minimum required traffic to pass through it. Yes, this means denying access even to ports on which you know you are not running services, just in case someone else decides to start a bogus service on one of those ports. If an attacker configures their Trojan to listen for incoming connections on port 31337 and your firewall only allows traffic to pass on port 80, you're making it much harder for them to gain further access into your network.
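The two defensive ideas above (spotting a listener that does not belong, and a deny-by-default firewall that keeps such a listener unreachable even when the host itself is compromised) can be illustrated in a few dozen lines. The following is an added example and not code from CertiGuide or the Security+ material; the listener table, the baseline of expected services and the two firewall policies are all constructed for the demonstration, and the rule model (first matching rule wins, then the default policy) is a deliberate simplification of how a real packet filter behaves.

```python
"""Added example (not from the CertiGuide text): compare a host's listening
sockets against an expected baseline, then check which unexpected listeners a
perimeter firewall would actually let an outsider reach under an
allow-by-default versus a deny-by-default policy. All inputs are constructed."""
from dataclasses import dataclass

# Constructed sample in the shape of a `netstat -an` listing.
# Port 31337 is the port used in the page's own example of a Trojan listener.
SAMPLE_LISTENERS = """\
Proto Local Address     State
tcp   0.0.0.0:22        LISTEN
tcp   0.0.0.0:80        LISTEN
tcp   127.0.0.1:3306    LISTEN
tcp   0.0.0.0:31337     LISTEN
udp   0.0.0.0:123
"""

# Baseline of services this host is supposed to run (an assumption for the demo).
EXPECTED_LISTENERS = {("tcp", 22), ("tcp", 80), ("tcp", 3306), ("udp", 123)}


def parse_listeners(text):
    """Return a set of (proto, port) pairs for sockets bound on the host."""
    found = set()
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 2:
            continue
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])     # works for "0.0.0.0:22" style addresses
        found.add((proto, port))
    return found


def unexpected_listeners(observed, expected):
    """Sockets that are listening but not in the baseline: a clue worth chasing."""
    return sorted(observed - expected)


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Firewall:
    rules: tuple
    default: str  # "allow" or "deny"; the page recommends "deny"

    def inbound_allowed(self, proto, port):
        """First matching rule wins; otherwise the default policy applies."""
        for r in self.rules:
            if r.proto == proto and r.port == port:
                return r.action == "allow"
        return self.default == "allow"


def reachable_from_outside(fw, listeners):
    """Of the given listeners, which could an external client connect to?"""
    return sorted((p, port) for p, port in listeners if fw.inbound_allowed(p, port))


# Weak configuration: a couple of explicit blocks, everything else allowed.
PERMISSIVE_FW = Firewall(rules=(Rule("tcp", 23, "deny"),), default="allow")
# Recommended configuration: only the web service allowed, everything else denied.
DENY_BY_DEFAULT_FW = Firewall(rules=(Rule("tcp", 80, "allow"),), default="deny")


def exposure_report(text=SAMPLE_LISTENERS, expected=EXPECTED_LISTENERS):
    """Unexpected listeners, and how many of them each policy leaves reachable."""
    observed = parse_listeners(text)
    suspicious = unexpected_listeners(observed, expected)
    return {
        "unexpected": suspicious,
        "reachable_permissive": reachable_from_outside(PERMISSIVE_FW, suspicious),
        "reachable_deny_default": reachable_from_outside(DENY_BY_DEFAULT_FW, suspicious),
    }


if __name__ == "__main__":
    for key, value in exposure_report().items():
        print(f"{key}: {value}")
```

Run as a script, the report flags tcp/31337 as the one listener outside the baseline, shows it reachable under the permissive policy, and shows it unreachable under deny by default, which is the whole point of the page's advice: the baseline comparison finds the backdoor, and the firewall policy limits the damage until it is found.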
Before leaving rootkits, the title "Exploiting Software: How to Break Code" (Addison-Wesley/Pearson Higher Education, February 2004) does mention one scary thought. "It turns out that on the motherboard of a typical PC there are many megabytes of unused EPROM memory sitting around," he explained. "And if you rewrite interrupt tables properly, you can place malicious code on the motherboard that will never go away, way down there. I found working on that fascinating and downright scary. If you get rooted by somebody who's really serious about it, they could hide the rootkit so low that, unless you replace the motherboard, you're owned forever." [71]
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.