CertiGuide to Security+
Chapter 1: General Security Concepts (Domain 1.0; 30%)
1.4 Attacks
1.4.2 Backdoors


How Do We Stop Back Doors?

Most modern anti-virus software will quickly pick up backdoor software; however, very new Trojans or rootkits can easily be missed, and in that case detection becomes much harder. (One lesson to take from this is that you should keep your anti-virus signature file as up-to-date as possible, to maximize the number of backdoors it can detect.)

Even if your anti-virus software doesn’t identify a particular backdoor, analysis of network traffic and processor/memory utilization will usually yield some clues.

Once a computer has had a backdoor installed, it generally cannot be considered safe to use until it has been wiped and rebuilt from scratch. Take the machine off the network immediately (but do not power down, as that may remove evidence) and perform your forensic investigations. Once you have finished, power the machine down, boot from a write-protected “clean” floppy disk and remove all data & partitions from the system. Then reboot using your operating system install floppies or CD, and reinstall the operating system from scratch.

Infection = Nuke ‘em

The safest way to recover when you find out that one of your systems has had a back door installed is to completely wipe that system’s disk and reinstall the OS, after taking the machine off the network and performing whatever forensics are required. Doing anything less than that risks leaving some remnant of the back door, or the means used to install it, on your system and leaves the system more open to attack.


Backdoors are also one of the best reasons for ensuring your firewall rules are correctly configured. Someone installing a backdoor which listens for network connections can often set it up to listen on any unused TCP/IP port. Stick to the “Deny by default” methodology and ensure that your firewall allows only the minimum required traffic to pass through it. Yes, this means denying access even to ports on which you “know” you are not running services – just in case someone else decides to start a bogus one up on one of those ports. If an attacker configures their Trojan to listen for incoming connections on port 31337 and your firewall only allows traffic to pass on port 80, you’re making it much harder for them to gain further access into your network.

Before leaving rootkits, the title "Exploiting Software: How to Break Code" (Addison-Wesley/Pearson Higher Education, February 2004) does mention one scary thought. "It turns out that on the motherboard of a typical PC there are many megabytes of unused EPROM memory sitting around," he explained. "And if you rewrite interrupt tables properly, you can place malicious code on the motherboard that will never go away way down there. I found working on that fascinating and downright scary. If you get rooted by somebody who's really serious about it, they could hide the rootkit so low that, unless you replace the motherboard, you're owned forever."71

netstat –a to the rescue

Is your system running any of the common backdoor programs? Take the list of “netstat –a” results that you generated earlier and inspect it for known backdoor ports per the list in the SANS Intrusion Detection FAQ.72 And that won’t help you if the NT Root Kit referenced in the footnote is installed.73
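As an added example (not part of the CertiGuide text), the script below automates the two checks described above: it parses “netstat –a” output and reports any listening socket that is not on your allow-list of expected services (the same deny-by-default thinking as the firewall paragraph), and separately any listener sitting on a known backdoor port. The sample netstat output, the allow-list, and the one-entry backdoor list (31337, taken from the text) are constructed for this example; in practice the backdoor list comes from the SANS FAQ cited above.

```python
import re

# Constructed sample of "netstat -a" output in the Windows column layout.
# Not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.20:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Services this host is expected to offer (constructed allow-list; a real one
# comes from your own service inventory, not from this example).
EXPECTED_LISTENERS = {("TCP", 80), ("TCP", 135), ("UDP", 137)}

# Ports associated with known backdoors. Only 31337 (from the text) is listed
# here; load the full list from the SANS Intrusion Detection FAQ in practice.
KNOWN_BACKDOOR_PORTS = {31337}

# proto, local address, local port, foreign address, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_output):
    """Return a set of (proto, port) for sockets that accept inbound traffic.
    TCP sockets count only in LISTENING state; every bound UDP socket counts."""
    listeners = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a line we do not understand
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        listeners.add((proto, int(port)))
    return listeners


def audit_listeners(netstat_output, expected=EXPECTED_LISTENERS,
                    backdoor_ports=KNOWN_BACKDOOR_PORTS):
    """Deny-by-default audit: anything not explicitly expected is reported,
    and anything on a known backdoor port is called out separately."""
    listeners = parse_listeners(netstat_output)
    return {
        "unexpected": sorted(listeners - expected),
        "known_backdoor": sorted(l for l in listeners if l[1] in backdoor_ports),
    }


if __name__ == "__main__":
    print(audit_listeners(SAMPLE_NETSTAT))
```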



 __________________

71. http://www.adtmag.com/print.asp?id=9260

72. “SANS Intrusion Detection FAQ,” http://www.sans.org/resources/IDFAQ/oddports.php

73. http://www.megasecurity.org/Tools/Nt_rootkit_all.html



CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.