Backdoors come with a common set of functionality, such as the ability to manipulate registry keys, enumerate display windows, create directories, search files, and so on. You can determine which of these features is implemented by a backdoor by looking at the Windows functions it uses and imports. See for a list of common functions and what they can tell you about a piece of malware.
When Netcat is used as a reverse shell, the remote machine waits for incoming connections using the following:
The multithreaded version of a Windows reverse shell involves the creation of a socket, two pipes, and two threads (so look for API calls to CreateThread and CreatePipe). This method is sometimes used by malware authors as part of a strategy to manipulate or encode the data coming in or going out over the socket. CreatePipe can be used to tie together the read and write ends of a pipe, such as standard input (stdin) and standard output (stdout). The CreateProcess method can be used to tie the standard streams to pipes instead of directly to the sockets. After CreateProcess is called, the malware will spawn two threads: one for reading from the stdin pipe and writing to the socket, and the other for reading the socket and writing to the stdout pipe. Commonly, these threads manipulate the data using data encoding, which we’ll cover in . You can reverse-engineer the encoding/decoding routines used by the threads to decode packet captures containing encoded sessions.
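The text above suggests inferring a backdoor's features from the Windows functions it imports, and describes the multithreaded reverse shell as a combination of socket, pipe, process and thread APIs. The following added example (not code from the book) turns that into a small triage script: it takes an import listing in an assumed "DLL!Function" one-per-line format, as you might transcribe from a PE viewer, and reports which features the imports suggest, treating the reverse-shell pattern as a composite rule rather than a single API. The sample listings are constructed.

```python
import re

# Single imports that hint at common backdoor features (real Win32 API names).
FEATURE_HINTS = {
    "registry manipulation": {"RegOpenKeyExA", "RegOpenKeyExW",
                              "RegSetValueExA", "RegSetValueExW",
                              "RegCreateKeyExA", "RegCreateKeyExW"},
    "window enumeration": {"EnumWindows", "FindWindowA", "FindWindowW"},
    "directory creation": {"CreateDirectoryA", "CreateDirectoryW"},
    "file search": {"FindFirstFileA", "FindFirstFileW",
                    "FindNextFileA", "FindNextFileW"},
}

# Composite pattern for the multithreaded reverse shell: a socket API plus
# CreatePipe, CreateProcess and CreateThread all present together.
SOCKET_APIS = {"socket", "connect", "WSASocketA", "WSASocketW", "WSAConnect"}
CREATE_PROCESS = {"CreateProcessA", "CreateProcessW"}
PIPE_AND_THREAD = {"CreatePipe", "CreateThread"}


def parse_imports(listing):
    """Return the set of bare function names from 'DLL!Function' lines."""
    names = set()
    for line in listing.splitlines():
        m = re.match(r"\s*[\w.]+!(\w+)\s*$", line)
        if m:
            names.add(m.group(1))
    return names


def triage(listing):
    """Map an import listing to the backdoor features it suggests (sorted)."""
    names = parse_imports(listing)
    found = {feat for feat, apis in FEATURE_HINTS.items() if names & apis}
    if (names & SOCKET_APIS) and (names & CREATE_PROCESS) \
            and PIPE_AND_THREAD <= names:
        found.add("multithreaded reverse shell")
    return sorted(found)


# Constructed sample: the pipe/thread reverse-shell pattern plus file search
# and registry writes, as a hypothetical backdoor's import table might show.
SAMPLE_SHELL = """KERNEL32.dll!CreatePipe
KERNEL32.dll!CreateProcessA
KERNEL32.dll!CreateThread
KERNEL32.dll!FindFirstFileA
KERNEL32.dll!FindNextFileA
ADVAPI32.dll!RegSetValueExA
WS2_32.dll!socket
WS2_32.dll!connect
"""

if __name__ == "__main__":
    print(triage(SAMPLE_SHELL))
```

Dropping CreateThread from the listing makes the composite rule stop firing while the single-API hints remain, which is the point of checking the combination rather than any one function.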
A botnet is a collection of compromised hosts, known as zombies, that are controlled by a single entity, usually through the use of a server known as a botnet controller. The goal of a botnet is to compromise as many hosts as possible in order to create a large network of zombies that the botnet uses to spread additional malware or spam, or perform a distributed denial-of-service (DDoS) attack. Botnets can take a website offline by having all of the zombies attack the website at the same time.
There are a few key differences between botnets and RATs:
Botnets have been known to infect and control millions of hosts. RATs typically control far fewer hosts.
All the hosts in a botnet are controlled at once. RATs are controlled on a per-victim basis because the attacker is interacting with the host at a much more intimate level.
RATs are used in targeted attacks. Botnets are used in mass attacks.