Cybersecurity: Backdoors and Threats

Questions and Answers

Which of the following accurately describes Kernel-Level RootKits?

• They can completely hide specific processes and redirect execution. (correct)
• They operate solely by modifying application-level processes.
• They create user accounts to access the system remotely.
• They are limited to altering user-level applications.

What is a common characteristic of application-level Trojans?

• They modify critical OS components to gain access.
• They run as separate programs on the target system. (correct)
• They require kernel-level access to operate effectively.
• They function independently without a user interface.

In the context of network security threats, what is one main function of keyloggers?

• They encrypt network traffic to ensure privacy.
• They block unauthorized access to network resources.
• They monitor bandwidth usage for analysis.
• They capture keystrokes to gather sensitive information. (correct)

How can attackers implement a Kernel-Level RootKit?

By patching the kernel image on the hard drive. (D)

What analogy is used to describe traditional backdoor Trojans?

Swapping good noodles with poisoned ones. (A)

What does the application-level Trojan horse provide to an attacker?

Complete control over the victim’s machine (C)

Which method is commonly used to trick a user into installing a Trojan?

Embedding backdoor applications in innocent-looking programs (A)

What is the primary function of a kernel-level RootKit?

To enable hidden access by modifying the operating system kernel (D)

Which tool can help detect the presence of an application-level Trojan horse?

Antivirus tools that check for specific fingerprints (B)

What is a significant drawback of EXE wrappers used by Trojans?

They may cause false positives in anti-virus applications. (D)

Which of the following is NOT a recommended defense against application-level Trojans?

Use single-purpose checkers for specific threats. (A)

What role does the XAMPP Control Panel play in the Weevely backdoor process?

It serves as the server environment for the backdoor. (D)

What is a common characteristic of traditional RootKits?

They conceal the presence of malware within critical OS components. (D)

What distinguishes application-specific key loggers from system key loggers?

They only record keystrokes for a specific application. (C)

Which type of trojan is categorized as a rootkit?

A malware that provides remote access to a computer. (B)

What is a significant vulnerability of hardware keyboard loggers?

They need physical access to the target machine. (C)

What is one primary function of key logger software?

To monitor and record clipboard activities. (A)

In terms of security threats, what is a key characteristic of kernel-level rootkits?

They modify core operating system components. (D)

How can collected information from a key logger be transmitted to an attacker?

Via email, LAN, or FTP. (A)

What aspect differentiates 'non-promiscuous' from 'promiscuous' backdoors?

Promiscuous backdoors allow unrestricted access from any remote host. (D)

What function does the Key Logger Pro have that is limited in the free version?

Monitoring clipboard activities. (C)

Flashcards

Kernel-Level Rootkit

A type of malware that modifies the operating system's kernel to provide attackers with access and control.

Trojan Backdoor (Application-Level)

A type of Trojan horse malware that installs a separate program on the system; separate from core OS

Kernel Modification

Altering the core of an operating system, providing attackers full control of the system.

Hiding Processes/Files

A key feature of rootkits; keeping certain processes, files, and folders hidden from normal view.

Loadable Kernel Module

One method of implementing a kernel-level rootkit, adding new kernel components to the OS.

Trojan Horse Backdoor

A program that appears harmless but secretly gives an attacker access to a computer system.

EXE Wrappers

Files packed into an executable archive that can execute other programs, potentially hidden from the user.

Application Level Trojan Horse

A program installed separately from the operating system that provides backdoor access to the system.

Rootkit

A program that modifies the operating system or core executables to create backdoors and hide malicious activity.

Weevely

A web-based backdoor application that allows attackers to access and control a compromised system remotely.

Firewall Port Opening

Allowing network traffic to flow through a specific port on the system's firewall.

Compromised Machine Access

Gaining control over a victim's computer or server through malicious software.

Digital Signatures

A method for verifying that a program or file is authentic and hasn't been tampered with.

Key Logger

Software that records keystrokes to capture user input.

Application-Level Key Logger

A key logger that records keystrokes only within a specific application.

System Key Logger

Records all keystrokes from a user or all users.

Hardware Key Logger

A physical device placed between the keyboard and computer to log keystrokes.

Key Logger Pro

A (likely) specific key logger program, its details are given in the document.

Actual Key Logger

A key logger program with functions including network activity capture and screenshots.

Trojan

Malicious software that disguises itself as legitimate software.

Rootkit

A type of malware that hides itself in the operating system.

Study Notes

Backdoors

• Backdoors are access points created to bypass security.
• They can arise from system vulnerabilities.
• Attackers sometimes install them on compromised systems for later use.
• Common in advanced persistent threats.
• Effective backdoors are hidden or disguised.

Real World Examples

• Debugging backdoor left in sendmail wizard.
• Trojan planted by Code Red worm.
• Etumbot APT backdoor (affected numerous media outlets, companies, and governments).
• Hikit backdoor (used in cyber espionage, targeting U.S. defense contractors).
• Dridex Trojan backdoor (targeting online banking users in Romania, August 2015).

Non-promiscuous and Promiscuous Backdoors

• Non-promiscuous sniffers target a specific target.
• Promiscuous sniffers monitor all network traffic.

Netcat Demo

• Netcat is a versatile tool.
• It allows reading and writing to TCP/UDP ports.
• Installation is on the victim machine.
• An attacker can connect to and interact with it.
• A shell can be executed to access victim internals.
• Remote access is possible to run a shell on the victim's machine.
• File transfers are performed using Netcat.

Trojans

• Trojans are malicious programs disguised as legitimate software.
• They are used to gain unauthorized access.
• Trojans typically aim to take victim computer control, steal data and other malicious activities.
• Trojans use stealthy installation and background execution.
• They access sensitive information without user consent

ProRat Trojan

• Downloadable software tool for remote access and control.
• ProRat is available for download.
• Create a server to enable remote control.
• A password is necessary for remote access.

Weevely Web Backdoor Demo

• Weevely is a web backdoor.
• The code for Weevely can be found on GitHub.
• The code for operating the backdoor is found on GitHub.

Rootkits Overview

• Traditional Rootkits
• Critical operating system executables are replaced.
• Backdoors are created to facilitate hiding the system.
• Kernel-Level Rootkits
• Operating system kernel is modified allowing backdoors.
• Backdoors and stealth capabilities are more in Kernel-Level Rootkits compared to App-Level Rootkits.

Contemporary Rootkit Developments

• Tools allow attackers to maintain root-level access.
• They hide evidence of system compromise.
• Replacing key operating system components allows for backdoor access.

Keyloggers

• Keyloggers record user keystrokes.
• Application-specific keyloggers only record keystrokes for a given application.
• System keyloggers record all keystrokes for a target system (or one user).
• Hardware keyloggers physically intercept keystrokes.

Key Logger Pro

• Software tool to record keystrokes and other system activities.
• It requires enabling a particular key combination.
• Software can provide a list of keystrokes in a report.

Actual Key Logger

• A software program used to capture keystrokes.
• It can send data via networks including email and FTP.
• The software captures keyboard and internet information.
• It can automatically capture screenshots at regular intervals.

Description

This quiz covers the concept of backdoors in cybersecurity, including how they are created, their real-world examples, and types of sniffers. Explore various scenarios involving advanced persistent threats and tools like Netcat that are used to exploit vulnerabilities.