Or for that matter any other kind of direct connection. So basically yeah it’s a backdoor over which you have no realtime control. Realtime is overrated anyways and people are way to attached to direct control of their backdoors. Let’s think about the following scenario for a minute:
You want to steal information, have as much (and long term) control as possible and avoid anomaly detection on the wire. Preferably avoid locally installed firewalls, possibly without administrator/root privileges.
How would you go about that? I assume most responses to that question will be along the lines of:
- behave like normal traffic
- don’t have a direct connection, spawn one when needed
- use connectionless protocols
- sniffing the wire
All good and well, but they would still require the backdoor to initiate a connection to the attacker or vice versa. So let’s just choose the most obvious answer to the question: avoid any kind of direct connection to and from the backdoor. So ehhh how would you communicate with your backdoor then? Let’s again choose the obvious and easy answer: have others do the dirty work for you. Just concern yourself(the backdoor) with the really important stuff which is data. So let’s define how our connectionless backdoor should work:
Monitor any file or stream which contains data that the attacker would be able to indirectly manipulate and for which the rights of the backdoor are high enough to read or manipulate.
So practically what does this mean? That as an attacker you must know your target and be able to control his environment somewhat. Here are a few examples for sending data to the backdoor:
- Create an account on the same forum as your target and have a dynamic signature which sets and receives cookies.
- Email him asking a normal question and embed the command in your signature or email text
- Upload a game to a website the target usually plays games on and have it create
Here are a few example for sending data from the backdoor to the attacker:
- Edit the cookies to send information back, the browser will handle the connection and firewall for you
- Embed the data in all pictures on the computer eventually they will get uploaded somewhere
- Adjust attachments of email in the draft folder
- Adjust his bookmarks
Well you get the drift, it depends a lot on the privileges the backdoor has and the files it can access. Creativity will be your best buddy when implementing/using this backdoor. Just make sure your continuous file monitoring or wire sniffing doesn’t slow down the whole computer, cause that will surely alert the target.
Of course you can loosen up a bit and only use the connectionless technique to send commands which include a postback url and have the backdoor post it’s results to the given url. This of course brings the firewall problem back into the equation. It would also make the backdoor a lot less stealthy just like the traditional sniffing the wire based backdoors (ex: SniffDoor, Silent Backdoor, trixd00r).
Like you have probably concluded by now, it isn’t the most efficient backdoor, but it sure would be very stealthy. It makes an excellent candidate to have long term access to a compromised target. Yes the initial planting of this backdoor is it’s weakest point. The detection of the backdoor based on traffic however would be pretty difficult, since it generates none.
3 thoughts on “connectionless backdoor idea, doesn’t use tcp/udp”
Haven’t attempted it just, only did a quick POC to test the cookie based idea.
This sounds pretty cool, have you attempted to write one?
Thanks for your thread, but seems Trixd00r would need a good thread in setup/configure from you, as i like your blog, but need to know more info in how to setup this trixd00r :- /