connectionless backdoor idea, doesn’t use tcp/udp

Posted: February 10, 2012 in midnight thoughts
Tags: , , , , , ,

Or for that matter any other kind of direct connection. So basically yeah it’s a backdoor over which you have no realtime control. Realtime is overrated anyways and people are way to attached to direct control of their backdoors. Let’s think about the following scenario for a minute:

You want to steal information, have as much  (and long term) control as possible and avoid anomaly detection on the wire. Preferably avoid locally installed firewalls, possibly without administrator/root privileges.

How would you go about that? I assume most responses to that question will be along the lines of:

  • behave like normal traffic
  • don’t have a direct connection, spawn one when needed
  • use connectionless protocols
  • sniffing the wire

All good and well, but they would still require the backdoor to initiate a connection to the attacker or vice versa. So let’s just choose the most obvious answer to the question: avoid any kind of direct connection to and from the backdoor. So ehhh how would you communicate with your backdoor then? Let’s again choose the obvious and easy answer: have others do the dirty work for you. Just concern yourself(the backdoor) with the really important stuff which is data. So let’s define how our connectionless backdoor should work:

Monitor any file or stream which contains data that the attacker would be able to indirectly manipulate and for which the rights of the backdoor are high enough to read or manipulate.

So practically what does this mean? That as an attacker you must know your target and be able to control his environment somewhat. Here are a few examples for sending data to the backdoor:

  • Create an account on the same forum as your target and  have a dynamic signature which sets and receives cookies.
  • Email him asking a normal question and embed the command in your signature or email text
  • Upload a game to a website the target usually plays games on and have it create

Here are a few example for sending data from the backdoor to the attacker:

  • Edit the cookies to send information back, the browser will handle the connection and firewall for you
  • Embed the data in all pictures on the computer eventually they will get uploaded somewhere
  • Adjust attachments of email in the draft folder
  • Adjust his bookmarks

Well you get the drift, it depends a lot on the privileges the backdoor has and the files it can access. Creativity will be your best buddy when implementing/using this backdoor. Just make sure your continuous file monitoring or wire sniffing doesn’t slow down the whole computer, cause that will surely alert the target.

Of course you can loosen up a bit and only use the connectionless technique to send commands which include a postback url and have the backdoor post it’s results to the given url. This of course brings the firewall problem back into the equation. It would also make the backdoor a lot less stealthy just like the traditional sniffing the wire based backdoors (ex: SniffDoorSilent Backdoortrixd00r).

Like you have probably concluded by now, it isn’t the most efficient backdoor, but it sure would be very stealthy. It makes an excellent candidate to have long term access to a compromised target. Yes the initial planting of this backdoor is it’s weakest point. The detection of the backdoor based on traffic however would be pretty difficult, since it generates none.

Advertisements
Comments
  1. diablohorn says:

    Haven’t attempted it just, only did a quick POC to test the cookie based idea.

  2. m46 says:

    This sounds pretty cool, have you attempted to write one?

  3. j0j01 says:

    Thanks for your thread, but seems Trixd00r would need a good thread in setup/configure from you, as i like your blog, but need to know more info in how to setup this trixd00r :- /

    ^r1z

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s