Security Incidents mailing list archives
Re: "closed-port" backdoors
From: Frank Knobbe <FKnobbe () KNOBBEITS COM>
Date: Thu, 22 Mar 2001 00:06:34 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If the back door is capable of detecting SYNs, then I would guess it is running the NIC in promiscuous mode. Instead of opening a port with sockets, why not just do the whole communication in promiscuous mode? In that case there would be no 'open' port, but the trojan would still listen. Using this technique, the trojan can speak more than just TCP/UDP; it can invent its own IP protocol :)

A trojan that listens in promiscuous mode for certain packets, and then opens a standard socket, seems to be a lame trojan...

Regards,
Frank
-----Original Message-----
From: Andreas Hasenack [mailto:andreas () CONECTIVA COM BR]
Sent: Wednesday, March 21, 2001 2:04 PM

Has somebody seen in the wild a type of backdoor where no ports are open until a specific set of packets are sent to the machine? For example, the backdoor would only bind to port X if the machine receives SYN packets to three other ports in sequence. I've seen code to do this (and sorry if it's not new), but I haven't seen rootkits using it.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOrmWapytSsEygtEFEQK9zACgwKYjR156i5qb5VTYixrMEqC6Zx4AoL6+
PcVB/14JTOVTCxAPpZPaMSnH
=cGQL
-----END PGP SIGNATURE-----
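The trigger-on-sniffed-packets scheme the two messages above discuss (SYNs to three ports in sequence, seen on the wire rather than on a bound socket), as an added example that is not code from the original thread. It is plain Python with no scapy: the Ethernet/IPv4/TCP parsing is done by hand, the per-source knock state machine is fed constructed frames, and the knock ports 1111/2222/3333, the 10 s window and the addresses are all hypothetical. Attaching it to a real capture socket (AF_PACKET on Linux) is deliberately left out so it runs offline; the same parser and state machine is what an IDS signature for this kind of trigger needs.

```python
"""Knock-sequence trigger detection over raw frames (added example, constructed input)."""
import struct
import time

KNOCK_PORTS = (1111, 2222, 3333)   # hypothetical trigger sequence, in order
KNOCK_WINDOW = 10.0                # seconds allowed for the whole sequence


def parse_tcp_syn(frame):
    """Return (src_ip, dst_port) if frame is an IPv4 TCP SYN (not SYN/ACK), else None."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:     # EtherType IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                          # version 4, proto TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    src_ip = ".".join(str(b) for b in ip[12:16])
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    _sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    flags = off_flags & 0x01FF
    if flags & 0x02 and not flags & 0x10:                      # SYN set, ACK clear
        return src_ip, dport
    return None


class KnockTracker:
    """Per-source state machine: fires once the ports are knocked in order within the window."""

    def __init__(self, ports=KNOCK_PORTS, window=KNOCK_WINDOW, now=time.monotonic):
        self.ports, self.window, self.now = ports, window, now
        self.state = {}      # src_ip -> (index of next expected port, time of first knock)

    def feed(self, frame):
        """Return True when this frame completes the sequence for its source."""
        parsed = parse_tcp_syn(frame)
        if parsed is None:
            return False
        src, dport = parsed
        t = self.now()
        idx, start = self.state.get(src, (0, t))
        if idx and t - start > self.window:
            idx = 0                           # sequence took too long; forget it
        if dport == self.ports[idx]:
            if idx == 0:
                start = t
            idx += 1
            if idx == len(self.ports):
                self.state.pop(src, None)
                return True
            self.state[src] = (idx, start)
        elif dport == self.ports[0]:
            self.state[src] = (1, t)          # wrong port, but a fresh first knock
        else:
            self.state.pop(src, None)         # out-of-order SYN resets the sequence
        return False


def build_syn_frame(src_ip, dst_port, flags=0x02):
    """Constructed minimal Ethernet/IPv4/TCP frame for testing (checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    src = bytes(int(o) for o in src_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0, src, bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, dst_port, 1, 0, (5 << 12) | flags, 8192, 0, 0)
    return eth + ip + tcp


def _run(knocks, src="192.0.2.10"):
    """Feed constructed SYNs at the given (port, time) pairs with a fake clock."""
    clock = [0.0]
    tracker = KnockTracker(now=lambda: clock[0])
    out = []
    for port, t in knocks:
        clock[0] = t
        out.append(tracker.feed(build_syn_frame(src, port)))
    return out


def demo_sequence():
    # a stray SYN to port 80 resets the sequence; the correct order then fires
    return _run([(1111, 1), (2222, 2), (80, 3), (1111, 4), (2222, 5), (3333, 6)])


def demo_timeout():
    # second knock arrives 15 s after the first, past the window: no trigger until redone
    return _run([(1111, 100), (2222, 115), (1111, 116), (2222, 117), (3333, 118)])


if __name__ == "__main__":
    print(demo_sequence(), demo_timeout())
```

Two caveats worth keeping in mind when reading the thread: a raw socket already sees every frame addressed to the host's own MAC, so a trigger like this needs only raw-socket privilege (CAP_NET_RAW on Linux), and promiscuous mode is required only to see traffic for other hosts. Promiscuous mode is also noisy from a defender's point of view: the Linux kernel logs "device eth0 entered promiscuous mode" when it is enabled, and the PROMISC flag shows in the interface flags.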
Current thread:
- "closed-port" backdoors Andreas Hasenack (Mar 21)
- Virus sig? John R. Sciandra (Mar 22)
- Re: "closed-port" backdoors Alexander Reelsen (Mar 22)
- Re: "closed-port" backdoors Fernando Cardoso (Mar 22)
- Re: "closed-port" backdoors Valdis Kletnieks (Mar 22)
- Re: "closed-port" backdoors Andreas Hasenack (Mar 22)
- Re: "closed-port" backdoors Joe Boyle (Mar 22)
- <Possible follow-ups>
- Re: "closed-port" backdoors Frank Knobbe (Mar 22)
- Re: "closed-port" backdoors Andreas Hasenack (Mar 22)
- Re: "closed-port" backdoors M ixter (Mar 23)