
| Type | Purpose |
| --- | --- |
| Remote Access | Designed to give the hacker access to the victim’s machine. Traditionally, Trojans would listen for a connection on a port that had to be reachable by the hacker. Now Trojans call out to the hacker, giving access to machines that sit behind a firewall. Some Trojans communicate through IRC commands, meaning a direct TCP/IP connection between hacker and victim is never made. |
| Data Sending | Sends information back to the hacker. Tactics include keylogging and searching for password files and other private information. |
| Destructive | Destroys and deletes files. |
| Denial-of-Service | Gives a remote hacker the power to start Distributed DoS (DDoS) attacks using multiple “Zombie” computers. |
| Proxy | Designed to turn the victim’s computer into a proxy server available to the hacker. Used for anonymous Telnet, ICQ, IRC, etc., and for making purchases with stolen credit cards. Gives the hacker complete anonymity, as the trail leads back to the infected computer. |

Spreading Viruses via Trojans

Hybrid attacks that combine Trojans and traditional viruses have become increasingly popular. An example is the notorious Nimda virus, which used multiple methods to spread itself and got past anti-virus software by using behavior not typically associated with viruses. Nimda exploited a flaw in MIME header handling and infected 8.3 million computers worldwide. The increased sophistication of attacks is evidenced by viruses that carry their own SMTP engines (MyDoom, Bagle.G, NetSky). By using its own SMTP engine, a virus avoids MAPI, which isolates it from any e-mail client configuration issues and from integrated virus scanner(s) that may be present.

Typical Hacking Scenario

While not all hacker attacks are alike, the following steps outline what could be referred to as a “typical” attack scenario.
Keep in mind that an attack on your enterprise may look completely different from the one outlined below, as the methods used in attacks are constantly changing to adapt to improved security techniques.

Step 1: Outside Reconnaissance

The intruders attempt to find out as much information as possible without actually exposing themselves. They do this by gathering public information or appearing as a normal user. In this stage you really can't detect them. The intruders will do a ‘whois’ lookup to find as much information as possible about your network as registered along with your domain name. They might walk through your DNS tables (using ‘nslookup’, ‘dig’ or other utilities to perform zone transfers) to find the names of your machines. They will browse other public information, such as your public Web sites and anonymous FTP sites, and might search news articles and press releases about your company.

Additionally, many attackers resort to social engineering to perform their outside reconnaissance. For example, an attacker might call an employee on the phone posing as a member of the Information Technology department and request personal information such as a username or password. Unfortunately, many unsuspecting employees, when presented with a supposed “authority figure”, will give any information at their disposal, putting the organization at significant risk.

Step 2: Inside Reconnaissance

Here, intruders use more technically invasive techniques to scan for information, but still do nothing physically harmful. They might do a “ping” sweep to see which machines are active, or a UDP/TCP scan on target machines to see what services are available. They run utilities like “rpcinfo”, “showmount” or “snmpwalk” to see what information is exposed.
Hackers also send e-mail to invalid users to receive the error response, from which they can determine information such as how many hops are involved in the mail system, where in the infrastructure the company does recipient checking on inbound e-mail, and other details gleaned from the e-mail headers. At this point the intruders have engaged only in “normal” activity on the network and have done nothing that can be classified as an intrusion.

Step 3: Exploit

At this point the intruders cross the line and start exploiting possible holes in the target machines. They might attempt to exploit well-known buffer overflow holes by sending large amounts of data, or start checking for login accounts with easily guessable (or empty) passwords. The hackers may go through several stages of exploits; for example, if they were able to access a user account, they will now attempt further exploits to get root/admin access.

Step 4: Foothold

At this stage the hackers have gained a foothold in your network by breaking into a machine. Their main goal is to hide evidence of the attack (doctoring the audit trail and log files) and make sure they can get back in again. They may install “toolkits” that give them access, replace existing services with their own Trojan horses that have backdoor passwords, or create their own user accounts. System Integrity Verifiers (SIVs) can often detect an intruder at this point by noting the changed system files. The hackers then use the system as a stepping stone to other systems, since most networks have fewer defenses against inside attacks.

Step 5: Profit

This is where it can get really ugly for an enterprise. The intruders can now take advantage of their status to steal confidential data, misuse system resources (e.g. stage attacks at other sites from your site) or deface Web pages, often receiving monetary rewards from behind-the-scenes benefactors.
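A minimal System Integrity Verifier of the kind the Foothold step relies on, written as an added example (not code from the page): it hashes every file under a directory into a baseline, then reports which files were modified, added or removed. The scenario in demo() is constructed, and the baseline must live read-only or off-host, since an intruder who can edit it defeats the check.

```python
# Added example (not from the article): a minimal System Integrity Verifier that
# records file digests as a baseline and reports what changed after a break-in.
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Map every regular file under root (relative POSIX path) to (digest, mode bits)."""
    base = Path(root)
    out = {}
    for p in sorted(base.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(base).as_posix()
            out[rel] = (hash_file(p), p.stat().st_mode & 0o7777)
    return out

def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: modified (content or permissions), added, removed."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}

def demo() -> dict:
    """Constructed scenario: take a baseline, then imitate the changes an intruder makes."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root, "bin")
        bin_dir.mkdir()
        (bin_dir / "login").write_bytes(b"original login binary")
        Path(root, "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        Path(root, "auth.log").write_text("accepted login for alice\nfailed login for root\n")
        baseline = snapshot(root)  # in practice kept read-only or off-host
        (bin_dir / "login").write_bytes(b"replaced login binary")  # service replaced by a Trojan
        Path(root, "passwd").write_text("root:x:0:0::/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n")  # new account
        Path(root, "auth.log").write_text("accepted login for alice\n")  # doctored log
        (bin_dir / "toolkit").write_bytes(b"installed toolkit")  # new file
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```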
Another scenario starts differently. Rather than attacking a specific site, intruders might simply scan random Internet addresses looking for a specific hole. For example, intruders may attempt to scan the entire Internet for machines that have the Sendmail DEBUG hole and simply exploit whichever machines they find. They don't target you directly, and they really won't even know who you are. (This is known as a “birthday attack”: given a list of well-known security holes and a list of IP addresses, there is a good chance that some machine somewhere has one of those holes.)

The Hacker’s Toolkit

The following tools make up the standard “toolkit” for an intruder:

| Tool | Purpose |
| --- | --- |
| Crack/NTcrack/L0phtCrack | Crack network passwords using dictionaries or brute force. These packages also contain utilities for dumping passwords out of databases and sniffing them off the wire. |
| Exploit Packs | A set of one or more programs that know how to exploit holes on systems (usually designed to be used once the targeted user is logged on). |
Copyright ©2003, part of The YKTA Corporation and its licensors. All rights reserved.