Are there any known cases of malware in the wild that utilize port knocking on a backdoor to evade detection by network scanners?

Rory Alsop
sdanelson

2 Answers

  • Sebastien Jeanquier's Master's thesis, section 7.1, "Port Knocking in Malware (Backdoors)", states that SAdoor and its predecessor cd00r both used this feature.

  • Tony Bradley writes in About.com that "malware writers of the world have unfortunately ... begun to adopt this technique for opening backdoors on victimized systems" but doesn't provide any examples.

vy32
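The evasion the answer above describes (a sequence of hits on closed ports that opens a backdoor port) leaves a pattern in firewall logs that a defender can look for. The following is an added example, not code from the thread or from the cited thesis; it assumes iptables-style log lines with `DROP`/`ACCEPT`, `SRC=` and `DPT=` fields, and the sample lines are constructed.

```python
"""Flag port-knock-like sequences in firewall logs (added example, assumptions above)."""
import re
from collections import defaultdict
from datetime import datetime

# Minimal iptables-style line: timestamp, verdict, source address, destination port.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) DPT=(?P<dpt>\d+)")

# Constructed sample: 10.0.0.5 knocks on three closed ports within seconds and is
# then accepted on 2222; 10.0.0.9 is ordinary background noise.
SAMPLE_LOG = """\
2010-12-04T17:50:01 DROP SRC=10.0.0.5 DPT=7000
2010-12-04T17:50:02 DROP SRC=10.0.0.9 DPT=22
2010-12-04T17:50:02 DROP SRC=10.0.0.5 DPT=8000
2010-12-04T17:50:03 DROP SRC=10.0.0.5 DPT=9000
2010-12-04T17:50:05 ACCEPT SRC=10.0.0.5 DPT=2222
2010-12-04T17:55:00 ACCEPT SRC=10.0.0.9 DPT=80
"""


def parse(log):
    """Yield (timestamp, action, src, dport) for every line that matches LINE_RE."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["action"], m["src"], int(m["dpt"])


def find_knock_sequences(log, min_knocks=3, window_s=30):
    """Return {src: (knock_ports, opened_port)} for each source whose run of at least
    min_knocks distinct dropped ports is followed, within window_s seconds of the
    first knock, by an ACCEPT on some port."""
    events = defaultdict(list)
    for ts, action, src, dpt in parse(log):
        events[src].append((ts, action, dpt))
    hits = {}
    for src, evs in events.items():
        knocks = []  # (timestamp, port) of recent DROPs from this source
        for ts, action, dpt in sorted(evs):
            if action == "DROP":
                # Keep only knocks still inside the sliding window, then add this one.
                knocks = [(t, p) for t, p in knocks if (ts - t).total_seconds() <= window_s]
                knocks.append((ts, dpt))
            else:  # ACCEPT: did a qualifying knock run immediately precede it?
                distinct = {p for _, p in knocks}
                if len(distinct) >= min_knocks and (ts - knocks[0][0]).total_seconds() <= window_s:
                    hits[src] = ([p for _, p in knocks], dpt)
                knocks = []
    return hits
```

Tune `min_knocks` and `window_s` to the environment; a single scanner hitting many ports and never being accepted will not match, which is what separates a knock from a port scan.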

I don't think there are any--back in '99, one of the early botnet tools called Stacheldraht contained some pretty awesome crypto features; but soon after that, malware authors realized that infosec people hardly ever review their firewall logs, and stopped trying to hide or secure their command and control channels. These days, they mostly just use plaintext IRC for C&C.

user502
  • I've not heard about port-knocking for use in malware, but I disagree with nearly everything you have said. First of all, most malware authors do use strong encryption mechanisms both for data transfer and in the malware itself. Secondly, IRC is obsolete for C&C. Thirdly, malware authors do their best to make long-living C&Cs, thus developing distributed and decentralized systems. Where did you get such outdated information? –  Dec 04 '10 at 17:58
  • The command and control channels for some of the newer malware are impressive examples of the way to hide and/or secure comms pathways. – Rory Alsop Dec 05 '10 at 00:24
  • @Ams: +1, however IRC is not yet obsolete. It's certainly on the way out, but it still gets used. You see eggdrop dropped onto compromised Linux boxen still. –  Dec 05 '10 at 13:22
  • Ams, [it seems](http://www.esecurityplanet.com/headlines/article.php/3913711/The-Death-of-the-IRC-Botnet.htm) you're correct that IRC C&C is being phased out in favor of web-based control; however, [recent](https://www.infosecisland.com/blogview/6992-Internet-Relay-Chat-and-the-Effect-of-Botnets-on-Security.html) articles [still](http://www.redteamsecure.com/labs/post/28/botnet-command-and-control-via-covert-channels) list IRC C&C as a major risk. The malware with cool technical features gets the writeups by its reversers, but the bread-and-butter malware is still comparatively simple. – user502 Dec 05 '10 at 16:44
  • Well, I just wanted to point out that the assumption of IRC-based C&C prevalence these days is not correct. Though this type of control will exist forever because it is easy to deploy - that's why it is often the choice of newbie malware writers. Regularly reading technical write-ups about modern malware that poses a threat to the masses, I have not seen any mention of IRC for a long time. So, we are all right at some point. –  Dec 05 '10 at 17:47