Sunday, February 3, 2013

Backdoor

How to Detect Hidden Backdoors, Trojan Horses and Rootkit Tools?

Learn How To Detect A Backdoor On A Tool.
In this article I'm going to show you how to detect a backdoor that has been bound into a tool.

What is a BackDoor?

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program, or it could be a modification to an existing program or hardware device. It hides in the computer, scans for existing loopholes, opens the corresponding ports, and modifies system registry files.

A backdoor will not duplicate or actively spread itself. It only opens a certain port through which a remote computer on the network can control the infected computer. Generally a backdoor does not interfere with normal network communication, so firewalls or IDS can hardly detect its existence.

Is my network infected with a backdoor?

According to statistics, most backdoors listen on ports 31337, 31335, 27444, 27665, 20034, 9704, 6063, 5999, 5910, 5432, 2049, 1433, 444, and 137-139. So whether there is communication through these ports on the network indicates whether the network is infected with a backdoor.

How To Detect A BackDoor On A Tool?

1. Right-click it. If you have WinRAR installed and you see "Open with WinRAR", then this means it was bound with WinRAR, so it is definitely backdoored.

2. Open it with a resource editor such as Resource Hacker and check the RCDATA section. If there are entries 1 and 2 in it, then it is bound.

3. Open it with a hex editor. In the DOS stub at the start of every PE executable there is always the text "This program cannot be run in DOS mode". Search for it; if it appears more than once, the file might be bound. This does depend on the specific app, because it is not unusual for binders/crypters to have the stub file attached in the resources. Also search for ".exe" and inspect the results. A bound file drops its payload files to a temp folder before executing them, so if you find something like %.t.e.m.p.%.\.x.x...e.x.e (that is how a wide-character UTF-16 string such as %temp%\xx.exe shows up in a hex editor's text pane, with a null byte after each character) or file1.exe/file2.exe, then it is bound.
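As an added example (not part of the original post), this Python script automates the hex-editor check from step 3: it counts DOS-stub strings and lists ".exe" references in both plain ASCII and UTF-16LE (wide) form, flagging any that point into %temp%. The function names and the sample buffer are my own; the buffer is constructed to mimic a bound file with a second embedded PE and a wide-string drop path.

```python
import re
import sys

# Text found in the DOS stub of every PE file; a clean PE normally has exactly one.
DOS_STUB = b"This program cannot be run in DOS mode"

# Constructed sample: a fake PE with a second DOS stub embedded (an attached payload),
# a UTF-16LE "%temp%\xx.exe" drop path, and an ASCII "file2.exe" reference.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 20 + DOS_STUB + b"\r\n$" + b"\x00" * 8
    + b"stub code" + b"\x00" * 4
    + b"MZ\x90\x00" + b"\x00" * 20 + DOS_STUB + b"\x00" * 8
    + "%temp%\\xx.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x00file2.exe\x00"
)


def count_dos_stubs(data: bytes) -> int:
    """Return how many DOS-stub strings appear; more than one suggests an embedded PE."""
    return data.count(DOS_STUB)


def find_exe_refs(data: bytes) -> list:
    """Return decoded strings ending in .exe, both ASCII and wide (UTF-16LE)."""
    found = []
    # ASCII: a run of printable bytes ending in ".exe"
    for m in re.finditer(rb"[\x20-\x7e]{1,60}?\.exe", data):
        found.append(m.group().decode("ascii"))
    # UTF-16LE: every character is followed by a NUL byte, which a hex editor's
    # text pane renders as the dotted "%.t.e.m.p.%" pattern described above.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){1,60}?\.\x00e\x00x\x00e\x00", data):
        found.append(m.group().decode("utf-16-le"))
    return found


def assess(data: bytes) -> dict:
    """Combine both checks into a simple verdict for a file's contents."""
    stubs = count_dos_stubs(data)
    refs = find_exe_refs(data)
    temp_drops = [r for r in refs if "%temp%" in r.lower()]
    return {"dos_stubs": stubs, "exe_refs": refs, "temp_drops": temp_drops,
            "suspicious": stubs > 1 or bool(temp_drops)}


def scan_file(path: str) -> dict:
    with open(path, "rb") as f:
        return assess(f.read())


if __name__ == "__main__":
    # With no argument, scan the constructed sample; otherwise scan the given file.
    print(assess(SAMPLE) if len(sys.argv) < 2 else scan_file(sys.argv[1]))
```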
