LESSON 6 MALWARE part IV

6.4 Rootkits and Backdoors

6.4.1 Introduction
Often, when a computer has been compromised by a hacker, they will attempt to
install a method of retaining easy access to the machine. There are many variations on this,
some of which have become quite famous – have a look on the Internet for “Back Orifice”!
6.4.2 Description
Rootkits and backdoors are pieces of malware that create methods of retaining access
to a machine. They range from the simple (a program listening on a port) to the very
complex (programs which hide processes in memory, modify log files, and listen on a
port). Often a backdoor will be as simple as an additional user added to the password file
with super-user privileges, in the hope that it will be overlooked. This works because a
backdoor is designed to bypass the system's normal authentication. Both the Sobig and
MyDoom viruses install backdoors as part of their payload.
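As an added illustration of the "extra super-user account in the password file" backdoor described above (this is not code from the original lesson), here is a defender-side audit in Python run over a constructed passwd sample; it flags any UID-0 account that is not root and any UID shared by more than one account:

```python
# Constructed sample of a passwd(5) file, not taken from any real system.
# The "sysupdate" entry is the kind of extra super-user account a simple
# backdoor leaves behind: UID 0 but not named root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysupdate:x:0:0:system update:/var/tmp:/bin/sh
"""

def parse_passwd(text):
    """Parse passwd-format lines into dicts; blank, comment and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: on a real audit, log it rather than ignore it
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            uid, gid = int(uid), int(gid)
        except ValueError:
            continue  # non-numeric UID/GID is itself suspicious on a real system
        entries.append({"name": name, "uid": uid, "gid": gid,
                        "home": home, "shell": shell})
    return entries

def find_extra_superusers(text):
    """Names of accounts with UID 0 other than 'root' (classic backdoor indicator)."""
    return [e["name"] for e in parse_passwd(text)
            if e["uid"] == 0 and e["name"] != "root"]

def find_shared_uids(text):
    """Map of UID -> account names for every UID used by more than one account."""
    by_uid = {}
    for e in parse_passwd(text):
        by_uid.setdefault(e["uid"], []).append(e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

if __name__ == "__main__":
    # To audit a live system, replace SAMPLE_PASSWD with open("/etc/passwd").read().
    print("extra UID-0 accounts:", find_extra_superusers(SAMPLE_PASSWD))
    print("shared UIDs:", find_shared_uids(SAMPLE_PASSWD))
```

A clean password file yields an empty list from both checks; anything else deserves a look at who created the account and when.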
Exercises:
1) Find on the Internet examples of rootkits and backdoors.
2) Research “Back Orifice”, and compare its functionality to the commercially available
offering for remote systems management from Microsoft.


6.4 Rootkits and Backdoors

6.4.1 Introduction

After a hacker has successfully broken into a computer, he will install a program on it that makes breaking into that computer easier the next time. There are many kinds of such programs, some of which have become well known. Look up “Back Orifice” on the Internet.

6.4.2 Description

Rootkits and backdoors are a kind of malware that makes it easier for the hacker to break into the computer the next time. Such programs range from the simple (a program listening on a port) to the very complex (programs that hide processes in memory, alter log files, and listen on a port). Usually a backdoor simply adds another user to the file that records user names, a user with super-user privileges, in the hope that this added user will be overlooked. This is because a backdoor is created precisely to skip the system's normal permission checks. The Sobig and MyDoom viruses install a backdoor on the computer when they run.

Exercises

1) Find examples of rootkits and backdoors on the Internet.

2) Search for “Back Orifice” and compare its capabilities with those of products available on the market. Apply to Microsoft for remote system management.


6.5 Logicbombs and Timebombs

6.5.1 Introduction
Systems programmers and administrators can be quite odd people. It has been known
for there to be measures on a system that will activate should certain criteria be met. For
example: a program could be created that, should the administrator fail to log in for more
than three weeks, would start to delete random bits of data from the disks. This occurred in a
well-known case involving a programmer at a company called General Dynamics in 1992.
He created a logicbomb which would delete critical data and which was set to be activated
after he was gone. He expected that the company would then pay him significant amounts
to come back and fix the problem. However, another programmer found the logic bomb
before it went off, and the malicious programmer was convicted of a crime and fined $5,000
US dollars. The judge was merciful – the charges the man faced in court carried fines of up to
$500,000 US dollars, plus jail time.
6.5.2 Description
Logicbombs and Timebombs are programs which have no replication ability and no
ability to create an access method, but are applications or parts of applications that will
cause damage to data should they become active. They can be stand-alone, or part of
worms or viruses. Timebombs are programmed to release their payload at a certain time.
Logicbombs are programmed to release their payload when a certain event occurs.
The idea behind timebombs, however, is also a useful one. Timebomb programming is
used to allow you to download and try a program for a period of time – usually 30 days. At
the end of the trial period, the program ceases to function, unless a registration code is
provided. This is an example of non-malicious timebomb programming.

Exercises:
1) What other reasonable (and legal) uses might there be for timebomb and logicbomb
coding?
2) Think about how you might detect such a program on your system.


6.5 Logic Bombs and Time Bombs

6.5.1 Introduction

Systems programmers and administrators are all somewhat odd people; when a certain action occurs on a computer, the computer automatically runs some programs. For example, there is a program of this kind: when the administrator logs in incorrectly for three weeks running, the computer automatically deletes some data from the hard disk. There is a real example: in 1992, a programmer at General Dynamics wrote a logic bomb program that would run if he left the company, deleting important data. He originally hoped the company would pay him more money to come back and fix the problem, but another programmer found it before the program ran, and the programmer who made the logic bomb was charged with a crime and fined 5,000 US dollars. The judge was merciful; the costs this man incurred in court, including fines, came to 500,000 US dollars, plus prison time. (I'm a bit confused here: how much money was it exactly??)

6.5.2 Description

Logic bomb and time bomb programs cannot replicate themselves and cannot create a new access method, but when they run they damage the data on the computer. They can be standalone, or bundled with worms and viruses. A time bomb releases its payload at a certain time. A logic bomb releases its payload when a particular event occurs. The same principle as the time bomb is also useful. Time bomb programming allows you to download and run a program for a certain period, usually 30 days. After this period ends, unless a registration code is provided, it cannot be stopped from running. The following is an example of non-malicious time bomb programming.

Exercises:

1) What other reasons are there for using time bombs and logic bombs?

2) Think about how you could detect such a program on your computer.
