On 4/10/2016 10:00 AM, Virus Guy wrote:
> "David H. Lipman" wrote:
>
>> As a Backdoor, it has to Beacon the compromised system and/or
>> Phone Home.
>
> Wouldn't the act of downloading a payload package be a beacon or signal
> in and of itself?
>
> What is being "beacon'd" or signaled by the following that couldn't be
> done by Getting what presumably it will end up getting anyways in the
> near future?
>
>> POST /allow.php HTTP/1.1
>> Cache-Control: no-cache
>> Connection: close
>> Pragma: no-cache
>> Content-Type: application/octet-stream
>> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;
>> Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
>> 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
>> Content-Length: 42
>> Host: betaleuco.net
>
> ?
>
> Is there a difference between a backdoor and a dropper?
>
> Am I thinking that these initial infectors are usually droppers - in
> that the first (and perhaps only) thing they do is obtain and launch at
> least one additional code file from an external server?
>
> Whereas a backdoor has enough functionality to be persistent on the
> infected system and accept incoming connections to carry out future
> instructions?
>
> If the latter, how does the backdoor ensure that it is reachable through
> the gateway or nat-router through which the host is presumably connected
> to the internet? (presumably it can easily defeat any firewall running on
> the host)
>
Dropper just refers to an initial action. A trojan can be a dropper or
a downloader. A dropper means that a trojan is encapsulated in another
file. It can be a MS Office Document or it can be an EXE like an SFX.
It drops the payload. The Dropper is the delivery mechanism for the
payload.
A downloader is simply a trojan that gets the payload from the Internet.
Either the file is in raw PE format or it is being obfuscated with a
different file extension such as PDF or JPG. Or it could be Zlib
encoded or in Base64 format or XOR'd with some value or even encrypted.
But the results are the same, the downloader trojan obtains the
payload from the Internet. That payload may be hard-wired in the
downloader or it may obtain the download site from a C2 server and then
download the payload.
The Backdoor is the end result. The payload.
The malicious actor does not know what system(s) are now compromised and
can be used to their benefit. Thus the now compromised system will
beacon and/or Phone Home telling the malicious actor this system is now
available.
The backdoor invites the malicious actor and thus grants access to the
compromised system so it can communicate through a NAT Router. It is
the job of the Firewall constructs of NAT or using a full Firewall
implementation within the NAT Router that is the Doorman of the Router
determining if even invited systems can get through the NAT Router. So
if the Backdoor opens TCP port 23500 it would be up to the Firewall
constructs of NAT or using a full Firewall implementation that will
block the malicious actor from ingress through TCP port 23500.
--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
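The POST quoted in the thread is a good case study in what a beacon looks like on the wire. As an added example (not part of the thread or either poster's material), the script below parses that request, reconstructed inline from the quoted headers with the body assumed absent, and lists the traits a defender could alert on: a small binary POST body, a fire-and-forget connection, and a browser User-Agent without the Accept headers a real browser sends.

```python
"""Heuristic beacon check over a raw HTTP request (added example)."""

# Reconstructed from the headers quoted in the thread; the 42-byte body
# was not quoted, so it is omitted here.
SAMPLE_REQUEST = (
    "POST /allow.php HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n"
    "Pragma: no-cache\r\n"
    "Content-Type: application/octet-stream\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; "
    "Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR "
    "3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\r\n"
    "Content-Length: 42\r\n"
    "Host: betaleuco.net\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # case-insensitive names
    return {"method": method, "path": path, "headers": headers, "body": body}


def beacon_indicators(req):
    """Return the beacon-like traits found; an empty list means none."""
    h = req["headers"]
    found = []
    if req["method"] == "POST" and h.get("content-type") == "application/octet-stream":
        found.append("opaque binary POST body")
    try:
        length = int(h.get("content-length", "0"))
    except ValueError:
        length = 0
    if 0 < length <= 64:   # room for an ID/status, far too small for a download
        found.append("tiny body (%d bytes)" % length)
    if h.get("connection", "").lower() == "close" and "no-cache" in h.get("cache-control", ""):
        found.append("fire-and-forget (Connection: close, no-cache)")
    browser_ua = h.get("user-agent", "").startswith("Mozilla/")
    if browser_ua and not any(k in h for k in ("accept", "accept-language", "referer")):
        found.append("browser User-Agent without the Accept/Referer headers a browser sends")
    return found
```

Run `beacon_indicators(parse_request(SAMPLE_REQUEST))` to see all four traits fire on the quoted request; an ordinary browser GET with Accept headers yields an empty list.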