Port knocking
What is a port knocking backdoor? The
concept is actually rather simple: it's a
typical backdoor into a user's system, of
which there are many, but it's one that
effectively lays dormant and does not appear
to be functioning or listening on any ports
until an attacker "knocks" on the
door using a special series of events to
wake it up. Typical port scans from the
Internet reveal nothing. A legitimate port
knocking application typically parses
firewall logs, waiting for a particular
sequence of logged connection attempts to
closed ports, and then springs to life,
manipulating firewall rules to open a port
for the host that knocked. A backdoor
generally operates in a similar fashion, but
it can sniff packets in real time without the
need for a firewall. The process or daemon
quietly watches for a sequence of connection
attempts (for example, hits on ports 109, 101
and 101 in that order, the final digits
spelling out a "911" code that brings the
backdoor to life), or for a predetermined
sequence of packet types, such as SYN
packets. When the right series of knocks is
received, the backdoor opens a TCP port and
starts listening. Voila.
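To make the mechanism concrete, here is an added example (not code from the original post, and not any real knock daemon or backdoor) of the log-watching approach described above, written from the defender's side: it parses iptables-style LOG lines for inbound SYNs and tracks, per source address, whether the hypothetical "911" sequence 109, 101, 101 is completed within a short window. The log lines are constructed for the example and use RFC 5737 documentation addresses; the state machine (reset on a wrong port or on timeout) is a simplification of how such tools behave, not a reproduction of any particular one.

```python
import re
from datetime import datetime, timedelta

# Constructed iptables LOG output (not from a real system). RFC 5737 addresses:
# 203.0.113.5 knocks 109, 101, 101 within a few seconds (a valid knock);
# 198.51.100.7 knocks 109, then the rest far too late (times out);
# 192.0.2.99 hits the knock ports but in the wrong order (a scan-like pattern).
SAMPLE_LOG = """\
Jan 12 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=109 SYN URGP=0
Jan 12 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40002 DPT=101 SYN URGP=0
Jan 12 10:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=50001 DPT=109 SYN URGP=0
Jan 12 10:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40003 DPT=101 SYN URGP=0
Jan 12 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=60001 DPT=101 SYN URGP=0
Jan 12 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=60002 DPT=109 SYN URGP=0
Jan 12 10:00:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=60003 DPT=101 SYN URGP=0
Jan 12 10:00:40 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=50002 DPT=101 SYN URGP=0
Jan 12 10:00:41 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=50003 DPT=101 SYN URGP=0
"""

# Hypothetical knock: the "911" example from the text, encoded in the final digits.
KNOCK_SEQUENCE = (109, 101, 101)
# Whole sequence must arrive within this window or the source starts over.
KNOCK_WINDOW = timedelta(seconds=10)

# Syslog timestamp, source address, TCP destination port, and the SYN flag.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?\bSYN\b"
)


def parse_log_line(line):
    """Return (timestamp, src, dport) for an inbound TCP SYN log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year is ignored
    return ts, m.group("src"), int(m.group("dpt"))


class KnockDetector:
    """Per-source state machine: advance on the expected port, reset otherwise."""

    def __init__(self, sequence, window):
        self.sequence = tuple(sequence)
        self.window = window
        self.state = {}  # src -> (index of next expected port, time of first knock)

    def feed(self, ts, src, dport):
        idx, started = self.state.get(src, (0, None))
        if idx and ts - started > self.window:
            idx, started = 0, None  # too slow: forget the partial sequence
        if dport == self.sequence[idx]:
            idx += 1
            if started is None:
                started = ts
        elif dport == self.sequence[0]:
            idx, started = 1, ts  # wrong port, but it also restarts the sequence
        else:
            idx, started = 0, None  # any other port breaks the sequence
        if idx == len(self.sequence):
            self.state.pop(src, None)
            return True  # full knock received from this source
        self.state[src] = (idx, started)
        return False


def find_knockers(log_text, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Return (time, src) for every completed knock sequence in the log text."""
    detector = KnockDetector(sequence, window)
    hits = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, src, dport = parsed
        if detector.feed(ts, src, dport):
            hits.append((ts.strftime("%b %d %H:%M:%S"), src))
    return hits


if __name__ == "__main__":
    for when, src in find_knockers(SAMPLE_LOG):
        print(f"{when}: knock sequence completed by {src}")
```

Run against the sample, only 203.0.113.5 completes the knock; 198.51.100.7 is dropped by the timeout and 192.0.2.99 never produces the ports in order. Two points worth noticing: a sequence that is not in ascending port order, like this one, cannot be triggered by an ordinary sequential port scan, which is part of why scans "reveal nothing"; and exactly the same logic run over your own firewall logs will flag hosts that are being knocked when you know you run no knock service there.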
Port knocking backdoors allow the virus
writer to retain more control. Perhaps this
is a good thing, as this would keep control
of compromised systems in the hands of very
few, instead of being open to misuse by any
script junkie on the Internet. Having
compromised bots available to anyone who
wants to use them, as we commonly see today,
is part of the reason why massive DDoS
attacks, open spam relays and open proxies
are available to any pimple-faced kid. So
who's responsible?
There is an excellent article from the New
York Times by Clive Thompson that
profiles several virus writers and clearly
makes the distinction between the people who
write the malicious code and the individuals
who release it into the wild - it's argued
that these two are often not the same. Some
virus writers claim to write
proof-of-concept code for educational
purposes only, and then make it available
for peer review. In contrast, it is said
that those who release that code into the
wild often find it on a hacker website, and
release it with pure malicious intent.
The proof-of-concept defense is an
interesting one for a bright, teenaged coder
sitting in a dark basement in Singapore, but
I am appalled at the lack of responsibility
by otherwise clever people. I take issue
with the virus writers who write stealthy,
tight pieces of virus code that leave
backdoors open on thousands of naked
systems, available for exploit by any
miscreant script-abuser on the Internet.
Perhaps if the author of such malicious code
took more responsibility for his actions, by
not leaving the door wide open, compromised
machines wouldn't be so readily available
for misuse by people who barely understand
how the backdoor even works.
Port knocking is a legitimate security
concept that has been discussed on Slashdot
recently, and some virus writers have
started using it to "secure" their
own backdoors. Add port knocking
capabilities to a backdoor and you get a
port knocking backdoor. The power to control
these things would be held in the hands of
an elite few, instead of any miscreant with
malicious intent, as it is today.