[Snort-sigs] db entry for sid 152

Patrick Sarnacke pbsarnac at ...409...
Wed Mar 6 12:37:08 EST 2002

alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR 
BackConstruction 2.1 Connection"; flags: A+; content:"c|3A|\\"; sid:152; 
classtype:misc-activity; rev:3;) 
This signature indicates that a control connection was activated to a machine 
on $HOME_NET that is infected with the BackConstruction trojan.
A remote attacker can browse, manipulate, download and delete files from the 
trojaned machine; launch and kill remote applications; chat with the trojaned 
machine; and log out, shutdown, and power-off the trojaned machine.
Detailed Information:
BackConstruction is a simple Windows backdoor trojan that allows file 
browsing, manipulation,and download; remote application launching and 
killing; chat; and remote system crash, shutdown, and reboot. This particular 
signature indicates that the BackConstruction client on an attacker's machine 
has established a control connection to the infected machine (which is 
running the BackConstrucion server). After a tcp handshake is established, 
the first thing BackConstruction does is send a '*' to the server on the 
trojaned machine. The server responds by sending list of the drives 
available. On most Windows boxes, the first available drive is the c:\ drive, 
and this signature looks for the BackConstruction server announcing the 
presence of c:\ to the client.
Attack Scenarios:
This trojan can be distributed through any of the normal means. Once 
installed, any attacker can connect at leisure, as long as she knows the IP 
address and has access to ports 21, 666,  5401 and 5402.
Ease of Attack:
Once the trojan is installed, as long as the IP address is known and the 
necessary ports are available to the attacker, attack is extremely easy.
False Positives:

False Negatives:
If the trojaned machine doesn't have a c: drive for some reason, this 
signature will never fire. I would guess that's pretty rare, and may be 
impossible in Windows 9x.
Corrective Action:
Block inbound ports 21, 666, 5401, and 5402 at the firewall, or install a 
host-based firewall to block the same ports.
Remove the file c:\windows\cmctl32.exe. Delete the registry key:
Reboot the infected machine to kill the running instance of the trojan.

[Removal instructions from http://www.tlsecurity.net]

Additional References:
Packet dump:
0000  00 50 56 fe 18 10 00 50  56 ff ae cb 08 00 45 00   .PVþ...P Vÿ®Ë..E.
0010  00 2d 45 01 40 00 80 06  5f 6e c0 a8 ea 85 c0 a8   .-E. at ...253... _nÀšê.Àš
0020  ea 84 15 19 04 07 00 ac  7c d1 00 40 bb b6 50 18   ê......¬ |Ñ.@»¶P.
0030  22 37 18 5c 00 00 63 3a  5c 0a 0d 7e               "7.\..c: \..~    

More information about the Snort-sigs mailing list