[Snort-sigs] db entry for sid 152
pbsarnac at ...409...
Wed Mar 6 12:37:08 EST 2002
alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flags: A+; content:"c|3A|\\"; sid:152;)
This signature indicates that a control connection was activated to a machine
on $HOME_NET that is infected with the BackConstruction trojan.
A remote attacker can browse, manipulate, download and delete files from the
trojaned machine; launch and kill remote applications; chat with the trojaned
machine; and log out, shutdown, and power-off the trojaned machine.
BackConstruction is a simple Windows backdoor trojan that allows file
browsing, manipulation, and download; remote application launching and
killing; chat; and remote system crash, shutdown, and reboot. This particular
signature indicates that the BackConstruction client on an attacker's machine
has established a control connection to the infected machine (which is
running the BackConstruction server). After the TCP handshake is established,
the first thing the BackConstruction client does is send a '*' to the server on the
trojaned machine. The server responds by sending a list of the drives
available. On most Windows boxes, the first available drive is the c:\ drive,
and this signature looks for the BackConstruction server announcing the
presence of c:\ to the client.
This trojan can be distributed through any of the normal means. Once
installed, any attacker can connect at leisure, as long as she knows the IP
address and has access to ports 21, 666, 5401 and 5402.
Ease of Attack:
Once the trojan is installed, as long as the IP address is known and the
necessary ports are available to the attacker, attack is extremely easy.
If the trojaned machine doesn't have a c: drive for some reason, this
signature will never fire. I would guess that's pretty rare, and may be
impossible in Windows 9x.
Block inbound ports 21, 666, 5401, and 5402 at the firewall, or install a
host-based firewall to block the same ports.
Remove the file c:\windows\cmctl32.exe. Delete the registry key:
Reboot the infected machine to kill the running instance of the trojan.
[Removal instructions from http://www.tlsecurity.net]
0000 00 50 56 fe 18 10 00 50 56 ff ae cb 08 00 45 00 .PVþ...P Vÿ®Ë..E.
0010 00 2d 45 01 40 00 80 06 5f 6e c0 a8 ea 85 c0 a8 .-E.@... _nÀšê.Àš
0020 ea 84 15 19 04 07 00 ac 7c d1 00 40 bb b6 50 18 ê......¬ |Ñ.@»¶P.
0030 22 37 18 5c 00 00 63 3a 5c 0a 0d 7e "7.\..c: \..~
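As an added example (not part of the original post), the following Python decodes the packet dump above and applies the sid 152 conditions to it: source port in 5401:5402, ACK set, and the content c|3A|\\ in the TCP payload. It assumes $HOME_NET is the single trojaned host seen in the capture (192.168.234.133) and $EXTERNAL_NET is any, which is the Snort default.

```python
import ipaddress
import struct

# Hex dump of the sample packet from the post (ASCII column dropped).
SAMPLE_DUMP = """
0000 00 50 56 fe 18 10 00 50 56 ff ae cb 08 00 45 00
0010 00 2d 45 01 40 00 80 06 5f 6e c0 a8 ea 85 c0 a8
0020 ea 84 15 19 04 07 00 ac 7c d1 00 40 bb b6 50 18
0030 22 37 18 5c 00 00 63 3a 5c 0a 0d 7e
"""

# Assumption for this example: $HOME_NET is the trojaned host in the capture
# and $EXTERNAL_NET is "any" (Snort default), so only the source is checked.
HOME_NET = ipaddress.ip_network("192.168.234.133/32")
TCP_ACK = 0x10

def parse_dump(dump):
    """Turn an offset-prefixed hex dump into raw Ethernet frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out += bytes.fromhex("".join(line.split()[1:]))
    return bytes(out)

def decode_frame(frame):
    """Decode Ethernet/IPv4/TCP headers and return fields plus TCP payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    # Trust the IP total length, not the frame size: the trailing 0x7e in the
    # sample is Ethernet padding (60-byte minimum frame), not TCP payload.
    ip = ip[:total_len]
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "src": ipaddress.IPv4Address(ip[12:16]),
        "dst": ipaddress.IPv4Address(ip[16:20]),
        "sport": sport, "dport": dport,
        "flags": tcp[13], "payload": tcp[data_off:],
    }

def sid152_matches(pkt):
    """sid 152: $HOME_NET 5401:5402 -> any, flags A+, content c|3A|\\."""
    return (pkt["src"] in HOME_NET
            and 5401 <= pkt["sport"] <= 5402
            and pkt["flags"] & TCP_ACK == TCP_ACK
            and b"c:\\" in pkt["payload"])
```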