Windows offers a large number of networking functions
outside the traditional Berkeley sockets model. Many of these convenience functions
can be found in the WinInet library and include functions such as InternetOpen,
InternetConnect, InternetOpenUrl, and InternetReadFile.
Malware that creates server sockets is generally operating in one of two capacities.
Either the malware possesses a backdoor connect capability, or the malware implements
a proxy capability. Analysis of how incoming data is handled will reveal which capacity
the malware is acting in. Backdoors typically contain some form of command processing
loop in which they compare incoming commands against a list of valid commands.
Typical backdoor capabilities include the ability to execute a single command and
return results, the ability to upload or download a file, the ability to shut down the
backdoor, and the ability to spawn a complete command shell. Backdoors that provide
full command shells will generally configure a connected client socket as the standard
input and output for a spawned child shell process. On Unix systems, this usually
involves calls to dup or dup2, fork, and execve to spawn /bin/sh. On Windows systems,
this typically involves a call to CreateProcess to spawn cmd.
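The indicators described above can be turned into a first-pass static triage check. The following is an added example, not code from the book: given the imported API names and printable strings recovered from a sample, it reports which of the discussed capabilities (WinInet client use, a listening socket, a Unix dup2/fork/execve shell spawn, a Windows CreateProcess shell spawn) the evidence points to, and notes when a listener must still be read for its incoming-data handling to tell a backdoor from a proxy. The API name sets and the sample inputs are the author's own assumptions, constructed from the functions the text names.

```python
"""Static triage heuristic for the networking/backdoor capabilities discussed above.

Added example (not from the book). The indicator sets below are an analyst's
assumption about what to look for, built from the functions the text names.
"""
from __future__ import annotations

# WinInet convenience APIs (the text names the first four; A/W suffixes are the
# ANSI/Unicode import names seen in real binaries).
WININET_APIS = {
    "InternetOpen", "InternetOpenA", "InternetOpenW",
    "InternetConnect", "InternetConnectA", "InternetConnectW",
    "InternetOpenUrl", "InternetOpenUrlA", "InternetOpenUrlW",
    "InternetReadFile",
}
# A server socket needs listen/accept; bind alone is also used by UDP clients.
LISTEN_APIS = {"listen", "accept", "WSAAccept", "AcceptEx"}
CONNECT_APIS = {"connect", "WSAConnect"}
# Unix child-shell pattern: redirect the socket onto stdin/stdout, fork, exec /bin/sh.
UNIX_REDIRECT_APIS = {"dup", "dup2"}
UNIX_SPAWN_APIS = {"fork", "execve"}
# Windows child-shell pattern: CreateProcess with the socket as the child's stdio.
WIN_SPAWN_APIS = {"CreateProcess", "CreateProcessA", "CreateProcessW"}
SHELL_STRINGS = {"/bin/sh", "cmd", "cmd.exe"}


def assess_capabilities(imports, strings):
    """Return {capability: sorted evidence list} for the indicators found."""
    imps, strs = set(imports), set(strings)
    findings = {}

    if imps & WININET_APIS:
        findings["wininet_client"] = sorted(imps & WININET_APIS)

    server = imps & LISTEN_APIS
    if server:
        findings["server_socket"] = sorted(server | (imps & {"bind"}))

    shell_strs = strs & SHELL_STRINGS
    if UNIX_SPAWN_APIS <= imps and imps & UNIX_REDIRECT_APIS:
        evidence = imps & (UNIX_SPAWN_APIS | UNIX_REDIRECT_APIS)
        findings["unix_shell_spawn"] = sorted(evidence | shell_strs)
    if imps & WIN_SPAWN_APIS and shell_strs:
        findings["windows_shell_spawn"] = sorted((imps & WIN_SPAWN_APIS) | shell_strs)

    # Interpretation: a listener that spawns a shell is a backdoor; a listener
    # that also makes outbound connections but spawns nothing is a proxy
    # candidate until the data-handling code is read (heuristic, not proof).
    spawns_shell = "unix_shell_spawn" in findings or "windows_shell_spawn" in findings
    if server and spawns_shell:
        findings["likely_role"] = ["backdoor (full shell)"]
    elif server and imps & CONNECT_APIS:
        findings["likely_role"] = ["backdoor or proxy: inspect incoming-data handling"]
    elif server:
        findings["likely_role"] = ["backdoor candidate: look for a command-dispatch loop"]
    return findings


# Constructed sample inputs (hypothetical, not artefacts of any real sample).
WIN_SAMPLE_IMPORTS = ["WSAStartup", "socket", "bind", "listen", "accept",
                      "CreateProcessA", "CreatePipe", "ReadFile", "WriteFile"]
WIN_SAMPLE_STRINGS = ["cmd.exe", "exit", "upload", "download"]
UNIX_SAMPLE_IMPORTS = ["socket", "bind", "listen", "accept", "dup2", "fork", "execve"]
UNIX_SAMPLE_STRINGS = ["/bin/sh"]
PROXY_SAMPLE_IMPORTS = ["socket", "bind", "listen", "accept", "connect", "send", "recv"]

if __name__ == "__main__":
    for label, imps, strs in [
        ("windows-sample", WIN_SAMPLE_IMPORTS, WIN_SAMPLE_STRINGS),
        ("unix-sample", UNIX_SAMPLE_IMPORTS, UNIX_SAMPLE_STRINGS),
        ("proxy-sample", PROXY_SAMPLE_IMPORTS, []),
    ]:
        print(label, assess_capabilities(imps, strs))
```

In practice the import and string lists come from a PE/ELF parser or a strings dump; the heuristic only narrows where to look, and the command-processing loop or proxy relay still has to be confirmed in the disassembly.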