
Be aware of potential threats from port knocking


Takeaway: Some of the newest and most complex Trojans utilize the "port knocking" method, which involves establishing a connection to a networked computer that has no open ports. Mike Mullins has the details of where these Trojans come from, how attackers activate them, and what you can do to keep them off your network.

Some of the newest and most complex Trojans utilize the "port knocking" method. This technique involves establishing a connection to a networked computer that has no open ports.

A normal scan of the computer might show that it's not listening on any ports. But that doesn't mean that the system is clean of rogue daemons.

Where these Trojans come from

The two most common delivery methods for Trojans are e-mail attachments and bad freeware or shareware.

Most security-minded users and administrators would never open an e-mail attachment, much less run a program they receive from some unknown source. However, there are millions of uneducated, unprotected home users with fast connections who are altogether too willing to see what someone e-mailed them.

For those who won't open unknown attachments, there's the lure of freeware and shareware. Everyone loves freeware, but it's not without risks.

For example, say you're looking for a utility program to do something. You'd rather not pay for it, and you find a cool little freeware utility that claims to do the job. You download the utility, which records your IP address, and you scan the software with your antivirus tool before running it.

Don't bet your network on this tool. While not all freeware authors inject Trojans into their code, the possibility does exist for a Trojan to lie dormant on your machine until the author is ready to unleash its payload.

How these Trojans are activated

If you do have such a back door loaded on your system, typical port scans from the Internet will reveal no new listening ports. The Trojan will lie dormant, and it won't appear to be operating or listening on any ports—until the attacker uses a specific series of events to wake it up.

Activating a Trojan is rather simple. The attacker uses port knock sequences to activate the back door.

More specifically, a series of connection attempts in a specific order to a series of closed ports (for example, three connection attempts to ports 500, 501, and 502) activates the back door and opens a TCP port to listen for further instructions. Now, the attacker can use your machine for a massive distributed denial of service (DDoS) attack on his or her choice of targets.
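A defender can look for exactly this pattern in firewall drop logs: one source hitting a fixed series of closed ports, in order, within a short window. The following detector is an added example, not code from the article or its author; the log-line format and the sample lines are constructed, and the default sequence is the 500, 501, 502 example from the text.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of firewall drop-log lines (not from the article). The
# line format "<date> <time> DROP <src_ip> -> <dst_port>" is an assumption.
SAMPLE_LOG = """\
2005-07-01 10:00:01 DROP 198.51.100.7 -> 500
2005-07-01 10:00:02 DROP 198.51.100.7 -> 501
2005-07-01 10:00:03 DROP 198.51.100.7 -> 502
2005-07-01 10:00:05 DROP 203.0.113.9 -> 500
2005-07-01 10:00:50 DROP 203.0.113.9 -> 501
2005-07-01 10:00:52 DROP 203.0.113.9 -> 502
2005-07-01 10:01:00 DROP 192.0.2.4 -> 502
2005-07-01 10:01:01 DROP 192.0.2.4 -> 501
2005-07-01 10:01:02 DROP 192.0.2.4 -> 500
"""

LINE_RE = re.compile(r"^(\S+ \S+) DROP (\S+) -> (\d+)$")

def parse_drops(log_text):
    """Yield (timestamp, src_ip, dst_port) for each well-formed DROP line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), int(m.group(3))

def find_knock_sequences(log_text, sequence=(500, 501, 502), window_s=30):
    """Return (src_ip, first_knock_ts, last_knock_ts) for each source that hit the
    closed ports in `sequence`, in order, inside `window_s` seconds; an
    out-of-order port or an expired window resets that source's progress."""
    progress = defaultdict(lambda: (0, None))  # src -> (next index, start ts)
    hits = []
    for ts, src, port in parse_drops(log_text):
        idx, start = progress[src]
        too_slow = idx > 0 and (ts - start).total_seconds() > window_s
        if port != sequence[idx] or too_slow:
            idx, start = 0, None               # reset, then re-check below
        if port == sequence[idx]:
            start = ts if idx == 0 else start  # first knock opens the window
            idx += 1
            if idx == len(sequence):           # full sequence seen: alert
                hits.append((src, start, ts))
                idx, start = 0, None
        progress[src] = (idx, start)
    return hits

def knocking_sources(log_text, **kwargs):
    return sorted({src for src, _, _ in find_knock_sequences(log_text, **kwargs)})
```

Only the first source completes the sequence within the default 30-second window; the second is too slow and the third knocks in the wrong order, so both are ignored unless the window or sequence is changed.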

Port-knocking back doors are cutting-edge virus technology. Computers can receive them without immediate side effects, and they allow attackers to retain control of their distribution network.

Final thoughts

Continue to educate your users—and anyone else who will listen—about e-mail attachment security. Antivirus programs are great, but education is the key to eliminating viruses and back doors on your network.

On a final note, I'm not against freeware and shareware programs. I use them and then delete them after they've served their purpose, or I replace them with a program I've paid for.

However, don't bet your network or your reputation on a program from someone you don't know. With today's technology, you get what you pay for.


Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
