Some of the newest and most complex Trojans utilize the
“port knocking” method. This technique involves establishing a
connection to a networked computer that has no open ports.
A normal scan of the computer might show that it’s not
listening on any ports. But that doesn’t mean that the system is clean of rogue
daemons.
Where these Trojans come from
The two most common delivery methods for Trojans are e-mail
attachments and bad freeware or shareware.
Most security-minded users and administrators would never
open an e-mail attachment, much less run a program they receive from some
unknown source. However, there are millions of uneducated, unprotected home
users with fast connections that are altogether too willing to see what someone
e-mailed them.
For those who won’t open unknown attachments, there’s the
lure of freeware and shareware. Everyone loves freeware, but it’s not without
risks.
For example, say you’re looking for a utility program to do
something. You’d rather not pay for it, and you find a cool little freeware
program that claims to do the job. You download the utility, which records your IP
address, and you scan the software with your antivirus tool before running it.
Don’t bet your network on this tool. While not all freeware
authors inject Trojans into their code, the possibility does exist for a Trojan
to lie dormant on your machine until the author is ready to unleash its
payload.
How these Trojans are activated
If you do have such a back door loaded on your system, typical port scans from the Internet will reveal no new
listening ports. The Trojan will lie dormant, and
it won’t appear to be operating or listening on any ports—until the attacker
uses a specific series of events to wake it up.
Activating a Trojan is rather simple. The attacker uses port
knock sequences to activate the back door.
More specifically, a series of connection attempts in a
specific order to a series of closed ports (for example, three connection
attempts to ports 500, 501, and 502) activates the back door and opens a TCP
port to listen for further instructions. Now, the attacker can use your machine
for a massive distributed denial of service (DDoS) attack on his or her choice
of targets.
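The sequence described above (three attempts, in order, to closed ports 500, 501 and 502) is something a firewall’s drop log can reveal even when a port scan shows nothing listening. The following is an added detection example, not code from the article; it assumes a constructed log format of one line per rejected connection (`<epoch> <src_ip> <dst_port>`) and a 10-second window, both of which are assumptions.

```python
"""Flag sources that replay a port-knock sequence in firewall drop logs."""
from collections import defaultdict

KNOCK_SEQUENCE = (500, 501, 502)   # the article's example knock sequence
WINDOW_SECONDS = 10                # all knocks must land within this window (assumption)

# Constructed sample log: one host knocks in order, another merely scans the same ports.
# Format (assumed): "<epoch> <src_ip> <dst_port>" for every rejected connection attempt.
SAMPLE_LOG = """\
1000 203.0.113.5 500
1001 203.0.113.5 501
1002 203.0.113.5 502
1003 203.0.113.5 4444
1000 198.51.100.7 502
1001 198.51.100.7 501
1002 198.51.100.7 500
"""


def parse_line(line):
    ts, src, port = line.split()
    return int(ts), src, int(port)


def find_knockers(log_text, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Return {src_ip: (first_knock_ts, last_knock_ts)} for every source that sent
    the whole sequence, in order, within the window. Order matters: an unordered
    scan of the same ports does not match, which is what separates a knock from noise."""
    progress = defaultdict(lambda: (0, None))   # src -> (next expected index, window start)
    knockers = {}
    for line in log_text.strip().splitlines():
        ts, src, port = parse_line(line)
        idx, start = progress[src]
        if start is not None and ts - start > window:
            idx, start = 0, None                # window expired: forget partial progress
        if port == sequence[idx]:
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(sequence):
                knockers[src] = (start, ts)     # full sequence seen: correlate with a new listener
                idx, start = 0, None
        else:
            # Out-of-order attempt resets progress; a fresh first knock restarts the window.
            idx, start = (1, ts) if port == sequence[0] else (0, None)
        progress[src] = (idx, start)
    return knockers


if __name__ == "__main__":
    for src, (first, last) in find_knockers(SAMPLE_LOG).items():
        print(f"knock sequence from {src} between {first} and {last}")
```

A hit from this check is worth correlating with the host’s listening sockets immediately afterwards, since the article’s point is that the back door opens its command port only after the knock.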
Port-knocking back doors are cutting-edge virus technology.
Computers can receive them without immediate side effects, and they allow
attackers to retain control of their distribution network.
Final thoughts
Continue to educate your users—and anyone else who will
listen—about e-mail attachment security. Antivirus programs are great, but
education is the key to eliminating viruses and back doors on your network.
On a final note, I’m not against freeware and shareware
programs. I use them and then delete them after they’ve served their purpose,
or I replace them with a program I’ve paid for.
However, don’t bet your network or your reputation on a
program from someone you don’t know. With today’s technology, you get what you
pay for.
Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.