Page 102 - StudyBook.pdf
86 Chapter 2 • General Security Concepts: Attacks
As an example, the QAZ Trojan horse infected computers in 2000. This is the
Trojan that was used to break into Microsoft's network and gave the intruders
access to source code. QAZ spreads across a network of computers with shared
drives by infecting the Notepad.exe file. It opens TCP port 7597 (part of a block of
unassigned ports) on the infected machine, allowing an attacker to connect at a
later time through that computer. If the user of an infected system opens Notepad,
the Trojan runs. QAZ then looks for other systems that share a networked drive,
seeks out the Windows folder on each one, and infects the Notepad.exe file there.
The first thing QAZ does is rename the real Notepad.exe to Note.com; it then
writes its own infected file as Notepad.exe, so the program the user launches is the
Trojan. QAZ also rewrites the system registry so that it is loaded every time the
computer is booted. This Trojan was particularly insidious because most users had
been told that text files were safe from viruses, so they didn't hesitate to run a
program associated with Notepad.
Rootkits
A rootkit is a type of malware that tries to conceal its presence from the OS and
anti-virus programs on a computer. Its name comes from the UNIX world, where
attackers try to keep root-level (superuser) access to a computer long after they first
compromise it. A rootkit can modify the basic building blocks of an OS, such as the
kernel or its drivers, or replace commonly used system programs with rootkit versions
that hide the attacker's files, processes, and network connections. Security
researchers have even demonstrated rootkits that install themselves as a virtual
machine monitor and then load the victim's OS as a guest virtual machine. Such a
rootkit is extremely hard to detect from inside the guest, because everything the OS
sees is mediated by the rootkit beneath it. Rootkits make it easy for attackers to
install remote-control programs or software that can cause significant damage.
The most famous and widespread rootkit incident happened in 2005, when
Sony BMG Music Entertainment shipped a rootkit as part of the copy protection on
some of its music CDs. Even worse, other attackers could use the rootkit's stealth
features to hide their own malware on affected computers. The rootkit was very hard
to uninstall, and according to some researchers it could have affected over 500,000
computers. Eventually the major anti-virus vendors shipped removal tools for the
rootkit, but it was a public relations nightmare for Sony. An earlier rootkit is
t0rnkit, which was used to take control of compromised Linux machines and hide
the intruder's activity by replacing standard system utilities.
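Both the QAZ example (the real Notepad.exe renamed to Note.com and a Trojan written under the original name) and the rootkits described above (system programs swapped for attacker versions) leave the same footprint on disk: a known file whose hash has changed, plus a newly added file that carries the old hash. The following file-integrity checker is an added example for this page, not code from the book or from any of the tools it names. The directory layout, file names and file contents are constructed for the demonstration; a real baseline would be taken from known-good install media and stored off the host.

```python
"""Baseline-and-compare file integrity check that also spots the
"rename the real binary aside, drop a Trojan in its place" pattern.
Added example for this page; paths and contents are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative, '/'-separated) to its hash."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict:
    """Classify differences between two manifests.

    'relocated' pairs a modified file with an added file whose hash equals
    the modified file's baseline hash: the original was renamed and something
    else now carries its name, which is exactly the QAZ / rootkit swap.
    """
    modified = {p for p in baseline if p in current and baseline[p] != current[p]}
    added = {p for p in current if p not in baseline}
    removed = {p for p in baseline if p not in current}
    relocated = {}
    for orig in modified:
        for new in added:
            if current[new] == baseline[orig]:
                relocated[orig] = new
    return {
        "modified": sorted(modified),
        "added": sorted(added),
        "removed": sorted(removed),
        "relocated": relocated,
    }


def simulate_qaz_swap(root: Path) -> None:
    """Constructed stand-in for the infection step the page describes:
    rename the clean Notepad.exe to Note.com, then write a different file
    under the original name."""
    win = root / "Windows"
    (win / "Notepad.exe").rename(win / "Note.com")
    (win / "Notepad.exe").write_bytes(b"MZ trojan stub (constructed)")


def demo() -> dict:
    """Create a fake Windows folder, baseline it, run the swap, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        win = root / "Windows"
        win.mkdir()
        (win / "Notepad.exe").write_bytes(b"MZ clean notepad (constructed)")
        (win / "calc.exe").write_bytes(b"MZ clean calc (constructed)")
        baseline = build_baseline(root)
        simulate_qaz_swap(root)
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

The check reports Windows/Notepad.exe as modified, Windows/Note.com as added, and pairs the two as a relocation because the added file's hash matches the baseline hash of the modified one. The caveat that follows from the rootkit discussion above is that a kernel-level rootkit can lie to the very file APIs this script relies on, so a comparison like this is only trustworthy when run from a clean boot (for example, from rescue media) against a baseline the compromised host never had write access to.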
Back Doors
A back door is essentially any program or deliberate configuration designed to
allow remote access to a system. Trojans, rootkits, and even legitimate programs
www.syngress.com