88 Chapter 2 • General Security Concepts: Attacks
TEST DAY TIP
While it isn't necessary to have installed backdoor or virus software on a
test machine in order to pass this exam, it can be useful in gaining a
greater understanding of the concept. Reading about a topic is one
thing, but seeing it running is another. Hands-on experience
can make the concepts seem more tangible, while giving insight into
not just what malware is, but how it actually works. The added familiarity
can ease nerves on test day. However, be sure you get this
hands-on experience in a controlled test environment; do not install
these programs on machines that are connected to a production network
or the Internet. Even better, use a virtual machine, and keep its
network adapter disconnected or attached only to an isolated host-only network.
A backdoor attack that was common some years ago was Back Orifice. It consists
of a client application (run by the attacker) and a server application (run on
the victim). The server component does not spread on its own; someone has to
run it on the target machine, which is why it is commonly disguised inside a
Trojan horse. After the server application has been installed, the attacker's
client can transfer files to and from the target machine, execute an application
on the target machine, restart or lock up the target machine, and log keystrokes
from the target machine. All of these operations are of value to an attacker.
The original Back Orifice only worked on Windows 95 and 98, while Back Orifice
2000 (BO2K) also runs on Windows 2000, ME and XP. Even if a machine is infected,
a properly configured firewall that blocks unsolicited inbound connections to
the port the server listens on prevents the client application from reaching
the victim. Note that this protection only holds for backdoors that wait for
inbound connections; a backdoor that connects outward to the attacker instead
must be stopped by egress filtering.
Another common remote control Trojan horse was named SubSeven. It was
distributed inside a program called Whack-a-Mole; after execution it displayed a
customized message to mislead the victim. SubSeven gave the attacker nearly
full control of the victim's computer, including the ability to delete folders
and files, take screen shots of the current desktop, control the mouse pointer,
sniff traffic off the victim's network, and even eavesdrop through the victim
computer's microphone. It runs on Windows NT, 9x, 2000, and XP.
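Both Back Orifice and SubSeven work the same way: a server component on the victim listens for the attacker's client. One quick host-side check is therefore to look for listening sockets on the ports these tools used by default. The script below is an added example (not code from the book or from either tool): it parses Windows `netstat -ano` style output and flags listeners on the original Back Orifice default (UDP 31337) and the SubSeven default (TCP 27374). The `netstat` lines are constructed for the example. Because both tools let the attacker pick any port, a clean result proves nothing; this catches only default installs.

```python
"""Flag listening sockets on the default ports of classic remote-control
Trojans in netstat-style output.  Added example, not the book's own code."""
from __future__ import annotations

import re
from typing import NamedTuple

# Default listening ports of the tools described in the text.  Both tools are
# configurable, so absence of a match does NOT mean the host is clean.
KNOWN_BACKDOOR_PORTS = {
    ("udp", 31337): "Back Orifice (original default port)",
    ("tcp", 27374): "SubSeven (default port)",
}


class Socket(NamedTuple):
    proto: str        # "tcp" or "udp"
    local_addr: str
    local_port: int
    foreign: str
    state: str        # e.g. "LISTENING"; empty for UDP, which has no state column
    pid: int


# One "netstat -ano" row:  Proto  Local Address  Foreign Address  [State]  PID
# The State column is absent for UDP rows, hence the optional group.
_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text: str) -> list[Socket]:
    """Parse the rows of netstat output; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, addr, port, foreign, state, pid = m.groups()
        sockets.append(Socket(proto.lower(), addr, int(port), foreign,
                              state or "", int(pid)))
    return sockets


def find_backdoor_sockets(sockets: list[Socket]) -> list[tuple[Socket, str]]:
    """Return (socket, tool name) for every listener on a known default port.

    A TCP socket only counts when it is LISTENING (a client connection that
    happens to use the port number as its ephemeral port is not a listener);
    UDP sockets have no state, so any bound UDP port counts.
    """
    hits = []
    for s in sockets:
        name = KNOWN_BACKDOOR_PORTS.get((s.proto, s.local_port))
        if name and (s.proto == "udp" or s.state == "LISTENING"):
            hits.append((s, name))
    return hits


# Constructed sample output in "netstat -ano" layout (hypothetical host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.20:1043      203.0.113.8:80         ESTABLISHED     1460
  UDP    0.0.0.0:31337          *:*                                    1820
  UDP    192.168.1.20:137       *:*                                    4
"""


if __name__ == "__main__":
    for sock, tool in find_backdoor_sockets(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{sock.proto.upper()} {sock.local_addr}:{sock.local_port} "
              f"(PID {sock.pid}) matches {tool}")
```

On a real host, feed it the output of `netstat -ano` and follow up each hit by identifying the process behind the PID; treat the port list as a starting point, not a signature, since a renamed binary on a non-default port will not be caught this way.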
EXAM WARNING
While the concepts behind worms, viruses, spyware, rootkits, logic
bombs, and Trojan horses are very similar, it’s important to be sure you
can quickly differentiate. There is often a fine line between a virus and
a worm, so be sure to know the specific differences between them.
www.syngress.com