
Backdoors-Part4


Encrypted Link
An administrator can set up a sniffer and try to spot traffic that looks like someone accessing a shell, but an intruder can add encryption to a network traffic backdoor, after which it becomes almost impossible to determine what is actually being transmitted between the two machines.

Windows NT
Because Windows NT does not easily allow multiple users on a single machine or remote access similar to Unix, it is harder for an intruder to break into Windows NT, install a backdoor, and launch an attack from it. You will therefore more often find network attacks that are springboarded from a Unix box than from Windows NT. As Windows NT advances in multi-user technologies, this may lead to more intruders using Windows NT to their advantage. If this does happen, many of the concepts from Unix backdoors can be ported to Windows NT, and administrators can be ready for the intruder. Today, there are already telnet daemons available for Windows NT, and network traffic backdoors are very feasible for intruders to install on Windows NT.

Solutions
As backdoor technology advances, it becomes even harder for administrators to determine if an intruder has gotten in or if they have been successfully locked out.

Assessment
One of the first steps in being proactive is to assess how vulnerable your network is, so that you can figure out which holes exist and should be fixed. Many commercial tools exist to help scan and audit the network and its systems for vulnerabilities. Many companies could dramatically improve their security if they only installed the security patches made freely available by their vendors.

MD5 Baselines
One necessary component of a system scanner is a set of MD5 checksum baselines. This MD5 baseline should be built from clean systems, before any hacker attack. Once a hacker is in and has installed backdoors, trying to create a baseline after the fact could incorporate the backdoors into the baseline. Several companies had been hacked and had backdoors installed on their systems for many months. Over time, all the backups of those systems contained the backdoors. When some of these companies found out they had a hacker, they restored a backup in the hope of removing any backdoors. The effort was futile, since they were restoring all the files, including the backdoored ones. The binary baseline comparison needs to be done before an attack happens.

Intrusion detection
Intrusion detection is becoming more important as organizations connect to the Internet and allow connections to some of their machines. Most of the older intrusion detection technology was based on log events. The latest intrusion detection system (IDS) technology is based on real-time sniffing and analysis of network traffic. Many of the network traffic backdoors can now be detected easily. The latest IDS technology can look at the UDP packets on the DNS port and determine whether their contents match the DNS protocol. If the data on the DNS port does not match the DNS protocol, an alert can be raised and the data captured for further analysis. The same principle can be applied to the data in an ICMP packet, to see whether it is normal ping data or is carrying an encrypted shell session.
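The DNS-port check described above, as an added example that is not part of the original post: it parses a UDP payload as a DNS header plus question section and flags anything that does not conform. It assumes Python 3 and nothing else; the sample payloads are constructed here, not captured traffic.

```python
import struct

VALID_QCLASS = {1, 3, 4, 254, 255}  # IN, CH, HS, NONE, ANY
LABEL_CHARS = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")


def looks_like_dns(payload: bytes) -> bool:
    """True if the UDP payload parses as a well-formed DNS message: a sane
    header followed by each question as labels + QTYPE + QCLASS."""
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if ((flags >> 11) & 0xF) > 5 or (flags & 0x0040):  # unassigned opcode or reserved Z bit
        return False
    if not 1 <= qdcount <= 4:  # real resolvers send a single question (heuristic bound)
        return False
    off = 12
    for _ in range(qdcount):
        name_len = 0
        while True:  # walk the labels of one QNAME
            if off >= len(payload):
                return False
            llen, off = payload[off], off + 1
            if llen == 0:
                break
            label = payload[off:off + llen]
            if llen > 63 or len(label) != llen or not LABEL_CHARS.issuperset(label):
                return False  # pointer/oversized label, truncated name, or binary data
            name_len += llen + 1
            if name_len > 255:
                return False
            off += llen
        if off + 4 > len(payload):
            return False
        if struct.unpack("!H", payload[off + 2:off + 4])[0] not in VALID_QCLASS:
            return False
        off += 4
    return True


def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample: a minimal standard query (RD=1, one question)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed samples: a real lookup, a shell session sent raw over UDP/53, and a
# "query" whose name stuffs a 64-byte blob into one label (over the 63-byte limit).
LEGIT = build_query("www.example.com")
SHELL_SESSION = b"sh-2.05$ id\nuid=0(root) gid=0(root)\n"
TUNNEL = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x40" + b"A" * 64 + b"\x00\x00\x01\x00\x01"
```

In a sensor this function would run on every UDP payload seen on port 53, and a `False` result is the alert condition the text describes; the captured payload is then kept for analysis.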

Boot from CD-ROM
Some administrators may want to consider booting from CD-ROM, which eliminates the possibility of an intruder installing a backdoor on the read-only boot media. The problem with this method is the cost and time of implementing it enterprise-wide.

Vigilant
Because the security field is changing so fast, with new vulnerabilities being announced daily and intruders constantly designing new attack and backdoor techniques, no security technology is effective without vigilance.

© Copyright 2012, Design by Srikanth Suryadevara. Powered by Blogger.