{
	"id": "0cafbd9e-fecb-458e-bd3f-3c2e4a1cf7db",
	"created_at": "2026-04-06T00:06:31.621112Z",
	"updated_at": "2026-04-10T03:22:07.189029Z",
	"deleted_at": null,
	"sha1_hash": "2f6abbda2e6cd11dc0d295681de0261acc8d7e29",
	"title": "Inside a Back Door Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108406,
	"plain_text": "Inside a Back Door Attack\r\nPublished: 2011-06-29 · Archived: 2026-04-05 18:07:57 UTC\r\nA colleague of mine recently wrote about one of the June “Microsoft Tuesday” vulnerabilities being exploited in the wild. Because we're a bit like that, we decided to allow the exploit to compromise one of our honeypot computers so we could observe what happened.\r\nThe exploit first came to our attention by way of email messages that were initially sent to a customer and then passed on to us for investigation. These messages were sent from an account hosted on a popular webmail service, contained very bad grammar, and were purportedly sent by a Chinese university student. The emails either asked for advice on a particular topic, or thanked the recipient for a recent presentation and included a question related to that presentation. The emails included a link to the website of a Chinese restaurant, and the destination Web page contained the exploit for an Internet Explorer 8 vulnerability:\r\nFigure 1: The hidden iframe tag can be seen, in addition to a link to cnzz, presumably for statistical purposes.\r\nAlthough the scenario in question might be referred to as a \"targeted attack,\" there are of course degrees of sophistication involved in every attack, and definitions of what is and is not a \"targeted\" attack tend to vary somewhat. 
In this case, given that the recipients were not Chinese, were not in any way related to a university, were not related to the topic on which advice was sought, and didn’t have anything to do with the presentation mentioned, one has to wonder why the attacker didn't do more to tailor the email message content to the recipient. In the environment in which they were presented, they truly stuck out like a sore thumb, and raise the question of whether this was indeed a targeted attack or just a random phishing expedition.\r\nEither way, given that the exploit was hosted on a Web page belonging to the Chinese restaurant, the easiest way to force the compromise of one of our honeypot computers was to simply browse to that Web page using a vulnerable version of Internet Explorer. We braced ourselves for the impact, and with one seemingly innocent click of the mouse, the exploit triggered and our honeypot computer was duly compromised. The computer we used for this exercise had a fairly basic setup, but we had spent a bit of time trying to make it look like a genuine person's computer and not just a clone. It had several bait files on it, many of which were viewed by the attacker, and some of which were “downloaded.” Scratch that. Let's call it what it is—some of which were “stolen.”\r\nAs mentioned in the previous blog, the exploit uses shell code to download and install a back door that then contacts 323332.3322.org (a hostname on 3322.org, a dynamic DNS service based in China) on TCP port 80 and awaits further commands. It is interesting to note that the attacker used a brand-new exploit to compromise the computer, but then relied on a very old back door (detected by Symantec since January 2010) to set up remote access.\r\nhttps://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack\r\nPage 1 of 3\n\nWe didn't have to wait long. 
Just minutes after the back door was installed, the attacker started discovery of the compromised computer. Some of the commands used were as follows:\r\nFigure 2: Some of the commands used by the attacker during their discovery phase\r\nNotice the typo on line six? That’s always a good indication you are dealing with a human, as opposed to an automated script or bot. You can see the attacker was interested in the running processes, active connections, and specific Windows configuration of the targeted computer, as well as any networked devices connected to the target. You can also see the attacker tried to connect to one of the networked devices using the administrator account. They failed, by design.\r\nImmediately after this, the attacker uploaded a full file and folder listing for all local fixed drives. One of the bait files on the computer must have caught their attention early, because the next action was to upload a .pdf file from the honeypot computer. Shortly after that, a base-64 encoded executable file was downloaded and executed on the compromised computer. It turned out to be a different back door, this time one that we hadn't previously seen. It resulted in a second connection to a different IP address and brought an infamous remote administration tool (RAT) known as Gh0st RAT to the party. Another of my colleagues wrote about this remote access tool back in 2009 and included a very informative video showing what an attacker can do with one of these remote access tools. 
Take a look if you're not familiar; you may be surprised to see what can be done.\r\nWith the introduction of the Gh0st RAT tool, the majority of traffic was now encrypted using SSL, and sessions jumped between the original host at 323332.3322.org and the second back door command-and-control server the Gh0st RAT tool was downloaded from.\r\nFigure 3: Encrypted traffic, but you can see the obvious references to “Gh0st”\r\nWe also saw the Outlook Express mailbox file being uploaded, along with the default browser bookmarks.\r\nDuring the short period we monitored the attack before disconnecting the honeypot computer from the Internet, we observed intermittent bursts of activity, but the majority of it took place soon after the honeypot computer was compromised. In total, there were approximately 2.5 megabytes of traffic to our honeypot computer originating from the attacker’s two computers, and about 9 megabytes of traffic outbound to the attacker’s computers.\r\nSo, be aware the next time you click a URL in an email: you might get a lot more than you bargained for. Keep your security software up to date, and when Microsoft releases those patches, get 'em quick. Believe me, the bad guys are counting on you not doing so.\r\nNote: A special thanks to Henry Bell for his kind assistance with this article.\r\nSource: https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack"
	],
	"report_names": [
		"inside-back-door-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775433991,
	"ts_updated_at": 1775791327,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f6abbda2e6cd11dc0d295681de0261acc8d7e29.pdf",
		"text": "https://archive.orkl.eu/2f6abbda2e6cd11dc0d295681de0261acc8d7e29.txt",
		"img": "https://archive.orkl.eu/2f6abbda2e6cd11dc0d295681de0261acc8d7e29.jpg"
	}
}