Learning Hacks The Chinese Hackers Use

By Dan Morrill
Article Date: 2009-01-14

You might be surprised by how mundane this list is; most security engineers should have these tools in their toolboxes as well. A few here are new to me, and worth sharing.

The Dark Visitor has a list of common tools that Chinese hackers are using. The good part is that if you find any of these on your network, and they are not yours, you might have an idea of where they came from. Although many of these tools are in just about every security engineer's toolbox, some tools like Snow are new to me, and could be interesting to try out. It is always good to know what tools the bad guys are using so you can work out countermeasures for them.

Su snow

Password detector: Snow can easily carry out various forms of web-based password guessing, for example against email accounts and registered forum users' passwords.

Chaos knife

Password cracker: Chaos Knife can crack Unix system ciphertext (hashed) passwords; for hackers with access to the /etc/passwd file, this is indispensable. The bad part is that there are many exposed Unix systems (check Google) that are sharing their password files. This just makes the hacker's job easier to do, so always guard your /etc/passwd files.
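A defender's check for the exposure described above, as an added example that is not part of the original article: it audits a passwd-format file for accounts whose password field holds a crackable hash or is empty instead of the shadow placeholder `x`, and checks a shadow file's permission bits. The sample file, its accounts and hash strings are constructed, and the function names are hypothetical.

```python
import re
import stat

# Constructed sample in passwd(5) format; accounts and hash strings are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:ab3dEfGh1JkLm:1001:1001::/home/legacy:/bin/sh
svc:$6$c0nstructed$Zm9vYmFy:1002:1002::/home/svc:/bin/sh
guest::1003:1003::/home/guest:/bin/sh
"""

SCHEMES = [
    (re.compile(r"^\$1\$"), "md5-crypt"),
    (re.compile(r"^\$2[abxy]?\$"), "bcrypt"),
    (re.compile(r"^\$5\$"), "sha256-crypt"),
    (re.compile(r"^\$6\$"), "sha512-crypt"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt"),  # traditional 13-char crypt
]

def classify(field):
    """Classify the second (password) field of a passwd entry."""
    if field == "x":
        return "shadowed"          # real hash lives in the shadow file
    if field == "":
        return "empty"             # account has no password at all
    body = field.lstrip("!")       # '!' prefix marks a locked password
    if body in ("", "*"):
        return "locked"
    for pattern, name in SCHEMES:
        if pattern.search(body):
            return "hash:" + name  # readable by every local user
    return "hash:unknown"          # unrecognised value, review by hand

def audit_passwd(text):
    """Return (line_no, user, issue) for entries that expose a password."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split(":")
        if len(parts) != 7:        # skip blank or malformed lines
            continue
        verdict = classify(parts[1])
        if verdict == "empty" or verdict.startswith("hash:"):
            findings.append((n, parts[0], verdict))
    return findings

def shadow_mode_ok(mode):
    """True if the shadow file grants nothing to 'other' and no group write."""
    return (mode & (stat.S_IRWXO | stat.S_IWGRP)) == 0
```

On a live system, pass the contents of `/etc/passwd` to `audit_passwd` and `os.stat("/etc/shadow").st_mode` to `shadow_mode_ok`.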


This is one of the few Chinese certified security software firewalls. It also integrates into hardware, making it a nice way for hackers to protect the systems they hack from other hackers. The use of this software is funny, but the competition between hackers is fierce, so they will protect what they hack. Often they will do this better than the original system administrator, who might find they no longer have any access to their systems.


This is a domestic Chinese Trojan that is used for remote monitoring and information gathering. This is a neat little tool to play around with, but it is written in native Chinese, so it is hard for non-Chinese speakers to use.

Small analysts

This is a free network monitoring and network protocol analysis tool, great for finding out what is going on with the network.

Rapid Search

This is a highly efficient and quick network scanner.

Local Port Scanner

This is another port scanner, used mostly to see if a computer has been infected with a Trojan. Hackers will usually check whether someone has been there before, and then try all the common things they can do to hack the other hacker's installation. Some hackers do not change the malware's default passwords, making this very easy to do if they know the system has been compromised in the past.


This is a Windows system call monitor, and can help the hacker find rootkits and other hidden malware. Much like any other rootkit process finder, this is a great tool to have around.


Netmon comes with Windows systems, and can be used to see what the system is connected to. This is part of working out whether something has been hacked or not, or of finding other targets of interest on the network.

LANguard Network Scanner

I do not know anyone who has not tried LANguard; this is the quintessential software that many security engineers play around with. The latest versions are very robust and you can still download it free, although the free version is limited by time and by IP address range.

Leechsoft's Net Monitor

This is another network monitor that is very common in organizations.

Win Trinoo Server Sniper

This one actually surprised me because it will show up on just about every AV scan out there. I don't think that anyone misses this, although it is also easy to change the hash value on the file, hiding it deeper. This makes sense when people are looking for rootkits and using stack analyzers to see if the system has been hacked in the past. This tool can also be used to clear previous installations of Win Trinoo.

SubSeven Server Sniper

The same as Win Trinoo, only this one finds and deletes SubSeven. It is surprising that these rootkits are still in use, but they were very good code.

There are a couple more tools, but they are also very common. What is interesting amongst all of these tools is just how common they are, and how easy they are to get. Of course the file provided by Dark Visitor is not going to go into the even cooler tools that are out there and not well known, but this is still an interesting list to catch up on.


Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.


