Třída: Backdoor
Zadní stěny jsou navrženy tak, aby poskytovaly škodlivým uživatelům vzdálený přístup k infikovanému počítači. Pokud jde o funkčnost, Backdoors jsou podobné mnoha administrativním systémům navrženým a distribuovaným vývojáři softwaru.Tyto typy škodlivých programů umožňují dělat cokoliv, co autor chce na napadeném počítači: odesílat a přijímat soubory, spouštět soubory nebo je smazat, zobrazovat zprávy, mazat data, restartovat počítač atd.
Programy v této kategorii se často používají k sjednocení skupiny obětí počítačů a vytvoření sítě botnet nebo zombie. To dává zlomyslným uživatelům centralizovanou kontrolu nad armádou infikovaných počítačů, které pak mohou být použity pro kriminální účely.
Existuje také skupina Backdoors, která je schopna šíření prostřednictvím sítí a infikování jiných počítačů jako Net-Worms. Rozdíl je v tom, že takové Backdoors se nerozšířují automaticky (jak to dělá Net-Worms), ale pouze na speciální "příkaz" od škodlivého uživatele, který je ovládá.
Platfoma: Win32
Win32 je rozhraní API v operačních systémech Windows NT (Windows XP, Windows 7 atd.), Které podporují provádění 32bitových aplikací. Jedna z nejrozšířenějších programovacích platforem na světě.Family: Backdoor.Win32.Saklof
No family descriptionExamples
3282EE78CC2D44C2C8A4A0AAF9A9802AB5A7A0750FB3BCCA1C0269B7D69A231F
A562DCCCD20BDD3ED8DAB1A9BD82C680
DD89F371201D797E560CAD2A7D7A3BEA
18E0D6E756A174E9B0C769EA8F983105
Tactics and Techniques: Mitre*
TA0007
Discovery
The adversary is trying to figure out your environment.
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
T1016
System Network Configuration Discovery
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g.
Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g.
show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
TA0011
Command and Control
The adversary is trying to communicate with compromised systems to control them.
Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.
Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.
T1568
Dynamic Resolution
Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
Adversaries may use dynamic resolution for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
* © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.