Kategorie: Backdoor
Backdoors sollen bösartigen Benutzern die Fernsteuerung über einen infizierten Computer ermöglichen. In Bezug auf die Funktionalität ähneln Backdoors vielen Verwaltungssystemen, die von Softwareentwicklern entworfen und vertrieben werden.Diese Arten von bösartigen Programmen ermöglichen es, alles zu tun, was der Autor auf dem infizierten Computer möchte: Dateien senden und empfangen, Dateien starten oder löschen, Nachrichten anzeigen, Daten löschen, den Computer neu starten usw.
Die Programme in dieser Kategorie werden häufig verwendet, um eine Gruppe von Opfercomputern zu vereinigen und ein Botnet- oder Zombie-Netzwerk zu bilden. Dies gibt bösartigen Benutzern die zentrale Kontrolle über eine Armee von infizierten Computern, die dann für kriminelle Zwecke verwendet werden können.
Es gibt auch eine Gruppe von Backdoors, die sich über Netzwerke verbreiten und andere Computer infizieren können, wie Net-Worms es tun. Der Unterschied ist, dass sich solche Backdoors nicht automatisch verbreiten (wie Net-Worms), sondern nur auf einen speziellen "Befehl" von dem bösartigen Benutzer, der sie kontrolliert.
Mehr Informationen
Plattform: Win32
Win32 ist eine API auf Windows NT-basierten Betriebssystemen (Windows XP, Windows 7 usw.), die die Ausführung von 32-Bit-Anwendungen unterstützt. Eine der am weitesten verbreiteten Programmierplattformen der Welt.Familie: Backdoor.Win32.Lotok
No family descriptionExamples
0855F3D1618E693590B3AF7837E0FFCA0C6AEB75AC52A32F10A82B5124A70E2B
0DCDBF928D545778F2413FD1F80E096C
677F10576730F98DF6CA6CA5FBAE7717
42FEFC2FA35DCCF489BFB41A2974F454
Tactics and Techniques: Mitre*
TA0002
Execution
The adversary is trying to run malicious code.
Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
T1204.002
User Execution: Malicious File
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)
While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)
While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
TA0011
Command and Control
The adversary is trying to communicate with compromised systems to control them.
Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.
Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.
T1071.001
Application Layer Protocol: Web Protocols
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
* © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.