Backdoors and malware and trojans oh my!

Post 31337 (tcp or udp) is not an officially assigned port according to IANA. Most /etc/services files do not reference it. So why pick what seems to be an obscure port that does not have a protocol associated with it to discuss as part of Cyber Security Awareness Month? If you use a popular search engine 31337 tends to return references to 31337 being an alternate spelling for Eleet (or Elite), and possible infections of a backdoor trojan which listened by default on this port. Back Orifice is not exactly new, originally released in 1998, it's successors such as BO2K have been updated somewhat. Most anti-virus engines will classify Back Orifice as malware and attempt removal. Some IDS engines will still alarm on traffic going to or from once popular typical trojan ports.

One part of the discussion of port 31337 could be the futility of alarming on any particular tcp or udp port at all. In 1998 BO had the ability to change its default listening port to anything at all. Any service in fact can be made to listen on pretty much any port. Without looking at the payload of the traffic you have no idea what is happening, whether it is a firewall or an IDS triggering on a 'suspicious' packet.

Trojans have not gone away to be a footnote in the history of InfoSec, they have evolved.

Please contact us if you have any comments or would like to add to this diary entry.

Update1: Dan wrote in to remind me that port 31337 is also the default listen port for Ncat, the netcat replacement from the Nmap team. Thanks Dan!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.