Concealing the BO2k Protocol

Due to the format of the BO2k protocol, simply encrypting the data payload of each BO2k packet is not enough to prevent an advanced Intrusion Detection System from detecting the presence of a backdoor. Each packet carries a length header describing the data portion of the traffic, and because that header stays in the clear it makes BO2k easy to identify on any port, so a plug-in was created to address this situation. By working in conjunction with a preconfigured encryption plug-in, the STCPIO (or Stealthy TCPIO) plug-in further obfuscates the BO2k protocol, concealing the header as well as the payload and making it much harder to identify as backdoor traffic. The strength of STCPIO depends on the strength of the default encryption plug-in that you are using with it: the stronger the encryption, the harder it is to detect BO2k traffic while using STCPIO. I highly recommend using either AES or SERPENT.

STCPIO functions as a direct replacement for the TCPIO module (if you still prefer to communicate through UDP, you're out of luck). STCPIO is available from the main BO2k download site (http://www.bo2k.com/software/bo2k11.html#stcpio). Before installing the plug-in, make sure that you are running BO2k version 1.1 or later and that you have an encryption plug-in configured and functioning on the server.

Tip

Installation and configuration of STCPIO is very similar to the way you installed UDPIO in Configuring a BO2k Server.

From the downloaded STCPIO archive, extract the io_stcpio.dll file to the plug-ins/io subdirectory under the main BO2k directory. Begin server configuration by inserting the io_stcpio.dll plug-in into the server binary using bo2kcfg (see Configuring a BO2k Server). A cyan-colored STCPIO folder should appear in the Option Variables box. For a basic installation, four variables need to be configured. The two STCPIO variables give the plug-in its basic settings, and the two Startup variables tell the backdoor how to configure itself for STCPIO during initialization:

Header Encryption

Set this to match the name of the encryption module that the server is already configured to use. For example, set the string to be AES. Access this variable from the STCPIO menu item.

Default Port

Set this to be the TCP port you wish the backdoor to listen on. I set this to 9090, which is the same port I used earlier during UDPIO configuration. Access this variable from the STCPIO menu item.

Init Cmd Net Type

This variable tells the server to use STCPIO as the default IO plug-in upon startup. Set this string to be STCPIO. Access this variable from the Startup menu item.

Init Cmd Bind Str

This must be set to match the value that you entered as Default Port. In this example, it is set to 9090. Access this variable from the Startup menu item.

Remember these values, because you'll need to use them again when setting up the client. Save the backdoor and execute it on the desired server.

Load the same io_stcpio.dll plug-in into the BO2k client (see "Client Setup" earlier in this chapter). The same cyan-colored STCPIO folder appears in the client's Option Variables box. Set the STCPIO Header Encryption and Default Port variables to match the settings you applied to the server. Open the Edit Server Settings window for the server to which you wish to connect. The Connection Type select box contains an item called STCPIO: BO2K Stealthy TCP IO Module. Highlight it. Also, double-check to make sure that the encryption plug-in you selected is highlighted in the Default Encryption select box; in this example it is set to AES. Click OK, and everything is ready to go.

Tip

As with encryption, other plug-ins may be configured to take advantage of the STCPIO IO module.

If everything is configured properly, the next time you connect, you will be much harder to detect. If you are interested in seeing the difference between visible and concealed, try setting up two servers, one using regular TCPIO without encryption and the other using STCPIO with AES. Record and analyze a similar session using both setups, where you send a few commands to the backdoor. Use a tool such as Wireshark (see Chapter 5) for the experiment and you'll see for yourself how much harder the STCPIO session with AES is to recognize for an observer who does not hold the key.
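The point of the experiment above, and of the discussion at the start of this section, can also be reproduced offline. The following is an added example written for this page, not code from the BO2k project or the STCPIO plug-in. It models a stream of backdoor packets as length-prefixed records, encrypts the payload with a toy SHA-256/XOR keystream that stands in for the AES plug-in, and then shows what a simple IDS heuristic sees. The 4-byte little-endian length header, the toy cipher, the packet contents and the detection threshold are all constructed assumptions; they are not the real BO2k wire format or BO2k's encryption. With only the payload encrypted, the stream still tiles perfectly into length-prefixed records, which is exactly the signature an IDS can key on. When the header is encrypted as well (what STCPIO does), the same walk falls apart at the first record.

```python
import hashlib
import struct

# Toy framing: 4-byte little-endian length followed by the data. This is an
# assumption for illustration only, not the actual BO2k header layout.
HDR = struct.Struct("<I")

# Constructed sample session: a few commands a client might send.
PAYLOADS = [b"ping", b"dir c:\\", b"sysinfo", b"screenshot", b"exit"]
KEY = b"example-key-not-the-real-plugin-key"


def keystream(key: bytes, label: bytes, index: int, n: int) -> bytes:
    """Toy keystream (SHA-256 counter mode). Stands in for the AES/Serpent
    plug-in; it is NOT a secure cipher and must not be used as one."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        blk = key + label + index.to_bytes(4, "little") + ctr.to_bytes(4, "little")
        out += hashlib.sha256(blk).digest()
        ctr += 1
    return bytes(out[:n])


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def build_stream(payloads, key: bytes, encrypt_header: bool) -> bytes:
    """Serialize payloads as [len][data] records. encrypt_header=False models
    TCPIO plus an encryption plug-in (payload hidden, header in the clear);
    encrypt_header=True models STCPIO, which also conceals the header."""
    out = bytearray()
    for i, p in enumerate(payloads):
        body = xor(p, keystream(key, b"body", i, len(p)))
        hdr = HDR.pack(len(body))
        if encrypt_header:
            hdr = xor(hdr, keystream(key, b"hdr", i, HDR.size))
        out += hdr + body
    return bytes(out)


def framed_records(stream: bytes, max_len: int = 65535):
    """IDS-style heuristic: walk the stream as consecutive length-prefixed
    records. Returns the record count if the lengths tile the stream exactly,
    or None as soon as a header makes no sense."""
    pos, count = 0, 0
    while pos < len(stream):
        if len(stream) - pos < HDR.size:
            return None
        (n,) = HDR.unpack_from(stream, pos)
        if n == 0 or n > max_len or pos + HDR.size + n > len(stream):
            return None
        pos += HDR.size + n
        count += 1
    return count


def looks_like_length_framed(stream: bytes, min_records: int = 3) -> bool:
    """Flag a stream when several records in a row parse cleanly. A random
    32-bit value (an encrypted header) almost never passes the bounds check."""
    count = framed_records(stream)
    return count is not None and count >= min_records


def decode_records(stream: bytes, key: bytes):
    """Recover the payloads from a stream whose headers are in the clear;
    shows that the plaintext header is what lets an observer re-frame it."""
    out, pos, i = [], 0, 0
    while pos < len(stream):
        (n,) = HDR.unpack_from(stream, pos)
        body = stream[pos + HDR.size:pos + HDR.size + n]
        out.append(xor(body, keystream(key, b"body", i, n)))
        pos += HDR.size + n
        i += 1
    return out


if __name__ == "__main__":
    visible = build_stream(PAYLOADS, KEY, encrypt_header=False)
    hidden = build_stream(PAYLOADS, KEY, encrypt_header=True)
    print("payload-only encryption flagged:", looks_like_length_framed(visible))
    print("header+payload encryption flagged:", looks_like_length_framed(hidden))
```

Note that `decode_records` needs the key to read the commands, but `framed_records` needs no key at all to recognize the traffic, which is the distinction the section is making: encrypting the payload protects confidentiality, while encrypting the header is what removes the structural signature.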