1 / 67

TCP/IP Perversion

TCP/IP Perversion. Rares Stefan, Third Brigade Inc. SecTor 2007. Introduction. Perspective from a researcher focused on protecting hosts from malware Implementing kernel-based protection mechanisms Insight into a potential class of network driver malware. The Rise of Silent Malware.

lars-randolph
Download Presentation

TCP/IP Perversion

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TCP/IP Perversion Rares Stefan, Third Brigade Inc. SecTor 2007

  2. Introduction • Perspective from a researcher focused on protecting hosts from malware • Implementing kernel-based protection mechanisms • Insight into a potential class of network driver malware

  3. The Rise of Silent Malware • Three main areas of interest in malware R&D: • Delivery and activation • Hiding presence - rootkit techniques • Evasion - Minimize operating noise • Show no signs of activity on the infected system • Show no traces of network activity on the wire

  4. Operational Challenges • Operate on wire data • Active at a layer that guarantees transparency to the host • Correctly perform inline IP reassembly and TCP stream reassembly • Allow for arbitrary injection/removal of data in TCP sessions

  5. Operational Challenges…part deux • Maintain silence on the host: • Never initiate TCP sessions • Never receive TCP open-session requests • Do not rely on TCP port splicing if the infected host is a server • Do not rely on static motherships if the infected host is a workstation • Packet modifications should not be easily visible in local network traces

  6. Operational Challenges…part trois • Maintain silence on the wire • Only make use of legitimate TCP sessions • Do not alter protocol semantics - resistance to network anomaly detection engines • Piggyback on encrypted channels (SSL) and multiple TCP sessions for large data transfers

  7. Never Access to data stream, not packets Some interesting areas No guaranteed access to outbound payload NDIS hooking • Some delivery challenges- Most flexibility - Driver signing issues- Complete control over hardware drivers to transport protocol communications Driver Implementation Pre-Vista User Land TDI FW hook PF hook TCP/IP NDIS NDIS.SYS Intermediate driver Miniport driver

  8. Rogue Network Driver Framework • Firewall hook kernel module for basic packet header operations • IM Filter driver: • Inline IP reassembly • Inline TCP stream reassembly • TCP session normalization

  9. Packet Header Modifications

  10. Infected Workstation SNAT/DNAT – SrcIP_Alice -> SrcIP_Bob DstIP_Bob -> dstIP_server BOB https://server ALICE 10.0.1.26 DNAT – DstIP_server -> DstIP_Bob 10.0.1.124 server Translated request reaches server

  11. Infected Workstation SNAT/DNAT – SrcIP_Alice -> SrcIP_Bob DstIP_Bob -> dstIP_server BOB https://server ALICE 10.0.1.26 DNAT – DstIP_server -> DstIP_Bob 10.0.1.124 server Translated request reaches server

  12. Infected Server Selective DN(P)AT: SrcIP_Alice  SrcIP_server Dst_Port_443  DstPort_135 telnet server:80 ALICE Server https request served https://server

  13. Infected Server Selective DN(P)AT: SrcIP_Alice  SrcIP_server Dst_Port_443  DstPort_135 telnet server:80 ALICE Server https request served https://server

  14. Packet Header Opportunities • Passive covert channels • http://www.invisiblethings.org/papers/passive-covert-channels-linux.pdf • http://www.ouah.org/neural_networks_vs_NUSHU.pdf • http://staff.science.uva.nl/~delaat/snb-2005-2006/p27/report.pdf • Port splicing • Most significant; communicating the original intent: • DNAT on outgoing SYN – change destination address to that of the MIM • Insert original dstIP in header fields • MIM double NAT

  15. Why Payload Injection ? • Access to packet data • High bandwidth channel • Bypass application proxies • Altering TCP data length on the wire is not trivial!

  16. Inline Injection • Support for IP reassembly on incoming traffic and IP fragmentation on outbound traffic • Support for TCP stream reassembly – datagram reordering, injection of acknowledgements and resets, among other things

  17. Inline TCP Reassembly • Maintain two edges (pre and post modification): • ISN • MaxSeq • MaxAck • Window • Maximum SeqNo of Filtered Data • Maximum AckNo of Filtered Data • Queue/counter for non Ack-ed datagrams • Queue/counter for not sent datagrams • Needed Window Scale • Actual Window Scale

  18. SMTP Injection – Eliminating Bob from the Equation • Reduces the complexity of MIM and random redirection • Works with application level proxies • Replace RCPT TO argument or inject additional RCPT TO (BCC) • Increases the probability detection – SMTP server logs

  19. BOB Eva SMTP Injection Alice Sends Bob message Driver injects BCC to Eva Bob receives original message SMTP Server So does Eva

  20. SMTP Injection Demo Vid1

  21. HTTP Injection • TCP Headers useless – need to find workaround • Easy workaround but we need to be careful: • Transparent proxies (Initial HTTP request looks normal, so we’ll always assume we may be transparently “proxied”) • Direct proxies – easy to spot in HTTP(s) requests • URI & Headers will help us redirect/leak data • Make use of Authorization, Cookies headers – they won’t be scrubbed • POST data also presents injection opportunities

  22. google.com BOB HTTP Injection Web Proxy – Content Filtering Change request; Inject Data http://www.google.com ALICE

  23. google.com BOB HTTP Injection Web Proxy – Content Filtering Change request; Inject Data http://www.google.com ALICE

  24. BOB SSL Injection Demo somebank.com Perimeter Security Inject Data https://somebank.com ALICE

  25. BOB SSL Injection Demo somebank.com Perimeter Security Inject Data https://somebank.com ALICE

  26. SSL Alice – browser video

  27. Detecting Network Driver Malware • Conventional detection mechanisms • AV, AS signatures; configuration mgmt • New detection mechanisms • Traffic based detection? • Malicious destinations, ISN analysis • Network trace diff – local vs. remote • NDIS based sniffer for better visibility? • Other • Host based application control ineffective • DLP? • …

  28. Conclusions • Passive kernel malware difficult to spot • There are significant implementation challenges for coders • Prevention remains key approach

  29. Thank You

  30. Infected Workstation

  31. Alice – Browser Capture

  32. Alice-Bob Network Traces

  33. Alice Driver_SNAT

  34. Alice_SNAT

  35. Back to Infected Workstation

  36. Bob_Double_NAT

  37. Bob_Double_NAT

  38. Bob_Double_NAT

  39. Bob_Double_NAT

  40. Back to Infected Workstation

  41. Infected Server

  42. Server network trace

  43. Server SNAT&DPAT

  44. Back to Infected Server

  45. HTTP Injection

  46. Alice – browser video

  47. Alice – network trace

  48. Alice - original data

More Related