1 / 50

Maintaining Access

Maintaining Access. In This Chapter…. Trojans Backdoors Rootkits. Trojan Horses. The original Trojan Horse Used by Greeks attacking Troy Trojan rabbit Monty Python and the Holy Grail Modern trojan horse Software that appears to be something that it is not --- hidden malicious function.

macy
Download Presentation

Maintaining Access

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Maintaining Access Maintaining Access 1

  2. In This Chapter… • Trojans • Backdoors • Rootkits Maintaining Access 2

  3. Trojan Horses • The original Trojan Horse • Used by Greeks attacking Troy • Trojan rabbit • Monty Python and the Holy Grail • Modern trojan horse • Software that appears to be something that it is not --- hidden malicious function Maintaining Access 3

  4. Trojan • Perhaps most common form of malware • Any “innocent” program can be a trojan • Example • Free DVD ripping software! • In reality, deleted content of hard drive • Trojan could be much more clever… Maintaining Access 4

  5. Backdoors • “Alternative” access to machine • Front door: username and password • Backdoor: unauthorized access • Note: once backdoor is established, improved authentication is useless Maintaining Access 5

  6. Backdoor • Suppose Trudy installs backdoor • What’s next? • Trudy likely to “harden” system • Fix vulnerabilities, apply patches,… Why? • “0wned” system likely more “secure” • Trudy may use strong authentication! Maintaining Access 6

  7. Netcat Backdoor • Install Netcat listener • Must compile Netcat with its GAPING_SECURITY_HOLE option • In UNIX: nc victim_machine 12345 • Starts Netcat in client mode with listener on TCP port 12345 • No authentication required of attacker Maintaining Access 7

  8. Backdoors • Trojan backdoor appears to be “good” • But actually installs backdoor • Three types of trojans (soup analogy) • Application level: separate application • Trudy adds poison to your soup • User-mode rootkit: replace system stuff • Trudy switched potatoes for poisonous potatoes • Kernel-mode rootkit: OS itself is modified • Trudy replaces your tongue with “poison” tongue Maintaining Access 8

  9. Application Level Trojans • Separate application • Gives attacker access • Most prevalent on Windows • Remote-control backdoor • Can control system across network • Microsoft itself supposedly attacked in 2000 Maintaining Access 9

  10. Remote-Control Backdoor Maintaining Access 10

  11. Remote-Control Backdoor • Thousands of such backdoors • See www.megasecurity.org • Some months, 50 or more released • Eventually, detectable by antivirus • Popular remote-control tools • VNC, Dameware, Back Orifice, SubSeven Maintaining Access 11

  12. Remote-Control Backdoor Examples Maintaining Access 12

  13. Remote-Control Backdoor • Functionality • Pop-up dialog box on victim’s machine • Log keystrokes • List system info • Collect passwords • Manipulate files (view, copy, …) • Modify registry settings or processes • Remotely accessible command shell • GUI “control”, video, audio, sniffers Maintaining Access 13

  14. BO2K Maintaining Access 14

  15. Remote-Control Backdoors • Like a hammer… • In the right hands, useful tool • Administrator, white hat, … • In the wrong hands, can cause damage • Hacker, black hat, … Maintaining Access 15

  16. Build Your Own Trojan • No programming skill required! • Use “wrapper” • Attaches (evil) exe to another (nice) exe • Wrappers include • Silk Rope • SaranWrap • EliteWrap • AFX File Lace • Trojan Man Maintaining Access 16

  17. Build Your Own Trojan • Use a wrapper • Give program a nice name • FreeGame.exe, not EvilVirus.exe • Email it to lots of people • Spoof source of email, etc., etc. • Problem: where are the victims? • Solution: “notification” functionality • Via email? Maintaining Access 17

  18. Related Attacks • Phishing • Email-based • Can be fairly sophisticated/targeted • URL obfuscation • Evil site disguised as legitimate website Maintaining Access 18

  19. Bots • Designed for “economies of scale” • Control many machines, not one at a time • A botnet, controlled by a bot master • Usually via IRC (but that is changing) • Bots of 100,000 or more machines • Bot code freely available • Phatbot (500+ variations), sdbot, mIRC bot • Some high-quality code (phatbot) Maintaining Access 19

  20. Botnet Maintaining Access 20

  21. Botnets • Botnet functionality includes • DoS • Vulnerability scanning • Metamorphism • Anonymizing HTTP proxy • Email address collection/spamming • Other? Maintaining Access 21

  22. Virtual Machine Detection • Virtual machines used to analyze bots • And other malware • Some bots try to detect virtual machine • What if virtual machine is detected? • Red Pill • Execute SIDT, look at IDTR location • If non-virtual then IDTR is at low address • If virtual machine then IDTR at high address • What could be simpler than that? Maintaining Access 22

  23. Virtual Machine Detection • Lots of other techniques • Recent research shows system calls a good indicator of virtual machine Maintaining Access 23

  24. Worms and Bots • Worms --- self-propagating malware • Can use worm to infect systems that become part of a botnet Maintaining Access 24

  25. Spyware • Software the spies on you • Typically focused on one objective • Usually simple propagation method • User installs it • May be disguised as anti-spyware • May also use browser flaws Maintaining Access 25

  26. Spyware • Capabilities of spyware • Web surfing statistics • Personal identifiable information (PII) • Customized advertising • Customized filtering of searches • Pop-up ads • Keystroke logging Maintaining Access 26

  27. Defenses • Defenses against application level trojans/backdoors, bots, spyware • Antivirus, user education • Look for unusual TCP/UDP ports • Know your software • Easier said than done! • Check hashes/fingerprints • Better yet, use digital signatures Maintaining Access 27

  28. Defenses • MD5 hash • NOT a “signature” • Regardless of the “signatures” line Maintaining Access 28

  29. User-Mode Rootkits • Application level backdoors • Separate applications • Relatively easy to detect • User-mode rootkits • More insidious • Modify OS software/libraries Maintaining Access 29

  30. User-Mode Rootkits Maintaining Access 30

  31. User-Mode Rootkits • Linux/UNIX example • “Better” version would look the same Maintaining Access 31

  32. User-Mode Rootkits • Linux/UNIX rootkits might replace… • du --- to lie about disk usage • find --- hide attacker’s files • ls --- hide rootkit files • netstat --- lie about ports in use • ps --- hide processes • syslogd --- don’t log attacker’s actions Maintaining Access 32

  33. User-Mode Rootkits • Windows rootkits are different • Often alter memory of running processes associated with OS • E.g., make OS “think” port not in use… • Why this approach? • Difficult to change critical system files • Easy for one process to access another Maintaining Access 33

  34. User-Mode Rootkits • In Windows, rootkit “hooks” API calls • Rootkit overwrites API call to point to attacker’s code • Attack code calls real function, returns altered results to hooked function • Rootkit likely also includes command shell backdoor Maintaining Access 34

  35. User-Mode Rootkits • Windows rootkits might hook… • NtQuerySystemInformation --- Hide running processes • NtQueryDirectoryFile --- Hide files • NtEnumerateKey --- hide registry keys • NtReadVirtualMemory --- hide hooked API calls Maintaining Access 35

  36. Hacker Defender Maintaining Access 36

  37. Hacker Defender Maintaining Access 37

  38. AFX Windows Rootkit • Creates “cone of invisibility” for rootkit Maintaining Access 38

  39. Cone of Silence Maintaining Access 39

  40. Defenses • Defenses against user-mode rootkits • Don’t let attacker get root access • Good pwds, close ports, etc., etc. • Employ file integrity/hash checking • Tripwire • Antivirus Maintaining Access 40

  41. Kernel-Mode Rootkits • Kernel is heart of OS • User-mode rootkit • Alters administrator’s eyes and ears • Kernel-mode rootkit • Alters part of administrator’s brain • “If the kernel cannot be trusted, you can trust nothing on the system” Maintaining Access 41

  42. Kernel-Mode Rootkits Maintaining Access 42

  43. Kernel-Mode Rootkit • Execution redirection • Calls to certain app mapped elsewhere • For example, map sshd to backdoor_sshd • File hiding • You see only what attacker wants you to • Process hiding, network hiding, etc. Maintaining Access 43

  44. Kernel-Mode Rootkits • Adore-ng: Linux Kernel-Mode Rootkit • Promiscuous mode hiding: smart enough to check if promiscuous mode is by admin • Process hiding: can cloak any process • Kernel module hiding: Adore-ng hides itself Maintaining Access 44

  45. Kernel-Mode Rootkits • Windows FU Kernel-Mode Rootkit • Pronounced “F” “U”, not “foo” • So it is OK to say “Windows FU” • Created by “Fuzen” • Consists of special device driver: msdirectx.sys • Hide processes, alter privilege, hides events, etc. Maintaining Access 45

  46. Defenses • Install kernel-mode rootkit on your own system? Good idea or bad idea? • Bad idea… • Attacker might understand rootkit better than you do… • Postmortem analysis more difficult • Multiple rootkits could be installed, in principle Maintaining Access 46

  47. Defenses • Don’t let attacker get root • Control access to kernel • Systrace (by Niels Provos), CSA, Entercept • Use IDS • Automated rootkit checkers • Chkrootkit: signature scan, hidden processes, file structure inconsistencies,… • Rootkit Hunter, Rootkit Revealer: look for discrepancies between user mode/kernel mode Maintaining Access 47

  48. Defenses • File integrity check • Antivirus • Note: some antivirus will flag rootkit checkers • Boot from CD for analysis Maintaining Access 48

  49. Conclusions Maintaining Access 49

  50. Summary Maintaining Access 50

More Related