Learn about Trojan horses, malware that masquerades as useful software but hides malicious functions. Discover their origins, goals, file tricks, and defense strategies.
Definition
A Trojan horse is a program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality.
Origin of term: The ancient Greeks laying siege to Troy…

Goals of Trojans
• Duping the user/sysadmin into installing the Trojan
• Blending in with “normal” programs running on a machine

Filenaming tricks
Goal – hide true nature of a program
Hiding true filetype extension after spaces
• textfile.txt -> textfile.txt .exe
• Just as companion viruses
Many kinds of files can contain malware:
• .api, .bat, .bpl, .chm, .com, .cpl, .dll, .dpl, .drv, .exe, .hta, .js, .ocx, .pif, .pl, .scr, .shs, .sys, .vbe, .vbs, .vxd, .wma, .wsf, .wsh

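A detection-side view of the padding trick on this slide, as an added example that is not part of the original deck. The function name and the finding strings are assumptions; the extension set is the list from the slide.

```python
import re

# Extensions the slide lists as able to carry malware.
RISKY_EXTS = {
    ".api", ".bat", ".bpl", ".chm", ".com", ".cpl", ".dll", ".dpl",
    ".drv", ".exe", ".hta", ".js", ".ocx", ".pif", ".pl", ".scr",
    ".shs", ".sys", ".vbe", ".vbs", ".vxd", ".wma", ".wsf", ".wsh",
}

def filename_findings(name):
    """Return reasons a filename looks like it is hiding its real type."""
    trimmed = name.rstrip()
    real = re.search(r"\.[A-Za-z0-9]+$", trimmed)
    if not real or real.group(0).lower() not in RISKY_EXTS:
        return []  # the extension the OS acts on is not in the risky set
    real_ext = real.group(0).lower()
    stem = trimmed[: real.start()]
    findings = []
    # Padding pushes the real extension out of view in narrow file listings.
    if stem != stem.rstrip():
        findings.append(f"whitespace before real extension {real_ext}")
    # A harmless-looking extension left in front of the real one.
    decoy = re.search(r"\.[A-Za-z0-9]{1,5}$", stem.rstrip())
    if decoy:
        findings.append(
            f"decoy extension {decoy.group(0).lower()} before {real_ext}")
    return findings

if __name__ == "__main__":
    # Constructed sample names.
    for sample in ["textfile.txt          .exe", "invoice.PDF.scr", "setup.exe"]:
        print(repr(sample), filename_findings(sample))
```
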
Exploiting UNIX paths
Goal: Trick users into running your program instead of system utilities
If a user has a bad path, the shell can pick up the wrong executable.
victim$ echo $PATH
.:/usr/local/bin:/bin:/usr/bin

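One way to audit a search path for the weakness shown on this slide, as an added example that is not part of the original deck. The function names are assumptions; the sample value is the PATH from the slide.

```python
import os
import stat

def audit_path(path_value, check_fs=False):
    """Return (entry, reason) findings for a colon-separated PATH string."""
    findings = []
    for entry in path_value.split(":"):
        if entry == "":
            # A leading, trailing or doubled colon means "current directory".
            findings.append((entry, "empty entry resolves to current directory"))
        elif entry == ".":
            findings.append((entry, "current directory in PATH"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative directory"))
        elif check_fs:
            try:
                mode = os.stat(entry).st_mode
            except OSError:
                continue  # directory does not exist, nothing can run from it
            if mode & stat.S_IWOTH:
                # Any local user can drop an executable here.
                findings.append((entry, "world-writable directory"))
    return findings

def searched_before(path_value, system_dir):
    """Risky entries the shell searches before system_dir.

    A file planted in one of these directories runs instead of the
    utility of the same name in system_dir."""
    entries = path_value.split(":")
    cutoff = entries.index(system_dir) if system_dir in entries else len(entries)
    risky = {entry for entry, _ in audit_path(path_value)}
    return [entry for entry in entries[:cutoff] if entry in risky]

if __name__ == "__main__":
    slide_path = ".:/usr/local/bin:/bin:/usr/bin"  # value from the slide
    print(audit_path(slide_path))
    print(searched_before(slide_path, "/bin"))
```

Moving `.` to the end of PATH stops it shadowing system utilities, but `audit_path` still reports it because a mistyped or missing command would still resolve there.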
Hiding in hacked binaries
Combine multiple programs together in a single executable
• Program with original, normal non-malicious purpose, and malware
• e.g. notepad.exe + your back door
• Not just masquerading as other innocuous programs, it _is_ a normal program
• Easy way to add a back door Trojan

Mimicking other processes
Goal – pretend to be another task
• Rename executable, so in a process listing, it will look like other nice processes
UNIX Examples:
• httpd, sshd, crond, syslogd
Windows Examples:
• explorer.exe, notepad.exe, iexplorer.exe

Not just for tricking users
• Renaming the process used to trick the OS!
• Windows unkillable tasks
  • csrss.exe – environment subsystem for 16-bit processes & consoles
  • services.exe – starts/stops services / daemons in background
  • smss.exe – Session Manager SubSystem, starts programs needed after user logs on
  • winlogon.exe – authenticates users

Trojaning Software Distros
Anyone who installs the software gets your Trojan
Method #1: Old-fashioned, social engineering method
• Mail the systems administrator your CDs via snail mail
• Make them look authentic so system administrator installs patch
• “URGENT Security Patch for Solaris mountd service”
Method #2: Trojaning web distros
• Modify web software distributions.
• Several examples
  • monkey.org: Security/hacker tools 5/02
  • Dsniff, fragroute, fragrouter IDS
  • openssh.org: July30-Aug1 ’02
  • sendmail.org: Sep28-Oct6 ’02

tcpdump/libpcap backdoor
November 11 ’02, hackers altered the distribution of tcpdump
Normal software installation on UNIX
• Download the source
• ./configure
• make (compile the package)
• make install (install the package)
New configure: configure script downloaded software from a webserver and ran it
Execution:
• Polls for requests on TCP port 1993
• Takes one of three 1-character commands
  • ‘A’ – Turn self off
  • ‘D’ – Shovel a shell at the sender
    (TCPDump is usually installed as administrator)
  • ‘M’ – Sleep for 1 hour, then resume polling

tcpdump/libpcap backdoor Execution Diagram
tcpdump/libpcap backdoor
Hiding tracks!
• Modified libpcap doesn’t report packets on port 1993
• Packages built on top of libpcap all affected
• Snort, Bro, Ethereal, tcpdump

Defenses
Create a signature for the package, to make sure the contents are valid.
Hard to make a new file with the same signature.
• CignaCert/Harris, PGP Signed copy, SHA1Sum
• Must make sure you don’t get the signature from the same site you download from!
• Skoudis text recommends MD5 which is now broken
• Mini-flame used MD5 collision to issue fake Microsoft signature on malicious software

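A sketch of the check this slide describes, as an added example that is not part of the original deck: the download is hashed locally and compared with a digest list obtained from a different channel than the download site. Using SHA-256 in the `sha256sum` line format is an assumption of this example, and the file name and sample bytes are constructed.

```python
import hashlib
import hmac

def parse_checksum_line(line):
    """Parse '<hex digest> <mode char><filename>' as written by sha256sum."""
    digest, sep, rest = line.rstrip("\n").partition(" ")
    if not sep or len(rest) < 2:
        raise ValueError("malformed checksum line")
    digest = digest.lower()
    # Reject anything that is not a 256-bit digest, e.g. a 32-character MD5.
    if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
        raise ValueError("not a SHA-256 hex digest")
    return rest[1:], digest  # rest[0] is the ' ' (text) or '*' (binary) flag

def verify_download(data, filename, trusted_checksums):
    """True only if data matches the trusted digest listed for filename.

    trusted_checksums must come from a channel other than the download
    site (signed announcement, second mirror, vendor e-mail)."""
    for line in trusted_checksums.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, expected = parse_checksum_line(line)
        if name == filename:
            actual = hashlib.sha256(data).hexdigest()
            return hmac.compare_digest(actual, expected)
    return False  # no trusted digest for this file: fail closed

# Constructed sample data standing in for a release tarball and an altered copy.
ORIGINAL = b"constructed release tarball bytes\n"
TAMPERED = ORIGINAL + b"extra step added to configure\n"
# Constructed checksum list standing in for the out-of-band copy.
TRUSTED = hashlib.sha256(ORIGINAL).hexdigest() + "  tool-1.0.tar.gz\n"

if __name__ == "__main__":
    print(verify_download(ORIGINAL, "tool-1.0.tar.gz", TRUSTED))
    print(verify_download(TAMPERED, "tool-1.0.tar.gz", TRUSTED))
```
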
Poisoning the Source
Plant your back door in the original source code somehow. (Possibly through an employee)
Not necessary to write a whole backdoor
Introduce an exploitable flaw
• CMU Study: Programmers introduce between 100-150 defects per 1000 lines of code
• Windows XP: 45 Million lines of code

Setiri Win32 Trojan Horse
Feb 2002 – a new spin on the Trojan principle
Coopts other processes into doing its dirty work
• Takes a real, valid process
• Makes it do the malicious part
• Uses OLE to communicate with Internet Explorer
Setiri Commands:
• Upload a file
• Download a file
• Execute a program
Compromised victim machines check for commands on compromised webservers
Compromised webservers have just a few new CGI scripts

Setiri
OLE Control of MSIE
• Controls an existing program that people use (Hard to detect subversion)
• Most personal firewalls allow browser access
• Most network firewalls allow outgoing web activity
• No ports to look for

Setiri and anonymizers
Setiri hides network communication paths via anonymizing networks
[Diagram labels: Compromised machine, Attacker, Anonymizer, Anonymizer, Compromised Webserver]

Data trojans
Steganography
• The act of hiding messages/communication
• From Greek word for “hidden writing”
• Popular example of steganography

Steganography
Pixels are stored as RGB values, a 3-byte triplet of colour values [0-255]
Idea: Drop least significant bit (barely noticeable image degradation)
10101010 -> 1010101? + 1 bit of our secret message
512x512 image is 786,432 bytes -> 786,432 bits of secret message ~= 100KB

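The least-significant-bit scheme on this slide, worked through on a raw RGB byte buffer as an added example that is not part of the original deck. The function names and the bit order (most significant message bit first) are assumptions; the cover bytes are constructed.

```python
def capacity_bytes(width, height, channels=3):
    """Message bytes that fit at one hidden bit per colour byte."""
    return (width * height * channels) // 8

def embed_lsb(pixels, message):
    """Overwrite the low bit of successive colour bytes with message bits."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message exceeds cover capacity")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # 1010101? + one message bit
    return bytes(out)

def extract_lsb(pixels, n_bytes):
    """Read n_bytes back out of the low bits, in the same bit order."""
    out = bytearray()
    for b in range(n_bytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[b * 8 + i] & 1)
        out.append(value)
    return bytes(out)

def max_channel_change(before, after):
    """Largest per-byte difference, i.e. the visible cost of embedding."""
    return max(abs(x - y) for x, y in zip(before, after))

if __name__ == "__main__":
    cover = bytes((i * 37) % 256 for i in range(64))  # constructed pixel data
    stego = embed_lsb(cover, b"hi")
    print(capacity_bytes(512, 512))          # the slide's 512x512 image
    print(extract_lsb(stego, 2), max_channel_change(cover, stego))
```

The buffer length does not change and no colour byte moves by more than 1, which is why the change is hard to see; a hash of the file taken before embedding no longer matches afterwards.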
Hydan
Steganography applied to executable files
Idea: Most operations can be expressed in multiple ways
• add eax, ebx = sub eax, -ebx
Reassemble existing executables so that add instructions = 0, subtract instruction = 1
The rub: Final executable is the same size
Usually 1 byte encoded per 150 bytes of executable
Detectable with tripwire/file integrity detection tools