680 likes | 859 Views
TCP/IP Perversion. Rares Stefan, Third Brigade Inc. SecTor 2007. Introduction. Perspective from a researcher focused on protecting hosts from malware Implementing kernel-based protection mechanisms Insight into a potential class of network driver malware. The Rise of Silent Malware.
E N D
TCP/IP Perversion Rares Stefan, Third Brigade Inc. SecTor 2007
Introduction • Perspective from a researcher focused on protecting hosts from malware • Implementing kernel-based protection mechanisms • Insight into a potential class of network driver malware
The Rise of Silent Malware • Three main areas of interest in malware R&D: • Delivery and activation • Hiding presence - rootkit techniques • Evasion - Minimize operating noise • Show no signs of activity on the infected system • Show no traces of network activity on the wire
Operational Challenges • Operate on wire data • Active at a layer that guarantees transparency to the host • Correctly perform inline IP reassembly and TCP stream reassembly • Allow for arbitrary injection/removal of data in TCP sessions
Operational Challenges…part deux • Maintain silence on the host: • Never initiate TCP sessions • Never receive TCP open-session requests • Do not rely on TCP port splicing if the infected host is a server • Do not rely on static motherships if the infected host is a workstation • Packet modifications should not be easily visible in local network traces
Operational Challenges…part trois • Maintain silence on the wire • Only make use of legitimate TCP sessions • Do not alter protocol semantics - resistance to network anomaly detection engines • Piggyback on encrypted channels (SSL) and multiple TCP sessions for large data transfers
Never Access to data stream, not packets Some interesting areas No guaranteed access to outbound payload NDIS hooking • Some delivery challenges- Most flexibility - Driver signing issues- Complete control over hardware drivers to transport protocol communications Driver Implementation Pre-Vista User Land TDI FW hook PF hook TCP/IP NDIS NDIS.SYS Intermediate driver Miniport driver
Rogue Network Driver Framework • Firewall hook kernel module for basic packet header operations • IM Filter driver: • Inline IP reassembly • Inline TCP stream reassembly • TCP session normalization
Infected Workstation SNAT/DNAT – SrcIP_Alice -> SrcIP_Bob DstIP_Bob -> dstIP_server BOB https://server ALICE 10.0.1.26 DNAT – DstIP_server -> DstIP_Bob 10.0.1.124 server Translated request reaches server
Infected Workstation SNAT/DNAT – SrcIP_Alice -> SrcIP_Bob DstIP_Bob -> dstIP_server BOB https://server ALICE 10.0.1.26 DNAT – DstIP_server -> DstIP_Bob 10.0.1.124 server Translated request reaches server
Infected Server Selective DN(P)AT: SrcIP_Alice SrcIP_server Dst_Port_443 DstPort_135 telnet server:80 ALICE Server https request served https://server
Infected Server Selective DN(P)AT: SrcIP_Alice SrcIP_server Dst_Port_443 DstPort_135 telnet server:80 ALICE Server https request served https://server
Packet Header Opportunities • Passive covert channels • http://www.invisiblethings.org/papers/passive-covert-channels-linux.pdf • http://www.ouah.org/neural_networks_vs_NUSHU.pdf • http://staff.science.uva.nl/~delaat/snb-2005-2006/p27/report.pdf • Port splicing • Most significant; communicating the original intent: • DNAT on outgoing SYN – change destination address to that of the MIM • Insert original dstIP in header fields • MIM double NAT
Why Payload Injection ? • Access to packet data • High bandwidth channel • Bypass application proxies • Altering TCP data length on the wire is not trivial!
Inline Injection • Support for IP reassembly on incoming traffic and IP fragmentation on outbound traffic • Support for TCP stream reassembly – datagram reordering, injection of acknowledgements and resets, among other things
Inline TCP Reassembly • Maintain two edges (pre and post modification): • ISN • MaxSeq • MaxAck • Window • Maximum SeqNo of Filtered Data • Maximum AckNo of Filtered Data • Queue/counter for non Ack-ed datagrams • Queue/counter for not sent datagrams • Needed Window Scale • Actual Window Scale
SMTP Injection – Eliminating Bob from the Equation • Reduces the complexity of MIM and random redirection • Works with application level proxies • Replace RCPT TO argument or inject additional RCPT TO (BCC) • Increases the probability detection – SMTP server logs
BOB Eva SMTP Injection Alice Sends Bob message Driver injects BCC to Eva Bob receives original message SMTP Server So does Eva
SMTP Injection Demo Vid1
HTTP Injection • TCP Headers useless – need to find workaround • Easy workaround but we need to be careful: • Transparent proxies (Initial HTTP request looks normal, so we’ll always assume we may be transparently “proxied”) • Direct proxies – easy to spot in HTTP(s) requests • URI & Headers will help us redirect/leak data • Make use of Authorization, Cookies headers – they won’t be scrubbed • POST data also presents injection opportunities
google.com BOB HTTP Injection Web Proxy – Content Filtering Change request; Inject Data http://www.google.com ALICE
google.com BOB HTTP Injection Web Proxy – Content Filtering Change request; Inject Data http://www.google.com ALICE
BOB SSL Injection Demo somebank.com Perimeter Security Inject Data https://somebank.com ALICE
BOB SSL Injection Demo somebank.com Perimeter Security Inject Data https://somebank.com ALICE
Detecting Network Driver Malware • Conventional detection mechanisms • AV, AS signatures; configuration mgmt • New detection mechanisms • Traffic based detection? • Malicious destinations, ISN analysis • Network trace diff – local vs. remote • NDIS based sniffer for better visibility? • Other • Host based application control ineffective • DLP? • …
Conclusions • Passive kernel malware difficult to spot • There are significant implementation challenges for coders • Prevention remains key approach