[2010 codeengn conference 04] window31 - art of keylogging 키보드보안과 관계없는...
DESCRIPTION
2010 CodeEngn Conference 04 각종 논문 데이터나 기타 연구자료들을 살펴보면 키보드보안의 한계점에 대해 지목하고 그것에 대한 보완 대책을 논의하고 있는 내용이 많다. 물론 그러한 학문적인 접근도 중요하지만, 실제 키로깅을 하고 있는 해커의 입장에서는 어떤 식으로 키입력과 계정을 가져가는지 해커의 접근 방법을 살펴보는 것도 필요하다. 일반적으로 해커들은 커널 레벨이나 하드웨어 지식 베이스에 입각한 난해한 기법보다는, 보다 간편하며 실용적인 방법을 통해 계정을 가져간다. 그리고 그 같은 행위는 현재 키보드보안의 커버 범위를 뛰어넘는 새로운 기법을 보여주는 경우가 대다수이다. 이런 상황을 배경으로 실제 기업에서 발생하고 있는 사례나, 유저의 감염케이스를 리버스 엔지니어링으로 살펴보는 시간을 마련했다. 바이너리 해킹의 예술을 맛볼 수 있는 Art of Keylogging 발표에서 키 입력 탈취에 대한 새로운 트렌드를 소개한다. http://codeengn.com/conference/04TRANSCRIPT
CodeEngn 2010
Art of KeyloggingArt of Keylogging
Keyloggers who are nothing to do with the keyboard security solutionkeyboard security solution
강병탁 (window31)병탁 ( )
2010.07.03
1www.CodeEngn.com
2010 4th CodeEngn ReverseEngineering Conference
Who am I?Who am I?
• ByungTak Kang (window31)
• NEXON / Security Team – Hacking Analysis, Security Programmingy g g
• A contributor to “Microsoftware” a monthly IT Magazine for over 2 years g y
• A lecturer on hacking/reversing/security at various institutions (KISA, security community, ( y yuniversities, etc)
• 2009 Microsoft MVP Developer Securityp y
2
AgendaAgenda
• Prologue
• K l i Wi d A t• Keylogging Windows Account
• Login without passwordLogin without password
• Keylogging on the website
• Social Engineering Keylogging
• Bypass Keyboard security solution
• Offensive and defensiveOffensive and defensive
3
Prologue
4
Serious account issuesSerious account issues
5
Endless account problemsEndless account problems
• Wh d till f bl ft• Why do we still face many problems even after Keyboard security solution is installed ?
• What is the trend of malicious code today ?
• What we must do ?What we must do ?
6
Endless account problemsEndless account problems
/Trojan-PWS/W32.WebGame.101888.KTrojan-PWS/W32.WebGame.102768.BTrojan-PWS/W32.WebGame.102805Trojan-PWS/W32.WebGame.103150j /Trojan-PWS/W32.WebGame.103182Trojan-PWS/W32.WebGame.103463Trojan-PWS/W32.WebGame.103556Trojan-PWS/W32 WebGame 103810Trojan PWS/W32.WebGame.103810Trojan-PWS/W32.WebGame.10524Trojan-PWS/W32.WebGame.10724Trojan-PWS/W32.WebGame.10764T j PWS/W32 W bG 110145Trojan-PWS/W32.WebGame.110145Trojan-PWS/W32.WebGame.111085Trojan-PWS/W32.WebGame.11218Trojan-PWS/W32.WebGame.116274Trojan-PWS/W32.WebGame.116606Trojan-PWS/W32.WebGame.116822
………………………………
Hundreds of viruses signature are added each day7
Hundreds of viruses signature are added each day
Keylogging Windows Account
8
Windows AccountWindows Account
the winlogon.exe is what you come to face when lk t l k d l dyou walk up to a locked or un-logged-on
computer.
9
msgina structuremsgina structure
Interaction between winlogon and GINAg
10
msgina structuremsgina structure
The library file msgina.dll, is required by windows. It is used by WinLogon within windows, when performing user authentication.
11
WlxLoggedOutSASWlxLoggedOutSAS
int WlxLoggedOutSAS(PVOID pWlxContext, pDWORD dwSasType, PLUID pAuthenticationId,
idPSID pLogonSid, PDWORD pdwOptions, PHANDLE phTokenPHANDLE phToken, PWLX_MPR_NOTIFY_INFO pNprNotifyInfo, PVOID *pProfile );PVOID pProfile );
12
WLX MPR NOTIFY INFOWLX_MPR_NOTIFY_INFO
Typedef struct _WLX_MPR_NOTIFY_INFO { PWSTR pszUserName;PWSTR pszUserName; PWSTR pszDomain; PWSTR pszPassword;PWSTR pszPassword; PWSTR pszOldPassword; } LX_MPR_NOTIFY_INFO;
Here we can see a meaningful structure !!!
13
msgina Hookingmsgina Hooking
14
Reversing msgina MalwareReversing msgina Malware
Naming
• i l Hij k• winlogonHijacker
• Domain Keylogger.Domain Keylogger.
DEMODEMO
15
Login without Password
16
Windows AccountWindows Account
If you press the Shift key 5 times…
17
StickKey PopupStickKey Popup
18
StickKey run structureStickKey run structure
Winlogon thread
Winlogon thread
CreateProcess
RunRunRunsethc.exe
Runsethc.exe
View StickKey
Di l B19
DialogBox
StickKey Local BackdoorStickKey Local Backdoor
• You are able to connect without ID/PW !!!
• Y th l d t t• You can see the explorer or command prompt at the login prompt without authentication.
20
Behavior structureBehavior structure
• Disable WFP (Windows File Protection)Disable WFP
• Replace the files.
• N If I k fi• Now, If I press key five times, I can login at any time
Change File
time.
press the Shift key
Login success
21
Terminal LoginTerminal Login
22
Next actionNext action
• Create a new user account,
“c:\net user iamhacker /add”c:\net user iamhacker /add
•• Add this user to the administrators group
“c:\net localgroup administrators iamhacker”c:\net localgroup administrators iamhacker
• Remove StickKey Local Backdoor and Enable WFP
(T id d bt h ki )23
(To avoid as doubt as hacking)
Which platform is this vulnerability?Which platform is this vulnerability?
• Windows 2000
• Wi d XP• Windows XP
• Windows 2003Windows 2003
• Windows Vista
Most of windows OS does not check the integrity of the file that launches StickyKeysintegrity of the file that launches StickyKeys “sethc.exe” before executing it.
24
From now onFrom now on
Don’t forget to hit the shift key five times and see what pops up on your desktopsee what pops up on your desktop ….everyday :p
25
Remove StickKeyRemove StickKey
This is the real answer.
26
Reversing stickkey MalwareReversing stickkey Malware
DEMODEMO
27
Keylogging on the website
28
Web-based loginWeb-based login
• Very vulnerabley
• Method of attack is varied
• Keyboard security solution exists (Almost always)
29
Attack positionAttack position
NetworkNetworkKey pressKey press
KeyboardhardwareKeyboardhardware
ApplicationApplication
KeyboardKeyboard Message Message controllercontroller QueueQueue
Pot IOPot IO Filter driverFilter driver
ISR in IDTISR in IDT Keyboardclass driverKeyboard
class driver
30
class driverclass driver
Keyboard security solutionKeyboard security solution
protectNetworkNetwork
protect areas
KeyboardhardwareKeyboardhardware
ApplicationApplicationDMZ
KeyboardKeyboard Message Message controllercontroller QueueQueue
Pot IOPot IO Filter driverFilter driver
ISR in IDTISR in IDT Keyboardclass driverKeyboard
class driver
31
class driverclass driver
Protocol handlerProtocol handler
Wininet.dll is the protocol handler for HTTP, HTTPS and FTP It handles all networkHTTPS and FTP. It handles all network communication over these protocols.
32
Query hookQuery hook
url=http%3A%2F%2Fwindow31.com&fail_url &l i i & i id 31& d l N&l=&loginsite=&site_id=31&adult_yn=N&encoding_type=utf-8&ukey=1BBg yp y7E5F2937203480D408B5196E9AC3B9DDF487E636EA15426FAEABDAFB00A6908FE636EA15426FAEABDAFB00A6908F2069ECB5FA6C7B618E4C68C5F37C2900DB07DE9A0CACEC7300A6DBD342A83&game id=DE9A0CACEC7300A6DBD342A83&game_id=13&id=window31&pwd=fucking
33
The API issueThe API issue
34
Reversing malwareReversing malware
DEMODEMO
35
Social Engineering Keylogging
36
Human habitsHuman habits
37
Bad habitBad habit
We do cop and paste nconscio slWe do copy and paste unconsciously. Even the password.
38
Funny CodeFunny Code
while(1){{
// …GetClipBoardData(CF TEXT);p ( _ );
// …//if (bMaybePW)
SendDataToHacker();();
Sleep(500);S eep(500);}
39
ProblemsProblems
• This technique is based on the human behaviorThis technique is based on the human behavior.
• You do not have a login, you can be attacked (for example, paperwork etc).
40
BypassBypass Keyboard security solutiony y
41
Why?Why?
42
Offensive and defensive
43
Hooking detectionHooking detection.
13:12:31:889 [0x756E40D4] jmp msg1na.dll.0xB0A58813:12:31:889 Found inject code !!! 5 byte diff13:12:31:889 Found inject code !!! 5 byte diff13:12:31:889 doubt module: [pid: 420] \??\C:\WINDOWS\system32\winlogon exe\??\C:\WINDOWS\system32\winlogon.exe -c:\windows\system32\msgina.dll13:12:31:889 [KEYLOGGER] Domain Keylogger13:12:31:889 [KEYLOGGER] Domain Keylogger detect !!!! winlogon.exe - msgina.dll inject
44
I hope AntiVirus vendorsI hope AntiVirus vendors.
• WFP check
• Ch k th• Check sethc.exe
• StickyKeys option turns off.StickyKeys option turns off.
• Winlogon dll injection, integrity check
45
ConclusionConclusion
• Keyboard security solution can not prevent everythingy g
• Each location requires different security.
(ex. kernel : ring0, app : integrity check)
• h ld b d• Parameters should be encrypted.
• Let's try reversing a lot of malicious code We canLet s try reversing a lot of malicious code. We can get a hint and we learn a lot of their technology.
• The AntiVirus should be upgraded more behavior-based features
46
Question
http://www.window31.comp //[email protected] : @window31com
47www.CodeEngn.com
2010 4th CodeEngn ReverseEngineering Conference