Post on 21-Dec-2015
Maintaining Access 1
Maintaining Access
Maintaining Access 2
In This Chapter…
- Trojans
- Backdoors
- Rootkits
Maintaining Access 3
Trojan Horses
- The original Trojan Horse
  o Used by Greeks attacking Troy
- Trojan rabbit
  o Monty Python and the Holy Grail
- Modern trojan horse
  o Software that appears to be something that it is not --- hidden malicious function
Maintaining Access 4
Trojan
- Perhaps most common form of malware
  o Any “innocent” program can be a trojan
- Example
  o Free DVD ripping software!
  o In reality, deleted content of hard drive
- Trojan could be much more clever…
Maintaining Access 5
Backdoors
- “Alternative” access to machine
  o Front door: username and password
  o Backdoor: unauthorized access
- Note: once backdoor is established, improved authentication is useless
Maintaining Access 6
Backdoor
- Suppose Trudy installs backdoor
- What’s next?
- Trudy likely to “harden” system
  o Fix vulnerabilities, apply patches, …
- Why?
- “0wned” system likely more “secure”
- Trudy may use strong authentication!
Maintaining Access 7
Netcat Backdoor
- Install Netcat listener
  o Must compile Netcat with its GAPING_SECURITY_HOLE option
- In UNIX: nc victim_machine 12345
  o Starts Netcat in client mode, connecting to the listener on TCP port 12345
  o No authentication required of attacker
Maintaining Access 8
Backdoors
- Trojan backdoor appears to be “good”
  o But actually installs backdoor
- Three types of trojans (soup analogy)
- Application level: separate application
  o Trudy adds poison to your soup
- User-mode rootkit: replace system stuff
  o Trudy switched potatoes for poisonous potatoes
- Kernel-mode rootkit: OS itself is modified
  o Trudy replaces your tongue with “poison” tongue
Maintaining Access 9
Application Level Trojans
- Separate application
  o Gives attacker access
  o Most prevalent on Windows
- Remote-control backdoor
  o Can control system across network
  o Microsoft itself supposedly attacked in 2000
Maintaining Access 10
Remote-Control Backdoor
Maintaining Access 11
Remote-Control Backdoor
- Thousands of such backdoors
  o See www.megasecurity.org
- Some months, 50 or more released
  o Eventually, detectable by antivirus
- Popular remote-control tools
  o VNC, Dameware, Back Orifice, SubSeven
Maintaining Access 12
Remote-Control Backdoor Examples
Maintaining Access 13
Remote-Control Backdoor
- Functionality
  o Pop-up dialog box on victim’s machine
  o Log keystrokes
  o List system info
  o Collect passwords
  o Manipulate files (view, copy, …)
  o Modify registry settings or processes
  o Remotely accessible command shell
  o GUI “control”, video, audio, sniffers
Maintaining Access 14
BO2K
Maintaining Access 15
Remote-Control Backdoors
- Like a hammer…
- In the right hands, useful tool
  o Administrator, white hat, …
- In the wrong hands, can cause damage
  o Hacker, black hat, …
Maintaining Access 16
Build Your Own Trojan
- No programming skill required!
- Use “wrapper”
  o Attaches (evil) exe to another (nice) exe
- Wrappers include
  o Silk Rope
  o SaranWrap
  o EliteWrap
  o AFX File Lace
  o Trojan Man
Maintaining Access 17
Build Your Own Trojan
- Use a wrapper
- Give program a nice name
  o FreeGame.exe, not EvilVirus.exe
- Email it to lots of people
- Spoof source of email, etc., etc.
- Problem: where are the victims?
  o Solution: “notification” functionality
  o Via email?
Maintaining Access 18
Related Attacks
- Phishing
  o Email-based
  o Can be fairly sophisticated/targeted
- URL obfuscation
  o Evil site disguised as legitimate website
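The “evil site disguised as legitimate website” bullet is the defender’s cue to inspect links before users click them. The following is an added example (not from the slides) of a small heuristic checker for the classic URL disguises: a fake “host” placed in the userinfo part before an @, a bare IP address instead of a name, punycode labels, deeply nested names, and a watched brand name appearing outside the registrable domain. The brand list, thresholds, and sample URLs are constructed, and the “registrable domain” is approximated as the last two labels (a public-suffix list would be needed for names such as example.co.uk).

```python
"""Heuristic checks for obfuscated URLs of the kind used in phishing mail.

Added example, not from the lecture slides. Each check contributes a short
signal name so a mail gateway or log pipeline can score or flag the link.
The brand list, thresholds and sample URLs are constructed.
"""
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Constructed: brands attackers like to put in subdomains so the link "looks right".
WATCHED_BRANDS = ("bank", "paypal", "microsoft")
MAX_LABELS = 4  # constructed threshold for "too many subdomains"


def suspicious_url_signals(url: str) -> List[str]:
    """Return the list of obfuscation signals present in url (empty = none)."""
    signals: List[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # user:pass@host form: browsers ignore the text before '@', so a trusted
    # looking name can be shown there while the real host follows the '@'.
    if parts.username is not None:
        signals.append("userinfo-before-host")

    # A bare IP address instead of a DNS name.
    try:
        ipaddress.ip_address(host)
        signals.append("ip-address-host")
    except ValueError:
        pass

    labels = host.split(".") if host else []

    # Punycode (xn--) labels: internationalised names that can mimic ASCII ones.
    if any(label.startswith("xn--") for label in labels):
        signals.append("punycode-host")

    # Deeply nested names, e.g. login.bank.example.evil.example
    if len(labels) > MAX_LABELS:
        signals.append("many-subdomains")

    # Watched brand in the subdomain part but not in the registrable domain
    # (approximated here as the last two labels).
    if len(labels) > 2:
        registrable = ".".join(labels[-2:])
        prefix = ".".join(labels[:-2])
        if any(b in prefix and b not in registrable for b in WATCHED_BRANDS):
            signals.append("brand-name-in-subdomain")

    return signals


if __name__ == "__main__":
    # Constructed sample links (documentation/reserved address space).
    for sample in (
        "http://www.bank.example@203.0.113.5/login",
        "https://login.bank.example.evil.example/",
        "https://www.bank.example/login",
    ):
        print(sample, "->", suspicious_url_signals(sample) or "no signals")
```

The signals are deliberately coarse: the check is meant to rank or annotate links for a human or a scoring engine, not to block on its own, since legitimate hosted services also use long subdomain chains.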
Maintaining Access 19
Bots
- Designed for “economies of scale”
- Control many machines, not one at a time
  o A botnet, controlled by a bot master
  o Usually via IRC (but that is changing)
- Bots of 100,000 or more machines
  o Bot code freely available
  o Phatbot (500+ variations), sdbot, mIRC bot
  o Some high-quality code (phatbot)
Maintaining Access 20
Botnet
Maintaining Access 21
Botnets
- Botnet functionality includes
  o DoS
  o Vulnerability scanning
  o Metamorphism
  o Anonymizing HTTP proxy
  o Email address collection/spamming
  o Other?
Maintaining Access 22
Virtual Machine Detection
- Virtual machines used to analyze bots
  o And other malware
- Some bots try to detect virtual machine
  o What if virtual machine is detected?
- Red Pill
  o Execute SIDT, look at IDTR location
  o If non-virtual then IDTR is at low address
  o If virtual machine then IDTR at high address
  o What could be simpler than that?
Maintaining Access 23
Virtual Machine Detection
- Lots of other techniques
- Recent research shows system calls a good indicator of virtual machine
Maintaining Access 24
Worms and Bots
- Worms --- self-propagating malware
  o Can use worm to infect systems that become part of a botnet
Maintaining Access 25
Spyware
- Software that spies on you
- Typically focused on one objective
- Usually simple propagation method
  o User installs it
  o May be disguised as anti-spyware
  o May also use browser flaws
Maintaining Access 26
Spyware
- Capabilities of spyware
  o Web surfing statistics
  o Personally identifiable information (PII)
  o Customized advertising
  o Customized filtering of searches
  o Pop-up ads
  o Keystroke logging
Maintaining Access 27
Defenses
- Defenses against application level trojans/backdoors, bots, spyware
- Antivirus, user education
- Look for unusual TCP/UDP ports
- Know your software
  o Easier said than done!
  o Check hashes/fingerprints
  o Better yet, use digital signatures
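“Look for unusual TCP/UDP ports” is only useful if the listing can be trusted, and slide 32 notes that a user-mode rootkit may replace netstat to lie about ports in use. The following added example (not from the slides) therefore reads the kernel’s socket table from /proc/net/tcp and /proc/net/tcp6 directly on Linux, decodes the hex address/port form, and reports listeners that are not on a baseline. The baseline set and the sample table are constructed; the sample includes a listener on TCP 12345, matching the Netcat example in slide 7. The byte-order handling assumes a little-endian host (x86).

```python
"""Listening-port audit that reads the kernel's socket table directly.

Added example, not from the lecture slides. Parses /proc/net/tcp{,6} rather
than trusting the netstat binary. Baseline ports and the sample table are
constructed for illustration.
"""
import ipaddress
from pathlib import Path
from typing import List, NamedTuple, Set, Tuple

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp{,6}
PROC_TABLES = ("/proc/net/tcp", "/proc/net/tcp6")

# Constructed baseline: ports this host is supposed to listen on.
EXPECTED_PORTS: Set[int] = {22, 80, 443}

# Constructed /proc/net/tcp sample: sshd listening on 22 (0x0016), an
# unexpected listener on 12345 (0x3039) owned by uid 1000, and one
# established (state 01) connection that must not be reported.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0200000A:C350 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
"""


class Listener(NamedTuple):
    ip: str
    port: int
    uid: int


def decode_endpoint(field: str) -> Tuple[str, int]:
    """Turn the 'HEXIP:HEXPORT' form used by /proc into (ip, port).

    The kernel prints each 32-bit word of the address in host byte order, so
    on a little-endian machine every 4-byte group has to be reversed.
    IPv4 is one group; IPv6 (from /proc/net/tcp6) is four groups.
    """
    hex_ip, hex_port = field.split(":")
    raw = b"".join(bytes.fromhex(hex_ip[i:i + 8])[::-1] for i in range(0, len(hex_ip), 8))
    addr = ipaddress.IPv4Address(raw) if len(raw) == 4 else ipaddress.IPv6Address(raw)
    return str(addr), int(hex_port, 16)


def parse_listeners(table_text: str) -> List[Listener]:
    """Extract every LISTEN socket from one /proc/net/tcp{,6} table."""
    listeners = []
    for line in table_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_endpoint(fields[1])
        listeners.append(Listener(ip, port, int(fields[7])))
    return listeners


def unexpected_listeners(table_text: str, expected: Set[int] = EXPECTED_PORTS) -> List[Listener]:
    """Listeners whose port is not on the baseline."""
    return [l for l in parse_listeners(table_text) if l.port not in expected]


def audit_host(expected: Set[int] = EXPECTED_PORTS) -> List[Listener]:
    """Run the check against the live kernel tables (Linux only; empty elsewhere)."""
    found: List[Listener] = []
    for table in PROC_TABLES:
        path = Path(table)
        if path.exists():
            found.extend(unexpected_listeners(path.read_text(), expected))
    return found


if __name__ == "__main__":
    print("sample table:", unexpected_listeners(SAMPLE_PROC_NET_TCP))
    print("this host:   ", audit_host())
```

A kernel-mode rootkit that hides a socket (slide 43, “network hiding”) can still falsify /proc, so this check is a user-mode rootkit defence; for the kernel case the slides’ advice to boot from CD, or to compare against a scan taken from another host, still applies.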
Maintaining Access 28
Defenses
- MD5 hash NOT a “signature”
  o Regardless of the “signatures” line
Maintaining Access 29
User-Mode Rootkits
- Application level backdoors
  o Separate applications
  o Relatively easy to detect
- User-mode rootkits
  o More insidious
  o Modify OS software/libraries
Maintaining Access 30
User-Mode Rootkits
Maintaining Access 31
User-Mode Rootkits
- Linux/UNIX example
  o “Better” version would look the same
Maintaining Access 32
User-Mode Rootkits
- Linux/UNIX rootkits might replace…
  o du --- to lie about disk usage
  o find --- hide attacker’s files
  o ls --- hide rootkit files
  o netstat --- lie about ports in use
  o ps --- hide processes
  o syslogd --- don’t log attacker’s actions
Maintaining Access 33
User-Mode Rootkits
- Windows rootkits are different
- Often alter memory of running processes associated with OS
  o E.g., make OS “think” port not in use…
- Why this approach?
  o Difficult to change critical system files
  o Easy for one process to access another
Maintaining Access 34
User-Mode Rootkits
- In Windows, rootkit “hooks” API calls
  o Rootkit overwrites API call to point to attacker’s code
  o Attack code calls real function, returns altered results to hooked function
- Rootkit likely also includes command shell backdoor
Maintaining Access 35
User-Mode Rootkits
- Windows rootkits might hook…
  o NtQuerySystemInformation --- hide running processes
  o NtQueryDirectoryFile --- hide files
  o NtEnumerateKey --- hide registry keys
  o NtReadVirtualMemory --- hide hooked API calls
Maintaining Access 36
Hacker Defender
Maintaining Access 37
Hacker Defender
Maintaining Access 38
AFX Windows Rootkit
- Creates “cone of invisibility” for rootkit
Maintaining Access 39
Cone of Silence
Maintaining Access 40
Defenses
- Defenses against user-mode rootkits
- Don’t let attacker get root access
  o Good pwds, close ports, etc., etc.
- Employ file integrity/hash checking
  o Tripwire
- Antivirus
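Slides 27, 28 and 40 together make one point: a Tripwire-style hash check catches a replaced ls or ps, but a bare MD5 (or SHA-256) list is not a signature, because whoever can replace the file can recompute its hash and edit an unauthenticated list to match. The added example below (not from the slides, and not Tripwire’s own format) builds a manifest of SHA-256 file hashes, authenticates the manifest with a key, and then walks through both scenarios: a trojaned ps and dropped backdoor are reported, and a manifest the attacker has edited to match is rejected. HMAC-SHA256 stands in for the digital signature because the Python standard library has no asymmetric signing; the key and the file set in demo() are constructed, and in real use the key (or the signing key) must live off the monitored host.

```python
"""Keyed file-integrity manifest: a Tripwire-style check, and why a bare hash
list is not a signature.

Added example, not from the lecture slides. HMAC-SHA256 stands in for a
digital signature; the key and the files created in demo() are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: Path) -> Dict[str, str]:
    """Map every regular file under root (posix-relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_bytes(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def _mac(files: Dict[str, str], key: bytes) -> str:
    # Canonical JSON so the same file set always yields the same MAC input.
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    files = hash_tree(root)
    return {"files": files, "mac": _mac(files, key)}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> dict:
    """Report whether the manifest is authentic and which files changed.

    'authentic' is False when the manifest's MAC does not verify, i.e. when
    the hash list itself was edited. The file diff is still computed so the
    reader can see what an unauthenticated hash list would have concluded.
    """
    expected = manifest["files"]
    authentic = hmac.compare_digest(_mac(expected, key), manifest["mac"])
    current = hash_tree(root)
    return {
        "authentic": authentic,
        "modified": sorted(f for f in expected if f in current and current[f] != expected[f]),
        "missing": sorted(f for f in expected if f not in current),
        "added": sorted(f for f in current if f not in expected),
    }


def demo() -> Tuple[dict, dict]:
    """Constructed scenario: baseline, then a rootkit-style swap of ps."""
    key = b"constructed-demo-key-store-offline"  # constructed; never keep the real key on the host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")
        manifest = build_manifest(root, key)

        # Attacker replaces ps (to hide processes) and drops a backdoor binary.
        trojaned_ps = b"trojaned ps binary\n"
        (root / "bin" / "ps").write_bytes(trojaned_ps)
        (root / "bin" / "nc").write_bytes(b"dropped backdoor\n")
        honest_report = verify_manifest(root, manifest, key)

        # Attacker also edits the hash list so it matches the new ps. Without
        # the MAC the check would now call ps clean; with it the list is rejected.
        forged = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
        forged["files"]["bin/ps"] = sha256_bytes(trojaned_ps)
        forged_report = verify_manifest(root, forged, key)
    return honest_report, forged_report


if __name__ == "__main__":
    for name, report in zip(("honest manifest", "forged manifest"), demo()):
        print(name, json.dumps(report))
```

Note what the forged run shows: the per-file diff is empty for ps, exactly the “clean” answer an MD5 list would give, and only the failed MAC reveals the tampering. That is the slide’s “MD5 hash NOT a signature” point in executable form.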
Maintaining Access 41
Kernel-Mode Rootkits
- Kernel is heart of OS
- User-mode rootkit
  o Alters administrator’s eyes and ears
- Kernel-mode rootkit
  o Alters part of administrator’s brain
- “If the kernel cannot be trusted, you can trust nothing on the system”
Maintaining Access 42
Kernel-Mode Rootkits
Maintaining Access 43
Kernel-Mode Rootkit
- Execution redirection
  o Calls to certain app mapped elsewhere
  o For example, map sshd to backdoor_sshd
- File hiding
  o You see only what attacker wants you to
- Process hiding, network hiding, etc.
Maintaining Access 44
Kernel-Mode Rootkits
- Adore-ng: Linux Kernel-Mode Rootkit
  o Promiscuous mode hiding: smart enough to check if promiscuous mode is by admin
  o Process hiding: can cloak any process
  o Kernel module hiding: Adore-ng hides itself
Maintaining Access 45
Kernel-Mode Rootkits
- Windows FU Kernel-Mode Rootkit
  o Pronounced “F” “U”, not “foo”
  o So it is OK to say “Windows FU”
  o Created by “Fuzen”
  o Consists of special device driver: msdirectx.sys
  o Hide processes, alter privilege, hides events, etc.
Maintaining Access 46
Defenses
- Install kernel-mode rootkit on your own system? Good idea or bad idea?
- Bad idea…
  o Attacker might understand rootkit better than you do…
  o Postmortem analysis more difficult
  o Multiple rootkits could be installed, in principle
Maintaining Access 47
Defenses
- Don’t let attacker get root
- Control access to kernel
  o Systrace (by Niels Provos), CSA, Entercept
- Use IDS
- Automated rootkit checkers
  o Chkrootkit: signature scan, hidden processes, file structure inconsistencies, …
  o Rootkit Hunter, Rootkit Revealer: look for discrepancies between user mode/kernel mode
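The “discrepancies between user mode/kernel mode” idea is the cross-view check: a rootkit has to hide a process consistently in every place an administrator might look, and any view it forgot exposes it. A replaced ps (slide 32) or a hooked NtQuerySystemInformation (slide 35) changes what the process listing says, but not what the kernel itself admits to. The added example below (not from the slides, and not the code of chkrootkit, Rootkit Hunter or RootkitRevealer) compares three Linux views: the ps listing, the /proc directory, and signal-0 probing of the whole PID space, which asks the kernel about each PID directly. The sample ps output and the sample kernel views are constructed, with PID 1337 hidden from ps only.

```python
"""Cross-view process detection: disagreement between views exposes hiding.

Added example, not from the lecture slides. Linux-specific live views; the
sample listing and sample view sets are constructed.
"""
import os
import subprocess
from pathlib import Path
from typing import Dict, List, Optional, Set

# Constructed `ps -e` output: note that PID 1337 is absent here.
SAMPLE_PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:01 init
  412 ?        00:00:00 sshd
  987 ?        00:00:00 cron
"""


def parse_ps_pids(ps_output: str) -> Set[int]:
    """PIDs from a `ps -e` style listing (first column, header skipped)."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def proc_pids() -> Set[int]:
    """PIDs the kernel exposes as numeric entries under /proc."""
    return {int(e) for e in os.listdir("/proc") if e.isdigit()}


def probe_pids(max_pid: int) -> Set[int]:
    """Brute-force the PID space with signal 0.

    kill(pid, 0) delivers nothing but tells us whether the kernel knows the
    PID: ProcessLookupError means no such process, PermissionError means it
    exists but belongs to someone else. A hidden /proc entry or an edited
    ps does not change this answer.
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def cross_view_report(views: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """For each view, the PIDs that some other view reports but it does not."""
    union: Set[int] = set().union(*views.values())
    return {name: sorted(union - pids) for name, pids in views.items()}


# Constructed views: /proc and the kernel both know PID 1337, ps does not.
SAMPLE_VIEWS = {
    "ps": parse_ps_pids(SAMPLE_PS_OUTPUT),
    "proc": {1, 412, 987, 1337},
    "kill": {1, 412, 987, 1337},
}


def live_report(max_pid: Optional[int] = None) -> Optional[Dict[str, List[int]]]:
    """Run the three views on this host (None when /proc is unavailable)."""
    if not Path("/proc").is_dir():
        return None
    if max_pid is None:
        max_pid = int(Path("/proc/sys/kernel/pid_max").read_text())
    ps_out = subprocess.run(["ps", "-e"], capture_output=True, text=True, check=True).stdout
    return cross_view_report({
        "ps": parse_ps_pids(ps_out),
        "proc": proc_pids(),
        "kill": probe_pids(max_pid),
    })


if __name__ == "__main__":
    print("sample:", cross_view_report(SAMPLE_VIEWS))
    print("live:  ", live_report())
```

Reading the report: a PID missing only from the ps view, as in the sample, is the user-mode pattern (trojaned ps or hooked listing API); a PID that the kill view reports but /proc does not points at hiding inside the kernel (slide 43, process hiding), which is the case where the slides’ advice to boot from clean media for analysis applies. Processes that start or exit between the three snapshots produce spurious entries, so run the live check a few times and keep only PIDs that disagree consistently.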
Maintaining Access 48
Defenses
- File integrity check
- Antivirus
  o Note: some antivirus will flag rootkit checkers
- Boot from CD for analysis
Maintaining Access 49
Conclusions
Maintaining Access 50
Summary