Maintaining Access
Slide transcript (posted 21-Dec-2015, 50 slides): Trojans, Backdoors, Rootkits

Maintaining Access 1

Maintaining Access

Maintaining Access 2

In This Chapter…
• Trojans
• Backdoors
• Rootkits

Maintaining Access 3

Trojan Horses
• The original Trojan Horse
  o Used by Greeks attacking Troy
• Trojan rabbit
  o Monty Python and the Holy Grail
• Modern trojan horse
  o Software that appears to be something that it is not --- hidden malicious function

Maintaining Access 4

Trojan
• Perhaps the most common form of malware
  o Any “innocent” program can be a trojan
• Example
  o Free DVD ripping software!
  o In reality, deleted the contents of the hard drive
• A trojan could be much more clever…

Maintaining Access 5

Backdoors
• “Alternative” access to a machine
  o Front door: username and password
  o Backdoor: unauthorized access that bypasses the front door entirely
• Note: once a backdoor is established, improving front-door authentication does nothing against it

Maintaining Access 6

Backdoor
• Suppose Trudy installs a backdoor. What’s next?
• Trudy is likely to “harden” the system
  o Fix vulnerabilities, apply patches, …
• Why? To keep other attackers out: an “0wned” system is often more “secure” than it was before
• Trudy may even put strong authentication on her own backdoor!

Maintaining Access 7

Netcat Backdoor
• Install a Netcat listener on the victim
  o Netcat must be compiled with its GAPING_SECURITY_HOLE option, which enables the -e switch that hands each incoming connection to a program such as a shell
  o The listener waits on TCP port 12345 and runs the shell for whoever connects
• The attacker then connects in client mode; in UNIX: nc victim_machine 12345
  o No authentication required of the attacker: anyone who can reach the port gets the shell

Maintaining Access 8

Backdoors
• A trojan backdoor appears to be “good”
  o But actually installs a backdoor
• Three types of trojans (soup analogy)
• Application level: separate application
  o Trudy adds poison to your soup
• User-mode rootkit: replace system stuff
  o Trudy switched the potatoes for poisonous potatoes
• Kernel-mode rootkit: the OS itself is modified
  o Trudy replaces your tongue with a “poison” tongue

Maintaining Access 9

Application Level Trojans
• Separate application
  o Gives attacker access
  o Most prevalent on Windows
• Remote-control backdoor
  o Can control system across network
  o Microsoft itself supposedly attacked in 2000

Maintaining Access 10

Remote-Control Backdoor

Maintaining Access 11

Remote-Control Backdoor
• Thousands of such backdoors
  o See www.megasecurity.org
• Some months, 50 or more released
  o Eventually, detectable by antivirus
• Popular remote-control tools
  o VNC, Dameware, Back Orifice, SubSeven

Maintaining Access 12

Remote-Control Backdoor Examples

Maintaining Access 13

Remote-Control Backdoor
• Functionality
  o Pop-up dialog box on victim’s machine
  o Log keystrokes
  o List system info
  o Collect passwords
  o Manipulate files (view, copy, …)
  o Modify registry settings or processes
  o Remotely accessible command shell
  o GUI “control”, video, audio, sniffers

Maintaining Access 14

BO2K

Maintaining Access 15

Remote-Control Backdoors
• Like a hammer…
• In the right hands, a useful tool
  o Administrator, white hat, …
• In the wrong hands, can cause damage
  o Hacker, black hat, …

Maintaining Access 16

Build Your Own Trojan
• No programming skill required!
• Use a “wrapper”
  o Attaches an (evil) exe to another (nice) exe
• Wrappers include
  o Silk Rope
  o SaranWrap
  o EliteWrap
  o AFX File Lace
  o Trojan Man

Maintaining Access 17

Build Your Own Trojan
• Use a wrapper
• Give the program a nice name
  o FreeGame.exe, not EvilVirus.exe
• Email it to lots of people
• Spoof the source of the email, etc., etc.
• Problem: where are the victims?
  o Solution: “notification” functionality
  o Via email?

Maintaining Access 18

Related Attacks
• Phishing
  o Email-based
  o Can be fairly sophisticated/targeted
• URL obfuscation
  o Evil site disguised as a legitimate website

Maintaining Access 19

Bots
• Designed for “economies of scale”
• Control many machines, not one at a time
  o A botnet, controlled by a bot master
  o Usually via IRC (but that is changing)
• Bots of 100,000 or more machines
  o Bot code freely available
  o Phatbot (500+ variations), sdbot, mIRC bot
  o Some high-quality code (phatbot)

Maintaining Access 20

Botnet

Maintaining Access 21

Botnets
• Botnet functionality includes
  o DoS
  o Vulnerability scanning
  o Metamorphism
  o Anonymizing HTTP proxy
  o Email address collection/spamming
  o Other?

Maintaining Access 22

Virtual Machine Detection
• Virtual machines are used to analyze bots
  o And other malware
• Some bots try to detect a virtual machine
  o What if a virtual machine is detected? The bot can refuse to run or behave harmlessly so the analyst learns nothing
• Red Pill
  o Execute SIDT, look at the IDTR location
  o If non-virtual then IDTR is at a low address
  o If virtual machine then IDTR is at a high address
  o What could be simpler than that?
  o Caveat: this is a heuristic against the software virtualizers of its day, which relocated the guest IDT. With hardware-assisted virtualization the guest keeps its own IDT, each CPU core has its own IDT so the answer depends on which core runs the check, and on 64-bit systems the IDT sits in high kernel addresses regardless, so Red Pill is no longer a reliable test

Maintaining Access 23

Virtual Machine Detection
• Lots of other techniques
• Recent research shows that system-call behavior is a good indicator of a virtual machine

Maintaining Access 24

Worms and Bots
• Worms --- self-propagating malware
  o A worm can be used to infect systems that then become part of a botnet

Maintaining Access 25

Spyware
• Software that spies on you
• Typically focused on one objective
• Usually a simple propagation method
  o User installs it
  o May be disguised as anti-spyware
  o May also use browser flaws

Maintaining Access 26

Spyware
• Capabilities of spyware
  o Web surfing statistics
  o Personally identifiable information (PII)
  o Customized advertising
  o Customized filtering of searches
  o Pop-up ads
  o Keystroke logging

Maintaining Access 27

Defenses
• Defenses against application level trojans/backdoors, bots, spyware
• Antivirus, user education
• Look for unusual TCP/UDP ports (for example, the listening port of a Netcat backdoor)
• Know your software
  o Easier said than done!
  o Check hashes/fingerprints
  o Better yet, use digital signatures
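The “look for unusual TCP/UDP ports” check, as an added example that is not from the slides. It reads the kernel’s own socket table in /proc/net/tcp instead of running netstat, because a user-mode rootkit replaces netstat (a kernel-mode rootkit can still lie here, which is why the later slides say to boot from clean media). The expected-port baseline and the sample table rows are constructed for the example; a Netcat-style listener on port 12345, bound to all interfaces, is planted among them.

```python
"""Find unexpected listening TCP sockets by reading /proc/net/tcp directly."""
import socket
import struct

# Socket state codes from the kernel's tcp_states.h; 0x0A is LISTEN.
TCP_LISTEN = 0x0A

# Ports expected to be listening on this host (assumed baseline).
EXPECTED_LISTENERS = {22, 80, 443}


def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, state, inode) for each socket row."""
    lines = text.strip().splitlines()[1:]   # first line is the column header
    for line in lines:
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # IPv4 addresses are stored as 8 hex digits in host (little-endian) order
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        yield ip, int(port_hex, 16), int(fields[3], 16), int(fields[9])


def unexpected_listeners(text, expected=EXPECTED_LISTENERS):
    """Return sorted (ip, port) pairs in LISTEN state that are not in the baseline."""
    found = set()
    for ip, port, state, _inode in parse_proc_net_tcp(text):
        if state == TCP_LISTEN and port not in expected:
            found.add((ip, port))
    return sorted(found)


# Constructed /proc/net/tcp excerpt: sshd on 22, a web server on 127.0.0.1:80,
# a Netcat-style listener on 0.0.0.0:12345, and one established ssh session.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18432 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 19011 1 0000000000000000 100 0 0 10 0
   2: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22970 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C4A2 01 00000000:00000000 00:00000000 00000000     0        0 18500 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:          # not Linux: fall back to the constructed sample
        table = SAMPLE
    for ip, port in unexpected_listeners(table):
        print(f"unexpected listener {ip}:{port}")
```

On a real host the interesting output is a listener bound to 0.0.0.0 on a port nobody can account for; the same parsing applies to /proc/net/tcp6 and /proc/net/udp, with the inode field mapping the socket back to a process through /proc/*/fd.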

Maintaining Access 28

Defenses
• An MD5 hash is NOT a “signature”
  o Regardless of what the “signatures” label on the download page calls it
  o A hash published next to the download proves nothing by itself: an attacker who can replace the file can usually replace the hash too. A digital signature needs a private key the attacker does not hold
  o MD5 is also collision-broken, so it should not be used even as a fingerprint

Maintaining Access 29

User-Mode Rootkits
• Application level backdoors
  o Separate applications
  o Relatively easy to detect
• User-mode rootkits
  o More insidious
  o Modify OS software/libraries

Maintaining Access 30

User-Mode Rootkits

Maintaining Access 31

User-Mode Rootkits
• Linux/UNIX example (screenshot)
  o A “better” version would look the same as the real thing

Maintaining Access 32

User-Mode Rootkits
• Linux/UNIX rootkits might replace…
  o du --- to lie about disk usage
  o find --- hide attacker’s files
  o ls --- hide rootkit files
  o netstat --- lie about ports in use
  o ps --- hide processes
  o syslogd --- don’t log attacker’s actions

Maintaining Access 33

User-Mode Rootkits
• Windows rootkits are different
• Often alter the memory of running processes associated with the OS
  o E.g., make the OS “think” a port is not in use…
• Why this approach?
  o Difficult to change critical system files (Windows File Protection restores altered system binaries)
  o Easy for one process to access another (the debugging APIs let a privileged process write into another process’s memory)

Maintaining Access 34

User-Mode Rootkits
• In Windows, a rootkit “hooks” API calls
  o The rootkit overwrites the API call (the function’s first bytes, or its import-table slot) so that it jumps to the attacker’s code
  o The attacker’s code calls the real function, filters the results, and returns the altered results to the caller, which never learns it was hooked
• The rootkit likely also includes a command shell backdoor

Maintaining Access 35

User-Mode Rootkits
• Windows rootkits might hook…
  o NtQuerySystemInformation --- hide running processes
  o NtQueryDirectoryFile --- hide files
  o NtEnumerateKey --- hide registry keys
  o NtReadVirtualMemory --- hide the hooked API calls themselves (a scanner that reads the patched code is shown the original bytes)
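The hook-then-filter pattern of this slide and the previous one, as an added example written for this page (not Hacker Defender’s or any Windows rootkit’s code). Python cannot patch NtQueryDirectoryFile, so the same steps are applied to os.listdir, which plays the role of the hooked API; the rk_ prefix and the temporary directory are assumptions of the example. The last function is the cross-view check that RootkitRevealer-style tools rely on: ask the same question through a route the hook does not cover (here os.scandir, which reaches the directory-reading syscall without passing through os.listdir) and diff the two answers.

```python
"""A user-mode hook in miniature: patch an API, call the real one, filter the result."""
import os
import tempfile

HIDDEN_PREFIX = "rk_"          # assumed marker for the rootkit's own files

_real_listdir = os.listdir     # saved pointer to the real function, as a hook keeps


def hooked_listdir(path="."):
    """Attacker's replacement: call the real function, then drop hidden names."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def install_hook():
    os.listdir = hooked_listdir


def remove_hook():
    os.listdir = _real_listdir


def hook_installed():
    return os.listdir is hooked_listdir


def cross_view_diff(path):
    """Names visible through the unhooked route but missing from the hooked API."""
    hooked_view = set(os.listdir(path))
    raw_view = {entry.name for entry in os.scandir(path)}   # not routed via os.listdir
    return sorted(raw_view - hooked_view)


def demo():
    """Create a directory with two hidden files; return what the hooked API
    shows and what the cross-view check recovers."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "rk_backdoor", "rk_config"):
            open(os.path.join(d, name), "w").close()
        install_hook()
        try:
            seen_by_api = sorted(os.listdir(d))
            hidden = cross_view_diff(d)
        finally:
            remove_hook()
    return seen_by_api, hidden


if __name__ == "__main__":
    api, hidden = demo()
    print("hooked listdir shows:", api)        # ['notes.txt']
    print("cross-view recovered:", hidden)     # ['rk_backdoor', 'rk_config']
```

A real rootkit hooks every route it knows about, which is why NtReadVirtualMemory is on the list above: the cross-view check only works as long as one route remains unhooked, and the kernel-mode rootkits later in the chapter close that gap by lying below all of them.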

Maintaining Access 36

Hacker Defender

Maintaining Access 37

Hacker Defender

Maintaining Access 38

AFX Windows Rootkit
• Creates a “cone of invisibility” for the rootkit

Maintaining Access 39

Cone of Silence

Maintaining Access 40

Defenses
• Defenses against user-mode rootkits
• Don’t let the attacker get root access
  o Good passwords, close ports, etc., etc.
• Employ file integrity/hash checking
  o Tripwire
  o Keep the baseline and the checker on read-only or offline media, and run a statically linked checker: the replaced ls, ps and libraries are exactly what the checker must not depend on
• Antivirus
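Slides 27, 28 and this one, taken together, as an added example that is neither the slides’ code nor Tripwire’s: hash every file under a directory into a baseline, and authenticate the baseline with a key the attacker does not hold, since a bare hash list is not a signature. HMAC-SHA256 stands in for a real signature so that the example runs with the standard library alone; in practice use an asymmetric signature (GPG, minisign, or similar) with the private key kept off the monitored host. SHA-256 replaces MD5 for the file digests. The directory contents, the file names and the key are constructed for the example.

```python
"""File-integrity baseline whose manifest is authenticated, not merely hashed."""
import hashlib
import hmac
import json
import os
import tempfile

# Assumed verification key; in real use it lives offline, never on the host.
BASELINE_KEY = b"offline-key-kept-on-read-only-media"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each relative path under root to its SHA-256 digest and mode bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "mode": oct(os.stat(full).st_mode & 0o777),
            }
    return baseline


def sign_manifest(baseline, key=BASELINE_KEY):
    """Serialize the baseline and authenticate it (HMAC as a stand-in for a signature)."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_manifest(body, tag, key=BASELINE_KEY):
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag)


def compare(root, baseline):
    """Return (modified, added, removed) relative paths versus the baseline."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def demo():
    """Replace a 'binary', add a backdoor, then check with a rewritten hash list
    and with the authenticated baseline."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(root, "bin", name), "wb") as fh:
                fh.write(b"real " + name.encode())
        body, tag = sign_manifest(build_baseline(root))

        # Attacker trojans ls, drops a backdoor, and regenerates the hash list
        # (the "signatures" line of slide 28) so it matches the new files.
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"trojaned ls")
        with open(os.path.join(root, "bin", "rk_shell"), "wb") as fh:
            fh.write(b"backdoor")
        forged = build_baseline(root)
        forged_body = json.dumps(forged, sort_keys=True).encode()

        unsigned_check = compare(root, forged)           # trusts the rewritten hashes: clean
        signed_ok = verify_manifest(forged_body, tag)    # attacker has no key: rejected
        real_check = compare(root, json.loads(body))     # authenticated baseline: detects both
    return unsigned_check, signed_ok, real_check


if __name__ == "__main__":
    print(demo())
```

The unsigned comparison reports nothing because the attacker rewrote the hashes along with the files; the authenticated manifest fails verification, and the original one reports bin/ls as modified and bin/rk_shell as added. Hashes alone detect accidental drift; only something the attacker cannot forge detects a deliberate replacement.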

Maintaining Access 41

Kernel-Mode Rootkits
• The kernel is the heart of the OS
• User-mode rootkit
  o Alters the administrator’s eyes and ears
• Kernel-mode rootkit
  o Alters part of the administrator’s brain
• “If the kernel cannot be trusted, you can trust nothing on the system”

Maintaining Access 42

Kernel-Mode Rootkits

Maintaining Access 43

Kernel-Mode Rootkit
• Execution redirection
  o Calls to certain apps are mapped elsewhere
  o For example, map sshd to backdoor_sshd: the sshd file on disk is untouched and still hashes correctly, so a file integrity checker sees nothing
• File hiding
  o You see only what the attacker wants you to
• Process hiding, network hiding, etc.

Maintaining Access 44

Kernel-Mode Rootkits
• Adore-ng: Linux kernel-mode rootkit
  o Promiscuous mode hiding: smart enough to check whether promiscuous mode was set by the admin
  o Process hiding: can cloak any process
  o Kernel module hiding: Adore-ng hides itself

Maintaining Access 45

Kernel-Mode Rootkits
• Windows FU kernel-mode rootkit
  o Pronounced “F” “U”, not “foo”
  o So it is OK to say “Windows FU”
  o Created by “Fuzen”
  o Consists of a special device driver: msdirectx.sys
  o Hides processes, alters privileges, hides events, etc., by editing the kernel’s own data structures directly (unlinking a process from the kernel’s process list) rather than hooking calls

Maintaining Access 46

Defenses
• Install a kernel-mode rootkit on your own system? Good idea or bad idea?
• Bad idea…
  o Attacker might understand the rootkit better than you do…
  o Postmortem analysis more difficult
  o Multiple rootkits could be installed, in principle

Maintaining Access 47

Defenses
• Don’t let the attacker get root
• Control access to the kernel
  o Systrace (by Niels Provos), CSA, Entercept
• Use IDS
• Automated rootkit checkers
  o chkrootkit: signature scan, hidden processes, file structure inconsistencies, …
  o Rootkit Hunter, RootkitRevealer: look for discrepancies between the user-mode view and the kernel-mode (or raw on-disk) view of the same objects
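The “hidden processes” and “discrepancies between views” checks above, as an added example that is not the slides’ code and not chkrootkit’s or rkhunter’s. A rootkit that hides a process filters one view (a replaced ps, or the directory listing of /proc) but rarely every way of asking, so three views of the process table are compared: what ps prints, what /proc lists, and which PIDs answer kill(pid, 0) when probed by brute force. The collectors assume Linux; hidden_pids() is pure and is what the test exercises, on constructed sets.

```python
"""Cross-view process check: compare ps, /proc and a kill(pid, 0) brute-force probe."""
import os
import subprocess


def pids_from_ps():
    """PIDs as printed by the ps binary (the view a user-mode rootkit replaces)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def pids_from_proc():
    """PIDs present as numeric directory names under /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def visible_thread_ids():
    """TIDs of visible processes that are not themselves PIDs. kill(tid, 0)
    succeeds for a thread too, so these must not be mistaken for hidden processes."""
    pids = pids_from_proc()
    tids = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:          # process exited between the two reads
            pass
    return tids - pids


def pids_from_kill_probe(max_pid=None):
    """Ask the kernel directly: kill(pid, 0) raises ESRCH if no such pid exists,
    and either succeeds or raises EPERM if it does. Walks every pid up to
    pid_max (up to 4194304 on modern kernels), so expect it to take seconds."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                  # exists, owned by another user
        alive.add(pid)
    return alive


def hidden_pids(ps_view, proc_view, probe_view, known_threads=frozenset()):
    """Map each pid the kernel confirms alive, but that some view omits, to the
    list of views omitting it. Missing from ps only: ps was replaced. Missing
    from /proc as well: something below ps is lying (kernel-mode hiding)."""
    suspects = {}
    for pid in sorted(probe_view - set(known_threads)):
        missing = []
        if pid not in proc_view:
            missing.append("/proc")
        if pid not in ps_view:
            missing.append("ps")
        if missing:
            suspects[pid] = missing
    return suspects


if __name__ == "__main__":
    # Views are taken back to back; a process that starts or exits in between
    # shows up once, so rerun before treating a single hit as a rootkit.
    ps, proc = pids_from_ps(), pids_from_proc()
    threads = visible_thread_ids()
    for pid, views in hidden_pids(ps, proc, pids_from_kill_probe(), threads).items():
        print(f"pid {pid} hidden from: {', '.join(views)}")
```

Like the file cross-view earlier in the chapter, this only works while one route to the truth remains unhooked; a kernel-mode rootkit that also filters the kill() path defeats it, which is what the next slide’s “boot from CD” addresses.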

Maintaining Access 48

Defenses
• File integrity check
• Antivirus
  o Note: some antivirus will flag rootkit checkers
• Boot from CD for analysis: a known-clean kernel and tools, so the rootkit is not running while you look at the disk

Maintaining Access 49

Conclusions

Maintaining Access 50

Summary