Maintaining Access

1
Maintaining Access
2
In This Chapter

• Trojans
• Backdoors
• Rootkits

3
Trojan Horses

• The original Trojan Horse
• Used by Greeks attacking Troy
• Trojan rabbit
• Monty Python and the Holy Grail
• Modern trojan horse
• Software that appears to be something that it is
  not --- hidden malicious function

4
Trojan

• Perhaps most common form of malware
• Any innocent program can be a trojan
• Example
• Free DVD ripping software!
• In reality, deleted content of hard drive
• Trojan could be much more clever

5
Backdoors

• Alternative access to machine
• Front door username and password
• Backdoor unauthorized access
• Note once backdoor is established, improved
  authentication is useless

6
Backdoor

• Suppose Trudy installs backdoor
• Whats next?
• Trudy likely to harden system
• Fix vulnerabilities, apply patches, Why?
• 0wned system likely more secure
• Trudy may use strong authentication!

7
Netcat Backdoor

• Install Netcat listener
• Must compile Netcat with its GAPING_SECURITY_HOLE
  option
• In UNIX nc victim_machine 12345
• Starts Netcat in client mode with listener on TCP
  port 12345
• No authentication required of attacker

8
Backdoors

• Trojan backdoor appears to be good
• But actually installs backdoor
• Three types of trojans (soup analogy)
• Application level separate application
• Trudy adds poison to your soup
• User-mode rootkit replace system stuff
• Trudy switched potatoes for poisonous potatoes
• Kernel-mode rootkit OS itself is modified
• Trudy replaces your tongue with poison tongue

9
Application Level Trojans

• Separate application
• Gives attacker access
• Most prevalent on Windows
• Remote-control backdoor
• Can control system across network
• Microsoft itself supposedly attacked in 2000

10
Remote-Control Backdoor
11
Remote-Control Backdoor

• Thousands of such backdoors
• See www.megasecurity.org
• Some months, 50 or more released
• Eventually, detectable by antivirus
• Popular remote-control tools
• VNC, Dameware, Back Orifice, SubSeven

12
Remote-Control Backdoor Examples
13
Remote-Control Backdoor

• Functionality
• Pop-up dialog box on victims machine
• Log keystrokes
• List system info
• Collect passwords
• Manipulate files (view, copy, )
• Modify registry settings or processes
• Remotely accessible command shell
• GUI control, video, audio, sniffers

14
BO2K
15
Remote-Control Backdoors

• Like a hammer
• In the right hands, useful tool
• Administrator, white hat,
• In the wrong hands, can cause damage
• Hacker, black hat,

16
Build Your Own Trojan

• No programming skill required!
• Use wrapper
• Attaches (evil) exe to another (nice) exe
• Wrappers include
• Silk Rope
• SaranWrap
• EliteWrap
• AFX File Lace
• Trojan Man

17
Build Your Own Trojan

• Use a wrapper
• Give program a nice name
• FreeGame.exe, not EvilVirus.exe
• Email it to lots of people
• Spoof source of email, etc., etc.
• Problem where are the victims?
• Solution notification functionality
• Via email?

18
Related Attacks

• Phishing
• Email-based
• Can be fairly sophisticated/targeted
• URL obfuscation
• Evil site disguised as legitimate website

19
Bots

• Designed for economies of scale
• Control many machines, not one at a time
• A botnet, controlled by a bot master
• Usually via IRC (but that is changing)
• Bots of 100,000 or more machines
• Bot code freely available
• Phatbot (500 variations), sdbot, mIRC bot
• Some high-quality code (phatbot)

20
Botnet
21
Botnets

• Botnet functionality includes
• DoS
• Vulnerability scanning
• Metamorphism
• Anonymizing HTTP proxy
• Email address collection/spamming
• Other?

22
Virtual Machine Detection

• Virtual machines used to analyze bots
• And other malware
• Some bots try to detect virtual machine
• What if virtual machine is detected?
• Red Pill
• Execute SIDT, look at IDTR location
• If non-virtual then IDTR is at low address
• If virtual machine then IDTR at high address
• What could be simpler than that?

23
Virtual Machine Detection

• Lots of other techniques
• Recent research shows system calls a good
  indicator of virtual machine

24
Worms and Bots

• Worms --- self-propagating malware
• Can use worm to infect systems that become part
  of a botnet

25
Spyware

• Software the spies on you
• Typically focused on one objective
• Usually simple propagation method
• User installs it
• May be disguised as anti-spyware
• May also use browser flaws

26
Spyware

• Capabilities of spyware
• Web surfing statistics
• Personal identifiable information (PII)
• Customized advertising
• Customized filtering of searches
• Pop-up ads
• Keystroke logging

27
Defenses

• Defenses against application level
  trojans/backdoors, bots, spyware
• Antivirus, user education
• Look for unusual TCP/UDP ports
• Know your software
• Easier said than done!
• Check hashes/fingerprints
• Better yet, use digital signatures

28
Defenses

• MD5 hash
• NOT a signature
• Regardless of the signatures line

29
User-Mode Rootkits

• Application level backdoors
• Separate applications
• Relatively easy to detect
• User-mode rootkits
• More insidious
• Modify OS software/libraries

30
User-Mode Rootkits
31
User-Mode Rootkits

• Linux/UNIX example
• Better version would look the same

32
User-Mode Rootkits

• Linux/UNIX rootkits might replace
• du --- to lie about disk usage
• find --- hide attackers files
• ls --- hide rootkit files
• netstat --- lie about ports in use
• ps --- hide processes
• syslogd --- dont log attackers actions

33
User-Mode Rootkits

• Windows rootkits are different
• Often alter memory of running processes
  associated with OS
• E.g., make OS think port not in use
• Why this approach?
• Difficult to change critical system files
• Easy for one process to access another

34
User-Mode Rootkits

• In Windows, rootkit hooks API calls
• Rootkit overwrites API call to point to
  attackers code
• Attack code calls real function, returns altered
  results to hooked function
• Rootkit likely also includes command shell
  backdoor

35
User-Mode Rootkits

• Windows rootkits might hook
• NtQuerySystemInformation --- Hide running
  processes
• NtQueryDirectoryFile --- Hide files
• NtEnumerateKey --- hide registry keys
• NtReadVirtualMemory --- hide hooked API calls

36
Hacker Defender
37
Hacker Defender
38
AFX Windows Rootkit

• Creates cone of invisibility for rootkit

39
Cone of Silence
40
Defenses

• Defenses against user-mode rootkits
• Dont let attacker get root access
• Good pwds, close ports, etc., etc.
• Employ file integrity/hash checking
• Tripwire
• Antivirus

41
Kernel-Mode Rootkits

• Kernel is heart of OS
• User-mode rootkit
• Alters administrators eyes and ears
• Kernel-mode rootkit
• Alters part of administrators brain
• If the kernel cannot be trusted, you can trust
  nothing on the system

42
Kernel-Mode Rootkits
43
Kernel-Mode Rootkit

• Execution redirection
• Calls to certain app mapped elsewhere
• For example, map sshd to backdoor_sshd
• File hiding
• You see only what attacker wants you to
• Process hiding, network hiding, etc.

44
Kernel-Mode Rootkits

• Adore-ng Linux Kernel-Mode Rootkit
• Promiscuous mode hiding smart enough to check if
  promiscuous mode is by admin
• Process hiding can cloak any process
• Kernel module hiding Adore-ng hides itself

45
Kernel-Mode Rootkits

• Windows FU Kernel-Mode Rootkit
• Pronounced F U, not foo
• So it is OK to say Windows FU
• Created by Fuzen
• Consists of special device driver msdirectx.sys
• Hide processes, alter privilege, hides events,
  etc.

46
Defenses

• Install kernel-mode rootkit on your own system?
  Good idea or bad idea?
• Bad idea
• Attacker might understand rootkit better than you
  do
• Postmortem analysis more difficult
• Multiple rootkits could be installed, in principle

47
Defenses

• Dont let attacker get root
• Control access to kernel
• Systrace (by Niels Provos), CSA, Entercept
• Use IDS
• Automated rootkit checkers
• Chkrootkit signature scan, hidden processes,
  file structure inconsistencies,
• Rootkit Hunter, Rootkit Revealer look for
  discrepancies between user mode/kernel mode

48
Defenses

• File integrity check
• Antivirus
• Note some antivirus will flag rootkit checkers
• Boot from CD for analysis

49
Conclusions
50
Summary