Maintaining Access - PowerPoint PPT Presentation

Title: Maintaining Access
Slides: 51
Provided by: marks9
Learn more at: http://www.cs.sjsu.edu

Transcript and Presenter's Notes
1
Maintaining Access
2
In This Chapter
  • Trojans
  • Backdoors
  • Rootkits

3
Trojan Horses
  • The original Trojan Horse --- used by the Greeks attacking Troy
  • Trojan rabbit --- Monty Python and the Holy Grail
  • Modern trojan horse --- software that appears to be something that it is not, with a hidden malicious function

4
Trojan
  • Perhaps the most common form of malware
  • Any innocent-looking program can be a trojan
  • Example: "Free DVD ripping software!"
  • In reality, it deleted the contents of the hard drive
  • A trojan could be much more clever than that

5
Backdoors
  • Alternative access to a machine
  • Front door --- username and password
  • Backdoor --- unauthorized access that bypasses the front door
  • Note: once a backdoor is established, improving authentication on the front door is useless

6
Backdoor
  • Suppose Trudy installs a backdoor
  • What's next?
  • Trudy is likely to harden the system
  • Fix vulnerabilities, apply patches --- why? To keep other attackers out and avoid drawing attention
  • A 0wned system is often more secure than it was before
  • Trudy may even require strong authentication on her backdoor!

7
Netcat Backdoor
  • Install a Netcat listener on the victim
  • Netcat must be compiled with its GAPING_SECURITY_HOLE option, which enables the -e flag that attaches a program (here a shell) to the connection
  • On the victim (UNIX): nc -l -p 12345 -e /bin/sh
  • From the attacker's machine: nc victim_machine 12345
  • This runs Netcat in client mode, connecting to the listener on TCP port 12345, and hands the attacker the shell
  • No authentication is required of the attacker

8
Backdoors
  • A trojan backdoor appears to be good software but actually installs a backdoor
  • Three types of trojans (soup analogy)
  • Application level --- a separate application; Trudy adds poison to your soup
  • User-mode rootkit --- replaces system programs and libraries; Trudy switches your potatoes for poisonous potatoes
  • Kernel-mode rootkit --- the OS itself is modified; Trudy replaces your tongue with a poisoned tongue

9
Application Level Trojans
  • A separate application that gives the attacker access
  • Most prevalent on Windows
  • Remote-control backdoor --- can control the system across the network
  • Microsoft itself was reportedly attacked this way in 2000

10
Remote-Control Backdoor
11
Remote-Control Backdoor
  • Thousands of such backdoors
  • See www.megasecurity.org
  • Some months, 50 or more released
  • Eventually, detectable by antivirus
  • Popular remote-control tools: VNC, Dameware, Back Orifice, SubSeven

12
Remote-Control Backdoor Examples
13
Remote-Control Backdoor
  • Functionality
  • Pop-up dialog box on the victim's machine
  • Log keystrokes
  • List system info
  • Collect passwords
  • Manipulate files (view, copy, etc.)
  • Modify registry settings or processes
  • Remotely accessible command shell
  • GUI control, video, audio, sniffers

14
BO2K
15
Remote-Control Backdoors
  • Like a hammer
  • In the right hands, a useful tool (administrator, white hat, etc.)
  • In the wrong hands, can cause damage (hacker, black hat, etc.)

16
Build Your Own Trojan
  • No programming skill required!
  • Use a wrapper
  • It attaches an (evil) exe to another (nice) exe
  • Wrappers include
  • Silk Rope
  • SaranWrap
  • EliteWrap
  • AFX File Lace
  • Trojan Man

17
Build Your Own Trojan
  • Use a wrapper
  • Give the program a nice name: FreeGame.exe, not EvilVirus.exe
  • Email it to lots of people
  • Spoof the source of the email, etc., etc.
  • Problem: where are the victims?
  • Solution: notification functionality --- the trojan reports back to the attacker, e.g., via email

18
Related Attacks
  • Phishing --- email-based; can be fairly sophisticated/targeted
  • URL obfuscation --- evil site disguised as a legitimate website

19
Bots
  • Designed for economies of scale: control many machines, not one at a time
  • A botnet, controlled by a bot master
  • Usually via IRC (but that is changing)
  • Botnets of 100,000 or more machines
  • Bot code freely available: Phatbot (500 variations), sdbot, mIRC bot
  • Some high-quality code (phatbot)

20
Botnet
21
Botnets
  • Botnet functionality includes
  • DoS
  • Vulnerability scanning
  • Metamorphism
  • Anonymizing HTTP proxy
  • Email address collection/spamming
  • Other?

22
Virtual Machine Detection
  • Virtual machines are used to analyze bots and other malware
  • Some bots try to detect the virtual machine
  • What if a virtual machine is detected? (the bot can stop, or behave innocently, so the analyst sees nothing)
  • Red Pill
  • Execute SIDT and look at the IDT base address it stores from the IDTR (SIDT is unprivileged, so a VMM without hardware support cannot trap it)
  • If non-virtual, the IDT base is at a low address
  • If in a virtual machine, the IDT base is at a high address, where the VMM keeps the guest's IDT
  • What could be simpler than that?
  • Caveat: Red Pill was measured on VMware and Virtual PC on 32-bit, single-processor hosts; on multiprocessor hosts each CPU has its own IDT, and VMMs using Intel VT-x/AMD-V do not need to relocate the guest IDT, so today the test is unreliable
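
Added worked example (not from the slides): the Red Pill check written out in Python. The heuristic is applied to constructed 6-byte IDTR images whose base addresses use the values reported in Rutkowska's Red Pill note (0x80ffffff for bare-metal Windows, 0xff... for VMware, 0xe8... for Virtual PC; the low bytes and the limit are made up). The live read executes SIDT through ctypes on x86-64 Linux only, to show the mechanism; its 10-byte result is deliberately not fed to the 32-bit rule, because 64-bit kernels map the IDT high on bare metal too.

```python
import ctypes
import mmap
import platform
import struct

# Red Pill rule (Rutkowska, 2004): the 6-byte 32-bit IDTR image written by
# SIDT is <16-bit limit><32-bit base>. On the VMs she measured the base sat
# high (VMware 0xffXXXXXX, Virtual PC 0xe8XXXXXX), on bare metal lower
# (0x80ffffff on Windows, 0xc0ffffff on Linux): "top byte of base > 0xd0".
REDPILL_THRESHOLD = 0xD0


def parse_idtr32(idtr):
    """Split a 6-byte 32-bit IDTR image into (limit, base)."""
    if len(idtr) != 6:
        raise ValueError("a 32-bit IDTR image is exactly 6 bytes")
    limit, base = struct.unpack("<HI", idtr)
    return limit, base


def redpill_says_vm(idtr):
    """Apply the Red Pill heuristic: True means 'looks like a VM'."""
    _, base = parse_idtr32(idtr)
    return (base >> 24) > REDPILL_THRESHOLD


def read_idtr_live():
    """Run SIDT on this CPU and return the raw IDTR image (10 bytes on x86-64).

    Machine code: 0f 01 0f = sidt [rdi]; c3 = ret. The page must be executable,
    which a W^X policy may refuse, and on CPUs with UMIP the kernel may emulate
    SIDT with dummy values or fault: call this deliberately, never on import.
    """
    if platform.system() != "Linux" or platform.machine() != "x86_64":
        raise RuntimeError("live SIDT read is only wired up for x86-64 Linux")
    page = mmap.mmap(-1, mmap.PAGESIZE,
                     prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
    page.write(b"\x0f\x01\x0f\xc3")
    out = ctypes.create_string_buffer(10)
    entry = ctypes.addressof(ctypes.c_char.from_buffer(page))
    sidt = ctypes.CFUNCTYPE(None, ctypes.c_void_p)(entry)
    sidt(ctypes.addressof(out))
    return out.raw


# Constructed IDTR images (limit 0x7ff = 256 descriptors of 8 bytes); only the
# high byte of each base comes from the paper.
SAMPLE_IDTR = {
    "windows_native": struct.pack("<HI", 0x7FF, 0x80FFFFFF),
    "vmware": struct.pack("<HI", 0x7FF, 0xFFC18000),
    "virtualpc": struct.pack("<HI", 0x7FF, 0xE8000000),
}

if __name__ == "__main__":
    for label, image in SAMPLE_IDTR.items():
        verdict = "VM" if redpill_says_vm(image) else "native"
        print(f"{label:15s} base 0x{parse_idtr32(image)[1]:08x} -> {verdict}")
    try:
        limit, base = struct.unpack("<HQ", read_idtr_live())
        print(f"this CPU: IDT base 0x{base:016x}, limit 0x{limit:x} "
              "(64-bit kernels put the IDT high on bare metal, so the 0xd0 "
              "rule does not transfer; shown for the mechanism only)")
    except (RuntimeError, OSError, PermissionError) as err:
        print(f"live SIDT not attempted/failed: {err}")
```

The constructed images reproduce the slide's claim exactly: the two VM bases classify as "VM", the bare-metal one as "native". The live path is the part that is no longer a reliable VM detector, for the reasons given in the caveat above.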

23
Virtual Machine Detection
  • Lots of other techniques
  • Recent research shows system calls a good
    indicator of virtual machine

24
Worms and Bots
  • Worms --- self-propagating malware
  • Can use worm to infect systems that become part
    of a botnet

25
Spyware
  • Software that spies on you
  • Typically focused on one objective
  • Usually a simple propagation method: the user installs it
  • May be disguised as anti-spyware
  • May also use browser flaws

26
Spyware
  • Capabilities of spyware
  • Web surfing statistics
  • Personal identifiable information (PII)
  • Customized advertising
  • Customized filtering of searches
  • Pop-up ads
  • Keystroke logging

27
Defenses
  • Defenses against application level trojans/backdoors, bots, spyware
  • Antivirus, user education
  • Look for unusual listening TCP/UDP ports
  • Know your software --- easier said than done!
  • Check hashes/fingerprints of the software you install
  • Better yet, use digital signatures
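
Added example (not from the slides) of the "look for unusual ports" check: a parser for Linux's /proc/net/tcp and /proc/net/udp that lists listening sockets and flags those not on a per-host allowlist. The dumps, the allowlist and the port numbers (including the 12345 from the Netcat slide) are constructed for the example; scan_live reads the real files where they exist.

```python
import socket
import struct

# Socket state codes as printed in /proc/net/tcp and /proc/net/udp.
TCP_LISTEN = "0A"   # TCP listener
UDP_BOUND = "07"    # a bound UDP socket reports TCP_CLOSE


def _decode_ipv4(hexaddr):
    # The kernel prints the 32-bit address as one native-endian hex word, so on
    # the x86 host this dump came from, 0100007F is 127.0.0.1.
    return socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))


def parse_listeners(dump, proto):
    """Yield (proto, ip, port, uid, inode) for every listening TCP / bound UDP
    socket in a /proc/net/tcp or /proc/net/udp dump (header line first)."""
    wanted = TCP_LISTEN if proto == "tcp" else UDP_BOUND
    for line in dump.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10 or fields[3] != wanted:
            continue
        ip_hex, port_hex = fields[1].split(":")
        yield (proto, _decode_ipv4(ip_hex), int(port_hex, 16),
               int(fields[7]), int(fields[9]))


def unexpected_listeners(listeners, allowlist):
    """Listeners whose (proto, port) is not on the host's allowlist."""
    return [s for s in listeners if (s[0], s[2]) not in allowlist]


def scan_live(allowlist):
    """Read the real /proc/net/tcp and /proc/net/udp (IPv4 only) and report
    listeners outside the allowlist; returns [] where /proc is absent."""
    found = []
    for proto in ("tcp", "udp"):
        try:
            with open(f"/proc/net/{proto}") as fh:
                found.extend(parse_listeners(fh.read(), proto))
        except OSError:
            continue
    return unexpected_listeners(found, allowlist)


# Constructed dumps: sshd on 22, a local-only MTA on 25, one established ssh
# session, a DHCP client on udp/68, and a Netcat-style listener on 12345.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18410 1 0000000000000000 100 0 0 10 0
   2: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:0016 9F1B1C2D:D431 01 00000000:00000000 02:00063A2B 00000000     0        0 20011 2 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  12: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 14007 2 0000000000000000 0
"""

# What this (constructed) host is supposed to have open.
ALLOWLIST = {("tcp", 22), ("tcp", 25), ("udp", 68)}

if __name__ == "__main__":
    sockets = (list(parse_listeners(SAMPLE_TCP, "tcp"))
               + list(parse_listeners(SAMPLE_UDP, "udp")))
    for s in unexpected_listeners(sockets, ALLOWLIST):
        print("unexpected listener in sample:", s)
    for s in scan_live(ALLOWLIST):
        print("unexpected listener on this host:", s)
```

On the sample the only hit is the 0.0.0.0:12345 listener (inode 31337, uid 0). The inode is what links the socket back to a process via /proc/<pid>/fd. Bear in mind that this check reads what the kernel reports; once a rootkit is in place (slides 33 and 43) the same file can lie, so confirm with a port scan from another machine.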

28
Defenses
  • An MD5 hash is NOT a signature, whatever the "signatures" line on a download page calls it
  • Anyone who can replace the file can recompute the hash and publish it next to the modified file; a digital signature requires the publisher's private key, so a substituted file fails verification against a public key you obtained independently
  • MD5 is also no longer collision resistant, so even as a plain fingerprint prefer SHA-256

29
User-Mode Rootkits
  • Application level backdoors --- separate applications, relatively easy to detect
  • User-mode rootkits --- more insidious: they modify OS software/libraries

30
User-Mode Rootkits
31
User-Mode Rootkits
  • Linux/UNIX example
  • Better version would look the same

32
User-Mode Rootkits
  • Linux/UNIX rootkits might replace
  • du --- to lie about disk usage
  • find --- hide the attacker's files
  • ls --- hide rootkit files
  • netstat --- lie about ports in use
  • ps --- hide processes
  • syslogd --- don't log the attacker's actions

33
User-Mode Rootkits
  • Windows user-mode rootkits are different
  • They often alter the memory of running processes associated with the OS
  • E.g., make the OS report that a port is not in use
  • Why this approach?
  • Critical system files are difficult to change (Windows File Protection restores them)
  • It is easy for one process to access another process's memory (e.g., WriteProcessMemory)

34
User-Mode Rootkits
  • In Windows, the rootkit hooks API calls
  • The rootkit overwrites the entry of the API function (or the import-table pointer to it) so that calls go to the attacker's code
  • The attacker's code calls the real function, filters the results, and returns the altered results to the caller
  • The rootkit likely also includes a command-shell backdoor

35
User-Mode Rootkits
  • Windows rootkits might hook
  • NtQuerySystemInformation --- hide running processes
  • NtQueryDirectoryFile --- hide files
  • NtEnumerateKey --- hide registry keys
  • NtReadVirtualMemory --- hide the hooked API calls themselves from memory inspection

36
Hacker Defender
37
Hacker Defender
38
AFX Windows Rootkit
  • Creates cone of invisibility for rootkit

39
Cone of Silence
40
Defenses
  • Defenses against user-mode rootkits
  • Don't let the attacker get root access
  • Good passwords, close ports, etc., etc.
  • Employ file integrity/hash checking (Tripwire)
  • Antivirus
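
Added example (not from the slides, and not Tripwire's own code) of what a file integrity check does against the replaced-binaries slide above: take a baseline of SHA-256 hashes, store it, and later report modified, added and removed files. The "rootkit install" is a constructed scenario in a temporary directory standing in for /bin: ls and netstat are replaced and a hidden config file is dropped.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Classify differences the way Tripwire reports them."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, name, body):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(body)


def demo():
    """Constructed scenario: a stand-in /bin with ls, ps and netstat; the
    baseline is taken and serialized; then a 'rootkit install' replaces ls and
    netstat and drops a hidden config file; the baseline is checked again."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "ls", b"genuine ls\n")
        _write(root, "ps", b"genuine ps\n")
        _write(root, "netstat", b"genuine netstat\n")
        # This serialized baseline is what belongs on read-only media.
        saved = json.dumps(build_baseline(root), sort_keys=True)
        _write(root, "ls", b"trojaned ls: omits names starting with .rk\n")
        _write(root, "netstat", b"trojaned netstat: omits port 12345\n")
        _write(root, ".rk.conf", b"hide_port=12345\n")
        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report lists ls and netstat as modified and .rk.conf as added. Two practical points: the baseline and the checker binary must live somewhere the attacker cannot rewrite (read-only media, another host), since with root she can re-baseline; and the checker only hashes what the running system lets it read, so a rootkit that hooks the checker's file reads, or the kernel, feeds it the genuine bytes. That is the reason for "boot from CD for analysis" on the later Defenses slide.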

41
Kernel-Mode Rootkits
  • The kernel is the heart of the OS
  • User-mode rootkit --- alters the administrator's eyes and ears
  • Kernel-mode rootkit --- alters part of the administrator's brain
  • If the kernel cannot be trusted, you can trust nothing on the system

42
Kernel-Mode Rootkits
43
Kernel-Mode Rootkit
  • Execution redirection --- calls to a certain program are mapped elsewhere; for example, sshd is mapped to backdoor_sshd while the sshd file on disk stays untouched, so a file integrity check sees nothing
  • File hiding --- you see only what the attacker wants you to see
  • Process hiding, network hiding, etc.

44
Kernel-Mode Rootkits
  • Adore-ng Linux kernel-mode rootkit
  • Promiscuous-mode hiding --- smart enough to check whether promiscuous mode was set by the admin
  • Process hiding --- can cloak any process
  • Kernel-module hiding --- Adore-ng hides itself

45
Kernel-Mode Rootkits
  • Windows FU kernel-mode rootkit
  • Pronounced "F U", not "foo", so it is OK to say "Windows FU"
  • Created by Fuzen
  • Consists of a special device driver, msdirectx.sys
  • Hides processes, alters privileges, hides events, etc.

46
Defenses
  • Install kernel-mode rootkit on your own system?
    Good idea or bad idea?
  • Bad idea
  • Attacker might understand rootkit better than you
    do
  • Postmortem analysis more difficult
  • Multiple rootkits could be installed, in principle

47
Defenses
  • Don't let the attacker get root
  • Control access to the kernel: Systrace (by Niels Provos), CSA, Entercept
  • Use an IDS
  • Automated rootkit checkers
  • chkrootkit --- signature scan, hidden processes, file structure inconsistencies, etc.
  • Rootkit Hunter, RootkitRevealer --- look for discrepancies between the user-mode view and the kernel-mode (or raw on-disk) view
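
Added example (not from the slides) of the discrepancy idea for processes on Linux, the same cross-view approach as chkrootkit's hidden-process check: one view is the directory listing of /proc, which a hooked ls/ps or a filtered readdir can censor; the other is the kernel's own answer to kill(pid, 0) for every possible PID. Anything that answers the probe but is missing from the listing is a candidate hidden process. The PID sets in the test are constructed; the live scan runs only when executed as a script.

```python
import os


def listed_pids(proc_dir="/proc"):
    """PIDs according to a directory listing of /proc: the view ps and ls
    give, and the one a hooked readdir/getdents can filter."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def _is_thread_group_leader(pid, proc_dir):
    # Thread IDs also answer kill(), so drop non-leader threads when the
    # status file is readable; if it is not, keep the candidate.
    try:
        with open(f"{proc_dir}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass
    return True


def pid_exists(pid):
    """kill(pid, 0): ESRCH means no such process; success or EPERM means it
    exists whatever any listing said."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probed_pids(max_pid, proc_dir="/proc"):
    """PIDs according to the kernel, found by brute-force probing 1..max_pid."""
    return {pid for pid in range(1, max_pid + 1)
            if pid_exists(pid) and _is_thread_group_leader(pid, proc_dir)}


def hidden_pids(listed, probed):
    """Cross-view result: processes the kernel admits exist but the listing
    omitted. Processes that exited between the two views are benign noise,
    so re-probe survivors before raising an alarm."""
    return probed - listed


def read_max_pid():
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except OSError:
        return 32768


if __name__ == "__main__":
    suspects = hidden_pids(listed_pids(), probed_pids(read_max_pid()))
    suspects = {p for p in suspects if pid_exists(p)}   # drop the already-exited
    print("hidden PIDs:", sorted(suspects) or "none")
```

Two caveats that apply to every checker on the slide: a kernel-mode rootkit that filters the kill() path as well as /proc (Adore-ng and FU both hide processes at that level) defeats a same-kernel comparison, which is why the next slide recommends analysis from trusted boot media; and on a busy host the probe takes a few seconds per million PIDs, so expect a little churn and re-probe before alarming.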

48
Defenses
  • File integrity check
  • Antivirus
  • Note: some antivirus products will flag rootkit checkers
  • Boot from CD (trusted media) for analysis, so the kernel doing the examining is not the one under suspicion

49
Conclusions
50
Summary