Maintaining Access

Slide 1: Maintaining Access

Slide 2: In This Chapter…
- Trojans
- Backdoors
- Rootkits

Slide 3: Trojan Horses
- The original Trojan horse: used by the Greeks attacking Troy
- The Trojan rabbit: Monty Python and the Holy Grail
- Modern Trojan horse: software that appears to be something it is not, with a hidden malicious function

Slide 4: Trojan
- Perhaps the most common form of malware
- Any “innocent” program can be a trojan
- Example: free DVD-ripping software! In reality, it deleted the contents of the hard drive
- A trojan could be much more clever…

Slide 5: Backdoors
- “Alternative” access to a machine
- Front door: username and password
- Backdoor: unauthorized access
- Note: once a backdoor is established, improved authentication is useless

Slide 6: Backdoor
- Suppose Trudy installs a backdoor; what’s next?
- Trudy is likely to “harden” the system: fix vulnerabilities, apply patches, …
- Why? A “0wned” system is likely to be more “secure”
- Trudy may use strong authentication!

Slide 7: Netcat Backdoor
- Install a Netcat listener
- Netcat must be compiled with its GAPING_SECURITY_HOLE option
- In UNIX: nc victim_machine 12345
- Starts Netcat in client mode, connecting to the listener on TCP port 12345
- No authentication required of the attacker

Slide 8: Backdoors
- A trojan backdoor appears to be “good”, but actually installs a backdoor
- Three types of trojans (soup analogy):
- Application level: a separate application (Trudy adds poison to your soup)
- User-mode rootkit: replaces system software (Trudy switches your potatoes for poisonous potatoes)
- Kernel-mode rootkit: the OS itself is modified (Trudy replaces your tongue with a “poison” tongue)

Slide 9: Application Level Trojans
- A separate application that gives the attacker access
- Most prevalent on Windows
- Remote-control backdoor: can control the system across the network
- Microsoft itself was supposedly attacked this way in 2000

Slide 10: Remote-Control Backdoor

Slide 11: Remote-Control Backdoor
- Thousands of such backdoors; see www.megasecurity.org
- Some months, 50 or more are released
- Eventually detectable by antivirus
- Popular remote-control tools: VNC, Dameware, Back Orifice, SubSeven

Slide 12: Remote-Control Backdoor Examples

Slide 13: Remote-Control Backdoor Functionality
- Pop up a dialog box on the victim’s machine
- Log keystrokes
- List system info
- Collect passwords
- Manipulate files (view, copy, …)
- Modify registry settings or processes
- Remotely accessible command shell
- GUI “control”, video, audio, sniffers

Slide 14: BO2K

Slide 15: Remote-Control Backdoors
- Like a hammer…
- In the right hands, a useful tool: administrator, white hat, …
- In the wrong hands, can cause damage: hacker, black hat, …

Slide 16: Build Your Own Trojan
- No programming skill required!
- Use a “wrapper”: attaches an (evil) exe to another (nice) exe
- Wrappers include Silk Rope, SaranWrap, EliteWrap, AFX File Lace, Trojan Man

Slide 17: Build Your Own Trojan
- Use a wrapper
- Give the program a nice name: FreeGame.exe, not EvilVirus.exe
- Email it to lots of people; spoof the source of the email, etc., etc.
- Problem: where are the victims?
- Solution: “notification” functionality; via email?

Slide 18: Related Attacks
- Phishing: email-based; can be fairly sophisticated/targeted
- URL obfuscation: evil site disguised as a legitimate website

Slide 19: Bots
- Designed for “economies of scale”: control many machines, not one at a time
- A botnet is controlled by a bot master, usually via IRC (but that is changing)
- Botnets of 100,000 or more machines
- Bot code is freely available: Phatbot (500+ variations), sdbot, mIRC bot
- Some high-quality code (Phatbot)

Slide 20: Botnet

Slide 21: Botnets
- Botnet functionality includes:
- DoS
- Vulnerability scanning
- Metamorphism
- Anonymizing HTTP proxy
- Email address collection/spamming
- Other?

Slide 22: Virtual Machine Detection
- Virtual machines are used to analyze bots (and other malware)
- Some bots try to detect a virtual machine
- What if a virtual machine is detected?
- Red Pill: execute SIDT and look at the IDTR location
- If non-virtual, the IDTR is at a low address
- If a virtual machine, the IDTR is at a high address
- What could be simpler than that?

Slide 23: Virtual Machine Detection
- Lots of other techniques
- Recent research shows system calls are a good indicator of a virtual machine
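From the analyst's side, the Red Pill check on the previous slide has a simple static fingerprint: the sample must contain an SIDT instruction (opcode 0F 01 with ModRM reg field 1). The following triage scanner is an added example, not code from the slides or from any tool they name; it flags SIDT along with its sister descriptor-table reads SGDT (0F 01 /0) and SLDT (0F 00 /0), which the slides do not mention, so a sandbox operator knows to expect evasion before running the sample. The byte buffer it scans is constructed.

```python
"""Scan a binary blob for SIDT/SGDT/SLDT, the descriptor-table reads behind
Red Pill-style virtual-machine detection.

Added example (not from the slides): an analyst's triage check that flags
samples which read descriptor-table registers. SAMPLE_CODE is constructed.
"""
from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int
    mnemonic: str
    raw: bytes


def find_descriptor_table_reads(code: bytes) -> List[Hit]:
    """Return offsets of SIDT/SGDT (0F 01 /1, /0) and SLDT (0F 00 /0).

    The ModRM byte follows the two opcode bytes: reg = bits 5..3 selects the
    instruction, mod = bits 7..6. SIDT and SGDT take a memory operand only, so
    mod == 0b11 encodes something else (e.g. VMCALL, MONITOR) and is skipped.
    Raw byte scanning can false-positive on data; confirm hits in a disassembler.
    """
    hits: List[Hit] = []
    i = 0
    while i + 2 < len(code):
        if code[i] == 0x0F and code[i + 1] in (0x00, 0x01):
            modrm = code[i + 2]
            mod = modrm >> 6
            reg = (modrm >> 3) & 0x7
            name = None
            if code[i + 1] == 0x01 and mod != 0b11:
                name = {0: "sgdt", 1: "sidt"}.get(reg)
            elif code[i + 1] == 0x00 and reg == 0:
                name = "sldt"
            if name:
                hits.append(Hit(i, name, bytes(code[i:i + 3])))
        i += 1
    return hits


# Constructed sample: a NOP, the classic Red Pill `sidt [ebx]` (0F 01 0B),
# an unrelated `mov eax, [ebx+5]` (8B 43 05), `sgdt [eax]` (0F 01 00),
# a VMCALL (0F 01 C1, mod=11, so not SIDT) and a RET.
SAMPLE_CODE = bytes.fromhex("90 0F 01 0B 8B 43 05 0F 01 00 0F 01 C1 C3")

if __name__ == "__main__":
    for hit in find_descriptor_table_reads(SAMPLE_CODE):
        print(f"offset {hit.offset:#06x}: {hit.mnemonic} ({hit.raw.hex(' ')})")
```

On real samples, run the scanner over the executable sections only and treat a hit as a prompt to read the surrounding code, since the same bytes can appear in tables or string data.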

Slide 24: Worms and Bots
- Worms: self-propagating malware
- A worm can be used to infect systems that then become part of a botnet

Slide 25: Spyware
- Software that spies on you
- Typically focused on one objective
- Usually a simple propagation method: the user installs it
- May be disguised as anti-spyware
- May also use browser flaws

Slide 26: Spyware
- Capabilities of spyware:
- Web surfing statistics
- Personally identifiable information (PII)
- Customized advertising
- Customized filtering of searches
- Pop-up ads
- Keystroke logging

Slide 27: Defenses
- Defenses against application-level trojans/backdoors, bots, spyware:
- Antivirus, user education
- Look for unusual TCP/UDP ports
- Know your software (easier said than done!)
- Check hashes/fingerprints
- Better yet, use digital signatures
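"Look for unusual TCP/UDP ports" is the defense that catches the Netcat-style backdoor of slide 7. The script below is an added example, not code from the slides: it parses `ss -ltnp`-style output (the Linux iproute2 socket tool) and reports every listening TCP port that is not on a per-host allowlist. The sample output and the allowlist are constructed for the demonstration; on a real host the allowlist is the baseline an administrator records when the machine is known-good.

```python
"""Flag unexpected listening TCP ports from `ss -ltnp`-style output.

Added example (not from the slides). SAMPLE_SS_OUTPUT is constructed in the
column layout ss prints; EXPECTED_PORTS is a hypothetical per-host baseline.
"""
import re
import subprocess
from typing import List, NamedTuple, Optional, Set

# Constructed sample: sshd and cupsd are expected, the nc listener is not.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=901,fd=7))
LISTEN  0       1       0.0.0.0:12345        0.0.0.0:*          users:(("nc",pid=4242,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Hypothetical baseline: ports this host is expected to listen on.
EXPECTED_PORTS: Set[int] = {22, 631}


class Listener(NamedTuple):
    port: int
    address: str
    process: str  # "unknown" when ss could not resolve it (needs root)


_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss_listeners(text: str) -> List[Listener]:
    """Parse LISTEN rows; the local address:port is the 4th column."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition handles [::]:22
        proc = "unknown"
        m = _PROC_RE.search(line)
        if m:
            proc = f"{m.group(1)}[{m.group(2)}]"
        listeners.append(Listener(int(port), addr, proc))
    return listeners


def unexpected_listeners(listeners: List[Listener],
                         expected: Set[int] = EXPECTED_PORTS) -> List[Listener]:
    """Listeners on ports outside the allowlist, one entry per (port, process)."""
    seen = set()
    out = []
    for lst in listeners:
        if lst.port in expected:
            continue
        key = (lst.port, lst.process)
        if key not in seen:
            seen.add(key)
            out.append(lst)
    return out


def live_ss_output() -> Optional[str]:
    """Run ss on the local host; None if the tool is unavailable."""
    try:
        return subprocess.run(["ss", "-ltnp"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    text = live_ss_output() or SAMPLE_SS_OUTPUT
    for lst in unexpected_listeners(parse_ss_listeners(text)):
        print(f"UNEXPECTED listener: port {lst.port} on {lst.address} ({lst.process})")
```

The check is only as honest as the tool that produces the socket list: slide 32 notes that a user-mode rootkit may replace netstat to lie about ports in use, so the same listing should periodically be confirmed from outside the host with a port scan of your own machine.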

Slide 28: Defenses
- An MD5 hash is NOT a “signature”, regardless of the “signatures” line

Slide 29: User-Mode Rootkits
- Application-level backdoors: separate applications; relatively easy to detect
- User-mode rootkits: more insidious; modify OS software/libraries

Slide 30: User-Mode Rootkits

Slide 31: User-Mode Rootkits
- Linux/UNIX example
- A “better” version would look the same

Slide 32: User-Mode Rootkits
- Linux/UNIX rootkits might replace…
- du: to lie about disk usage
- find: to hide the attacker’s files
- ls: to hide rootkit files
- netstat: to lie about ports in use
- ps: to hide processes
- syslogd: to not log the attacker’s actions

Slide 33: User-Mode Rootkits
- Windows rootkits are different
- They often alter the memory of running processes associated with the OS; e.g., make the OS “think” a port is not in use…
- Why this approach? Critical system files are difficult to change, but it is easy for one process to access another

Slide 34: User-Mode Rootkits
- In Windows, a rootkit “hooks” API calls
- The rootkit overwrites the API call to point to the attacker’s code
- The attack code calls the real function, then returns altered results to the caller of the hooked function
- The rootkit likely also includes a command shell backdoor

Slide 35: User-Mode Rootkits
- Windows rootkits might hook…
- NtQuerySystemInformation: hide running processes
- NtQueryDirectoryFile: hide files
- NtEnumerateKey: hide registry keys
- NtReadVirtualMemory: hide the hooked API calls themselves

Slide 36: Hacker Defender

Slide 37: Hacker Defender

Slide 38: AFX Windows Rootkit
- Creates a “cone of invisibility” for the rootkit

Slide 39: Cone of Silence

Slide 40: Defenses
- Defenses against user-mode rootkits:
- Don’t let the attacker get root access: good passwords, close ports, etc., etc.
- Employ file integrity/hash checking (Tripwire)
- Antivirus
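The "check hashes/fingerprints" advice of slide 27 and the Tripwire-style file integrity checking of this slide are the same mechanism: record a cryptographic digest of every system file while the host is known-good, then re-hash later and diff. The program below is an added example, not the slides' material and not Tripwire's own code. It walks a directory tree, builds a SHA-256 baseline, and reports files added, removed or modified, which is exactly how a trojaned `ls` or `ps` from slide 32 shows up. The file tree in `demo()` is constructed in a temporary directory.

```python
"""Tripwire-style file integrity check: hash a tree, save a baseline, diff later.

Added example, not from the slides and not Tripwire's code. The baseline must be
kept off the monitored host (read-only media or a remote store): an attacker
with root can otherwise rewrite the baseline along with the files.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, NamedTuple, Set


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each regular file (path relative to root, '/'-separated) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # only regular files; symlinks are skipped here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


class Report(NamedTuple):
    added: Set[str]
    removed: Set[str]
    modified: Set[str]


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Report:
    """Diff two baselines: new paths, vanished paths, and changed digests."""
    old, new = set(baseline), set(current)
    modified = {p for p in old & new if baseline[p] != current[p]}
    return Report(added=new - old, removed=old - new, modified=modified)


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True, indent=1)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


def demo() -> Report:
    """Constructed scenario: baseline a small tree, then replace one binary,
    drop in a hidden file and delete a log; compare() should find all three."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "var", "log"))
        for rel, data in {"bin/ls": b"ELF original ls",
                          "bin/ps": b"ELF original ps",
                          "var/log/auth.log": b"login ok\n"}.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"ELF rootkit ls")                       # modified
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"backdoor")                             # added
        os.remove(os.path.join(root, "var", "log", "auth.log"))  # removed
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    report = demo()
    for label, paths in zip(("added", "removed", "modified"), report):
        for p in sorted(paths):
            print(f"{label:9s} {p}")
```

Slide 28's point carries over unchanged: a digest tells you the file differs from the baseline, not who produced either version; authenticity of the baseline itself comes from where it is stored and from a digital signature over it, not from the hash.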

Slide 41: Kernel-Mode Rootkits
- The kernel is the heart of the OS
- User-mode rootkit: alters the administrator’s eyes and ears
- Kernel-mode rootkit: alters part of the administrator’s brain
- “If the kernel cannot be trusted, you can trust nothing on the system”

Slide 42: Kernel-Mode Rootkits

Slide 43: Kernel-Mode Rootkit
- Execution redirection: calls to a certain app are mapped elsewhere; for example, map sshd to backdoor_sshd
- File hiding: you see only what the attacker wants you to
- Process hiding, network hiding, etc.

Slide 44: Kernel-Mode Rootkits
- Adore-ng: Linux kernel-mode rootkit
- Promiscuous mode hiding: smart enough to check whether promiscuous mode was set by the admin
- Process hiding: can cloak any process
- Kernel module hiding: Adore-ng hides itself

Slide 45: Kernel-Mode Rootkits
- Windows FU kernel-mode rootkit
- Pronounced “F” “U”, not “foo”, so it is OK to say “Windows FU”
- Created by “Fuzen”
- Consists of a special device driver: msdirectx.sys
- Hides processes, alters privileges, hides events, etc.

Slide 46: Defenses
- Install a kernel-mode rootkit on your own system? Good idea or bad idea?
- Bad idea…
- The attacker might understand the rootkit better than you do…
- Postmortem analysis is more difficult
- Multiple rootkits could be installed, in principle

Slide 47: Defenses
- Don’t let the attacker get root
- Control access to the kernel
- Use IDS: Systrace (by Niels Provos), CSA, Entercept
- Automated rootkit checkers:
- Chkrootkit: signature scan, hidden processes, file structure inconsistencies, …
- Rootkit Hunter, Rootkit Revealer: look for discrepancies between user mode and kernel mode
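The "hidden processes" test of chkrootkit and the discrepancy checks of Rootkit Hunter and RootkitRevealer share one idea: obtain the same fact from two paths and flag disagreement. The script below is an added example in that spirit, not the code of any of those tools. It compares the PIDs that `ps` reports with the numeric directories under /proc; a PID visible in /proc but absent from `ps` is exactly what a trojaned `ps` (slide 32) produces. The two views used in `demo()` are constructed; `live_cross_view()` runs the real comparison on a Linux host.

```python
"""Cross-view check for hidden processes: compare `ps` output with /proc.

Added example (not chkrootkit, Rootkit Hunter or RootkitRevealer code).
The views in demo() are constructed; live_cross_view() queries the local host.
"""
import os
import subprocess
from typing import Iterable, NamedTuple, Set


class Discrepancy(NamedTuple):
    hidden_from_ps: Set[int]   # present in /proc, absent from ps: investigate
    missing_in_proc: Set[int]  # present in ps, absent from /proc: usually a race


def pids_from_ps_output(text: str) -> Set[int]:
    """Parse `ps -e -o pid=` output (one PID per line, header suppressed)."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def pids_from_proc_listing(entries: Iterable[str]) -> Set[int]:
    """Numeric directory names under /proc are PIDs; ignore cpuinfo, self, etc."""
    return {int(e) for e in entries if e.isdigit()}


def cross_view(ps_pids: Set[int], proc_pids: Set[int], self_pid: int) -> Discrepancy:
    """Diff the two views, ignoring this checker's own transient PID."""
    ps_pids = ps_pids - {self_pid}
    proc_pids = proc_pids - {self_pid}
    return Discrepancy(hidden_from_ps=proc_pids - ps_pids,
                       missing_in_proc=ps_pids - proc_pids)


def live_cross_view() -> Discrepancy:
    """Run the check on the local Linux host (requires ps and /proc)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return cross_view(pids_from_ps_output(out),
                      pids_from_proc_listing(os.listdir("/proc")),
                      os.getpid())


def demo() -> Discrepancy:
    """Constructed views: PID 4242 exists in /proc but a trojaned ps omits it."""
    ps_text = "    1\n  812\n  901\n 31337\n"
    proc_entries = ["1", "812", "901", "4242", "31337", "self", "cpuinfo", "meminfo"]
    return cross_view(pids_from_ps_output(ps_text),
                      pids_from_proc_listing(proc_entries), self_pid=31337)


if __name__ == "__main__":
    d = demo()
    print("hidden from ps:", sorted(d.hidden_from_ps))
    print("missing in /proc:", sorted(d.missing_in_proc))
```

A kernel-mode rootkit that filters /proc as well as `ps` defeats this check, which is the point of slide 41 and of the next slide's advice to boot from clean media before trusting any view from the running system.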

Slide 48: Defenses
- File integrity check
- Antivirus
- Boot from CD for analysis
- Note: some antivirus will flag rootkit checkers

Slide 49: Conclusions

Slide 50: Summary