Published by Jonas Godley. Modified over 9 years ago.
Remote Controlled Agent
Avital Yachin, Ran Didi
SoftLab – June 2006
Background
To what risks are we exposed?
System integration
Data theft
Distributed Denial of Service
Current protection methods:
Signature based
Heuristic
Firewalls
Others (sandboxes, ad-hoc tools)
Project Goal
Exploring current protection methods.
Test the effectiveness of a standard protection scheme against:
Remote code execution
Remote configuration of an agent
Remote uninstall of an agent
Challenges
Automated detection
Human detection
Firewalls
Restricted users (non-Admin)
Scalability
Persistency
System Description
Normal Operation
Agent and Server exchange (CMDFILE, Executable):
Agent: request commands file
Server: send commands file
Agent: parse commands file
Agent: request executable
Server: send executable
Agent: run executable
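The poll-then-fetch cycle on this slide is also what a defender can look for in web-proxy logs. The following is an added example, not part of the presentation or the authors' agent: it parses constructed proxy log lines (assumed layout: timestamp, client, method, URL, bytes) and flags client/host pairs that repeatedly request a small file and then an executable from the same server at a regular interval.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the presentation). Assumed layout per line:
# ISO-timestamp client method url bytes
SAMPLE_LOG = """\
2006-06-01T10:00:00 10.0.0.5 GET http://c2.example.test/cmdfile 512
2006-06-01T10:00:01 10.0.0.5 GET http://c2.example.test/payload.exe 204800
2006-06-01T10:05:00 10.0.0.5 GET http://c2.example.test/cmdfile 512
2006-06-01T10:05:01 10.0.0.5 GET http://c2.example.test/payload.exe 204800
2006-06-01T10:10:00 10.0.0.5 GET http://c2.example.test/cmdfile 512
2006-06-01T10:10:01 10.0.0.5 GET http://c2.example.test/payload.exe 204800
2006-06-01T10:02:13 10.0.0.7 GET http://news.example.test/index.html 40211
"""
LINE_RE = re.compile(r"^(\S+) (\S+) \S+ (https?://([^/\s]+)\S*) \d+$")

def parse_log(text):
    """Return (timestamp, client, url, host) per well-formed line; others are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, url, host = m.groups()
            events.append((datetime.fromisoformat(ts), client, url, host))
    return events

def find_beacons(text, fetch_window=5, min_cycles=3, max_jitter=30):
    """A cycle is a non-.exe GET followed within fetch_window seconds by a .exe GET from
    the same client to the same host (slide 6: fetch commands file, then fetch executable).
    Report pairs with >= min_cycles cycles whose spacing varies by at most max_jitter s.
    The .exe suffix is a weak indicator; key on Content-Type or magic bytes in practice."""
    by_pair = defaultdict(list)
    for ev in parse_log(text):
        by_pair[(ev[1], ev[3])].append(ev)
    findings = []
    for (client, host), evs in sorted(by_pair.items()):
        evs.sort(key=lambda e: e[0])
        cycles = []
        for a, b in zip(evs, evs[1:]):
            gap = (b[0] - a[0]).total_seconds()
            if (not a[2].lower().endswith(".exe") and b[2].lower().endswith(".exe")
                    and gap <= fetch_window):
                cycles.append(a[0])
        if len(cycles) >= min_cycles:
            periods = [(t2 - t1).total_seconds() for t1, t2 in zip(cycles, cycles[1:])]
            if max(periods) - min(periods) <= max_jitter:
                findings.append({"client": client, "host": host, "cycles": len(cycles),
                                 "period_s": sum(periods) / len(periods)})
    return findings
```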
Install Phase
Extract files to disk
Inject runtime image into a system process (spooler.exe), or into a user process (explorer.exe) if non-Admin
Delete unnecessary files
Components: Loader, Injection Library, Runtime Image
Un-Install Phase
Extract files to disk
Eject runtime image from the host process (spooler.exe or explorer.exe)
Delete unnecessary files
Components: Loader, Injection Library, Runtime Image
Points of interest
Standard Win32 APIs / C.
Code injection (operation within the context of a trusted process).
Standard HTTP communication.
Storing required components as binary resources in the loader and extracting them on-the-fly.
Points of interest - continued
Clean un-install (ADS).
UPX packing.
Social Engineering (harder human detection).
Conclusions
Standard protection schemes can be easily bypassed.
Detection is very difficult for a low-footprint operation.
New protection schemes should protect processes from code injection.
New protection approaches?
Demo