Maintaining Access


1 Maintaining Access Maintaining Access

2 In This Chapter…
- Trojans
- Backdoors
- Rootkits

3 Trojan Horses
- The original Trojan Horse
  - Used by Greeks attacking Troy
- Trojan rabbit
  - Monty Python and the Holy Grail
- Modern trojan horse
  - Software that appears to be something that it is not --- hidden malicious function

4 Trojan
- Perhaps most common form of malware
  - Any “innocent” program can be a trojan
- Example
  - Free DVD ripping software!
  - In reality, deleted content of hard drive
- Trojan could be much more clever…

5 Backdoors
- “Alternative” access to machine
  - Front door: username and password
  - Backdoor: unauthorized access
- Note: once backdoor is established, improved authentication is useless

6 Backdoor
- Suppose Trudy installs backdoor
- What’s next?
  - Trudy likely to “harden” system
  - Fix vulnerabilities, apply patches,…
- Why?
  - “0wned” system likely more “secure”
  - Trudy may use strong authentication!

7 Netcat Backdoor
- Install Netcat listener
  - Must compile Netcat with its GAPING_SECURITY_HOLE option
- In UNIX: nc victim_machine 12345
  - Starts Netcat in client mode, connecting to the listener on TCP port 12345
- No authentication required of attacker

8 Backdoors
- Trojan backdoor appears to be “good”
  - But actually installs backdoor
- Three types of trojans (soup analogy)
  - Application level: separate application
    - Trudy adds poison to your soup
  - User-mode rootkit: replace system stuff
    - Trudy switched potatoes for poisonous potatoes
  - Kernel-mode rootkit: OS itself is modified
    - Trudy replaces your tongue with “poison” tongue

9 Application Level Trojans
- Separate application
  - Gives attacker access
  - Most prevalent on Windows
- Remote-control backdoor
  - Can control system across network
  - Microsoft itself supposedly attacked in 2000

10 Remote-Control Backdoor

11 Remote-Control Backdoor
- Thousands of such backdoors
  - See
  - Some months, 50 or more released
  - Eventually, detectable by antivirus
- Popular remote-control tools
  - VNC, Dameware, Back Orifice, SubSeven

12 Remote-Control Backdoor Examples

13 Remote-Control Backdoor
- Functionality
  - Pop-up dialog box on victim’s machine
  - Log keystrokes
  - List system info
  - Collect passwords
  - Manipulate files (view, copy, …)
  - Modify registry settings or processes
  - Remotely accessible command shell
  - GUI “control”, video, audio, sniffers

14 BO2K

15 Remote-Control Backdoors
- Like a hammer…
  - In the right hands, useful tool
    - Administrator, white hat, …
  - In the wrong hands, can cause damage
    - Hacker, black hat, …

16 Build Your Own Trojan
- No programming skill required!
- Use “wrapper”
  - Attaches (evil) exe to another (nice) exe
- Wrappers include
  - Silk Rope
  - SaranWrap
  - EliteWrap
  - AFX File Lace
  - Trojan Man

17 Build Your Own Trojan
- Use a wrapper
- Give program a nice name
  - FreeGame.exe, not EvilVirus.exe
- Email it to lots of people
  - Spoof source of email, etc., etc.
- Problem: where are the victims?
- Solution: “notification” functionality
  - Via email?

18 Related Attacks
- Phishing
  - Email-based
  - Can be fairly sophisticated/targeted
- URL obfuscation
  - Evil site disguised as legitimate website

19 Bots
- Designed for “economies of scale”
  - Control many machines, not one at a time
- A botnet, controlled by a bot master
  - Usually via IRC (but that is changing)
  - Bots of 100,000 or more machines
- Bot code freely available
  - Phatbot (500+ variations), sdbot, mIRC bot
  - Some high-quality code (phatbot)

20 Botnet

21 Botnets
- Botnet functionality includes
  - DoS
  - Vulnerability scanning
  - Metamorphism
  - Anonymizing HTTP proxy
  - Email address collection/spamming
  - Other?

22 Virtual Machine Detection
- Virtual machines used to analyze bots
  - And other malware
- Some bots try to detect virtual machine
  - What if virtual machine is detected?
- Red Pill
  - Execute SIDT, look at IDTR location
  - If non-virtual then IDTR is at low address
  - If virtual machine then IDTR at high address
  - What could be simpler than that?

23 Virtual Machine Detection
- Lots of other techniques
- Recent research shows system calls a good indicator of virtual machine

24 Worms and Bots
- Worms --- self-propagating malware
- Can use worm to infect systems that become part of a botnet

25 Spyware
- Software that spies on you
  - Typically focused on one objective
- Usually simple propagation method
  - User installs it
  - May be disguised as anti-spyware
  - May also use browser flaws

26 Spyware
- Capabilities of spyware
  - Web surfing statistics
  - Personal identifiable information (PII)
  - Customized advertising
  - Customized filtering of searches
  - Pop-up ads
  - Keystroke logging

27 Defenses
- Defenses against application level trojans/backdoors, bots, spyware
  - Antivirus, user education
  - Look for unusual TCP/UDP ports
  - Know your software
    - Easier said than done!
  - Check hashes/fingerprints
    - Better yet, use digital signatures

28 Defenses
- MD5 hash NOT a “signature”
  - Regardless of the “signatures” line
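Slides 27 and 28 tell you to prefer a digital signature over the MD5 line on a download page: a checksum published next to the file only shows that the two agree with each other, and whoever can replace the file can replace the checksum too. The Go program below is an added illustration of that point, not code from the lecture or from any tool it names. With a constructed release and an Ed25519 key pair it shows that an attacker who swaps the file and recomputes the MD5 still passes the checksum check, but cannot produce a signature that verifies against the vendor's public key. The names Release, Publish, Tamper and NewVendorKey are ours; only the Go standard library is assumed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Release is what a download page offers: the file, the checksum line printed
// next to it, and (if the vendor bothers) a detached signature.  All values in
// this program are constructed for the example.
type Release struct {
	Data      []byte
	MD5Hex    string // checksum published on the same page as the file
	Signature []byte // ed25519 signature over Data, made with the vendor's private key
}

// NewVendorKey makes the vendor's signing key pair.  In real life the private
// half lives only on the release-signing machine, never on the web server.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish is the vendor side: compute the checksum and sign the file.
func Publish(priv ed25519.PrivateKey, data []byte) Release {
	sum := md5.Sum(data)
	return Release{Data: data, MD5Hex: hex.EncodeToString(sum[:]), Signature: ed25519.Sign(priv, data)}
}

// MD5Matches is the "compare the MD5 on the website" check.  It proves only that
// the file and the checksum agree with each other, not who produced them.
func MD5Matches(data []byte, md5Hex string) bool {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:]) == md5Hex
}

// SignatureValid checks the signature with a public key the verifier obtained
// independently of the download site (pinned in the updater, printed in the
// project's documentation, ...).  Without the private key nobody can make a
// signature that passes this check for a different file.
func SignatureValid(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

// Tamper models someone who controls the download server or a mirror: swap the
// file and recompute the checksum shown beside it.  Lacking the private key,
// the only signature they can republish is the old one.
func Tamper(r Release, replacement []byte) Release {
	sum := md5.Sum(replacement)
	return Release{Data: replacement, MD5Hex: hex.EncodeToString(sum[:]), Signature: r.Signature}
}

func main() {
	pub, priv := NewVendorKey()
	good := Publish(priv, []byte("constructed: genuine installer bytes"))
	bad := Tamper(good, []byte("constructed: trojaned installer bytes"))
	fmt.Printf("genuine:  md5 ok=%v  signature ok=%v\n",
		MD5Matches(good.Data, good.MD5Hex), SignatureValid(pub, good.Data, good.Signature))
	fmt.Printf("tampered: md5 ok=%v  signature ok=%v\n",
		MD5Matches(bad.Data, bad.MD5Hex), SignatureValid(pub, bad.Data, bad.Signature))
}
```

The same reasoning applies to SHA-256 in place of MD5: the problem on slide 28 is not the hash function but that a hash alone carries no proof of origin. A hash is useful when you got the reference value over a channel the attacker does not control, which is exactly what a signature verified with a pinned public key gives you.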

29 User-Mode Rootkits
- Application level backdoors
  - Separate applications
  - Relatively easy to detect
- User-mode rootkits
  - More insidious
  - Modify OS software/libraries

30 User-Mode Rootkits

31 User-Mode Rootkits
- Linux/UNIX example
- “Better” version would look the same

32 User-Mode Rootkits
- Linux/UNIX rootkits might replace…
  - du --- to lie about disk usage
  - find --- hide attacker’s files
  - ls --- hide rootkit files
  - netstat --- lie about ports in use
  - ps --- hide processes
  - syslogd --- don’t log attacker’s actions

33 User-Mode Rootkits
- Windows rootkits are different
  - Often alter memory of running processes associated with OS
  - E.g., make OS “think” port not in use…
- Why this approach?
  - Difficult to change critical system files
  - Easy for one process to access another

34 User-Mode Rootkits
- In Windows, rootkit “hooks” API calls
  - Rootkit overwrites API call to point to attacker’s code
  - Attack code calls real function, returns altered results to the caller of the hooked function
- Rootkit likely also includes command shell backdoor

35 User-Mode Rootkits
- Windows rootkits might hook…
  - NtQuerySystemInformation --- hide running processes
  - NtQueryDirectoryFile --- hide files
  - NtEnumerateKey --- hide registry keys
  - NtReadVirtualMemory --- hide hooked API calls

36 Hacker Defender

37 Hacker Defender

38 AFX Windows Rootkit
- Creates “cone of invisibility” for rootkit

39 Cone of Silence

40 Defenses
- Defenses against user-mode rootkits
  - Don’t let attacker get root access
    - Good pwds, close ports, etc., etc.
  - Employ file integrity/hash checking
    - Tripwire
  - Antivirus

41 Kernel-Mode Rootkits
- Kernel is heart of OS
- User-mode rootkit
  - Alters administrator’s eyes and ears
- Kernel-mode rootkit
  - Alters part of administrator’s brain
  - “If the kernel cannot be trusted, you can trust nothing on the system”

42 Kernel-Mode Rootkits

43 Kernel-Mode Rootkit
- Execution redirection
  - Calls to certain app mapped elsewhere
  - For example, map sshd to backdoor_sshd
- File hiding
  - You see only what attacker wants you to
- Process hiding, network hiding, etc.

44 Kernel-Mode Rootkits
- Adore-ng: Linux Kernel-Mode Rootkit
  - Promiscuous mode hiding: smart enough to check whether promiscuous mode was enabled by the admin
  - Process hiding: can cloak any process
  - Kernel module hiding: Adore-ng hides itself

45 Kernel-Mode Rootkits
- Windows FU Kernel-Mode Rootkit
  - Pronounced “F” “U”, not “foo”
    - So it is OK to say “Windows FU”
  - Created by “Fuzen”
  - Consists of special device driver: msdirectx.sys
  - Hide processes, alter privilege, hides events, etc.

46 Defenses
- Install kernel-mode rootkit on your own system?
  - Good idea or bad idea?
- Bad idea…
  - Attacker might understand rootkit better than you do…
  - Postmortem analysis more difficult
  - Multiple rootkits could be installed, in principle

47 Defenses
- Don’t let attacker get root
- Control access to kernel
  - Systrace (by Niels Provos), CSA, Entercept
- Use IDS
- Automated rootkit checkers
  - Chkrootkit: signature scan, hidden processes, file structure inconsistencies,…
  - Rootkit Hunter, Rootkit Revealer: look for discrepancies between user mode/kernel mode
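The "discrepancies between views" idea behind chkrootkit's hidden-process check and Rootkit Revealer can be shown on a small scale. The Go program below is an added illustration, not code from those tools or from the lecture: it takes two independent views of the Linux process table, the /proc listing that ps and top read, and a direct kernel probe of every pid with signal 0 (which delivers nothing but reports whether the process exists). A user-mode rootkit that only doctors ps or the directory listing (slide 32) leaves pids that answer the probe but are missing from the listing. Function names are ours; the probe assumes a Linux procfs for the full scan, while the Hidden diff itself is platform independent, and only the Go standard library is used. The caveat from slide 41 applies: a kernel rootkit that filters both the directory listing and the signal path is invisible to this check, which is why the Windows tools on the slide compare user-mode answers against raw kernel structures instead.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
	"syscall"
)

// ListedPids is the "eyes and ears" view: the numeric entries of /proc, which
// is where ps, top and friends get their process list.  A replaced ps, a
// hooked readdir, or a kernel rootkit filtering the directory all make a
// process disappear from this view.
func ListedPids() (map[int]bool, error) {
	entries, err := os.ReadDir("/proc")
	if err != nil {
		return nil, err // no procfs here
	}
	seen := map[int]bool{}
	for _, e := range entries {
		if pid, err := strconv.Atoi(e.Name()); err == nil && e.IsDir() {
			seen[pid] = true
		}
	}
	return seen, nil
}

// ProbePids asks the kernel about each candidate pid through a different path:
// signal 0 is never delivered but tells us whether the pid is in use.
// "Operation not permitted" still means the process exists; only "process
// already finished" (ESRCH underneath) means it does not.
func ProbePids(pids []int) map[int]bool {
	alive := map[int]bool{}
	for _, pid := range pids {
		p, err := os.FindProcess(pid)
		if err != nil {
			continue // non-Unix platforms may refuse a handle; treat as unknown
		}
		err = p.Signal(syscall.Signal(0))
		if err == nil || !errors.Is(err, os.ErrProcessDone) {
			alive[pid] = true
		}
	}
	return alive
}

// Hidden returns pids the probe confirmed but the listing did not show, in
// ascending order: the cross-view discrepancy rootkit checkers look for.
func Hidden(listed, probed map[int]bool) []int {
	var out []int
	for pid := range probed {
		if !listed[pid] {
			out = append(out, pid)
		}
	}
	sort.Ints(out)
	return out
}

// pidMax reads the kernel's pid ceiling, falling back to the classic default.
func pidMax() int {
	b, err := os.ReadFile("/proc/sys/kernel/pid_max")
	if err != nil {
		return 32768
	}
	if n, err := strconv.Atoi(strings.TrimSpace(string(b))); err == nil {
		return n
	}
	return 32768
}

func main() {
	listed, err := ListedPids()
	if err != nil {
		fmt.Println("full scan needs a Linux /proc:", err)
		return
	}
	limit := pidMax()
	all := make([]int, 0, limit)
	for pid := 1; pid <= limit; pid++ {
		all = append(all, pid)
	}
	// First pass over the whole pid range, then a second pass restricted to the
	// candidates, so a process that merely started or exited mid-scan is not
	// reported as hidden.
	candidates := Hidden(listed, ProbePids(all))
	listed, _ = ListedPids()
	confirmed := Hidden(listed, ProbePids(candidates))
	fmt.Println("pids that answer the kernel but are missing from /proc:", confirmed)
}
```

Run it as root so that the /proc listing is complete on hardened kernels (hidepid mount options hide other users' entries legitimately, which would otherwise show up as discrepancies). The same two-pass structure transfers to the other checks on the slide: take two views through unrelated code paths, diff them, and re-check the difference before calling it a finding.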

48 Defenses
- File integrity check
- Antivirus
  - Note: some antivirus will flag rootkit checkers
- Boot from CD for analysis
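Slides 27, 40 and 48 all come back to file integrity checking (Tripwire) and to doing the analysis from clean media. The Go program below is an added, minimal version of that idea, not Tripwire's code or anything from the lecture: it hashes every regular file under a directory into a baseline, then reports files added, removed or modified against it, using a constructed scratch tree for the demo. The type and function names are ours and only the Go standard library is assumed. Two things the program cannot do for you: the baseline has to be taken from a known-good install and kept off the host, since a baseline stored on the monitored system is at the mercy of the same rootkit it is meant to catch; and the comparison is only as honest as the kernel and libraries reading the disk, which is the reason slide 48 says to boot from CD.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Snapshot maps each regular file (slash-separated path relative to the root) to the hex SHA-256 of its contents.
type Snapshot map[string]string

// TakeSnapshot walks root and hashes every regular file.  Take the trusted
// baseline right after installation from known-good media; take the second
// snapshot at audit time, ideally with the disk mounted from a clean boot.
func TakeSnapshot(root string) (Snapshot, error) {
	snap := Snapshot{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // propagate walk errors; skip directories, symlinks, devices
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sum, err := hashFile(path)
		if err != nil {
			return err
		}
		snap[filepath.ToSlash(rel)] = sum
		return nil
	})
	return snap, err
}

// hashFile streams a file through SHA-256 so large binaries are not read whole.
func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Report lists how the current state differs from the trusted baseline:
// Added (e.g. a dropped backdoor), Removed (e.g. a deleted log daemon),
// Modified (e.g. a replaced ls).
type Report struct{ Added, Removed, Modified []string }

// Compare diffs two snapshots.  Output is sorted so reports are stable.
func Compare(trusted, current Snapshot) Report {
	var r Report
	for path, sum := range trusted {
		cur, ok := current[path]
		switch {
		case !ok:
			r.Removed = append(r.Removed, path)
		case cur != sum:
			r.Modified = append(r.Modified, path)
		}
	}
	for path := range current {
		if _, ok := trusted[path]; !ok {
			r.Added = append(r.Added, path)
		}
	}
	sort.Strings(r.Added)
	sort.Strings(r.Removed)
	sort.Strings(r.Modified)
	return r
}

func main() {
	// Stand-alone demo on a constructed scratch tree; in real use the first
	// snapshot comes from known-good media and the second from the audit.
	dir, err := os.MkdirTemp("", "integrity-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	os.Mkdir(dir+"/bin", 0o755)
	os.WriteFile(dir+"/bin/ls", []byte("ls v1"), 0o755)
	os.WriteFile(dir+"/bin/ps", []byte("ps v1"), 0o755)
	trusted, _ := TakeSnapshot(dir)
	os.WriteFile(dir+"/bin/ls", []byte("ls, trojaned"), 0o755) // replaced binary
	os.WriteFile(dir+"/bin/evil", []byte("backdoor"), 0o755)   // dropped file
	os.Remove(dir + "/bin/ps")                                  // deleted tool
	current, _ := TakeSnapshot(dir)
	fmt.Printf("%+v\n", Compare(trusted, current))
}
```

A real deployment adds what the toy leaves out: ownership, permissions and mtime alongside the hash, an exclusion list for files that legitimately change (logs, spool directories), and a signed or read-only baseline so the report itself cannot be edited by the intruder.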

49 Conclusions

50 Summary

