Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 TCP/IP Perversion Rares Stefan, Third Brigade Inc. SecTor 2007.

Published byAnissa Sharp Modified over 9 years ago

Similar presentations

Presentation on theme: "1 TCP/IP Perversion Rares Stefan, Third Brigade Inc. SecTor 2007."— Presentation transcript:

1 1 TCP/IP Perversion Rares Stefan, Third Brigade Inc. SecTor 2007

2 2 Introduction Perspective from a researcher focused on protecting hosts from malware Perspective from a researcher focused on protecting hosts from malware Implementing kernel-based protection mechanisms Implementing kernel-based protection mechanisms Insight into a potential class of network driver malware Insight into a potential class of network driver malware

3 3 The Rise of Silent Malware Three main areas of interest in malware R&D: Three main areas of interest in malware R&D: Delivery and activation Delivery and activation Hiding presence - rootkit techniques Hiding presence - rootkit techniques Evasion - Minimize operating noise Evasion - Minimize operating noise Show no signs of activity on the infected system Show no signs of activity on the infected system Show no traces of network activity on the wire Show no traces of network activity on the wire

4 4 Operational Challenges Operate on wire data Operate on wire data Active at a layer that guarantees transparency to the host Active at a layer that guarantees transparency to the host Correctly perform inline IP reassembly and TCP stream reassembly Correctly perform inline IP reassembly and TCP stream reassembly Allow for arbitrary injection/removal of data in TCP sessions Allow for arbitrary injection/removal of data in TCP sessions

5 5 Operational Challenges…part deux Maintain silence on the host: Maintain silence on the host: Never initiate TCP sessions Never initiate TCP sessions Never receive TCP open-session requests Never receive TCP open-session requests Do not rely on TCP port splicing if the infected host is a server Do not rely on TCP port splicing if the infected host is a server Do not rely on static motherships if the infected host is a workstation Do not rely on static motherships if the infected host is a workstation Packet modifications should not be easily visible in local network traces Packet modifications should not be easily visible in local network traces

6 6 Operational Challenges…part trois Maintain silence on the wire Maintain silence on the wire Only make use of legitimate TCP sessions Only make use of legitimate TCP sessions Do not alter protocol semantics - resistance to network anomaly detection engines Do not alter protocol semantics - resistance to network anomaly detection engines Piggyback on encrypted channels (SSL) and multiple TCP sessions for large data transfers Piggyback on encrypted channels (SSL) and multiple TCP sessions for large data transfers

7 7 Miniport driver NDISNDIS.SYS Intermediate driver PF hook FW hook TDI User Land TCP/IP Driver Implementation Pre-Vista Never Access to data stream, not packets Some interesting areas No guaranteed access to outbound payload NDIS hooking - Some delivery challenges - Most flexibility - Driver signing issues - Complete control over hardware drivers to transport protocol communications

8 8 Rogue Network Driver Framework Firewall hook kernel module for basic packet header operations Firewall hook kernel module for basic packet header operations IM Filter driver: IM Filter driver: Inline IP reassembly Inline IP reassembly Inline TCP stream reassembly Inline TCP stream reassembly TCP session normalization TCP session normalization

9 9 Packet Header Modifications

10 10 Infected Workstation BOB ALICE server DNAT – DstIP_server -> DstIP_Bob SNAT/DNAT – SrcIP_Alice -> SrcIP_Bob DstIP_Bob -> dstIP_server Translated request reaches server https://server 10.0.1.124 10.0.1.26

11 11 Infected Workstation BOB ALICE server DNAT – DstIP_server -> DstIP_Bob SNAT/DNAT – SrcIP_Alice -> SrcIP_Bob DstIP_Bob -> dstIP_server Translated request reaches server https://server 10.0.1.124 10.0.1.26

12 12 Infected Server ALICE Server https://server https request served telnet server:80 Selective DN(P)AT: SrcIP_Alice  SrcIP_server Dst_Port_443  DstPort_135

13 13 Infected Server ALICE Server https://server https request served telnet server:80 Selective DN(P)AT: SrcIP_Alice  SrcIP_server Dst_Port_443  DstPort_135

14 14 Packet Header Opportunities Passive covert channels Passive covert channels http://www.invisiblethings.org/papers/passive-covert-channels-linux.pdf http://www.invisiblethings.org/papers/passive-covert-channels-linux.pdf http://www.ouah.org/neural_networks_vs_NUSHU.pdf http://www.ouah.org/neural_networks_vs_NUSHU.pdf http://staff.science.uva.nl/~delaat/snb-2005-2006/p27/report.pdf http://staff.science.uva.nl/~delaat/snb-2005-2006/p27/report.pdf Port splicing Port splicing Most significant; communicating the original intent: Most significant; communicating the original intent: DNAT on outgoing SYN – change destination address to that of the MIM DNAT on outgoing SYN – change destination address to that of the MIM Insert original dstIP in header fields Insert original dstIP in header fields MIM double NAT MIM double NAT

15 15 Why Payload Injection? Access to packet data Access to packet data High bandwidth channel High bandwidth channel Bypass application proxies Bypass application proxies Altering TCP data length on the wire is not trivial! Altering TCP data length on the wire is not trivial!

16 16 Inline Injection Support for IP reassembly on incoming traffic and IP fragmentation on outbound traffic Support for IP reassembly on incoming traffic and IP fragmentation on outbound traffic Support for TCP stream reassembly – datagram reordering, injection of acknowledgements and resets, among other things Support for TCP stream reassembly – datagram reordering, injection of acknowledgements and resets, among other things

17 17 Inline TCP Reassembly Maintain two edges (pre and post modification): Maintain two edges (pre and post modification): ISN ISN MaxSeq MaxSeq MaxAck MaxAck Window Window Maximum SeqNo of Filtered Data Maximum SeqNo of Filtered Data Maximum AckNo of Filtered Data Maximum AckNo of Filtered Data Queue/counter for non Ack-ed datagrams Queue/counter for non Ack-ed datagrams Queue/counter for not sent datagrams Queue/counter for not sent datagrams Needed Window Scale Needed Window Scale Actual Window Scale Actual Window Scale

18 18 SMTP Injection – Eliminating Bob from the Equation Reduces the complexity of MIM and random redirection Reduces the complexity of MIM and random redirection Works with application level proxies Works with application level proxies Replace RCPT TO argument or inject additional RCPT TO (BCC) Replace RCPT TO argument or inject additional RCPT TO (BCC) Increases the probability detection – SMTP server logs Increases the probability detection – SMTP server logs

19 19 SMTP Injection BOB SMTP Server Alice Sends Bob message Driver injects BCC to Eva Eva So does Eva Bob receives original message

20 20 SMTP Injection Demo Vid1

21 21

22 22

23 23 HTTP Injection TCP Headers useless – need to find workaround TCP Headers useless – need to find workaround Easy workaround but we need to be careful: Easy workaround but we need to be careful: Transparent proxies (Initial HTTP request looks normal, so we’ll always assume we may be transparently “proxied”) Transparent proxies (Initial HTTP request looks normal, so we’ll always assume we may be transparently “proxied”) Direct proxies – easy to spot in HTTP(s) requests Direct proxies – easy to spot in HTTP(s) requests URI & Headers will help us redirect/leak data URI & Headers will help us redirect/leak data Make use of Authorization, Cookies headers – they won’t be scrubbed Make use of Authorization, Cookies headers – they won’t be scrubbed POST data also presents injection opportunities POST data also presents injection opportunities

24 24 HTTP Injection BOB ALICE http://www.google.com Web Proxy – Content Filtering Change request; Inject Data google.com

25 25 HTTP Injection BOB ALICE http://www.google.com Web Proxy – Content Filtering Change request; Inject Data google.com

26 26 BOB SSL Injection Demo https://somebank.com Perimeter Security Inject Data somebank.com ALICE

27 27 BOB SSL Injection Demo https://somebank.com Perimeter Security Inject Data somebank.com ALICE

28 28 SSL Alice – browser video

29 29 Detecting Network Driver Malware Conventional detection mechanisms Conventional detection mechanisms AV, AS signatures; configuration mgmt AV, AS signatures; configuration mgmt New detection mechanisms New detection mechanisms Traffic based detection? Traffic based detection? Malicious destinations, ISN analysis Malicious destinations, ISN analysis Network trace diff – local vs. remote Network trace diff – local vs. remote NDIS based sniffer for better visibility? NDIS based sniffer for better visibility? Other Other Host based application control ineffective Host based application control ineffective DLP? DLP? …

30 30 Conclusions Passive kernel malware difficult to spot Passive kernel malware difficult to spot There are significant implementation challenges for coders There are significant implementation challenges for coders Prevention remains key approach Prevention remains key approach

31 31 Thank You

32 32 Infected Workstation

33 33 Alice – Browser Capture

34 34 Alice-Bob Network Traces

35 35 Alice Driver_SNAT

36 36 Alice_SNAT

37 37 Back to Infected Workstation

38 38 Bob_Double_NAT

39 39 Bob_Double_NAT

40 40 Bob_Double_NAT

41 41 Bob_Double_NAT

42 42 Back to Infected Workstation

43 43 Infected Server

44 44 Server network trace

45 45 Server SNAT&DPAT

46 46 Back to Infected Server

47 47 HTTP Injection

48 48 Alice – browser video

49 49 Alice – network trace

50 50 Alice - original data

51 51 Alice – driver work

52 52 Alice – driver work

53 53 Alice – driver work

54 54 Alice – driver work

55 55 Back to HTTP Injection

56 56 Bob – driver work

57 57 Bob – modified request

58 58 Bob – driver work

59 59 Bob – driver work

60 60 Back to HTTP Injection

61 61 SSL Injection

62 62 Alice – original data

63 63 Post Insert – Wire Noise!

64 64 Alice – SSL clean

65 65 Back to SSL Injection

66 66 Bob – Post modification. Clean!!

67 67 Back to SSL Injection

Download ppt "1 TCP/IP Perversion Rares Stefan, Third Brigade Inc. SecTor 2007."

Similar presentations

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CCNA – Network Fundamentals

CCNA – Network Fundamentals
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
(4.4) Internet Protocols Layered approach to Internet Software 1.

(4.4) Internet Protocols Layered approach to Internet Software 1.
CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:

CS470, A.SelcukReal-Time Communication Issues1 Real-Time Communication Security IPsec & SSL Issues CS 470 Introduction to Applied Cryptography Instructor:
CCNA 1 v3.1 Module 11 Review.

CCNA 1 v3.1 Module 11 Review.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
CSEE W4140 Networking Laboratory Lecture 6: TCP and UDP Jong Yul Kim 03.01.2010.

CSEE W4140 Networking Laboratory Lecture 6: TCP and UDP Jong Yul Kim
Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.

Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.

Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
Chapter 4 OSI Transport Layer

Chapter 4 OSI Transport Layer
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

Similar presentations

Ads by Google