[Figure: idle ("scapegoat") scan. The attacker probes the scapegoat and reads IP-ID = 5 from its reply (ACK). The attacker then sends a SYN to the target with the scapegoat's address as source. The target answers the scapegoat with a SYN-ACK, and the scapegoat, which never asked for a connection, answers with a reset. The attacker probes the scapegoat again and reads IP-ID = 7.
Aha: the scapegoat's IP-ID advanced by two instead of one, so the scapegoat must have sent a reset, i.e. the target replied with a SYN-ACK and the probed port is open.]
Virus: The Principle
Virus attaches itself to a host that can
execute instructions contained in the
virus.
When the host is invoked, the virus
copies itself to other locations on the
system.
Executables
Companion Infection Technique
The OS calls the virus when the user requests the companion file.
Windows:
The virus is stored as Notepad.com next to Notepad.exe.
Set the hidden attribute so that the virus file is not seen.
The virus launches the true Notepad.exe when it runs, so the user notices nothing.
If the user selects Start > Run and types notepad, Windows starts the virus: when a bare name is resolved, .com is tried before .exe, so Notepad.com runs instead of Notepad.exe.
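The name-resolution order that makes the .com companion win, as an added example (not code from the lecture): a small model of how Windows resolves a bare command name through PATHEXT, applied to a constructed system32 listing, plus the defender's check for .com files shadowing an .exe of the same name. The PATHEXT order, directory contents and paths are assumptions for illustration.

```python
"""Model of Windows command-name resolution and the companion (.COM) trick.

Added example for these lecture notes, not code from the slides. Windows
resolves a bare name typed into Start > Run or cmd.exe by trying the
extensions listed in PATHEXT in order, and .COM comes before .EXE, so a
NOTEPAD.COM dropped beside NOTEPAD.EXE is what actually runs. The directory
contents and PATH below are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Leading entries of PATHEXT on classic Windows NT / 2000 (assumed default).
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD")

SYSTEM32 = r"C:\WINNT\system32"

# Constructed directory listings: clean machine vs. machine with a companion.
CLEAN_LISTING = {SYSTEM32: ["notepad.exe", "cmd.exe"]}
INFECTED_LISTING = {SYSTEM32: ["notepad.exe", "notepad.com", "cmd.exe"]}


def resolve_command(name: str, path_dirs: List[str],
                    listing: Dict[str, List[str]],
                    pathext: Tuple[str, ...] = DEFAULT_PATHEXT) -> Optional[str]:
    """Return the path Windows would execute for `name`, or None if not found.

    Simplified model of the lookup: for each PATH directory in order, an exact
    (case-insensitive) match is taken first; otherwise each PATHEXT extension
    is appended and tried in order.
    """
    wanted = name.upper()
    for directory in path_dirs:
        files = {f.upper(): f for f in listing.get(directory, [])}
        if wanted in files:
            return directory + "\\" + files[wanted]
        for ext in pathext:
            if wanted + ext in files:
                return directory + "\\" + files[wanted + ext]
    return None


def find_companions(listing: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Defender's check: list (companion, shadowed) pairs where a .COM file
    shares its base name with an .EXE in the same directory."""
    hits = []
    for directory, names in listing.items():
        upper = {n.upper(): n for n in names}
        for u, original in upper.items():
            if u.endswith(".COM") and u[:-4] + ".EXE" in upper:
                hits.append((directory + "\\" + original,
                             directory + "\\" + upper[u[:-4] + ".EXE"]))
    return sorted(hits)
```

Typing the full name `notepad.exe` bypasses the companion, which is why the technique relies on users (and shortcuts) using the bare name; the companion check above is the kind of thing an integrity scan can run over every directory in PATH.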
Executables
Companion Infection Technique
Windows:
The virus renames Notepad.exe to Notepad.ex_ and hides it.
The virus takes the place of Notepad.exe.
This also works when Notepad is started through a shortcut.
Used in the Trilisa virus / worm (2002)
Executables
Companion Infection Technique
The virus uses the alternate data stream (ADS) feature of NTFS:
A file's streams look like one file in Explorer and directory listings.
The system executes the default (unnamed) stream, which now holds the virus.
The virus then runs the original program from the alternate stream.
Win2K.Stream virus (2000)
Executables
Overwriting Techniques
The virus replaces part of an executable.
Usually the executable loses functionality.
Users will notice that something is wrong.
Prepending Techniques
The virus is placed in front of the executable.
After the virus executes, the host program is called.
Very easy for .com files (flat binaries loaded at a fixed offset).
Easy to clean: strip the virus and the original is back.
The Bliss virus (Linux, 1997) had a disinfect mode built into it.
Used by the NIMDA worm (2001).
Executables
Appending Infection Technique
The virus inserts itself at the end of the host file.
The entry point (or a jump at the beginning of the host) is redirected to the virus, which jumps back to the original code when it is done.
Stealth Techniques for Prepending and Appending:
Compress the host.
When the virus calls the host, the host is uncompressed into RAM.
Pad the total package (virus, compressed host) to the same size as the original host.
Choose the filler so that the checksum is not changed.
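The size-and-checksum stealth trick above, worked through as an added example (not from the lecture and not a real infector): the host is compressed, a placeholder stub is prepended, and the package is padded back to the host's original length with a filler computed so that a simple additive checksum is unchanged. The 16-bit byte-sum checksum, the STUB bytes and the HOST bytes are constructed assumptions; a cryptographic hash is shown to catch the change that the checksum misses.

```python
"""Stealth padding for a compressed-host infector, as an added example (not
from the lecture). It shows the trick the slides describe: compress the host,
prepend a stub, and pad the package back to the host's original size with a
filler chosen so that a simple checksum is unchanged. The checksum modelled
here is a 16-bit byte sum (an assumption; real integrity checkers differ), and
STUB and HOST are constructed placeholders, not real code.
"""
import hashlib
import struct
import zlib

STUB = b"STUB-STANDS-IN-FOR-VIRUS-CODE"          # constructed placeholder
HOST = b"MZ" + b"original program text " * 400   # constructed, compressible host


def checksum16(data: bytes) -> int:
    """Additive 16-bit checksum: byte sum modulo 2**16."""
    return sum(data) & 0xFFFF


def make_filler(length: int, wanted_sum: int) -> bytes:
    """Return `length` bytes whose checksum16 equals wanted_sum.

    Any 16-bit residue can be reached with at most 257 bytes of 0xFF plus one
    remainder byte, so 258 filler bytes always suffice.
    """
    wanted_sum &= 0xFFFF
    if length < 258:
        raise ValueError("need at least 258 filler bytes")
    full, rest = divmod(wanted_sum, 255)
    filler = bytearray(length)          # zero bytes add nothing to the sum
    filler[:full] = b"\xff" * full
    filler[full] = rest
    return bytes(filler)


def build_package(host: bytes) -> bytes:
    """stub | length | zlib(host) | filler, same length and checksum16 as host."""
    compressed = zlib.compress(host, 9)
    header = STUB + struct.pack(">I", len(compressed))
    filler_len = len(host) - len(header) - len(compressed)
    if filler_len < 258:
        raise ValueError("host too small or not compressible enough to hide in")
    body = header + compressed
    filler = make_filler(filler_len, checksum16(host) - checksum16(body))
    return body + filler


def run_host(package: bytes) -> bytes:
    """What the stub does at run time: decompress the host into RAM and hand over."""
    if not package.startswith(STUB):
        raise ValueError("not a package built by build_package")
    offset = len(STUB)
    (clen,) = struct.unpack(">I", package[offset:offset + 4])
    offset += 4
    return zlib.decompress(package[offset:offset + clen])


def same_sha256(a: bytes, b: bytes) -> bool:
    """A cryptographic hash is not fooled by the filler trick."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()
```

The package passes a length check and the additive checksum but not a SHA-256 comparison, which is the point of the integrity-verification defense later in these notes: the baseline must use a collision-resistant hash, not a checksum.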
Boot Sector Modification
Target the Master Boot Record (MBR) or the Partition Boot Sector.
Michelangelo Virus (1991):
Moves the original MBR elsewhere on the disk and replaces the bootstrap code with itself.
At boot, the virus first loads itself into memory, then passes control to the original MBR boot sector.
Places itself into the boot sector of every floppy that is accessed.
The memory-resident copy of the virus hooks the low-level BIOS disk services (INT 13h) and gets called whenever these are executed.
Can no longer spread under WinNT, Win2K, WinXP, which do not go through the BIOS for disk access; it can only wreak havoc, e.g. by overwriting the sectors right after the partition boot sector.
Boot Sector Modification
Michelangelo Virus (1991): the normal boot sequence the virus inserts itself into:
BIOS initializes hardware and starts drivers.
MBR executes and reads the partition table.
Partition Boot Sector (PBS) locates the OS start files.
Infection of Document Files
Many applications support macros:
MS Office, WordPerfect Office, StarOffice,
OpenOffice, AutoCAD, Excel, …
MS Word runs code in event subroutines such as
Document_Open()
Document_Close()
AutoExec()
….
These subroutines run automatically, without user action, whenever the corresponding event occurs in a document that defines them.
Infection of Document Files
Melissa (1999):
Resides in Document_Open().
Copies itself into the Normal.dot global template.
Normal.dot is loaded whenever MS Word starts up, so every document handled afterwards is exposed.
In the template, Melissa replaced the Document_Close() routine.
http://www.cert.org/advisories/CA-1999-04.html
Infection of Document Files
Excel Version:
The virus infects Personal.xls.
This file can contain macros and is loaded whenever Excel runs.
Laroux (1996) used the auto_open() subroutine to execute whenever an infected Excel file was opened.
Infection of Document Files
Frequent macro targets in MS Office:
AutoExec()
AutoClose()
AutoOpen()
AutoNew()
AutoExit()
FileClose()
FileOpen()
FileNew()
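A static heuristic over VBA source that flags the auto-executing entry points listed above together with calls typical of a self-copying macro (writing to Normal.dot, touching the VBA project, spawning programs), as an added example that is not part of the lecture. The two VBA snippets are constructed for illustration and are not Melissa's or Laroux's code; the list of suspicious calls is an assumption of this example.

```python
"""Static heuristic check for auto-executing macros in VBA source, added as an
example (not from the lecture). It flags the subroutine names that Word and
Excel run without user action and a few calls typical of a self-copying
macro. The two VBA snippets are constructed for illustration; they are not
Melissa's code.
"""
import re
from typing import Dict, List

# Names that Word / Excel invoke automatically (from the slides, plus the
# Excel equivalents Laroux used).
AUTO_EXEC_NAMES = {name.lower() for name in (
    "AutoExec", "AutoOpen", "AutoClose", "AutoNew", "AutoExit",
    "FileOpen", "FileClose", "FileNew",
    "Document_Open", "Document_Close", "Auto_Open", "Workbook_Open",
)}

# Calls that a benign document macro rarely needs (assumed heuristic list).
SUSPICIOUS_TOKENS = {
    "normaltemplate": "touches Normal.dot, the global template",
    "vbproject": "accesses the macro project itself (self-copying)",
    "createobject": "instantiates COM objects (e.g. Outlook, WScript.Shell)",
    "shell": "spawns an external program",
}

SUB_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)\s*\(",
    re.IGNORECASE | re.MULTILINE)
TOKEN_RE = re.compile(r"[A-Za-z_]\w*")


def scan_vba(source: str) -> Dict[str, List[str]]:
    """Return {'auto_exec': [...], 'suspicious': [...]} for one VBA module."""
    auto_exec = [m.group(1) for m in SUB_RE.finditer(source)
                 if m.group(1).lower() in AUTO_EXEC_NAMES]
    seen = set()
    suspicious = []
    for tok in TOKEN_RE.findall(source):
        reason = SUSPICIOUS_TOKENS.get(tok.lower())
        if reason and tok.lower() not in seen:
            seen.add(tok.lower())
            suspicious.append(f"{tok}: {reason}")
    return {"auto_exec": auto_exec, "suspicious": suspicious}


def is_suspicious(source: str) -> bool:
    """Heuristic verdict: an auto-executing entry point plus a self-copy/spawn call."""
    report = scan_vba(source)
    return bool(report["auto_exec"]) and bool(report["suspicious"])


# Constructed samples (not real malware).
BENIGN_MACRO = """
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
"""

SELF_COPYING_MACRO = """
Private Sub Document_Open()
    On Error Resume Next
    Set NT = NormalTemplate.VBProject
    ' copy this module into the global template so every document gets it
End Sub
"""
```

This is the "bad behavior" style of heuristic from the Anti-Virus Defense slides applied to macros; it is cheap and catches the obvious self-copying pattern, but it also tokenizes comments and strings, so a real scanner would parse the VBA first and would still be blind to obfuscated names.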
Other Targets
Source Code
Scripts
Visual Basic Scripts (.vbs) used by OS:
Startup.vbs
Exec.vbs
Shell scripts, Perl scripts
Java class files (platform-independent viruses)
Propagation Techniques
Removable Storage
Boot sector viruses, executable viruses
Yamaha's CD-R drive firmware update contained the Chernobyl (CIH) virus.
Email attachments
Shared directories
Windows file sharing via Server Message Block
(SMB) protocol.
Network File System shares
P2P services such as Gnutella or Morpheus
Anti-Virus Defense
Antivirus software deployed at:
User workstations
File servers
Mail servers
Application servers
Border firewalls (gateways)
Handhelds.
Anti-Virus Defense
Virus signatures
Look for small byte patterns indicative of a known virus.
Defeated by polymorphic viruses, which change their byte pattern with every copy.
Heuristics
Looks for programs with bad behavior:
Attempts to access the boot sector
Attempts to locate all files in a directory
Attempts to write to an exe file
Attempts to delete hard drive contents
…
Anti-Virus Defense
Integrity Verification
Generate a database of hashes of important files.
Periodically recalculate these hashes and compare them to the known values.
Configuration Hardening
Least privilege
Minimize active components.
Set warnings (e.g. against macros)
User education
Anti-Anti-Virus Defense
Stealthing
Hide virus files.
Intercept scanning of infected files and present the clean original.
Slow the rate of infection.
…
Polymorphism and Metamorphism
Change the order of instructions in the virus code.
Use equivalent code (e.g. increment = subtract -1).
Encrypt most of the virus body with a changing key; only the small decryptor stays recognizable.
Slightly change the functionality of the virus as it spreads.
Anti-Anti-Virus Defense
Antivirus software deactivation
Kill processes known to be antivirus
processes.
Disable internet access to antivirus
vendor’s pages.
Change security settings (e.g. allow Word
macros to run)
Worms
Worms:
Propagate across a network on their own; need no host file for propagation.
Virus:
Infects files.
Backdoors must survive system restarts.
The methods for restarting them are OS dependent.
Starting backdoors
automatically on Windows
Altering startup files and folders
Registry (e.g. the Run and RunOnce keys under HKLM\Software\Microsoft\Windows\CurrentVersion)
Task Scheduler
Startup folders and files
Autostart folders for individual users and for all users.
Legacy initialization files:
win.ini (load= and run= lines)
system.ini (shell= line)
Unix backdoor examples: Q, TCPshell, bindshell, crontab backdoor.
Virtual Network Computing
Remote GUI tools
Virtual Network Computing (VNC)
Windows Terminal Services
Remote Desktop Service
Citrix MetaFrame
PCAnywhere
Dameware
Back Orifice 2000
SubSeven www.megasecurity.org
Virtual Network Computing
A VNC server lets the attacker shovel a remote GUI back, not just a shell.
Can be installed remotely:
Attacker has remote shell access on the victim.
Attacker installs a copy of VNC on his own machine.
Attacker exports the registry keys associated with VNC from his machine.
Attacker moves the four VNC files to the victim.
Attacker imports the registry changes on the victim.
This displays a "VNC installation successful" message on the victim's screen.
Attacker starts VNC.
Defenses against Backdoor
Shell Listeners
Use firewalls:
Filter traffic in both directions.
Firewall individual machines (host firewalls).
Look for open ports:
On the network (Nmap),
or locally with a trusted tool run from CD, since the local netstat may be trojaned.
Close unneeded ports.
Backdoors without ports
ICMP backdoor
ICMP messages don't use ports.
Firewalls need to let some ICMP messages pass.
ICMP messages can carry a data payload (e.g. the data of an echo request).
Backdoors without ports
ICMP backdoors:
Loki
007shell
ICMP Tunnel
All available for free at www.packetstormsecurity.org.
Non-Promiscuous Sniffing
Backdoors
A sniffer in non-promiscuous mode watches for commands in packets destined for the local machine.
Non-Promiscuous Sniffing
Backdoors
Cd00r
sniffs for TCP packets to ports X, Y, Z;
the ports are not open, so a port scan shows nothing.
SYN packets to X, Y, Z in the right order: the sniffer activates the backdoor.
The backdoor then opens a TCP port and shovels a shell.
This listening port can be detected while it is open.
It is however unnecessary with a sniffer in place: "future releases" will discontinue this practice and just read commands from crafted packets instead.
When the backdoor closes, the port is closed again.
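The knock-sequence trigger, modelled as an added example (not cd00r's own code): a sniffer-side state machine that advances per source address only on pure SYNs to the closed ports X, Y, Z in order, fed with a constructed packet trace in which one host knocks correctly, one hits the ports in the wrong order and one sends ACKs instead of SYNs. The ports, addresses and the rule that a wrong port resets the sequence are assumptions of this model.

```python
"""Model of a cd00r-style trigger, added as an example (not cd00r's own code).
The backdoor has no listening socket; a sniffer watches SYN packets to
closed ports and activates when the ports X, Y, Z are hit in order from the
same source. Ports, addresses and packets below are constructed. Whether an
out-of-order hit resets the sequence is an assumption of this model.
"""
from typing import Dict, List, Tuple

KNOCK_SEQUENCE = (7001, 7002, 7003)   # constructed X, Y, Z

SYN = 0x02   # TCP flag bits: only a pure SYN counts, as in cd00r
ACK = 0x10


def make_pkt(src: str, dport: int, flags: int = SYN) -> Dict[str, object]:
    return {"src": src, "dport": dport, "flags": flags}


class Cd00rTrigger:
    """Tracks how far each source has progressed through the knock sequence."""

    def __init__(self, sequence: Tuple[int, ...] = KNOCK_SEQUENCE) -> None:
        self.sequence = sequence
        self.progress: Dict[str, int] = {}
        self.open_for: List[str] = []   # sources that completed the knock

    def feed(self, pkt: Dict[str, object]) -> bool:
        """Return True when this packet completes the sequence for its source."""
        if pkt["flags"] != SYN:
            return False
        src = str(pkt["src"])
        pos = self.progress.get(src, 0)
        if pkt["dport"] == self.sequence[pos]:
            pos += 1
        elif pkt["dport"] == self.sequence[0]:
            pos = 1                       # a fresh first knock restarts
        else:
            pos = 0                       # model assumption: wrong port resets
        if pos == len(self.sequence):
            self.progress[src] = 0
            self.open_for.append(src)     # here cd00r would bind its shell port
            return True
        self.progress[src] = pos
        return False


def run_trace(packets: List[Dict[str, object]]) -> List[str]:
    """Feed a packet trace through the trigger; return sources that unlocked it."""
    trigger = Cd00rTrigger()
    for pkt in packets:
        trigger.feed(pkt)
    return trigger.open_for


# Constructed trace: 10.0.0.9 knocks correctly while 10.0.0.5 hits the ports
# in the wrong order and 10.0.0.7 sends ACKs instead of SYNs.
TRACE = [
    make_pkt("10.0.0.9", 7001),
    make_pkt("10.0.0.5", 7003),
    make_pkt("10.0.0.9", 7002),
    make_pkt("10.0.0.5", 7002),
    make_pkt("10.0.0.7", 7001, flags=ACK),
    make_pkt("10.0.0.9", 7003),
    make_pkt("10.0.0.5", 7001),
]
```

For the defender the tell-tale is in the network, not in netstat: a host that silently swallows SYNs to three particular closed ports (no RST back) and shortly afterwards accepts a connection on a port that was never listening before.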
Promiscuous Sniffing
Backdoors
A promiscuous sniffer can gather packets sent to any machine on the same LAN segment.
The destination address of the suspicious traffic therefore does not have to be the victim machine's.
Promiscuous Sniffing
Backdoors
The attacker has compromised the DNS server and installed a promiscuous sniffing backdoor there.
Promiscuous Sniffing Backdoor
[Figure: attacker outside the firewall; web server and DNS server on the same LAN segment inside.]
The attacker sends a packet to the web server at port 80. The firewall sees a message to the web server and lets it pass.
The sniffer on the DNS server picks up the packet. The web server does not know what to do with the malformed request and discards it.
The backdoor on the DNS server reacts to the packet and sends a reply back to the attacker with the return address spoofed as the web server's. The firewall sees a message from the web server and lets it pass.
Covert Channels
Covert channels hide the fact that information passes through them.
Tunneling:
A protocol that carries the data of another protocol.
Example: SSH
SSH can carry insecure application protocols such as FTP inside a secure connection.
SSH thus protects these insecure applications.
Covert Channels
Example: LOKI
Source: Phrack 51
The attacker installs the Loki server (a.k.a. LokiD) on the victim.
The attacker runs the Loki client on his own machine.
Loki tunnels the attacker's commands:
The attacker types shell commands.
The Loki client sends out several ICMP packets to the victim, each containing part of the command.
The Loki server receives the ICMP packets and extracts the attacker's command.
The Loki server executes it.
In reverse, the Loki server wraps the responses in ICMP messages and sends them to the Loki client, which displays them.
Port scanners or netstat cannot detect Loki since ICMP does not use ports.
The only traces are the Loki server running as root and ICMP messages going back and forth.
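The ICMP tunnel described on this slide and on the "Backdoors without ports" slides, as an added example (not Loki's code or wire format): a client that splits a command across echo-request payloads with a valid RFC 1071 checksum, a server that reassembles it, and the defender's counterpart, a check that flags echo payloads which do not look like a normal ping. The MAGIC tag and chunk layout are this example's own; the iputils and Windows ping payload patterns are real but matched only loosely.

```python
"""Loki-style command tunnel over ICMP echo, added as an example (not Loki's
own code or wire format). Both sides are shown: the client splits a command
over several echo-request payloads, the server reassembles it (here it only
returns the string instead of executing it), and a defender's check flags
echo payloads that do not look like a normal ping. The MAGIC tag and chunk
layout are this example's own; the "normal ping" patterns are those of
iputils ping and Windows ping.
"""
import struct
from typing import Dict, List, Optional

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
MAGIC = b"LK"          # constructed tag marking tunnel packets
CHUNK = 16             # bytes of command carried per packet


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> Optional[Dict[str, object]]:
    """Return header fields and payload, or None if the checksum is bad."""
    if len(packet) < 8 or inet_checksum(packet) != 0:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:]}


def tunnel_send(command: str, ident: int = 0x4C4B) -> List[bytes]:
    """Client side: one echo request per CHUNK bytes; payload = MAGIC|total|data."""
    data = command.encode()
    pieces = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    return [build_echo(ICMP_ECHO_REQUEST, ident, seq,
                       MAGIC + struct.pack("!H", len(pieces)) + piece)
            for seq, piece in enumerate(pieces)]


def tunnel_receive(packets: List[bytes]) -> Optional[str]:
    """Server side: collect MAGIC-tagged echo requests, reassemble by seq."""
    parts: Dict[int, bytes] = {}
    total = None
    for pkt in packets:
        icmp = parse_icmp(pkt)
        if icmp is None or icmp["type"] != ICMP_ECHO_REQUEST:
            continue
        payload = icmp["payload"]
        if not payload.startswith(MAGIC):
            continue                       # an ordinary ping, ignore
        total = struct.unpack("!H", payload[2:4])[0]
        parts[int(icmp["seq"])] = payload[4:]
    if total is None or len(parts) != total:
        return None                        # incomplete command
    return b"".join(parts[i] for i in range(total)).decode()


# Payloads a defender expects: iputils ping fills data bytes 8.. with their own
# index after an 8-byte timestamp; Windows ping sends a fixed 32-byte string.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"


def looks_like_normal_ping(payload: bytes) -> bool:
    if payload == WINDOWS_PING:
        return True
    return 16 <= len(payload) <= 256 and payload[8:] == bytes(range(8, len(payload)))


def flag_covert_echo(packets: List[bytes]) -> List[int]:
    """Defender's check: seq numbers of echo packets with unusual payloads."""
    flagged = []
    for pkt in packets:
        icmp = parse_icmp(pkt)
        if (icmp and icmp["type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)
                and not looks_like_normal_ping(icmp["payload"])):
            flagged.append(int(icmp["seq"]))
    return flagged
```

Because nothing listens on a port, netstat and Nmap stay silent, exactly as the slide says; what a network sensor can do is what flag_covert_echo does: treat echo payloads that deviate from the well-known ping patterns, or echo traffic whose volume and timing look like a terminal session, as suspicious, and rate-limit or drop echo at the border where it is not needed.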
Covert Channels
Example: Reverse WWW Shell
Source: www.thc.org
The attacker needs to install the reverse WWW shell on the victim's machine.
The program spawns a child every day at a specific time.
The child executes a local shell and connects to a WWW server owned by the attacker.
To a firewall this looks like an ordinary outbound HTTP request.
The WWW server sends back HTML content that the reverse shell interprets as shell commands.
Each request follows a delay of 60 seconds in order to avoid exposure.
Covert Channels
Example: GoToMyPC
Commercial remote-control tool that uses the same reverse WWW shell technique (outbound HTTP connections from the controlled machine).
Its security depends on the authentication strength (password).
Covert Channels
Tunnel through any TCP / IP traffic
Insert data in unused or misused fields in the protocol header of packets, such as:
IP Identification.
TCP sequence number.
TCP acknowledgment number.
Can even be used with bouncing: the sender puts the data in the sequence number of a SYN whose source address is spoofed to the receiver's and sends it to an innocent bounce server; the bounce server answers the receiver with a SYN-ACK whose acknowledgment number is the sequence number plus one, so the data arrives from a third party's address.
[Figure: bounce server between sender and receiver.]
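The header-field channel, as an added example (not from the lecture and not covert_tcp's code): one byte per packet carried in the IP Identification field on a direct path, and, for the bounce variant, in the initial sequence number of a SYN spoofed from the receiver, which the bounce server returns as acknowledgment number minus one. Packets are plain dicts; the addresses and the choice to place the byte in the high octet of each field are assumptions of this example.

```python
"""Header-field covert channel with a bounce server, added as an example (not
from the lecture or from covert_tcp). One byte of message is encoded per
packet: directly, in the IP Identification field, or via a bounce, in the TCP
initial sequence number of a SYN whose source address is spoofed to the
receiver; the bounce server's SYN-ACK carries the byte back to the receiver
as acknowledgment number minus one. Packets are plain dicts constructed here;
putting the byte in the high octet of the field is this example's choice.
"""
from typing import Dict, List

Packet = Dict[str, object]   # minimal model of the IP/TCP header fields used

SENDER, RECEIVER, BOUNCE = "10.1.1.1", "10.2.2.2", "198.51.100.7"   # constructed


def encode_ipid(message: bytes, src: str = SENDER, dst: str = RECEIVER) -> List[Packet]:
    """Direct channel: the byte sits in the high octet of the 16-bit IP ID."""
    return [{"src": src, "dst": dst, "ip_id": b << 8, "flags": "SYN",
             "seq": 0, "ack": 0} for b in message]


def decode_ipid(packets: List[Packet]) -> bytes:
    return bytes(int(p["ip_id"]) >> 8 for p in packets)


def encode_isn_bounced(message: bytes) -> List[Packet]:
    """Bounce channel: SYN to the bounce server, source spoofed as the receiver,
    byte in the high octet of the 32-bit initial sequence number."""
    return [{"src": RECEIVER, "dst": BOUNCE, "ip_id": 0, "flags": "SYN",
             "seq": b << 24, "ack": 0} for b in message]


def bounce_server(pkt: Packet) -> Packet:
    """What any TCP stack does with a SYN to an open port: SYN-ACK with
    ack = seq + 1, sent to whatever source address the SYN claimed."""
    return {"src": pkt["dst"], "dst": pkt["src"], "ip_id": 0, "flags": "SYN-ACK",
            "seq": 0x12345678, "ack": (int(pkt["seq"]) + 1) & 0xFFFFFFFF}


def decode_bounced(packets: List[Packet]) -> bytes:
    """Receiver side: only SYN-ACKs arriving from the bounce server matter."""
    return bytes(((int(p["ack"]) - 1) & 0xFFFFFFFF) >> 24
                 for p in packets if p["flags"] == "SYN-ACK" and p["src"] == BOUNCE)


def bounced_exchange(message: bytes) -> Dict[str, object]:
    """Run the whole bounce: what the sender emits, what the bounce server
    replies, and what the receiver recovers."""
    syns = encode_isn_bounced(message)
    replies = [bounce_server(s) for s in syns]
    return {"syns": syns, "replies": replies, "recovered": decode_bounced(replies)}
```

The receiver never sees the sender's address at all, only SYN-ACKs from the bounce host; that is also the defender's handle on it: unsolicited SYN-ACKs (no matching outbound SYN) arriving at a host, or IP ID and ISN values whose high octets are suspiciously printable, are what a stateful firewall or IDS can flag.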
btmp: stores data on bad logins.
lastlog: stores the last login for each user.
Unix User Mode Rootkits: LRK (Linux Root Kit)
Goodies
bindshell
creates a backdoor listener;
the attacker connects to the listener with netcat.
sniffer
linsniffer grabs IDs and passwords for ftp and telnet.
Unix User Mode Rootkits: LRK
LRK Installation Script
The makefile lets the attacker choose the configuration.
No need to understand any of the workings of LRK.
Installs in seconds to a few minutes.
Unix User Mode Rootkits: URK
Universal Root Kit
Works on a variety of Unix variants.
Has slightly less functionality than LRK.
Ext2 Manipulations to hide
data
Runefs and the Defiler's Toolkit foil computer forensics investigations on a UNIX machine.
Runefs
marks good blocks as bad by adding them to the bad-blocks inode;
stores data in them.
The Coroner's Toolkit and derivatives don't look at these blocks.
Ext2 Manipulations to hide
data
The Defiler's Toolkit destroys data that a forensics tool could harvest.
shred and other overwrite tools destroy only the data in a block.
The Defiler's Toolkit destroys inode and directory information as well.
Necrofile scrubs inodes clean.
Klismafile overwrites directory entries associated with deleted files.
This leaves blank spots in a directory.
Those gaps themselves show that someone used Klismafile.
Windows User Mode Rootkits
Windows File Protection (WFP)
Scans for changes to critical executables and libraries.
Compares digital signatures of about 1700 files against a protected catalog.
If WFP detects a change it looks for an authorized copy of the file in different locations (the dllcache directory, installation media) and restores it.
Only trusted mechanisms may replace protected files:
Windows Service Pack installations (Update.exe)
Hotfix distributions (Hotfix.exe)
Windows Update feature
Windows Device Installer
Windows User Mode Rootkits
Implementing user mode rootkits in Windows:
Use existing interfaces.
Overwrite files.
Use DLL injection and API hooking to manipulate running processes in memory.
Windows User Mode Rootkits
Use existing interfaces:
FakeGINA
sits between winlogon and msgina and records the user names and passwords passed through at logon.
Windows User Mode Rootkits:
Process Explorer
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml