Setiri: Advances in Trojan Technology Roelof Temmingh Haroon Meer BlackHat USA 2002.

Slides:

Advertisements

Similar presentations

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.

Advertisements

Enabling Secure Internet Access with ISA Server

WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.

Network Security.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 13: Administering Web Resources.

Module 5: Configuring Access to Internal Resources.

Working with Proxy Servers and Application-Level Firewalls Chapter 5.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

Layer 7- Application Layer

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

Remote Networking Architectures

Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

Copyright 2003 CCNA 1 Chapter 7 TCP/IP Protocol Suite and IP Addressing By Your Name.

Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts.

Boris Tshibangu. What is a proxy server? A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from.

1 Enabling Secure Internet Access with ISA Server.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

11 SUPPORTING INTERNET EXPLORER IN WINDOWS XP Chapter 11.

LINUX Security, Firewalls & Proxies. Course Title Introduction to LINUX Security Models Objectives To understand the concept of system security To understand.

Firewall Typical Networking and Troubleshooting Common Faults.

Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as .

Internet Business Foundations © 2004 ProsoftTraining All rights reserved.

1 Web Server Administration Chapter 9 Extending the Web Environment.

Chapter 7: Internet-Based Applications Business Data Communications, 6e.

Access Gateway Operation

Web Server Administration Chapter 10 Securing the Web Environment.

Lecture#2 on Internet and World Wide Web. Internet Applications Electronic Mail ( ) Electronic Mail ( ) Domain mail server collects incoming mail.

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

Chapter 13 – Network Security

Postacademic Interuniversity Course in Information Technology – Module C1p1 Contents Data Communications Applications –File & print serving –Mail –Domain.

Copyright 2000 eMation SECURITY - Controlling Data Access with

Microsoft Internet Information Services 5.0 (IIS) By: Edik Magardomyan Fozi Abdurhman Bassem Albaiady Vince Serobyan.

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Setiri: Advances in Trojan Technology Roelof Temmingh & Haroon Meer Defcon 10 Las Vegas 2002.

1 CHAPTER 2 LAWS OF SECURITY. 2 What Are the Laws of Security Client side security doesn’t work Client side security doesn’t work You can’t exchange encryption.

Overview of Microsoft ISA Server. Introducing ISA Server New Product—Proxy Server In 1996, Netscape had begun to sell a web proxy product, which optimized.

Grid Chemistry System Architecture Overview Akylbek Zhumabayev.

Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.

1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.

NETWORK HARDWARE AND SOFTWARE MR ROSS UNIT 3 IT APPLICATIONS.

Module 11: Securing a Microsoft ASP.NET Web Application.

Integrating and Troubleshooting Citrix Access Gateway.

Module 7: Advanced Application and Web Filtering.

TCP/IP (Transmission Control Protocol / Internet Protocol)

FTP File Transfer Protocol Graeme Strachan. Agenda  An Overview  A Demonstration  An Activity.

1 Chapter Overview Creating Web Sites and FTP Sites Creating Virtual Directories Managing Site Security Troubleshooting IIS.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Covert Channels.

11 SUPPORTING INTERNET EXPLORER IN WINDOWS XP Chapter 11.

© N. Ganesan, Ph.D., All rights reserved. FTP and Telnet Services Professor N. Ganesn, Ph.D.

Firewalls Definition: Device that interconnects two or more networks and manages the network traffic between those interfaces. Maybe used to: Protect a.

ArcGIS for Server Security: Advanced

NAT、DHCP、Firewall、FTP、Proxy

Data Virtualization Tutorial… SSL with CIS Web Data Sources

Application layer tcp/ip

Securing the Network Perimeter with ISA 2004

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 13: Administering Web Resources.

FTP - File Transfer Protocol

Processes The most important processes used in Web-based systems and their internal organization.

الخطوات المطلوب القيام بها قبل انشاء الموقع

IS 4506 Server Configuration (HTTP Server)

Configuring Internet-related services

Web Privacy Chapter 6 – pp 125 – /12/9 Y K Choi.

Designing IIS Security (IIS – Internet Information Service)

Presentation transcript:

Setiri: Advances in Trojan Technology Roelof Temmingh Haroon Meer BlackHat USA 2002

Schedule Introduction Why Trojans? Brief History of Trojans & Covert Channels The Hybrid model Setiri: Advances in Trojan Technology Demonstration Taking it further Possible fixes

Introduction SensePost The speakers Objective of presentation

Why Trojans? Profile of Trojan users Real criminals… …don’t write buffer overflows The weirdness of the industry Examples

Brief History of Trojans & Covert Tunnels Trojans From Quick Thinking Greeks … to Quick Thinking Geeks Tunnels Covert Channels

Trojans.. Valid IP – No Filters Valid IP – Stateless Filters Private Addresses – Stateful Filters Private + Stateful + IDS + Personal Firewalls + Content Checking + …

Trojans.. (Valid IP – No Filters) “get real..”

Trojans.. (Valid IP – Stateless Filter) Dial Home Trojans Random Ports / Open Ports / High Ports [cDc] ACK Tunneling [Arne Vidstrom]

Trojans.. (Stateful Filters) Back Orifice - Gbot Rattler

Brief History of Trojans & Covert Tunnels Trojans From Quick Thinking Greeks … to Quick Thinking Geeks Tunnels Covert Channels

Tunnels & Covert Channels 1985 – TSC Definition”Covert Channels” 1996 – Phrack Magazine – LOKI 1998 – RWWWShell – THC HTTPTUNNEL – GNU FireThru - Firethru

Conventional Trojans & how they fail Stateful firewall & IDS Direct model Direct model with network tricks ICMP tunneling ACK tunneling Properly configured stateful firewall IRC agents + Authentication proxy HTTP tunnel ++ Personal firewall & Advanced Proxy HTTP tunnel with Authentication +++

Hybrid model: “GatSlag” Combination between covert Tunnel and Trojan Defenses mechanisms today: Packet filters (stateful) / NAT Authentication Proxies Intrusion detection systems Personal firewalls Content/protocol checking Biometrics/Token Pads/One time passwords Encryption

A typical network

How GatSlag worked Reverse connection HTTP covert tunnel Microsoft Internet Explorer as transport Controls IE via OLE Encapsulate in IE, not HTTP Receive commands in title of web page Receive encoded data as plain text in body of web page Send data with POST request Send alive signals with GET request

Why GatSlag worked Integration of client with MS Proxy NTLM authentication SSL capable Registry changes Personal firewalls Just another browser Platform independent IE on every desktop Specify Controller Via public web page – the MASTER site

How GatSlag worked II Creates invisible browser Find controller at MASTER Send request to Controller If no Controller && retry>7, go to MASTER Receive reply Parse reply: + Upload file() +Download file +Execute command Loop

Why defenses fail Firewalls (stateful/NAT) Configured to allow user or proxy out Content level & IDS Looks like valid HTTP requests & replies Files downloaded as text in web pages No data or ports to lock on to SSL provides encryption Personal firewalls IE valid application Configured to allow browsing Authentication proxies User surf the web

Problems with Gatslag The Controller’s IP can be obtained ! Handling of multiple instances GUI support Controller needed to be online Batch commands Command history Multiple controllers Upload facility not efficient Platform support Stability Session level tunneling

Setiri: Advances in Trojan Technology Design notes: Web site contains instructions CGIs to create new instruction Controller’s interface: –EXEC (DOS commands) –TX (File upload) –RX (File download) Directory structure – each instance Trojan “surfs” to web site – just a normal user would

Setiri: Advances in Trojan Technology II Anonymity Problems with normal proxies Already using a proxy Proxy logs “Cleaners” provide anonymity “In browser proxy” – Anonymizer Trojan -> Cleaner: SSL Cleaner -> Controller: SSL Challenges: Browser history Temporary files

Demonstration

Taking it further Session level tunneling

Flow control challenges How this is different from HTTP tunneling A browser is not a socket No select on browser Train model The Controller side Cannot “send” Buffering of data at Controller The Trojan side Multi-part POSTs Multiple connections (HTTP) True network level tunneling

Solving the dilemma Delivery White listing User education AV, personal firewalls Should you allow everyone to surf the ‘net?

Conclusion Awareness Our motivation