Rogue Wireless Router By Alex Crowell and James Kasten.

Presentation transcript:

1 Rogue Wireless Router By Alex Crowell and James Kasten

2 Attack
- Modify an open source router so that it performs MITM attacks
- Inject a Trojan horse into all downloaded executables on the fly

3 Main Steps
- Hook into the router
- Identify packets containing executables
- Modify executable packet with Trojan

4 Implementation on the Router
- Received a WRT54G router from Professor Halderman
- Source code available, uses Linux v2.4
- New firmware relatively easy to load

5 Netfilter
- Looking through WRT source, found Netfilter
- Allows hooking into different stages of packet routing through device
- Intercepted at post-routing
- Implementing in kernel mode allows modification of queued packets

6 Our Implementation
- Chose to implement as Loadable Kernel Module (LKM)
- Allows free access to intercepted packets, protocol headers, etc.
- Just need a way to load the module

7 How it Works
- Module intercepts all packets through router
- Checks for HTTP 200 OK response and Content-Type: application/octet or a variant
- Passes packet data to James' handler
- Saves state to recognize future packets
  - Executable state

8 Understanding Binaries
- Targeted Win32 PEs (standard .exe files)

9 Infection Methods
- Prepending to beginning of PE
  - Easy
  - Hack0wn.com called this method "lame"
  - We are not lame
- Adding to an existing section
  - Doesn't change size of executable
  - Existing section may not be long enough
- Enlarge an existing section
  - More flexible, but does enlarge PE → more packets

10 Infection Methods
- Write a new section
  - Most flexible; enlarges PE, additional processing of headers
- Adding to multiple existing sections
  - Break up the Trojan code
  - Must adjust all references accordingly
  - Bin packing problem
  - A huge mess

11 Adding to Existing Section
- Fills in the difference between the virtual size of code and the size of the raw data
- 7zip installer: 422 bytes

12 What needs to be modified
- Essentially 3 fields
- Address of the Point of Entry
  - Set to the Trojan code
  - Located 40 bytes past the PE header
- Virtual Size of Code
  - Expand the size of the usable code section
  - Located 8 bytes off the appropriate section header
- Characteristics
  - If not a .text or CODE section
  - Set section to be executable

13 Important fields – first packet
- Address of Entry
- Virtual Code Size
- PE signature
- Location of PE
- Section Header
- Size of Data
- Pointer to Data

14 How do you change them
- Both fields need to be changed on the fly
- Address of Entry Point -> beginning of exploit
  - Set AddrEP to 1 byte past the end of existing code
  - Where is the end of the code? Virtual Size of .text section + Pointer to Raw Data

15 Point of Entry
- But the file offset entry point is actually...
  AddrEntryPoint – virtual address + pointer to raw data
- So we must add this file offset into the new modified PoE:
  (End of Text + 1) + virtual address – pointer to raw data

16 Virtual Size
- Modifying virtual size of section is much easier
  - Just add exploit size
  - Make sure you have enough room
- Now all that is left is to insert the exploit code to jump back to the original entry point
  - Offset by both the virtual address and pointer to raw data of each section

17 Our Exploit
- Checks to make sure binary is PE
- Checks to see if there is a .text or CODE section
  - Not packed
- Fits exploit into .text or CODE section if there is enough room
- Else inserts exploit into largest section
- Ignores all binaries that do not meet criteria

18 Demo
- Trojan on WRT54GL router
- Reverse Command Shell
- Precautions
  - MAC address filtering
  - Nothing harmful moved

19 Difficulties
- Finding the correct source code
  - Initially used Cisco provided source
  - Switched to OpenWRT
- Difficulty debugging

20 Possible Defenses
- Don't connect to untrusted routers
- Download files protected by checksums
  - Example: NSIS created installers
  - Check cryptographic hash of the files
- Download files over HTTPS
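The following Python is an added example written for this transcript; it is not code from the presentation or its authors. It shows the defender's side of slides 11 through 20: the "check cryptographic hash" defence, plus a read-only structural heuristic over the exact header fields the slides say the attack rewrites (AddressOfEntryPoint 40 bytes past the PE signature, VirtualSize 8 bytes into a section header, and the section Characteristics flags). A downloaded installer whose entry point does not land inside an executable .text/CODE section, or that carries the executable flag on a non-code section, is flagged for a closer look. The function names, the minimal two-section PE built by build_sample_pe, and the published digest are all constructed for the demo; the heuristic is deliberately general (it parses any PE32/PE32+ section table) and will also fire on legitimate packed or unusually linked binaries, so treat it as triage, not a verdict.

```python
"""Defender-side checks for a downloaded Win32 PE (added example, not the presentation's code)."""
import hashlib
import hmac
import struct

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
CODE_SECTION_NAMES = {b".text", b"CODE"}   # the names the slides treat as "the code section"


def parse_pe(data: bytes) -> dict:
    """Read just the headers the heuristic needs: entry-point RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # file offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                      # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint sits 16 bytes into the optional header in both formats,
    # i.e. 40 bytes past the PE signature, matching slide 12.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    table = opt + size_of_opt
    for i in range(num_sections):                            # 40-byte section headers
        off = table + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
    return {"entry_rva": entry_rva, "sections": sections}


def entry_point_findings(pe: dict) -> list:
    """Heuristic findings (codes, not a verdict) about where the entry point lands."""
    findings = []
    entry = pe["entry_rva"]
    home = [s for s in pe["sections"] if s["vaddr"] <= entry < s["vaddr"] + s["vsize"]]
    if not home:
        findings.append("ENTRY_OUTSIDE_SECTIONS")
    else:
        s = home[0]
        if s["name"] not in CODE_SECTION_NAMES:
            findings.append("ENTRY_IN_NONCODE_SECTION")
        if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("ENTRY_SECTION_NOT_EXECUTABLE")
    for s in pe["sections"]:
        # Slide 12: a non-code section is made executable when the payload cannot fit in .text.
        if s["name"] not in CODE_SECTION_NAMES and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("NONCODE_SECTION_EXECUTABLE")
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, published_hex: str) -> bool:
    """Slide 20's checksum defence: constant-time compare against the vendor's published digest."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def build_sample_pe(entry_rva: int, data_executable: bool = False) -> bytes:
    """Constructed minimal PE32 image (two sections, all-zero raw data) for the demo only."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)         # i386, 2 sections
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x200, 0x200, 0, entry_rva).ljust(224, b"\0")
    data_chars = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    if data_executable:
        data_chars |= IMAGE_SCN_MEM_EXECUTE
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x180, 0x1000, 0x200, 0x400, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0,
                       data_chars)
    headers = (dos + b"PE\0\0" + coff + opt + text + data).ljust(0x400, b"\0")
    return headers + b"\0" * 0x400                                         # raw .text + .data


if __name__ == "__main__":
    clean = build_sample_pe(entry_rva=0x1010)
    published = sha256_hex(clean)            # stands in for the hash the vendor publishes
    tampered = build_sample_pe(entry_rva=0x2010, data_executable=True)
    for label, blob in (("clean", clean), ("tampered", tampered)):
        print(label, "hash ok:", verify_sha256(blob, published),
              "findings:", entry_point_findings(parse_pe(blob)))
```

In practice the hash check is the decisive one: it catches any in-flight modification regardless of which infection method from slides 9 and 10 was used, provided the published digest was obtained over a channel the rogue router does not control (which is why slide 20 pairs it with HTTPS). The structural heuristic is a fallback for files that ship without a checksum.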

