Presentation is loading. Please wait.

Presentation is loading. Please wait.

Setiri: Advances in Trojan Technology Roelof Temmingh & Haroon Meer Defcon 10 Las Vegas 2002.

Published byPhyllis Byrd Modified over 8 years ago

Similar presentations

Presentation on theme: "Setiri: Advances in Trojan Technology Roelof Temmingh & Haroon Meer Defcon 10 Las Vegas 2002."— Presentation transcript:

1 Setiri: Advances in Trojan Technology Roelof Temmingh & Haroon Meer Defcon 10 Las Vegas 2002

2 Schedule Introduction Why Trojans? Brief History of Trojans & Covert Channels The Hybrid model Setiri: Advances in Trojan Technology Demonstration Taking it further Possible fixes

3 Introduction SensePost The speakers Objective of the presentation

4 Why Trojans? Profile of Trojan users Real criminals… …don’t write buffer overflows The weirdness of the industry Examples

5 Brief History of Trojans & Covert Tunnels Trojans From Quick Thinking Greeks … to Quick Thinking Geeks Tunnels Covert Channels

6 Trojans (Valid IP – No Filters) “get real..”

7 Trojans (Valid IP – Stateless Filter) Dial Home Trojans Random Ports / Open Ports / High Ports [cDc] ACK Tunneling [Arne Vidstrom]

8 Trojans (Stateful Filters) Orifice - http://bo2k.sourceforge.net Gbot Rattler

9 Brief History of Trojans & Covert Tunnels Trojans From Quick Thinking Greeks … to Quick Thinking Geeks Tunnels Covert Channels

10 Tunnels & Covert Channels 1985 – TSC Definition”Covert Channels” 1996 – Phrack Magazine – LOKI 1998 – RWWWShell – THC 1999 - HTTPTUNNEL – GNU 2000 - FireThru - Firethru

11 Conventional Trojans & how they fail Stateful firewall & IDS Direct model Direct model with network tricks ICMP tunneling ACK tunneling Properly configured stateful firewall IRC agents + Authentication proxy HTTP tunnel ++ Personal firewall & Advanced Proxy HTTP tunnel with Authentication +++

12 Hybrid model: “GatSlag” Combination between covert Tunnel and Trojan Defenses mechanisms today: Packet filters (stateful) / NAT Authentication Proxies Intrusion detection systems Personal firewalls Content/protocol checking Biometrics/Token Pads/One time passwords Encryption

13 A typical network

14 How GatSlag worked Reverse connection HTTP covert tunnel Microsoft Internet Explorer as transport Controls IE via OLE Encapsulate in IE, not HTTP Receive commands in title of web page Receive encoded data as plain text in body of web page Send data with POST request Send alive signals with GET request

15 Why GatSlag worked Integration of client with MS Proxy NTLM authentication SSL capable Registry changes Personal firewalls Just another browser Platform independent IE on every desktop Specify Controller Via public web page – the MASTER site

16 Problems with Gatslag The Controller’s IP can be obtained ! Handling of multiple instances GUI support Controller needed to be online Batch commands Command history Multiple controllers Upload facility not efficient Platform support Stability Session level tunneling

17 Setiri: Advances in Trojan Technology Design notes: Web site contains instructions CGIs to create new instruction Controller’s interface: –EXEC (DOS commands, various) –TX (File upload) –RX (File download) Directory structure – each instance Trojan “surfs” to web site – just a normal user would

18 Setiri: Advances in Trojan Technology II Anonymity Problems with normal proxies Already using a proxy Proxy logs “Cleaners” provide anonymity “In browser proxy” – Anonymizer Trojan -> Cleaner: SSL Cleaner -> Controller: SSL Challenges: Browser history Temporary files

19

20

21

22 Why defenses fail Firewalls (stateful/NAT) Configured to allow user or proxy out Content level & IDS Looks like valid HTTP requests & replies Files downloaded as text in web pages No data or ports to lock on to SSL provides encryption Personal firewalls IE valid application Configured to allow browsing Authentication proxies User surf the web

23 Demonstration

24 Solving the dilemma Delivery White listing User education AV, personal firewalls Should you allow everyone to surf the ‘net?

25 Conclusion Awareness Our motivation

Download ppt "Setiri: Advances in Trojan Technology Roelof Temmingh & Haroon Meer Defcon 10 Las Vegas 2002."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.

WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Layer 7- Application Layer

Layer 7- Application Layer
CIS101 Introduction to Computing Week 05. Agenda Your questions CIS101 Survey Introduction to the Internet & HTML Online HTML Resources Using the HTML.

CIS101 Introduction to Computing Week 05. Agenda Your questions CIS101 Survey Introduction to the Internet & HTML Online HTML Resources Using the HTML.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.

Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
Www.ciscopress.com Copyright 2003 CCNA 1 Chapter 7 TCP/IP Protocol Suite and IP Addressing By Your Name.

Copyright 2003 CCNA 1 Chapter 7 TCP/IP Protocol Suite and IP Addressing By Your Name.
Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts.

Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts.
Boris Tshibangu. What is a proxy server? A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from.

Boris Tshibangu. What is a proxy server? A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
The World's Most Secured Browsing Solution COCKPIT4i is a radically new, powerful solution that protects against the security risks posed by exposure to.

The World's Most Secured Browsing Solution COCKPIT4i is a radically new, powerful solution that protects against the security risks posed by exposure to.

Similar presentations

Ads by Google