Page 1
Setiri:
Advances in Trojan Technology
Roelof Temmingh & Haroon Meer
BlackHat USA
Las Vegas
2002
Page 2
Schedule
Introduction
Why Trojans?
Brief History of Trojans & Covert Channels
The Hybrid model
Setiri: Advances in Trojan Technology
Demonstration
Taking it further
Possible fixes
Page 3
Introduction
SensePost
The speakers
Objective of presentation
Page 4
Why Trojans?
Profile of Trojan users
Real criminals…
…don’t write buffer overflows
The weirdness of the industry
Examples
Page 5
Brief History of Trojans & Covert Tunnels
Trojans
From Quick Thinking Greeks …
to Quick Thinking Geeks
Tunnels
Covert Channels
Page 6
Trojans..
Valid IP – No Filters
Valid IP – Stateless Filters
Private Addresses – Stateful Filters
Private
+ Stateful
+ IDS + Personal Firewalls
+ Content Checking
+ …
Page 7
Trojans (Valid IP – No Filters)
“get real..”
Page 8
Trojans (Valid IP – Stateless Filter)
Dial Home Trojans
Random Ports / Open Ports / High Ports
[cDc]
ACK Tunneling
[Arne Vidstrom]
Page 9
Trojans (Stateful Filters)
Back Orifice - http://bo2k.sourceforge.net
Gbot
Rattler
Page 10
Brief History of Trojans & Covert Tunnels
Trojans
From Quick Thinking Greeks …
to Quick Thinking Geeks
Tunnels
Covert Channels
Page 11
Tunnels & Covert Channels
1985 – TSC Definition “Covert Channels”
1996 – Phrack Magazine – LOKI
1998 – RWWWShell – THC
1999 – HTTPTUNNEL – GNU
2000 – FireThru – Firethru
Page 12
Conventional Trojans & how they fail
Stateful firewall & IDS
– Direct model
– Direct model with network tricks (ICMP tunneling, ACK tunneling)
Properly configured stateful firewall
– IRC agents +
Authentication proxy
– HTTP tunnel ++
Personal firewall & Advanced Proxy
– HTTP tunnel with Authentication +++
Page 13
Hybrid model: “GatSlag”
Combination of a covert tunnel and a Trojan
Defense mechanisms today:
Packet filters (stateful) / NAT
Authentication Proxies
Intrusion detection systems
Personal firewalls
Content/protocol checking
Biometrics/Token Pads/One time passwords
Encryption
Page 14
A typical network
Page 15
How GatSlag worked
Reverse connection
HTTP covert tunnel
Microsoft Internet Explorer as transport
Controls IE via OLE
Encapsulate in IE, not HTTP
Receive commands in title of web page
Receive encoded data as plain text in body of web page
Send data with POST request
Send alive signals with GET request
Page 16
Why GatSlag worked
Integration of client with MS Proxy
NTLM authentication
SSL capable
Registry changes
Personal firewalls
Just another browser
Platform independent
IE on every desktop
Specify Controller
Via public web page – the MASTER site
Page 17
How GatSlag worked II
Creates invisible browser
Find controller at MASTER
Send request to Controller
If no Controller && retry>7, go to MASTER
Receive reply
Parse reply:
+ Upload file
+ Download file
+ Execute command
Loop
Page 18
Problems with GatSlag
The Controller’s IP can be obtained!
Handling of multiple instances
GUI support
Controller needed to be online
Batch commands
Command history
Multiple controllers
Upload facility not efficient
Platform support
Stability
Session level tunneling
Page 19
Setiri: Advances in Trojan Technology
Design notes:
Web site contains instructions
CGIs to create new instruction
Controller’s interface:
– EXEC (DOS commands, various)
– TX (File upload via upload CGI)
– RX (File download, UUencode)
Directory structure – each instance
Trojan “surfs” to web site – just as a normal user would
Page 20
Setiri: Advances in Trojan Technology II
Anonymity
Problems with normal proxies
Already using a proxy
Proxy logs
“Cleaners” provide anonymity
“In browser proxy” – Anonymizer
Trojan -> Cleaner: SSL
Cleaner -> Controller: SSL
Challenges:
Browser history
Temporary files
Pages 21–24 (no extractable text)
Why defenses fail
Firewalls (stateful/NAT)
Configured to allow user or proxy out
Content level & IDS
Looks like valid HTTP requests & replies
Files downloaded as uuencoded text in web pages
No data or ports to lock on to
SSL provides encryption
Personal firewalls
IE valid application
Configured to allow browsing
Authentication proxies
Users surf the web
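The slide above says content inspection has "no data or ports to lock on to" because files arrive as uuencoded text inside otherwise ordinary web pages. One defender-side check that does give content inspection something to lock on to is to look for complete, validly decodable uuencode blocks in HTTP response bodies. The example below is added here for illustration and is not code from the talk or from the Setiri/GatSlag tools; the HTML pages, the file name `report.bin` and the transferred bytes are all constructed. As the same slide notes, this only applies where the traffic is not protected by SSL, i.e. where TLS is terminated at an inspecting proxy.

```python
import binascii
import re
from typing import List, Tuple

# Constructed helper: build a standard uuencode block (45 input bytes per line),
# used only to fabricate a sample page for the detector below.
def _uuencode(name: str, data: bytes, mode: str = "644") -> str:
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines.append("`")   # zero-length line that terminates the data
    lines.append("end")
    return "\n".join(lines)

# "begin <octal mode> <filename>" opens a uuencode block.
BEGIN_RE = re.compile(r"^begin\s+([0-7]{3,4})\s+(\S+)\s*$")


def find_uuencoded_blocks(body: str) -> List[Tuple[str, int]]:
    """Return (filename, decoded_byte_count) for every complete uuencode block
    found in an HTTP response body.

    A block is only reported if every line between 'begin' and 'end' decodes
    as valid uuencode, which keeps ordinary HTML that happens to contain the
    word 'begin' from being flagged.
    """
    findings: List[Tuple[str, int]] = []
    lines = body.splitlines()
    i = 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i].strip())
        if not m:
            i += 1
            continue
        name = m.group(2)
        decoded = bytearray()
        j = i + 1
        complete = False
        while j < len(lines):
            line = lines[j].rstrip("\r")
            if line.strip() == "end":
                complete = True
                break
            try:
                decoded.extend(binascii.a2b_uu(line))
            except binascii.Error:
                break  # not uuencode data: abandon this candidate block
            j += 1
        if complete:
            findings.append((name, len(decoded)))
            i = j + 1
        else:
            i += 1
    return findings


# Constructed sample pages: one benign, one carrying a uuencoded file in a <pre>.
TRANSFERRED_BYTES = bytes(range(256))  # constructed stand-in for a downloaded file
BENIGN_PAGE = (
    "<html><head><title>Weekly newsletter</title></head><body>\n"
    "<p>Thanks for reading.</p>\n"
    "</body></html>\n"
)
SUSPICIOUS_PAGE = (
    "<html><head><title>Weekly newsletter</title></head><body>\n"
    "<p>Thanks for reading.</p>\n"
    "<pre>\n" + _uuencode("report.bin", TRANSFERRED_BYTES) + "\n</pre>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        hits = find_uuencoded_blocks(page)
        print(f"{label}: {hits if hits else 'no uuencoded blocks'}")
```

The check deliberately requires a decodable block closed by `end` rather than matching on the word `begin` alone; the trade-off is that a transfer split across several pages, or one using a different text encoding, is not caught by this single heuristic.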
Page 25
Demonstration
Page 26
Taking it further
Session level tunneling
Page 27
Flow control challenges
How this is different from HTTP tunneling
A browser is not a socket
No select on browser
Train model
The Controller side
Cannot “send”
Buffering of data at Controller
The Trojan side
Multi-part POSTs
Multiple connections (HTTP)
True network level tunneling
Page 28
Solving the dilemma
Delivery
White listing
User education
AV, personal firewalls
Should you allow everyone to surf the ‘net?
Page 29
Conclusion
Awareness
Our motivation