CIS 450 – Network Security

Chapter 15 – Preserving Access

- Backdoor – a way for an attacker to get back into a network or system without being detected
- Common ways to install backdoors
  - By opening a port and using a listening agent
    - Vision Port Scanner
      http://linuxpr.com/releases/5354.html
    - Netcat
    - Tini – When I went to download the file I received a message from my virus scanner that the .exe file had a virus, which was cured
  - Through the use of a Trojan program
    - Contains overt and covert programs
    - QAZ
Rootkits

- What is it
  http://www.linuxdevcenter.com/pub/a/linux/2001/12/14/rootkit.html
- Trojanize key system files on the operating system
- File-Level Rootkits
  - The legitimate program is replaced with the Trojan version
  - The legitimate program becomes the overt program and the backdoor becomes the covert function
  - Programs replaced are the ones that a UNIX administrator would use – page 548
  - Attacker can get back into the system and hide his tracks
  - Operate at the application (user) level
  - Defending against
    - File-level rootkits can be discovered by looking for changes in binary programs
      - Tripwire
      - AIDE
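As an added example (not part of the slides, and not Tripwire's or AIDE's own code), a minimal file-integrity check of the kind those tools perform: record the SHA-256, size, permissions and ownership of each binary on a known-good system, then compare a later snapshot against that baseline and report what was modified, added or removed. The scenario in demo() is constructed in a temporary directory with fake ps, netstat and ifconfig scripts.

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """SHA-256 of the content plus the metadata a Trojanized replacement tends to change."""
    st = os.stat(path)
    with open(path, "rb") as f:
        h = hashlib.sha256(f.read())  # fine for binaries of a few MB
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}

def build_baseline(directory):
    """Fingerprint every regular file below `directory`, keyed by path relative to it."""
    baseline = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if os.path.isfile(path) and not os.path.islink(path):
                baseline[os.path.relpath(path, directory)] = fingerprint(path)
    return baseline

def compare(baseline, current):
    """Report modified entries (with the fields that differ), plus added and removed ones."""
    report = {"modified": {}, "added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current))}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is not None and new != old:
            report["modified"][rel] = sorted(k for k in old if old[k] != new[k])
    return report

def write_file(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a fake bin dir, then alter it the way a file-level rootkit would."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ps", "netstat", "ifconfig"):
            write_file(os.path.join(d, name), b"#!/bin/sh\necho legitimate " + name.encode() + b"\n")
        baseline = build_baseline(d)  # normally taken from a known-good install and stored offline
        write_file(os.path.join(d, "ps"), b"#!/bin/sh\necho legitimate ps\n# covert: hide attacker pids\n")
        write_file(os.path.join(d, ".hidden"), b"listening agent")  # new file dropped by an intruder
        os.remove(os.path.join(d, "netstat"))
        return compare(baseline, build_baseline(d))
```

The check only sees what the kernel reports, which is why the next slide's caveat matters: against a kernel-level rootkit the baseline must be stored off the host and the comparison run from trusted media.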
Rootkits

- Kernel-Level Rootkits
  - Operate at the kernel (operating system) level
  - By altering the heart of the operating system, kernel-level rootkits enable attackers to create a system that appears normal to users and administrators. In reality, the underlying kernel is riddled with attacker modifications, all masked by the manipulated kernel. Kernel-level rootkits usually include the ability to redirect system calls, so when a user wants to run one program--say, ps, netstat or ifconfig--a Trojanized version is executed. These tools can also hide processes, files, sniffer usage and network port usage by altering the kernel so that it "lies" to you. Attackers are using numerous kernel-level rootkits for Linux, Solaris and Windows, among others.
Rootkits

Kernel-level rootkits – continued

- Defending Against
  - Techniques used to defend against file-level rootkits don't work as well on a system with a kernel-level rootkit, as all requests for information go through the rotten kernel itself
  - While AIDE may show you that your login binary is intact, the kernel-level rootkit redirects execution to the attacker's backdoor
  - Defeating kernel-level rootkits requires hardening the kernels of critical systems
    - Saint Jude Project monitors the integrity of a Linux kernel by looking for modifications of the system call table
    - Can deploy machines with monolithic kernels created by building a kernel that doesn't support loadable kernel modules
    - Hardening the kernel itself
      - PitBull
      - Hardened versions of Unix and Unix-like OSes such as SELinux and Sun Microsystems Trusted Solaris include additional kernel protections
    - Note: Kernel-hardening solutions can be unwieldy if widely deployed, because they alter the fundamental operation of the kernel, complicating system administration and possibly breaking third-party tools
UNIX Rootkits

- File-level Rootkits
  - TrojanIT http://www.rishabhdara.com/link.php?currentgrp=30
  - Lrk5 - http://www.ossec.net/rootkits/lrk.php
  - Ark, Rootkit (This has a Trojan embedded in it; I received a message from anti-virus software even though I did not download it or open it), and Tk http://www.antiserver.it/Backdoor-Rootkit/
- Kernel-level rootkits
  - Knark http://www.rishabhdara.com/link.php?currentgrp=30
Wrappers

- A tool that combines two or more files into a single file, usually for the purpose of hiding one of them.
- Examples
  - SilkRope 2000 http://www.pestpatrol.com/pestinfo/s/silk_rope.asp
  - Saran Wrap http://pestpatrol.com/zks/pestinfo/s/saran_wrap_1_0.asp