Group 9 and 10 Summary of Threats and


Rootkits, Backdoors, and Trojans
ECE 4112 – Lab 5 Summary – Spring 2006
Group 9
Greg Sheridan
Terry Harvey
Group 10
Matthew Bowman
Laura Silaghi
Michael Sanders
Agenda
• Rootkits
• User space vs. Kernel Space
• Detection
• Prevention
• Backdoors
• Different Implementations
• Detection
• Prevention
• Trojans
• Port & Web Knocking
Rootkits
“A rootkit is a set of software tools frequently
used by a third party (usually an intruder) after
gaining access to a computer system. These
tools are intended to conceal running
processes, files or system data, which helps
an intruder maintain access to a system
without the user's knowledge.” -Wikipedia
Rootkits
Lrk4
• Linux user space
• replaced system binaries
• /bin/login
• Added user rewt
• Added ‘global’ password satori
• /bin/ls
• /dev/ptyr to hide files
Rootkits
Lrk4
• Detection
• chkrootkit
• matched “root”
• strace
• # of system calls is dependent on location
• Prevention
• Tripwire
Rootkits
Knark
• Linux kernel space
• redirected system calls
• Added /proc/knark/
• Hiding Files
• hidef/unhidef
• Redirecting Binaries
• ered
• Other Knark functions?
Rootkits
Knark
• Detection
• kern_check
• Detected changes in SCT addresses
• rkhunter
• Has a really bad aim
• chkrootkit
• What trick could be used to detect Knark,
and how could this be avoided by Knark?
• Prevention
• Tripwire
• Disable LKM (loadable kernel modules)
Rootkits
sucKIT
• Linux user space
• Redirected pointer to the SCT
• Attacks kernel via what user file?
Rootkits
sucKIT
• Detection
• chkrootkit
Searching for Suckit rootkit…
Warning: /sbin/init INFECTED
• chkproc
PID 1443(/proc/1443): not in readdir output
PID 1443: not in ps output
You have 1 process hidden for readdir command
You have 1 process hidden for ps command
• Prevention
• Any ideas?
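The chkproc output above comes from a cross-view comparison: the kernel still answers a probe for a PID that a hooked readdir() or a trojaned ps no longer shows. The following is an added example that is not part of the lab materials; it reimplements that comparison in Python (Linux only, and it must be run from trusted binaries to mean anything):

```python
"""Cross-view check for hidden processes, in the spirit of chkproc.

A rootkit that hooks getdents()/readdir() can hide /proc/<pid> from
directory listings and from ps, yet kill(pid, 0) still succeeds (or fails
with EPERM) for a process that exists. Comparing the views exposes the gap.
Linux only; run it from trusted binaries (e.g. a bootable CD).
"""
import os
import subprocess


def readdir_pids() -> set[int]:
    """PIDs visible by listing /proc (what a hooked ls would see)."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def ps_pids() -> set[int]:
    """PIDs reported by ps, the second view chkproc compares."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def probe_pids(max_pid: int) -> set[int]:
    """PIDs that exist according to kill(pid, 0)."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass            # exists, just not ours to signal
        alive.add(pid)
    return alive


def hidden_pids(visible: set[int], alive: set[int]) -> set[int]:
    """PIDs that answer the probe but are absent from a visible view."""
    return alive - visible


def check_system(max_pid: int = 32768) -> dict[str, set[int]]:
    # 32768 is the classic pid_max; read /proc/sys/kernel/pid_max on newer hosts
    alive = probe_pids(max_pid)
    return {"readdir": hidden_pids(readdir_pids(), alive),
            "ps": hidden_pids(ps_pids(), alive)}
```

A process that exits between the two snapshots also shows up in the result, so re-probe each reported PID with os.kill(pid, 0) before calling it hidden.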
Rootkits
Hacker Defender
• Windows
• Changed memory segments and all running processes’ behaviors
• Hide files
• Hide processes
• Hide services
• All TCP ports become potential backdoors!
Rootkits
Hacker Defender
• Detection
• Any anti-virus software
• Why is this so?
• Rootkit Revealer
• Compares Windows API vs. Registry Hive
on disk
• IceSword
• Found the hidden files/folders, processes,
and services
• Prevention
• Any ideas?
Rootkits
FU
• Windows
• via Direct Kernel Object Manipulation
• Hide processes
• Elevate process privileges
• Fake out Windows Event Viewer
• Hide device drivers
Rootkits
FU
• Detection
• Rootkit Revealer can’t see a thing
• Prevention
• Any ideas?
Rootkits
Prevention/Detection Audits
• System binaries can’t be trusted
• BusyBox
• Other Linux bootable CD
• Knoppix
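Tripwire, recommended as prevention on the Lrk4 and Knark slides, and the audit advice above both come down to comparing live files against a trusted baseline taken earlier. The following added example (not the lab's or Tripwire's code) shows the core of such a check; the paths in DEFAULT_PATHS are just the binaries the slides mention:

```python
"""Tripwire-style integrity baseline for system binaries.

Record a fingerprint (SHA-256, size, mode, owner) of each trusted file,
keep the baseline off the host, and later diff the live files against it.
The check itself must run from trusted binaries (bootable CD, BusyBox):
a rootkit that replaces ls or hooks read() can feed a checker on the
infected host the original bytes.
"""
import hashlib
import os

DEFAULT_PATHS = ["/bin/login", "/bin/ls", "/bin/ps", "/sbin/init"]  # examples


def fingerprint(path: str) -> dict:
    """Hash the content and capture the metadata an lrk4-style swap changes."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(paths=DEFAULT_PATHS) -> dict:
    return {p: fingerprint(p) for p in paths if os.path.isfile(p)}


def compare(baseline: dict, current: dict) -> dict:
    """Map each deviating path to a reason: missing, changed fields, or new."""
    findings = {}
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings[path] = "missing"
            continue
        changed = sorted(k for k in old if old[k] != new.get(k))
        if changed:
            findings[path] = "changed: " + ",".join(changed)
    for path in current:
        if path not in baseline:
            findings[path] = "unexpected new file"
    return findings
```

Serialize build_baseline() to JSON on read-only media, then run compare(saved, build_baseline()) from a boot CD; a hash change on /bin/login with size and mode intact is exactly the lrk4 pattern.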
Agenda
• Backdoors and Trojans
• Netcat
• ICMP Backdoor
• VNC
• BO2K Backdoor
• Backdoors in C
• Backdoor Detection
• ACK Tunneling
• Trojans
• Port/Web Knocking
Netcat
• Netcat is a powerful TCP/IP tool; it can be used as a back-end tool controlled by other programs or as a standalone server/client.
• Server/Client
• Program Control
• File Transfer
• Relay
• Tunneling
• FIFO
• Covering Tracks
ICMP Backdoor
• Server installed on an infiltrated
machine
• Uses ICMP packets to hide malicious network traffic
• Why was the server echoing the
commands back to the client?
Virtual Network Computing (VNC)
• A legitimate tool used by network
administrators
• Gives access to all operations for the
user that is remotely logged in
• Bad if hackers can gain access to a running VNC server
BO2K Backdoor
• Very well-known Windows backdoor
• Server/Client
• Many Predefined Functions
• System Commands
• Key Logging
• GUI Commands
• TCP/IP Commands
• MS Networking
• Process Control
• Registry
• Multimedia
• File and Directory
• File Compression
Backdoors in C
• Simple Linux telnet backdoor
• 32 lines of code
• Intercepts the login
• Look for backdoor password
• If not entered goes to the original login
Backdoor Detection
• Netcat, VNC, BO2K
• Firewalls, Port scanning
• Virus check
• Process checking
• ICMP Detection
• Packet Throughput
• Turn off ICMP through gateways
• Backdoor in C
• Checking for file integrity
Backdoor Detection Cont…
• TCPView
• Scans for active ports
• Provides info on process using the port
• Path info/command used to start process
• Allows you to end running processes
ACK Tunneling
• Used to gain access to a computer
behind a firewall
• Most system admins set up firewalls in a way that blocks most illegitimate traffic
• All stateless firewalls allow ACK messages to pass
• Majority of firewalls are stateless
• Stateful firewalls keep the state of the connections
• Sets the ACK flag to gain access
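The slide's two claims, that a stateless firewall passes any ACK and that a stateful one keeps connection state, are easiest to see side by side. The following is an added example, not from the lab: a toy stateless rule and a toy stateful filter fed the same constructed packets.

```python
"""Why a stateful firewall stops ACK tunneling.

A stateless 'established' rule admits any inbound segment with the ACK
bit set, so a tunnel that simply sets ACK on every packet walks through.
A stateful filter admits inbound segments only for connections it has
already recorded, so the same packet is dropped. Packets here are
constructed records, not captured traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters, e.g. "S", "SA", "A", "PA", "R"
    inbound: bool   # True when it arrives from the untrusted side


def stateless_allow(p: Packet) -> bool:
    """Stateless ACL: outbound always; inbound only if ACK is set."""
    return (not p.inbound) or ("A" in p.flags)


class StatefulFilter:
    """Tracks connections opened from the inside by their 4-tuple."""

    def __init__(self) -> None:
        self.table: set[tuple] = set()

    def allow(self, p: Packet) -> bool:
        # normalise so both directions of one connection share a key
        key = ((p.dst, p.dport, p.src, p.sport) if p.inbound
               else (p.src, p.sport, p.dst, p.dport))
        if not p.inbound:
            if "S" in p.flags and "A" not in p.flags:   # inside host opens
                self.table.add(key)
            return True
        known = key in self.table
        if known and "R" in p.flags:                    # peer resets: forget it
            self.table.discard(key)
        return known
```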
Trojans
“… A malicious program that is
disguised as legitimate software. …
They may look useful or interesting
(or at the very least harmless) to an
unsuspecting user, but are actually
harmful when executed.” ~Wikipedia
Trojans Cont…
• eLitewrap
• Wrapped a legitimate program with a
malicious program that is run in the
background
• Don’t execute suspicious programs
• Look for suspicious processes running
• Explorer's ActiveX
• Installed a backdoor from a webpage
• Don’t allow ActiveX
Port/Web Knocking
• Port Knocking
• Blocks all ports but still allows access
• Will open a specified port when the correct knock sequence is performed
• Knock sequence
• Series of attempts to open certain ports
• Web Knocking
• Is used where web access is allowed through the firewall
• Invalid web commands are sent to the server; they are logged in the error log
• A script that runs intermittently executes the commands
Questions?