Page 1

TCP/IP Perversion

Rares Stefan, Third Brigade Inc.

SecTor 2007

Page 2

Introduction

- Perspective from a researcher focused on protecting hosts from malware
- Implementing kernel-based protection mechanisms
- Insight into a potential class of network driver malware

Page 3

The Rise of Silent Malware

Three main areas of interest in malware R&D:
- Delivery and activation
- Hiding presence - rootkit techniques
- Evasion - minimize operating noise
  - Show no signs of activity on the infected system
  - Show no traces of network activity on the wire

Page 4

Operational Challenges

- Operate on wire data
- Active at a layer that guarantees transparency to the host
- Correctly perform inline IP reassembly and TCP stream reassembly
- Allow for arbitrary injection/removal of data in TCP sessions

Page 5

Operational Challenges…part deux

Maintain silence on the host:
- Never initiate TCP sessions
- Never receive TCP open-session requests
- Do not rely on TCP port splicing if the infected host is a server
- Do not rely on static motherships if the infected host is a workstation
- Packet modifications should not be easily visible in local network traces

Page 6

Operational Challenges…part trois

Maintain silence on the wire:
- Only make use of legitimate TCP sessions
- Do not alter protocol semantics - resistance to network anomaly detection engines
- Piggyback on encrypted channels (SSL) and multiple TCP sessions for large data transfers

Page 7

Driver Implementation Pre-Vista

(Diagram of the pre-Vista Windows network stack with these layers: User Land, TDI, TCP/IP, FW hook, PF hook, Intermediate driver, NDIS (NDIS.SYS), Miniport driver. Annotations as they appear on the slide:)

- Never
- Access to data stream, not packets
- Some interesting areas
- No guaranteed access to outbound payload
- NDIS hooking:
  - Some delivery challenges
  - Most flexibility
  - Driver signing issues
  - Complete control over hardware drivers to transport protocol communications

Page 8

Rogue Network Driver Framework

- Firewall hook kernel module for basic packet header operations
- IM Filter driver:
  - Inline IP reassembly
  - Inline TCP stream reassembly
  - TCP session normalization

Page 9

Packet Header Modifications

Page 10

Infected Workstation

(Diagram: Alice, Bob and the server; the addresses shown on the slide are 10.0.1.124 and 10.0.1.26. Labels, in slide order:)

- Alice requests https://server
- DNAT – DstIP_server -> DstIP_Bob
- SNAT/DNAT – SrcIP_Alice -> SrcIP_Bob, DstIP_Bob -> DstIP_server
- Translated request reaches server

Page 11

Infected Workstation

(Same diagram and labels as page 10.)

Page 12

Infected Server

(Diagram: Alice and the server. Labels, in slide order:)

- https://server – https request served
- telnet server:80
- Selective DN(P)AT: SrcIP_Alice, SrcIP_server; Dst_Port_443, DstPort_135

Page 13

Infected Server

(Same diagram and labels as page 12.)

Page 14

Packet Header Opportunities

- Passive covert channels
  - http://www.invisiblethings.org/papers/passive-covert-channels-linux.pdf
  - http://www.ouah.org/neural_networks_vs_NUSHU.pdf
  - http://staff.science.uva.nl/~delaat/snb-2005-2006/p27/report.pdf
- Port splicing
  - Most significant; communicating the original intent:
    - DNAT on outgoing SYN – change destination address to that of the MIM
    - Insert original dstIP in header fields
    - MIM double NAT

Page 15

Why Payload Injection?

- Access to packet data
- High bandwidth channel
- Bypass application proxies
- Altering TCP data length on the wire is not trivial!

Page 16

Inline Injection

- Support for IP reassembly on incoming traffic and IP fragmentation on outbound traffic
- Support for TCP stream reassembly – datagram reordering, injection of acknowledgements and resets, among other things

Page 17

Inline TCP Reassembly

Maintain two edges (pre and post modification):
- ISN
- MaxSeq
- MaxAck
- Window
- Maximum SeqNo of filtered data
- Maximum AckNo of filtered data
- Queue/counter for non-ACKed datagrams
- Queue/counter for not-sent datagrams
- Needed window scale
- Actual window scale

Page 18

SMTP Injection – Eliminating Bob from the Equation

- Reduces the complexity of MIM and random redirection
- Works with application level proxies
- Replace RCPT TO argument or inject additional RCPT TO (BCC)
- Increases the probability of detection – SMTP server logs

Page 19

SMTP Injection

(Diagram: Alice, Bob, Eva and the SMTP server. Labels, in slide order:)

- Alice sends Bob a message
- Driver injects BCC to Eva
- Bob receives original message; so does Eva

Page 20

SMTP Injection Demo – Vid1

Page 21

(No text on slide.)

Page 22

(No text on slide.)

Page 23

HTTP Injection

- TCP headers useless – need to find workaround
- Easy workaround but we need to be careful:
  - Transparent proxies (initial HTTP request looks normal, so we’ll always assume we may be transparently “proxied”)
  - Direct proxies – easy to spot in HTTP(s) requests
- URI & headers will help us redirect/leak data
  - Make use of Authorization and Cookie headers – they won’t be scrubbed
  - POST data also presents injection opportunities

Page 24

HTTP Injection

(Diagram: Bob and Alice, a content-filtering web proxy, and google.com. Labels, in slide order:)

- http://www.google.com
- Web Proxy – Content Filtering
- Change request; inject data
- google.com

Page 25

HTTP Injection

(Same diagram and labels as page 24.)

Page 26

SSL Injection Demo

(Diagram: Bob and Alice, perimeter security, and somebank.com. Labels, in slide order:)

- https://somebank.com
- Perimeter Security
- Inject Data
- somebank.com

Page 27

SSL Injection Demo

(Same diagram and labels as page 26.)

Page 28

SSL Alice – browser video

Page 29

Detecting Network Driver Malware

- Conventional detection mechanisms
  - AV, AS signatures; configuration mgmt
- New detection mechanisms
  - Traffic based detection?
    - Malicious destinations, ISN analysis
    - Network trace diff – local vs. remote
    - NDIS based sniffer for better visibility?
- Other
  - Host based application control ineffective
  - DLP?
  - …
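The "network trace diff – local vs. remote" check from this slide, together with the sequence-number edges that page 17 says an injecting driver must keep consistent, as an added example that is not from the talk: one direction of a session as the host's own stack saw it is paired with the same direction as an upstream tap saw it. A DNATed session shows up as a destination mismatch; injected data shows up as a payload change on one segment and then as a constant sequence offset on every later segment. Hosts, addresses and the SMTP lines below are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str        # source IP as seen at this capture point
    dst: str        # destination IP as seen at this capture point
    seq: int        # TCP sequence number of the segment
    payload: bytes  # segment data

def stream(src, dst, seq, chunks):
    """One direction of a session: segments whose seq advances by length."""
    pkts = []
    for data in chunks:
        pkts.append(Pkt(src, dst, seq, data))
        seq += len(data)
    return pkts

def diff_traces(local, remote):
    """Pair host-side and wire-side segments by order; return (index, kind,
    detail) findings. A rewritten destination gives 'address_rewrite'; injected
    data gives 'payload_changed' on that segment and a constant 'seq_shift'
    (the number of bytes added) on every later segment of that direction."""
    findings = []
    expected_shift = 0                      # wire seq minus host seq so far
    for i, (l, r) in enumerate(zip(local, remote)):
        if (l.src, l.dst) != (r.src, r.dst):
            findings.append((i, "address_rewrite", f"{l.src}->{l.dst} became {r.src}->{r.dst}"))
        shift = r.seq - l.seq
        if shift != expected_shift:         # drift not explained by a seen edit
            findings.append((i, "seq_shift", f"wire seq is {shift:+d} vs. host view"))
            expected_shift = shift
        if l.payload != r.payload:
            findings.append((i, "payload_changed", f"{len(l.payload)} -> {len(r.payload)} bytes"))
            expected_shift += len(r.payload) - len(l.payload)
    if len(local) != len(remote):
        findings.append((min(len(local), len(remote)), "count_mismatch",
                         f"{len(local)} host vs. {len(remote)} wire segments"))
    return findings

# Constructed sample (addresses and mail lines are made up): Alice's SMTP
# submission as her own stack sees it, and as an upstream tap sees it after
# a rogue driver (a) injected a BCC or (b) DNATed the session to Bob.
ALICE, SERVER, BOB = "10.0.1.26", "10.0.1.124", "10.0.1.99"
MAIL = b"MAIL FROM:<alice@example.test>\r\n"
RCPT = b"RCPT TO:<bob@example.test>\r\n"
BCC = b"RCPT TO:<eva@example.test>\r\n"   # recipient added on the wire
LOCAL = stream(ALICE, SERVER, 1000, [MAIL, RCPT, b"DATA\r\n"])
INJECTED = stream(ALICE, SERVER, 1000, [MAIL, RCPT + BCC, b"DATA\r\n"])
DNATTED = stream(ALICE, BOB, 1000, [MAIL, RCPT, b"DATA\r\n"])
```

Only the client-to-server direction is compared; the server's acknowledgements would carry the same offset in the other direction, and a tool meant for real captures would pair segments by sequence range rather than by order, since the two taps will not see identical retransmissions.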

Page 30

Conclusions

- Passive kernel malware difficult to spot
- There are significant implementation challenges for coders
- Prevention remains key approach

Page 31

Thank You

The remaining slides carry a title only.

Page 32

Infected Workstation

Page 33

Alice – Browser Capture

Page 34

Alice-Bob Network Traces

Page 35

Alice Driver_SNAT

Page 36

Alice_SNAT

Page 37

Back to Infected Workstation

Page 38

Bob_Double_NAT

Page 39

Bob_Double_NAT

Page 40

Bob_Double_NAT

Page 41

Bob_Double_NAT

Page 42

Back to Infected Workstation

Page 43

Infected Server

Page 44

Server network trace

Page 45

Server SNAT&DPAT

Page 46

Back to Infected Server

Page 47

HTTP Injection

Page 48

Alice – browser video

Page 49

Alice – network trace

Page 50

Alice - original data

Page 51

Alice – driver work

Page 52

Alice – driver work

Page 53

Alice – driver work

Page 54

Alice – driver work

Page 55

Back to HTTP Injection

Page 56

Bob – driver work

Page 57

Bob – modified request

Page 58

Bob – driver work

Page 59

Bob – driver work

Page 60

Back to HTTP Injection

Page 61

SSL Injection

Page 62

Alice – original data

Page 63

Post Insert – Wire Noise!

Page 64

Alice – SSL clean

Page 65

Back to SSL Injection

Page 66

Bob – Post modification. Clean!!

Page 67

Back to SSL Injection