Network Attack & Defense II
- how we can protect our systems
- Viruses: self-replicating programs that spread by inserting their own code into other files.
- They are not able to run without their host programs.
- They can (even without having a real payload) damage binaries, because they may fail to insert their code correctly.
- They are rather small in size, because a change in the file size of an infected program could be noticed.
- Viruses use several stealth techniques to hide themselves (metamorphic/polymorphic code etc.).
- In theory they should be easy to detect, because they have to modify files: comparing the checksums of files against their original (known-good) checksums should suffice.
- Viruses consist of three parts:
  - the infector, which is able to insert the viral code into other files
  - the trigger
  - the payload
- Not every virus has to have a payload; there are viruses that exist just to spread.
- Trojans are simply programs that claim to do something useful but have hidden side effects.
- Trojans can be used to install any kind of malware.
- The term 'trojan' is often confused with 'backdoor' or 'rootkit'.
- Once a system is compromised, the attacker may want to install some kind of backdoor to keep access to the system.
- A simple example is: echo "1337 stream tcp nowait root /bin/sh sh">>/etc/inetd.conf
- This, of course, has several disadvantages:
  - It is detectable just by viewing /etc/inetd.conf.
  - All your activity is visible to the administrator.
  - netstat -an will show that port 1337 is listening (and that's suspicious :) )
- There are more stealthy ways of backdooring a system. The idea is simple: once you've got root on a system you can do almost anything you want:
  - Modify programs like ps, top, w etc., so that your activity is hidden
  - Or even better: modify the kernel to hide your activity
  - This is achieved with an LKM (loadable kernel module) that intercepts some system calls (or replaces some functions in the VFS layer).
- Such a modification can be very hard to detect, because you can no longer rely on what the kernel tells you.
- Worms spread across networks and don't 'infect' files.
- They exploit a known vulnerability in software and can run without any host program.
- Worms can generate a great deal of network traffic.
- Size and complexity of worms differ (from a single UDP packet up to several KB of Perl).
how we can protect our systems
- Looking at the compromised system from outside, it is theoretically possible to identify any malware.
- Of course that's inefficient, but it shows that there is no 'perfect' malware.
- The running system's behaviour can give us hints that something is wrong. From inside the system we can
  - use virus scanners to find (and sometimes eliminate) viruses
  - check our logfiles regularly (maybe using a log analyzer)
  - scan for signs of rootkits
- We can also use an IDS (on a separate machine!) to monitor network traffic.
- An IDS can be really helpful: there are some generic and common patterns in many network attacks.
  - For example: an HTTP request containing something like system(foo) can be logged (that doesn't mean it has to be dangerous, but we can analyze it later).
  - Any packet containing many \x90s followed by some machine code can be logged for further analysis.
- An IDS can't help against viruses (which don't spread across networks on their own).
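The two IDS patterns just mentioned, as an added example (not code from the lecture notes and not any real IDS's rule language): a toy signature matcher that flags an HTTP request carrying a system(...) call and a payload with a long run of \x90 (x86 NOP) bytes followed by other bytes. The packets, addresses and the threshold of 32 NOPs are constructed for illustration.

```python
"""Added example: minimal IDS-style signature matching over packet payloads.

Two signatures from the notes: 'system(' inside an HTTP request, and a NOP sled
(many 0x90 bytes followed by something else). Sample packets are constructed.
"""
import re

# Signature 1: a system(...) call anywhere in an HTTP request (case-insensitive)
SYSTEM_CALL = re.compile(rb"system\s*\(", re.IGNORECASE)

# Signature 2: at least NOP_SLED_MIN consecutive 0x90 bytes followed by a non-NOP byte.
# The threshold is an assumption; real rules tune it against false positives.
NOP_SLED_MIN = 32
NOP_SLED = re.compile(rb"\x90{%d,}(?=[^\x90])" % NOP_SLED_MIN)


def is_http_request(payload):
    """True if the payload starts like an HTTP/1.x request line."""
    return re.match(rb"(GET|POST|HEAD|PUT)\s+\S+\s+HTTP/1\.[01]\r?\n", payload) is not None


def inspect_payload(payload):
    """Return the list of alert names triggered by one packet payload."""
    alerts = []
    if is_http_request(payload) and SYSTEM_CALL.search(payload):
        alerts.append("http-system-call")
    if NOP_SLED.search(payload):
        alerts.append("nop-sled")
    return alerts


def scan(packets):
    """packets: iterable of (src, dst, payload). Returns (src, dst, alert) for each hit;
    packets that match nothing are passed silently, as the notes suggest (log, analyze later)."""
    hits = []
    for src, dst, payload in packets:
        for alert in inspect_payload(payload):
            hits.append((src, dst, alert))
    return hits


# Constructed sample traffic: a normal request, a suspicious request,
# a payload with a NOP sled (0xcc bytes stand in for 'some machine code'),
# and a payload with too few NOPs to count as a sled.
SAMPLE_PACKETS = [
    ("10.0.0.5:43210", "10.0.0.1:80", b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
    ("10.0.0.7:43211", "10.0.0.1:80", b"GET /cgi-bin/test.cgi?cmd=system(foo) HTTP/1.0\r\n\r\n"),
    ("10.0.0.9:5555", "10.0.0.1:1337", b"A" * 10 + b"\x90" * 64 + b"\xcc\xcc\xcc"),
    ("10.0.0.9:5556", "10.0.0.1:1337", b"\x90" * 8 + b"\xcc"),
]

if __name__ == "__main__":
    for src, dst, alert in scan(SAMPLE_PACKETS):
        print(f"{alert}: {src} -> {dst}")
```

Both signatures are deliberately crude: the string match fires on harmless requests too (which is why the notes say to log and analyze later rather than block), and the sled check only sees a single packet, so a sled split across packets, or padded with bytes other than 0x90, passes; real sensors reassemble streams and carry many more patterns.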
- chkrootkit is a shell script that checks for signs of rootkits (and backdoors). For example:
  - suspicious lines in /etc/inetd.conf
  - the promiscuous flag on network devices
  - replaced files (ps, top, w etc.)
  - various sniffers' logs
  - suspicious listening ports
  - rootkit-related kernel symbols
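Two of these checks, applied to the inetd backdoor from the earlier example, as an added example (not code from the lecture notes and not chkrootkit's own code): one function audits inetd.conf entries for services that hand a socket straight to a shell or interpreter, the other parses netstat -an style output for listening TCP ports outside an allow-list. The configuration lines, the netstat output and the allow-list are constructed.

```python
"""Added example: auditing inetd.conf and listening ports for backdoor signs.

Both functions work on plain text, so they can run on copies of the file and
of netstat output captured with trusted binaries. All samples are constructed.
"""

# Programs that should never be the service itself in inetd.conf (assumed list)
SHELL_PROGRAMS = {
    "/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "/bin/zsh",
    "/usr/bin/perl", "/usr/bin/python",
}


def audit_inetd(conf_text):
    """Check inetd.conf lines (service socktype proto wait user program args...).

    Returns a list of (line_no, reason, line) for entries that look like a backdoor:
    the service program is a shell/interpreter, or the service is a bare port number
    instead of a name from /etc/services.
    """
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            findings.append((no, "malformed entry", line))
            continue
        service, _socktype, _proto, _wait, _user, program = fields[:6]
        if program in SHELL_PROGRAMS:
            findings.append((no, "service spawns a shell/interpreter directly", line))
        if service.isdigit():
            findings.append((no, "numeric port instead of a service name", line))
    return findings


def audit_listening(netstat_text, allowed_ports):
    """Parse 'netstat -an' style lines; return listening TCP ports not in allowed_ports
    as sorted (port, local_address) pairs."""
    unexpected = set()
    for raw in netstat_text.splitlines():
        fields = raw.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        local = fields[3]
        port = int(local.rsplit(":", 1)[1])  # works for 0.0.0.0:22 and :::22 alike
        if port not in allowed_ports:
            unexpected.add((port, local))
    return sorted(unexpected)


# Constructed sample data: the last inetd line is the backdoor from the notes.
SAMPLE_INETD = """\
# service socktype proto wait user program args
ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
1337   stream tcp nowait root /bin/sh sh
"""

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1337            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:22             10.0.0.5:43100          ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

ALLOWED_PORTS = {22, 25, 80}  # what this (constructed) host is supposed to serve

if __name__ == "__main__":
    for no, reason, line in audit_inetd(SAMPLE_INETD):
        print(f"inetd.conf line {no}: {reason}: {line}")
    for port, local in audit_listening(SAMPLE_NETSTAT, ALLOWED_PORTS):
        print(f"unexpected listener on {local} (port {port})")
```

Both checks catch only the simple inetd backdoor; as the notes say next, a rootkit that patches netstat or the kernel can hide the listening port, so the netstat output is only worth auditing when it comes from a binary (or a host) the attacker could not have replaced, and the same port list should be confirmed by a scan from the separate IDS machine.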
- Don't rely solely on tools like chkrootkit or your IDS: they can be fooled if the attacker knows which tools you are using.
- Read the relevant logfiles!
- Monitor system activity.
- Use an IDS and tools like chkrootkit.