Network Attack & Defense II


topics

  • viruses
  • trojans
    • backdoors
    • rootkits
  • worms
  • how we can protect our systems
    • IDS
    • chkrootkit

viruses

  • Viruses are self-replicating programs that spread by inserting their own code into other files.
  • They are not able to run without their host programs.
  • They can damage binaries even without having a real payload, because they may fail to insert their code correctly.
  • They are rather small in size, because a change in the file size of an infected program could be noticed.
  • There are several stealthy approaches viruses use to hide themselves (metamorphic/polymorphic code etc.).
  • In theory they should be easy to detect, because they have to modify files: comparing checksums of infected files with the original checksums should suffice.
  • Viruses consist of three parts:
    • the infector that is able to insert the viral code into other files
    • the trigger
    • the payload
  • Not every virus has to have a payload, there are viruses that exist just to spread.

trojans

  • Trojans are simply programs that claim to do something useful but have unknown side effects.
  • Trojans can be used to install any kind of malware.
  • Often 'trojan' is mixed up with backdoor or rootkit.

backdoors

  • Once a system is compromised, the attacker may want to install some kind of backdoor to have further access to the system.

  • A simple example is: echo "1337 stream tcp nowait root /bin/sh sh">>/etc/inetd.conf
  • This, of course, has several disadvantages:
    • Detectable by just viewing /etc/inetd.conf
    • All your activity is visible to the administrator.
    • netstat -an will show that port 1337 is listening (and that's suspicious :) )

rootkits

There are more stealthy ways of backdooring a system. The idea is simple: when you've got root on a system you can do almost everything you want to:

  • Modify programs like ps, top, w etc., so that your activity is hidden
  • Or even better: modify the kernel to hide your activity
    • This is achieved by an LKM (loadable kernel module) which intercepts some system calls (or replaces some functions in the VFS layer)
    • Such a modification can be very hard to detect, because you can't rely on what the kernel is telling you.

worms

  • Worms spread in networks and don't 'infect' files.
  • They exploit a known vulnerability in software and
  • can run without any host program.
  • Worms can create a great deal of network traffic.
  • Size and complexity of worms differ (from a single UDP packet up to several KB of Perl).

how we can protect our systems

  • When looking from outside the compromised system, it's theoretically possible to identify any malware.
  • Of course that's inefficient, but it shows that there is no 'perfect' malware.
  • The running system's behaviour can give us some hints if anything's wrong. From inside the system we can
    • use virus scanners to find (and sometimes eliminate) viruses
    • check our logfiles regularly (maybe using a log analyzer)
    • scan for signs of rootkits
  • We can also use an IDS (on a separate machine!) to monitor network traffic

ids

  • An IDS can be really helpful: there are some generic and common patterns in many network attacks.
    • For example: an HTTP request containing something like system(foo) can be logged (this doesn't mean it has to be dangerous, but we can analyze it later).
    • Any packet containing many \x90's followed by some machine code can be logged for further analysis.
  • An IDS can't help against viruses (which don't spread in networks on their own).
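The two patterns above, written out as simple IDS-style detection logic. This is an added example for these notes, not code from the page or from any IDS product; the packets are constructed samples, and the source addresses and the 32-byte NOP-run threshold are assumptions chosen for illustration.

```python
import re

# Constructed sample payloads (not real captures): the kind of data an IDS
# sees on the wire, used to exercise the two patterns from the notes.
SAMPLE_PACKETS = [
    ("10.0.0.5", b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
    ("10.0.0.6", b"GET /cgi-bin/foo.cgi?cmd=system(foo) HTTP/1.0\r\n\r\n"),
    ("10.0.0.7", b"\x90" * 64 + b"<machine code would follow here>"),
    ("10.0.0.8", b"\x90\x90\x90 a few stray NOP bytes in ordinary data"),
]

# An HTTP request carrying a system(...) call: worth logging, not proof of an attack.
CMD_PATTERN = re.compile(rb"system\s*\(")

# Minimum run of 0x90 (x86 NOP) bytes before we call it a sled. A handful can
# occur in normal binary traffic, so require a longer run (assumed threshold).
NOP_SLED_MIN = 32
NOP_PATTERN = re.compile(rb"\x90{%d,}" % NOP_SLED_MIN)


def classify(payload: bytes) -> list:
    """Return the names of the suspicious patterns found in one packet payload."""
    hits = []
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")) and CMD_PATTERN.search(payload):
        hits.append("http-system-call")
    m = NOP_PATTERN.search(payload)
    if m:
        hits.append("nop-sled(%d bytes)" % len(m.group(0)))
    return hits


def scan(packets) -> list:
    """Return (source, hits) for every packet that matched at least one pattern."""
    alerts = []
    for src, payload in packets:
        hits = classify(payload)
        if hits:
            alerts.append((src, hits))
    return alerts


if __name__ == "__main__":
    for src, hits in scan(SAMPLE_PACKETS):
        print("ALERT from %s: %s" % (src, ", ".join(hits)))
```

As the notes say, a hit is a reason to look at the packet later, not a verdict: the third sample packet would be flagged, the fourth would not.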

chkrootkit

  • chkrootkit is a shell script that checks for signs of rootkits (and backdoors). For example:
    • suspicious lines in /etc/inetd.conf
    • the promiscuous flag on network devices
    • replaced files (ps, top, w etc.)
    • various sniffers' logs
    • suspicious listening ports
    • rootkit-related kernel symbols

summary

  • Don't rely on tools like chkrootkit or your IDS alone. They can be fooled if the attacker knows what tools you are using.
  • Read the relevant logfiles!
  • Monitor system activity
  • Use an IDS and tools like chkrootkit

references