139.149.1.194: /* ids */

2005-06-13T12:32:11Z

ids

← Older revision		Revision as of 12:32, 13 June 2005
Line 65:		Line 65:
	**For example: An http-request containing something like system(foo) can be logged (doesn't mean, that it has to be dangerous, but we can analyze that later).		**For example: An http-request containing something like system(foo) can be logged (doesn't mean, that it has to be dangerous, but we can analyze that later).
	**Any packets containing many \x90's followed by some machine-code can be logged for further analysis		**Any packets containing many \x90's followed by some machine-code can be logged for further analysis

	*An ids can't help against viruses (that don't spread in networks on their own).		*An ids can't help against viruses (that don't spread in networks on their own). -t est

	==chkrootkit==		==chkrootkit==

80.231.3.140: /* topics */

2005-02-18T22:03:43Z

topics

← Older revision		Revision as of 22:03, 18 February 2005
Line 9:		Line 9:
	**IDS		**IDS
	**chkrootkit		**chkrootkit

	weeeeeeeeeeeeeee

	==viruses==		==viruses==

80.231.3.140: /* topics */

2005-02-18T22:03:25Z

topics

← Older revision		Revision as of 22:03, 18 February 2005
Line 9:		Line 9:
	**IDS		**IDS
	**chkrootkit		**chkrootkit

			weeeeeeeeeeeeeee

	==viruses==		==viruses==

217.81.125.34 at 16:18, 6 February 2005

2005-02-06T16:18:12Z

New page

==topics==

*viruses
*trojans
**backdoors
**rootkits
*worms
*how we can protect our systems
**IDS
**chkrootkit

==viruses==
*Viruses self-replicating programs that spread by inserting their own code into other files.
*They are not able to run without their host-programs.
*They can (even without having a real payload) damage binaries, because they fail to insert their code correctly.
*They are rather small in size because changing the filesize of an infected program could be noticed.
*There are several stealty approaches of viruses to hide themselves (metamorphic/polymorphic code etc.)
*In theory they sould be easy to detect, because the have to modify files. comparing checksums of infected files with original-checksums should suffice.
*Viruses consist of three parts:
**the infector that is able to insert the viral code into other files
**the trigger
**the payload
*Not every virus has to have a payload, there are viruses that exist just to spread.

==trojans==
*Actually trojans are just programs that claim to do something useful but do have unknown side-effects.
*Trojans can be used to install any kind of malware.
*Often 'trojan' is mixed up with backdoor or rootkit

==backdoors==
*Once a system is compromised, the attacker may want to install some kind of backdoor to have further access
to the system.
*A simple example is: echo "1337 stream tcp nowait root /bin/sh sh">>/etc/inetd.conf
*This, of course, has several disadvantages:
**Detectable by just viewing /etc/inetd.conf
**All your activity is visible to the administrator.
**netstat -an will show port 1337 is listening (and that's suspicous :) )

==rootkits==
There are more stealthy ways of backdooring a system.
The idea is simple: when you've got root on a system you can almost do everything you want to:
*Modify all programs like ps, top, w etc., so that your activity is hidden
*Or even better: modify the kernel to hide your activity
**This is achieved by an lkm which intercepts some system-calls (or replaces some functions in the vfs-layer)
**Such a modification can be very hard to detect because you can't rely on what the kernel is telling you.

==worms==
*Worms spread in networks and don't 'infect' files.
*They exploit a known vulnerability in software and
*can run without any host-program.
*Worms can create a big deal of network-traffic.
*Size and complexity of worms differs (from '''one''' udp-packet up to several KB perl)

==how we can protect our systems==
*When looking from outside the compromised system, it's theoretically possible to identify any malware.
*Of course that's inefficient, but it shows, that there is no 'perfect' malware.
*The running systems behaviour can give us some hints if anything's wrong. From inside the system we can
**use virus-scanners to find (and sometimes eiliminate) viruses
**check our logfiles regulary (maybe using a log-analyzer)
**scan for signs of rootkits
*We can also use an IDS (on a seperate machine!) to monitor network-traffic

==ids==
*An ids can be really helpful: There are some generic and common patterns in many network-attacks.
**For example: An http-request containing something like system(foo) can be logged (doesn't mean, that it has to be dangerous, but we can analyze that later).
**Any packets containing many \x90's followed by some machine-code can be logged for further analysis
*An ids can't help against viruses (that don't spread in networks on their own).

==chkrootkit==
*chkrootkit is a shellscript that checks for signs of rootkits (and backdoors). For example:
**suspicious lines in /etc/inetd.conf
**promiscious-flag of network-devices
**replaced files (ps, top, w etc.)
**various sniffers' logs
**suspicious listening ports
**rootkit-related kernel-symbols

==summary==
*Don't rely on tools like chkrootkit or your ids. They can be fooled if the attacker knows what tools you are using.
*Read the relevant logfiles!
*Monitor system-activity
*Use an ids and tools like chkrootkit

==references==

*Silvio Cesare 'Unix viruses': http://vx.netlux.org/lib/vsc02.html
*Adore rootkit: http://stealth.openwall.net/rootkits/
*Snort ids: http://www.snort.org
*chkrootkit: http://www.chkrootkit.org

Network Attack & Defense II - Revision history

139.149.1.194: /* ids */

80.231.3.140: /* topics */

80.231.3.140: /* topics */

217.81.125.34 at 16:18, 6 February 2005