Network Attack & Defense II

From
Revision as of 12:32, 13 June 2005 by 139.149.1.194 (talk) (→‎ids)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

topics

  • viruses
  • trojans
    • backdoors
    • rootkits
  • worms
  • how we can protect our systems
    • IDS
    • chkrootkit

viruses

  • Viruses self-replicating programs that spread by inserting their own code into other files.
  • They are not able to run without their host-programs.
  • They can (even without having a real payload) damage binaries, because they fail to insert their code correctly.
  • They are rather small in size because changing the filesize of an infected program could be noticed.
  • There are several stealty approaches of viruses to hide themselves (metamorphic/polymorphic code etc.)
  • In theory they sould be easy to detect, because the have to modify files. comparing checksums of infected files with original-checksums should suffice.
  • Viruses consist of three parts:
    • the infector that is able to insert the viral code into other files
    • the trigger
    • the payload
  • Not every virus has to have a payload, there are viruses that exist just to spread.

trojans

  • Actually trojans are just programs that claim to do something useful but do have unknown side-effects.
  • Trojans can be used to install any kind of malware.
  • Often 'trojan' is mixed up with backdoor or rootkit

backdoors

  • Once a system is compromised, the attacker may want to install some kind of backdoor to have further access

to the system.

  • A simple example is: echo "1337 stream tcp nowait root /bin/sh sh">>/etc/inetd.conf
  • This, of course, has several disadvantages:
    • Detectable by just viewing /etc/inetd.conf
    • All your activity is visible to the administrator.
    • netstat -an will show port 1337 is listening (and that's suspicous :) )

rootkits

There are more stealthy ways of backdooring a system. The idea is simple: when you've got root on a system you can almost do everything you want to:

  • Modify all programs like ps, top, w etc., so that your activity is hidden
  • Or even better: modify the kernel to hide your activity
    • This is achieved by an lkm which intercepts some system-calls (or replaces some functions in the vfs-layer)
    • Such a modification can be very hard to detect because you can't rely on what the kernel is telling you.

worms

  • Worms spread in networks and don't 'infect' files.
  • They exploit a known vulnerability in software and
  • can run without any host-program.
  • Worms can create a big deal of network-traffic.
  • Size and complexity of worms differs (from one udp-packet up to several KB perl)

how we can protect our systems

  • When looking from outside the compromised system, it's theoretically possible to identify any malware.
  • Of course that's inefficient, but it shows, that there is no 'perfect' malware.
  • The running systems behaviour can give us some hints if anything's wrong. From inside the system we can
    • use virus-scanners to find (and sometimes eiliminate) viruses
    • check our logfiles regulary (maybe using a log-analyzer)
    • scan for signs of rootkits
  • We can also use an IDS (on a seperate machine!) to monitor network-traffic

ids

  • An ids can be really helpful: There are some generic and common patterns in many network-attacks.
    • For example: An http-request containing something like system(foo) can be logged (doesn't mean, that it has to be dangerous, but we can analyze that later).
    • Any packets containing many \x90's followed by some machine-code can be logged for further analysis
  • An ids can't help against viruses (that don't spread in networks on their own). -t est

chkrootkit

  • chkrootkit is a shellscript that checks for signs of rootkits (and backdoors). For example:
    • suspicious lines in /etc/inetd.conf
    • promiscious-flag of network-devices
    • replaced files (ps, top, w etc.)
    • various sniffers' logs
    • suspicious listening ports
    • rootkit-related kernel-symbols

summary

  • Don't rely on tools like chkrootkit or your ids. They can be fooled if the attacker knows what tools you are using.
  • Read the relevant logfiles!
  • Monitor system-activity
  • Use an ids and tools like chkrootkit

references