Setiri: Advances in Trojan Technology Roelof Temmingh & Haroon Meer Defcon 10 Las Vegas 2002
Page 1

Setiri: Advances in Trojan Technology

Roelof Temmingh & Haroon Meer

Defcon 10

Las Vegas 2002

Page 2

Schedule

Introduction

Why Trojans?

Brief History of Trojans & Covert Channels

The Hybrid model

Setiri: Advances in Trojan Technology

Demonstration

Taking it further

Possible fixes

Page 3

Introduction

SensePost

The speakers

Objective of the presentation

Page 4

Why Trojans?

Profile of Trojan users

Real criminals … don’t write buffer overflows

The weirdness of the industry

Examples

Page 5

Brief History of Trojans & Covert Tunnels

Trojans

From Quick Thinking Greeks …

to Quick Thinking Geeks

Tunnels

Covert Channels

Page 6

Trojans (Valid IP – No Filters)

“get real..”

Page 7

Trojans (Valid IP – Stateless Filter)

Dial Home Trojans

Random Ports / Open Ports / High Ports [cDc]

ACK Tunneling [Arne Vidstrom]

Page 8

Trojans (Stateful Filters)

Back Orifice 2000 - http://bo2k.sourceforge.net

Gbot

Rattler

Page 9

Brief History of Trojans & Covert Tunnels

Trojans

From Quick Thinking Greeks …

to Quick Thinking Geeks

Tunnels

Covert Channels

Page 10

Tunnels & Covert Channels

1985 – TSC definition of “Covert Channels”

1996 – Phrack Magazine – LOKI

1998 – RWWWShell – THC

1999 - HTTPTUNNEL – GNU

2000 - FireThru - Firethru

Page 11

Conventional Trojans & how they fail

Stateful firewall & IDS

Direct model

Direct model with network tricks

ICMP tunneling

ACK tunneling

Properly configured stateful firewall

IRC agents +

Authentication proxy

HTTP tunnel ++

Personal firewall & Advanced Proxy

HTTP tunnel with Authentication +++

Page 12

Hybrid model: “GatSlag”

Combination of covert tunnel and Trojan

Defense mechanisms today:

Packet filters (stateful) / NAT

Authentication proxies

Intrusion detection systems

Personal firewalls

Content/protocol checking

Biometrics / token pads / one-time passwords

Encryption

Page 13

A typical network

Page 14

How GatSlag worked

Reverse connection

HTTP covert tunnel

Microsoft Internet Explorer as transport

Controls IE via OLE

Encapsulated in IE, not HTTP

Receive commands in title of web page

Receive encoded data as plain text in body of web page

Send data with POST request

Send alive signals with GET request

Page 15

Why GatSlag worked

Integration of client with MS Proxy

NTLM authentication

SSL capable

Registry changes

Personal firewalls

Just another browser

Platform independent

IE on every desktop

Specify controller

Via public web page – the MASTER site

Page 16

Problems with Gatslag

The Controller’s IP can be obtained!

Handling of multiple instances

GUI support

Controller needed to be online

Batch commands

Command history

Multiple controllers

Upload facility not efficient

Platform support

Stability

Session level tunneling

Page 17

Setiri: Advances in Trojan Technology

Design notes:

Web site contains instructions

CGIs to create new instruction

Controller’s interface:

– EXEC (DOS commands, various)

– TX (File upload)

– RX (File download)

Directory structure – each instance

Trojan “surfs” to web site – just as a normal user would

Page 18

Setiri: Advances in Trojan Technology II

Anonymity

Problems with normal proxies

Already using a proxy

Proxy logs

“Cleaners” provide anonymity

“In browser proxy” – Anonymizer

Trojan -> Cleaner: SSL

Cleaner -> Controller: SSL

Challenges:

Browser history

Temporary files

Page 19

Page 20

Page 21

Page 22

Why defenses fail

Firewalls (stateful/NAT)

Configured to allow user or proxy out

Content level & IDS

Looks like valid HTTP requests & replies

Files downloaded as text in web pages

No data or ports to lock on to

SSL provides encryption

Personal firewalls

IE is a valid application

Configured to allow browsing

Authentication proxies

Users surf the web
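The alive signals sent as GET requests (slide 14) and the point that there are “no data or ports to lock on to” (slide 22) leave a defender one thing that is still measurable: timing. This is an added example, not code from the talk or from SensePost, that scans a constructed proxy log for client/host pairs whose GETs recur at near-constant intervals; the log format, host names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed proxy log (assumed format: time client method url status bytes). 10.0.0.5
# polls one host every 60 s with same-size GETs, the deck's "alive signal"; 10.0.0.7 just browses.
SAMPLE_LOG = """\
2002-08-02T09:00:00 10.0.0.5 GET http://master.example.test/alive 200 512
2002-08-02T09:00:01 10.0.0.5 GET http://news.example.test/index.html 200 8123
2002-08-02T09:01:00 10.0.0.5 GET http://master.example.test/alive 200 512
2002-08-02T09:02:00 10.0.0.5 GET http://master.example.test/alive 200 512
2002-08-02T09:02:30 10.0.0.5 POST http://master.example.test/upload 200 120
2002-08-02T09:03:00 10.0.0.5 GET http://master.example.test/alive 200 512
2002-08-02T09:04:00 10.0.0.5 GET http://master.example.test/alive 200 512
2002-08-02T09:00:20 10.0.0.7 GET http://news.example.test/a.html 200 4000
2002-08-02T09:03:40 10.0.0.7 GET http://news.example.test/b.html 200 5000
"""
def parse_log(text):
    """Yield (timestamp, client, method, host, status, size) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, size = line.split()
        yield (datetime.fromisoformat(ts), client, method,
               urlparse(url).hostname, int(status), int(size))

def beacon_candidates(text, min_requests=4, max_cv=0.2):
    """Return {(client, host): (count, mean_gap_s, cv)} for client/host pairs whose
    GET timing is regular enough to look like an automated alive signal."""
    gets = defaultdict(list)
    for ts, client, method, host, _status, _size in parse_log(text):
        if method == "GET":  # the deck's alive signals are GETs; POSTs carry data
            gets[(client, host)].append(ts)
    found = {}
    for key, stamps in gets.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0  # coefficient of variation of gaps
        if cv <= max_cv:
            found[key] = (len(stamps), avg, cv)
    return found

if __name__ == "__main__":
    for (client, host), (n, avg, cv) in beacon_candidates(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {n} GETs every ~{avg:.0f}s (cv={cv:.2f})")
```

Only the polling pair is reported; the same client's ordinary browsing and the second client's irregular requests fall below the count or regularity thresholds.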

Page 23

Demonstration

Page 24

Solving the dilemma

Delivery

White listing

User education

AV, personal firewalls

Should you allow everyone to surf the ‘net?

Page 25

Conclusion

Awareness

Our motivation