OLD WIN32 CODE OLD WIN32 CODE FOR A MODERN, FOR A MODERN, SUPER-STEALTH TROJAN SUPER-STEALTH TROJAN Eric DETOISIEN Eric DETOISIEN – – Team Team Rstack Rstack Eyal Eyal DOTAN DOTAN – – Tegam Tegam International International BLACKHAT EUROPE 2004 BLACKHAT EUROPE 2004 BlackHat BlackHat Europe 2004 Europe 2004 2 2 Agenda Agenda ? Introduction ? Communication model ? Code injection ? API Hooking ? Final demo ? Future evolutions ? Prevention ? Conclusion BlackHat BlackHat Europe 2004 Europe 2004 3 3 Introduction Introduction ? Today there are reliable (?) methods for securing public part of the information system from outside threats (hardening, defense in depth, authentication, crypto, …) ? But the weakest link in information security is still the endpoint a.k.a the workstations. Even if sysadmins can trust their users, how can they trust the programs they are running? BlackHat BlackHat Europe 2004 Europe 2004 4 4 Introduction Introduction ? Trojan horses are more and more widespread, they are very interesting to target the end-user. ? But most Trojan horses are easily detectable and thus are inefficient in a corporate environment behind firewalls, proxies, and desktop security software. BlackHat BlackHat Europe 2004 Europe 2004 5 5 Introduction Introduction ? In this presentation, we will show that it is perfectly possible to implement a super-stealth Trojan horse using Win32 techniques that have been around for over 10 years now. ? We will also discuss prevention methods and discuss about the existence of such stealth programs. ? We'll assume the following protections : User privileges, Desktop Firewall, Edge Firewall, authentication-enabled Proxy BlackHat BlackHat Europe 2004 Europe 2004 6 6 Communication Model Communication Model ? Communication capability is the first thing that trojan needs ? The Trojan horse communicates with the outside world via HTTP protocol. It regularly checks for instructions on a Web server maintained by the attacker. ? Edge firewalls see HTTP requests initiated from inside the network, but they cannot tell the difference between this and a regular Web trafic from a browser BlackHat BlackHat Europe 2004 Europe 2004 7 7 Communication Model Communication Model BlackHat BlackHat Europe 2004 Europe 2004 8 8 Communication Model Communication Model ? This communication mechanism is basic and still quite efficient. ? HTTP Covert Channel isn't new in the security world (HTTPTunnel, Setiri, webdownloader, …) but trojans with this function aren't widely diffused (why ?) ? In a Windows environment the simplest way is to use WININET.DLL BlackHat BlackHat Europe 2004 Europe 2004 9 9 Communication Model Communication Model DEMO [ Simple trojan based on WININET.DLL for HTTP communication] BlackHat BlackHat Europe 2004 Europe 2004 10 10 Communication Model Communication Model HTTPTrojanBasic skills ? HTTP communication ? IE Proxy configuration detection HTTPTrojanBasic drawbacks ? Detected by Personal Firewall ? Blocked by proxy authentification ? Not stealthy ? Survival instinct very low BlackHat BlackHat Europe 2004 Europe 2004 11 11 Code Injection Code Injection Code injection mechanism ? Code injection is a technique that has been known for about 10 years: "Load Your 32-bit DLL into Another Process's Address Space Using INJLIB" - Jeffrey Richter (May 1994). ? Direct code injection (no DLL, pure thread injection). Harder to code but more stealther ? Most importantly: no particular rights are required. All processes that belong to the same user can be injected. BlackHat BlackHat Europe 2004 Europe 2004 12 12 Code Injection Code Injection ? APIs for code injection: ? OpenProcess : get handle on target process ? VirtualAllocEx : memory allocation in target process ? WriteProcessMemory : inject (write) code into allocated memory ? CreateRemoteThread : execute code from target process BlackHat BlackHat Europe 2004 Europe 2004 13 13 Code Injection Code Injection Benefits for a Trojan horse ? Bypassing desktop firewalls by injecting authorized applications. ? Even behavior monitoring software can be fooled by such manipulation. ? Allows the Trojan to easily hook APIs in injected processes, for other purposes (which we'll see in the next section). BlackHat BlackHat Europe 2004 Europe 2004 14 14 Code Injection Code Injection BlackHat BlackHat Europe 2004 Europe 2004 15 15 Code Injection Code Injection BlackHat BlackHat Europe 2004 Europe 2004 16 16 Code Injection Code Injection DEMO [ Previous simple trojan but now it's injected in process] BlackHat BlackHat Europe 2004 Europe 2004 17 17 Code Injection Code Injection HTTPTrojanInjected skills ? HTTP communication ? IE Proxy configuration detection ? Personal Firewall bypass ? Stealthy HTTPTrojanInjected drawbacks ? Blocked by proxy authentification ? Survival instinct very low BlackHat BlackHat Europe 2004 Europe 2004 18 18 Code Injection Code Injection Use in existing malicious programs Today there are several malicious programs that use injection techniques (not necessarily for the same goals described above) : ? BackStealth (proof of concept) ? Optix, Beast and other Trojan horses ? Keylogger … BlackHat BlackHat Europe 2004 Europe 2004 19 19 Code Injection Code Injection Taking code injection farther ? ? Inject and die ?: once the Trojan injected its code, it can terminate and disappear from Windows' task manager and process list. ? Survival of the injected thread: once the Trojan horse dies, it depends on the survival of injected processes. Solution: injecting all user processes at a regular interval. BlackHat BlackHat Europe 2004 Europe 2004 20 20 Code Injection Code Injection DEMO [Multi-Injection Proof of Concept] BlackHat BlackHat Europe 2004 Europe 2004 21 21 Code Injection Code Injection New skills ? Very good survival instinct ? Control of all processes ? Still here ? drawbacks ? Blocked by proxy authentification BlackHat BlackHat Europe 2004 Europe 2004 22 22 API API Hooking Hooking How does it work? ? API hooking has also been known for 10 years: "Peering Inside the PE: A Tour of the Win32 Portable Executable File Format" - Matt Pietrek (March 1994) ? Most popular method: IAT (Import Address Table) hooking. BlackHat BlackHat Europe 2004 Europe 2004 23 23 API API Hooking Hooking ? Doesn't work well for Trojan horses: 1. Not all APIs are IAT-hook friendly! Some APIs call other APIs directly, without using the IAT (LoadLibrary & GetProcAddress) 2. When the Trojan horse is injected, the program may have already obtained the API 's address, before the Trojan could hook GetProcAddress. ? Best method we know of: JMP redirection BlackHat BlackHat Europe 2004 Europe 2004 24 24 API API Hooking Hooking BlackHat BlackHat Europe 2004 Europe 2004 25 25 API API Hooking Hooking BlackHat BlackHat Europe 2004 Europe 2004 26 26 API API Hooking Hooking BlackHat BlackHat Europe 2004 Europe 2004 27 27 API API Hooking Hooking BlackHat BlackHat Europe 2004 Europe 2004 28 28 API API Hooking Hooking int WINAPI SendHook(SOCKET s, const char FAR * buf, int len, int flags) { DWORD ZoneTampon; int Result; // Pre-processing... // Call original API _asm { push flags push len push buf push s call ZoneTampon mov Result, eax } // Post-processing... return (Result); } BlackHat BlackHat Europe 2004 Europe 2004 29 29 API API Hooking Hooking API hooking: What for? ? Identifying communication applications: hooking socket APIs such as ? connect ?. ? Intercepting the CreateProcess API -- making thread survival more efficient, more aggressive. Every time a process is created, the Trojan horse injects it. BlackHat BlackHat Europe 2004 Europe 2004 30 30 API API Hooking Hooking ? Rootkit-like features: hiding files and registry keys to hide the Trojan's most visible items: registry keys for execution at startup, as well as the Trojan's binary itself. All in user mode, and… without local administration privileges! ? API hooking allows the Trojan to log local TCP/IP trafic in user mode and without Admin privileges. BlackHat BlackHat Europe 2004 Europe 2004 31 31 API API Hooking Hooking Here are some actions a Trojan horse can perform : ? Spy e-mail, proxy and socks passwords (send hook) ? Spy incoming and outgoing e-mail messages (recv & send hooks) ? Spy Web authentication data & forms (recv & send hooks) ? Intercept and deny / simulate anti-virus processes connecting to their signature update servers (specific, depends on which anti-virus is to be aimed). BlackHat BlackHat Europe 2004 Europe 2004 32 32 API API Hooking Hooking Malware and API hooking today ? Some malicious programs have implemented API hooking as of today (rootkit like Hacker Defender or Vanquish) Taking API hooking farther ? No DLL injection (same as for thread injection) ? Hooking essential APIs: Winsock APIs, but also LoadLibraryW. BlackHat BlackHat Europe 2004 Europe 2004 33 33 Final Final Demo Demo CASPER THE FRIENDLY TROJAN He really wants to be your friend BlackHat BlackHat Europe 2004 Europe 2004 34 34 Future Evolutions Future Evolutions Injection & API Hooking ? Try to inject code without CreateRemoteThread ? Include a length-disassembler engine for API Hooking BlackHat BlackHat Europe 2004 Europe 2004 35 35 Future Evolutions Future Evolutions Bypassing anti-viruses ? This kind of Trojan horses is made for aimed attacks, not for mass distribution. ? Still, the Trojan horse can escape detection in case it becomes known, by implementing an auto-update feature that keeps changing the Trojan horse's binary. BlackHat BlackHat Europe 2004 Europe 2004 36 36 Future Evolutions Future Evolutions Bypassing anti-viruses ? This kind of auto-update feature is very common for legitimate software. Why not expect to see auto- updating malware? BlackHat BlackHat Europe 2004 Europe 2004 37 37 Future Evolutions Future Evolutions Different communication protocols For our proof-of-concept Trojan horse, we've used HTTP protocol. Other protocols may be used as well: DNS, FTP or SMTP for example. BlackHat BlackHat Europe 2004 Europe 2004 38 38 Future Evolutions Future Evolutions Sniffing encrypted traffic When the navigator communicates via HTTPS, data sent via the ? send ? function is encrypted. By intercepting higher-level APIs, we can see the data before it is encrypted. This depends on the Web browser used. Internet Explorer uses high-level WININET APIs, which allows the Trojan to intercept data before it is encrypted. BlackHat BlackHat Europe 2004 Europe 2004 39 39 Future Evolutions Future Evolutions Remote control This kind of Trojan horse would be even more efficient if it had real-time remote control (just like VNC). The problem left to resolve is the inversed client-server communication we're using -- too heavy for this kind of operations and the HTTP tunneling. BlackHat BlackHat Europe 2004 Europe 2004 40 40 Prevention Prevention ? Hence, prevention is better than cure. ? Protection can be achieved by these steps : 1. Don't let come unknow code to the user 2. Educate user to avoid click everywhere symptom 3. Securing the users' workstations from untrusted code. BlackHat BlackHat Europe 2004 Europe 2004 41 41 Prevention Prevention ? HTTP, FTP and SMTP filters can help, to keep users away from unauthorized executable code. ? Educating and training users to keep away from untrusted code. ? Specific anti-injection techniques (i.e hooking CreateRemoteThread). But this is not the end of the story… There are other more indirect ways of injecting code into other processes. BlackHat BlackHat Europe 2004 Europe 2004 42 42 Conclusion Conclusion ? In Windows, whenever a malicious program is executed, its possibilites are almost unlimited. ? Question: since most of the techniques shown in this presentation already exist, how come we don't see many Trojan horses using them? ? Possible answer: The fact that the Win32 API has only recently been unified (i.e. thread injection didn't exist in Windows 9x, and API hooking was quite different from Windows 9x to NT systems). BlackHat BlackHat Europe 2004 Europe 2004 43 43 Conclusion Conclusion Q&A THANK YOU Eric DETOISIEN http://www.rstack.org http://valgasu.rstack.org valgasu@rstack.org Eyal DOTAN Tegam International http://www.viguard.com edotan@viguard.info http://valgasu.rstack.org/casper/
下载该文档
文档格式:PDF
更新时间:2014-08-08
下载次数:0
点击次数:2
OLD WIN32 CODE OLD WIN32 CODE FOR A MODERN, FOR A MODERN, SUPER-STEALTH TROJAN SUPER-STEALTH TROJAN Eric DETOISIEN Eric DETOISIEN – – Team Team Rstack Rstack Eyal Eyal DOTAN DOTAN – – Tegam Tegam International International BLACKHAT EUROPE 2004 BLACKHAT EUROPE 2004 BlackHat BlackHat Europe 2004 Europe 2004 2 2 Agenda Agenda ? Introduction ? Communication model ? Code injection ? API Hooking ? Final demo ? Future evolutions ? Prevention ? Conclusion BlackHat BlackHat Europe 2004 Europe 2004 3 3 Introduction Introduction ? Today there are reliable (?) methods for securing public part of the information system from outside threats (hardening, defense in depth, authentication, crypto, …) ? But the weakest link in information security is still the endpoint a.k.a the workstations. Even if sysadmins can trust their users, how can they trust the programs they are running? BlackHat BlackHat Europe 2004 Europe 2004 4 4 Introduction Introduction ? Trojan horses are more and more widespread, they are very interesting to target the end-user. ? But most Trojan horses are easily detectable and thus are inefficient in a corporate environment behind firewalls, proxies, and desktop security software. BlackHat BlackHat Europe 2004 Europe 2004 5 5 Introduction Introduction ? In this presentation, we will show that it is perfectly possible to implement a super-stealth Trojan horse using Win32 techniques that have been around for over 10 years now. ? We will also discuss prevention methods and discuss about the existence of such stealth programs. ? We'll assume the following protections : User privileges, Desktop Firewall, Edge Firewall, authentication-enabled Proxy BlackHat BlackHat Europe 2004 Europe 2004 6 6 Communication Model Communication Model ? Communication capability is the first thing that trojan needs ? The Trojan horse communicates with the outside world via HTTP protocol. It regularly checks for instructions on a Web server maintained by the attacker. ? Edge firewalls see HTTP requests initiated from inside the network, but they cannot tell the difference between this and a regular Web trafic from a browser BlackHat BlackHat Europe 2004 Europe 2004 7 7 Communication Model Communication Model BlackHat BlackHat Europe 2004 Europe 2004 8 8 Communication Model Communication Model ? This communication mechanism is basic and still quite efficient. ? HTTP Covert Channel isn't new in the security world (HTTPTunnel, Setiri, webdownloader, …) but trojans with this function aren't widely diffused (why ?) ? In a Windows environment the simplest way is to use WININET.DLL BlackHat BlackHat Europe 2004 Europe 2004 9 9 Communication Model Communication Model DEMO [ Simple trojan based on WININET.DLL for HTTP communication] BlackHat BlackHat Europe 2004 Europe 2004 10 10 Communication Model Communication Model HTTPTrojanBasic skills ? HTTP communication ? IE Proxy configuration detection HTTPTrojanBasic drawbacks ? Detected by Personal Firewall ? Blocked by proxy authentification ? Not stealthy ? Survival instinct very low BlackHat BlackHat Europe 2004 Europe 2004 11 11 Code Injection Code Injection Code injection mechanism ? Code injection is a technique that has been known for about 10 years: "Load Your 32-bit DLL into Another Process's Address Space Using INJLIB" - Jeffrey Richter (May 1994). ? Direct code injection (no DLL, pure thread injection). Harder to code but more stealther ? Most importantly: no particular rights are required. All processes that belong to the same user can be injected. BlackHat BlackHat Europe 2004 Europe 2004 12 12 Code Injection Code Injection ? APIs for code injection: ? OpenProcess : get handle on target process ? VirtualAllocEx : memory allocation in target process ? WriteProcessMemory : inject (write) code into allocated memory ? CreateRemoteThread : execute code from target process BlackHat BlackHat Europe 2004 Europe 2004 13 13 Code Injection Code Injection Benefits for a Trojan horse ? Bypassing desktop firewalls by injecting authorized applications. ? Even behavior monitoring software can be fooled by such manipulation. ? Allows the Trojan to easily hook APIs in injected processes, for other purposes (which we'll see in the next section). BlackHat BlackHat Europe 2004 Europe 2004 14 14 Code Injection Code Injection BlackHat BlackHat Europe 2004 Europe 2004 15 15 Code Injection Code Injection BlackHat BlackHat Europe 2004 Europe 2004 16 16 Code Injection Code Injection DEMO [ Previous simple trojan but now it's injected in process] BlackHat BlackHat Europe 2004 Europe 2004 17 17 Code Injection Code Injection HTTPTrojanInjected skills ? HTTP communication ? IE Proxy configuration detection ? Personal Firewall bypass ? Stealthy HTTPTrojanInjected drawbacks ? Blocked by proxy authentification ? Survival instinct very low BlackHat BlackHat Europe 2004 Europe 2004 18 18 Code Injection Code Injection Use in existing malicious programs Today there are several malicious programs that use injection techniques (not necessarily for the same goals described above) : ? BackStealth (proof of concept) ? Optix, Beast and other Trojan horses ? Keylogger … BlackHat BlackHat Europe 2004 Europe 2004 19 19 Code Injection Code Injection Taking code injection farther ? ? Inject and die ?: once the Trojan injected its code, it can terminate and disappear from Windows' task manager and process list. ? Survival of the injected thread: once the Trojan horse dies, it depends on the survival of injected processes. Solution: injecting all user processes at a regular interval. BlackHat BlackHat Europe 2004 Europe 2004 20 20 Code Injection Code Injection DEMO [Multi-Injection Proof of Concept] BlackHat BlackHat Europe 2004 Europe 2004 21 21 Code Injection Code Injection New skills ? Very good survival instinct ? Control of all processes ? Still here ? drawbacks ? Blocked by proxy authentification BlackHat BlackHat Europe 2004 Europe 2004 22 22 API API Hooking Hooking How does it work? ? API hooking has also been known for 10 years: "Peering Inside the PE: A Tour of the Win32 Portable Executable File Format" - Matt Pietrek (March 1994) ? Most popular method: IAT (Import Address Table) hooking. BlackHat BlackHat Europe 2004 Europe 2004 23 23 API API Hooking Hooking ? Doesn't work well for Trojan horses: 1. Not all APIs are IAT-hook friendly! Some APIs call other APIs directly, without using the IAT (LoadLibrary & GetProcAddress) 2. When the Trojan horse is injected, the program may have already obtained the API 's address, before the Trojan could hook GetProcAddress. ? Best method we know of: JMP redirection BlackHat BlackHat Europe 2004 Europe 2004 24 24 API API Hooking Hooking BlackHat BlackHat Europe 2004 Europe 2004 25 25 API API Hooking Hooking BlackHat BlackHat Europe 2004 Europe 2004 26 26 API API Hooking Hooking BlackHat BlackHat Europe 2004 Europe 2004 27 27 API API Hooking Hooking BlackHat BlackHat Europe 2004 Europe 2004 28 28 API API Hooking Hooking int WINAPI SendHook(SOCKET s, const char FAR * buf, int len, int flags) { DWORD ZoneTampon; int Result; // Pre-processing... // Call original API _asm { push flags push len push buf push s call ZoneTampon mov Result, eax } // Post-processing... return (Result); } BlackHat BlackHat Europe 2004 Europe 2004 29 29 API API Hooking Hooking API hooking: What for? ? Identifying communication applications: hooking socket APIs such as ? connect ?. ? Intercepting the CreateProcess API -- making thread survival more efficient, more aggressive. Every time a process is created, the Trojan horse injects it. BlackHat BlackHat Europe 2004 Europe 2004 30 30 API API Hooking Hooking ? Rootkit-like features: hiding files and registry keys to hide the Trojan's most visible items: registry keys for execution at startup, as well as the Trojan's binary itself. All in user mode, and… without local administration privileges! ? API hooking allows the Trojan to log local TCP/IP trafic in user mode and without Admin privileges. BlackHat BlackHat Europe 2004 Europe 2004 31 31 API API Hooking Hooking Here are some actions a Trojan horse can perform : ? Spy e-mail, proxy and socks passwords (send hook) ? Spy incoming and outgoing e-mail messages (recv & send hooks) ? Spy Web authentication data & forms (recv & send hooks) ? Intercept and deny / simulate anti-virus processes connecting to their signature update servers (specific, depends on which anti-virus is to be aimed). BlackHat BlackHat Europe 2004 Europe 2004 32 32 API API Hooking Hooking Malware and API hooking today ? Some malicious programs have implemented API hooking as of today (rootkit like Hacker Defender or Vanquish) Taking API hooking farther ? No DLL injection (same as for thread injection) ? Hooking essential APIs: Winsock APIs, but also LoadLibraryW. BlackHat BlackHat Europe 2004 Europe 2004 33 33 Final Final Demo Demo CASPER THE FRIENDLY TROJAN He really wants to be your friend BlackHat BlackHat Europe 2004 Europe 2004 34 34 Future Evolutions Future Evolutions Injection & API Hooking ? Try to inject code without CreateRemoteThread ? Include a length-disassembler engine for API Hooking BlackHat BlackHat Europe 2004 Europe 2004 35 35 Future Evolutions Future Evolutions Bypassing anti-viruses ? This kind of Trojan horses is made for aimed attacks, not for mass distribution. ? Still, the Trojan horse can escape detection in case it becomes known, by implementing an auto-update feature that keeps changing the Trojan horse's binary. BlackHat BlackHat Europe 2004 Europe 2004 36 36 Future Evolutions Future Evolutions Bypassing anti-viruses ? This kind of auto-update feature is very common for legitimate software. Why not expect to see auto- updating malware? BlackHat BlackHat Europe 2004 Europe 2004 37 37 Future Evolutions Future Evolutions Different communication protocols For our proof-of-concept Trojan horse, we've used HTTP protocol. Other protocols may be used as well: DNS, FTP or SMTP for example. BlackHat BlackHat Europe 2004 Europe 2004 38 38 Future Evolutions Future Evolutions Sniffing encrypted traffic When the navigator communicates via HTTPS, data sent via the ? send ? function is encrypted. By intercepting higher-level APIs, we can see the data before it is encrypted. This depends on the Web browser used. Internet Explorer uses high-level WININET APIs, which allows the Trojan to intercept data before it is encrypted. BlackHat BlackHat Europe 2004 Europe 2004 39 39 Future Evolutions Future Evolutions Remote control This kind of Trojan horse would be even more efficient if it had real-time remote control (just like VNC). The problem left to resolve is the inversed client-server communication we're using -- too heavy for this kind of operations and the HTTP tunneling. BlackHat BlackHat Europe 2004 Europe 2004 40 40 Prevention Prevention ? Hence, prevention is better than cure. ? Protection can be achieved by these steps : 1. Don't let come unknow code to the user 2. Educate user to avoid click everywhere symptom 3. Securing the users' workstations from untrusted code. BlackHat BlackHat Europe 2004 Europe 2004 41 41 Prevention Prevention ? HTTP, FTP and SMTP filters can help, to keep users away from unauthorized executable code. ? Educating and training users to keep away from untrusted code. ? Specific anti-injection techniques (i.e hooking CreateRemoteThread). But this is not the end of the story… There are other more indirect ways of injecting code into other processes. BlackHat BlackHat Europe 2004 Europe 2004 42 42 Conclusion Conclusion ? In Windows, whenever a malicious program is executed, its possibilites are almost unlimited. ? Question: since most of the techniques shown in this presentation already exist, how come we don't see many Trojan horses using them? ? Possible answer: The fact that the Win32 API has only recently been unified (i.e. thread injection didn't exist in Windows 9x, and API hooking was quite different from Windows 9x to NT systems). BlackHat BlackHat Europe 2004 Europe 2004 43 43 Conclusion Conclusion Q&A THANK YOU Eric DETOISIEN http://www.rstack.org http://valgasu.rstack.org valgasu@rstack.org Eyal DOTAN Tegam International http://www.viguard.com edotan@viguard.info http://valgasu.rstack.org/casper/