CIS 442 Chapter 4 Trojan Horses


Trojan Horses and Backdoors
• A Trojan Horse is a seemingly innocent application that contains malicious code hidden somewhere inside it.
• Trojans are often useful programs that have unnoticeable, yet harmful, side effects.
• The history of the name
• Characteristics
• Differences from viruses and worms

Applications of Trojans
• Trojans do not replicate
– This is the main difference from worms and viruses, but today many Trojans are spread by virus-like mechanisms
• SSH
• Ways to counter key loggers
• Password encryption

Installing Trojans
• Applications that can be used to include Trojans with free or utility software

Typical purposes of Malware
• Backdoor access: the attacker gains unlimited access to the machine.
• Denial-of-service (DoS) attacks: infect a huge number of machines that try simultaneously to connect to a target server in the hope of overwhelming it and making it crash.
• Vandalism: e.g., defacing a web site.
• Resource theft: e.g., stealing other users' computing and network resources, such as using your neighbor's wireless network.
• Information theft: e.g., stealing other users' credit card numbers.

Trojan horses: Operation (1)
• Embed a malicious element inside an otherwise benign program.
• The victim:
1. receives the infected program,
2. launches it,
3. remains oblivious of the fact that the system has been infected.
• The application continues to operate normally to eliminate any suspicion.

• Fool users into believing that a file containing a malicious program is really an innocent file such as a video clip or an image.
– This is easy to do on MS Windows because file types are determined by their extension rather than by examining the file headers.
– e.g., "A Great Picture.jpg.exe"
• The .exe might not be visible in the browser.
• The Trojan author can create a picture icon that is the default MS Windows icon for .jpg files.
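The slides' point is that Windows trusts the extension rather than the file's contents. The following is an added example, not code from the slides or the course: it reads the leading bytes (magic numbers) of a file, compares them with what the name claims, and separately flags the "innocent extension followed by an executable extension" pattern such as A Great Picture.jpg.exe. The sample file names and headers are constructed in memory; the magic-number table holds well-known signatures, and read_header() is the only part that touches a real file.

```python
"""Flag files whose name disguises their real type.

Added example, not from the slides: Windows picks a file's type from its
extension, so "A Great Picture.jpg.exe" passes as an image. A defender can
instead read the leading bytes (magic numbers), compare them with what the
name claims, and flag the innocent-extension-then-executable pattern.
The samples below are constructed in memory; read_header() shows how to
do the same on a real file.
"""
import os

# Leading bytes of a few common formats (well-known magic numbers).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
    ".zip": (b"PK\x03\x04",),
    ".exe": (b"MZ",),          # DOS/PE executable header
}
# Extensions Windows will execute, and extensions users regard as harmless.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
INNOCENT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc", ".mp4", ".avi"}
# Aliases that name the same content type.
SAME_TYPE = {".jpeg": ".jpg"}


def extensions(filename):
    """All extensions in a name, lowercased: 'a.jpg.exe' -> ['.jpg', '.exe']."""
    parts = os.path.basename(filename).split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def content_type(header):
    """Extension implied by the leading bytes, or None if unrecognised."""
    for ext, magics in MAGIC.items():
        if any(header.startswith(m) for m in magics):
            return ext
    return None


def read_header(path, size=16):
    """Leading bytes of a real file (enough for every signature in MAGIC)."""
    with open(path, "rb") as fh:
        return fh.read(size)


def assess(filename, header):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    exts = extensions(filename)
    # Pattern from the slides: harmless-looking extension followed by an executable one.
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in INNOCENT_EXTS:
        findings.append(f"double extension: looks like {exts[-2]} but runs as {exts[-1]}")
    claimed = SAME_TYPE.get(exts[-1], exts[-1]) if exts else None
    real = content_type(header)
    if real == ".exe" and claimed != ".exe":
        findings.append(f"content is a PE/DOS executable (MZ header) but name claims {claimed or 'no extension'}")
    elif real is not None and claimed is not None and real != claimed:
        findings.append(f"content looks like {real} but name claims {claimed}")
    return findings


# Constructed samples: (name, first bytes of the file).
SAMPLES = {
    "A Great Picture.jpg.exe": b"MZ\x90\x00\x03\x00\x00\x00",   # executable posing as a photo
    "invoice.pdf": b"MZ\x90\x00\x03\x00",                       # executable renamed to .pdf
    "holiday.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF",            # genuine JPEG
    "notes.txt": b"just some text",                             # plain text, no signature
}


def scan_samples():
    """Assess every constructed sample; returns {name: findings}."""
    return {name: assess(name, header) for name, header in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:26} -> {findings or ['ok']}")
```

Only the double-extension check depends on the name; the magic-number comparison catches a renamed executable even when the name has a single, innocent-looking extension, which is the case the slides' "hidden .exe" trick relies on.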

Backdoors
• A backdoor is malware that creates a covert access channel that the attacker can use for:
– connecting to,
– controlling,
– spying on,
– or otherwise interacting with the victim's system.
• Backdoors can be embedded in actual programs that, when executed, enable the attacker to connect to and use the system remotely.
– Backdoors may be planted into the source code by rogue software developers before the product is released.
• This is more difficult to get away with if the program is open source.

• A trivial example of a backdoor is default BIOS, router or switch passwords set either by careless manufacturers or by security administrators.
• A hacker could simply add a new user account with administrator privileges and this would be a sort of backdoor, but far less sophisticated and easily detectable.
• Adding a new service is the most common technique to disguise backdoors in the Windows operating system. This involves tools such as Srvany.exe and Srvinstw.exe, which come with the Resource Kit utilities, and also Netcat.exe [1].

• The principle of this operation is that the srvany.exe tool is installed as a service and then permits netcat.exe to run as a service. The latter, in turn, listens on an appropriate port for any connection. Once connected, it will have spawned a remote shell on the server (using cmd.exe) and from this moment onwards, a hacker has free rein.
• http://www.windowsecurity.com/articles-tutorials/windows_os_security/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
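Because the technique above hides in the service list, the service list is also where a defender looks for it. The following is an added example, not code from the slides or the referenced article: it audits service records for the wrapper tool (srvany.exe), for known listener tools named as the service binary or as the program the wrapper launches, and for service binaries that live outside the usual system directories. The service records are constructed; on a real host the same fields come from `sc qc <name>` or the Win32_Service PathName property, and for srvany the launched program is the Parameters\Application registry value under the service key.

```python
"""Audit Windows service definitions for wrapper-style backdoors.

Added example, not from the slides. The deck describes disguising a backdoor
as a Windows service by registering srvany.exe, which then runs netcat as a
service. A defender can list every service's binary path and, for
srvany-style wrappers, the Parameters\\Application value that names the
program actually launched, then flag known wrapper tools, known listener
tools, and service binaries outside the usual system directories.
The records below are constructed; on a real host they come from
`sc qc <name>` / Win32_Service.PathName and
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\Parameters\\Application.
"""
import ntpath

WRAPPERS = {"srvany.exe"}                              # runs any program as a service
LISTENER_TOOLS = {"nc.exe", "netcat.exe", "ncat.exe"}  # network listener / remote shell tools
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def binary_of(command_line):
    """Executable path from a service command line, quoted or not."""
    cl = command_line.strip()
    if cl.startswith('"'):
        return cl[1:cl.index('"', 1)]
    return cl.split(" ", 1)[0]


def audit_service(svc):
    """Findings for one record {'name', 'image_path', optional 'application'}."""
    findings = []
    binary = binary_of(svc["image_path"])
    exe = ntpath.basename(binary).lower()
    if exe in WRAPPERS:
        findings.append(f"service binary is wrapper {exe}")
        app = svc.get("application")            # what the wrapper actually launches
        if app:
            app_exe = ntpath.basename(binary_of(app)).lower()
            if app_exe in LISTENER_TOOLS:
                findings.append(f"wrapper launches listener tool {app_exe}")
    if exe in LISTENER_TOOLS:
        findings.append(f"service binary is listener tool {exe}")
    if not binary.lower().startswith(TRUSTED_DIRS):
        findings.append(f"binary outside trusted directories: {binary}")
    return findings


def audit_all(services):
    """{service name: findings} for every record; an empty list means clean."""
    return {svc["name"]: audit_service(svc) for svc in services}


# Constructed service records (not taken from any real host).
SERVICES = [
    {"name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"name": "VendorUpdater", "image_path": r'"C:\Program Files\Vendor\updater.exe" /service'},
    {"name": "WinHelper",                                  # srvany wrapping a listener tool
     "image_path": r"C:\Windows\Temp\srvany.exe",
     "application": r"C:\Windows\Temp\netcat.exe"},
    {"name": "Backup", "image_path": r"C:\Users\Public\backup.exe"},
]

if __name__ == "__main__":
    for name, findings in audit_all(SERVICES).items():
        print(f"{name:14} -> {findings or ['ok']}")
```

The trusted-directory check is deliberately independent of the tool names: a renamed copy of the wrapper or listener still stands out when its service binary sits in a temp or user-writable directory, which the name-based checks alone would miss.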

Trojan example
• Buffer overflow in BIND to get root on Lockheed Martin's DNS server, install password sniffer
– Sniffer logs stored in directory called /var/adm/ …
• [email protected] employees connect via dialup; attacker installs remote access Trojans on their machines via open network shares, sniffs IP addresses of promising targets
– To bypass anti-virus scanners, use commercial remote-access software, modified to make it invisible to the user

• 1987: Login program on NASA computers hacked by Chaos Computer Club, steals passwords
• 1999: Hacked login program at U. of Michigan steals 1534 passwords within 23 hours
• 2003: AOL employees tricked into accepting Trojans via AIM; hackers get complete remote control over their machines via IRC
– Also social engineering to steal passwords
• 2003: Badtrans worm installs keystroke-logging Trojan, sends log to one of 22 email accounts

Remote Administration Tools
• Legitimate tools are often abused
– Citrix MetaFrame, WinVNC, PC Anywhere
• Complete remote control over the machine
• Easily found by port scan (e.g., port 1494 – Citrix)
– Bad installations, crackable password authentication
• "The Art of Intrusion" – breaking into a cash transfer company, a bank's IBM AS/400 server
• Semi-legitimate tools
– Back Orifice, NetBus
– Can hide their presence, log keystrokes, etc.
– Considered malicious by anti-virus software

Modern Backdoors
• SSH daemon on a high port
– Communication encrypted, hard for a network-based intrusion detector to recognize
– Hide SSH activity from the host by patching netstat
• UDP listener
• Passively sniff the network for the master's commands
• All sorts of standard and non-standard covert tunnels
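A patched netstat only controls what netstat prints; it does not change the kernel's socket table. The following is an added example, not code from the slides: on Linux it parses /proc/net/tcp directly, lists every socket in LISTEN state, and compares that list both with what the host's netstat reported and with an allow-list of expected ports, so a high-port daemon that netstat omits still shows up. The table excerpt, the netstat report and the allow-list are constructed; read_kernel_table() reads the live file, and the /proc/net/tcp column layout (little-endian hex address, hex port, state 0A for LISTEN) is the kernel's documented format.

```python
"""List listening TCP sockets from the kernel's own table, not from netstat.

Added example, not from the slides. A backdoor can run an SSH daemon on a
high port and hide it by patching netstat; on Linux the kernel still exposes
every socket in /proc/net/tcp. Parsing that file directly and diffing it
against netstat's output and an allow-list of expected ports surfaces the
hidden listener. The table below is constructed; read_kernel_table() reads
the real file on a Linux host.
"""
import socket
import struct

LISTEN_STATE = "0A"   # value of the 'st' column for TCP LISTEN


def parse_addr(field):
    """Decode '0100007F:0CEA' (little-endian hex IPv4, hex port) -> ('127.0.0.1', 3306)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(table_text):
    """(ip, port, inode) for every LISTEN socket in /proc/net/tcp text, sorted by port."""
    found = []
    for line in table_text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN_STATE:
            continue
        ip, port = parse_addr(f[1])                   # f[1] is local_address
        found.append((ip, port, int(f[9])))           # f[9] is the socket inode
    return sorted(found, key=lambda s: s[1])


def read_kernel_table(path="/proc/net/tcp"):
    """Read the live socket table on a Linux host."""
    with open(path) as fh:
        return fh.read()


def hidden_from_netstat(kernel_sockets, netstat_ports):
    """Listeners present in the kernel table but absent from netstat's report."""
    return [(ip, port) for ip, port, _ in kernel_sockets if port not in netstat_ports]


def unexpected_listeners(kernel_sockets, allowed_ports):
    """Listeners on ports not in the host's allow-list."""
    return [(ip, port) for ip, port, _ in kernel_sockets if port not in allowed_ports]


# Constructed /proc/net/tcp excerpt: sshd on 22, a database bound to localhost:3306,
# an unexplained listener on 45763 (0xB2C3), and one established connection.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 20011 1 0000000000000000 100 0 0 10 0
   2: 00000000:B2C3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31877 1 0000000000000000 100 0 0 10 0
   3: 0501000A:0016 3201000A:D2A4 01 00000000:00000000 02:00018B4F 00000000     0        0 18300 2 0000000000000000 20 4 30 10 -1
"""
# What a patched netstat on the same host reported (constructed): the high port is missing.
NETSTAT_REPORTED_PORTS = {22, 3306}
ALLOWED_PORTS = {22, 3306}


def check_host(table_text=PROC_NET_TCP, netstat_ports=NETSTAT_REPORTED_PORTS, allowed=ALLOWED_PORTS):
    """Run both comparisons; returns (hidden_from_netstat, unexpected_listeners)."""
    sockets = listening_sockets(table_text)
    return hidden_from_netstat(sockets, netstat_ports), unexpected_listeners(sockets, allowed)


if __name__ == "__main__":
    hidden, unexpected = check_host()
    print("listeners netstat did not show:", hidden)
    print("listeners not in allow-list:   ", unexpected)
```

The inode column is kept because it is the link back to the owning process: the same number appears as a socket:[inode] entry under /proc/<pid>/fd, so once a hidden listener is found the process holding it can be identified without trusting any userland listing tool.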

Night Dragon Attacks
• Started in November 2009
• Targets: oil, energy, petrochemical companies
• Install customized RAT tools, steal internal documents, deliver them to China
• Propagation vectors
– SQL injection on external Web servers to harvest account credentials
– Targeted emails to company executives (spear phishing)
– Password cracking and "pass the hash" attacks
• See http://www.mcafee.com/us/resources/whitepapers/wp-global-energy-cyberattacks-nightdragon.pdf