A Trojan Report and Analysis of BO2K, NetBus 1.7, and Sub7 Legends
Mike Ware
11/30/04

What is a trojan?
- Any program that overtly does one thing but covertly does something else in a malicious manner.
- Normally provides remote access to a victim's computer.
- Not considered a virus because it does not self-propagate.
- Not considered a worm because it does not automatically spread from one computer to the next over a network.
- Back Orifice, NetBus, and Sub7 are three very popular trojan horses.

Why is a trojan a security threat?
- A trojan cannot install itself. It must be executed by the user. Many users are non-technical individuals and are unaware of their system's activity.
- Detection is difficult. Most trojans are designed to run invisibly to the victim by removing themselves from the process list and hiding their system "footprint".
- A successful trojan attack opens a virtual channel to the victim's file system, registry, process list, service list, and other OS structures.
- Anti-virus and other virus monitoring software will only detect and remove the trojan if its signature is known.
- Recovering from information theft and from the cost of downtime caused by denial-of-service attacks is burdensome.

Overview of BO2K, NetBus 1.7, and Sub7 Legends
- All three were developed by the underground hacking community as RATs (remote access tools).
- All three have the same architecture, which consists of a server and a client.
- Cult of the Dead Cow (cDc) developed BO2K (first version released Aug 1998).
- Mobman developed Sub7 Legends (first version released May 1999).
- Carl-Fredrik Neikter developed NetBus 1.7 (first version released Mar 1998).
- The attacker uses the client to control any remote machine that has the server installed.
- The server is stored on the victim's machine and, once installed, waits for a probe from the client to establish a connection.
- The victim must execute the malicious trojan file. The trojan will normally disguise itself as an appealing program (video, music, game, etc.)
  or attach itself to a legitimate program that, when run, will install both the legitimate application and the attached trojan without the user's knowledge (setup package or self-extracting zip files).

Compare/Contrast Initial Actions
Similarities
- All three copy themselves to some other location. Sub7 Legends and NetBus 1.7 will place a copy in the Windows directory, while BO2K places a copy in Windows\System32.
- If configured to do so, all three will create registry entries in the auto-run startup keys so they will execute each time Windows is loaded.
- All three disconnect from the original file and execute the planted second copy.
- All three open some port.
Differences
- filename of the server file
- number and names of other files created and used by the server
- number, type, name, and location of created registry edits
- server port usage

Connection Method
- The attacker only needs to know the IP address of the victim.
- BO2K: Can password protect the server using 3DES or XOR encryption.
- NetBus 1.7: Can password protect the server. Can be notified of the victim's connection using a specified SMTP engine.
- Sub7 Legends: Can password protect the server. The attacker can be notified by ICQ, IRC, or email.

Operational Capabilities
- Once connected, the attacker has full access to the victim's operating system functionality.
- File System manipulation: find/delete/view/move/rename/copy files; create/delete directories; download/upload files.
- Key Logging ability: BO2K logs to a viewable file, while Sub7 and NetBus log "real-time".
- Port Redirection: allows the attacker to send input to another machine using the victim's machine.
- System Functions: view, kill, and start processes; view and close active windows; mouse control (move/hide pointer, enable tails, reverse buttons); perform system shutdown, log off, restart, and power off.

Other Interesting Features
Sub7 and BO2K:
- registry manipulation
- screen or web/video capture; tap the PC microphone
- complete server control: change startup method, server filename, port usage, or remove the server entirely.
  registry manipulation detail: create/delete/rename keys; set/get/delete/rename values; enumerate keys and values
Sub7:
- hide/show desktop, start button, and taskbar
- flip screen horizontally/vertically
- mess with CTRL-ALT-DEL, NUM LOCK, SCROLL LOCK, CAPS LOCK
BO2K:
- XOR and 3DES encryption for client/server communication.
- ability to enhance its functionality through plug-ins (has a software development kit).

BO2K Attack Footprint on XP SP1
File Mods:
- c:\windows\system32\UMGR32.EXE (112 KB)
- Original trojan file remains at its original location if it doesn't delete itself.
Netstat reports: TCP 54320 by default; possibly UDP 54321.
Task manager will report the name of the running server as a process: UMGR32.EXE

NetBus 1.7 Attack Footprint on XP SP1
File Mods:
- c:\windows\patch.exe (483 KB) => running server
- c:\windows\KeyHook.dll (54 KB) => key logging functions
- c:\windows\Memo.txt => attacker note-taking
- c:\windows\Hosts.txt => host connection log
- c:\windows\IP.txt => server IP log
- c:\windows\Patch.ini => server configuration info
Registry Mods:
- HKCU\NETBUS
- HKCU\NETBUS\Settings
- HKCU\Patch
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value: "PATCH"="c:\windows\patch.exe"
Netstat reports two open TCP ports: 12345 and 12346.

Sub7 Legends Attack Footprint on XP SP1
File Mods:
- c:\windows\server.com (364 KB)
- Original trojan file remains at its original location if it doesn't delete itself.
Registry Mods:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  value: "WinLoader"="c:\windows\server.com"
Netstat reports open TCP port 27374 by default.
Task manager will report the name of the running server as a process: server.com

Cyberspace Security Implications
- The ability to remotely control the OS makes a trojan attack far more dangerous than a typical virus or worm.
- Risks of information theft and malicious activity:
  - theft of passwords
  - theft of product designs (this can be crucial to a company)
  - theft of medical, financial, and other personal data
  - interception of email, chat, and video content
  - the attacker can plant incriminating data on the victim's machine (child pornography!)
  - the attacker can find incriminating data and use it against the victim
- Future attacks:
  - DDOS: attack high-risk targets. We have already seen the first trojan, Brador.a, for PocketPC. Imagine a DDOS attack aimed at disabling a multitude of PocketPC devices.
  - Electronic Voting (e-voting)

What can be done to combat trojans?
- Increase user security awareness. This is the President's third highest priority outlined in "The National Strategy to Secure Cyberspace" document.
- Use updated anti-virus protection.
- Properly use software/hardware firewalls.
- Periodically scan using specialized trojan horse PC scanners: windowsecurity.com/trojanscan

Conclusion
- A trojan is any program that overtly does one thing but covertly does something else in a malicious manner.
- The architecture and "footprint" of BO2K, NetBus 1.7, and Sub7 follow a similar pattern.
- BO2K, NetBus 1.7, and Sub7 Legends are a serious and direct threat to current home computing technologies such as e-commerce and banking, as well as to future computing technologies such as e-voting and online surgery procedures.
- We can combat trojan attacks through increased user awareness, properly configured anti-virus software and firewalls, and specialized trojan scanners.
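As an added example that is not part of the original deck, the Python script below turns the indicators from the three "Attack Footprint on XP SP1" slides into the kind of periodic check the "What can be done to combat trojans?" slide recommends: it matches `netstat -ano` output, the auto-run Run-key values, and the files present on disk against the default ports, paths, and value names listed on the slides. The netstat text, Run values, and file list in the block are constructed sample input, and the function names (`parse_netstat`, `scan`) are this example's own. Because all three servers let the attacker change the filename, port, and startup method, the check only catches default configurations; no hit is not proof of a clean machine.

```python
import re

# Indicator table transcribed from the deck's "Attack Footprint on XP SP1" slides.
# Ports are the defaults the deck lists; paths and value names are lower-cased so
# comparisons are case-insensitive, as Windows paths and registry names are.
FOOTPRINTS = {
    "BO2K": {
        "files": {r"c:\windows\system32\umgr32.exe"},
        "run_values": {},
        "ports": {("TCP", 54320), ("UDP", 54321)},
    },
    "NetBus 1.7": {
        "files": {
            r"c:\windows\patch.exe", r"c:\windows\keyhook.dll", r"c:\windows\memo.txt",
            r"c:\windows\hosts.txt", r"c:\windows\ip.txt", r"c:\windows\patch.ini",
        },
        "run_values": {"patch": r"c:\windows\patch.exe"},
        "ports": {("TCP", 12345), ("TCP", 12346)},
    },
    "Sub7 Legends": {
        "files": {r"c:\windows\server.com"},
        "run_values": {"winloader": r"c:\windows\server.com"},
        "ports": {("TCP", 27374)},
    },
}

# One `netstat -ano` row: proto, local addr:port, foreign addr, optional state, PID.
# UDP rows carry no state column, so the state group is optional.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return {(proto, port): pid} for LISTENING TCP sockets and bound UDP sockets."""
    listeners = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # banner, header, or a row in an unexpected layout
        proto, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established / time-wait rows are not a server waiting for its client
        listeners[(proto, int(port))] = int(pid)
    return listeners


def scan(netstat_text, run_values, present_files):
    """Compare observed host state with the indicator table.

    run_values:    {value_name: data} read from the HKLM/HKCU ...\\Run keys
    present_files: paths that exist on disk
    Returns {trojan_name: [finding, ...]} containing only trojans with a hit.
    """
    listeners = parse_netstat(netstat_text)
    files = {p.lower() for p in present_files}
    run = {name.lower(): data.lower() for name, data in run_values.items()}
    findings = {}
    for trojan, ind in FOOTPRINTS.items():
        hits = []
        for proto, port in sorted(ind["ports"]):
            if (proto, port) in listeners:
                hits.append(f"{proto} port {port} open (pid {listeners[(proto, port)]})")
        for path in sorted(ind["files"] & files):
            hits.append(f"file present: {path}")
        for value_name, data in ind["run_values"].items():
            if run.get(value_name) == data:
                hits.append(f"Run value {value_name!r} -> {data}")
        if hits:
            findings[trojan] = hits
    return findings


# Constructed sample input: a host showing the NetBus 1.7 listeners, its Run value
# and two of its files, plus a BO2K UDP socket; the other rows are ordinary noise.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       1588
  TCP    0.0.0.0:12346          0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.5:1045       192.168.1.9:80         ESTABLISHED     1200
  UDP    0.0.0.0:54321          *:*                                    1372
"""
SAMPLE_RUN = {"PATCH": r"C:\WINDOWS\patch.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = [r"C:\WINDOWS\patch.exe", r"C:\WINDOWS\KeyHook.dll",
                r"C:\WINDOWS\system32\ctfmon.exe"]

if __name__ == "__main__":
    for trojan, hits in scan(SAMPLE_NETSTAT, SAMPLE_RUN, SAMPLE_FILES).items():
        print(trojan)
        for hit in hits:
            print("  ", hit)
```

On a live XP host the three inputs would come from `netstat -ano`, the Run/RunServices keys named on the slides, and a directory listing of the Windows directory and System32; the matching logic is the same. A hit on a default port with a PID that Task Manager shows under an unexpected name is the strongest of the three signals, since the deck notes that the servers hide their footprint but still appear as a process.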