十一届全国政协委员职务和界别情况T课件

Setiri:AdvancesinTrojanTechnologyRoelofTemminghHaroonMeerBlackHatUSA2002Setiri:AdvancesinTrojanTec1

ScheduleIntroductionWhyTrojans?BriefHistoryofTrojans&CovertChannelsTheHybridmodelSetiri:AdvancesinTrojanTechnologyDemonstrationTakingitfurtherPossiblefixesScheduleIntroduction2

IntroductionSensePostThespeakersObjectiveofpresentationIntroduction3

WhyTrojans?ProfileofTrojanusersRealcriminals……don’twritebufferoverflowsTheweirdnessoftheindustryExamplesWhyTrojans?4BriefHistoryofTrojans&CovertTunnelsTrojansFromQuickThinkingGreeks…toQuickThinkingGeeksTunnelsCovertChannelsBriefHistoryofTrojans&Cov5Trojans..

ValidIP–NoFiltersValidIP–StatelessFiltersPrivateAddresses–StatefulFiltersPrivate+Stateful+IDS+PersonalFirewalls+ContentChecking+…Trojans..ValidIP–NoFilter6

Trojans..

(ValidIP–NoFilters)“getreal..”Trojans..

(ValidIP–NoFi7

Trojans..

(ValidIP–StatelessFilter)

DialHomeTrojansRandomPorts/OpenPorts/HighPorts[cDc]ACKTunneling[ArneVidstrom]Trojans..

(ValidIP–State8

Trojans..

(StatefulFilters)BackOrifice-

GbotRattlerTrojans..

(StatefulFilters9

BriefHistoryofTrojans&CovertTunnelsTrojansFromQuickThinkingGreeks…toQuickThinkingGeeksTunnelsCovertChannelsBriefHistoryofTrojans&10

Tunnels&CovertChannelsTunnels&CovertChannels11

ConventionalTrojans&howtheyfailStatefulfirewall&IDSDirectmodelDirectmodelwithnetworktricksICMPtunnelingACKtunnelingProperlyconfiguredstatefulfirewallIRCagents+AuthenticationproxyHTTPtunnel++Personalfirewall&AdvancedProxyHTTPtunnelwithAuthentication+++ConventionalTrojans&how12

Hybridmodel:“GatSlag”CombinationbetweencovertTunnelandTrojanDefensesmechanismstoday:Packetfilters(stateful)/NATAuthenticationProxiesIntrusiondetectionsystemsPersonalfirewallsContent/protocolcheckingBiometrics/TokenPads/OnetimepasswordsEncryptionHybridmodel:“GatSlag”13AtypicalnetworkAtypicalnetwork14HowGatSlagworkedReverseconnectionHTTPcoverttunnelMicrosoftInternetExplorerastransportControlsIEviaOLEEncapsulateinIE,notHTTPReceivecommandsintitleofwebpageReceiveencodeddataasplaintextinbodyofwebpageSenddatawithPOSTrequestSendalivesignalswithGETrequestHowGatSlagworked15

WhyGatSlagworkedIntegrationofclientwithMSProxyNTLMauthenticationSSLcapableRegistrychangesPersonalfirewallsJustanotherbrowserPlatformindependentIEoneverydesktopSpecifyControllerViapublicwebpage–theMASTERsiteWhyGatSlagworkedIntegratio16

HowGatSlagworkedIICreatesinvisiblebrowserFindcontrolleratMASTERSendrequesttoControllerIfnoController&&retry>7,gotoMASTERReceivereplyParsereply:+Uploadfile()+Downloadfile+ExecutecommandLoopHowGatSlagworkedII17

WhydefensesfailFirewalls(stateful/NAT)ConfiguredtoallowuserorproxyoutContentlevel&IDSLookslikevalidHTTPrequests&repliesFilesdownloadedastextinwebpagesNodataorportstolockontoSSLprovidesencryptionPersonalfirewallsIEvalidapplicationConfiguredtoallowbrowsingAuthenticationproxiesUsersurfthewebWhydefensesfail18

ProblemswithGatslagTheController’sIPcanbeobtained!HandlingofmultipleinstancesGUIsupportControllerneededtobeonlineBatchcommandsCommandhistoryMultiplecontrollersUploadfacilitynotefficientPlatformsupportStabilitySessionleveltunnelingProblemswithGatslag19

Setiri:AdvancesinTrojanTechnologyDesignnotes:WebsitecontainsinstructionsCGIstocreatenewinstructionController’sinterface:EXEC(DOScommands)TX(Fileupload)RX(Filedownload)Directorystructure–eachinstanceTrojan“surfs”towebsite–justanormaluserwouldSetiri:AdvancesinTrojanTe20

Setiri:AdvancesinTrojanTechnologyIIAnonymityProblemswithnormalproxiesAlreadyusingaproxyProxylogs“Cleaners”provideanonymity“Inbrowserproxy”–AnonymizerTrojan->Cleaner:SSLCleaner->Controller:SSLChallenges:BrowserhistoryTemporaryfilesSetiri:AdvancesinTrojanTe21

22

23

24

DemonstrationDemonstration25

TakingitfurtherSessionleveltunnelingTakingitfurther26FlowcontrolchallengesHowthisisdifferentfromHTTPtunnelingAbrowserisnotasocketNoselectonbrowserTrainmodelTheControllersideCannot“send”BufferingofdataatControllerTheTrojansideMulti-partPOSTsMultipleconnections(HTTP)TruenetworkleveltunnelingFlowcontrolchallenges27

SolvingthedilemmaDeliveryWhitelistingUsereducationAV,personalfirewallsShouldyoualloweveryonetosurfthe‘net?Solvingthedilemma28

ConclusionAwarenessOurmotivationConclusion29演讲完毕，谢谢观看！演讲完毕，谢谢观看！30Setiri:AdvancesinTrojanTechnologyRoelofTemminghHaroonMeerBlackHatUSA2002Setiri:AdvancesinTrojanTec31

ScheduleIntroductionWhyTrojans?BriefHistoryofTrojans&CovertChannelsTheHybridmodelSetiri:AdvancesinTrojanTechnologyDemonstrationTakingitfurtherPossiblefixesScheduleIntroduction32

IntroductionSensePostThespeakersObjectiveofpresentationIntroduction33

WhyTrojans?ProfileofTrojanusersRealcriminals……don’twritebufferoverflowsTheweirdnessoftheindustryExamplesWhyTrojans?34BriefHistoryofTrojans&CovertTunnelsTrojansFromQuickThinkingGreeks…toQuickThinkingGeeksTunnelsCovertChannelsBriefHistoryofTrojans&Cov35Trojans..

ValidIP–NoFiltersValidIP–StatelessFiltersPrivateAddresses–StatefulFiltersPrivate+Stateful+IDS+PersonalFirewalls+ContentChecking+…Trojans..ValidIP–NoFilter36

Trojans..

(ValidIP–NoFilters)“getreal..”Trojans..

(ValidIP–NoFi37

Trojans..

(ValidIP–StatelessFilter)

DialHomeTrojansRandomPorts/OpenPorts/HighPorts[cDc]ACKTunneling[ArneVidstrom]Trojans..

(ValidIP–State38

Trojans..

(StatefulFilters)BackOrifice-

GbotRattlerTrojans..

(StatefulFilters39

BriefHistoryofTrojans&CovertTunnelsTrojansFromQuickThinkingGreeks…toQuickThinkingGeeksTunnelsCovertChannelsBriefHistoryofTrojans&40

Tunnels&CovertChannelsTunnels&CovertChannels41

ConventionalTrojans&howtheyfailStatefulfirewall&IDSDirectmodelDirectmodelwithnetworktricksICMPtunnelingACKtunnelingProperlyconfiguredstatefulfirewallIRCagents+AuthenticationproxyHTTPtunnel++Personalfirewall&AdvancedProxyHTTPtunnelwithAuthentication+++ConventionalTrojans&how42

Hybridmodel:“GatSlag”CombinationbetweencovertTunnelandTrojanDefensesmechanismstoday:Packetfilters(stateful)/NATAuthenticationProxiesIntrusiondetectionsystemsPersonalfirewallsContent/protocolcheckingBiometrics/TokenPads/OnetimepasswordsEncryptionHybridmodel:“GatSlag”43AtypicalnetworkAtypicalnetwork44HowGatSlagworkedReverseconnectionHTTPcoverttunnelMicrosoftInternetExplorerastransportControlsIEviaOLEEncapsulateinIE,notHTTPReceivecommandsintitleofwebpageReceiveencodeddataasplaintextinbodyofwebpageSenddatawithPOSTrequestSendalivesignalswithGETrequestHowGatSlagworked45

WhyGatSlagworkedIntegrationofclientwithMSProxyNTLMauthenticationSSLcapableRegistrychangesPersonalfirewallsJustanotherbrowserPlatformindependentIEoneverydesktopSpecifyControllerViapublicwebpage–theMASTERsiteWhyGatSlagworkedIntegratio46

HowGatSlagworkedIICreatesinvisiblebrowserFindcontrolleratMASTERSendrequesttoControllerIfnoController&&retry>7,gotoMASTERReceivereplyParsereply:+Uploadfile()+Downloadfile+ExecutecommandLoopHowGatSlagworkedII47

WhydefensesfailFirewalls(stateful/NAT)ConfiguredtoallowuserorproxyoutContentlevel&IDSLookslikevalidHTTPrequests&repliesFilesdownloadedastextinwebpagesNodataorportstolockontoSSLprovidesencryptionPersonalfirewallsIEvalidapplicationConfiguredtoallowbrowsingAuthenticationproxiesUsersurfthewebWhydefensesfail48

ProblemswithGatslagTheController’sIPcanbeobtained!HandlingofmultipleinstancesGUIsupportControllerneededtobeonlineBatchcommandsCommandhistoryMultiplecontrollersUploadfacilitynotefficientPlatformsupportStabilitySessionleveltunnelingProblemswithGatslag49

Setiri:AdvancesinTrojanTechnologyDesignnotes:WebsitecontainsinstructionsCGIstocreatenewinstructionController’sinterface:EXEC(DOScommands)TX(Fileupload)RX(Filedownload)Directorystructure–eachinstanceTrojan“surfs”towebsite–justanormaluserwo