Setiri: Advances in Trojan Technology
Roelof Temmingh, Haroon Meer
BlackHat USA 2002

Schedule
- Introduction
- Why Trojans?
- Brief History of Trojans & Covert Channels
- The Hybrid model
- Setiri: Advances in Trojan Technology
- Demonstration
- Taking it further
- Possible fixes

Introduction
- SensePost
- The speakers
- Objective of presentation

Why Trojans?
- Profile of Trojan users
- Real criminals don't write buffer overflows
- The weirdness of the industry
- Examples

Brief History of Trojans & Covert Tunnels
- Trojans: from Quick Thinking Greeks to Quick Thinking Geeks
- Tunnels
- Covert Channels

Trojans. (the target environment gets progressively harder)
- Valid IP, No Filters
- Valid IP, Stateless Filters
- Private Addresses, Stateful Filters
- Private + Stateful + IDS + Personal Firewalls + Content Checking + ...

Trojans. (Valid IP, No Filters)
- "get real."

Trojans. (Valid IP, Stateless Filter)
- Dial Home Trojans
- Random Ports / Open Ports / High Ports
- cDc
- ACK Tunneling (Arne Vidstrom)

Trojans. (Stateful Filters)
- Back Orifice - http:/
- Gbot
- Rattler

Tunnels & Covert Channels

Conventional Trojans & how they fail
- Stateful firewall & IDS
  - Direct model
  - Direct model with network tricks: ICMP tunneling, ACK tunneling
- Properly configured stateful firewall
  - IRC agents
- + Authentication proxy
  - HTTP tunnel
- + Personal firewall & Advanced Proxy
  - HTTP tunnel with Authentication
- + Hybrid model: "GatSlag"
  - Combination between covert Tunnel and Trojan

Defense mechanisms today
- Packet filters (stateful) / NAT
- Authentication Proxies
- Intrusion detection systems
- Personal firewalls
- Content / protocol checking
- Biometrics / Token Pads / One time passwords
- Encryption

A typical network

How GatSlag worked
- Reverse connection
- HTTP covert tunnel
- Microsoft Internet Explorer as transport
  - Controls IE via OLE
  - Encapsulate in IE, not HTTP
- Receive commands in title of web page
- Receive encoded data as plain text in body of web page
- Send data with POST request
- Send alive signals with GET request

Why GatSlag worked
- Integration of client with MS Proxy
  - NTLM authentication
  - SSL capable
  - Registry changes
- Personal firewalls: just another browser
- Platform independent: IE on every desktop
- Specify Controller via public web page, the MASTER site

How GatSlag worked II
- Creates invisible browser
- Find controller at MASTER
- Send request to Controller
- If no Controller & retry 7, go to MASTER
- Receive reply
- Parse reply:
  - Upload file
  - Download file
  - Execute command
- Loop

Why defenses fail
- Firewalls (stateful / NAT): configured to allow user or proxy out
- Content level & IDS
  - Looks like valid HTTP requests & replies
  - Files downloaded as text in web pages
  - No data or ports to lock on to
  - SSL provides encryption
- Personal firewalls
  - IE is a valid application
  - Configured to allow browsing
- Authentication proxies: users surf the web

Problems with GatSlag
- The Controller's IP can be obtained!
- Handling of multiple instances
- GUI support
- Controller needed to be online
- Batch commands
- Command history
- Multiple controllers
- Upload facility not efficient
- Platform support
- Stability
- Session level tunneling

Setiri: Advances in Trojan Technology
Design notes:
- Web site contains instructions
- CGIs to create new instruction
- Controller's interface:
  - EXEC (DOS commands)
  - TX (File upload)
  - RX (File download)
- Directory structure per instance
- Trojan "surfs" to the web site just as a normal user would

Setiri: Advances in Trojan Technology II
- Anonymity
- Problems with normal proxies
  - Already using a proxy
  - Proxy logs
- "Cleaners" provide anonymity
  - "In browser proxy"
  - Anonymizer
- Trojan - Cleaner: SSL
- Cleaner - Controller: SSL
- Challenges:
  - Browser history
  - Temporary files

Demonstration

Taking it further
- Session level tunneling
- Flow control challenges
- How this is different from HTTP tunneling
  - A browser is not a socket
  - No select on browser
- Train model
- The Controller side
  - Cannot "send"
  - Buffering of data at Controller
- The Trojan side
  - Multi-part POSTs
  - Multiple connections (HTTP)
- True network level tunneling

Solving the dilemma
- Delivery
- White listing
- User education
- AV, personal firewalls
- Should you allow everyone to surf the net?

Conclusion
- Awareness
- Our motivation