CIS 450 – Network Security Chapter 15 – Preserving Access.
Backdoor – a way for an attacker to get back into a network or system without being detected
Common ways to install backdoors
By opening a port and using a listening agent
Examples: Vision Port Scanner (http://linuxpr.com/releases/5354.html), Netcat, Tini – When I went to download the file I received a message from my virus scanner that the .exe file has a virus, which was cured
Through the use of a Trojan program – contains overt and covert programs
Example: QAZ
Rootkits
What is it: http://www.linuxdevcenter.com/pub/a/linux/2001/12/14/rootkit.html
Trojanize key system files on the operating system
File-Level Rootkits
The legitimate program is replaced with the Trojan version
The legitimate program becomes the overt program and the backdoor becomes the covert function
Programs replaced are the ones that a UNIX administrator would use – page 548
Attacker can get back into system and hide his tracks
Operate at the application (user) level
Defending against: file-level rootkits can be discovered by looking for changes in binary programs
Tripwire, AIDE
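A minimal AIDE/Tripwire-style integrity check, as an added example (not code from the lecture or from either tool): it records a baseline of hashes and metadata for a directory tree, then reports which files were modified, added or removed. The directory layout and sample files are constructed inside a temporary directory.

```python
# Added example (not from the lecture): a minimal AIDE/Tripwire-style check.
# It baselines SHA-256 hash, size and permission bits of every regular file
# under a directory, then reports modified, added and removed files. A real
# baseline is kept off-box or on read-only media so it cannot be rewritten.
import hashlib
import os
import stat
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each relative path to (sha256, size, permission bits)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices and other non-regular files
            rel = os.path.relpath(full, root)
            baseline[rel] = (sha256_of(full), st.st_size, stat.S_IMODE(st.st_mode))
    return baseline

def compare(baseline, current):
    """Report which paths changed, appeared or vanished since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario: baseline a fake bin tree, then alter it and re-check."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"original program " + name.encode())
        before = build_baseline(root)
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"replaced program ps")  # same path, different contents
        open(os.path.join(bindir, "login"), "wb").close()  # unexpected new file
        os.remove(os.path.join(bindir, "netstat"))  # program removed
        return compare(before, build_baseline(root))
```

Running `demo()` reports `bin/ps` as modified, `bin/login` as added and `bin/netstat` as removed; the same check fails to help once a kernel-level rootkit lies about file contents, which is the point the next slides make.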
Rootkits
Kernel-Level Rootkits
Operate at the kernel (operating system) level
By altering the heart of the operating system, kernel-level rootkits enable attackers to create a system that appears normal to users and administrators. In reality, the underlying kernel is riddled with attacker modifications, all masked by the manipulated kernel. Kernel-level rootkits usually include the ability to redirect system calls, so when a user wants to run one program--say, ps, netstat or ifconfig--a Trojanized version is executed. These tools can also hide processes, files, sniffer usage and network port usage by altering the kernel so that it "lies" to you. Attackers are using numerous kernel-level rootkits for Linux, Solaris and Windows, among others.
Rootkits
Kernel-level rootkits – continued
Defending Against
Techniques used to defend against file-level rootkits don't work as well on a system with a kernel-level rootkit, as all requests for information go through the rotten kernel itself
While AIDE may show you that your login binary is intact, the kernel-level rootkit redirects execution to the attacker's backdoor
Defeating kernel-level rootkits requires hardening the kernels of critical systems
Saint Jude Project monitors the integrity of a Linux kernel by looking for modifications of the system call table
Can deploy machines with monolithic kernels created by building a kernel that doesn't support loadable kernel modules
Hardening the kernel itself: Pittbull
Hardened versions of Unix and Unix-like OSes such as SELinux and Sun Microsystems Trusted Solaris include additional kernel protections
Note: Kernel-hardening solutions can be unwieldy if widely deployed, because they alter the fundamental operation of the kernel, complicating system administration and possibly breaking third-party tools
UNIX Rootkits
File-level Rootkits
TrojanIT - http://www.rishabhdara.com/link.php?currentgrp=30
Lrk5 - http://www.ossec.net/rootkits/lrk.php
Ark, Rootkit (This has a Trojan embedded in it; received a message from anti-virus software even though I did not download it or open it), and Tk - http://www.antiserver.it/Backdoor-Rootkit/
Kernel-level rootkits
Knark - http://www.rishabhdara.com/link.php?currentgrp=30
Wrappers
A tool that combines two or more files into a single file, usually for the purpose of hiding one of them.
Examples
SilkRope 2000 - http://www.pestpatrol.com/pestinfo/s/silk_rope.asp
Saran Wrap - http://pestpatrol.com/zks/pestinfo/s/saran_wrap_1_0.asp