Remote Controlled Agent
Avital Yachin, Ran Didi
SoftLab – June 2006
Background
• To what risks are we exposed?
  • System integration
  • Data theft
  • Distributed Denial of Service
• Current protection methods
  • Signature based
  • Heuristic
  • Firewalls
  • Others (sandboxes, ad-hoc tools)
Project Goal
• Exploring current protection methods.
• Test the effectiveness of a standard protection scheme against:
  • Remote code execution
  • Remote configuration of an agent
  • Remote uninstall of an agent
Challenges
• Automated detection
• Human detection
• Firewalls
• Restricted users (non-Admin)
• Scalability
• Persistency
Normal Operation (diagram). Components: Executable, CMDFILE, Agent, Server. Arrow labels as extracted: Request Commands File, Send Commands File, Parse Commands File, Send Executable, Request Executable, Run Executable.
Install Phase (diagram). Components: Loader, Runtime Image, Injection Library; host processes spooler.exe and explorer.exe. Labels as extracted: Inject runtime image to a System process, or to a User process if non-Admin; Delete unnecessary files; Extract files to disk.
Un-Install Phase (diagram). Components: Loader, Runtime Image, Injection Library; host processes spooler.exe and explorer.exe. Labels as extracted: Eject runtime image from host process; Delete unnecessary files; Extract files to disk.
Points of interest
• Standard Win32 APIs / C.
• Code injection (operation within the context of a trusted process).
• Standard HTTP communication.
• Storing required components as binary resources in the loader and extracting them on the fly.
Points of interest - continued
• Clean un-install (ADS).
• UPX packing.
• Social engineering (harder human detection).
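The deck lists UPX packing as a point of interest. As an added example that is not part of the original slides or the project's code, the Python below parses a PE section table and reports the two indicators a defender checks first: UPX's default section names (UPX0/UPX1/UPX2) and high byte entropy in a section's raw data, which survives a renamed section. The two sample images are constructed in-line by the assumed `_build_image` helper (MZ header, PE signature, COFF header and section table only; they are not loadable binaries), and the 7.0-bit entropy threshold is an assumption for the illustration.

```python
import math
import struct

# Section names UPX writes by default (constructed list of well-known values).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def _entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Return [(name, raw_offset, raw_size), ...] from the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # 20-byte COFF header
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt                         # section table start
    sections = []
    for i in range(num_sections):
        off = table + i * 40                             # 40-byte section header
        name = image[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def packer_indicators(image: bytes, entropy_threshold: float = 7.0):
    """Report UPX section names and sections whose raw data looks compressed/encrypted."""
    sections = pe_sections(image)
    names = {name for name, _, _ in sections}
    high = [name.decode("ascii", "replace") for name, ptr, size in sections
            if size and _entropy(image[ptr:ptr + size]) >= entropy_threshold]
    return {"upx_section_names": bool(names & UPX_SECTION_NAMES),
            "high_entropy_sections": high}


def _build_image(section_specs):
    """Constructed minimal PE-like image for the demo: no optional header, not loadable."""
    num = len(section_specs)
    header_size = 0x40 + 4 + 20 + 40 * num
    headers, blobs = b"", b""
    for name, data in section_specs:
        ptr = header_size + len(blobs) if data else 0
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), 0,
                               len(data), ptr, 0, 0, 0, 0, 0)
        blobs += data
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, 0, 0)    # SizeOfOptionalHeader = 0
    return dos + b"PE\0\0" + coff + headers + blobs


# Constructed samples: a UPX-style layout (empty UPX0, uniform-byte UPX1 => 8.0 bits)
# and a plain layout with low-entropy .text/.data.
PACKED_IMAGE = _build_image([(b"UPX0", b""), (b"UPX1", bytes(range(256)))])
PLAIN_IMAGE = _build_image([(b".text", b"\x90" * 256), (b".data", b"\0" * 64)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_IMAGE), ("plain", PLAIN_IMAGE)):
        print(label, packer_indicators(img))
```

Section names are a cheap signal that a renamed or re-packed binary defeats, so the entropy check is kept separate; a short section can also score high by chance, which is why `packer_indicators` reports both indicators rather than a single verdict.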
Conclusions
• Standard protection schemes can be easily bypassed.
• Detection is very difficult on low-footprint operation.
• New protection schemes shall protect processes from code injection.
• New protection approaches?
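The conclusion asks for protection schemes that cover code injection. As an added example, not from the project, the Python below is detection logic run over constructed events shaped like Sysmon Event ID 8 (CreateRemoteThread): it flags remote threads created in the host processes the deck names and threads whose start address is not backed by any loaded module, the typical shape of an injected runtime image. The field names follow Sysmon's (SourceImage, TargetImage, StartModule, TargetProcessId); the event values, the watched-target set and the source allowlist are assumptions.

```python
import ntpath

# Host processes the deck describes as injection targets. The deck says
# "spooler.exe"; the Windows print spooler binary is spoolsv.exe, so both are kept.
WATCHED_TARGETS = {"spooler.exe", "spoolsv.exe", "explorer.exe"}

# Assumed allowlist of sources that legitimately create threads in other
# processes; tune to the environment rather than copying as-is.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_remote_thread_injection(events):
    """Return one alert per suspicious CreateRemoteThread-style event.

    Each event is a dict using Sysmon Event ID 8 field names; other event IDs
    are ignored so the function can run over a mixed stream."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 8:
            continue
        source = ev["SourceImage"]
        if source.lower() in ALLOWED_SOURCES:
            continue
        reasons = []
        if _basename(ev["TargetImage"]) in WATCHED_TARGETS:
            reasons.append("remote thread in watched host process")
        if not ev.get("StartModule"):
            reasons.append("thread start address not backed by a loaded module")
        if reasons:
            alerts.append({"source": source,
                           "target": ev["TargetImage"],
                           "target_pid": ev["TargetProcessId"],
                           "reasons": reasons})
    return alerts


# Constructed sample events (paths and PIDs are made up for the demo).
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "SourceProcessId": 4120, "TargetImage": r"C:\Windows\System32\spoolsv.exe",
     "TargetProcessId": 1388, "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "SourceProcessId": 4120, "TargetImage": r"C:\Windows\explorer.exe",
     "TargetProcessId": 2200, "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "SourceProcessId": 612, "TargetImage": r"C:\Windows\explorer.exe",
     "TargetProcessId": 2200, "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Vendor\updater.exe",
     "SourceProcessId": 3080, "TargetImage": r"C:\Program Files\Vendor\app.exe",
     "TargetProcessId": 3104, "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "LoadLibraryW"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 5000},
]

if __name__ == "__main__":
    for alert in detect_remote_thread_injection(SAMPLE_EVENTS):
        print(alert["target"], alert["target_pid"], "<-", alert["source"],
              "|", "; ".join(alert["reasons"]))
```

This covers only the remote-thread path; the deck does not say how its injection library started execution in the host, and other mechanisms (thread hijacking, APC queuing) leave no Event ID 8 record, so process-access and image-load telemetry are needed alongside it.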