Saturday, April 7, 2007

Back Doors

When someone gets on your system once, they want a way to get in again, so they create an alternate access method for this purpose. This is referred to as a back door. If you plug the initial hole the attacker used, they will still have another way into the system. Sometimes they add a new account. They could also misconfigure files or deliver toolkits. An attacker with a back door really "owns" your system. This attacker might even make the system more secure to keep ownership.

Three main types of back doors are:
  • Application-level trojan horse: These are set up as client/server. The server resides on the attacker's system and the client resides on the victim's system. The victim must install the client portion, and is duped into installing it thinking it does something useful that they want (which may also be true).
  • Kernel-level rootkit: The most difficult to detect or remove, since it lives in the kernel. At the kernel level, so many things can be modified that you cannot trust anything the system tells you; processes, port usage, etc., can all be hidden. Most of the time, the best thing is to reformat your machine.
  • Traditional rootkit: These replace key functions in the system, usually executables and libraries. Once replaced, they act in a trojanized fashion and may open back doors. If they do, they provide a back door password that is generally not logged to audit files, and this password does not change even when all the other system passwords are changed. They began on Unix systems, but have been attacking Windows for several years now. On Windows, the DLLs (dynamic link libraries) are usually attacked. On Unix, the executables in the /bin and /sbin directories are typically attacked. Standard programs that get replaced are du (disk usage), find (finds files, but hides the attacker's files), ifconfig (shows the status of interfaces, but hides promiscuous mode), and ls (lists files, but hides the attacker's files).

How to defend yourself against Application-level trojans?

  • Keep your anti-virus definitions up to date
  • Don't download programs from untrusted sources
  • Don't auto-run ActiveX controls

How to defend yourself against Kernel-level rootkits?

  • Keep the attacker from gaining the required root-level access that is necessary to install any rootkit
  • Don't try to install your own rootkit
  • Use a kernel without LKM (Loadable kernel module) support
  • Use a rootkit checker if you suspect you may have one (chkrootkit for Unix)

How to defend against Traditional rootkits?

  • Prevent attackers from gaining root access--root is required to install a rootkit
  • Never install a rootkit on your system "to study it or for fun"
  • Use the "echo" command like netstat, but it may also be "trojanized" these days...
  • Get a program to scan /bin/login and see if it's been corrupted
  • Use a file integrity checker like tripwire
  • Compare file hashes with a hash database

How to find a "hidden back door"--sometimes discovered by noticing a listening port, although a listening port is not required, since the host machine could open a port only after receiving SYN packets on other ports from the attacker.

  • The Nmap port scanner can help
  • Run "netstat -an" locally
  • Run lsof (Unix) or Inzider (Windows)
  • Look for anomalous traffic
  • Know which legitimate processes should be running, especially if they have root privileges
  • Sometimes you just won't be able to find it...
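One way to act on the "netstat -an" and "know your legitimate processes" advice is to compare the listening sockets against an allow-list of the ports a host is supposed to serve. This is an added example, not code from the original post; the netstat output and the expected-port list are constructed, and it only helps if the netstat binary producing the output is itself trusted (see the traditional rootkit notes above).

```python
# Constructed sample of Linux "netstat -an" output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:44444           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:5555            0.0.0.0:*
"""

# Ports this hypothetical host is supposed to serve, keyed by protocol.
EXPECTED = {("tcp", 22), ("tcp", 25), ("tcp", 80), ("udp", 123)}


def parse_listeners(netstat_text):
    """Return (proto, local_ip, port) for every listening socket.

    TCP sockets are listening when State == LISTEN.  UDP has no state column,
    so a UDP socket whose foreign address is the wildcard '*' is treated as
    listening.  Established connections are skipped.
    """
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue                                  # header and blank lines
        proto = fields[0].rstrip("6")                 # tcp6 -> tcp, udp6 -> udp
        local, foreign = fields[3], fields[4]
        ip, port = local.rsplit(":", 1)               # rsplit keeps IPv6 ':::' intact
        state = fields[5] if len(fields) > 5 else ""
        is_listening = (proto == "tcp" and state == "LISTEN") or \
                       (proto == "udp" and foreign.endswith(":*"))
        if is_listening:
            listeners.append((proto, ip, int(port)))
    return listeners


def unexpected_listeners(netstat_text, expected=EXPECTED):
    """Listeners whose (proto, port) pair is not on the allow-list."""
    return [l for l in parse_listeners(netstat_text) if (l[0], l[2]) not in expected]


if __name__ == "__main__":
    for proto, ip, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected {proto} listener on {ip}:{port}; check the owning process with lsof -i :{port}")
```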

Even virtual machines are susceptible to rootkits! Some other anti-rootkit scanner tools are: Strider GhostBuster and Strider HoneyMonkey, Port Explorer, BOClean, TauScan, Trojan Hunter, and Pest Patrol

Unix Rootkit analysis/detection tools: Chkrootkit (best one), rkscan, carbonite, rkdet, checkps, lsm (loadable security module), lcap (linux kernel capability bounding set editor)

Windows deterrence tools: Tripwire, Symantec, RegistryProt (free at http://www.diamondcs.com.au/index.php?page=products)

Good website with forums on this topic: www.wilderssecurity.com

Vulnerability Scanning

Even if you have an IDS, all pieces of the overall network should be scanned:
  • Network (firewalls, routers, switches, etc)
  • Systems (Servers, Operating System services)
  • Applications (Configuration errors, design flaws)

Why conduct vulnerability scans?

  • Obviously--to find vulnerabilities!!
  • Test your intrusion detection system
  • Test incident response (would your company be able to detect an attack?)
  • Test managed security provider (if you're paying for managed security, you should test them)

How often should you scan?

  • If you're in charge of network, do this at least monthly!

Vulnerability Targets

  • All access points (wireless, vpns, modems, etc.)

There are multiple scanners for different targets

  • firewalls
  • web servers
  • wireless network
  • lotus notes
  • novell netware
  • several others

Attack signature database

  • Must be updatable and kept up to date (otherwise you may miss something)

Once you've found a problem, what should you do?

  • Search the National Vulnerability Database or CVE at (http://nvd.nist.gov/) for ways to protect against or eliminate the vulnerability.
  • Beware of false positives

Scanner characteristics to look for when purchasing

  • Specialization for specific targets requiring protection
  • Ability to perform multiple tests against multiple targets (ip ranges)
  • Reporting mechanism
  • How to fix problems (refers you to CVE or other references)
  • Reasoning for false positives

Open Source Characteristics

  • (Pros) Free!, frequent updates, more vulnerabilities covered, customizable
  • (Cons) Limited support, many false positives, expertise needed
  • Examples: Nessus, Sara, Nmap

Commercial Characteristics

  • (Pros) User-friendly, enhanced report generation
  • (Cons) Cost of software and support can be high
  • Examples: Cybercop, ISS

Conducting Scan

  • Arrange a time (especially if planning a DoS attack)
  • Make sure you have an authorization agreement with system owner that details what/how you will be targeting, etc.
  • Look at things germane to the customer's business case
  • Look at threats and their probabilities (high vs. low vulnerability)
  • Focus on finding vulnerabilities against those things that would most affect the customer

Data Analysis Challenges

  • Lots of false positives to sift through
  • Important data results are not always obvious from scanning tools (Try putting a few low vulnerabilities together to come up with something potentially more severe)
  • Compare results with the vulnerability database

Some notes on Tripwire (System Integrity Verifier)

Both open source and commercial versions are available. Tripwire is a system integrity verifier (not an IDS!!). It looks at files on your system and reports any anomalies. You figure out what the "normal" files/permissions are and let Tripwire know. Tripwire stores this information as hashes in a secure database. On a regular basis (daily, for example), Tripwire computes a new hash for each file and compares it with the hash in the database. If there is a change, it reports this to you so you can look into it. The open source version is missing a lot of the GUIs of the commercial version. Beware that if you install a patch on your system, you may see thousands of changes; you may want to re-baseline Tripwire to represent the files after the patch.

Main steps
1. Tripwire establishes a baseline of your data
2. Periodically performs an integrity check of baseline against data
3. Reports any changes
4. Administrator should examine changes to determine if they are appropriate
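The four steps above, reduced to a small script: hash every file under a directory into a baseline, then rehash later and report what was added, removed or modified. This is an added example and not Tripwire's own code; it keeps the baseline in memory and builds a throwaway directory that it then "trojanizes" to show what a report looks like (real Tripwire stores the baseline in a signed database kept away from the monitored host).

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Step 1: record hash, permission bits and size for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            baseline[os.path.relpath(path, root)] = {
                "sha256": file_digest(path),
                "mode": oct(st.st_mode & 0o777),
                "size": st.st_size,
            }
    return baseline


def integrity_check(root, baseline):
    """Steps 2 and 3: rehash and report added, removed and modified files."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: baseline a fake bin directory, then replace ls and drop a new file."""
    root = tempfile.mkdtemp()
    for name, body in (("ls", b"original ls"), ("du", b"original du")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    baseline = build_baseline(root)
    with open(os.path.join(root, "ls"), "wb") as f:        # traditional rootkit style swap
        f.write(b"trojanized ls")
    with open(os.path.join(root, "extra"), "wb") as f:     # a file that was not there before
        f.write(b"new file")
    return integrity_check(root, baseline)                 # step 4: the admin reviews this


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```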

The Open Source Tripwire will suffice for monitoring a small number of servers where central reporting and management is not necessary. To download the open source version, go to http://www.tripwire.com/products/enterprise/ost/

Intrusion Detection Systems (HIDS vs. NIDS)

This post will list some of the advantages and disadvantages of network and host based intrusion detection systems. Let's start with host-based intrusion detection systems (HIDS).

HIDS advantages:
  • Ability to use things on the system like logs, system services, registry events, etc.

HIDS disadvantages:

  • By the time the HIDS system detects an attack, it's probably too late
  • Uses system resources since it's running on the host.

NIDS advantages:

  • Usually a separate box, so it doesn't take any cycles from the system (no additional overhead).
  • Good for detecting unauthorized outsider access and bandwidth theft or denial of service attacks.
  • Fairly easy to implement
  • Doesn't affect the speed of the network

NIDS disadvantages:

  • Most people don't correctly size and plan for traffic growth (Once the NIDS gets overloaded and begins dropping packets, you can't trust anything coming from it)
  • Only able to look at packets on the wire and it's unable to see anything like audit records, etc., that would be on a system you're protecting.
  • Susceptible to "low and slow" attacks

It's best to use a combination of both NIDS and HIDS. Typically VPN gateways, web, mail, DNS, etc., servers cannot handle the additional overhead of HIDS agents. A good strategy is to use a NIDS and something like Tripwire (a System Integrity Verifier) set to a long alert cycle (~24 hours) for lower overhead. These servers are especially important to protect since about 33% of attacks are aimed against these high value servers.

Use Xinetd instead of inetd or TCP wrappers for Access Control and prevention of DoS attacks

Xinetd stands for eXtended InterNET services Daemon. It's a secure replacement for inetd. It's used to start programs that provide internet services. Rather than having these services up and running for anyone to use (or exploit!), the xinetd daemon listens on all of their ports and starts a service only when a request for it arrives. The advantages of using xinetd are to (1) prevent unnecessary resources from being up when no one needs them, (2) provide access control to services, and (3) provide extensive logging capabilities.

Some of the capabilities of Xinetd are listed below:
  • limit access according to time of day
  • prevent denial of service (DoS) attacks
  • improved security beyond inetd and beyond TCP wrappers (TCP wrappers can only see one connection at a time.)
  • limit size of log files, so others can't fill up your disk (DoS attack)
  • bind services to specific IP address (This is great for making services available to your private network and not the rest of the world)
  • may be used as a proxy to other systems (Use it in combination with ip_masquerading or NAT to reach the internal network)
  • limit rate of incoming connections, number of connections from a specific host, or total connections for a service.
  • supports IPv6
  • ability to offload services to a remote host
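An added example of a service stanza that exercises several of the controls listed above (binding to one address, subnet and time-of-day access control, connection limits, and a size-capped log). It is not from the original post or the xinetd project; the service, paths, addresses and limits are assumed.

```conf
# Hypothetical /etc/xinetd.d/rsync: an internal rsync daemon reachable only
# from the private LAN during working hours, rate-limited, with a capped log.
service rsync
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/bin/rsync
    server_args     = --daemon
    # Bind to the internal interface only; nothing is exposed on the public address.
    bind            = 192.168.10.5
    # Access control: private subnet only, and only between 07:00 and 19:00.
    only_from       = 192.168.10.0/24
    access_times    = 07:00-19:00
    # DoS limits: at most 20 concurrent servers, 3 per source host, and no more
    # than 10 new connections per second before the service pauses for 30 s.
    instances       = 20
    per_source      = 3
    cps             = 10 30
    # Dedicated log with a 1 MB soft limit and 2 MB hard limit so an attacker
    # cannot fill the disk by generating log entries.
    log_type        = FILE /var/log/xinetd-rsync.log 1048576 2097152
    log_on_success  = HOST PID DURATION
    log_on_failure  = HOST ATTEMPT
}
```

After editing, reload xinetd (for example with "kill -HUP" on its PID or the init script) and confirm with "netstat -an" that the service is listening only on the bound address.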

Visit http://www.xinetd.org/ to download xinetd.