Analysis of Advanced Attacks and Malware Techniques (part 1)

L

LabZero

Guest
#1
Recently I'm studying about some sophisticated attack techniques used by criminals to break and infect the systems (Home and Enterprise Network).
The goal is always to steal data and remain persistent in the affected system: "fly under the radar".

The attacker wants to infect while remaining invisible, thus avoiding triggering "alarms", leaving traces in the logs, be detected by various solutions such as firewalls, IDS/IPS, Antimalware and HIPS.

This article is focused on some of the techniques used during the attack.

After compromise a machine, it is necessary to maintain persistent access to the network, for this purpose the choice of payload is crucial.

It's often used a reverse http shell

REVERSE HTTPS

  • REVERSE: the target use firewall with more or less restrictive rules and very often the only configuration is rejecting all incoming connections, especially if the request originated from a computer within the network.Important to the success of the attack, once compromised the remote machine, then get a shell back. The default setting provides for the attackers to connect directly to the shell meeting in this case the firewall block. By setting the reverse option they get to be the compromised machine to act as a client and to contact the C&C (command and control) of the attackers. (It's the same method used by botnets)
  • WINDOWS: In this case the target machine has the Windows operating system and the exploited process has the features needed to use this method.This method allows to load the payload as a DLL within the process itself, which is very useful to avoid white list of applications on the host to process some HIPS (Host Intrusion Prevention System) and some Antivirus that not support memory scan; especially if the process is authorized and signed, only later, loads the DLL inside it.
  • HTTPS: some security systems (Enterprise for example) use other rules to filter outbound traffic, allowing only certain ports/from some applications/with some protocols. In this way all applications are blocked which try to communicate on the Internet (significantly reducing the window of attack), for example: FTP, IRC, TOR, P2P and a large part of malicious agent. The HTTP shell is programmed to seek, on a regular basis, the connection with the attackers and the type of communication choice causes that traffic looks, to the devices willing to perimeter security, as a surfing the internet consisting of requests and responses.
  • FUD: to prevent the various antivirus products recognize the payload, some techniques are implemented to obfuscate the payload and make it unrecognizable to the antimalware signature database, are usually used not public Crypter who remain FUD for a few weeks.
Some of the advanced features of this type of shell are:

  • The ability to use proxy.

  • The payload has a "hardcoded" deadline in it, the default setting is usually one week from the date on which it is generated, this is to prevent a forgotten connection try to connect indefinitely. When it reach this value the shell terminates. The SessionExpirationTimeout to 0 setting will cause the shell to attempt to connect this up when the process is finished or the target machine restarted.

Exit from a session normally results in "killed" the exploit but the attackers use the detach command (by setting the SessionCommunicationTimeout variable to 0 when generating the payload) so the connection is not terminated and it is recoverable; unless the condition is reached SessionExpirationTimeout or that the process is killed.

Some security systems are making further checks, monitoring network traffic and making sure the content of outgoing packets is acceptable (Egress Filter). These controls are able to identify credit card numbers, users, login and various pattern; all this to notice in real time any breaches within the network.

If credit card data in transit, some of these controls stop traffic and warn network administrators, assuming an internal breach that allowed the dump and the exfiltration of data. To overcome these problems it is then used a HTTPS shell, by encrypting the connection and making data unreadable to those tools, while minimizing the risk of being detected (POS malware for example).

ICMP TUNNEL


Generally the security apps (Enterprise especially) block incoming ICMP packets but often allow the same output, thanks to this configuration, an attacker can use ICMP packets to transfer TCP payload(ICMP tunnel).


  • attacker: TCP connection to TCP PROXY software that sends the request to the remote client.
  • remote client :encapsulate TCP payload to ICMP ECHO packets and sends them to the PROXY.
  • PROXY: de-encapsulates the packets and sends TCP responses to the attacker.

Many attackers use Ping Tunnel


TCP PARAMETERS

An old method but it still works pretty well to bypass IDS and IPS is to use unused TCP parameters packets .

Some of the fields that can be used for this purpose are:

  • IP Identification: you must have already established a session between the two sides, after which the data is transferred from bitwise within this field.
  • TCP initial sequence number: this method does not require either to make a connection. A SYN packet is sent with the initial sequence number that contains the payload.
  • Although the answer is RST, the content is already checked out.


TCP initial sequence acknowledgement number: more complex than the previous method, It's necessary to use a bounce server whose only purpose is to receive packets and forward them to the attacker's machine.

  • The client generates a TCP SYN packet with source, the server address of the attackers (IP address spoofing) and destination address of the bounce server.
  • The value of the Initial Sequence Number (ISN) contains the encoded character (ISNq).
  • The Bounce server receives the packet and responds with SYN/ACK or RST, It depends on whether the door is open or closed. The response is sent to the receiving server (the attacker server) because it has been "spoofed" his address.
  • The answer will be in this format SYNB, ACK (ISNq + 1).
  • The attacker's server receives this packet and retrieves the value from the field.

CONCLUSION

I conclude this thread saying that these techniques include not only attacks that include network intrusion target but the attackers also provide other techniques: Social Engineering and Phishing that cause many victims, especially among inexperienced users.

In the next threads I will explain other persistent attack techniques.

Thanks for reading :)