1. LabZero

    LabZero Guest

    Recently I have been studying some sophisticated attack techniques used by criminals to break into and infect systems (home and enterprise networks).
    The goal is always to steal data and remain persistent on the affected system: to "fly under the radar".

    The attacker wants to infect while remaining invisible, thus avoiding triggering "alarms", leaving traces in the logs, or being detected by various solutions such as firewalls, IDS/IPS, anti-malware and HIPS.

    This article focuses on some of the techniques used during the attack.

    After compromising a machine, it is necessary to maintain persistent access to the network; for this purpose the choice of payload is crucial.

    A reverse HTTP shell is often used.

    REVERSE HTTPS

    • REVERSE: the target uses a firewall with more or less restrictive rules, and very often the only configuration is to reject all incoming connections, especially if the request originated from a computer within the network. Important to the success of the attack, once the remote machine is compromised, is then getting a shell back. The default setting has the attackers connect directly to the shell, in this case running into the firewall block. By setting the reverse option they make the compromised machine act as a client and contact the attackers' C&C (command and control). (It's the same method used by botnets.)
    • WINDOWS: in this case the target machine runs the Windows operating system and the exploited process has the features needed to use this method. This method allows the payload to be loaded as a DLL within the process itself, which is very useful to get past application whitelists on the host, some HIPS (Host Intrusion Prevention System) and some antivirus products that do not support memory scanning; especially if the process is authorized and signed and only later loads the DLL inside it.
    • HTTPS: some security systems (enterprise ones, for example) use other rules to filter outbound traffic, allowing only certain ports, certain applications or certain protocols. In this way all applications that try to communicate on the Internet are blocked (significantly reducing the attack window), for example FTP, IRC, TOR, P2P and a large part of malicious agents. The HTTP shell is programmed to seek, on a regular basis, the connection with the attackers, and the chosen type of communication makes the traffic look, to the perimeter security devices, like ordinary web browsing consisting of requests and responses.
    • FUD: to prevent the various antivirus products from recognizing the payload, some techniques are implemented to obfuscate the payload and make it unrecognizable to the anti-malware signature database; usually non-public crypters are used, which remain FUD for a few weeks.
    Some of the advanced features of this type of shell are:

    • The ability to use a proxy.

    • The payload has a "hardcoded" deadline in it; the default setting is usually one week from the date on which it is generated, to prevent a forgotten connection from trying to connect indefinitely. When it reaches this value the shell terminates. Setting SessionExpirationTimeout to 0 will cause the shell to keep attempting to connect until the process is finished or the target machine is restarted.

    Exiting from a session normally results in the exploit being "killed", but the attackers use the detach command (setting the SessionCommunicationTimeout variable to 0 when generating the payload) so the connection is not terminated and is recoverable, unless the SessionExpirationTimeout condition is reached or the process is killed.

    Some security systems make further checks, monitoring network traffic and making sure the content of outgoing packets is acceptable (egress filtering). These controls are able to identify credit card numbers, users, logins and various patterns, all in order to notice in real time any breach within the network.

    If credit card data is in transit, some of these controls stop the traffic and warn the network administrators, assuming an internal breach that allowed the dump and exfiltration of the data. To overcome these problems an HTTPS shell is then used, encrypting the connection and making the data unreadable to those tools, while minimizing the risk of being detected (POS malware, for example).

    ICMP TUNNEL


    Generally the security apps (especially enterprise ones) block incoming ICMP packets but often allow outgoing ones; thanks to this configuration, an attacker can use ICMP packets to transfer TCP payloads (ICMP tunnel).

    • attacker: TCP connection to a TCP PROXY software that sends the request to the remote client.
    • remote client: encapsulates the TCP payload in ICMP ECHO packets and sends them to the PROXY.
    • PROXY: de-encapsulates the packets and sends the TCP responses to the attacker.

    Many attackers use Ping Tunnel.


    TCP PARAMETERS

    An old method that still works pretty well to bypass IDS and IPS is to use unused TCP packet parameters.

    Some of the fields that can be used for this purpose are:

    • IP Identification: a session must already have been established between the two sides, after which the data is transferred bit by bit within this field.
    • TCP initial sequence number: this method does not even require making a connection. A SYN packet is sent with an initial sequence number that contains the payload. Although the answer is an RST, the content has already gone through.

    TCP initial sequence acknowledgement number: more complex than the previous method; it is necessary to use a bounce server whose only purpose is to receive packets and forward them to the attacker's machine.

    • The client generates a TCP SYN packet with, as source, the address of the attackers' server (IP address spoofing) and, as destination, the address of the bounce server.
    • The value of the Initial Sequence Number (ISN) contains the encoded character (ISNq).
    • The bounce server receives the packet and responds with SYN/ACK or RST, depending on whether the port is open or closed. The response is sent to the receiving server (the attacker's server) because its address has been "spoofed".
    • The answer will be in this format: SYNB, ACK (ISNq + 1).
    • The attacker's server receives this packet and retrieves the value from the field.

    CONCLUSION

    I conclude this thread by saying that these techniques include not only attacks that target network intrusion; the attackers also use other techniques, social engineering and phishing, that claim many victims, especially among inexperienced users.

    In the next threads I will explain other persistent attack techniques.

    Thanks for reading :)
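The post describes the HTTPS reverse shell as traffic that "seeks, on a regular basis" the attackers' server and looks like web browsing to the perimeter, while TLS hides the content from egress inspection. What a defender still has is connection metadata, and a shell that calls home on a timer leaves a very regular pattern in it. The following is an added example (not part of the original post, and not from any product or tool mentioned in it) that parses a constructed proxy log and flags client/host pairs whose connection intervals have almost no jitter. The log format, the field names and the threshold values are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from any real system). Fields, space separated:
# timestamp client method host:port status bytes
# One host is contacted every ~300 s with a near-constant response size;
# the others are ordinary, irregular browsing.
SAMPLE_LOG = """\
2016-03-01T10:00:00 10.0.0.7 CONNECT update.example-cdn.test:443 200 1450
2016-03-01T10:00:05 10.0.0.7 CONNECT mail.example.test:443 200 22310
2016-03-01T10:05:01 10.0.0.7 CONNECT update.example-cdn.test:443 200 1452
2016-03-01T10:09:59 10.0.0.7 CONNECT update.example-cdn.test:443 200 1449
2016-03-01T10:11:40 10.0.0.7 CONNECT news.example.test:443 200 98120
2016-03-01T10:15:00 10.0.0.7 CONNECT update.example-cdn.test:443 200 1451
2016-03-01T10:20:02 10.0.0.7 CONNECT update.example-cdn.test:443 200 1450
2016-03-01T10:24:58 10.0.0.7 CONNECT update.example-cdn.test:443 200 1453
2016-03-01T10:30:00 10.0.0.7 CONNECT update.example-cdn.test:443 200 1450
2016-03-01T10:33:17 10.0.0.7 CONNECT news.example.test:443 200 40211
2016-03-01T10:47:02 10.0.0.7 CONNECT news.example.test:443 200 55020
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) ([^:\s]+):(\d+) (\d{3}) (\d+)$")


def parse_log(text: str) -> list:
    """Turn log lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, method, host, port, status, nbytes = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "method": method, "host": host, "port": int(port),
                        "status": int(status), "bytes": int(nbytes)})
    return records


def beacon_candidates(records, min_connections: int = 5,
                      max_interval_cv: float = 0.1) -> list:
    """Flag (client, host) pairs whose inter-connection gaps are nearly
    constant: coefficient of variation of the gaps below max_interval_cv."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r)
    hits = []
    for (client, host), rs in by_pair.items():
        if len(rs) < min_connections:
            continue  # too few samples to call anything periodic
        rs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        gap_cv = statistics.pstdev(gaps) / mean_gap
        sizes = [r["bytes"] for r in rs]
        mean_size = statistics.mean(sizes)
        size_cv = statistics.pstdev(sizes) / mean_size if mean_size else 0.0
        if gap_cv <= max_interval_cv:
            hits.append({"client": client, "host": host, "connections": len(rs),
                         "mean_interval_s": round(mean_gap, 1),
                         "interval_cv": round(gap_cv, 3),
                         "size_cv": round(size_cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(hit)
```

The check deliberately uses only timestamps, destinations and byte counts, because, as the post notes, an HTTPS shell leaves nothing else for a filter to read. Real shells add jitter and legitimate software (update checks, mail polling) is periodic too, so in practice the interval threshold is tuned per environment and the hit list is triaged against the destination's reputation rather than blocked outright.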
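The post mentions egress filters that look for credit card numbers in outgoing packets and explains why an encrypted channel defeats them. As an added example (not from the original post or from any egress product), here is the core of such a content check: candidate digit runs are extracted, validated with the Luhn algorithm, and the decision is recorded; a TLS record is recognised by its first byte and passed through as uninspectable, which is exactly the gap the post describes. The sample payloads and the simple TLS heuristic are constructed for the example.

```python
import re

# Digit runs of 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

TLS_HANDSHAKE = 0x16  # first byte of a TLS record carrying a handshake message


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings in text that look like valid card numbers."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect_egress(payload: bytes) -> dict:
    """Decide whether an outbound payload may leave the network.

    Encrypted traffic cannot be inspected, so the filter can only log that
    fact; the decision on such flows must come from elsewhere (destination
    reputation, beaconing behaviour, TLS interception)."""
    if payload[:1] == bytes([TLS_HANDSHAKE]):
        return {"decision": "allow", "reason": "tls: content not inspectable",
                "cards": []}
    text = payload.decode("latin-1")  # never fails; binary maps to Latin-1
    cards = find_card_numbers(text)
    if cards:
        return {"decision": "block", "reason": "card number in cleartext",
                "cards": cards}
    return {"decision": "allow", "reason": "no match", "cards": []}


if __name__ == "__main__":
    # Constructed payloads: a cleartext dump, a TLS ClientHello prefix, a plain page request
    samples = [
        b"POST /dump HTTP/1.1\r\n\r\ncard=4111 1111 1111 1111&exp=12/20",
        b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03",
        b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    ]
    for s in samples:
        print(inspect_egress(s))
```

Luhn alone accepts about one in ten random digit runs, so a production filter adds issuer prefix and length tables and rate-based thresholds to keep false positives down; the point here is only to make concrete what "the content of outgoing packets is acceptable" means and where encryption removes that visibility.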
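The ICMP tunnel section relies on echo requests being allowed out while carrying TCP data in their payload. A stock ping client sends a fixed, well-known payload, so the defender's simplest check is whether an echo message looks like one. The following is an added example (not part of the original post and not code from Ping Tunnel or any other tool) that parses raw ICMP messages, verifies the checksum, compares the payload with the default Windows and Linux ping payloads, and scores size and entropy; a small builder is included only to construct sample messages. The reference payloads, thresholds and sample traffic are assumptions made for the example.

```python
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Reference payloads of ordinary ping tools (constructed from their defaults):
# Windows ping sends a fixed 32-byte alphabet string; Linux ping sends an
# 8-byte timestamp followed by the byte pattern 0x10..0x3f (56 bytes total).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_PATTERN = bytes(range(0x10, 0x40))


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST,
               ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build an ICMP echo message (header + payload) to feed the detector."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed tunnel data scores high."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_standard_ping(payload: bytes) -> bool:
    """True if the payload is what a stock ping client would send."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # Linux: everything after the 8-byte timestamp must follow the 0x10.. pattern
    return len(payload) >= 8 and payload[8:] == LINUX_PING_PATTERN[:len(payload) - 8]


def analyze_icmp(packet: bytes) -> dict:
    """Parse one ICMP message and list the indicators a tunnel detector raises."""
    if len(packet) < 8:
        return {"error": "truncated", "findings": ["truncated"]}
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    findings = []
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        findings.append("not-echo")
    # Recompute the checksum with the checksum field zeroed
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        findings.append("bad-checksum")
    if len(payload) > 64:
        findings.append("oversized-payload:%d" % len(payload))
    if not looks_like_standard_ping(payload):
        findings.append("non-standard-payload")
    entropy = shannon_entropy(payload)
    if entropy > 6.0:
        findings.append("high-entropy:%.2f" % entropy)
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload_len": len(payload), "entropy": round(entropy, 2),
            "findings": findings}


def is_suspicious(packet: bytes) -> bool:
    return bool(analyze_icmp(packet)["findings"])


def tunnel_score(packets) -> dict:
    """Aggregate per-host results: a tunnel shows up as a high ratio of
    flagged echo messages that together carry a lot of payload bytes."""
    results = [analyze_icmp(p) for p in packets]
    flagged = sum(1 for r in results if r["findings"])
    return {"packets": len(results), "flagged": flagged,
            "ratio": flagged / len(results) if results else 0.0,
            "payload_bytes": sum(r.get("payload_len", 0) for r in results)}


if __name__ == "__main__":
    # Constructed samples: two stock pings, then two tunnel-like messages
    samples = [
        build_echo(b"\x00" * 8 + LINUX_PING_PATTERN),
        build_echo(WINDOWS_PING_PAYLOAD),
        build_echo(b"\x00" * 20 + b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        build_echo(bytes(range(0, 256, 2))),
    ]
    for s in samples:
        print(analyze_icmp(s)["findings"])
    print(tunnel_score(samples))
```

A single packet is weak evidence (custom ping payloads exist), which is why tunnel_score aggregates per host: a tunnel also shows as a sustained stream of echo requests whose payload volume is far beyond what connectivity checks need, and the post's own observation that enterprise firewalls block inbound ICMP means the replies carrying data back are the easier side to cut off.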
     
  2. kaddy

    kaddy Level 2

    Jan 23, 2016
    57
    121
    Programmer
    Tokyo
    Very good.
     
  3. KenYang

    KenYang New Member

    Mar 10, 2016
    2
    8
    zh
  4. Akshay Gupta

    Akshay Gupta New Member

    Aug 25, 2016
    7
    13
    India
    Hey, after deleting the sysnetwrk.exe file from the dsq folder I am not able to connect to the server and not able to use the browser any more; it shows no internet connection. Please help me, what do I do?
     
    AtlBo, DardiM and Der.Reisende like this.
  5. davidp

    davidp Level 1

    Aug 16, 2016
    26
    71
    Bay Area
    Thanks for sharing this information.
     
  6. Raheel99

    Raheel99 Level 1

    Sep 15, 2016
    31
    329
    Accountant
    Karachi
    Windows 7
    Avast
    Well written. Thanks for sharing.
     
    kodesilo, AtlBo, DardiM and 1 other person like this.
  7. cheburash

    cheburash Level 1

    Apr 14, 2017
    5
    19
    USA
    macOS Sierra
    Good reading, thanks
     
  8. kodesilo

    kodesilo Level 1

    Dec 12, 2016
    10
    31
    san jose
    Good reading, thanks
     
  9. kodesilo

    kodesilo Level 1

    Dec 12, 2016
    10
    31
    san jose
    Very good.
     
  10. Malware Person

    Malware Person Level 4

    Jun 8, 2016
    156
    244
    United States
    Windows 10
    BitDefender
    nice info! very useful :)
     
  11. David R

    David R Level 1

    May 31, 2017
    19
    42
    Atlanta, GA
    macOS Sierra
    Nice write up!
     