As a modern IT professional you've done all the right things to keep the "bad guys" out: you protected your network with firewalls and/or proxies, deployed anti-virus software across all platforms, and secured your mobile workstations with personal firewalls. You may even be in the process of designing and deploying an enterprise-wide network and host intrusion detection framework to help keep an even closer eye on what's going on. Even with all this, are you really safe? Can your multiple lines of defense truly protect your network from modern methods of intrusion?
This article presents an overview of modern backdoor techniques, discusses how they can be used to bypass the security infrastructure that exists in most network deployments and issues a wake-up call for those relying on current technologies to safeguard their systems/networks.
The Fundamentals of Firewalls
Before a discussion of modern backdoor techniques can take place, it is necessary to first look at what obstacles an attacker must get through. Firewalls are an integral part of a comprehensive security framework for your network. If they are relied on too heavily they can also be the weakest link in your defense strategy.
There are different flavors/combinations of "standard" firewalls to choose from depending on your environment:
Packet filters
- Operates at Layer 3
- Also known as Port-based firewalls
- Each packet is compared against a list of rules (source/destination address, source/destination port, protocol)
- Inexpensive and fast, but least secure
- 20-year-old technology
- Breaks more complex applications (e.g. FTP)
- Example: router access control lists (ACL)
Circuit-level gateways
- Operates at Layer 4
- Relay TCP connections based on port
- Inexpensive but more secure than packet filters
- Generally requires work on the user or application configuration end to support
- Example: SOCKS-based firewalls
Application-level gateways
- Operates at Layer 5
- Application-specific
- Moderately expensive and slower, but more secure and enables user activity logging
- Generally requires work on the user, network or application-configuration end to support
- Example: Web (http) proxy
Stateful, multi-layer inspection firewalls
- Layer 3 filtering
- Layer 4 validation
- Layer 5 inspection
- High level of cost, security and complexity
- Example: CheckPoint Firewall-1
Some newer firewall technologies build upon these foundations and provide additional ways of securing both systems and networks:
"Personal"/host firewalls
This class of firewall has the ability to further enhance security by enabling granular control over what types of system functions and processes have access to networking resources. These firewalls can use various types of signatures and host conditions to allow or deny traffic. Some of the more common functions across personal firewall implementations include:
- Protocol-driver blocking - disallow "non-standard" protocol drivers to be loaded and used by programs
- Application-level blocking - only allow certain applications or libraries to perform network actions or accept incoming connections
- Signature-based blocking - constantly monitor the network traffic and block all known attacks from making it to the host
The added control increases the difficulty of managing security due to the potentially large numbers of systems that may be individually firewalled. It also increases the risk of damage and exposure due to misconfiguration.
Dynamic Network Firewalling
Similar to the signature-based blocking features of personal firewalls, dynamic network firewalling marries the concepts of IDS, standard firewalls (see above) and emerging intrusion prevention techniques to provide "on-the-fly" blocking of specific network connections that fit a defined profile while allowing connections from other sources to the same port(s). This allows a firewall to proactively deny access to, say, clients that are issuing SQL worm attacks against your network while still allowing standard SQL traffic to flow.
The Basics of Backdoors
What is a backdoor?
A backdoor is a "mechanism surreptitiously introduced into a computer system to facilitate unauthorized access to the system," and can be classified into (at least) three categories:
Active
Active backdoors originate outbound connections to one or more hosts. These connections can either provide full, fluid network access between the hosts (i.e. reverse tunnel-based) or be part of a process that actively monitors the compromised system, records information, sends data out in distinct "chunks" and receives both acknowledgements and/or commands from the remote systems.
Passive
Passive backdoors listen on one or more ports for incoming connections from one or more hosts. Similar to the active backdoors, these programs can either be used to establish a forward tunnel into the compromised network or accept distinct commands and return the requested information.
Attack-based
This category of backdoor could also be classified as the "unknown backdoor." It generally arises from a buffer-overflow exploit of poorly-written programs resulting in some type (e.g. root/Administrator-level, user-level, fully-interactive, one-instruction) of command-level access to the compromised system.
There is one common element among the three types of backdoors - they all work by circumventing the elaborate multi-layer security infrastructure you have worked diligently to design and deploy. Most real (i.e. non-script-kiddie) hackers can determine almost immediately if it's worth attempting to meet your perimeter routers and firewalls with a head-on attack. Textbook methods can be relatively easily employed to help discover the types and configurations of the equipment protecting the borders of your network. Some of these discovery tools can even help detect the presence of proactive network intrusion detection systems (IDS). While there are still daily exceptions, most perimeter networks are configured well enough to make backdoors the emerging method-of-choice for deep-network penetration for a number of reasons:
They avoid immediate detection by well-configured firewalls, network & host IDS.
A perimeter attack will (or should) make your operations consoles light up like a Christmas tree. There is no such thing as a casual or accidental scan of open firewall ports. If you don't have a penetration test scheduled, chances are that you're being probed.
Some proactive environments will immediately lock out the originating system's IP address when these scans are detected. Even if this is not the case, risking detection removes the primary reason for getting into your environment: the ability to operate freely and without notice.
They don't rely on potentially hard-to-duplicate, specialized attack methods.
What is more difficult: constructing the precise SYN-Frag attack necessary to cause a buffer-overflow in a CheckPoint firewall (that is two revisions behind the latest patch-level) to render it as helpless as a router without ACLs, or getting an unwitting user to open up an e-mail attachment?
To make it past the outer defenses, it might require the use of 4-6 of these specialized attack methods with no guarantees that one of them won't cause a crash and reboot, rendering the entire attempt useless.
They take advantage of the myriad of exploits available in the soft underbelly of an organization's internal network.
How many Microsoft Windows-based workstations and servers are in your organization? How many *nix systems do you have? How many users do you have with each of these types of systems? How many routers, firewalls and IDS systems do you have?
Chances are significantly higher that in most organizations a hacker will have a much easier time finding an un-patched Windows or *nix system to exploit than they will an un-patched and/or misconfigured piece of perimeter networking/security equipment.
An Inside Job
While this article has presented the concept of backdoors in the context of external penetration attempts, they are not limited to that narrow area of practice. Backdoors can be used by employees, contractors or planted workers to provide less restrictive and undetectable "remote access" points all across your network.
Regardless of the type of backdoor, there are two primary ways of injecting them into your network. The first method involves getting a user to inadvertently load and run the program on their system(s). Extremely common examples of this include e-mail attachments that exploit un-patched vulnerabilities in client systems, web sites/downloads that have an unexpected/hidden payload, and programs that fall into the classification of "spyware". Unfortunately, these methods are all too common and can result in serious loss of confidentiality and privacy. In the case of "spyware", programs are installed, registry keys are inserted and browser cookies are set that enable the tracking of every network-based move a user makes. This tracking is not limited to Internet sites, which makes it very easy for these systems to map out all the important places on a company's intranet. While the majority of the "spyware" programs are used to present and track your viewing of web ads, others can be crafted to be sentinels that alert remote sites of your online/offline status, complete with current network connection information.
Even without loading malicious "spyware" backdoors, a user can still be susceptible to a more corporate form of backdoor. The Real Networks player performs constant communication with its home network and is nearly impossible to deactivate without reinstalling. Microsoft XP users have the ability to be tracked by either enabling automatic updates or just having their time kept in sync by Microsoft's own time server.
The second method involves actually being on your network in the first place. A trivial example would be installing a custom program which has a programmer-created backdoor embedded in it. These types of backdoors can be malicious, but they are usually coded as a means of circumventing standard software development processes in order to save time.
A more typical, network-level, generic example would be one which is used to bypass remote access restrictions. This may be the oldest form (relative to the early stages of the Internet) of backdoor, initially used to bypass inbound telnet/rlogin restrictions. The setup is rather straightforward: a user installs a program that doesn't require elevated privileges to execute, then the program is run and it waits for connections on a port that isn't blocked by upstream access control devices. This remote access could be to a multi-user system or to an individual's workstation. Initially only Unix-oriented, these types of programs can be difficult to detect.
These types of backdoors are easier to understand in the context of concrete examples:
| Program: | BindShell |
|---|---|
| Available at: | http://hysteria.sk/sd/f/junk/bindshell/bindshell.c |
| Type: | PASSIVE |
This program is easily modified to run on any defined port - for this example, TCP 1234 - and doesn't support a password, thus allowing anyone access. To access this service, the remote user simply starts a telnet session to the desired host and specifies a port number:
telnet some.insecure.host.org 1234
Variations of this program can also be found at http://packetstormsecurity.nl/ which support UDP connections and encrypted sessions.
There are several techniques that can be used to attempt to detect this, none of which will provide simple or direct isolation. In all cases knowledge of the normal run state of the OS is necessary.
- 'netstat -a' is a program that comes as part of the UNIX operating system and is used to display network port connection status. One would look for port usage that isn't part of the normal run state.
- 'nmap' or 'strobe' external port scanners could be used to identify active or listening ports. Again, knowledge of a normal run state would be extremely helpful.
- 'lsof -i', a public domain program, can be used to list all open files and their resource usage. One would search the output for users running unusual programs that require the use of networking ports.
| Program: | Sneakin |
|---|---|
| Available at: | http://packetstormsecurity.org/Exploit_Code_Archive/sneakin.tgz |
| Type: | ACTIVE |
This program requires elevated privileges and basically waits for two specially-crafted ICMP packets to arrive before starting something very similar to a reverse telnet session which establishes a connection to a remote machine. Sneakin requires LINUX and netcat.
The "listening" state is just as difficult to detect as in the above example. A conventional external port scan will not work since the program intercepts and processes ICMP packets while still allowing access to them by the native operating system kernel. LSOF, however, will show a process accessing the network adapter in promiscuous mode. In general, LSOF might be the best tool available to detect NICs in this state. Netstat will also provide a clue to this particular backdoor, as it will show two ICMP ports using the raw protocol. Once "sneakin" enters its ACTIVE state, additional processes using network ports will show up in LSOF and Netstat output.
| Program: | GlFtpD |
|---|---|
| Available at: | http://www.security-express.com/archives/bugtaq/1999-q4/0443.html |
| Type: | ATTACK |
GlFtpD is one of the standard examples of an attack-based backdoor. The premise behind it is simple: an attacker would take advantage of a few misconfigured features of an ftp server, allowing them to deposit and execute backdoor code, in this case BindShell. A weak inbound policy combined with un-proxied, weak outbound policies do the rest.
Sneakin and bindshell are classic tools used against weak inbound firewall policies. Many sites deploy extremely strong inbound policies, making it difficult to gain direct access to the listening ports. Without direct access, a large number of backdoors cannot be exploited. However, the strongest inbound policy can be easily defeated by active backdoors using "tunneling" methodologies. A tunnel, in the context of backdoors, is best explained as a program that sits on the inside of a protected network and establishes an outbound connection to an external host which results in the flow of bi-directional traffic between these systems and/or networks. This is a serious threat to even the most modern security architectures. A popular example of such communications would be to create an encrypted network connection between two hosts using VPN software.
Properly configured, a VPN tunnel will allow total and unrestricted access to the networks that the hosts are gateways for. When provided as a legitimate remote access tool for employees and business partners, VPNs can increase productivity, save time and reduce costs. When they are used to exploit gaps in the security architecture, they can have just the opposite effect.
VPN technology is still fairly new and requires more than casual knowledge to set up and maintain when used legitimately. The learning curve is even steeper when they are being used as a backdoor tool. You don't need a VPN for a tunnel. Taking a step back, it is possible to connect just two hosts using more traditional and widely known software - secure shell. Secure shell - or SSH as it is more commonly referenced - can be used to establish a tunnel between two hosts by allowing the redirection of a port on the client (outside the firewall) to a port on the host (behind the firewall). For example, one could redirect client port 2200 to host port 23. Assuming the user is currently accessing the client (outside the firewall), they would telnet to localhost port 2200 and get port 23 on the remote host (behind the firewall). A weak outbound policy allows the connection to be generated from the host behind the firewall. This is a neat and popular trick.
In the same scenario it is also fairly straightforward to provide access to an organization's internal web sites. The user would simply install a copy of a proxying agent - e.g. the "squid" web proxy or the Apache "httpd" daemon with proxy support compiled in - on some internal system. The standard software configuration could be used for either agent. The user would then use SSH port redirection to connect client port 3128 to host port 3128. The client, again outside the firewall, now has proxied access to the organization's internal web servers through proxy port 3128.
This example can be extended further to enable more than one external host to have access to the internal web sites. The addition of a simple port redirector can make the tunneled, proxied connection available (on port 3128) to all users of the remote network.
Conventional techniques will not work in identifying the existence of this type of tunnel. Depending on the platform used, one could monitor network usage and look for consistent or seemingly permanent processes with established network connections to the outside. At a host level, identifying backdoors in this manner would necessitate the building and maintenance of a baseline network usage state (possibly using the tools mentioned earlier). It is also possible to query the boundary firewalls and monitor the connection state tables, focusing on these established connections. Either process is a daunting task in busy/large environments.
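The two host-level checks described in this article - comparing listening ports against the normal run state (the netstat/lsof checks in the BindShell section) and watching for established outbound connections that never go away (the tunnel case above) - can be automated over periodic netstat snapshots. The following Python script is an added example, not code from the original article; the baseline listener set, the "internal" address ranges and the netstat snapshots it contains are constructed sample data, not captures from a real host.

```python
"""Baseline diff over netstat-style snapshots (added example, not from the article).
Flags listeners outside the normal run state (e.g. a bind shell on TCP 1234) and
ESTABLISHED connections to external hosts that never go away (candidate tunnels).
The baseline, address ranges and snapshots below are constructed sample data."""
import ipaddress

# Assumed "normal run state" of this host: SSH, SMTP and the internal web proxy.
BASELINE_LISTENERS = {("tcp", 22), ("tcp", 25), ("tcp", 3128)}
# Addresses treated as "inside": RFC 1918, loopback and link-local ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_netstat(text):
    """Turn 'netstat -an' lines into (proto, lip, lport, rip, rport, state) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue  # header lines and tcp6/udp6 sockets are ignored here
        lip, lport = parts[3].rsplit(":", 1)
        rip, rport = parts[4].rsplit(":", 1)
        state = parts[5] if len(parts) > 5 else ""
        rport = int(rport) if rport.isdigit() else rport  # '*' for unconnected sockets
        rows.append((parts[0], lip, int(lport), rip, rport, state))
    return rows

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def unexpected_listeners(rows, baseline=BASELINE_LISTENERS):
    """(proto, port) pairs in LISTEN state that the baseline does not account for."""
    return {(p, lport) for p, _, lport, _, _, st in rows
            if st == "LISTEN" and (p, lport) not in baseline}

def persistent_external(snapshots, min_age_minutes):
    """Connections ESTABLISHED to an external address in every snapshot and at least
    min_age_minutes old. snapshots: [(minutes_since_first_sample, netstat_text)]."""
    first_seen, alive = {}, None
    for minutes, text in snapshots:
        current = {(p, lip, lp, rip, rp) for p, lip, lp, rip, rp, st in parse_netstat(text)
                   if st == "ESTABLISHED" and is_external(rip)}
        for conn in current:
            first_seen.setdefault(conn, minutes)
        alive = current if alive is None else alive & current
    last = snapshots[-1][0] if snapshots else 0
    return {c for c in (alive or set()) if last - first_seen[c] >= min_age_minutes}

# Constructed snapshots: one outbound SSH session stays up for 12 hours (the tunnel),
# a web fetch to 203.0.113.80 is transient, and internal proxy clients come and go.
HEADER = "Proto Recv-Q Send-Q Local Address Foreign Address State\n"
LISTEN = ("tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN\ntcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN\n"
          "tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN\ntcp 0 0 0.0.0.0:1234 0.0.0.0:* LISTEN\n")
TUNNEL = "tcp 0 0 10.1.2.3:44010 203.0.113.5:22 ESTABLISHED\n"
SNAPSHOTS = [
    (0, HEADER + LISTEN + TUNNEL + "tcp 0 0 10.1.2.3:3128 10.1.5.9:51022 ESTABLISHED\n"),
    (30, HEADER + LISTEN + TUNNEL + "tcp 0 0 10.1.2.3:40500 203.0.113.80:443 ESTABLISHED\n"),
    (720, HEADER + LISTEN + TUNNEL + "tcp 0 0 10.1.2.3:3128 10.1.5.12:50311 ESTABLISHED\n"),
]
```

On the sample data, `unexpected_listeners` reports TCP 1234 and `persistent_external(SNAPSHOTS, 60)` reports only the 12-hour SSH session, while the transient 203.0.113.80 connection and the internal proxy clients are ignored.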
A Ready Defense
There is little one can do to completely defend their network from the use of backdoors. The current set of tools - whether it be host or network IDS - are difficult to configure, deploy and use effectively, especially in large organizations. Without the development of special-purpose tools, expressly designed to monitor systems and networks for the presence of backdoors, the only way to defend against these techniques is through a change in thinking. Security managers who think they can simply hide their networks behind a firewall, sit back and declare that "nobody can get in, I closed all the doors" need to take a hard look at their line of thinking. A good defense against backdoors needs to start with a change in network access philosophy. A solid beginning would be to develop strong Internet access policies and implement technologies that limit outbound access via well-configured firewall/outbound-access architectures.
At a network level, stopping backdoors means making it very difficult for them to establish connections outside of your infrastructure. One approach would be to use circuit-level gateways (i.e. SOCKS/port redirection) as a means of restricting backdoors from using high (or any) TCP ports. With simple port redirection, network requests destined for an external endpoint are terminated internally at a device which makes the connection on its behalf to a pre-defined endpoint. While this limits the number of external resources applications can access, it can also create additional administrative and processing overhead and may not work for all applications. With modern SOCKS gateways, the administration can be done on a global policy level with little impact on performance and almost no impact on applications.
An alternative approach would be through the use of (again) highly restrictive outbound access policies - where very few direct outbound connections are allowed - and Web/application-specific proxies that force authentication before access is enabled. The goal is similar to port-redirection: stop unchecked access to external hosts. While most traditional security schools would like nothing more than to close all the doors and windows, modern businesses need access to external resources to function. Unfortunately, almost any outbound access mechanism can potentially be used to provide a conduit for backdoors. Proxy-based architectures enable granular control over what is allowed outside of your network since applications need to "speak the right language" to be permitted access. Tunnels can be established through proxies (especially via SSL connections) but they are much harder to configure, deploy correctly and rely on. With authentication thrown into the mix, a way now exists to identify all connections down to the source (user). All the pieces are then in place to deter (where possible), detect and discover backdoors.
Even with these techniques - which will require time and resources to implement - developing a network access architecture which makes it easy for users to get work done and difficult for backdoors to do their job is not a trivial endeavor. Fundamentally, your aim should be to design an infrastructure that makes it as efficient as possible to tie network connections to users while narrowing down the options for the backdoors.