Setiri: Advances in Trojan Technology
Roelof Temmingh
Haroon Meer
BlackHat USA 2002

Schedule
  • Introduction
  • Why Trojans?
  • Brief History of Trojans & Covert Channels
  • The Hybrid model
  • Setiri: Advances in Trojan Technology
  • Demonstration
  • Taking it further
  • Possible fixes

Introduction
  • SensePost
  • The speakers
  • Objective of presentation

Why Trojans?
  • Profile of Trojan users
  • Real criminals don't write buffer overflows
  • The weirdness of the industry
  • Examples

Brief History of Trojans & Covert Tunnels
  • Trojans
  • From Quick Thinking Greeks to Quick Thinking Geeks
  • Tunnels
  • Covert Channels

Trojans
  • Valid IP No Filters
  • Valid IP Stateless Filters
  • Private Addresses Stateful Filters
  • Private + Stateful + IDS + Personal Firewalls + Content Checking + .

Trojans (Valid IP No Filters)
  • "get real"

Trojans (Valid IP Stateless Filter)
  • Dial Home Trojans
  • Random Ports / Open Ports / High Ports cDc
  • ACK Tunneling Arne Vidstrom

Trojans (Stateful Filters)
  • Back Orifice - Gbot
  • Rattler

Brief History of Trojans & Covert Tunnels
  • Trojans
  • From Quick Thinking Greeks to Quick Thinking Geeks
  • Tunnels
  • Covert Channels

Tunnels & Covert Channels
  • 1985 TSC Definition Covert Channels
  • 1996 Phrack Magazine LOKI
  • 1998 RWWWShell THC
  • 1999 - HTTPTUNNEL GNU
  • 2000 - FireThru - Firethru

Conventional Trojans & how they fail
  • Stateful firewall & IDS
  • Direct model
  • Direct model with network tricks
  • ICMP tunneling
  • ACK tunneling
  • Properly configured stateful firewall
  • IRC agents +
  • Authentication proxy tunnel +
  • Personal firewall & Advanced Proxy tunnel with Authentication +

Hybrid model: "GatSlag"
  • Combination between covert Tunnel and Trojan
  • Defenses mechanisms today:
  • Packet filters (stateful) / NAT
  • Authentication Proxies
  • Intrusion detection systems
  • Personal firewalls
  • Content/protocol checking
  • Biometrics/Token Pads/One time passwords
  • Encryption

A typical network

How GatSlag worked
  • Reverse connection covert tunnel
  • Microsoft Internet Explorer as transport
  • Controls IE via OLE
  • Encapsulate in IE, not
  • Receive commands in title of web page
  • Receive encoded data as plain text in body of web page
  • Send data with POST request
  • Send alive signals with GET request

Why GatSlag worked
  • Integration of client with MS Proxy
  • NTLM authentication
  • SSL capable
  • Registry changes
  • Personal firewalls
  • Just another browser
  • Platform independent
  • IE on every desktop
  • Specify Controller
  • Via public web page the MASTER site

How GatSlag worked II
  • Creates invisible browser
  • Find controller at MASTER
  • Send request to Controller
  • If no Controller & retry7, go to MASTER
  • Receive reply
  • Parse reply:
  • + Upload file()
  • + Download file
  • + Execute command
  • Loop

Why defenses fail
  • Firewalls (stateful/NAT)
  • Configured to allow user or proxy out
  • Content level & IDS
  • Looks like valid requests & replies
  • Files downloaded as text in web pages
  • No data or ports to lock on to
  • SSL provides encryption
  • Personal firewalls
  • IE valid application
  • Configured to allow browsing
  • Authentication proxies
  • User surf the web

Problems with Gatslag
  • The Controller's IP can be obtained!
  • Handling of multiple instances
  • GUI support
  • Controller needed to be online
  • Batch commands
  • Command history
  • Multiple controllers
  • Upload facility not efficient
  • Platform support
  • Stability
  • Session level tunneling

Setiri: Advances in Trojan Technology
  • Design notes:
  • Web site contains instructions
  • CGIs to create new instruction
  • Controllers interface:
  • EXEC (DOS commands)
  • TX (File upload)
  • RX (File download)
  • Directory structure each instance
  • Trojan "surfs" to web site just as a normal user would

Setiri: Advances in Trojan Technology II
  • Anonymity
  • Problems with normal proxies
  • Already using a proxy
  • Proxy logs
  • "Cleaners" provide anonymity
  • "In browser proxy" Anonymizer
  • Trojan - Cleaner: SSL
  • Cleaner - Controller: SSL
  • Challenges:
  • Browser history
  • Temporary files

Demonstration

Taking it further
  • Session level tunneling
  • Flow control challenges
  • How this is different from tunneling
  • A browser is not a socket
  • No select on browser
  • Train model
  • The Controller side
  • Cannot "send"
  • Buffering of data at Controller
  • The Trojan side
  • Multi-part POSTs
  • Mul
