2010 CodeEngn Conference 04
각종 논문 데이터나 기타 연구자료들을 살펴보면 키보드보안의 한계점에 대해 지목하고 그것에 대한 보완 대책을 논의하고 있는 내용이 많다. 물론 그러한 학문적인 접근도 중요하지만, 실제 키로깅을 하고 있는 해커의 입장에서는 어떤 식으로 키입력과 계정을 가져가는지 해커의 접근 방법을 살펴보는 것도 필요하다. 일반적으로 해커들은 커널 레벨이나 하드웨어 지식 베이스에 입각한 난해한 기법보다는, 보다 간편하며 실용적인 방법을 통해 계정을 가져간다. 그리고 그 같은 행위는 현재 키보드보안의 커버 범위를 뛰어넘는 새로운 기법을 보여주는 경우가 대다수이다. 이런 상황을 배경으로 실제 기업에서 발생하고 있는 사례나, 유저의 감염케이스를 리버스 엔지니어링으로 살펴보는 시간을 마련했다. 바이너리 해킹의 예술을 맛볼 수 있는 Art of Keylogging 발표에서 키 입력 탈취에 대한 새로운 트렌드를 소개한다.
http://codeengn.com/conference/04
08448380779 Call Girls In Civil Lines Women Seeking Men
[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들
1. CodeEngn 2010
Art of KeyloggingArt of Keylogging
Keyloggers who are nothing to do with the
keyboard security solutionkeyboard security solution
강병탁 (window31)병탁 ( )
2010.07.03
1
www.CodeEngn.com
2010 4th CodeEngn ReverseEngineering Conference
2. Who am I?Who am I?
• ByungTak Kang (window31)
• NEXON / Security Team – Hacking Analysis,
Security Programmingy g g
• A contributor to “Microsoftware” a monthly IT
Magazine for over 2 yearsg y
• A lecturer on hacking/reversing/security at
various institutions (KISA, security community,( y y
universities, etc)
• 2009 Microsoft MVP Developer Securityp y
2
3. AgendaAgenda
• Prologue
• K l i Wi d A t• Keylogging Windows Account
• Login without passwordLogin without password
• Keylogging on the website
• Social Engineering Keylogging
• Bypass Keyboard security solution
• Offensive and defensiveOffensive and defensive
3
6. Endless account problemsEndless account problems
• Wh d till f bl ft• Why do we still face many problems even after
Keyboard security solution is installed ?
• What is the trend of malicious code today ?
• What we must do ?What we must do ?
6
7. Endless account problemsEndless account problems
/Trojan-PWS/W32.WebGame.101888.K
Trojan-PWS/W32.WebGame.102768.B
Trojan-PWS/W32.WebGame.102805
Trojan-PWS/W32.WebGame.103150j /
Trojan-PWS/W32.WebGame.103182
Trojan-PWS/W32.WebGame.103463
Trojan-PWS/W32.WebGame.103556
Trojan-PWS/W32 WebGame 103810Trojan PWS/W32.WebGame.103810
Trojan-PWS/W32.WebGame.10524
Trojan-PWS/W32.WebGame.10724
Trojan-PWS/W32.WebGame.10764
T j PWS/W32 W bG 110145Trojan-PWS/W32.WebGame.110145
Trojan-PWS/W32.WebGame.111085
Trojan-PWS/W32.WebGame.11218
Trojan-PWS/W32.WebGame.116274
Trojan-PWS/W32.WebGame.116606
Trojan-PWS/W32.WebGame.116822
………………………………
Hundreds of viruses signature are added each day
7
Hundreds of viruses signature are added each day
11. msgina structuremsgina structure
The library file msgina.dll, is required by windows. It is
used by WinLogon within windows, when performing
user authentication.
11
19. StickKey run structureStickKey run structure
Winlogon
thread
Winlogon
thread
CreateProcess
RunRunRun
sethc.exe
Run
sethc.exe
View
StickKey
Di l B
19
DialogBox
20. StickKey Local BackdoorStickKey Local Backdoor
• You are able to connect without ID/PW !!!
• Y th l d t t• You can see the explorer or command prompt at
the login prompt without authentication.
20
21. Behavior structureBehavior structure
• Disable WFP (Windows
File Protection)Disable WFP
• Replace the files.
• N If I k fi• Now, If I press key five
times, I can login at any
time
Change File
time.
press the Shift
key
Login success
21
23. Next actionNext action
• Create a new user account,
“c:net user iamhacker /add”c:net user iamhacker /add
•• Add this user to the administrators group
“c:net localgroup administrators iamhacker”c:net localgroup administrators iamhacker
• Remove StickKey Local Backdoor and Enable WFP
(T id d bt h ki )
23
(To avoid as doubt as hacking)
24. Which platform is this vulnerability?Which platform is this vulnerability?
• Windows 2000
• Wi d XP• Windows XP
• Windows 2003Windows 2003
• Windows Vista
Most of windows OS does not check the
integrity of the file that launches StickyKeysintegrity of the file that launches StickyKeys
“sethc.exe” before executing it.
24
25. From now onFrom now on
Don’t forget to hit the shift key five times and
see what pops up on your desktopsee what pops up on your desktop
….everyday :p
25
29. Web-based loginWeb-based login
• Very vulnerabley
• Method of attack is varied
• Keyboard security solution exists (Almost always)
29
30. Attack positionAttack position
NetworkNetworkKey pressKey press
Keyboard
hardware
Keyboard
hardware
ApplicationApplication
KeyboardKeyboard MessageMessage
controllercontroller QueueQueue
Pot IOPot IO Filter driverFilter driver
ISR in IDTISR in IDT
Keyboard
class driver
Keyboard
class driver
30
class driverclass driver
31. Keyboard security solutionKeyboard security solution
protect
NetworkNetwork
protect
areas
Keyboard
hardware
Keyboard
hardware
ApplicationApplication
DMZ
KeyboardKeyboard MessageMessage
controllercontroller QueueQueue
Pot IOPot IO Filter driverFilter driver
ISR in IDTISR in IDT
Keyboard
class driver
Keyboard
class driver
31
class driverclass driver
32. Protocol handlerProtocol handler
Wininet.dll is the protocol handler for HTTP,
HTTPS and FTP It handles all networkHTTPS and FTP. It handles all network
communication over these protocols.
32
33. Query hookQuery hook
url=http%3A%2F%2Fwindow31.com&fail_ur
l &l i i & i id 31& d l N&l=&loginsite=&site_id=31&adult_yn=N&enc
oding_type=utf-8&ukey=1BBg yp y
7E5F2937203480D408B5196E9AC3B9DDF487
E636EA15426FAEABDAFB00A6908FE636EA15426FAEABDAFB00A6908F
2069ECB5FA6C7B618E4C68C5F37C2900DB07
DE9A0CACEC7300A6DBD342A83&game id=DE9A0CACEC7300A6DBD342A83&game_id=
13&id=window31&pwd=fucking
33
40. ProblemsProblems
• This technique is based on the human behaviorThis technique is based on the human behavior.
• You do not have a login, you can be attacked (for
example, paperwork etc).
40
46. ConclusionConclusion
• Keyboard security solution can not prevent
everythingy g
• Each location requires different security.
(ex. kernel : ring0, app : integrity check)
• h ld b d• Parameters should be encrypted.
• Let's try reversing a lot of malicious code We canLet s try reversing a lot of malicious code. We can
get a hint and we learn a lot of their technology.
• The AntiVirus should be upgraded more behavior-
based features
46