Remote Controlled Agent

Avital Yachin

Ran Didi

SoftLab – June 2006



Background

  • To what risks are we exposed?

    • System integration

    • Data theft

    • Distributed Denial of Service

  • Current protection methods

    • Signature based

    • Heuristic

    • Firewalls

    • Others (sandboxes, ad-hoc tools)



Project Goal

  • Explore current protection methods.

  • Test the effectiveness of a standard protection scheme against:

    • Remote code execution

    • Remote configuration of an agent

    • Remote uninstall of an agent



Challenges

  • Automated Detection

  • Human detection

  • Firewalls

  • Restricted Users (non-Admin)

  • Scalability

  • Persistency



System Description



Normal Operation

Diagram: message exchange between the Agent and the Server (artifacts: CMDFILE, Executable).

  • Agent: Request Commands File

  • Server: Send Commands File (CMDFILE)

  • Agent: Parse Commands File

  • Agent: Request Executable

  • Server: Send Executable

  • Agent: Run Executable



Install Phase

Diagram: components are the Loader, the Injection Library and the Runtime Image; candidate host processes are spooler.exe (system process) and explorer.exe (user process).

  • Extract files to disk

  • Inject runtime image to a System process, or to a User process if non-Admin

  • Delete unnecessary files



Un-Install Phase

Diagram: same components as the install phase (Loader, Injection Library, Runtime Image; host process spooler.exe or explorer.exe).

  • Extract files to disk

  • Eject runtime image from host process

  • Delete unnecessary files



Points of interest

  • Standard Win32 APIs / C.

  • Code injection (operation within a context of a trusted process).

  • Standard HTTP communication.

  • Storing required components as binary resources in the loader and extracting them on-the-fly.



Points of interest - continued

  • Clean un-install (ADS).

  • UPX packing.

  • Social Engineering (harder human detection).



Conclusions

  • Standard protection schemes can be easily bypassed.

  • Detection is very difficult on low footprint operation.

  • New protection schemes shall protect processes from code injection.

  • New protection approaches?



Demo


  • Login