Remote Controlled Agent - PowerPoint PPT Presentation
Presentation Transcript
Remote Controlled Agent

Avital Yachin

Ran Didi

SoftLab – June 2006


Background

  • To what risks are we exposed?

    • System integration

    • Data theft

    • Distributed Denial of Service

  • Current protection methods

    • Signature based

    • Heuristic

    • Firewalls

    • Others (sandboxes, ad-hoc tools)


Project Goal

  • Exploring current protection methods.

  • Test the effectiveness of a standard protection scheme against:

    • Remote code execution

    • Remote configuration of an agent

    • Remote uninstall of an agent


Challenges

  • Automated Detection

  • Human detection

  • Firewalls

  • Restricted Users (non-Admin)

  • Scalability

  • Persistency



Normal Operation

(Diagram slide; the labels below are the recoverable parts of the agent/server flow. Components shown: Agent, Server, CMDFILE, Executable.)

  • Agent → Server: Request Commands File

  • Server → Agent: Send Commands File (CMDFILE)

  • Agent: Parse Commands File

  • Agent → Server: Request Executable

  • Server → Agent: Send Executable

  • Agent: Run Executable


Install Phase

(Diagram slide; components shown: Loader, Injection Library, Runtime Image, spooler.exe, explorer.exe.)

  • Extract files to disk

  • Inject runtime image into a System process (spooler.exe), or into a User process (explorer.exe) if non-Admin

  • Delete unnecessary files


Un-Install Phase

(Diagram slide; components shown: Loader, Injection Library, Runtime Image, spooler.exe, explorer.exe.)

  • Extract files to disk

  • Eject runtime image from host process

  • Delete unnecessary files


Points of interest

  • Standard Win32 APIs / C.

  • Code injection (operation within a context of a trusted process).

  • Standard HTTP communication.

  • Storing required components as binary resources in the loader and extracting them on-the-fly.


Points of interest - continued

  • Clean un-install (ADS).

  • UPX packing.

  • Social Engineering (harder human detection).


Conclusions

  • Standard protection schemes can be easily bypassed.

  • Detection is very difficult on low footprint operation.

  • New protection schemes shall protect processes from code injection.

  • New protection approaches?