Remote Controlled Agent


Presentation Transcript


  1. Remote Controlled Agent
  Avital Yachin, Ran Didi
  SoftLab – June 2006

  2. Background
  • To what risks are we exposed?
    • System integration
    • Data theft
    • Distributed Denial of Service
  • Current protection methods
    • Signature based
    • Heuristic
    • Firewalls
    • Others (sandboxes, ad-hoc tools)

  3. Project Goal
  • Exploring current protection methods.
  • Test the effectiveness of a standard protection scheme against:
    • Remote code execution
    • Remote configuration of an agent
    • Remote uninstall of an agent

  4. Challenges
  • Automated detection
  • Human detection
  • Firewalls
  • Restricted users (non-Admin)
  • Scalability
  • Persistency

  5. System Description

  6. Normal Operation
  [Diagram: Executable, CMDFILE, Agent, Server]
  • Request Commands File
  • Send Commands File
  • Parse Commands File
  • Send Executable
  • Request Executable
  • Run Executable

  7. Install Phase
  [Diagram: spooler.exe, Runtime Image, Loader, explorer.exe, Injection Library]
  • Inject runtime image to a System process, or to a User process if non-Admin
  • Delete unnecessary files
  • Extract files to disk

  8. Un-Install Phase
  [Diagram: spooler.exe, Runtime Image, Loader, explorer.exe, Injection Library]
  • Eject runtime image from host process
  • Delete unnecessary files
  • Extract files to disk

  9. Points of interest
  • Standard Win32 APIs / C.
  • Code injection (operation within the context of a trusted process).
  • Standard HTTP communication.
  • Storing required components as binary resources in the loader and extracting them on-the-fly.

  10. Points of interest - continued
  • Clean un-install (ADS).
  • UPX packing.
  • Social engineering (harder human detection).

  11. Conclusions
  • Standard protection schemes can be easily bypassed.
  • Detection is very difficult on low-footprint operation.
  • New protection schemes shall protect processes from code injection.
  • New protection approaches?
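The slides describe an agent that lives inside a trusted host process (spooler.exe or explorer.exe) and polls an HTTP server for a commands file. A defender-side check that keys on exactly that behaviour, added here as an example and not part of the original presentation, is shown below; the log record layout, the sample log (including the host 203.0.113.7), the baseline of processes not expected to speak HTTP, and the jitter threshold are all assumptions for the example.

```python
"""Flag outbound HTTP activity that matches the agent behaviour on the slides:
a fixed-interval poll for a commands file originating from a process that
should not be talking HTTP (e.g. spooler.exe). Example code; the log format,
baseline and thresholds are assumptions and must be tuned per environment."""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed baseline: processes with no legitimate reason to open outbound HTTP.
NO_HTTP_EXPECTED = {"spooler.exe"}

# Constructed sample log: (timestamp_seconds, process_image, remote_host, path).
# The first four rows mimic an injected agent polling for its CMDFILE every 60 s;
# the browser rows are ordinary, irregular user traffic.
SAMPLE_LOG = [
    (0,   "spooler.exe",  "203.0.113.7", "/cmdfile"),
    (60,  "spooler.exe",  "203.0.113.7", "/cmdfile"),
    (120, "spooler.exe",  "203.0.113.7", "/cmdfile"),
    (180, "spooler.exe",  "203.0.113.7", "/cmdfile"),
    (5,   "iexplore.exe", "example.org", "/"),
    (47,  "iexplore.exe", "example.org", "/news"),
    (300, "iexplore.exe", "example.org", "/"),
    (310, "iexplore.exe", "example.org", "/about"),
]


def find_beacons(records, min_hits=4, max_jitter=0.2):
    """Group records by (process, host) and return (process, host, reasons)
    for groups that come from an unexpected origin process and/or whose
    inter-request gaps are nearly constant, i.e. a polling agent."""
    by_key = defaultdict(list)
    for ts, proc, host, _path in records:
        by_key[(proc, host)].append(ts)
    findings = []
    for (proc, host), times in by_key.items():
        reasons = []
        if proc.lower() in NO_HTTP_EXPECTED:
            reasons.append("unexpected-origin")
        times.sort()
        if len(times) >= min_hits:
            gaps = [b - a for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            # Coefficient of variation: a low value means a fixed-interval poll.
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                reasons.append(f"periodic-beacon~{avg:.0f}s")
        if reasons:
            findings.append((proc, host, reasons))
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Real deployments would feed this from a host-based connection log that records the originating image, since a network-only view cannot tell that the request came from the print spooler.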

  12. Demo
