Attacks and Rootkits - PowerPoint PPT Presentation
Provided by: gregb96

Transcript and Presenter's Notes

1
Attacks and Rootkits
  • By Greg Bailey

2
Poker and Rootkits
  • Virus developers' burden: to avoid detection and to
    spread.
  • Social engineering: the Kournikova virus of August
    2000. Get people to open the attachment!
  • Small.la trojan
  • Disguised as a rakeback calculator, RBCalc.exe,
    for poker players.
  • When executed, installs a registry launchpoint, then
    monitors processes, injecting a spy component into
    several popular poker tasks (empirepoker.exe,
    ultimatebet.exe, etc.)

3
Poker and Rootkits
  • Quits if it detects network security
    applications.
  • The backdoor trojan starts a keylogger and connects to
    a remote server to download and execute files, send
    screenshots, shut down the trojan, and upload files.
  • The virus itself is not unique; the rootkit is what
    makes it interesting.
  • Malware is able to hide itself using rootkit
    technology.
  • Persistent: activated at boot.
  • Memory-based: no persistent code.

4
Poker and Rootkits
  • How it works
  • Intercepts calls to the Windows
    FindFirstFile/FindNextFile APIs used by Explorer
    and the command prompt to enumerate
    directories.
  • Modifies the output to remove certain entries (its
    own files) to hide from the system.
  • More sophisticated
  • Intercepts the file system, registry, and process
    enumeration functions of the Windows native API,
    which acts as the interface between user-mode clients
    and kernel-mode services.

5
Poker and Rootkits
  • Even more powerful
  • Kernel-mode rootkits can intercept the native API
    and also directly manipulate kernel-mode data
    structures.
  • Revealed by
  • Applications like RootkitRevealer
  • Take a high-level Windows API scan and compare it
    with the lowest-level raw contents of the file system
    volume and registry.
  • Any discrepancy is reported by the application as
    an item hidden from the API.
  • One of the first rootkits: Sony DRM.
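The cross-view comparison that slides 4 and 5 attribute to RootkitRevealer, as an added illustration that is not code from the slides or from RootkitRevealer itself. A hook on FindFirstFile/FindNextFile can only filter what the hooked API returns, so a detector that also reads the raw volume and registry hive and diffs the two views sees every entry the hook removed. Both views here are constructed sample data (the "example_*" names are placeholders); a real tool obtains the raw view by parsing the NTFS directory index and hive files directly.

```python
"""Cross-view detection: diff a high-level API listing against a raw listing.
Added illustration; not code from the slides or from RootkitRevealer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str   # file path or registry value path
    size: int   # file size in bytes, or registry data length


@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str   # "hidden_from_api", "api_only" or "size_mismatch"


def cross_view_diff(api_view, raw_view):
    """Return every entry on which the two views disagree.

    hidden_from_api: in the raw view only -> the classic rootkit symptom
    api_only:        in the API view only -> a hook inventing entries, or a
                     raw parse that lagged behind a live filesystem
    size_mismatch:   in both, but the hook altered the metadata it returned
    Paths are compared case-insensitively, as NTFS and the registry are.
    """
    api = {e.path.lower(): e for e in api_view}
    raw = {e.path.lower(): e for e in raw_view}
    findings = []
    for key in sorted(set(api) | set(raw)):
        a, r = api.get(key), raw.get(key)
        if a is None:
            findings.append(Discrepancy(r.path, "hidden_from_api"))
        elif r is None:
            findings.append(Discrepancy(a.path, "api_only"))
        elif a.size != r.size:
            findings.append(Discrepancy(r.path, "size_mismatch"))
    return findings


# Constructed sample views. RBCalc.exe is the dropper named on the slides; the
# "example_*" names are placeholders standing in for whatever a hook hides.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

API_VIEW = [
    Entry(r"C:\Users\player\notes.txt", 120),
    Entry(r"C:\Users\player\RBCalc.exe", 482304),
    Entry(r"C:\Windows\System32\kernel32.dll", 1000000),
    Entry(RUN_KEY + r"\OneDrive", 88),
]

RAW_VIEW = [
    Entry(r"C:\Users\player\notes.txt", 4096),                        # size tampered in API view
    Entry(r"C:\Users\player\RBCalc.exe", 482304),
    Entry(r"C:\Windows\System32\kernel32.dll", 1000000),
    Entry(r"C:\Windows\System32\drivers\example_hidden.sys", 24576),  # filtered out by the hook
    Entry(RUN_KEY + r"\OneDrive", 88),
    Entry(RUN_KEY + r"\example_launch", 64),                          # hidden registry launchpoint
]


def sample_scan():
    """Run the diff over the constructed views and return the findings."""
    return cross_view_diff(API_VIEW, RAW_VIEW)


if __name__ == "__main__":
    for d in sample_scan():
        print(f"{d.kind:16} {d.path}")
```

The point of the design is that the raw view is built without calling the API the rootkit hooks; a user-mode hook cannot influence a parse of the volume, and a kernel-mode rootkit that manipulates kernel data structures must also lie consistently to raw disk reads to stay invisible, which is much harder.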

6
Voice over IP Attacks
  • SIP
  • Used on TCP/UDP port 5060 to connect SIP servers
    to SIP endpoints, for setting up and tearing down
    calls.
  • The User Agent registers with the domain registrar,
    which holds the records of all subscribers.
  • The user sends an INVITE request to the proxy server,
    which is responsible for routing SIP messages and
    locating subscribers via the SIP Registrar.

7
Voice over IP Attacks
  • Registration Hijacking
  • Normally, the user sends a REGISTER request containing
    a Contact header with the IP address of the device.
  • An incoming call is processed via an INVITE message:
    the proxy server looks up at what IP address the
    user with a certain phone number can be reached,
    and forwards the INVITE to that IP address.
  • An attacker can modify the REGISTER request's Contact
    header, changing the IP address to point to the
    attacker's device.

8
Voice over IP Attacks
  • Why it is possible
  • Signaling messages are sent in the clear,
    allowing an attacker to collect and potentially
    replay them.
  • SIP signaling messages do not support any sort of
    message integrity, so modifications are not
    detectable.
  • Solution
  • Use SIPS (SIP over TLS), authenticating SIP
    requests and responses.
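The registrar-side view of slides 7 and 8, as an added example that is not code from the slides. A toy registrar parses REGISTER requests, refuses to touch a binding until the request carries credentials (the Digest challenge that the slide's "authenticating SIP requests" implies), logs any REGISTER that did not arrive over TLS, and logs when an authenticated REGISTER moves a user's Contact to a different host. The messages are constructed and use RFC 5737 documentation addresses; the second one is the slide's scenario, a Contact rewritten to another host and sent in the clear without credentials. Digest verification itself is out of scope here: by assumption, presence of the Authorization header stands in for a validated response.

```python
"""Registrar-side checks against SIP registration hijacking.
Added example, not code from the slides. Verdicts per REGISTER:
  challenge     no Authorization header: reply 401 with a Digest challenge
                and leave the binding alone
  rebind_alert  authenticated, but Contact host differs from the stored
                binding: accept (users change devices) but log it
  accepted      first registration, or binding unchanged
Any REGISTER not carried over TLS is also logged, since cleartext signaling
is what lets an eavesdropper collect and replay it (the slide's SIPS fix).
Assumption: Digest verification is out of scope; header presence stands in.
"""
import re

CONTACT_RE = re.compile(r"sips?:(?:[^@>;]+@)?([^:;>]+)")   # host part of a SIP URI
AOR_RE = re.compile(r"sips?:([^;>]+)")                    # user@domain of a SIP URI
VIA_RE = re.compile(r"SIP/2\.0/(\w+)")                    # transport token in Via


def parse_sip(msg):
    """Split a request into (method, {lower-case header name: value})."""
    lines = msg.strip().splitlines()
    method = lines[0].split()[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def contact_host(contact):
    m = CONTACT_RE.search(contact)
    return m.group(1).lower() if m else None


def address_of_record(headers):
    m = AOR_RE.search(headers.get("to", ""))
    return m.group(1).lower() if m else None


def transport(headers):
    m = VIA_RE.match(headers.get("via", ""))
    return m.group(1).upper() if m else "UNKNOWN"


class Registrar:
    def __init__(self):
        self.bindings = {}   # address-of-record -> contact host
        self.log = []

    def process(self, msg):
        method, h = parse_sip(msg)
        if method != "REGISTER":
            return "ignored"
        user = address_of_record(h)
        host = contact_host(h.get("contact", ""))
        tp = transport(h)
        if tp != "TLS":
            self.log.append(f"{user}: REGISTER over {tp} is cleartext; require SIPS")
        # Assumption: a real registrar validates the Digest response against the
        # user's credentials; here presence of the header stands in for that.
        if "authorization" not in h:
            return "challenge"        # 401 Unauthorized + WWW-Authenticate: Digest ...
        previous = self.bindings.get(user)
        self.bindings[user] = host
        if previous is not None and previous != host:
            self.log.append(f"{user}: contact rebound from {previous} to {host}")
            return "rebind_alert"
        return "accepted"


# Constructed messages (RFC 5737 documentation addresses, placeholder digests).
SAMPLE_MESSAGES = [
    # legitimate registration over TLS with credentials
    """REGISTER sip:example.com SIP/2.0
Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-1
To: <sip:alice@example.com>
Contact: <sip:alice@192.0.2.10:5061;transport=tls>
Authorization: Digest username="alice", realm="example.com", nonce="PLACEHOLDER", response="PLACEHOLDER"
Content-Length: 0
""",
    # the slide's scenario: Contact rewritten to another host, cleartext, no credentials
    """REGISTER sip:example.com SIP/2.0
Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK-2
To: <sip:alice@example.com>
Contact: <sip:alice@203.0.113.5:5060>
Content-Length: 0
""",
    # same user re-registering from a new device, authenticated
    """REGISTER sip:example.com SIP/2.0
Via: SIP/2.0/TLS 192.0.2.11:5061;branch=z9hG4bK-3
To: <sip:alice@example.com>
Contact: <sip:alice@192.0.2.11:5061;transport=tls>
Authorization: Digest username="alice", realm="example.com", nonce="PLACEHOLDER", response="PLACEHOLDER"
Content-Length: 0
""",
]


def run_sample():
    """Feed the constructed messages through one registrar; return (verdicts, registrar)."""
    reg = Registrar()
    verdicts = [reg.process(m) for m in SAMPLE_MESSAGES]
    return verdicts, reg
```

Running `run_sample()` yields the verdicts `accepted`, `challenge`, `rebind_alert`: the cleartext, unauthenticated REGISTER never reaches the binding table, so the proxy keeps forwarding INVITEs to the user's real device, and the operator log shows both the cleartext transport and the later legitimate rebinding.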