Thursday, March 4, 2010

Reverse WWW Shell - Covert channels using HTTP






  • Reverse WWW shell allows an attacker to access a machine on your internal network from the outside.








  • The attacker must install a simple trojan program on a machine in your network, the Reverse WWW shell server.








  • On a regular basis, usually 60 seconds, the internal server will try to access the external master system to pick up commands.








  • If the attacker has typed something into the master system, this command is retrieved and executed on the internal system.








  • Reverse WWW shell uses standard http protocol.








  • It looks like internal agent is browsing the web.






  • This Trojan can work through any firewall which allows users to access the Internet. It is the reverse of a straight HTTP tunnel. The program is run on the internal host, which spawns a child every day at a special time. The child program appears as a user to the firewall, which in turn allows it to access the Internet. However, this child program executes a local shell and connects to the web server owned by the attacker on the internet through a legitimate looking http request and sends it 'ready' signal. The legitimate looking answer of the web server owned by the attacker is in reality the commands the child will execute on its machine's local shell. All traffic will be converted into a Base64 like structure and given as a value for a cgi-string to prevent caching.
    Example of a connection:

    • Slave
      GET /cgi-bin/order?M5mAejTgZdgYOdgIOoBgFfVYTgjFLdgxEdbiHe7krj HTTP/1.0 

    • Master replies with
      g5mAlfbknz 
    For instance, The GET of the internal host (SLAVE) is just the command prompt of the shell; the answer is an encoded "Is" command from the hacker on the external server (MASTER). The SLAVE tries to connect daily at a specified time to the MASTER if needed; the child is spawned because if the shell hangs for whatever reason the attacker can check and fix it the next day.
    In case the administrator sees connects to the attacker's server and connects to it himself he will just see a broken web server because there's a Token (Password) in the encoded cgi GET request; WWW Proxies (e.g. squid) are supported; program masks it's name in the process listing. The programs are reasonably small with the master and slave program just one 260-lines perl file Usage is simple: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and just run "rwwwshell.pl" on the MASTER just before it is time that the slave tries to connect.
    Sample of Reverse Http Shell: Http Http |Internal|—------------>|PROXY|-->|FIREWALL|<---------->|Attacker| SLAVE MASTER
    Backdoor Countermeasures


    • Most commercial ant-virus products can automatically scan and detect backdoor programs before they can cause damage (Eg. before accessing a floppy, running exe or downloading mail)

    • An inexpensive tool called Cleaner (http://www.moosoft.com/cleanet.html) can identify and eradicate 1000 types of backdoor programs and trojans.

    • Educate your users not to install applications downloaded from the internet and e-mail attachments.
    The first line of defense is to educate users regarding the dangers of installing applications downloaded from the Internet and to take great caution if they have to open any mail attachment.
    The second line of defense can be antivirus products that are capable of recognizing Trojan signatures. Ensure that these updates are regularly applied over the network.
    The third line of defense comes from keeping application version updated by following security patches and vulnerability announcements.
    An inexpensive tool called Cleaner (http://www.moosoft.com/cleanet.html) can identify and eradicate 1000 types of backdoor programs and Trojans. Some of the other anti-Trojan software is:

    0 comments:

    Post a Comment