this looks fun. (from the securiteam list).

=jay


  ACK Tunneling Trojans
------------------------------------------------------------------------


SUMMARY

The following is the complete paper published by:
<mailto:[EMAIL PROTECTED]> Arne Vidstrom.

Trojans normally use ordinary TCP or UDP communication between their
client and server parts. Any firewall between the attacker and the victim
that blocks incoming traffic will usually stop such Trojans from working.
ICMP tunneling has existed for quite some time now, but if you block ICMP
in the firewall, you will be safe from that. This paper describes another
concept, called ACK Tunneling. ACK Tunneling works through firewalls that
do not apply their rule sets to TCP segments with the ACK flag set
(ordinary stateless packet filters belong to this class of firewalls).

DETAILS

A short description of TCP and the way firewalls handle it:
TCP is a protocol that establishes virtual connections on top of IP. A
session is established when the client sends a SYN (synchronize) segment,
the server responds with a SYN/ACK segment, and the client confirms with
an ACK (acknowledge) segment. Every segment exchanged after this handshake
carries the ACK flag.

Ordinary packet filtering firewalls rely on the fact that a session always
starts with a SYN segment from the client. Thus, they apply their rule
sets to all SYN segments, and simply assume that any ACK segment is part
of an established session. More advanced firewalls apply their rule sets
to all segments, including ACK segments. Some firewalls are configurable,
so you can choose between the two ways of handling ACK segments. The reason
to configure a firewall not to apply the rule set to ACK segments is
workload: a session can contain thousands or millions of ACK segments, but
only one SYN segment. Inspecting only the SYN segments decreases the
workload on the firewall considerably and saves money on expensive
hardware. Remember, you cannot establish a TCP session against an ordinary
system through either kind of firewall if it is set up to block incoming
connections, because the initial SYN is inspected in both cases.

When ACK Tunneling can be applied
Consider the following case. You have a firewall that does not apply its
rule set to ACK segments. The rules are to block UDP and ICMP completely,
to block all incoming TCP connections, to allow all outgoing connections,
and to block any other protocols. The attacker sends a Trojan by mail to a
user on the inside of the firewall. The user runs the Trojan.

Now what? How can the attacker on the outside contact the Trojan on the
inside? There are at least two ways.

The first is for the Trojan to make a connection to some computer on the
outside, and to accept commands and send the results through that
connection. This solution, however, has a problem: the attacker must have
a static IP. If the attacker does not, he/she might for example upload the
dynamic IP each time it changes to a web server that the Trojan contacts
every now and then to find the attacker's IP. Either way, the Trojan now
contains an address that points part of, or all of, the way to the
attacker. If the Trojan is discovered and analyzed, it can be used to trace
the attacker.

The second way is ACK Tunneling. The client part of the Trojan uses only
ACK segments to communicate with the server part, and vice versa. Since the
firewall never applies its rule set to these, the segments pass straight
through. As long as the attacker knows the IP of the target system, it
does not matter if his/her own IP is dynamic. In addition, even if the
target IP changes with time, the attacker could use a special scanner that
sends ACK segments to scan for the Trojan, straight through the firewall.

The Trojan does not have to contain any link to the attacker. Moreover,
the person connecting to it might not even know who sent the Trojan to the
user. It would be just like scanning for NetBus over a whole network,
hoping it is running on some of the systems. Of course, the attacker might
be traced by sniffing and tracing the ACK segments. On the other hand, it
is quite likely that the firewall will not log these segments even if it
is configured to log all outgoing connections, because it probably only
logs the SYN segment that starts each connection.
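The two firewall behaviours described above (a stateless filter that consults its rules and its log only for SYN segments, and a stateful one that tracks connections) can be modelled in a few dozen lines. The following is an added example, not part of the paper and not AckCmd's code: it builds raw TCP headers with struct, runs a small constructed traffic sample through both filter models, and shows that an ACK-only segment arriving from the outside with no preceding handshake is passed unlogged by the stateless filter and dropped and logged by the stateful one. The addresses, ports, payloads and the 10.0.0.0/24 "inside" network are constructed for the example; the source port 80 / destination port 1054 pair mirrors the AckCmd description further down.

```python
"""Stateless vs. stateful handling of TCP ACK segments (added example)."""
import struct
from dataclasses import dataclass

# TCP control bits in the low byte of the data-offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

INSIDE_PREFIX = "10.0.0."   # constructed: the network behind the firewall


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Minimal 20-byte TCP header: no options, window 65535, checksum left zero."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words, flags in low 9 bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0)


def parse_tcp_header(raw):
    """Return (sport, dport, flags) from the first 20 bytes of a TCP header."""
    sport, dport, _seq, _ack, offset_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return sport, dport, offset_flags & 0x1FF


@dataclass(frozen=True)
class Segment:
    src_ip: str
    dst_ip: str
    tcp: bytes   # raw TCP header, optionally followed by payload

    def inbound(self):
        return self.dst_ip.startswith(INSIDE_PREFIX) and not self.src_ip.startswith(INSIDE_PREFIX)


def stateless_filter(segments):
    """Filter of the kind the paper describes: the rule set is consulted (and a
    log line written) only for SYN segments; anything with ACK set is assumed
    to belong to an established session and passed without a rule lookup."""
    verdicts, log = [], []
    for seg in segments:
        sport, dport, flags = parse_tcp_header(seg.tcp)
        if flags & ACK:
            verdicts.append("pass")           # no rule lookup, no log entry
            continue
        if seg.inbound():                     # inbound SYN: new connection, policy says block
            verdicts.append("drop")
            log.append(f"DENY  {seg.src_ip}:{sport} -> {seg.dst_ip}:{dport}")
        else:                                 # outbound SYN: allowed, and this is all that gets logged
            verdicts.append("pass")
            log.append(f"ALLOW {seg.src_ip}:{sport} -> {seg.dst_ip}:{dport}")
    return verdicts, log


def stateful_filter(segments):
    """Connection-tracking filter: an outbound SYN creates state, and every other
    segment must match existing state or it is dropped and logged."""
    state = set()          # (inside_ip, inside_port, outside_ip, outside_port)
    verdicts, log = [], []
    for seg in segments:
        sport, dport, flags = parse_tcp_header(seg.tcp)
        key = (seg.dst_ip, dport, seg.src_ip, sport) if seg.inbound() else (seg.src_ip, sport, seg.dst_ip, dport)
        if flags & SYN and not flags & ACK:
            if seg.inbound():
                verdicts.append("drop")
                log.append(f"DENY  {seg.src_ip}:{sport} -> {seg.dst_ip}:{dport}")
            else:
                state.add(key)
                verdicts.append("pass")
                log.append(f"ALLOW {seg.src_ip}:{sport} -> {seg.dst_ip}:{dport}")
        elif key in state:
            verdicts.append("pass")           # reply or data on a tracked connection
        else:
            verdicts.append("drop")           # ACK with no handshake behind it
            log.append(f"OUT-OF-STATE {seg.src_ip}:{sport} -> {seg.dst_ip}:{dport} flags=0x{flags:02x}")
    return verdicts, log


# Constructed traffic: a legitimate web request from inside, then an attacker at
# 203.0.113.5 first trying a direct connection and then sending an AckCmd-style
# tunnel segment (source port 80, destination port 1054, ACK flag only).
TRAFFIC = [
    Segment("10.0.0.7", "198.51.100.20", build_tcp_header(1037, 80, SYN, seq=1)),
    Segment("198.51.100.20", "10.0.0.7", build_tcp_header(80, 1037, SYN | ACK, seq=9, ack=2)),
    Segment("10.0.0.7", "198.51.100.20", build_tcp_header(1037, 80, ACK, seq=2, ack=10)),
    Segment("203.0.113.5", "10.0.0.7", build_tcp_header(4444, 1054, SYN)),
    Segment("203.0.113.5", "10.0.0.7", build_tcp_header(80, 1054, ACK) + b"dir c:\\\r\n"),
    Segment("10.0.0.7", "203.0.113.5", build_tcp_header(1054, 80, ACK) + b" Volume in drive C"),
]

if __name__ == "__main__":
    for name, fn in (("stateless", stateless_filter), ("stateful", stateful_filter)):
        verdicts, log = fn(TRAFFIC)
        print(name, verdicts)
        for line in log:
            print("   ", line)
```

Run as a script, the stateless model passes both tunnel segments and its log shows only the outbound web SYN and the attacker's blocked direct SYN, which is the logging gap the paper points out; the stateful model drops both tunnel segments and writes an OUT-OF-STATE line for each, which is the kind of event worth alerting on.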

A working example Trojan
A working example Trojan for Windows 2000 has been coded, called
<http://www.ntsecurity.nu/toolbox/ackcmd/> AckCmd. It is simply a remote
Command Prompt, but the concept could be extended to create a new protocol
on top of TCP ACK segments that has the same features as TCP does. One
could also extend it to proxy connections through the server component to
other systems on the network behind the firewall.

AckCmd sends from port 80 on the client side to port 1054 on the server
side. These ports were chosen because even if almost everything is blocked
in the firewall, most sites will still allow web browsing, and to a filter
that does not inspect ACK segments a segment arriving from source port 80
looks like a web server's reply to an internal client. Thus this
communication channel will still work.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:[EMAIL PROTECTED]>
Arne Vidstrom.

_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits