Malware-Free Intrusions: Exploitation of Built-in Pre-Authentication Services for APT Attack Vectors

Full Text (PDF, 642KB), PP.1-10


Author(s)

Aaron Zimba 1,*, Zhaoshun Wang 2

1. University of Science and Technology Beijing/Department of Computer Science and Technology, Beijing, 100083, China

2. University of Science and Technology Beijing/Computer Science and Technology, Beijing, 100083, China

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2017.07.01

Received: 25 Jan. 2017 / Revised: 5 Apr. 2017 / Accepted: 11 May 2017 / Published: 8 Jul. 2017

Index Terms

Remote Access, Authentication, Backdoor, APT, Accessibility Tools, RDP

Abstract

Advanced Persistent Threat (APT) actors seek to maintain an undetected presence over a considerable duration and therefore use a myriad of techniques to achieve this requirement. This stealthy presence might be sought on the targeted victim or on one of the victims used as pawns for further attacks. However, most of these techniques involve some malicious software, either leveraging the vulnerability induced by an exploit or leveraging the ignorance of the benign user. Malware, though, generates a substantial amount of noise in the form of suspicious network traffic or unusual system calls, which usually does not go undetected by intrusion detection systems. Therefore, an attack vector that generates as little noise as possible, or none at all, is especially attractive to APT threat actors, as it perfectly suits their objective. Malware-free intrusions present such attack vectors and are indeed difficult to detect, because they mimic the behavior of normal applications and add no extra code for signature detection or anomaly-based behavioral detection to act upon. This paper explores malware-free intrusions via backdoors created by leveraging the system tools that are available to the common user at pre-authentication. We explore two attack vectors used to implant the backdoor and demonstrate how such a backdoor is accessible over the network via remote access while providing the highest level of system access. We further look at prevention, detection and mitigation measures which can be implemented in the case of compromise.

Cite This Paper

Aaron Zimba, Zhaoshun Wang, "Malware-Free Intrusions: Exploitation of Built-in Pre-Authentication Services for APT Attack Vectors", International Journal of Computer Network and Information Security (IJCNIS), Vol. 9, No. 7, pp. 1-10, 2017. DOI: 10.5815/ijcnis.2017.07.01
