
In the first part of this series I wrote about the different ways attackers propagate malware: by sending an infectious executable file or a USB memory stick to their victims, or by letting them pick up an infected file in a file sharing network like eMule or BitTorrent.
In this article, as promised in the first part, I want to explain how malware is propagated and injected by taking over a victim's data stream.

There are two ways to take over a data stream: from the inside of the victim's network (the LAN) or from the outside (the Internet). Both tactics have their advantages, disadvantages and methods of proceeding, which I will explain in the following paragraphs. I won't go too deep into details and technical aspects; otherwise I would have to split this article into a second and a third part, because it would blow it up too much. I will explain the technical aspects in another article independent of this series and will add example tools and source code where possible.

Attacking the victim's home LAN

Beside the fact that home Internet routers are generally less well protected than corporate Internet access appliances, one of the weak links in home routers is often the integrated wireless access point. Sometimes the Internet routers are delivered with the WLAN module activated and protected only by the default settings. Other times the owner activates the WLAN himself and chooses an insecure password or an insecure protection standard like WEP (and nowadays WPA also has its weaknesses). If one of these preconditions holds, chances are good that an attacker will overcome the protection mechanisms. Once he is connected to the victim's local network over the WLAN, several not too complicated scenarios exist to take over the data stream.

Method 5 : Taking over the DNS

The Internet doesn't understand host names like www.megapanzer.com. Instead it uses IP addresses like 194.208.66.33. And because we are too lazy to remember these awkward IP addresses and prefer meaningful hostnames instead, the DNS maps between these two addressing conventions. Every time you want to connect to the megapanzer server www.megapanzer.com, your computer has to ask a DNS server under which IP address this server is reachable. It doesn't take too much imagination to see that taking over the DNS service in a victim's LAN is the key to the power. Once an attacker controls the DNS, for example by injecting faked DNS responses, he controls where the data stream is directed. Traffic destined for ebanking.ubs.com can easily be redirected to an attacker's server.

Method 6 : Acting as default gateway

The computers in an Ethernet-based LAN don't communicate by their IP addresses. IP addresses are used on the Internet, but not inside a small, Ethernet-based home LAN. Ethernet uses MAC addresses, so every network adapter connected to a computer was once assigned a unique MAC address by its manufacturer. The computers in a LAN constantly tell each other which MAC address and which IP address they have, and they keep this information in memory for a while. WLAN adapters also support the Ethernet standard and therefore have MAC addresses. The only difference between wired and wireless network adapters is the medium they use (air or copper), the first layer of the OSI model. From layer 2 upwards they work exactly the same way.
This situation allows an attacker to spread wrong information inside a LAN, telling every computer that HIS computer is the router that leads to the Internet. Afterwards every computer sends its data packets to the attacker instead of to the real Internet router. The attacker has taken over the data stream and can do with it whatever he wants: relaying, modifying, blocking …
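The gateway takeover described above leaves a footprint on the wire: the MAC address answering for the router's IP suddenly changes, and one MAC starts claiming more than one IP. The following monitor is an added example (not code from the original post) that watches a stream of ARP replies for exactly those two symptoms. The gateway address and the ARP replies are constructed sample data, not captured traffic.

```python
"""Passive detection of default-gateway impersonation from ARP replies.

Added example, not code from the original post: keeps the IP -> MAC mapping
announced in each ARP reply and raises an alert when the MAC claimed for the
gateway changes, or when a single MAC claims the gateway IP alongside another
host's IP. The gateway address and the replies below are constructed.
"""
from __future__ import annotations

from collections import defaultdict


class ArpMonitor:
    def __init__(self, gateway_ip: str) -> None:
        self.gateway_ip = gateway_ip
        self.ip_to_mac: dict[str, str] = {}                 # last MAC seen per IP
        self.mac_to_ips: defaultdict[str, set[str]] = defaultdict(set)
        self.alerts: list[str] = []

    def observe(self, sender_ip: str, sender_mac: str) -> list[str]:
        """Record one ARP reply (sender fields) and return the alerts it raised."""
        raised: list[str] = []
        sender_mac = sender_mac.lower()
        previous = self.ip_to_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            # An IP that silently changes its MAC is suspicious; for the gateway
            # it is the classic sign that another host is posing as the router.
            level = "HIGH" if sender_ip == self.gateway_ip else "MEDIUM"
            raised.append(f"{level}: {sender_ip} changed MAC {previous} -> {sender_mac}")
        self.ip_to_mac[sender_ip] = sender_mac
        self.mac_to_ips[sender_mac].add(sender_ip)
        claimed = self.mac_to_ips[sender_mac]
        if self.gateway_ip in claimed and len(claimed) > 1:
            others = ", ".join(sorted(ip for ip in claimed if ip != self.gateway_ip))
            raised.append(f"HIGH: {sender_mac} claims gateway {self.gateway_ip} and {others}")
        self.alerts.extend(raised)
        return raised


def analyze(replies: list[tuple[str, str]], gateway_ip: str) -> list[str]:
    """Feed a sequence of (sender_ip, sender_mac) ARP replies; return all alerts."""
    monitor = ArpMonitor(gateway_ip)
    for ip, mac in replies:
        monitor.observe(ip, mac)
    return monitor.alerts


# Constructed sample: the router announces itself, two hosts appear, then the
# second host's MAC starts answering for the gateway IP.
GATEWAY_IP = "192.168.1.1"
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:55"),
    ("192.168.1.20", "AA:BB:CC:DD:EE:01"),
    ("192.168.1.30", "AA:BB:CC:DD:EE:02"),
    ("192.168.1.1",  "AA:BB:CC:DD:EE:02"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_ARP_REPLIES, GATEWAY_IP):
        print(alert)
```

In practice the `(sender_ip, sender_mac)` pairs would be taken from a packet capture rather than a list, and the cheapest mitigation on a small home LAN is a static ARP entry for the gateway so that a changed announcement is never accepted in the first place.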

To give you an idea how these two examples lead to a successful data injection, just imagine you as a victim want to download an executable file via your browser. You click on a specific link and expect the browser to download this file. An attacker can intercept your request and, instead of sending back the real executable, inject the trojan horse, disguised to make it look unsuspicious. Even if sceptics think you could check the hash checksum, they too know that only a small percentage really does it, and the checksums are not provided every time.
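The checksum verification the paragraph mentions is only useful if it is actually done, so here is what it looks like in code. This is an added example, not code from the original post: it parses the `SHA256SUMS` format that `sha256sum` produces, hashes the local file in chunks and compares digests in constant time. The installer bytes and the published checksum list are constructed for the demonstration.

```python
"""Verify a downloaded file against a published SHA256SUMS list.

Added example, not code from the original post: parses the output format of
`sha256sum` ("<64 hex chars>  <filename>", one entry per line, " *" for
binary mode), hashes the local file in chunks and compares digests in
constant time. The installer bytes and checksum list below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Map filename -> lowercase hex digest; reject malformed digest lines."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.lstrip(" *")            # "  name" (text) or " *name" (binary)
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        table[name] = digest
    return table


def sha256_of_file(path: str) -> str:
    """Hash in 64 KiB chunks so a large download never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, sums_text: str) -> bool:
    """True only if the file is listed and its digest matches the published one."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False                        # unlisted file: never assume it is fine
    return hmac.compare_digest(sha256_of_file(path), expected)


# Constructed demo data: what the vendor published versus what arrived.
GENUINE_BYTES = b"MZ\x90\x00 constructed installer image\n"
TAMPERED_BYTES = GENUINE_BYTES + b"\x00 extra bytes added in transit"
PUBLISHED_SUMS = ("# SHA256SUMS (constructed)\n"
                  + hashlib.sha256(GENUINE_BYTES).hexdigest() + "  setup.exe\n")


def demo() -> tuple[bool, bool]:
    """Return (genuine_verifies, tampered_verifies) for the constructed data."""
    results = []
    for content in (GENUINE_BYTES, TAMPERED_BYTES):
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "setup.exe")
            with open(path, "wb") as f:
                f.write(content)
            results.append(verify_download(path, PUBLISHED_SUMS))
    return results[0], results[1]


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The check is only as good as the channel the checksum list came over: whoever can replace the download in the stream can usually replace a checksum fetched over the same plain HTTP connection, so the list needs to come from a source outside that stream (an HTTPS page on a different host, or a signed file).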

Method 7 : Intruding the victim's Internet router

As you saw in the previous examples, the Internet access router is the central point. Those attacks were conducted from the internal part of the network. There is also an external part of the network which attackers can reach and attack over the Internet.
Still a big number of home Internet routers are accessible over the Internet and offer a user interface for administration purposes, often over HTTP/HTTPS, and also Telnet and SSH. But private users are not known for having an IT security policy they have to respect. So you can think of several situations you encounter when connecting to a home router:

  • The admin interface access is blocked
  • The admin interface access is open but unprotected
  • The admin interface access is open and protected with the default account settings
  • The admin interface access is open and protected with a new password

These situations invite an attacker to invest some time and try to crack the password by a brute-force or dictionary attack.
Once this obstacle is overcome, the attacker has control over the appliance, the place where all the data passes to and from the Internet. As an example of how the stream can be controlled by the attacker, think of the DNS service from the two previous examples. The attacker can configure the Internet router to redirect all DNS requests to a DNS server that he controls.

Method 8 : Anonymizing proxy server data injection

TOR and I2P, to mention the most famous among them, are quite popular anonymizing services. You install the proxy software on your computer, customize your browser a little, and you surf the net anonymously. But the anonymizing services have a problem: when the data stream re-enters the regular Internet, you don't know if and who is reading or maybe even manipulating your data stream.
At least in the open and anonymizing proxy chains it is an easy game to infiltrate other people's data streams, to read them, to manipulate them and to inject data they never requested (read here).

Method 9 : DNS cache poisoning

I would consider DNS cache poisoning a rather esoteric method that maybe worked one day. But then I remember only too well when Dan Kaminsky discovered and published the DNS poisoning vulnerability. But as with TCP/IP spoofing, the Sendmail Debug or CGI/PHF vulnerabilities, it just doesn't happen anymore.

DNS cache poisoning is a technique to convince, for example, a big ISP's DNS server, like the one from Bluewin (the biggest access provider in Switzerland), that a hostname outside of their domain like ebanking.ubs.com is reachable under the IP address 192.168.1.1. Of course this is the wrong IP address, but all the Bluewin users who ask this DNS server for the IP address of ebanking.ubs.com will see this answer. By using DNS cache poisoning an attacker could redirect the data packets from the Bluewin users to a destination of his choice. He controls the stream.
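Both Method 5 (a forged reply injected on the LAN) and Method 9 (a wrong answer planted in a resolver's cache) depend on the resolver accepting a reply it should not. The code below is an added example, not code from the original post, showing the checks a resolver applies before caching anything: the transaction ID must match the outstanding query, the reply must arrive on the query's randomised source port, the question section must echo the query, and records whose owner name lies outside the zone the queried server is responsible for (its "bailiwick") are discarded. The last check is exactly what rejects an answer for `ebanking.ubs.com` smuggled into a reply about some other domain, the case the paragraph describes. The parser, the `build_response()` helper and all names, addresses and ports are constructed assumptions.

```python
"""Checks a resolver applies before trusting a DNS reply (defence side of
Method 5 and Method 9). Added example, not code from the original post: a
small wire-format parser plus four checks: transaction ID matches the query,
reply arrives on the query's randomised source port, question echoes the
query, and records outside the queried server's zone ("bailiwick") are dropped
rather than cached. Names, addresses and ports below are constructed."""
from __future__ import annotations
import struct

A, NS, CNAME, IN = 1, 2, 5, 1

def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (lowercase name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            end = off + 2 if not jumped else end     # name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if jumped else off)

def parse_message(msg: bytes) -> dict:
    """Parse header, question section and the answer/authority/additional RRs."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        questions.append((name, *struct.unpack("!HH", msg[off:off + 4])))
        off += 4
    out: dict = {"id": txid, "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        out[section] = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata: object = msg[off:off + rdlen]
            if rtype == A and rdlen == 4:
                rdata = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype in (NS, CNAME):
                rdata = decode_name(msg, off)[0]
            off += rdlen
            out[section].append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return out

def build_response(txid, qname, answers=(), authority=(), additional=()) -> bytes:
    """Build an uncompressed reply; RRs are (name, type, ttl, rdata) tuples."""
    def rr(name, rtype, ttl, rdata):
        data = bytes(int(x) for x in rdata.split(".")) if rtype == A else encode_name(rdata)
        return encode_name(name) + struct.pack("!HHIH", rtype, IN, ttl, len(data)) + data
    header = struct.pack("!6H", txid, 0x8180, 1, len(answers), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", A, IN)
    return header + question + b"".join(rr(*r) for r in (*answers, *authority, *additional))

def in_bailiwick(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)

def validate_response(query: dict, wire: bytes, arrived_on_port: int) -> dict:
    """query has keys id, name, port, bailiwick; returns status, reason, kept and dropped RRs."""
    def reject(reason):
        return {"status": "rejected", "reason": reason, "records": [], "dropped": []}
    reply = parse_message(wire)
    if reply["id"] != query["id"]:
        return reject("txid mismatch")
    if arrived_on_port != query["port"]:
        return reject("port mismatch")
    if reply["questions"] != [(query["name"].lower(), A, IN)]:
        return reject("question mismatch")
    zone, kept, dropped = query["bailiwick"].lower(), [], []
    for section in ("answer", "authority", "additional"):
        for rr in reply[section]:
            (kept if in_bailiwick(rr["name"], zone) else dropped).append(rr)
    return {"status": "accepted", "reason": None, "records": kept, "dropped": dropped}

def demo() -> dict[str, dict]:
    """One genuine reply and three forged ones, all constructed."""
    q = {"id": 0x1234, "name": "www.example.com", "port": 53123, "bailiwick": "example.com"}
    www = ("www.example.com", A, 300, "192.0.2.10")
    genuine = build_response(0x1234, q["name"], [www], [("example.com", NS, 3600, "ns1.example.com")],
                             [("ns1.example.com", A, 3600, "192.0.2.53")])
    wrong_txid = build_response(0x1235, q["name"], [("www.example.com", A, 300, "192.168.1.1")])
    # Right ID and port, but the additional section carries an address for a name
    # from another zone (the post's ebanking.ubs.com -> 192.168.1.1 case).
    smuggled = build_response(0x1234, q["name"], [www], (), [("ebanking.ubs.com", A, 86400, "192.168.1.1")])
    return {"genuine": validate_response(q, genuine, 53123),
            "wrong_txid": validate_response(q, wrong_txid, 53123),
            "wrong_port": validate_response(q, genuine, 53124),
            "smuggled": validate_response(q, smuggled, 53123)}
```

The transaction ID and the randomised source port together give a forger roughly 32 bits to guess, which is why source-port randomisation was the emergency fix after the Kaminsky disclosure; the bailiwick rule is what stops a reply about one zone from planting records for another, and DNSSEC validation is the only check that makes the origin of the data itself verifiable.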
