Backdoor, hidden channel and HTTP (s)


From --- http://www.myhack58.com/Article/60/76/2006/7325.htm


As a network or system administrator, you often need to restrict access to your network services. There are many ways to do this; by far the most common is a firewall. Even so, most firewalls and networks have to leave at least one service open, for example to let users browse the web. HTTP is a very simple and widely used protocol (like FTP): almost every workstation on any network is allowed to send HTTP requests, and servers usually are too. HTTP can be handled by a proxy, but that only applies to plain-text HTTP. SSL-encrypted HTTP (HTTPS) is usually not proxied, so these systems talk directly to servers on the Internet without anyone being able to eavesdrop. HTTP(S) is also, in a sense, an interactive protocol: you send a request to the server and the server sends you a response. This request/response interaction, together with the large volumes of data that normally flow over it, means that traffic which would otherwise be blocked by a firewall or similar device can easily reach its destination through an HTTP(S) channel.

Plenty of people already use this technique. Microsoft, for example, now carries RPC requests between systems over HTTP. Incoming packets for Microsoft RPC (port 135) are blocked by most firewalls, but by redirecting the service over HTTP(S) the RPC service can be used without any such worries. This makes life easy for RPC developers, who do not have to make extensive changes to the underlying system.

For Microsoft, getting around the firewall this way is very convenient in most cases: developers do not need to build their own solution, which would cost time and money and could introduce bugs and security problems. This is just one instance of a broader trend. As people pay more attention to security and block the ports of more and more services, the use of HTTP channels for carrying data keeps growing.

Two typical examples are http-tunnel (a commercial solution for Windows) and GNU httptunnel (an open-source solution for Linux and other platforms). HTTP-tunnel lets you pass through just about any firewall. You can use most instant-messaging software (such as AIM, ICQ and Yahoo) through it, and it also supports TCP, SOCKS5 and Napster. The GNU httptunnel project page (http://www.nocrew.org/software/httptunnel.html) is listed in the links below.

These tools are a great help to users behind a restrictive firewall. If HTTP proxying is allowed for WWW access, httptunnel can be used, and access to the outside through telnet or PPP over that channel becomes possible as well.

The implications are obvious:

Users can connect to external services that the firewall is supposed to block, and can run software (ICQ, Napster) that the firewall would normally stop.

Attackers can use this technique to achieve remote control (for example, by sending malicious code by email).

There are backdoor programs that attackers can use over HTTP(S) to connect to external machines under the attacker's control. The attacker can then send commands and interact with the compromised host, which is equivalent to telnet (a service the firewall usually blocks).

Worse still, SSL-encrypted HTTP is now in widespread use and many sites rely on it. An attacker (or an insider) can evade any form of monitoring this way, because no intrusion detection system can decrypt or inspect HTTPS packets. Any http-tunnel running over HTTPS is therefore beyond what an intrusion detection system can detect.

So what can you do to block or detect this kind of behaviour?

First, you may need to change your security policy along the following lines:

Do not install software that uses HTTP, such as AIM or ICQ. If you are not sure whether a piece of software falls under this rule, ask the network administrator.

You can also publish a list of forbidden software (such as HTTP-tunnel on Windows). In general, a legitimate user who needs to reach some external service should contact the security administrator rather than try to bypass the protected system.

The next step is to tighten control over WWW traffic (if you have not already done so). The best way is to install a proxy server and at the same time filter out direct HTTP packets, so that users are forced to go through the proxy. Doing the same for HTTPS is much harder and brings its own security risks, but since most HTTP tunnel software does not yet support HTTPS, you do not need to worry too much about that.

One product that offers this is Microsoft's proxy server. You can apply basic restrictions on which protocols each user or group may use. Restricting access by machine is also a good approach, but be aware that someone may log on to a "trusted" system and use it to reach the outside world.

If possible, log outgoing requests. This lets you look for odd behaviour such as overly long HTTP requests or excessive runs of consecutive HTTP requests, and review usage patterns that seem strange. Unless someone is sitting in front of a machine, most workstations should not be generating HTTP traffic. The per-user access and usage logs produced by an HTTP proxy let you focus on machines that may have been infiltrated. In addition, if you log direct external access as well as proxy use, you can spot devices that are not using the proxy and quickly locate suspicious hosts.

A client can use the POST method instead of GET, which makes the data harder to record (I have never heard of anything that logs POST data, since it may be executables, images, text and so on). If you are really determined, logging all HTTP data is an option to consider, although on a large network it would need a great deal of storage. And if the site uses SSL, recording it is impossible.
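As an added example (not from the original article), the following Python script applies the log-review heuristics above to a constructed proxy access log: over-long request URLs, regular runs of consecutive requests to one host, POST-heavy traffic that a GET-only logger would miss, and HTTP activity when nobody should be at the keyboard. The log format, the thresholds and the sample hosts are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in a hypothetical "time client method url status bytes" log format;
# 10.0.0.9 behaves like an HTTP tunnel client, 10.0.0.5 like a person browsing.
LONG_URL = "http://203.0.113.7/cgi-bin/get?d=" + "A" * 600
SAMPLE_LOG = "\n".join([
    "2006-03-01T10:00:00 10.0.0.5 GET http://www.example.com/ 200 5120",
    "2006-03-01T10:02:17 10.0.0.5 GET http://www.example.com/news.html 200 8192",
    "2006-03-01T02:00:00 10.0.0.9 POST http://203.0.113.7/index.cgi 200 64",
    "2006-03-01T02:00:10 10.0.0.9 POST http://203.0.113.7/index.cgi 200 64",
    "2006-03-01T02:00:20 10.0.0.9 POST http://203.0.113.7/index.cgi 200 64",
    "2006-03-01T02:00:30 10.0.0.9 POST http://203.0.113.7/index.cgi 200 64",
    f"2006-03-01T02:00:40 10.0.0.9 GET {LONG_URL} 200 64",
])

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|HEAD|CONNECT) (\S+) (\d{3}) (\d+)$")
MAX_URL_LEN = 512        # "too long" requests: data smuggled in the URL (assumed threshold)
BEACON_MIN_HITS = 4      # "over consecutive" requests to one host...
BEACON_JITTER = 2.0      # ...at near-constant intervals (seconds of tolerated variation)
OFF_HOURS = range(0, 6)  # nobody at the keyboard, yet the machine talks HTTP

def parse(log_text):
    # Yield (timestamp, client, method, url, host) for each well-formed line.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        ts, client, method, url, _status, _size = m.groups()
        host = url.split("/")[2] if "://" in url else url.split("/")[0]  # CONNECT has no scheme
        yield datetime.fromisoformat(ts), client, method, url, host

def find_tunnel_suspects(log_text):
    # Return {client: sorted list of findings} for clients matching the heuristics above.
    findings, per_pair = defaultdict(set), defaultdict(list)
    for ts, client, method, url, host in parse(log_text):
        if len(url) > MAX_URL_LEN:
            findings[client].add("long-request")
        if ts.hour in OFF_HOURS:
            findings[client].add("off-hours")
        per_pair[(client, host)].append((ts, method))
    for (client, host), hits in per_pair.items():
        if len(hits) < BEACON_MIN_HITS:
            continue
        hits.sort()
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(hits, hits[1:])]
        if max(gaps) - min(gaps) <= BEACON_JITTER:
            findings[client].add("beacon:" + host)
        if sum(m == "POST" for _, m in hits) / len(hits) > 0.75:
            findings[client].add("post-heavy:" + host)  # POST bodies are rarely logged
    return {client: sorted(f) for client, f in findings.items()}
```

Run `find_tunnel_suspects(SAMPLE_LOG)` to see only 10.0.0.9 flagged; the browsing client produces too few, too irregular requests to trip any rule.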

Summary

Computer security is a fast-evolving beast. Threats keep changing: old ones become obsolete but never quite seem to die. In the early days you could block a service simply by blocking its port. Because that approach is now so widespread, software vendors who need those services (such as Microsoft) have looked for other routes. Unfortunately, by packing their data into popular protocols such as HTTP, and especially into encrypted services, software vendors have made life much harder for corporate network administrators trying to control what goes in and out of the networks they manage. As a network administrator (or corporate security officer) you need to keep your security policy up to date against these new threats and maintain a multi-layered security solution. It seems no software company (or individual) ever stops trying to bypass your security measures.

Related Links
GNU httptunnel
http://www.nocrew.org/software/httptunnel.html

HTTP RPC Security
http://msdn.microsoft.com/library/default.asp?url=/library/psdk/rpc/ov-http_04qh.htm

HTTP tunnel software for Windows
http://http-tunnel.com/newpage/index.htm

Placing backdoors through firewalls
http://thc.pimmel.com/files/thc/fw-backd.htm

Reverse WWW Shell
http://thc.pimmel.com/files/thc/rwwwshell-1.6.perl
