Wilders Security Forums  

#1
February 25th, 2002, 09:22 AM
Paul Wilders
Administrator
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,383
ACK Tunneling Trojans

Quote:
Summary
The following is the complete paper published by: Arne Vidstrom.

Trojans normally use ordinary TCP or UDP communication between their client and server parts. Any firewall between the attacker and the victim that blocks incoming traffic will usually stop all Trojans from working. ICMP tunneling has existed for quite some time now, but if you block ICMP in the firewall, you will be safe from that. This paper describes another concept that is called ACK Tunneling. ACK Tunneling works through firewalls that do not apply their rule sets on TCP ACK segments (ordinary packet filters belong to this class of firewalls).


Details
A short description of TCP and the way firewalls handle it:
TCP is a protocol that establishes virtual connections on top of IP. A session is established when the client sends a SYN (synchronize) segment, the server responds with a SYN/ACK segment, and the client confirms with an ACK (acknowledge) segment. All traffic in the following session consists of ACK segments.

Ordinary packet filtering firewalls rely on the fact that a session always starts with a SYN segment from the client. Thus, they apply their rule sets on all SYN segments, and simply assume that any ACK segments are part of an established session. More advanced firewalls apply their rule sets on all segments, including ACK segments. Some firewalls are configurable, so you can choose between the two ways to handle ACK segments. The reason to configure a firewall not to apply the rule set on ACK segments is workload. While a session can contain thousands or millions of ACK segments, it only contains one SYN segment. This way you can decrease the workload on the firewall considerably, and save money on expensive hardware. Remember, you cannot establish a TCP session against an ordinary system through either of these two kinds of firewalls if they are set up to block incoming connections.

When ACK Tunneling can be applied
Consider the following case. You have a firewall that does not apply its rule set on ACK segments. The rules are to block UDP and ICMP completely, to block all incoming TCP connections, to allow all outgoing connections, and to block any other protocols. The attacker sends a Trojan by mail to a user on the inside of the firewall. The user runs the Trojan.

Now what? How can the attacker on the outside contact the Trojan on the inside? There are at least two ways.

Read the full story here:

www.securiteam.com/securityreviews/5OP0P156AE.html



__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
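A small model of the two firewall classes the quoted paper describes, written here as an added example (not code from the paper or from anyone in the thread): the stateless filter applies the rule set to SYN segments only and lets any ACK segment through, while the stateful filter admits an ACK segment only if it belongs to a session it saw initiated from the inside. All addresses, ports and the "10." inside prefix are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment header: constructed sample data, not captured traffic."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def is_inside(ip):
    # Hypothetical inside network: anything in 10.0.0.0/8
    return ip.startswith("10.")


def rule_set(seg):
    """Policy from the paper: allow outgoing connections, block incoming ones."""
    return is_inside(seg.src) and not is_inside(seg.dst)


def stateless_filter(seg):
    """Ordinary packet filter: rules are applied to pure SYN segments only;
    every other segment is assumed to belong to an established session."""
    if "SYN" in seg.flags and "ACK" not in seg.flags:
        return rule_set(seg)
    return True


class StatefulFilter:
    """Tracks sessions opened from the inside; non-SYN segments must match one."""

    def __init__(self):
        self.sessions = set()  # (src, sport, dst, dport) of permitted SYNs

    def filter(self, seg):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        reverse = (seg.dst, seg.dport, seg.src, seg.sport)
        if "SYN" in seg.flags and "ACK" not in seg.flags:
            if rule_set(seg):
                self.sessions.add(key)
                return True
            return False
        # ACK or SYN/ACK: permitted only in either direction of a tracked session
        return key in self.sessions or reverse in self.sessions


def run(segments):
    """Return (stateless_verdict, stateful_verdict) for each segment in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(s), stateful.filter(s)) for s in segments]


SAMPLE = [  # constructed sequence: a normal outbound web session, then inbound traffic
    Segment("10.0.0.5", 40000, "198.51.100.10", 80, frozenset({"SYN"})),
    Segment("198.51.100.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Segment("10.0.0.5", 40000, "198.51.100.10", 80, frozenset({"ACK"})),
    Segment("203.0.113.7", 5555, "10.0.0.5", 1234, frozenset({"SYN"})),  # inbound connect
    Segment("203.0.113.7", 5555, "10.0.0.5", 1234, frozenset({"ACK"})),  # unsolicited ACK
]
```

Only the last segment separates the two: the inbound SYN is blocked by both filters, but the unsolicited inbound ACK passes the stateless filter and is dropped by the stateful one because no session matches it.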
#2
February 25th, 2002, 07:04 PM
Zhen-Xjell
Security Expert
Join Date: Feb 2002
Location: Ohio
Posts: 1,397
Re: ACK Tunneling Trojans

Ah, didn't know you posted this. I was just reading this a few moments ago and was about to post it here. Anyhow.....

My assessment: I only have one Win 2k box at home. For the heck of it, I ran the server and the client on it. ZAP prompted me after I executed the client, but not the server. On my WinME box, ZAP prompted me on the server but then the server just died.
__________________
Microsoft MVP Windows-Security
Submit Phish: www.castlecops.com/pirt
CastleCops [de] [en] [wiki]
#3
February 25th, 2002, 07:15 PM
Paul Wilders
Administrator
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,383
Re: ACK Tunneling Trojans

That's interesting indeed!

regards.

paul
#4
February 25th, 2002, 09:27 PM
Zhen-Xjell
Security Expert
Join Date: Feb 2002
Location: Ohio
Posts: 1,397
Re: ACK Tunneling Trojans

What is also interesting is that NOD32 AMON picked it up immediately, and TDS-3 did not with the 11373 references update.
#5
February 25th, 2002, 09:34 PM
Paul Wilders
Administrator
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,383
Re: ACK Tunneling Trojans

Mmm.. a big plus for NOD32. Personally, I didn't check having TDS enabled. Question to be answered for DCS..

regards,

paul
#6
February 26th, 2002, 12:08 AM
Zhen-Xjell
Security Expert
Join Date: Feb 2002
Location: Ohio
Posts: 1,397
Re: ACK Tunneling Trojans

Yeah, I was quite impressed. I'm very glad I went with NOD32.
#7
February 26th, 2002, 12:51 AM
Wayne - DiamondCS
Security Expert
Join Date: Jul 2002
Location: Perth, Oz
Posts: 1,533
Re: ACK Tunneling Trojans

Paul? AckCmd is a relatively old demo (2000), it has been detected by TDS since its release -

Trojan Client\EditServer found: RAT.AckCmd 1.0 (Client)
File: t:\analyse\ackcmd\ackcmdc.exe

Positive identification: RAT.AckCmd 1.0
File: t:\analyse\ackcmd\ackcmds.exe

__________________
DiamondCS (Est. 1986) - Celebrating 20 Years ...
Home of Port Explorer, ProcessGuard, and check out all our other freeware security tools!
#8
February 26th, 2002, 01:00 AM
Zhen-Xjell
Security Expert
Join Date: Feb 2002
Location: Ohio
Posts: 1,397
Re: ACK Tunneling Trojans

Wayne, I have execution protection enabled on my system, and when I ran ackcmds.exe and ackcmdc.exe TDS-3 did not alert me. Why did it not alert me if it is in the database?
#9
February 26th, 2002, 01:28 AM
Wayne - DiamondCS
Security Expert
Join Date: Jul 2002
Location: Perth, Oz
Posts: 1,533
Re: ACK Tunneling Trojans

Not too sure Zhen, I just tested it here and it worked fine. I've just switched you over from Senior Member to Beta Tester at the private DCS forum so you'll be able to access the Beta Test forum there now - feel free to try our new kernel-level execution hook vs AckCmd.
There are some strange compatibility issues with the TDS3 execution hook as it uses several Microsoft components that unfortunately aren't friendly on all flavours of Windows at all times. It works fine for most people, but as we aren't in control of those Microsoft components we took the gamble to go into undocumented kernel territory to create our own hook. Mission now accomplished, but the general public won't be able to see it in action until the first release of TDS4/WG4.

As far as "ACK tunneling" goes, despite the age of Arne Vidstrom's report, ACKCmd is still the only demo or trojan that has ever used this technique so it's not something to lose sleep over, but I believe most firewall vendors addressed the issue back then when it was more of an issue, and it's more a firewall issue than an anti-trojan issue - the only thing making it different from any other trojan is how it sends packets on networks, and as such that side of it can only be handled by an IDS or firewall. As far as intercepting its execution before allowing it to execute, yes that's the job of anti-virus/anti-trojan software - execution protection, something which can't be handled by firewalls or IDS.

Best,
Wayne
#10
February 26th, 2002, 02:03 AM
Zhen-Xjell
Security Expert
Join Date: Feb 2002
Location: Ohio
Posts: 1,397
Re: ACK Tunneling Trojans

Thanks Wayne.. I'll jump into the beta forum tomorrow and try to run some tests.
#11
February 26th, 2002, 03:01 AM
UNICRON
Administrator
Join Date: Feb 2002
Location: Nanaimo BC Canada
Posts: 1,935
Re: ACK Tunneling Trojans

I downloaded that file, NOD32 crawled all over it. At this point, TDS-3 can't get to it because NOD32 already locked it. Amon wouldn't let me run it at all (caught it in the zip) so it doesn't really matter.

Regardless of which security program catches a file, it only needs to be caught once. It matters little to me which one it was. I am sure TDS-3 would have found it but I choose to try NOD32 first.

Point is, this ACK attack sh!t isn't likely to be successful on my machine, not with all this security stuff running.
__________________
Not every thing that can be counted counts, and not everything that counts can be counted.
#12
February 26th, 2002, 03:45 AM
Zhen-Xjell
Security Expert
Join Date: Feb 2002
Location: Ohio
Posts: 1,397
Re: ACK Tunneling Trojans

Yes, there is only one location I have set that AMON doesn't monitor at all. It is in the folder I place files like these for special testing. On another machine, AMON tagged it immediately. But on my protected directory machine, TDS-3 missed it.

I'll test later today using the beta.
Copyright ©2002 - 2009, Wilders Security Forums