April 2006 Issue
Covert Channels over ICMP: Still Crazy After All These Years
By Justin Bingham

Despite investments in attack detection and perimeter security, companies remain blind to an entire spectrum of techniques utilized to covertly control and move information across their networks. Sophisticated intruders are well versed in the capabilities and shortcomings of today's defense solutions, and use a toolkit filled with the techniques to evade detection by both the digital and human eye. They take care to keep their motives and actions secret, and perhaps the most effective technique in their suite for doing so is through the utilization of covert data channels. This article serves to outline the basic makeup, application, and detection of covert data channels over the Internet Control Message Protocol, as well as highlight the commercial inability to detect these channels, which underscores a greater problem in conventional security technology today.

A covert data channel is a mechanism for shuttling arbitrary bytes between two points in a fashion that would appear legitimate to someone scrutinizing the exchange. Covert channels manifest themselves in a varying assortment of protocols, frequently embedded in whichever is most common on the compromised network. Data transmitted over covert channels typically takes the form of backdoor control sessions or file transports. Channels have been observed not only inside of application layer protocols, but also in transport headers and application content. For example, steganography introduces the ability to embed arbitrary data inside of images and data fields. As far as application protocols go, DNS, HTTP, SMTP, and ICMP Echo ("ping") are the ones most commonly manipulated into covert transports.

ICMP as a Covert Transport
ICMP Echo Request/Reply traffic is some of the more frequent and presumably innocent traffic occurring on nearly all TCP/IP networks today. Network monitoring systems continually send out "ping" requests and field "pong" responses to validate that hosts are alive and responding. When a user can't connect to a given server, expect to see a ping attempt shortly thereafter as the initial phase of troubleshooting begins. This means most enterprise networks are awash not only in NMS-originated ICMP traffic but also in random, sporadic user-generated ICMP traffic. As a result, ICMP Echo makes for an excellent covert blanket, guaranteed to blend subtly in with its legitimate siblings.

The use of ICMP versus other protocol layers, such as TCP or UDP at the transport layer, provides several other significant advantages. All ICMP traffic is fielded by the kernel and delivered to any application that has elected to receive it. No ports are involved. As a result, a system that is being remotely controlled by ICMP will not show any listening ports when probed with a tool such as NMAP by Fyodor (www.insecure.org), and system tools such as Netstat won't show any established ICMP streams. Furthermore, since ICMP is stateless, there are significant challenges in analyzing the session a backdoor imposes across multiple echo-request/echo-reply pairs.

To facilitate analysis, network intrusion detection systems reassemble sessions by combining subsequent packets in a given stream. However, in the case of ICMP, keeping track of echo request/reply pairs -- many of which may never be returned -- on top of everything else can become a resource hog and opens the door to a denial of service against the sensor itself. Last but not least, ICMP is routinely shown an amount of leniency in gateway and host access control lists so administrators and NMS systems can make sure hosts are alive without having to be on the same network segment or physically at the console.

ICMP covert channels typically follow the general client/server model. The client delivers requests via ICMP Echo Request packets, and the server satisfies those requests in the form of ICMP Echo Responses. For example, the client would send "ls -al" (UNIX command for requesting a directory listing) to the server, and the server would produce a directory listing in response. The server discerns mal-requests from good ones based upon particular defining characteristics of the request, handling regular echo requests in normal fashion and divvying out the naughty stepchildren to their handler. Many implementations utilize user-land processes rather than kernel code, electing to receive ICMP interrupts from the kernel. Kernel-based servers, where the backdoor is injected into the kernel as opposed to running as a user-land process, are not uncommon and generally more discreet.

Identification of ICMP covert channels is difficult and generally time-consuming at best. Familiarity with network sniffing tools such as Ethereal Network Analyzer (www.ethereal.org) or TCPDump Network Analyzer (www.tcpdump.org) is a must. Initially it's important to trim down the analysis set, so limiting your efforts to ICMP traffic not originating or destined for your network monitoring system is helpful. From that set, look for traffic between hosts that is sporadic in nature. A continually even-spaced grouping of echo packets over time is a likely candidate for disqualification. At this point there should be a relatively small, or at least workable, set. Of these, analyze the contents. The majority of these tools do little if anything to disguise their payload. Observation of general command line data should be a good indicator of an ICMP Shell. Channels that disguise their payload present a greater challenge, although in practice these are rare.
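The triage procedure just described (filter out monitoring-system traffic, disqualify evenly spaced echo streams, then inspect the payloads of what remains for plain command-line text) as an added example. This is not code from the article or from Intrusic; it is a self-contained Python script that assumes the analyst already has raw ICMP messages (IP headers stripped) with timestamps and endpoint addresses, as a sniffer such as Ethereal or TCPDump would provide. All packets it processes are constructed sample data built inline, and the "looks like command text" heuristic and the 5% spacing tolerance are assumptions chosen for illustration.

```python
"""Heuristic triage of ICMP Echo traffic for covert-channel indicators.

Added example, not from the article.  Steps mirror the article's method:
  1. drop traffic to/from the network monitoring system (NMS),
  2. drop host pairs whose echoes are evenly spaced (steady polling),
  3. inspect remaining payloads for plain command-line text.
All packets below are constructed sample data, not real captures.
"""
import re
import statistics
import struct
from collections import defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP Echo Request/Reply message (header + payload) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(raw: bytes) -> dict:
    """Parse an ICMP message into its fields; a valid message checksums to zero."""
    if len(raw) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": raw[8:], "checksum_ok": icmp_checksum(raw) == 0}


# Payload patterns that standard ping tools emit (assumed, for illustration):
# Windows ping repeats the alphabet; iputils sends a timestamp plus a byte ramp.
_WINDOWS_PING = re.compile(rb"^(abcdefghijklmnopqrstuvwxyz)+abcdefghi$")
# Tokens typical of shell input or output: common commands, id(1) output, ls -l rows.
_SHELL_HINT = re.compile(
    rb"(^|\s)(ls|cat|id|uname|whoami|cd|pwd|ps|netstat)(\s|$)|uid=\d+|[dl-][rwx-]{9}\s")


def looks_like_command_text(payload: bytes) -> bool:
    """True if the payload reads like command-line input or output (heuristic)."""
    if not payload or _WINDOWS_PING.match(payload):
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if printable / len(payload) < 0.9:
        return False  # binary-looking, e.g. iputils timestamp + byte ramp
    return bool(_SHELL_HINT.search(payload))


def is_evenly_spaced(timestamps, tolerance=0.05) -> bool:
    """True if inter-packet gaps are nearly constant, i.e. NMS-style polling."""
    if len(timestamps) < 3:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean < tolerance


def triage(packets, nms_hosts):
    """packets: iterable of (time, src, dst, raw_icmp). Returns flagged host pairs."""
    by_pair = defaultdict(list)
    for ts, src, dst, raw in packets:
        if src in nms_hosts or dst in nms_hosts:
            continue  # step 1: monitoring-system traffic is out of scope
        msg = parse_echo(raw)
        if msg["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue
        by_pair[tuple(sorted((src, dst)))].append((ts, msg))
    findings = []
    for pair, msgs in by_pair.items():
        if is_evenly_spaced([ts for ts, _ in msgs]):
            continue  # step 2: steady polling, disqualify
        hits = [m for _, m in msgs if looks_like_command_text(m["payload"])]
        if hits:  # step 3: command text riding inside echo payloads
            findings.append({"pair": pair, "packets": len(msgs),
                             "suspicious": len(hits), "sample": hits[0]["payload"][:40]})
    return findings


def _linux_ping_payload(ts: int) -> bytes:
    """Constructed stand-in for an iputils ping payload: 8-byte time + 0x10..0x3f."""
    return struct.pack("!Q", ts) + bytes(range(0x10, 0x40))


# Constructed sample traffic (addresses and contents are made up).
NMS = "10.0.0.5"
SAMPLE_PACKETS = []
for i in range(4):  # NMS polling a server every 60 s
    SAMPLE_PACKETS.append((60.0 * i, NMS, "10.0.0.40",
                           build_echo(ICMP_ECHO_REQUEST, 0x1234, i, _linux_ping_payload(i))))
    SAMPLE_PACKETS.append((60.0 * i + 0.01, "10.0.0.40", NMS,
                           build_echo(ICMP_ECHO_REPLY, 0x1234, i, _linux_ping_payload(i))))
for i in range(5):  # a user's ordinary one-second ping run: evenly spaced, disqualified
    SAMPLE_PACKETS.append((100.0 + i, "10.0.0.31", "10.0.0.8",
                           build_echo(ICMP_ECHO_REQUEST, 0x0042, i, _linux_ping_payload(i))))
SAMPLE_PACKETS += [  # sporadic exchange carrying the article's "ls -al" style text
    (200.0, "10.0.0.23", "10.0.0.40", build_echo(ICMP_ECHO_REQUEST, 0x0BAD, 1, b"ls -al\n")),
    (200.3, "10.0.0.40", "10.0.0.23", build_echo(ICMP_ECHO_REPLY, 0x0BAD, 1,
                                                 b"total 12\ndrwxr-xr-x 2 root root 4096 .\n")),
    (237.9, "10.0.0.23", "10.0.0.40", build_echo(ICMP_ECHO_REQUEST, 0x0BAD, 2, b"id\n")),
    (238.1, "10.0.0.40", "10.0.0.23", build_echo(ICMP_ECHO_REPLY, 0x0BAD, 2,
                                                 b"uid=0(root) gid=0(root)\n")),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PACKETS, {NMS}):
        print(finding)
```

Run as-is, the script reports only the 10.0.0.23/10.0.0.40 pair: the NMS traffic is excluded up front, the one-second ping run is dropped for its regular spacing, and the remaining sporadic exchange carries payloads that match the command-text heuristic. A real deployment would feed `triage` from a capture parser and tune the token list and spacing tolerance to the local network; channels that disguise their payload would pass the text check and would need a different indicator, such as payload size or request/reply asymmetry.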

The use of ICMP Echo as a covert transport is by no means a new or revolutionary concept. Considering the general rate of technological advancement, this technique should fill a bedpan somewhere in a Malware Retirement Home. To this day, network intrusion detection has failed to produce a general and all encompassing method for detecting these and virtually all other covert channels, rendering them as useful as they were at the day of their inception into the intruder's toolkit.

This shortcoming is attributed to general NIDS architecture, which despite its name, was designed more for purposes of attack detection. Covert data channels occur post-attack in the compromise phase, and due to their versatile nature and inherent design, are relatively undetectable by conventional means. In other words, there is no general “covert channel signature” you can use to fingerprint these. Furthermore, network profiling is generally helpless since the attackers deliberately use channels common to the network so as to appear legitimate. Our networks are ultimately susceptible to a whole class of activity that conventional security technology has generally been at a loss to identify.

About the Author:
Justin Bingham is Chief Technology Officer of Intrusic, Inc. Intrusic solves the Insider Threat by tracking the fundamental changes between the network and its components. www.intrusic.com


© IMPIRE Communications, LLC All Rights Reserved.  
