

Created: Tuesday, December 4 2007 02:38.02 CST Modified: Tuesday, December 4 2007 03:31.04 CST
RDP Botnets : Malware Google Dorking - Not an Easy Task
Author: adityaks # Views: 9456

Concept Driven:
This post is a composite response to the earlier post on designing RDP botnets. The point made there is generic and nicely stated, and the technique works in a subtle way if you can get past certain reliability factors of the RDP protocol: opening a process to look for specific functions works fine. But building an RDP botnet by searching for targets is not as easy as stated. The practical reasons why this cannot be accomplished in one step, which have to be looked at carefully, are collected below:

1. Because of SEO (Search Engine Optimization), search queries are heavily filtered. Stringent filters have been applied to path-based queries involving characters such as "/" and "\". This was treated as a problem because Google previously let metacharacters through, so rogue queries could surface false results, including malware-related material. For more details:

Google Metacharacter Spamdexing Bug
The Cognitive Cause of Metacharacter Bug

This problem of searching for specific text is explained clearly in the documents above.

2. Finding targets on a local area network by simple scanning is quite easy, but finding that many targets at remote locations is not feasible, because the randomization factor is very high and centralising RDP targets is a tough task. Even in the honeypot analyses of botnets, the bots usually compromise organizational networks or small public networks with weak Windows machines. For more details you can check:

http://www.honeynet.org/papers/bots/

If you go through that document, the most exploited ports are listed. Port 3389 (Remote Desktop) has not been added or called out there as a significant threat where botnet design is concerned.

3. Most botnets spread through some kind of worm that further exploits Windows functionality. Penetrating networks is mostly a hard-headed process, and bot developers take everything into consideration when exploiting persistent vulnerabilities. Remote command and control is feasible only if interconnection between the nodes persists through exploited network components. RDP is remote-driven by nature, but network factors such as authentication, user access rights and privileges, and whether the RDP port is open at all still matter. Bringing all these factors together is a very hard process.

4. Malware behaves differently depending on the system state, i.e. the local subsystem versus the remote one. RDP "backward" access, from the remote host back into the connecting client, is not so specific that you can simply walk a path to find certain things: most of the time, when a remote client connects, a Windows subsystem process is started for the session and results in the Remote Desktop client. So the complexities in RDP are much greater, and traversing lots of web servers and systems specifically for an RDP issue is not easy.

GOOGLE DORKING : MALWARE RESPONSE
Let's look at practical proof of searching for web targets. Bypassing Google's filters is not as easy as the original post suggests, as stated above. Take, for example, searching for path-based strings:

1. "\\tsclient\C\DOCUME~1\Owner\LOCALS~1\Temp\_TS7.tmp\_TS1.tmp"
2. "\LOCALS~1\Temp\_TS7.tmp\_TS1.tmp"
3. "\C\DOCUME~1\Owner\LOCALS~1\Temp\"

Let's see what the intelligent search engine, Google, says:



So searching in a reliable way is not always possible. As advised above, search engines are now much more advanced and can trace virus-prone signatures and specific path searches on web servers. This clears up one of the points.

The Real State:
The issue is a security one. But not every issue presented in this way can be exploited as stringently, looking at its repercussions. No doubt the issue is of great concern: ports 139, 445 and 3389 are some of the finest ports for system compromise from a user-centric point of view. But the design of RDP botnets as such is not that specific, and the practical applicability is not easy to accomplish.

Your views are welcome for a more detailed discussion of this.

Regards
0kn0ck
http://www.secniche.org





Blog Comments
jms Posted: Tuesday, December 4 2007 09:52.40 CST
Not sure you really understand here, type this into Google:


ext:rdp rdp


Your above search is searching for a temporary file that could only reside on my machine at the time I wrote the blog entry. Sigh....seriously aditya.

adityaks Posted: Tuesday, December 4 2007 10:04.50 CST
No, I have clearly mentioned the security issue you have shown. I have taken it in quite well. But the way you talk about creating botnets through it is an issue of real understanding.

Even after running this stuff on Google:

http://www.liscon.at/wiki/index.php/Connection.0.rdp
http://www.btmon.com/file/license.rdp
http://fresh.t-systems-sfr.com/unix/src/privat2/shorewall-common-4.0.5.tgz:a/shorewall-common-4.0.5/macro.RDP

Some of the links I have pasted above. Still, how can one use this type of information to design botnets? I think this is really a sarcastic statement. As far as botnet design is concerned, it requires malformed resources and centralized commanding.

The motto of my post is to put an issue related to this in front of people, but botnet design based on RDP is not so easy.

Oh, seriously James, this concept requires understanding; that's why the issue has to be discussed. Maybe it would be a better layout if more were said on this issue.

It will be a more learning experience.

Cheers.



jms Posted: Tuesday, December 4 2007 12:18.03 CST
What?

phantal Posted: Tuesday, December 4 2007 12:37.53 CST
  I really hate how this site handles not being logged in.  Yet again, lost another long post.

  Anyway.

  The point jms is trying to make:

1) User accesses a remote site using RDP and shares access to their local drives.
2) Attacker has something running that watches for incoming connections using RDP.  If \\tsclient is ever mapped, it immediately copies a virus/rootkit to a location on the remote machine that is likely to be executed
3) This attack only requires that the user access the machine.  The attack has diddly squat to do with google.  If the attacker can get you to connect, it doesn't matter whether they used google indexing .rdp files or not.  Though jms tried to make it part of the focus of his post, the real point here (IMO) is: RDP gives an attacker another attack vector.

  Many businesses regularly use RD, Win2k3 Server, and Citrix for business needs.  I can't imagine it'd be hard to attack rdpclip.exe on a compromised machine to allow you to submit arbitrary requests to the remote machine in order to copy files from the remote to host machine, giving you the same attack in the opposite direction.  Using jms' example of overwriting files, just replace rdpclip.exe with a patched version -- though, this can be problematic.  XP and Vista keep a copy of sensitive files in a different location.  When files change they are compared against the original and replaced if they differ.  An attacker could just replace the backup, forcing the system to think the real one is a fake, but now I'm just going into semantics.

  I can think of one organization that would be in a lot of danger should this attack be used against them.  They have a worldwide [private] network with 10s of thousands of machines, and all support personnel (IT and phone support) use remote desktop on a regular basis instead of walking users through fixing things -- with a simple sequence that dictates the passwords for each machine.  Their remote sites are very insecure, regularly receiving as few as 10 or as many as hundreds of visitors, and on top of that the remote machines are easy to access.  An attack like this, particularly one that was capable of initiating its own remote desktop sessions (especially if executed using something like psexec, to hide the activity from the user), would spread like wildfire through their organization.

  Think of organizations where many employees use Citrix on a regular basis.  It would also spread like wildfire in their org.

  Finally, another attack vector is also opened up here: exploitation of running apps that monitor or use clipboard contents, and exploitation of printer drivers.

  RD defaults to giving access to clipboard & printers to the remote machine.  Older versions of RD don't have the ability to disable clipboard access, and I'm fairly certain the update to the latest version of RD doesn't come with the usual windows updates, they're only available on the windows update site as an optional update -- which most users won't do.  As a result, most people using RD won't have the ability to disable clipboard sharing to protect themselves.

  The update thing may have changed, but when I updated my RD clients, it was only optional.

-Brian
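To make the attack surface phantal lays out concrete (the \\tsclient drive share, the clipboard channel and printer-driver redirection, all controlled by the client's .rdp settings, and the `ext:rdp` files jms points at), here is an added example that is not part of the original post or thread. It is a small auditor for Remote Desktop connection files: it parses the `name:type:value` lines, reports which redirections are switched on, lists the fields that leak something to whoever finds the file, and writes a hardened copy. The setting names are the standard mstsc ones; the sample file and host name are constructed for this example and describe no real system.

```python
"""Audit a Remote Desktop (.rdp) connection file for the client-side
redirection settings that hand the *remote* host a path back into the
connecting machine: the \\tsclient drive share, the clipboard channel
and printer-driver redirection.

File format: one `name:type:value` setting per line, where type is
`s` (string), `i` (integer) or `b` (binary blob).  The setting names
below are the standard mstsc ones; the sample file is constructed for
this example and does not describe any real host.
"""

from typing import Dict, List, Tuple

# Redirection settings and the predicate that says "enabled" for each.
RISKY_SETTINGS = {
    "drivestoredirect":   lambda v: v.strip() != "",   # "*" or "C:;D:" -> \\tsclient\<drive> on the remote side
    "devicestoredirect":  lambda v: v.strip() != "",   # plug-and-play devices
    "redirectclipboard":  lambda v: v.strip() == "1",  # remote session can read/write the client clipboard
    "redirectprinters":   lambda v: v.strip() == "1",  # client printers (and their drivers) exposed to the session
    "redirectsmartcards": lambda v: v.strip() == "1",
}

# Values that switch each of the above off.
HARDENED_VALUES = {
    "drivestoredirect": "s:",
    "devicestoredirect": "s:",
    "redirectclipboard": "i:0",
    "redirectprinters": "i:0",
    "redirectsmartcards": "i:0",
}

# Fields that leak something to whoever finds the file with `ext:rdp`.
DISCLOSURE_FIELDS = ("full address", "username", "domain", "password 51", "alternate shell")


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {name: (type, value)}.  Names are case-insensitive, a later
    duplicate overrides an earlier one, and blank or malformed lines are
    skipped, mirroring how mstsc tolerates them."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue
        name, typ, value = parts
        settings[name.strip().lower()] = (typ, value)
    return settings


def enabled_redirections(text: str) -> List[str]:
    """Names of the redirection channels this file turns on."""
    settings = parse_rdp(text)
    return [name for name, is_on in RISKY_SETTINGS.items()
            if name in settings and is_on(settings[name][1])]


def disclosed_fields(text: str) -> List[str]:
    """Fields with a non-empty value that identify the target or the user."""
    settings = parse_rdp(text)
    return [f for f in DISCLOSURE_FIELDS if f in settings and settings[f][1].strip()]


def harden_rdp(text: str) -> str:
    """Rewrite the file with every redirection in HARDENED_VALUES switched
    off.  Other lines are kept in order; settings that were absent are
    appended explicitly rather than left to the client's defaults."""
    out, seen = [], set()
    for raw in text.splitlines():
        name = raw.split(":", 1)[0].strip().lower()
        if name in HARDENED_VALUES:
            out.append(f"{name}:{HARDENED_VALUES[name]}")
            seen.add(name)
        else:
            out.append(raw)
    out.extend(f"{n}:{v}" for n, v in HARDENED_VALUES.items() if n not in seen)
    return "\n".join(out) + "\n"


# Constructed sample resembling a helpdesk profile that might turn up via `ext:rdp`.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:ts.example.test
username:s:EXAMPLE\\helpdesk
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:0
authentication level:i:0
"""

if __name__ == "__main__":
    print("redirections on:", enabled_redirections(SAMPLE_RDP))
    print("disclosed      :", disclosed_fields(SAMPLE_RDP))
    print(harden_rdp(SAMPLE_RDP))
```

Run it as-is to see the sample flagged for drive, clipboard and printer redirection, or point `parse_rdp` at files found on your own shares. The hardened copy still names the target and user, so a leaked file stays a reconnaissance gift even once redirection is off; the point of the audit is only to make sure that connecting to a host you do not control cannot reach back into your machine.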

phantal Posted: Tuesday, December 4 2007 12:49.18 CST
  Oh, and one more thing.  When using shared printers, printer drivers get sent over the wire when using RDP.  If the drivers being sent are located on a compromised machine, it wouldn't be hard to add a printer driver with code designed to trigger actions to compromise a system, then add a printer that uses this driver.

-Brian

jms Posted: Tuesday, December 4 2007 13:12.44 CST
Yeah totally, you should add your first post to my thread and move off of this one. Anyone out there wanting to collaborate on a tool that intercepts all clipboard events and parses the trapped information looking for useful text? :)

adityaks Posted: Tuesday, December 4 2007 13:20.03 CST
Hi phantal

It's good and I totally agree with the point you have stated. The prime point is that generation of a new attack vector does not mean that infection can be carried out on a large scale as such. This is no doubt a security issue, but my point is about the generation of botnets as such; it is haywire with respect to RDP. Botnet creation needs different exploitation vectors.

So the stress is more towards BOTNET DESIGNING based on RDP. My talk revolves around this. The rest of what the issue states is there; I have mentioned it clearly in the post.

So overall a good discussion is going on. I want more core points to be scratched on this issue.


phantal Posted: Tuesday, December 4 2007 19:40.45 CST
  I disagree with you, though.  Certainly using google as the means of distributing the requisite drone software wouldn't be a good method of distribution, but this attack vector -- though only useful for niche targets -- could and would be a good way to distribute a worm.

  I'll grant you that distribution through remote desktop is limited, since it relies on people connecting to other machines and not noticing the infection before they infect someone else, but it would still be a feasible means of infecting a large network that heavily relies on remote desktop.

jms:

  If I had the free time, sounds fun.  I'm too busy with my new baby (makes 3 so far), school (3 upper div. math classes), and work (full time), but good luck, and be sure to post something about your findings.

-Brian

adityaks Posted: Tuesday, December 4 2007 21:24.05 CST
Well

Certainly I disagree with you a bit too over this. If the attack vector is randomized, it's hard to centralize it.

0kn0ck

c1de0x Posted: Wednesday, December 5 2007 01:12.12 CST
jms:
ping me about clipboard stuff... I'm always looking for new projects ;)


