[SecTor Review] TCP/IP Perversion
SecTor Day #1
Speaker: Rares Stefan
Presentation (ppt)
Audio (wmv)
This was the first talk that I attended. Based on what I saw, it was the smallest of the three rooms, however I can't be sure as every talk I attended was in the same room. I rather enjoyed the intimate nature of the setting... a small, yet packed, room made for a great presentation environment (at least it did on the attendee side).
The subject was TCP/IP Perversion and the presenter was Rares Stefan, the Chief Security Architect at Third Brigade. The talk centered around inline drivers that could be placed low enough in the network stack that they could modify data being sent without the OS taking notice. The idea was focused around malware, but the demonstration slides made use of what I believe is internal Third Brigade software for testing/development (Note to any Third Brigade employees that read this: I'd love a chance to play with the software).
So here's an example of what was presented. You (192.168.1.100) fire up Wireshark and start sniffing, then you request a web page (Google.ca: 64.233.161.104):
Source: 192.168.1.100
Destination: 64.233.161.104
GET / HTTP/1.1
Host: www.google.ca
Connection: close
In Wireshark you see the request as you should; however, the sniffer on the hub you are connected to sees the following request:
Source: 192.168.1.100
Destination: 82.165.158.149
POST / HTTP/1.1
Host: www.computerdefense.org
Connection: close
Data that has been inserted.
Your sniffer, and therefore any HIPS/HIDS that you have, will not have noticed this change. To any device further down the network (IDS/IPS/Proxy) this is a completely valid request. The network device hasn't seen the original message and your computer hasn't seen the modified message.
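The detection angle that follows from this is to compare the host's own view with a capture taken off the hub or a network tap: if the two disagree for the same send, something below the host sniffer is rewriting traffic. The script below is an added example, not the talk's or Third Brigade's tooling; the two captures are constructed from the request shown above, and the pairing by ordinal position is an assumption (a real deployment would key on timestamps and TCP 4-tuples).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str      # source IP as seen in this capture
    dst: str      # destination IP as seen in this capture
    payload: str  # reassembled application-layer data (HTTP here), as text


# Constructed: what Wireshark running on 192.168.1.100 recorded for one send.
HOST_VIEW = [
    Request("192.168.1.100", "64.233.161.104",
            "GET / HTTP/1.1\r\nHost: www.google.ca\r\nConnection: close\r\n\r\n"),
]

# Constructed: what a sniffer on the hub recorded for that same send.
WIRE_VIEW = [
    Request("192.168.1.100", "82.165.158.149",
            "POST / HTTP/1.1\r\nHost: www.computerdefense.org\r\n"
            "Connection: close\r\n\r\nData that has been inserted."),
]


def http_summary(req: Request):
    """Return (method, Host header value) from a reassembled HTTP request."""
    lines = req.payload.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    host = next((l.split(":", 1)[1].strip()
                 for l in lines[1:] if l.lower().startswith("host:")), None)
    return method, host


def diff_views(host_view, wire_view):
    """Pair the n-th request the host believes it sent with the n-th request the
    wire saw, and report every field that differs. An empty list means the host
    and the network agree; any finding means traffic was altered below the host
    sniffer (assumes both captures cover the same window and source host)."""
    findings = []
    for i, (h, w) in enumerate(zip(host_view, wire_view)):
        changed = sorted(f for f in ("src", "dst", "payload")
                         if getattr(h, f) != getattr(w, f))
        if changed:
            findings.append({"index": i, "changed": changed,
                             "host": http_summary(h), "wire": http_summary(w)})
    if len(host_view) != len(wire_view):
        # Packets injected or dropped entirely show up as a count mismatch.
        findings.append({"index": min(len(host_view), len(wire_view)),
                         "changed": ["count"], "host": None, "wire": None})
    return findings
```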
This was demonstrated/discussed using pre-Vista Windows operating systems, but that doesn't mean Vista is immune to the same issues.
As I said in my SecTor Overview post, I had expected presentations that were quite a bit more technical. This presentation was actually great in that category... while the technical details weren't necessarily communicated, you could see what was happening in the debug window of the software used, and the actions taking place in those images were quite interesting to watch.
The concept of malware that could do this is frightening. If I remember correctly, it was mentioned that presently there isn't any malware taking these sorts of actions, but that doesn't mean that we won't see it in the future.
The talk ended up being a great way to start off Day #1, and struck me as a topic that I would love to delve deeper into.

Nice concept!