February 25, 2013

Proxy is transparent for malware

In this post I would like to break a myth for the people that know how to protect, but don't know how to attack. Proxy can be a good solution for performance, but not necessarily for security.

Proxy is good
  1. If a malicious user connects a computer to the network, then he might be limited in case the proxy requires authentication and protects against replay authentication attacks. 
  2. It is good for basic content filtering. 

Proxy is not enough
I would like to split the explanation to two scenarios - The first uses the framework's commands, while the second have direct access to windows API using non-frameworked language, e.g. C++.
First scenario:
Explanation
  1. In this scenario, the malware is based on Java/.NET. Therefore, It can access the methods of the frameworks in order to gain the proxy settings of Internet Explorer. e.g. in .NET, a malicious user is able to create WebClient that sends a request. Anyway, proxy settings are reflected from WebRequest.GetSystemProxy() method.
  2. The framework runs the code and calls the WinAPI in order to the the proxy settings. Note: this is invisible for the malware developer (black box).
  3. WinAPI returns the proxy settings.
  4. The framework returns the settings to the malware.
  5. The malware access to the proxy server as authorized user with the information that should be sent to the C&C. Since the malware have the IE settings, it uses the credentials to authenticate to the server exactly as IE does. Note: in order to reduce blocking by content filtering, the communication should be established over SSL.
  6. The C&C gets the information from the proxy server and responses. The Malware will be able to receive the response
Second scenario:


Explanation
  1. The malware creates WinAPI calls in order to get proxy configurations, e.g. WinHttpGetIEProxyConfigForCurrentUser (with few adjustments).
  2. The WinAPI updates the pointer that includes the proxy configurations.
  3. Exactly as step 5 in scenario 1 above.
  4. As step 6  in scenario 1 above.

Assumptions
  1. Antivirus does not recognize the Malware, e.g. by using thread timeouts, packers and all other cool stuff.
  2. Windows 8 does not allow to open network connections, unless it accepted in the UAC. Hence, an exploit or other way to gain higher privileges is required. 
  3. New JREs require re-authentication when accessing the internet.  

Acceptable solution
I don't think that the solution is unique, however, I would recommend to take into account the following actions:
  1. Install a sandbox solution that restricts access to proxy settings.
  2. Educate users to not allow unknown connections - java re-authentication request or windows UAC. (Sure... security awareness is only part of the solution...)
  3. All other action items to prevent malware infection.

20 comments:

  1. I browse your article and obtain vital data additionally if you've got any question concerning subjected topic
    access 1337x in UK

    ReplyDelete
  2. Your work is very simple art of work its really a helpful.
    access Mp3skull in UK

    ReplyDelete
  3. Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a .Net developer learn from .Net Training in Chennai. or learn thru ASP.NET Essential Training Online . Nowadays Dot Net has tons of job opportunities on various vertical industry.

    ReplyDelete
  4. System supervisors are additionally mindful of intermediaries and every famous proxy are blocked.proxy mexico

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. VPN is very convenient, but it is not necessary https://novavpn.com/blog/popcorn-time/ if you want remote clients to connect to you Linux or Unix server.

    ReplyDelete
  7. Despite the fact that Perth wrongdoing rates isn't high, it is dependably to better to put resources into security and ensure that you have thought about the safety of everybody and everything than being left sad and bellowing at last since you have underestimated that one need in a man's survival. Security.security camera system reviews

    ReplyDelete
  8. I am all that much satisfied with the substance you have specified. I needed to thank you for this extraordinary article.  Read the reviews

    ReplyDelete
  9. This is really great work. Thank you for sharing such a good and useful information here in the blog for students.  maggiori informazioni

    ReplyDelete
  10. I can set up my new idea from this post. It gives in depth information. Thanks for this valuable information for all,.. find out more

    ReplyDelete
  11. I would state, you do the genuinely amazing.This substance is made to a wonderful degree well. VPN

    ReplyDelete
  12. Wonderful article, thanks for putting this together! This is obviously one great post. Thanks for the valuable information and insights you have so provided here. get more privacy

    ReplyDelete
  13. Persons appreciate shopping for amazing, appealing, fascinating and from time to time attractive aromas for them selves and pertaining to others. This can be executed conveniently along with inexpensively in an on-line perfume shop. https://www.lemigliorivpn.com

    ReplyDelete
  14. Thanks for a very interesting blog. What else may I get that kind of info written in such a perfect approach? privacyonline.com.br

    ReplyDelete
  15. This article gives the light in which we can watch the truth. This is exceptionally decent one and gives indepth data. A debt of gratitude is in order for this decent article.  privacyenbescherming.nl

    ReplyDelete
  16. Thanks for sharing nice information with us. I like your post and all you share with us is up to date and quite informative, I would like to bookmark the page so I can come here again to read you, as you have done a wonderful job. privatnostonline

    ReplyDelete
  17. pleasant post, stay aware of this fascinating work. It truly regards realize that this subject is being secured likewise on this site so cheers for setting aside time to talk about this! https://internetprivatsphare.ch

    ReplyDelete
  18. Great post! I am actually getting ready to across this information, is very helpful my friend. Also great blog here with all of the valuable information you have. Keep up the good work you are doing here. vpn France

    ReplyDelete
  19. I appreciate several from the Information which has been composed, and especially the remarks posted I will visit once more.  vpn netflix

    ReplyDelete
  20. Check your availability by pinging a few Internet locales. In the event that that does not work, ping the loopback address 127.0.0.1. https://www.router-reset.com/how-clear-cache-ie11/

    ReplyDelete