Mirror ::Spamdoors::

This is a mirror of a document sent to various security mailing lists on 12 May 2003 from Vision Through Sound (echolation@hushmail.com) and is reproduced here with permission.
reznor::dot::com has nothing to do with the origination of this piece, technical accuracy, voided warranties, etc. You know the drill.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Release:  May 12, 2003

Spamdoors:  Using Spam As A Vector Of Back Door Communication
by Vision Through Sound 

I.	Introduction
II.	Back Doors
III.	Spam
IV.	Combining The Two
V.	Program Design
VI.	Prevention

I.	Introduction

This paper discusses the use of two existing problems, spam and back
doors.  Both problems have existed for some period, though the combination
of these two problems has not been immediately discussed.  This paper
documents a theoretical combination of two technologies, documenting
how these technologies could be used for nefarious purposes.

II.	Back Doors

Back door programs are nothing new.  Good back door programs provide
a stealthy means of unauthorized remote access to systems that have been
compromised.  A good back door program also provides a means of communication
that is obscured from the watchful eye of intrusion detection systems,
 and easily circumvents firewall systems.

The majority of these programs require a combination of factors.  One
such factor is poor security practices, such as the habitual assignment
of administrative privileges to regular users.  Inadequate software,
such as a lack of anti-virus, or anti-virus software that is poorly maintained
and not current on signatures, also plays a role.  When combined with
insecure practices such as the execution of programs from untrusted sources
and infrequent patching of systems, an attacker can very easily gain
access to the private systems of home and business users alike.

There are several good papers available on back door programs.  For more
information on back door programs, see available papers from your favorite
anti-virus vendor.

III.	Spam

Anybody that has used the Internet in the last ten years is familiar
with spam.  The fight against preventing spam is an arms race, with anti-
spam and spammers moving pawns in a never-ending game of chess.  With
each move by one side in the spam war, a counter-move of equal or greater
strategy is made from the opposing side.

Several methods are commonly employed by the anti-spam community with
questionable results and effects.  Of these, the most useful postures
seem to be the use of blacklists and Bayesian filtering.  These two types
of spam filtering work on different premises and in spite of their well
thought-out methodologies, are not one-hundred percent effective.

Blacklists are typically the result of subjective analysis of spam by
mail users.  When spam is received by a user, the user sends this mail
to a spam collection facility which analyzes it, then adds the origin
system to the list of hosts that are black holed.  The black hole list
is typically created using the DNS information or IP address of the mail
server, and disseminated to all systems that receive the blacklist.

Bayesian filters are designed to mathematically evaluate email to determine
the probability of it being spam.  Bayesian filters are built off of
the theories of probability first employed by Reverend Thomas Bayes,
an English Presbyterian minister and mathematician who was responsible
for the Bayes Theorem.  The principle of the theorem is to take existing
knowledge, and from the existing knowledge evaluate whether or not we
should change our beliefs in light of new information.  This theorem
is applied to email to determine whether or not the contents of the email
is in fact spam, based on words and content that is commonly associated
with spam.

IV.	Combining The Two

Until this point, spam and back doors posed separate problems independent
of one another.  However, a point comes where two separate technologies
merge to provide a new, enhanced, improved method of providing the resource
that previously existing technologies only marginally filled.  This is
the case of merging spam with back door programs.

As previously mentioned, back door programs require some means of remote
communication that allows an attacker to carry out instructions through
the back door, and thus through the compromised system.  Communicating
with the back door program presents a different set of obstacles that
must be overcome.  These obstacles are creating sufficiently undetectable
remote communication, and covert remote communication that cannot be
easily blocked.

Remotely communicating with a back door is, at best, easily detectable.
 Primitive back door programs typically use the metaphoric equivalent
of signal flares and marching bands when client-server communications
occur.  Communication is often clear-text, and using an easily identified
protocol and unauthorized ports, all of which are easily detected by
even the most basic of intrusion detection systems.  More advanced back
doors communicate via encrypted sessions, but are still at risk of easy
detection due to the oddity of encrypted traffic flying around the network
between a remote host and local system on ports that are not known to
communicate through such means.

Even in the event of a sound means of covert communication, it is often
difficult, if not impossible, to keep communication with the compromised
host.  This is due to the fact that most means of remote communication
with back door software can be easily tracked and blocked with sufficient
ingress and egress filtering at network boundaries, and stateful traffic
inspection policies implemented at network firewalls.  Covert communication
channels such as those implemented by the first generation of tools such
as Loki, which used a protocol to obscure detection and circumvent traffic
filtering, are now obsolete as roughly all such channels are filtered,
 analyzed by intrusion detection systems, and blocked due to potential
security implications.

Creating a back door system that uses spam for covert communication is
ideal for a number of reasons.  First, the spam problem has reached epidemic
proportions.  Estimates place spam in the range of forty to sixty percent
of all email traffic handled by enterprise networks.  The sheer volume
makes it possible to take advantage of the vector to pass traffic that
appears to be no more suspicious in nature than the norm.

Back door communication via spam also has the benefit of being difficult
to detect because of the means of delivery.  By using keyword or phrase-
based communication with the back door system, the email appears to be
ordinary spam.  This text can be varied by attacker specification.  This
makes detection via standard intrusion detection methods virtually impossible.
 When network anomaly detection matures to the point of being able to
identify abnormal network activity, this means of communication will
still be capable of subverting detection due to the nature of normal
email transactions.

Spam also has the added benefit of being difficult to block because it
uses a well-established mode of transport and widely accepted protocol.
 As previously stated, no means of blocking spam is 100% accurate or
effective.  The only means of completely mitigating the risk of back
door communication through spam would be to prohibit email entirely.

V.	Program Design

a.	Communications Vector

Creating a back door program that uses spam as a communication channel
requires a few deviations from standard back doors to create a successful,
 working model.  The design can be broken into two top-level categories,
 which are communications monitoring, and communications protocol.  Communications
monitoring can be thought of on both the client and server mail systems
as separate topics.  The separation exists because of the different requirements
of each of these types of systems.

One key component of the back door common to all back doors is the communications
monitoring system.  There are a few different methods communications
could be monitored.  Of them, there are the ideas of using a process
that monitors the network interface for incoming and outgoing SMTP requests.
 This approach has the benefit of being able to see email as it arrives
to the system, and being applicable to both the client and server environment.
 This design also circumvents the need to create code designed to monitor
specific mail implementations at a higher level than RFC-specified protocol.
 However, it also has the drawback of being extremely resource-intensive.

The next design of monitoring devised is the parasitic process-type;
a process that attaches to and monitors mail transport and mail user
agents.  This design has the benefit of being able to piggy-back on other
mail software processes when started.  The code requirements would be
much more esoteric, and while having the benefit of again being able
to monitor mail as it arrives, would sacrifice portability across platforms.
 Additionally, coding requirements would be much more intensive, as well
as error-prone.

The choice design of communications monitoring would seem to be mail
file monitoring.  This design has the lowest common denominator among
clients and servers alike, as the majority of email stored on clients
and servers is in one of a few common formats.  Additionally, it requires
far less in terms of resources to monitor plain text files.  The drawback
is that it does not offer the ability to monitor email at one point,
such as a network interface.  Also, it does not offer the simplicity
of monitoring one protocol such as SMTP, which can be applied across
multiple platforms with the maximum of portability.

In the client configuration, UNIX systems store mail in a few common
formats.  Two of the more frequently used formats are mbox, or mail box
format, and mail directory format, or maildir.  The mbox mail spool format
is also used by clients on other platforms, such as Netscape on Microsoft
Windows.  Outlook uses the Personal Folders (pst) format.

In the server configuration, again we see the same type of spooling.
 The same types of spooling exist in most UNIX mail servers, such as
sendmail, postfix, and exim.  The qmail mail transport agent differs
in that is capable of using maildir, though it can also be configured
to use mbox.  These formats are common with mail transport agents on
the Microsoft Windows platform, also.

As we can see, the method selected is a convergence of common denominators
across platforms and architectures.

b.	Communications Protocol

Communication between the client and server through spam can be tricky.
 Communication between these two hosts is generally blind, which is to
say a one-way communication protocol.  Commands sent to the back door
do not generate a response to notify the administrator of successful
receipt, though it may be possible to create a delayed confirmation mechanism
through a means such as file downloads.  However, this means should not
be used, or at least not used frequently, as it is likely to be noticed
as a network anomaly an arouse suspicion.

This policy, though it creates a communication vacuum, is also best for
maintaining the back door.  Confirmation of command receipt is information
leakage that could easily be identified by intrusion detection, or other
monitoring software.  This could lead to discovery of the back door.

c.	Basic Command Functionality

Basic command functionality of the back door program is of importance
of a magnitude equal to or greater than that of the stealth of communication.
 The command set should be simple to provide the most ease of use.  However,
 if the back door is to be of any use, it must be robust enough to provide
a set of commands, or the ability to add command sets that can give the
remote attacker the ability to control the back door and perform desired
activities.

The basic command set should consist minimally of four commands:

1. Download file.
2. Reconfigure.
3. Execute command.
4. Shut down.

The file download feature allows the program to gain access to modules
through the specified download protocol.  This protocol can be configured
on the back door side, but is probably best if configured using HTTP.
 This may allow delivery of executable module code through a vector such
as an image using a concealment tactic such as steganography, and making
the retrieval of the module code appear to be no more anomalous than
a valid web request.

The reconfigure command reloads the back door configuration.  The configuration
is contained in modular code, with each module added giving additional
configuration information to the back door program.  The reconfigure
reloads the modules into the running back door program, and creates a
list of the available commands internally.

The command execution functionality is relatively straightforward.  As
mentioned previously, expanded command functionality is made possible
by modules inserted into the running program.  Commands executed through
the back door are carried out by first an execute instruction, then an
argument to the execution instruction that invokes the desired functionality
within the program.  The functionality is contained within the loaded
command modules.

The shut down command is self-explanatory.  More information about the
interpretation of commands and the method through which commands are
interpreted is discussed in section 5d.

c.	Authentication

The ability of the program to successfully interpret spam with the minimum
of false command interpretation is imperative.  False command interpretation
could lead not only to the back door program performing an unintended
action on behalf of another spam sender, but could lead to the exposure
of the back door program.  At the same time, embedding commands in spam
for the back door program to carry out requires stealth in application.

The possibility of false positive requires that a back door using spam
implement some means of rudimentary authentication protocol.  To design
such a system, we can use two points of reference to create the schema.
 These points of reference are the United States Military challenge and
pass phrasing, and Nigerian 419 scam emails.

When the military goes to the field, sentries are placed at the borders
of the encampment to filter traffic.  These checkpoints are typically
manned by well-armed soldiers, capable of raining down hell on unwelcome
guests.  Additionally, these soldiers typically are in communication
with the Battle Operations Center, or BOC, through either field telephone
or radio.  Upon approaching one of these checkpoints, the challenge phrase
and pass phrase are used.  However, these are in the form of a sentence.

For example, suppose that the challenge word is "Carolina," and the password
is "Panthers."  Upon approaching a sentry, the sentry would issue a challenge
phrase such as "Boy, the Carolina mosquitoes and sun make the swamp unbearable."
 Upon hearing the challenge phrase, the approaching person with knowledge
of the challenge phrase would recognize this individual as a valid sentry,
 and would issue a phrase with the password such as, "Yeah, and I think
the Panthers in Charlotte should move to the state capitol Raleigh."
 This response will tell the sentry that this person knows the password,
 and is permitted to pass.

Nigerian 419 scam email is a common form of spam.  The frequency of receipt
makes these emails a perfect means of communication because of the structure,
 and though communication could be carried out using a different type
of email construction, we will use this type as an example for the rest
of this paper.  Each email typically contains the same content, such
as an apology for emailing one out of the clear blue, an introduction
to who the person is, why the person is emailing you, who their dead
rich relative is, some promise of a percentage of some astronomical amount
of money that belonged to this dead relative, and steps that the recipient
of the email must take to claim their stake in this enticing opportunity.

Below is an example of such a spam:

Date: Thu, 08 May 2003 14:47:50 +0200
From: BASHER MOBUTU 
Reply-To: bashermobutu00@fake.domain
Subject: ASSISTANCE NEEDED

Dear Sir,
You may be surprise to receive this email since you do not know me.
I am the son of the late president of Democratic Republic Of Zaire, President
Mobutu Sese Seko, ( now The Republic of Congo, under the leadership of
the son of Mr. Laurent Kabila).  I presume you are aware there is a financial
dispute between my family ( THEMOBUTUS ) and the present civilian Government.
This is based on what they believe as bad and corrupt governance on my
late father's part. May his soul rest in perfect peace. As you might
have heard how a lot of my father's bank account in Switzerland and North
America have been frozen. Following the above named reasons, I am soliciting
for your humble and confidential assistance to take custody of THIRTY
Million United States Dollars ( US$30,000,000.00 ), also to front for
me in the areas of business you desire profitable.

These funds have secretly been deposited into a confidential Security
Company, where it can easily be withdrawn or paid to a recommended beneficiary.
The funds will be released to you by the Security Company, based on my
recommendations, on that note, you will be presented as my partner who
will be fronting for me and my family in any subsequent ventures. Myself
and my mother have decided to give 20% to you if you are able to help
us claim this consignment. We have also decided to give you any money
spent on phone calls or traveling expenses in the course of this transaction
at the end of the transaction. Please, I need your entire support and
co-operation for the success of this transaction, your utmost confidentiality
and secrecy is highly required, due to my family's present predicament.

I sincerely will appreciate your willingness to assist us as soon as
possible. I am presently in the refugee camp here in the Netherlands
under the united nations refugee camp in Netherlands.All correspondence
must be by the email address bashermobutu@fake.domain I will give you
my Telephone number where you can contact me when I hear from you.for
more information on how we can proceed in this transaction. Please indicate
your interest by sending your telephone and fax number. I sincerely will
appreciate your acknowledgement as soon as possible.

Warmest regards,
Basher Mobutu Sese-Seko

Using a modified form of challenge word-password authentication, we could
present our authentication credentials in the email.  The spam obviously
must be readable and comprehendible to not arouse the suspicion of the
recipient or any parties monitoring communication between the sender
and receiver.

The easiest method for embedding authentication information is to design
the back door to parse the same location of incoming email for authentication
information.  As mentioned before in our summary of Nigerian 419 scam
email, this is usually the second thing mentioned in the spam.  Therefore,
 we could design our back door to search the second sentence, and compare
the contents of the text against an authentication database created for
the back door.

Authentication information could be stored in the form of MD5 hash groups
stored in an additional module.  A minimum of two hashes could be used,
 with three or more hashes grouped together to offer enhanced security.
 Storing hashes in this format makes it easy to remotely change authentication
information, as the process could simply store them in the new module.

When an incoming email is detected, the back door could simply parse
the expected location for each hash individually, and upon successful
discovery of all required hashes for authentication, determine that the
spam is intended to convey communication for the back door.  Additionally,
 there should be multiple challenge word and password pairs used in the
event that string-based blocking is performed on the client side.  A
long list of authentication credentials using several names and keyword
sets to perform authentication with the back door program prevents the
emails from presenting the same authentication credentials consistently.
 This acts as a stealthy means of authentication, and is less likely
to raise the suspicion of users of the compromised system.

d.	Command Interpretation

Spam that has been verified by the back door next must use some means
of command interpretation.  The command interpretation engine first should
be capable of being configured to search incoming spam for commands dynamically.
 Handling of command interpretation could be implemented modularly, allowing
the changing of command structure and interpretation to be reconfigured
on the fly.

Command interpretation should consist of parsing a section of the email
for commands based on hashes.  These hashes are saved in modules loaded
by the back door, and each hash corresponds to a command designed by
the administrator to be carried out by the back door.

For example, the MD5 hash of a sentence such as the following:

"Myself and my mother have decided to give 20% to you if you are able
to help us claim this consignment."

equates to 1dbfee3f4e008dffe0e1fe5e3da6ae86.  Upon parsing this hash
in the mail, this would instruct the back door to perform the command
associated with this hash.

This functionality could also be extended to take portions of the email
as arguments to the commands.  For example, in the situation of desiring
to download a module that provides additional functionality or configuration
to the code, the basic back door command functionality would be able
to recognize the hash of a sentence as a command, and parse the next
sentence for the Internet Address from which to download the new data.
 This data could come in the form of executable code contained within
an image on a web page, which the back door downloads in what looks like
a legitimate request for web resources.

VI.	Prevention

At this point in time, there is little that can be done to prevent spam.
 However, the pre-requisite of placing the back door still exists, which
can, to some extent, be prevented.

Preventing back door placement involves adhering to security industry
best practices.  Some measures that may be beneficial in preventing these
types of back doors from being successfully placed include:

1. Apply security patches to systems in a timely manner.
2. Design networks with security in mind, using DMZs and private networks
with sufficiently strict firewall rule policies.
3. Use network intrusion detection to identify unusual and potentially
dangerous network traffic.
4. Use proxy systems including mail and web gateways that prevent unauthorized
file types from entering networks.
5. Conduct regular security training with staff.

Thank you to all who offered their input on this paper:  you know who
you are.  Working proof of concept code will not be released; don't even
bother asking.

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wl8EARECAB8FAj6/1DQYHGVjaG9sYXRpb25AaHVzaG1haWwuY29tAAoJEKkDTWJ4ilQt
V6wAn1fjRYgZuNb4kbrXMrxMTVRTIQeyAKCl15trDhlt45mrMA+Q9dQoRMbc1Q==
=9otL
-----END PGP SIGNATURE-----