Written by Chul Hyun Park - HAURI Virus Lab.

1. What is the Installation Guide System?

Installation Guide System is a solution to support batch installing of software, Windows Security Patch and Virus Vaccine program to all PC or selected PC. Typically, enterprises use group ware programs for general task and Anti-Virus programs for security matters; however, managing all those software and installing/deploying/updating the programs by administrator is somewhat difficult.

Due to these difficulties, Installation Guide System has been required to be developed. Through the system, administrator can deploy the selected programs by following the policy and install/deploy the programs to a selected PC.


2. How to work the Installation Guide System?

The basic work principle of Installation Guide System is based on hacking technology. During the normal communication, Installation Guide System cannot be worked, because it works by session hijacking.

Session hijacking refers to the created two terminals by protocol and hijacking attack for maintained sessions. TCP session hijacking is a sequence number used attack for ensuring connection trust, thus it is available to hijack almost all TCP used sessions like Telnet, FTP, HTTP, and etc.

2-1. TCP session hijacking

[PIC 1] TCP session hijacking attack sequence

Attack sequence

(1) Client and server have a session.
(2) Attacker forges packets from Client and sends RST to server.
(3) Temporary server status turns to CLOSED.
(4) For blocking Client's any attempt of connection to server, attacker can block the session by using RST/FIN.
(5) Attacker sends SYN message to server. Server gives a response by using SYN/ACK.
(6) Attacker sends ACK for response of SYN/ACK, and the renewed session between attacker and server is created.

3. Composition of Installation Guide System

Installation Guide System's operating environment could be different by network, but the basic installation type without network composition change is like below picture.


[PIC 2] Basic Installation Type without network composition change

For monitoring communication between PC and external webserver, administrator installs the Installation Guide System to switch's mirroring port. After all, Installation Guide System does scan web traffic, and analyze webpage request from the PC to external webserver, then hijacking server session. Installation Guide System that connected with PC session reproduces data for accessing to S/W deploy webserver, and sends them to PC. The PC receives the reproduced data, and user's web browser shows S/W deploy webserver's deploy page instead of external webserver's page.

5. Conclusion

So far, we've learned about Installation Guide System by using Session Hijacking which is one of the hacking technologies. Originally session hijacking technology was performed for hacking, but as a security aspect, it was applied to administrator's easy software deployment, then finally Installation Guide System was developed.

By using the Installation Guide System, software internal deployment, periodic software update, urgent Windows Security patch, Anti-Virus solution & security program installation can be installed easily. Installation Guide System is essential for applying fast security update and deploying programs.