Covering Tracks and Hiding

1
Covering Tracks and Hiding
2
In This Chapter

• Hiding evidence
• Altering log files
• Hidden files
• Practical covert channels

3
Intro

• Attacks happen
• See zone-h.com
• Some attackers want attention
• Recently, more stealthy attacks
• Silent attacks (botnets)
• Attacker must hide tracks

4
Altering Event Logs

• Even rootkits leave traces in log files
• With admin privilege
• Attacker could delete log files
• Probably a bad idea
• A better idea selectively edit logs
• How?

5
Logs in Windows

• EventLog is logging service
• Files ending with .LOG
• E.g., SECURITY, SYSTEM, APPLICATION
• This info moved to main event logs
• SECEVENT.EVT, SYSEVENT.EVT,
• The .EVT files read by admin using Windows Event
  Viewer

6
Windows Event Viewer
7
Windows Logs

• SECEVENT.EVT
• Failed logins, policy changes, attempts to access
  files without permission, etc.
• SYSEVENT.EVT
• E.g., details of driver failure
• APPEVENT.EVT
• Application-related issues

8
Windows Logs

• Altering event logs
• At minimum, must change SECEVENTs
• EVT files locked and binary format
• Cannot open/edit with usual tools
• With physical access
• boot to Linux and edit logs
• Not practical in most cases

9
Windows Logs

• Event editing tools
• None for XP (as of writing)
• Do exist for NT/2000
• WinZapper
• Attacker can selectively edit EVT files
• But, must reboot machine to restart EventLog
  service

10
WinZapper
11
UNIX Logging

• Log files usually in ASCII text
• With privilege, easy to edit
• Config file tells where log files located
• Attacker can locate files, and edit
• Also accounting files
• utmp, wtmp, lastlog
• Binary files, so harder to edit

12
UNIX Logging

• Tools to edit accounting files
• Many at www.packetstormsecurity.org
• Simple Nomad effect on many versions
• Others similar tools wtemped, marry, cloak,
  logwedit, wzap, zapper
• Accounting file editing tool is standard part of
  most rootkits

13
Shell History Files

• List of command line commands issued
• Attacker would like to edit this
• Files are in ASCII, easy to edit
• Can insert lines too
• Why might this be useful?
• Edit to shell file written to shell history
• When shell is exited gracefully
• How to get around this?

14
Defenses

• Activate logging
• Log according to some specified policy
• Periodically audit logging
• Allow plenty of space for logs
• Restrictive permissions on log files
• Use separate server for logging
• Logs redirected to logging server
• Not everything can be redirected

15
Defenses

• Encrypt log files
• Make log files append-only
• Little more than a speed bump
• Store logs on unalterable media
• E.g., non-rewritable CD/DVD

16
Hidden Files

• Why would attacker use hidden files?
• Store attack tools
• Save sniffed passwords, etc.
• What does hidden mean?
• Maybe just hard to find
• Or easily overlooked

17
Hidden Files

• In UNIX, prepend . to filename
• Use . followed by space(s)
• What the ?
• Other ideas?

18
Hidden Files in Windows

• Use hidden attribute
• Very lame

19
Hidden Files in Windows
20
Hidden Files in Windows

• Alternate Data Streams (ADS)
• Available in NTFS
• Multiple streams of data can be associated with a
  single file
• These streams can store any info
• Usual view is just one such stream
• Fairly effective means of hiding files

21
Defenses

• File integrity checking
• Host-based IDS
• In Windows, use ADS-aware tools
• CrucialADS, LADS, for example

22
Covert Channels

• Suppose attacker has
• Gotten access
• Installed evil code/tools
• Covered their tracks, etc.
• Attacker still needs to communicate
• How to do this without detection?
• Covert channel
• communication path not intended as such by
  systems designers

23
Covert Channels
24
Covert Channels

• In networked systems
• Covert channels are everywhere!
• When does a covert channel exist?
• Sender and receiver have a shared resource
• Sender able to vary property of resource that
  receiver can observe
• Communication between sender and receiver can be
  synchronized

25
Covert Channels

• Examples of covert channels?
• How to eliminate covert channels?
• Easy eliminate all communication and shared
  resources
• DoD gave up on eliminating covert channels
• Instead, try to reduce the capacity
• Does this solve the problem?
• Does it help?

26
Tunneling

• Q What is tunneling?
• A One protocol carries another
• E.g., SSH used to carry Telnet
• E.g., TCP/CP (RFC 1149 and RFC 2549)
• Tunneling used for covert channel
• We look at Loki, Reverse WWW Shell

27
Loki

• Suppose
• Attacker 0wns server
• Server network allows incoming ICMP
  (ping/traceroute)
• Loki pronounced low key
• Provides shell access over ICMP
• Better than TCP/UDP backdoors

28
Loki

• Trudy installs Loki server on server
• Lokid (low key dee)
• Must run as root
• Grabs incoming ICMP packets from kernel
• Trudy installs Loki client on her machine
• Data sent to Lokid using ICMP
• Under radar of most backdoor detection (Why?)
• ICMP has no concept of a port

29
Loki
30
Loki

• Optionally, uses UDP port 53
• Switch between ICMP/UDP on the fly
• Supports encryption
• Using Blowfish encryption
• Diffie-Hellman key exchange
• Other similar tools
• CCTT and MSNShell

31
Reverse WWW Shell

• Covert channel using HTTP
• Reverse WWW Shell installed on machine on network
• Every 60 seconds, it phones home
• I.e,. contacts external master server
• The reverse part it pulls in commands
• Looks like normal Web traffic

32
Reverse WWW Shell
33
Reverse WWW Shell

• Sometimes username/pwd required to access Web
• If known, Reverse WWW Shell can automate
• Note that other protocols could be used
• Reverse WWW Shell idea used by some legitimate
  software
• E.g., remote GUI access to machine
• See GoToMyPC.com

34
Covert Channels and Malware

• Consider spyware to steal passwords
• How to exfiltrate passwords?
• Piggyback on legitimate outbound traffic
• In Windows, IE is a natural choice
• HTTP/HTTPS
• Malware often designed as a Browser Helper Object
  (BHO) for IE

35
Headers as Covert Channels

• Lots of room for covert channels
• E.g., unused bits
• But possible to be more clever
• Tools
• Covert_TCP
• Nushu

36
IP TCP Headers
37
Covert_TCP

• Covert_TCP can make use of
• IP identification
• TCP sequence number
• TCP ACK number
• Lots of other possible covert channels
• Only 3 above used by Covert_TCP
• NAT or proxy will cause problems
• But IP ID may still work thru NAT

38
Covert_TCP

• IP identification
• Insert one ASCII character
• Read it at other end
• TCP sequence number
• Send SYN with ASCII character as initial sequence
  number
• Reply with RESET
• Ironically, RESET acts as ACK

39
Covert_TCP

• TCP ACK number
• Most sophisticated option
• Involves server (sender), client (receiver), and
  unwitting bounce server
• Data bounces off bounce server

40
Covert_TCP

• TCP ACK number
• Client send SYN packet to bounce server
• Source address spoofed to clients address
• ISN is one less than desired ASCII character
• Bounce server responds to client
• Either SYN ACK or RESET
• Either way, ISN incremented by 1
• Server recovers ASCII character (ISN)

41
Covert_TCP
42
Nushu

• Uses a passive covert channel
• Data sent from host to gateway
• Embeds info in other (real) packets
• Alters ISN to contain data
• Assumes attacker also controls gateway
• At gateway, read data from ISN and forward it
• How much data can be transferred?

43
Nushu
44
Nushu
45
Nushu
46
Nushu

• Implemented as Linux kernel module
• Creates issue with seq numbers
• Spse the good guys
• sniff packets on host
• and same packets elsewhere on LAN
• What anomaly will they see?

47
Defenses

• No effective defense against covert channels once
  attacker has access
• So, keep attackers out
• Secure configuration
• Apply patches
• Antivirus
• Monitor for BHOs in IE

48
Defenses

• Know what is normal
• Good luck!
• Network-based IDS
• Commercial Sourcefire Intrusion Sensors, ISS
  RealSecure, Cisco Secure IDS, Network Flight
  Recorder
• Freeware Snort

49
Conclusions
50
Summary