Covering Tracks and Hiding - PowerPoint PPT Presentation

Slides: 51
Provided by: marks9
Learn more at: http://www.cs.sjsu.edu

Transcript and Presenter's Notes

1
Covering Tracks and Hiding
2
In This Chapter
  • Hiding evidence
  • Altering log files
  • Hidden files
  • Practical covert channels

3
Intro
  • Attacks happen
  • See zone-h.com
  • Some attackers want attention
  • Recently, more stealthy attacks
  • Silent attacks (botnets)
  • Attacker must hide tracks

4
Altering Event Logs
  • Even rootkits leave traces in log files
  • With admin privilege
  • Attacker could delete log files
  • Probably a bad idea
  • A better idea: selectively edit logs
  • How?

5
Logs in Windows
  • EventLog is logging service
  • Files ending with .LOG
  • E.g., SECURITY, SYSTEM, APPLICATION
  • This info moved to main event logs
  • SECEVENT.EVT, SYSEVENT.EVT, APPEVENT.EVT
  • The .EVT files read by admin using Windows Event
    Viewer

6
Windows Event Viewer
7
Windows Logs
  • SECEVENT.EVT
  • Failed logins, policy changes, attempts to access
    files without permission, etc.
  • SYSEVENT.EVT
  • E.g., details of driver failure
  • APPEVENT.EVT
  • Application-related issues

8
Windows Logs
  • Altering event logs
  • At minimum, must change SECEVENTs
  • EVT files locked and binary format
  • Cannot open/edit with usual tools
  • With physical access
  • boot to Linux and edit logs
  • Not practical in most cases

9
Windows Logs
  • Event editing tools
  • None for XP (as of writing)
  • Do exist for NT/2000
  • WinZapper
  • Attacker can selectively edit EVT files
  • But, must reboot machine to restart EventLog
    service

10
WinZapper
11
UNIX Logging
  • Log files usually in ASCII text
  • With privilege, easy to edit
  • Config file tells where log files located
  • Attacker can locate files, and edit
  • Also accounting files
  • utmp, wtmp, lastlog
  • Binary files, so harder to edit

12
UNIX Logging
  • Tools to edit accounting files
  • Many at www.packetstormsecurity.org
  • Simple Nomad's tools: effective on many versions
  • Other similar tools: wtemped, marry, cloak,
    logwedit, wzap, zapper
  • Accounting file editing tool is standard part of
    most rootkits
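As an added illustration (not part of the slides) of why the binary accounting files matter to a defender: a parser for Linux wtmp records that flags the all-zero holes a zapping tool typically leaves where an entry used to be. It assumes the glibc x86_64 record layout, and the zeroed-record check is a heuristic, not a property of every editing tool.

```python
"""Parse a Linux wtmp file and flag records that look zapped.
Added example; assumes the glibc x86_64 utmp layout (384-byte records)
and uses 'all-zero record' as the heuristic for a removed entry."""
import struct

UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")   # glibc x86_64 layout
USER_PROCESS, DEAD_PROCESS = 7, 8


def _cstr(b):
    """NUL-terminated fixed-width field to str."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Yield (index, type, pid, line, user, host, tv_sec) per record."""
    for i in range(len(data) // UTMP.size):
        f = UTMP.unpack_from(data, i * UTMP.size)
        yield (i, f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9])


def find_zapped(data):
    """Indices of all-zero records: a hole where an entry used to be."""
    zero = bytes(UTMP.size)
    return [i for i in range(len(data) // UTMP.size)
            if data[i * UTMP.size:(i + 1) * UTMP.size] == zero]


def make_record(ut_type, pid, line, user, host, ts):
    """Build one record; used only to construct the sample input below."""
    return UTMP.pack(ut_type, pid, line.encode(), b"ts/0", user.encode(),
                     host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


# Constructed sample: a login and its logout, with a zeroed record between.
SAMPLE = (make_record(USER_PROCESS, 1201, "pts/0", "alice", "10.1.2.3", 1700000000)
          + bytes(UTMP.size)
          + make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1700003600))

if __name__ == "__main__":
    for rec in parse_wtmp(SAMPLE):
        print(rec)
    print("zapped records at:", find_zapped(SAMPLE))
```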

13
Shell History Files
  • List of command line commands issued
  • Attacker would like to edit this
  • Files are in ASCII, easy to edit
  • Can insert lines too
  • Why might this be useful?
  • Edits to the history file are themselves written to
    the shell history
  • When the shell is exited gracefully
  • How to get around this?

14
Defenses
  • Activate logging
  • Log according to some specified policy
  • Periodically audit logging
  • Allow plenty of space for logs
  • Restrictive permissions on log files
  • Use separate server for logging
  • Logs redirected to logging server
  • Not everything can be redirected

15
Defenses
  • Encrypt log files
  • Make log files append-only
  • Little more than a speed bump
  • Store logs on unalterable media
  • E.g., non-rewritable CD/DVD

16
Hidden Files
  • Why would attacker use hidden files?
  • Store attack tools
  • Save sniffed passwords, etc.
  • What does hidden mean?
  • Maybe just hard to find
  • Or easily overlooked

17
Hidden Files
  • In UNIX, prepend . to filename
  • Use . followed by space(s)
  • What the ?
  • Other ideas?

18
Hidden Files in Windows
  • Use hidden attribute
  • Very lame

19
Hidden Files in Windows
20
Hidden Files in Windows
  • Alternate Data Streams (ADS)
  • Available in NTFS
  • Multiple streams of data can be associated with a
    single file
  • These streams can store any info
  • Usual view is just one such stream
  • Fairly effective means of hiding files

21
Defenses
  • File integrity checking
  • Host-based IDS
  • In Windows, use ADS-aware tools
  • CrucialADS, LADS, for example

22
Covert Channels
  • Suppose attacker has
  • Gotten access
  • Installed evil code/tools
  • Covered their tracks, etc.
  • Attacker still needs to communicate
  • How to do this without detection?
  • Covert channel
  • A communication path not intended as such by the
    system's designers

23
Covert Channels
24
Covert Channels
  • In networked systems
  • Covert channels are everywhere!
  • When does a covert channel exist?
  • Sender and receiver have a shared resource
  • Sender able to vary property of resource that
    receiver can observe
  • Communication between sender and receiver can be
    synchronized

25
Covert Channels
  • Examples of covert channels?
  • How to eliminate covert channels?
  • Easy: eliminate all communication and shared
    resources
  • DoD gave up on eliminating covert channels
  • Instead, try to reduce the capacity
  • Does this solve the problem?
  • Does it help?

26
Tunneling
  • Q: What is tunneling?
  • A: One protocol carries another
  • E.g., SSH used to carry Telnet
  • E.g., TCP/CP (RFC 1149 and RFC 2549)
  • Tunneling used for covert channel
  • We look at Loki, Reverse WWW Shell

27
Loki
  • Suppose
  • Attacker 0wns server
  • Server network allows incoming ICMP
    (ping/traceroute)
  • Loki (pronounced "low key")
  • Provides shell access over ICMP
  • Better than TCP/UDP backdoors

28
Loki
  • Trudy installs Loki server on server
  • Lokid (pronounced "low key dee")
  • Must run as root
  • Grabs incoming ICMP packets from kernel
  • Trudy installs Loki client on her machine
  • Data sent to Lokid using ICMP
  • Under the radar of most backdoor detection (Why?)
  • ICMP has no concept of a port

29
Loki
30
Loki
  • Optionally, uses UDP port 53
  • Switch between ICMP/UDP on the fly
  • Supports encryption
  • Using Blowfish encryption
  • Diffie-Hellman key exchange
  • Other similar tools
  • CCTT and MSNShell

31
Reverse WWW Shell
  • Covert channel using HTTP
  • Reverse WWW Shell installed on machine on network
  • Every 60 seconds, it phones home
  • I.e., contacts an external master server
  • The "reverse" part: it pulls in commands
  • Looks like normal Web traffic

32
Reverse WWW Shell
33
Reverse WWW Shell
  • Sometimes username/password required to access the Web
  • If known, Reverse WWW Shell can automate
  • Note that other protocols could be used
  • Reverse WWW Shell idea used by some legitimate
    software
  • E.g., remote GUI access to machine
  • See GoToMyPC.com

34
Covert Channels and Malware
  • Consider spyware to steal passwords
  • How to exfiltrate passwords?
  • Piggyback on legitimate outbound traffic
  • In Windows, IE is a natural choice
  • HTTP/HTTPS
  • Malware often designed as a Browser Helper Object
    (BHO) for IE

35
Headers as Covert Channels
  • Lots of room for covert channels
  • E.g., unused bits
  • But possible to be more clever
  • Tools
  • Covert_TCP
  • Nushu

36
IP TCP Headers
37
Covert_TCP
  • Covert_TCP can make use of
  • IP identification
  • TCP sequence number
  • TCP ACK number
  • Lots of other possible covert channels
  • Only 3 above used by Covert_TCP
  • NAT or proxy will cause problems
  • But IP ID may still work through NAT

38
Covert_TCP
  • IP identification
  • Insert one ASCII character
  • Read it at other end
  • TCP sequence number
  • Send SYN with ASCII character as initial sequence
    number
  • Reply with RESET
  • Ironically, RESET acts as ACK

39
Covert_TCP
  • TCP ACK number
  • Most sophisticated option
  • Involves server (sender), client (receiver), and
    unwitting bounce server
  • Data bounces off bounce server

40
Covert_TCP
  • TCP ACK number
  • Client sends SYN packet to bounce server
  • Source address spoofed to client's address
  • ISN is one less than desired ASCII character
  • Bounce server responds to client
  • Either SYN/ACK or RESET
  • Either way, ISN incremented by 1
  • Server recovers ASCII character (ISN)

41
Covert_TCP
42
Nushu
  • Uses a passive covert channel
  • Data sent from host to gateway
  • Embeds info in other (real) packets
  • Alters ISN to contain data
  • Assumes attacker also controls gateway
  • At gateway, read data from ISN and forward it
  • How much data can be transferred?

43
Nushu
44
Nushu
45
Nushu
46
Nushu
  • Implemented as Linux kernel module
  • Creates issue with seq numbers
  • Suppose the good guys
  • sniff packets on the host
  • and the same packets elsewhere on the LAN
  • What anomaly will they see?

47
Defenses
  • No effective defense against covert channels once
    attacker has access
  • So, keep attackers out
  • Secure configuration
  • Apply patches
  • Antivirus
  • Monitor for BHOs in IE

48
Defenses
  • Know what is normal
  • Good luck!
  • Network-based IDS
  • Commercial: Sourcefire Intrusion Sensors, ISS
    RealSecure, Cisco Secure IDS, Network Flight
    Recorder
  • Freeware: Snort

49
Conclusions
50
Summary