Blackhat windows security 2004 data hiding on a live system
Presentation Transcript
BlackHat Windows Security 2004 - Data Hiding on a Live System

by Harlan Carvey

[email protected]


Purpose

  • Present/discuss different techniques for hiding data on LIVE systems (NTFS)

  • Address methods of preventing and detecting this activity

  • What is NOT covered?

    • Maintenance tracks, boot sector, file slack, etc.


What is being hidden?

  • Data

    • Text

    • Output of commands (samdump, etc.)

  • Executables

    • Programs

    • Games

    • Rootkits


Who are we hiding it from?

  • Other users

  • Administrators

  • Investigators/forensics analysts


Altering files

  • File Changes

    • Name

    • Extension

      • Information regarding extensions and their associated applications is kept in the Registry

      • The ‘assoc’ command lists those associations

    • File signature (the leading "magic" bytes that identify the file type; this is NOT a hash)


Altering Names/Extensions

Samdump.log -> C:\winnt\system32\MSODBC32.DLL

  • A text dump renamed and moved so that name, extension and location all suggest a legitimate system DLL


Altering file signatures

  • The signature is in the leading bytes of the file (the first 20 bytes are enough to check the types below)

  • Change JFIF (JPEG) or GIF89a (GIF) in a graphics file to something else

  • Executables (.exe, .dll, .sys, .ocx, .scr) begin with “MZ”

  • sigs.pl performs signature analysis: it compares the bytes found with what the extension implies
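
Added example (PowerShell), not part of the original slides: a sigs.pl-style check that compares each file's leading bytes with the signature its extension implies, run over a constructed directory containing the renamed text dump from the previous slide. The signature table and the 20-byte read length are assumptions limited to the types named above; extend the table for your environment.

```powershell
# Added example (not from the slides). Compares the leading bytes of each file
# with the signature its extension implies and reports mismatches, e.g. a text
# log renamed to MSODBC32.DLL. The table is an assumption limited to the types
# the slide names.
$Signatures = @{
    # extension -> @{ Offset = where the magic sits; Magic = expected bytes }
    '.exe' = @{ Offset = 0; Magic = [byte[]](0x4D, 0x5A) }      # "MZ"
    '.dll' = @{ Offset = 0; Magic = [byte[]](0x4D, 0x5A) }
    '.sys' = @{ Offset = 0; Magic = [byte[]](0x4D, 0x5A) }
    '.ocx' = @{ Offset = 0; Magic = [byte[]](0x4D, 0x5A) }
    '.scr' = @{ Offset = 0; Magic = [byte[]](0x4D, 0x5A) }
    '.gif' = @{ Offset = 0; Magic = [System.Text.Encoding]::ASCII.GetBytes('GIF8') }  # GIF87a / GIF89a
    '.jpg' = @{ Offset = 6; Magic = [System.Text.Encoding]::ASCII.GetBytes('JFIF') }  # after the SOI and APP0 markers
}

function Get-LeadingBytes {
    # Read the first $Count bytes; FileShare ReadWrite so files held open by a process still read.
    param([string]$Path, [int]$Count = 20)
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] $Count
        $n = $fs.Read($buf, 0, $Count)
        if ($n -le 0) { return [byte[]]@() }
        return [byte[]]($buf | Select-Object -First $n)       # files shorter than $Count
    } finally { $fs.Dispose() }
}

function Test-FileSignature {
    param([System.IO.FileInfo]$File)
    $ext = $File.Extension.ToLower()
    if (-not $Signatures.ContainsKey($ext)) { return }        # no expectation for this extension
    $sig   = $Signatures[$ext]
    $bytes = Get-LeadingBytes -Path $File.FullName
    $end   = $sig.Offset + $sig.Magic.Length - 1
    $match = $bytes.Count -gt $end                            # too short to hold the magic = mismatch
    for ($i = 0; $match -and $i -lt $sig.Magic.Length; $i++) {
        if ($bytes[$sig.Offset + $i] -ne $sig.Magic[$i]) { $match = $false }
    }
    [pscustomobject]@{
        Path     = $File.FullName
        Expected = ($sig.Magic | ForEach-Object { $_.ToString('X2') }) -join ' '
        Found    = ($bytes | Select-Object -First ($end + 1) | ForEach-Object { $_.ToString('X2') }) -join ' '
        Match    = $match
    }
}

# Demo with constructed files: a text dump renamed to a DLL name, as on the slide,
# next to a genuine PE file copied from System32.
$demo = Join-Path $env:TEMP 'sigdemo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'MSODBC32.DLL') -Value 'constructed sample text, not a PE file'
Copy-Item "$env:SystemRoot\System32\notepad.exe" (Join-Path $demo 'real.exe')

Get-ChildItem -LiteralPath $demo -File | ForEach-Object { Test-FileSignature $_ } |
    Where-Object { -not $_.Match } | Format-Table -AutoSize
# Only MSODBC32.DLL is reported: Expected "4D 5A", Found starts with the text's first bytes.
```

Run the same pipeline over a real directory (for example C:\Windows\System32) and review the mismatches; files whose extension is not in the table are skipped rather than reported, so an attacker who picks an unlisted extension is not caught by this check alone.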


DOS Attributes

  • 'attrib' command (e.g. attrib +h +s sets the hidden and system attributes)

  • Explorer settings ("Show hidden files and folders", "Hide protected operating system files")

  • 'dir' switch (dir /a[:h] lists hidden files)

  • Perl ignores the attributes (opendir/readdir and glob return hidden files as well)

  • hfind.exe (Foundstone) searches for hidden files


File Splitting

  • File Splitting

    • Almost as old as DOS

    • Many programs available

    • Malicious uses


File Splitting (diagram)

[Diagram: the original file is cut into arbitrarily sized segments, which are stored separately and reassembled later]


“touching” files

  • Alter the creation, last access and last modification times (the MAC times)

  • 'touch' in Unix

  • Microsoft SetFileTime() API

  • Used to hide from search tools that filter or sort by time

    • dir /t[:a] (display and sort by last access time)

    • afind.exe (Foundstone)

    • macmatch.exe (NTSecurity.nu)
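
Added example (PowerShell), not from the original slides: sets all three times on a constructed file the way a touch tool or a SetFileTime() caller would (the FileInfo setters call SetFileTime() underneath), then runs three timestamp heuristics over the directory. The heuristics are assumptions made here, not the presenter's, and will produce some false positives from copied or restored files.

```powershell
# Added example (not from the slides). Backdates files the way a "touch" tool
# does, then looks for the inconsistencies such tampering leaves behind.

function Set-FileTimes {
    # Set creation, last write and last access to the same instant (what most touch tools do).
    param([string]$Path, [datetime]$When)
    $f = Get-Item -LiteralPath $Path -Force
    $f.CreationTime   = $When
    $f.LastWriteTime  = $When
    $f.LastAccessTime = $When
}

function Find-SuspiciousTimes {
    # Heuristics assumed here; calibrate them against a known-good tree before trusting them.
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force | ForEach-Object {
        $reasons = @()
        # Modified before it was created: a copy, a restore, or a backdated last-write time.
        if ($_.LastWriteTime -lt $_.CreationTime) { $reasons += 'LastWrite earlier than Creation' }
        # All three identical to the tick: tools that set one value for all three leave this.
        if ($_.CreationTime -eq $_.LastWriteTime -and $_.LastWriteTime -eq $_.LastAccessTime) {
            $reasons += 'Creation, LastWrite and LastAccess identical'
        }
        # Whole-second value: NTFS keeps 100 ns resolution, touch tools usually set whole seconds.
        if ($_.LastWriteTime.Ticks % 10000000 -eq 0) { $reasons += 'LastWrite has a zero sub-second part' }
        if ($reasons) {
            [pscustomobject]@{ Path = $_.FullName; Created = $_.CreationTime
                               Written = $_.LastWriteTime; Why = $reasons -join '; ' }
        }
    }
}

# Demo on constructed files.
$demo = Join-Path $env:TEMP 'touchdemo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'backdated.txt') -Value 'all three times set'
Set-Content -LiteralPath (Join-Path $demo 'copied.txt')    -Value 'only last write set'

# Full touch: every timestamp moved to the same past instant.
Set-FileTimes -Path (Join-Path $demo 'backdated.txt') -When ([datetime]'2004-01-01T12:00:00')
# Partial touch: last write moved back, creation time left alone.
(Get-Item -LiteralPath (Join-Path $demo 'copied.txt')).LastWriteTime = [datetime]'2004-01-01T12:00:00'

Find-SuspiciousTimes -Root $demo | Format-Table -AutoSize
# backdated.txt trips the "identical" and "zero sub-second" checks; copied.txt trips
# "LastWrite earlier than Creation" and "zero sub-second".
```

Two caveats when using last access times for this: Windows disables last-access updates on NTFS by default from Vista onwards (NtfsDisableLastAccessUpdate), so dir /t:a and afind.exe see stale values on most modern systems, and the heuristics above only read the $STANDARD_INFORMATION timestamps that SetFileTime() changes; the $FILE_NAME timestamps in the MFT entry are not reachable from this API and need a forensic tool.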


File Binding

  • Binders wrap a payload inside a carrier executable so that running the carrier also runs the payload

  • EliteWrap

  • Saran Wrap, Silk Rope


OLE/COM

  • MS OLE/COM API

  • “Structured Storage”, “Compound files”

    • “File system within a file”: a hierarchy of storages and streams, so extra data can be tucked inside an Office document

  • MergeStreams demo

    • May be discovered using “strings” or “grep” on the document

  • wd.exe


NTFS Alternate Data Streams

  • NTFS4 (Windows NT 4.0) and NTFS5 (Windows 2000)

  • Creating

  • Using

  • Running executables hidden in ADSs

    • NTFS4 vs. NTFS5


Creating ADSs

  • 'type' command with redirection

    • type notepad.exe > myfile.txt:np.exe

  • cp.exe from the Resource Kit

  • Attach to a file or to a directory

    • notepad myfile.txt:hidden.txt (stream on a file)

    • notepad :hidden.txt (stream on the current directory)


Executing ADSs

  • Running executables hidden in ADSs

  • Native methods

    • NTFS4 - ‘start’ (Foundstone)

    • NTFS5 - several methods


Detecting ADSs

  • lads.exe, by Frank Heyne (heysoft.de)

  • sfind.exe (Foundstone)

  • streams.exe (Sysinternals)

  • ads.pl (Perl)
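
Added example (PowerShell), not from the original slides, covering both the "Creating ADSs" slide and this one: creates the np.exe and hidden.txt streams on a constructed myfile.txt and then enumerates named streams the way streams.exe or lads.exe do. The -Stream parameter of the FileSystem provider requires PowerShell 3.0 or later; the byte-encoding switch differs between Windows PowerShell 5.1 and PowerShell 6+, and the directory name adsdemo is an assumption.

```powershell
# Added example (not from the slides). Reproduces "type notepad.exe > myfile.txt:np.exe"
# and "notepad myfile.txt:hidden.txt" with the FileSystem provider, then lists streams.
$demo   = Join-Path $env:TEMP 'adsdemo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$target = Join-Path $demo 'myfile.txt'
Set-Content -LiteralPath $target -Value 'visible text'

# Executable hidden in a named stream (same result as the slide's type redirection).
$bytes = [System.IO.File]::ReadAllBytes("$env:SystemRoot\System32\notepad.exe")
if ($PSVersionTable.PSVersion.Major -ge 6) {
    Set-Content -LiteralPath $target -Stream 'np.exe' -Value $bytes -AsByteStream     # PowerShell 6+/7
} else {
    Set-Content -LiteralPath $target -Stream 'np.exe' -Value $bytes -Encoding Byte   # Windows PowerShell 5.1
}
# Text hidden in a second stream.
Set-Content -LiteralPath $target -Stream 'hidden.txt' -Value 'constructed secret'

# dir and Explorer report only the primary stream; Length does not grow.
Get-Item -LiteralPath $target | Select-Object Name, Length

function Find-AlternateStreams {
    # streams.exe / lads.exe equivalent: every named stream under $Root.
    # Directories carry streams too ("notepad :hidden.txt"), so the root and all
    # children are enumerated, not just files.
    param([string]$Root)
    @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force) |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |         # ':$DATA' is the ordinary unnamed data stream
        Select-Object FileName, Stream, Length
}

Find-AlternateStreams -Root $demo | Format-Table -AutoSize
# Expected rows: myfile.txt  np.exe  (size of notepad.exe) and myfile.txt  hidden.txt  (small).

# Read a stream back, the equivalent of "notepad myfile.txt:hidden.txt".
Get-Content -LiteralPath $target -Stream 'hidden.txt'
```

When this is run over a whole volume, Zone.Identifier streams on downloaded files are expected noise; anything else, and in particular a stream whose content starts with "MZ", is worth opening. Removing a stream is Remove-Item -LiteralPath <file> -Stream <name>, or copying the file to a FAT volume and back, which drops every stream.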


Encryption

  • PGP

  • Fcrypt (ntsecurity.nu)

  • Perl (Crypt::TripleDES)


Steganography

  • The art of hiding information inside innocuous cover data (images, audio)

    • S-Tools4

    • http://www.citi.umich.edu/u/provos/stego/


Registry

  • Holds licensing information

  • Software installation dates and information

  • Contains binary and string data types, so arbitrary data can be stored in a value


"Hidden" Functionality

  • Registry keys

    • Used by various malware for persistence

    • The ubiquitous "Run" key

    • Services

  • ClearPageFileAtShutdown Registry value (under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management)

  • StartUp directories
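
Added example (PowerShell), not from the original slides: enumerates the autostart locations this slide lists (Run/RunOnce keys, services, StartUp directories) and reads ClearPageFileAtShutdown, so the output can be reviewed or diffed against a baseline taken from a clean build. The "outside %SystemRoot%" filter on services is a review heuristic assumed here, not something the slide states.

```powershell
# Added example (not from the slides). Collects the autostart locations named on
# the slide into objects that can be exported and compared against a baseline.

function Get-RunKeyEntries {
    # Per-machine and per-user Run / RunOnce values.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $item = Get-Item -LiteralPath $k
        foreach ($name in $item.GetValueNames()) {          # the "(Default)" value appears as ''
            [pscustomobject]@{ Location = $k; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

function Get-StartupFolderEntries {
    # Per-user and all-users StartUp directories.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if ($path -and (Test-Path -LiteralPath $path)) {
            Get-ChildItem -LiteralPath $path -Force -File |
                Select-Object @{n = 'Location'; e = { $folder }}, Name, LastWriteTime
        }
    }
}

function Get-ServiceBinaries {
    # Heuristic assumed here: services whose image lives outside %SystemRoot% get a closer look.
    # Third-party services in Program Files will show up too; that is the point of a baseline.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notlike "*$env:SystemRoot\*" } |
        Select-Object Name, StartMode, State, PathName
}

function Get-PageFileClearing {
    # 1 = pagefile wiped at shutdown, so nothing swapped out survives into the next boot.
    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    (Get-ItemProperty -LiteralPath $mm -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
}

Get-RunKeyEntries        | Format-Table -AutoSize
Get-StartupFolderEntries | Format-Table -AutoSize
Get-ServiceBinaries      | Format-Table -AutoSize
"ClearPageFileAtShutdown = $(Get-PageFileClearing)"    # empty when the value is absent (default: not cleared)
```

Pipe each function into Export-Clixml on a known-good system and Compare-Object against a later export; an entry that appears in the Run key or the service list with a path under a user profile or a temp directory is the usual sign of the persistence the slide describes.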


Rootkits

  • Kernel-mode vs. user-mode

  • API Hooking/DLL Injection

    • NTRootkit

    • HackerDefender (DLL Injection)

    • AFX Rootkit 2003 (DLL Injection)

    • Vanquish (DLL Injection)

    • FU (DKOM)


How to prevent/detect

  • Configuration Policies/Management

  • Monitoring

    • Event Logs

    • Additional monitoring applications

    • Scans


