
Covering Tracks and Hiding






Presentation Transcript


  1. Covering Tracks and Hiding Covering Tracks and Hiding 1

  2. In This Chapter…
  • Hiding evidence
  • Altering log files
  • Hidden files
  • Practical covert channels

  3. Intro
  • Attacks happen
    • See zone-h.com
  • Some attackers want attention
  • Recently, more stealthy attacks
    • “Silent” attacks (botnets)
  • Attacker must hide tracks

  4. Altering Event Logs
  • Even rootkits leave traces in log files
  • With admin privilege, an attacker could delete log files
    • Probably a bad idea…
  • A better idea: selectively edit logs
  • How?

  5. Logs in Windows
  • EventLog is the logging service
  • Files ending with .LOG
    • E.g., SECURITY, SYSTEM, APPLICATION
  • This info is moved to the main event logs
    • SECEVENT.EVT, SYSEVENT.EVT, …
  • The .EVT files are read by the admin using Windows Event Viewer

  6. Windows Event Viewer

  7. Windows Logs
  • SECEVENT.EVT
    • Failed logins, policy changes, attempts to access files without permission, etc.
  • SYSEVENT.EVT
    • E.g., details of driver failure
  • APPEVENT.EVT
    • Application-related issues

  8. Windows Logs
  • Altering event logs
    • At minimum, must change SECEVENT entries
  • EVT files are “locked” and in a binary format
    • Cannot open/edit with the usual tools
  • With physical access… boot to Linux and edit logs
    • Not practical in most cases

  9. Windows Logs
  • Event editing tools
    • None for XP (as of writing)
    • Do exist for NT/2000
  • WinZapper
    • Attacker can selectively edit EVT files
    • But must reboot the machine to restart the EventLog service

  10. WinZapper

  11. UNIX Logging
  • Log files usually in ASCII text
    • With privilege, easy to edit
  • Config file tells where log files are located
    • Attacker can locate the files and edit them
  • Also “accounting files”
    • utmp, wtmp, lastlog
    • Binary files, so harder to edit

  12. UNIX Logging
  • Tools to edit accounting files
    • Many at www.packetstormsecurity.org
    • Simple Nomad: effective on many versions
    • Other similar tools: wtmped, marry, cloak, logwedit, wzap, zapper
  • An accounting-file editing tool is a standard part of most rootkits
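The accounting files are binary, but that cuts both ways: a defender can parse them just as easily as an editing tool can. The following is an added example (not from these slides or any of the tools named) that parses wtmp records using the Linux x86_64 struct utmp layout and flags the residue that editing typically leaves behind: all-zero records, timestamps that run backwards, and logouts whose login record has gone missing. The record layout, the helper names and the sample wtmp bytes are all constructed here.

```python
import struct

# Layout of struct utmp on Linux x86_64 (384 bytes per record), as used by wtmp/utmp.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8     # ut_type values for login and logout records

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one constructed utmp record (sample data, not from a real system)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")

def cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode(errors="replace")

def parse_wtmp(data):
    """Yield (type, pid, line, user, host, tv_sec) for each 384-byte record."""
    if len(data) % UTMP_SIZE:
        raise ValueError("truncated wtmp: length is not a multiple of the record size")
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield f[0], f[1], cstr(f[2]), cstr(f[4]), cstr(f[5]), f[9]

def find_anomalies(data):
    """Flag signs of editing: zeroed records, timestamps going backwards,
    and logout records whose matching login record is absent."""
    findings, prev_ts, open_sessions = [], 0, {}
    for idx, (typ, pid, line, user, host, ts) in enumerate(parse_wtmp(data)):
        if typ == 0 and pid == 0 and ts == 0:
            findings.append(f"record {idx}: zeroed entry (possible wtmp zapper)")
            continue
        if ts < prev_ts:
            findings.append(f"record {idx}: timestamp {ts} earlier than previous {prev_ts}")
        prev_ts = ts
        if typ == USER_PROCESS:
            open_sessions[(line, pid)] = user
        elif typ == DEAD_PROCESS:
            if (line, pid) not in open_sessions:
                findings.append(f"record {idx}: logout on {line} (pid {pid}) with no matching login")
            open_sessions.pop((line, pid), None)
    return findings

# Constructed sample: alice logs in and out; then a zeroed record where a second
# login used to be; then the logout that belonged to the now-missing login.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1001, "pts/0", "alice", "10.0.0.5", 1700000000),
    make_record(DEAD_PROCESS, 1001, "pts/0", "", "", 1700000600),
    bytes(UTMP_SIZE),
    make_record(DEAD_PROCESS, 1002, "pts/1", "", "", 1700001200),
])
```

Running find_anomalies on a real /var/log/wtmp works the same way once the file is read as bytes; the layout differs on 32-bit platforms, so adjust UTMP_FMT there.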

  13. Shell History Files
  • List of command-line commands issued
  • Attacker would like to edit this
    • Files are in ASCII, easy to edit
    • Can insert lines too
    • Why might this be useful?
  • Shell history is written to the file when the shell is exited gracefully
    • How to get around this?

  14. Defenses
  • Activate logging
    • Log according to some specified policy
  • Periodically audit logging
  • Allow plenty of space for logs
  • Restrictive permissions on log files
  • Use a separate server for logging
    • Logs redirected to logging server
    • Not everything can be redirected

  15. Defenses
  • Encrypt log files
  • Make log files append-only
    • Little more than a “speed bump”
  • Store logs on unalterable media
    • E.g., non-rewritable CD/DVD

  16. Hidden Files
  • Why would an attacker use hidden files?
    • Store attack tools
    • Save sniffed passwords, etc.
  • What does “hidden” mean?
    • Maybe just hard to find
    • Or easily overlooked

  17. Hidden Files
  • In UNIX, prepend “.” to the filename
  • Use “.” followed by space(s)
    • What the … ?
  • Other ideas?

  18. Hidden Files in Windows
  • Use the “hidden” attribute
    • Very lame

  19. Hidden Files in Windows

  20. Hidden Files in Windows
  • Alternate Data Streams (ADS)
    • Available in NTFS
    • Multiple streams of data can be associated with a single file
    • These streams can store any info
    • The “usual” view is just one such stream
  • Fairly effective means of hiding files

  21. Defenses
  • File integrity checking
  • Host-based IDS
  • In Windows, use ADS-aware tools
    • CrucialADS, LADS, for example

  22. Covert Channels
  • Suppose attacker has…
    • Gotten access
    • Installed evil code/tools
    • Covered their tracks, etc.
  • Attacker still needs to communicate
    • How to do this without detection?
  • Covert channel
    • “communication path not intended as such by system’s designers”

  23. Covert Channels

  24. Covert Channels
  • In networked systems…
    • Covert channels are everywhere!
  • When does a covert channel exist?
    • Sender and receiver have a shared resource
    • Sender is able to vary a property of the resource that the receiver can observe
    • Communication between sender and receiver can be synchronized

  25. Covert Channels
  • Examples of covert channels?
  • How to eliminate covert channels?
    • Easy: eliminate all communication and shared resources
  • DoD gave up on eliminating covert channels
    • Instead, try to reduce the capacity
  • Does this solve the problem?
  • Does it help?

  26. Tunneling
  • Q: What is tunneling?
  • A: One protocol carries another
    • E.g., SSH used to carry Telnet
    • E.g., TCP/CP, i.e., IP over carrier pigeons (RFC 1149 and RFC 2549)
  • Tunneling used for covert channels
    • We look at Loki and Reverse WWW Shell

  27. Loki
  • Suppose
    • Attacker 0wns a server
    • Server network allows incoming ICMP (ping/traceroute)
  • Loki pronounced “low key”
    • Provides shell access over ICMP
    • “Better” than TCP/UDP backdoors

  28. Loki
  • Trudy installs the Loki server on the server
    • Lokid (“low key dee”)
    • Must run as root
    • Grabs incoming ICMP packets from the kernel
  • Trudy installs the Loki client on her machine
    • Data sent to Lokid using ICMP
  • Under the radar of most backdoor detection (Why?)
    • ICMP has no concept of a port

  29. Loki

  30. Loki
  • Optionally, uses UDP port 53
    • Switch between ICMP/UDP on the fly
  • Supports encryption
    • Using Blowfish encryption
    • Diffie-Hellman key exchange
  • Other similar tools
    • CCTT and MSNShell

  31. Reverse WWW Shell
  • Covert channel using HTTP
  • Reverse WWW Shell installed on a machine on the network
    • Every 60 seconds, it “phones home”
    • I.e., contacts an external master server
  • The “reverse” part: it pulls in commands
  • Looks like normal Web traffic

  32. Reverse WWW Shell

  33. Reverse WWW Shell
  • Sometimes a username/password is required to access the Web
    • If known, Reverse WWW Shell can automate this
  • Note that other protocols could be used
  • The Reverse WWW Shell idea is used by some legitimate software
    • E.g., remote GUI access to a machine
    • See GoToMyPC.com

  34. Covert Channels and Malware
  • Consider spyware to steal passwords
    • How to exfiltrate passwords?
  • Piggyback on legitimate outbound traffic
    • In Windows, IE is a natural choice
    • HTTP/HTTPS
  • Malware often designed as a Browser Helper Object (BHO) for IE

  35. Headers as Covert Channels
  • Lots of room for covert channels
    • E.g., unused bits
  • But possible to be more clever
  • Tools
    • Covert_TCP
    • Nushu

  36. IP & TCP Headers

  37. Covert_TCP
  • Covert_TCP can make use of
    • IP identification
    • TCP sequence number
    • TCP ACK number
  • Lots of other possible covert channels
    • Only the 3 above are used by Covert_TCP
  • NAT or a proxy will cause problems
    • But IP ID may still work through NAT

  38. Covert_TCP
  • IP identification
    • Insert one ASCII character
    • Read it at the other end
  • TCP sequence number
    • Send SYN with the ASCII character as the initial sequence number
    • Reply with RESET
    • Ironically, RESET acts as the ACK

  39. Covert_TCP
  • TCP ACK number
    • Most sophisticated option
    • Involves server (sender), client (receiver), and an unwitting “bounce server”
    • Data “bounces” off the bounce server

  40. Covert_TCP
  • TCP ACK number
    • Client sends a SYN packet to the bounce server
    • Source address spoofed to the client’s address
    • ISN is one less than the desired ASCII character
    • Bounce server responds to the client
    • Either SYN ACK or RESET
    • Either way, the ISN is incremented by 1
    • Server recovers the ASCII character (ISN)

  41. Covert_TCP
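The weakness of carrying one ASCII character per header field is that the field stops looking random. The following is an added example (not code from the slides or from Covert_TCP) of the corresponding detection: it groups SYN packets by source, checks the IP ID and ISN fields for runs of values that all fall in printable ASCII, and decodes any such run for the analyst. The packet dictionaries, the helper names and the constructed capture (which follows the slides' simplified description of one character placed directly in the IP ID) are all assumptions of this example.

```python
import random
from collections import defaultdict

PRINTABLE = range(0x20, 0x7F)  # printable ASCII

def looks_like_text(values, min_run=8):
    """True when `min_run` consecutive field values all fall in printable ASCII.
    A random 16-bit IP ID lands in that range about 0.15% of the time and a random
    32-bit ISN almost never, so a run of eight is far beyond chance."""
    run = 0
    for v in values:
        run = run + 1 if v in PRINTABLE else 0
        if run >= min_run:
            return True
    return False

def analyse_syns(packets):
    """Group SYNs per source, test the IP ID and ISN fields for text-like runs,
    and return {src: {field: decoded_text}} for anything suspicious."""
    by_src = defaultdict(lambda: {"ip_id": [], "seq": []})
    for p in packets:
        if "S" in p["flags"]:
            by_src[p["src"]]["ip_id"].append(p["ip_id"])
            by_src[p["src"]]["seq"].append(p["seq"])
    report = {}
    for src, fields in by_src.items():
        for name, vals in fields.items():
            if looks_like_text(vals):
                text = "".join(chr(v) for v in vals if v in PRINTABLE)
                report.setdefault(src, {})[name] = text
    return report

def constructed_capture():
    """Constructed sample: a normal host with random IP IDs/ISNs interleaved with a
    host whose SYNs carry one ASCII character per IP ID (as the slides describe)."""
    rnd = random.Random(1)
    normal = [{"src": "10.0.0.5", "flags": "S", "ip_id": rnd.randrange(1 << 16),
               "seq": rnd.randrange(1 << 32)} for _ in range(20)]
    covert = [{"src": "10.0.0.9", "flags": "S", "ip_id": ch,
               "seq": rnd.randrange(1 << 32)} for ch in b"passwd:hunter2"]
    pkts = []
    for i in range(max(len(normal), len(covert))):
        pkts.extend(normal[i:i + 1] + covert[i:i + 1])
    return pkts
```

Against a real capture the same check applies to any other header field the slides mention (e.g., the ACK number in the bounce variant); hosts that use a sequential IP ID counter will not produce printable runs either, since consecutive values leave the range quickly.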

  42. Nushu
  • Uses a “passive” covert channel
    • Data sent from host to gateway
    • Embeds info in other (real) packets
    • Alters the ISN to contain data
  • Assumes the attacker also controls the gateway
    • At the gateway, read data from the ISN and forward it
  • How much data can be transferred?

  43. Nushu

  44. Nushu

  45. Nushu

  46. Nushu
  • Implemented as a Linux kernel module
  • Creates an “issue” with sequence numbers
  • Suppose the good guys…
    • …sniff packets on the host
    • …and the same packets elsewhere on the LAN
  • What anomaly will they see?
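The anomaly the slide hints at is that one and the same SYN carries two different initial sequence numbers depending on where it is captured. As an added example (not code from the slides or from Nushu), the following matches SYNs from a host-side capture against the same SYNs captured elsewhere on the LAN and reports every flow whose ISN changed in transit, which no legitimate element on the path has a reason to do. Packet dictionaries, helper names and both captures are constructed for this example; the addresses come from documentation ranges.

```python
def syn_key(p):
    """Identity of a SYN built from fields nothing on the path should rewrite;
    the IP ID distinguishes a retransmitted SYN from the original."""
    return (p["src"], p["sport"], p["dst"], p["dport"], p["ip_id"])

def compare_vantage_points(host_capture, lan_capture):
    """Return one record per SYN seen at both vantage points whose initial
    sequence number differs between them."""
    seen_on_host = {syn_key(p): p["seq"] for p in host_capture if p["flags"] == "S"}
    rewritten = []
    for p in lan_capture:
        if p["flags"] != "S":
            continue
        k = syn_key(p)
        if k in seen_on_host and seen_on_host[k] != p["seq"]:
            rewritten.append({"flow": k[:4],
                              "isn_on_host": seen_on_host[k],
                              "isn_on_lan": p["seq"]})
    return rewritten

def syn(sport, dst, dport, ip_id, seq):
    """Build a constructed SYN from 192.0.2.7 (a documentation address)."""
    return {"src": "192.0.2.7", "sport": sport, "dst": dst, "dport": dport,
            "ip_id": ip_id, "flags": "S", "seq": seq}

# Constructed captures: three SYNs as recorded on the host itself...
HOST_CAPTURE = [
    syn(40001, "198.51.100.20", 80, 101, 0x1A2B3C4D),
    syn(40002, "198.51.100.20", 443, 102, 0x5E6F7081),
    syn(40003, "192.0.2.1", 53, 103, 0x00112233),
]
# ...and the same three SYNs as recorded on the LAN, where the second one
# now carries a different ISN (the covert payload replaced it).
LAN_CAPTURE = [
    syn(40001, "198.51.100.20", 80, 101, 0x1A2B3C4D),
    syn(40002, "198.51.100.20", 443, 102, 0x48656C6C),
    syn(40003, "192.0.2.1", 53, 103, 0x00112233),
]
```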

  47. Defenses
  • No effective defense against covert channels once the attacker has access
  • So, keep attackers out
    • Secure configuration
    • Apply patches
    • Antivirus
    • Monitor for BHOs in IE

  48. Defenses
  • Know what is normal
    • Good luck!
  • Network-based IDS
    • Commercial: Sourcefire Intrusion Sensors, ISS RealSecure, Cisco Secure IDS, Network Flight Recorder
    • Freeware: Snort

  49. Conclusions

  50. Summary
