
BlackHat Windows Security 2004 Data Hiding on a Live System



Presentation Transcript


  1. BlackHat Windows Security 2004 • Data Hiding on a Live System • by Harlan Carvey keydet89@yahoo.com

  2. Purpose • Present/discuss different techniques for hiding data on LIVE systems (NTFS) • Address methods of preventing and detecting this activity • What is NOT covered? • Maintenance tracks, boot sector, file slack, etc.

  3. What is being hidden? • Data • Text • Output of commands (samdump, etc.) • Executables • Programs • Games • Rootkits

  4. Who are we hiding it from? • Other users • Administrators • Investigators/forensics analysts

  5. Altering files • File Changes • Name • Extension • Information regarding extensions and associations is maintained in the Registry • ‘assoc’ command • File Signature (this is NOT a hash)

  6. Altering Names/Extensions • Samdump.log -> C:\winnt\system32\MSODBC32.DLL

  7. Altering file signatures • First 20 bytes of the file • Change JFIF/GIF89a in graphics file to something else • Executables (.exe, .dll, .sys, .ocx, .scr) begin w/ “MZ” • Sigs.pl performs signature analysis
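The deck's sigs.pl is a Perl tool that is not reproduced here. The following is an added example, not code from the talk, that performs the same kind of signature analysis in Python: it compares the first 20 bytes of each file with the type its extension claims and reports the ones that disagree. The signature and extension tables are an illustrative subset, and the sample directory it builds (a renamed log posing as MSODBC32.DLL, a GIF with its GIF89a header overwritten) is constructed for the demonstration.

```python
import os
import tempfile

# Well-known magic bytes at offset 0; an illustrative table, not exhaustive.
SIGNATURES = {
    b"MZ": "executable",                 # .exe/.dll/.sys/.ocx/.scr
    b"\xff\xd8\xff": "jpeg",             # JPEG start-of-image (JFIF/EXIF follow)
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # OLE/COM compound file
}

# What each extension claims to be; again an illustrative subset.
EXT_TO_TYPE = {
    ".exe": "executable", ".dll": "executable", ".sys": "executable",
    ".ocx": "executable", ".scr": "executable",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png",
    ".zip": "zip", ".doc": "ole2", ".xls": "ole2",
}


def identify(header):
    """Name the type of the longest signature that matches header, else None."""
    best = None
    for magic, name in SIGNATURES.items():
        if header.startswith(magic) and (best is None or len(magic) > len(best[0])):
            best = (magic, name)
    return best[1] if best else None


def check_file(path):
    """Compare the first 20 bytes of a file with what its extension claims."""
    with open(path, "rb") as fh:
        header = fh.read(20)
    actual = identify(header)
    claimed = EXT_TO_TYPE.get(os.path.splitext(path)[1].lower())
    # Only extensions in the table make a claim; unknown extensions are not judged.
    return {"path": path, "claimed": claimed, "actual": actual,
            "mismatch": claimed is not None and actual != claimed}


def scan_tree(root):
    """Walk root and return every file whose content contradicts its extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            result = check_file(os.path.join(dirpath, name))
            if result["mismatch"]:
                findings.append(result)
    return findings


def build_sample_tree():
    """Constructed sample data (not from the deck): a text log renamed to look
    like a system DLL, a GIF whose 'GIF89a' header was overwritten, a
    genuine-looking MZ executable, and a text file that makes no claim."""
    root = tempfile.mkdtemp(prefix="sigscan_")
    samples = {
        "MSODBC32.DLL": b"constructed log output, not a DLL\r\n",
        "holiday.gif": b"XXXXXX" + b"\x00" * 24,                # signature altered
        "notepad.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 24,    # MZ header start
        "readme.txt": b"plain text; .txt claims nothing here",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


def scan_sample():
    """Run the scan over the constructed tree; returns the flagged base names."""
    return sorted(os.path.basename(f["path"]) for f in scan_tree(build_sample_tree()))


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['path']}: extension says {f['claimed']}, content says {f['actual']}")
```

Run it against a real tree by calling scan_tree("C:\\winnt\\system32") instead of the sample; files with an unlisted extension are deliberately not reported, so extend EXT_TO_TYPE for the types your environment cares about.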

  8. DOS Attributes • 'attrib' command • Explorer settings • 'dir' switch (dir /a[:h]) • Perl's opendir/readdir and glob ignore the attribute (hidden files are still listed) • hfind.exe (FoundStone)

  9. File Splitting • File Splitting • Almost as old as DOS • Many programs available • Malicious uses

  10. File Splitting (diagram: original file divided into arbitrarily sized segments)

  11. “touching” files • Alter the creation, last access, last modification dates • 'touch' in Unix • Microsoft SetFileTime() API • Used to hide from search tools • dir /t[:a] • afind.exe (FoundStone) • macmatch.exe (NTSecurity.nu)
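The tools named on the slide (afind.exe, macmatch.exe) search by time window; a complementary check is to look for timestamp combinations that normal use does not produce. The block below is an added example, not part of the talk, that applies three heuristics to created/accessed/modified triples: modification earlier than creation, all three stamps on exact second boundaries (an assumption used as a heuristic, since NTFS keeps 100 ns precision while touch-style tools usually write whole seconds), and any stamp later than the scan time. The records it checks are constructed; record_from_stat shows how to build one from a real file on Windows.

```python
import os
from datetime import datetime, timedelta


def check_mac(created, accessed, modified, now):
    """Return heuristic reasons the (created, accessed, modified) stamps look set
    by hand rather than by normal use. An empty list means nothing stood out."""
    reasons = []
    # A modification time earlier than the creation time: legitimate for a file
    # copied from elsewhere (the copy gets a fresh creation time), but also what
    # a back-dated SetFileTime() or 'touch' leaves behind.
    if modified < created:
        reasons.append("modified before created")
    # Assumption used as a heuristic: files the OS writes almost never land on
    # an exact second; stamps written through touch-style tools often do.
    if all(t.microsecond == 0 for t in (created, accessed, modified)):
        reasons.append("all stamps on exact second boundaries")
    # Anything after the scan time needs manipulation or a clock error.
    if max(created, accessed, modified) > now:
        reasons.append("timestamp in the future")
    return reasons


def scan_records(records, now):
    """records: iterable of (name, created, accessed, modified). Returns {name: reasons}."""
    findings = {}
    for name, c, a, m in records:
        reasons = check_mac(c, a, m, now)
        if reasons:
            findings[name] = reasons
    return findings


def record_from_stat(path):
    """Build a record from os.stat. On Windows st_ctime is the creation time the
    deck refers to; on POSIX it is the inode-change time, so use this on NTFS."""
    st = os.stat(path)
    return (path,
            datetime.fromtimestamp(st.st_ctime),
            datetime.fromtimestamp(st.st_atime),
            datetime.fromtimestamp(st.st_mtime))


def sample_records():
    """Constructed MAC records (not taken from any real system)."""
    base = datetime(2004, 1, 28, 10, 15, 32, 481200)
    return [
        # normal: created, then modified and read later, with sub-second noise
        ("report.doc", base, base + timedelta(hours=2, microseconds=120),
         base + timedelta(hours=1, microseconds=55)),
        # back-dated: modification pushed to 2001 while creation stayed 2004
        ("MSODBC32.DLL", base, base + timedelta(minutes=1, microseconds=9),
         datetime(2001, 7, 3, 9, 0, 0, 0)),
        # every stamp written by a tool: identical, whole-second values
        ("np.exe", datetime(2003, 6, 1, 12, 0, 0), datetime(2003, 6, 1, 12, 0, 0),
         datetime(2003, 6, 1, 12, 0, 0)),
        # clock pushed forward before writing
        ("notes.txt", base, base + timedelta(microseconds=7),
         datetime(2009, 1, 1, 0, 0, 0, 5)),
    ]


SCAN_TIME = datetime(2004, 1, 29, 8, 0, 0)   # constructed scan time


def scan_sample():
    return scan_records(sample_records(), SCAN_TIME)


if __name__ == "__main__":
    for name, reasons in scan_sample().items():
        print(name, "->", "; ".join(reasons))
```

Each heuristic has benign explanations (copies, installers, clock drift), so treat hits as leads to correlate with the event logs mentioned later in the deck rather than as verdicts.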

  12. File Binding • Elite Wrap • Saran Wrap, Silk Rope

  13. OLE/COM • MS OLE/COM API • “Structured Storage”, “Compound files” • “File system within a file” • MergeStreams Demo • May discover using “strings” or “grep” • wd.exe

  14. NTFS Alternate Data Streams • NTFS4 (NT) and NTFS5 (2K) • Creating • Using • Running executables hidden in ADSs • NTFS4 vs. NTFS5

  15. Creating ADSs • 'type' command • type notepad.exe > myfile.txt:np.exe • cp.exe from the Resource Kit • Bind to a file or to a directory listing • notepad myfile.txt:hidden.txt • notepad :hidden.txt

  16. Executing ADSs • Running executables hidden in ADSs • Native methods • NTFS4 - ‘start’ (FoundStone) • NTFS5 - several methods

  17. Detecting ADSs • lads.exe, by Frank Heyne (heysoft.de) • sfind.exe (FoundStone) • streams.exe (SysInternals) • ads.pl (Perl)
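The scanners on this slide (lads.exe, sfind.exe, streams.exe, ads.pl) all reduce to enumerating a file's streams and ignoring the unnamed one. The block below is an added example, not the deck's ads.pl, that does the same in Python: parse_stream_name and classify work on the ":name:$DATA" form the Win32 API reports, and enumerate_streams wraps FindFirstStreamW/FindNextStreamW from kernel32 (available from Windows Server 2003 onward, so not on the NT4/2000 systems the deck targets, where the listed tools remain the option). The sample listing it classifies is constructed to match the myfile.txt from the "Creating ADSs" slide and is not real tool output.

```python
import ctypes
import sys

EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".ocx", ".scr")


def parse_stream_name(raw):
    """Split a Win32 stream name of the form ':<name>:<type>' into (name, type).
    The file's ordinary contents are the unnamed stream '::$DATA'."""
    if not raw.startswith(":"):
        raise ValueError("not a stream name: %r" % raw)
    name, _sep, stype = raw[1:].rpartition(":")
    return name, stype


def classify(streams):
    """streams: iterable of (raw_name, size). Returns the alternate data
    streams, i.e. everything except the unnamed $DATA stream, with an
    extension-based hint that the content may be an executable (the extension
    is only a hint; check the magic bytes of the stream before trusting it)."""
    found = []
    for raw, size in streams:
        name, stype = parse_stream_name(raw)
        if name == "" and stype == "$DATA":
            continue  # the visible file content; nothing hidden here
        found.append({
            "stream": name,
            "type": stype,
            "size": size,
            "exec_hint": name.lower().endswith(EXECUTABLE_EXTS),
        })
    return found


class _WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout of WIN32_FIND_STREAM_DATA: LARGE_INTEGER size, WCHAR name[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (260 + 36))]


def enumerate_streams(path):
    """Windows only: list (raw_name, size) for every stream on path."""
    if sys.platform != "win32":
        raise OSError("stream enumeration requires the Win32 API")
    k32 = ctypes.windll.kernel32
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = _WIN32_FIND_STREAM_DATA()
    # 0 = FindStreamInfoStandard; dwFlags is reserved and must be 0
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle is None or handle == ctypes.c_void_p(-1).value:
        raise ctypes.WinError()
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def sample_listing():
    """Constructed listing for the myfile.txt of the 'Creating ADSs' slide."""
    return [("::$DATA", 14), (":np.exe:$DATA", 53248), (":hidden.txt:$DATA", 27)]


if __name__ == "__main__":
    listing = enumerate_streams(sys.argv[1]) if len(sys.argv) > 1 else sample_listing()
    for ads in classify(listing):
        print(f"{ads['stream']} ({ads['type']}, {ads['size']} bytes)"
              + (" [executable by extension]" if ads["exec_hint"] else ""))
```

To sweep a tree, call enumerate_streams on each path from os.walk, directories included, since a stream can be bound to a directory as the slide before notes.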

  18. Encryption • PGP • Fcrypt (ntsecurity.nu) • Perl (Crypt::TripleDES)

  19. Steganography • The art of hiding information • S-Tools4 • http://www.citi.umich.edu/u/provos/stego/

  20. Registry • Licensing information • Software installation dates and information • Contains binary and string data types

  21. "Hidden" Functionality • Registry keys • Used by various malware • The ubiquitous "Run" key • Services • ClearPagefileAtShutdown Registry key • StartUp directories
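Reviewing the Run keys by hand is tedious once there are many hosts; the block below is an added example, not from the talk, that parses a .reg export of the autostart keys and flags entries a reviewer would want to look at: a program path that names an alternate data stream, a bare file name that will be resolved through PATH at logon, or a program living in a user-writable scratch directory. The list of keys and directories is an illustrative subset, and the export it parses is constructed for the demonstration (the Updater value reuses the MSODBC32.DLL:np.exe idea from the earlier slides).

```python
import re

# Autostart keys reviewed: the deck's 'ubiquitous Run key' and its siblings
# (illustrative subset; Services and StartUp folders need separate checks).
AUTOSTART_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Microsoft\Windows\CurrentVersion\RunServices",
)
# Directories where an autostart program is unusual (user-writable scratch space).
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\documents and settings\\")

_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>.*)"$')


def parse_reg_export(text):
    """Parse string values from a .reg export into [(key, name, value)].
    Only "name"="string" lines are handled; hex(...) data and @= defaults are skipped."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := _VALUE_RE.match(line)):
            # .reg escapes backslashes and quotes; undo that
            value = m.group("value").replace("\\\\", "\\").replace('\\"', '"')
            entries.append((key, m.group("name"), value))
    return entries


def command_path(value):
    """Pull the program path out of a Run value such as '"C:\\x y.exe" /arg'
    or 'x.exe /arg' (unquoted paths with spaces are cut at the first space)."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(" ", 1)[0]


def review_entry(value):
    """Return the reasons a single autostart value deserves a closer look."""
    reasons = []
    low = command_path(value).lower()
    body = low[2:] if re.match(r"^[a-z]:", low) else low   # drop the drive spec
    if ":" in body:
        reasons.append("path names an alternate data stream")
    if "\\" not in low:
        reasons.append("bare file name, resolved via PATH at logon")
    if any(d in low for d in SUSPICIOUS_DIRS):
        reasons.append("program lives in a user-writable scratch directory")
    return reasons


def review_autostarts(text):
    """Return [(value_name, program_path, reasons)] for flagged autostart entries."""
    suffixes = tuple(k.lower() for k in AUTOSTART_KEYS)
    findings = []
    for key, name, value in parse_reg_export(text):
        if not key.lower().endswith(suffixes):
            continue
        reasons = review_entry(value)
        if reasons:
            findings.append((name, command_path(value), reasons))
    return findings


# Constructed .reg export, not taken from any real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINNT\\SOUNDMAN.EXE"
"Updater"="C:\\winnt\\system32\\MSODBC32.DLL:np.exe"
"Helper"="\"C:\\Documents and Settings\\bob\\Local Settings\\Temp\\svchost.exe\" -q"
"Sync"="sync.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo 1.0"
'''

if __name__ == "__main__":
    for name, path, reasons in review_autostarts(SAMPLE_REG):
        print(f"{name}: {path} -> {'; '.join(reasons)}")
```

Export the keys with regedit's "Export" (or reg.exe export on systems that have it) and feed the file to review_autostarts; entries that pass the three rules are not cleared, only unremarkable on these criteria.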

  22. Rootkits • Kernel-mode vs. user-mode • API Hooking/DLL Injection • NTRootkit • HackerDefender (DLL Injection) • AFX Rootkit 2003 (DLL Injection) • Vanquish (DLL Injection) • FU (DKOM)

  23. How to prevent/detect • Configuration Policies/Management • Monitoring • Event Logs • Additional monitoring applications • Scans

  24. Questions?
