BlackHat Windows Security 2004 Data Hiding on a Live System by Harlan Carvey keydet89@yahoo.com.


BlackHat Windows Security

2004

Data Hiding on a Live System

by Harlan Carvey, keydet89@yahoo.com

Purpose

Present/discuss different techniques for hiding data on LIVE systems (NTFS)

Address methods of preventing and detecting this activity

What is NOT covered? Maintenance tracks, boot sector, file slack, etc.

What is being hidden?

Data: text, output of commands (samdump, etc.)

Executables: programs, games, rootkits

Who are we hiding it from?

Other users

Administrators

Investigators/forensics analysts

Altering files

File changes: name, extension

Information regarding extensions and associations is maintained in the Registry

‘assoc’ command

File Signature (this is NOT a hash)

Altering Names/Extensions

Samdump.log -> C:\winnt\system32\MSODBC32.DLL

Altering file signatures

First 20 bytes of the file

Change JFIF/GIF89a in graphics file to something else

Executables (.exe, .dll, .sys, .ocx, .scr) begin w/ “MZ”

Sigs.pl performs signature analysis
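Signature analysis is the counter to both tricks on the slides above (renaming samdump.log to MSODBC32.DLL, or overwriting the "MZ"/"JFIF" bytes so a scanner skips the file). The following is an added example, not the deck's sigs.pl or any other tool named here: it compares what the extension claims with what the leading bytes say, and additionally follows e_lfanew to confirm a "PE\0\0" signature, since a bare "MZ" prefix is trivial to forge. The sample file contents are constructed for the demonstration.

```python
"""Extension-versus-signature check in the spirit of sigs.pl (added example).

Flags files whose extension promises one type while the first bytes carry
another: samdump.log holding an "MZ" executable, or a DLL whose "MZ"
header has been overwritten so that signature-based scans pass over it."""
import os
import struct
import tempfile

# Magic bytes at offset 0 -> detected type.
SIGNATURES = [
    (b"MZ", "exe"),                  # .exe .dll .sys .ocx .scr all start with "MZ"
    (b"\xff\xd8\xff", "jpeg"),       # JPEG SOI marker; "JFIF" usually follows at offset 6
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
]

# Extension -> type the file claims to be. Anything else claims no signature.
EXTENSIONS = {
    ".exe": "exe", ".dll": "exe", ".sys": "exe", ".ocx": "exe", ".scr": "exe",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png", ".zip": "zip",
}

HEADER_LEN = 4096                      # enough to reach the PE header behind a normal DOS stub
FLAGGED = {"mismatch", "mz-without-pe"}


def detect_type(header: bytes):
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def has_pe_header(header: bytes) -> bool:
    """'MZ' alone is easy to fake; a real PE image also carries 'PE\\0\\0' at the
    offset stored in e_lfanew (DOS header offset 0x3C)."""
    if len(header) < 0x40 or not header.startswith(b"MZ"):
        return False
    e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
    return header[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name: str, header: bytes) -> dict:
    """Compare what the extension claims with what the bytes say."""
    expected = EXTENSIONS.get(os.path.splitext(name)[1].lower())
    detected = detect_type(header)
    if expected is None and detected is None:
        verdict = "no-signature"       # plain text, logs, etc.: nothing to compare
    elif expected != detected:
        verdict = "mismatch"           # renamed, or header deliberately altered
    elif detected == "exe" and not has_pe_header(header):
        verdict = "mz-without-pe"      # "MZ" prefix with no PE image behind it
    else:
        verdict = "ok"
    return {"name": name, "expected": expected, "detected": detected, "verdict": verdict}


def scan(root: str):
    """Walk a tree and return every file whose verdict is worth a look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(HEADER_LEN)
            except OSError:
                continue
            result = classify(fname, header)
            if result["verdict"] in FLAGGED:
                result["path"] = path
                findings.append(result)
    return findings


# Constructed sample data (not real files): a minimal DOS header whose e_lfanew
# points at 'PE\0\0' at offset 0x40, and a JPEG header with "JFIF" overwritten.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 32
ALTERED_JPEG = b"\xff\xd8\xff\xe0\x00\x10XXXX\x00\x01\x01\x00" + b"\x00" * 32
SAMPLES = {
    "MSODBC32.DLL": FAKE_PE,               # genuine-looking DLL
    "samdump.log": FAKE_PE,                # executable renamed to look like a log
    "driver.sys": b"XX" + FAKE_PE[2:],     # "MZ" overwritten: hides from "MZ" scans
    "holiday.jpg": ALTERED_JPEG,           # "JFIF" changed, SOI marker still intact
    "notes.txt": b"nothing to see here\r\n",
    "loader.exe": b"MZ" + b"\x00" * 100,   # "MZ" stub with no PE image behind it
}


def build_sample_tree() -> str:
    """Write the constructed samples into a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="sigcheck-")
    for fname, data in SAMPLES.items():
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for f in scan(build_sample_tree()):
        print(f"{f['verdict']:14} {f['name']:14} claims={f['expected']} bytes={f['detected']}")
```

Two things the run shows that the slide does not: holiday.jpg is not flagged because the check keys on the SOI marker rather than on the "JFIF" string, so overwriting "JFIF" alone defeats only tools that grep for it; and driver.sys, with its "MZ" replaced, is caught as a mismatch precisely because its extension still promises an executable. Every such check is a heuristic, and a file whose extension claims nothing and whose bytes match nothing stays invisible to it.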

DOS Attributes

'Attrib' command

Explorer settings

'dir' switch (dir /a[:h])

Perl ignores the hidden attribute (opendir/readdir, glob return hidden entries)

hfind.exe (FoundStone)

File Splitting

Almost as old as DOS; many programs available; malicious uses

Original file -> arbitrarily sized segments

“touching” files

Alter the creation, last access, last modification dates

'touch' in Unix

Microsoft SetFileTime() API

Used to hide from search tools: dir /t[:a], afind.exe (FoundStone), macmatch.exe (NTSecurity.nu)
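The slide names the API ("touch" on Windows is a SetFileTime() call) and the search tools it defeats, but not what an investigator can still look for. The block below is an added example, not part of the deck and not any of the tools listed: it wraps SetFileTime() through ctypes to back-date a file exactly as a touch tool would, then runs two heuristics over a tree. The heuristics and their thresholds (five minutes of clock slack, the whole-second check) are this example's own choices; the sample file is constructed.

```python
"""Timestamp manipulation and its detection (added example).

Hiding side: SetFileTime() rewrites a file's creation, last-access and
last-write times so date-range searches (dir /t:a, afind, macmatch) skip it.
Detection side: flag timestamp relationships ordinary activity does not produce."""
import ctypes
import os
import sys
import time

EPOCH_DIFF_100NS = 116_444_736_000_000_000   # 1601-01-01 to 1970-01-01, in 100 ns ticks
FUTURE_SLACK_NS = 5 * 60 * 10**9             # tolerate a little clock skew


def unix_to_filetime(ts: float) -> int:
    """POSIX seconds -> Windows FILETIME (100 ns ticks since 1601)."""
    return int(round(ts * 10_000_000)) + EPOCH_DIFF_100NS


def set_file_times(path: str, created: float, accessed: float, written: float) -> None:
    """Windows only: the SetFileTime() call a 'touch' tool makes. os.utime() can set
    access and write times but not creation time, which needs this API."""
    FILETIME_P = ctypes.POINTER(ctypes.c_uint64)   # FILETIME has the same layout as a LE u64
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p,
                                ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    k32.SetFileTime.argtypes = [ctypes.c_void_p, FILETIME_P, FILETIME_P, FILETIME_P]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, OPEN_EXISTING = 0x100, 0x1, 3
    FILE_FLAG_BACKUP_SEMANTICS = 0x02000000       # needed to open a directory handle
    handle = k32.CreateFileW(path, FILE_WRITE_ATTRIBUTES, FILE_SHARE_READ, None,
                             OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, None)
    if handle is None or handle == ctypes.c_void_p(-1).value:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        times = [ctypes.c_uint64(unix_to_filetime(t)) for t in (created, accessed, written)]
        if not k32.SetFileTime(handle, *(ctypes.byref(t) for t in times)):
            raise ctypes.WinError(ctypes.get_last_error())
    finally:
        k32.CloseHandle(handle)


def timestamp_anomalies(created_ns, accessed_ns, written_ns, now_ns):
    """Heuristics over nanosecond timestamps (pure, so it can be exercised off NTFS).
    created_ns may be None on file systems that record no birth time."""
    reasons = []
    stamps = [("last-access", accessed_ns), ("last-write", written_ns)]
    if created_ns is not None:
        stamps.insert(0, ("creation", created_ns))
        if written_ns < created_ns:
            # Normal for a freshly copied file (copy keeps the source's write time);
            # otherwise a sign that the write time was pushed back.
            reasons.append("last-write precedes creation")
    for label, ts in stamps:
        if ts > now_ns + FUTURE_SLACK_NS:
            reasons.append(f"{label} time is in the future")
        if ts % 10**9 == 0:
            # NTFS keeps 100 ns resolution; an exact whole second usually means the
            # value was typed into a tool rather than produced by the system.
            reasons.append(f"{label} time has a zeroed sub-second field")
    return reasons


def scan_times(root: str, now_ns=None):
    """Walk a tree and return (path, reasons) for every object with an anomaly."""
    now_ns = time.time_ns() if now_ns is None else now_ns
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            created = getattr(st, "st_birthtime_ns", None)
            if created is None and sys.platform == "win32":
                created = st.st_ctime_ns          # on Windows st_ctime is the creation time
            reasons = timestamp_anomalies(created, st.st_atime_ns, st.st_mtime_ns, now_ns)
            if reasons:
                findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp(prefix="touchcheck-")
    target = os.path.join(root, "samdump.log")
    with open(target, "wb") as fh:
        fh.write(b"constructed sample\r\n")
    if sys.platform == "win32":
        old = time.mktime((2003, 1, 1, 0, 0, 0, 0, 0, -1))   # "touch" it back to 2003
        set_file_times(target, old, old, old)
    for path, reasons in scan_times(root):
        print(path, "->", "; ".join(reasons))
```

Both heuristics produce false positives (a copy operation, a FAT volume, or a backup restore also yields these patterns), so they are triage signals, not proof. Note also that the times shown by dir and read back by os.stat are the $STANDARD_INFORMATION values, which are exactly the ones SetFileTime() rewrites; whether other copies of the timestamps survive is outside what this deck covers.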

File Binding

Elite Wrap

Saran Wrap, Silk Rope

OLE/COM

MS OLE/COM API

“Structured Storage”, “Compound files”, “file system within a file”

MergeStreams demo; may discover using “strings” or “grep”

wd.exe

NTFS Alternate Data Streams

NTFS4 (NT) and NTFS5 (2K)

Creating

Using

Running executables hidden in ADSs

NTFS4 vs. NTFS5

Creating ADSs

'type' command: type notepad.exe > myfile.txt:np.exe

Cp.exe from Resource Kit

Bind to a file or to a directory: notepad myfile.txt:hidden.txt, notepad :hidden.txt (the bare ':hidden.txt' form attaches the stream to the current directory)

Executing ADSs

Running executables hidden in ADSs

Native methods: NTFS4 - 'start' (FoundStone); NTFS5 - several methods

Detecting ADSs

lads.exe, by Frank Heyne (heysoft.de)

sfind.exe (FoundStone)

streams.exe (SysInternals)

ads.pl (Perl)
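The three creation and detection slides above describe one procedure: attach a stream to a file or directory, then find it with a tool that enumerates streams. The block below is an added example that is not the deck's ads.pl nor any of the tools listed; it uses the NTFS ":name" path syntax to create streams and FindFirstStreamW/FindNextStreamW (Vista and later) to list them, and it flags streams beginning with "MZ" as hidden executables. The file and stream contents are constructed for the demonstration; only the name-parsing and filtering run off Windows.

```python
"""NTFS alternate data stream creation and enumeration (added example).

Creating: on NTFS the path "file.txt:np.exe" names a stream, so ordinary
file I/O writes it. Detecting: FindFirstStreamW/FindNextStreamW walk every
stream of a file or directory, which is what lads.exe, streams.exe and
ads.pl do with their own code."""
import ctypes
import os
import sys

MAX_PATH = 260
ERROR_HANDLE_EOF = 38            # FindFirstStreamW: the object has no streams at all


def write_stream(path: str, stream: str, data: bytes) -> None:
    """Equivalent of 'type notepad.exe > myfile.txt:np.exe' (Windows/NTFS only)."""
    with open(f"{path}:{stream}", "wb") as fh:
        fh.write(data)


def parse_stream_name(raw: str):
    """Names come back as ':<name>:$<type>': '::$DATA' is the unnamed default
    stream, ':np.exe:$DATA' a named one. Returns (name, attribute type)."""
    if not raw.startswith(":"):
        raise ValueError(f"unexpected stream name {raw!r}")
    name, sep, stype = raw[1:].rpartition(":$")
    if not sep:
        raise ValueError(f"unexpected stream name {raw!r}")
    return name, "$" + stype


def named_streams(raw_names):
    """Keep only named $DATA streams: the ones dir and Explorer do not show."""
    out = []
    for raw in raw_names:
        name, stype = parse_stream_name(raw)
        if name and stype == "$DATA":
            out.append(name)
    return out


def is_executable(head: bytes) -> bool:
    return head.startswith(b"MZ")


def list_streams(path: str):
    """Windows only: (raw name, size) for every stream of one file or directory."""
    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)   # 0 = FindStreamInfoStandard
    if handle is None or handle == ctypes.c_void_p(-1).value:
        err = ctypes.get_last_error()
        if err == ERROR_HANDLE_EOF:        # e.g. a directory with no named streams
            return []
        raise ctypes.WinError(err)
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def scan(root: str):
    """Walk a tree, directories included (':hidden.txt' binds to a directory),
    and report (path, stream, size, is_executable) for every named stream."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            raw = dict(list_streams(path))
            for stream in named_streams(raw):
                with open(f"{path}:{stream}", "rb") as fh:
                    exe = is_executable(fh.read(2))
                findings.append((path, stream, raw[f":{stream}:$DATA"], exe))
    return findings


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("needs Windows and an NTFS volume")
    import tempfile
    root = tempfile.mkdtemp(prefix="adscheck-")
    target = os.path.join(root, "myfile.txt")
    with open(target, "wb") as fh:
        fh.write(b"visible contents\r\n")
    write_stream(target, "np.exe", b"MZ" + b"\x00" * 62)      # constructed stand-in for notepad.exe
    write_stream(root, "hidden.txt", b"bound to the directory\r\n")
    for path, stream, size, exe in scan(root):
        print(f"{path}:{stream}  {size} bytes  {'EXECUTABLE' if exe else 'data'}")
```

Expect Zone.Identifier to show up on any file that was downloaded; it is a legitimate named stream, so filter on content rather than on name alone, since nothing stops an attacker from calling an executable stream Zone.Identifier. On Vista and later, dir /r lists streams natively, which is the quickest manual check before reaching for a tool.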

Encryption

PGP

Fcrypt (ntsecurity.nu)

Perl (Crypt::TripleDES)

Steganography

The art of hiding information; S-Tools4; http://www.citi.umich.edu/u/provos/stego/

Registry

Licensing information

Software installation dates and information

Contains binary and string data types

"Hidden" Functionality

Registry keys

Used by various malware: the ubiquitous "Run" key, Services

ClearPagefileAtShutdown Registry key

StartUp directories

Rootkits

Kernel-mode vs. user-mode

API hooking / DLL injection: NTRootkit, HackerDefender (DLL injection), AFX Rootkit 2003 (DLL injection), Vanquish (DLL injection), FU (DKOM)

How to prevent/detect

Configuration Policies/Management

Monitoring: Event Logs, additional monitoring applications, scans

Questions?