Covering Tracks and Hiding

Date post: 11-Feb-2016
Upload: cais
Description: Covering Tracks and Hiding (PowerPoint PPT presentation, 50 slides)

Transcript
Page 1: Covering Tracks and Hiding

Covering Tracks and Hiding 1

Covering Tracks and Hiding

Page 2: In This Chapter…

- Hiding evidence
  o Altering log files
  o Hidden files
- Practical covert channels

Page 3: Intro

- Attacks happen
  o See zone-h.com
- Some attackers want attention
- Recently, more stealthy attacks
  o “Silent” attacks (botnets)
  o Attacker must hide tracks

Page 4: Altering Event Logs

- Even rootkits leave traces in log files
- With admin privilege
  o Attacker could delete log files
  o Probably a bad idea…
- A better idea: selectively edit logs
- How?

Page 5: Logs in Windows

- EventLog is the logging service
  o Files ending with .LOG
  o E.g., SECURITY, SYSTEM, APPLICATION
- This info moved to main event logs
  o SECEVENT.EVT, SYSEVENT.EVT, …
  o The .EVT files are read by the admin using Windows Event Viewer

Page 6: Windows Event Viewer (figure slide; image not included in the transcript)

Page 7: Windows Logs

- SECEVENT.EVT
  o Failed logins, policy changes, attempts to access files without permission, etc.
- SYSEVENT.EVT
  o E.g., details of driver failure
- APPEVENT.EVT
  o Application-related issues

Page 8: Windows Logs

- Altering event logs
  o At minimum, must change SECEVENT
- EVT files are “locked” and in binary format
  o Cannot open/edit with usual tools
- With physical access…
  o …boot to Linux and edit logs
  o Not practical in most cases

Page 9: Windows Logs

- Event editing tools
  o None for XP (as of writing)
  o Do exist for NT/2000
- WinZapper
  o Attacker can selectively edit EVT files
  o But, must reboot machine to restart EventLog service

Page 10: WinZapper (figure slide; image not included in the transcript)

Page 11: UNIX Logging

- Log files usually in ASCII text
- With privilege, easy to edit
- Config file tells where log files are located
- Attacker can locate files, and edit
- Also “accounting files”
  o utmp, wtmp, lastlog
  o Binary files, so harder to edit

Page 12: UNIX Logging

- Tools to edit accounting files
  o Many at www.packetstormsecurity.org
  o Simple Nomad effect on many versions
  o Other similar tools: wtemped, marry, cloak, logwedit, wzap, zapper
- Accounting file editing tool is a standard part of most rootkits

Page 13: Shell History Files

- List of command line commands issued
- Attacker would like to edit this
- Files are in ASCII, easy to edit
  o Can insert lines too
  o Why might this be useful?
- Shell history is written to the history file
  o When shell is exited gracefully
  o How to get around this?

Page 14: Defenses

- Activate logging
  o Log according to some specified policy
- Periodically audit logging
- Allow plenty of space for logs
- Restrictive permissions on log files
- Use separate server for logging
  o Logs redirected to logging server
  o Not everything can be redirected

Page 15: Defenses

- Encrypt log files
- Make log files append-only
  o Little more than a “speed bump”
- Store logs on unalterable media
  o E.g., non-rewritable CD/DVD

Page 16: Hidden Files

- Why would attacker use hidden files?
  o Store attack tools
  o Save sniffed passwords, etc.
- What does “hidden” mean?
  o Maybe just hard to find
  o Or easily overlooked

Page 17: Hidden Files

- In UNIX, prepend “.” to filename
- Use “.” followed by space(s)
  o What the … ?
- Other ideas?

Page 18: Hidden Files in Windows

- Use “hidden” attribute
  o Very lame

Page 19: Hidden Files in Windows (figure slide; image not included in the transcript)

Page 20: Hidden Files in Windows

- Alternate Data Streams (ADS)
  o Available in NTFS
  o Multiple streams of data can be associated with a single file
  o These streams can store any info
  o “Usual” view is just one such stream
  o Fairly effective means of hiding files

Page 21: Defenses

- File integrity checking
- Host-based IDS
- In Windows, use ADS-aware tools
  o CrucialADS, LADS, for example

Page 22: Covert Channels

- Suppose attacker has…
  o Gotten access
  o Installed evil code/tools
  o Covered their tracks, etc.
- Attacker still needs to communicate
  o How to do this without detection?
- Covert channel
  o “communication path not intended as such by system’s designers”

Page 23: Covert Channels (figure slide; image not included in the transcript)

Page 24: Covert Channels

- In networked systems…
  o Covert channels are everywhere!
- When does a covert channel exist?
  1. Sender and receiver have a shared resource
  2. Sender able to vary a property of the resource that receiver can observe
  3. Communication between sender and receiver can be synchronized

Page 25: Covert Channels

- Examples of covert channels?
- How to eliminate covert channels?
  o Easy: eliminate all communication and shared resources
  o DoD gave up on eliminating covert channels
  o Instead, try to reduce the capacity
  o Does this solve the problem?
  o Does it help?

Page 26: Tunneling

- Q: What is tunneling?
- A: One protocol carries another
  o E.g., SSH used to carry Telnet
  o E.g., TCP/IP (RFC 1149 and RFC 2549)
- Tunneling used for covert channel
  o We look at Loki, Reverse WWW Shell

Page 27: Loki

- Suppose
  o Attacker 0wns server
  o Server network allows incoming ICMP (ping/traceroute)
- Loki pronounced “low key”
  o Provides shell access over ICMP
  o “Better” than TCP/UDP backdoors

Page 28: Loki

- Trudy installs Loki server on server
  o Lokid (“low key dee”)
  o Must run as root
  o Grabs incoming ICMP packets from kernel
- Trudy installs Loki client on her machine
  o Data sent to Lokid using ICMP
  o Under radar of most backdoor detection (Why?)
  o ICMP has no concept of a port

Page 29: Loki (figure slide; image not included in the transcript)

Page 30: Loki

- Optionally, uses UDP port 53
  o Switch between ICMP/UDP on the fly
- Supports encryption
  o Using Blowfish encryption
  o Diffie-Hellman key exchange
- Other similar tools
  o CCTT and MSNShell

Page 31: Reverse WWW Shell

- Covert channel using HTTP
- Reverse WWW Shell installed on machine on network
  o Every 60 seconds, it “phones home”
  o I.e., contacts external master server
  o The “reverse” part: it pulls in commands
  o Looks like normal Web traffic

Page 32: Reverse WWW Shell (figure slide; image not included in the transcript)

Page 33: Reverse WWW Shell

- Sometimes username/pwd required to access Web
  o If known, Reverse WWW Shell can automate
- Note that other protocols could be used
- Reverse WWW Shell idea used by some legitimate software
  o E.g., remote GUI access to machine
  o See GoToMyPC.com

Page 34: Covert Channels and Malware

- Consider spyware to steal passwords
- How to exfiltrate passwords?
  o Piggyback on legitimate outbound traffic
  o In Windows, IE is a natural choice
  o HTTP/HTTPS
- Malware often designed as a Browser Helper Object (BHO) for IE

Page 35: Headers as Covert Channels

- Lots of room for covert channels
  o E.g., unused bits
  o But possible to be more clever
- Tools
  o Covert_TCP
  o Nushu

Page 36: IP & TCP Headers (figure slide; image not included in the transcript)

Page 37: Covert_TCP

- Covert_TCP can make use of
  o IP identification
  o TCP sequence number
  o TCP ACK number
- Lots of other possible covert channels
  o Only the 3 above used by Covert_TCP
- NAT or proxy will cause problems
  o But IP ID may still work thru NAT

Page 38: Covert_TCP

- IP identification
  o Insert one ASCII character
  o Read it at other end
- TCP sequence number
  o Send SYN with ASCII character as initial sequence number
  o Reply with RESET
  o Ironically, RESET acts as ACK

Page 39: Covert_TCP

- TCP ACK number
  o Most sophisticated option
  o Involves server (sender), client (receiver), and unwitting “bounce server”
  o Data “bounces” off bounce server

Page 40: Covert_TCP

- TCP ACK number
- Client sends SYN packet to bounce server
  o Source address spoofed to client’s address
  o ISN is one less than desired ASCII character
- Bounce server responds to client
  o Either SYN ACK or RESET
  o Either way, ISN incremented by 1
- Server recovers ASCII character (ISN)

Page 41: Covert_TCP (figure slide; image not included in the transcript)

Page 42: Nushu

- Uses a “passive” covert channel
  o Data sent from host to gateway
- Embeds info in other (real) packets
- Alters ISN to contain data
- Assumes attacker also controls gateway
  o At gateway, read data from ISN and forward it
- How much data can be transferred?

Page 43: Nushu (figure slide; image not included in the transcript)

Page 44: Nushu (figure slide; image not included in the transcript)

Page 45: Nushu (figure slide; image not included in the transcript)

Page 46: Nushu

- Implemented as Linux kernel module
- Creates “issue” with seq numbers
- Suppose the good guys
  o …sniff packets on host
  o …and same packets elsewhere on LAN
  o What anomaly will they see?

Page 47: Defenses

- No effective defense against covert channels once attacker has access
- So, keep attackers out
  o Secure configuration
  o Apply patches
  o Antivirus
  o Monitor for BHOs in IE

Page 48: Defenses

- Know what is normal
  o Good luck!
- Network-based IDS
  o Commercial: Sourcefire Intrusion Sensors, ISS RealSecure, Cisco Secure IDS, Network Flight Recorder
  o Freeware: Snort

Page 49: Conclusions

Page 50: Summary