310 likes | 335 Vues
Explore techniques for hiding & detecting traces, delivery methods, malicious code launching, and protection mechanisms in operating systems. Learn about hooks, immutable laws of security, and how to respond to security breaches effectively.
E N D
Crouching Admin, Hidden HackerTechniques for Hiding and Detecting Traces Paula Januszkiewicz Penetration Tester, MVP: Enterprise Security, MCT iDesign - CQURE: paula@idesign.net
Agenda Accountability Idea Hiding & Detecting 1 2 3 4 Delivery & Launch Summary
Operating System Accountability Windows 7 is designed to be used securely • Achieved Evaluation Assurance Level (EAL) 4+ certification that meets Federal Information Processing Standard (FIPS) #140-2 • Has C2 certification (Trusted Computer System Evaluation Criteria) • Passed the Common Criteria Certification process The above means that every step leaves some trace!
Agenda Accountability Idea Hiding & Detecting 1 2 3 4 Delivery & Launch Summary
Operating System Logging Mechanisms • Event Log • Extendable • Supported by API • Plain text files (.log) • Kernel traces • Notifications • SQL (ODBC) • Application related http://www.clearci.com
demo http://stderr.pl/cqure/tools.zip
demo Logs Less & More Advanced
Hacker’s Delivery • Binaries are delivered • With files from the Internet • On the removable media • Through LAN • Through offline access • By manipulating legitimate files • Using vulnerabilities • Buffer overflows http://www.batwinas.com
demo Replacing Files
demo "Vulnerabilities"
demo Services & ACLs
Launching Evil Code • Cheating administrator • Using automated ways • Explorer • Services • Drivers • DLLs • Replacing files • Path manipulation • Injecting code • Hooking calls
demo Services (In)Security
demo From A to Z - DLLs
demo Stuxnet Drivers
Areas of Focus • Problem: • Too much information to control • Solution: • Select areas with high probability of infection • DLLs • Services • Executables • Drivers • This attitude works as a first step
Agenda Accountability Idea Hiding & Detecting 1 2 3 4 Delivery & Launch Summary
Dirty Games: Protection Mechanisms • Introduced in Windows Vista • Part of Digital Rights Management • Protection is provided in two ways • Extension to the EPROCESS structure • Signing policy • ProtectedProcess bit
demo Protected Processes
Dirty Games: Hiding Mechanisms • Bypassing neighbored process objects • Pointing the pointer • nt!_eprocessActiveProcessLinksmanipulation • Does not affect software operation • Threads are still visible
demo Hidden Processes
Dirty Games: Hooks • Allow to run our code instead of the system code • Work on running code • Allow to intercept API Calls • Does not require special privileges • Useful for developers • … and for the ‘bad guys & girls’ http://www.lukechueh.com/
demo Hooking
3 of 10 Immutable Laws of Security • Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore • Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore • Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
demo Passwords In Operating System
Agenda Accountability Idea Hiding & Detecting 1 2 3 4 Delivery & Launch Summary
Summary • Learn how to detect malicious situations • Know your system when it is safe – you need a baseline • If you detect a successful attack – do not try to fight • Report the issue • Format your drive • Estimate the range of the attack • Know how to recover your data, when necessary
Related Content • Breakout Sessions (SIA203, SIA311, SIA304, SIA307) Find Me Later At TLC
Resources Learning TechNet • Connect. Share. Discuss. • Microsoft Certification & Training Resources http://europe.msteched.com www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers • http://microsoft.com/technet http://microsoft.com/msdn
Evaluations Submit your evals online http://europe.msteched.com/sessions
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.