510 likes | 786 Vues
Covering Tracks and Hiding. In This Chapter…. Hiding evidence Altering log files Hidden files Practical covert channels. Intro. Attacks happen See zone-h.com Some attackers want attention Recently, more stealthy attacks “Silent” attacks (botnets) Attacker must hide tracks.
E N D
Covering Tracks and Hiding Covering Tracks and Hiding 1
In This Chapter… • Hiding evidence • Altering log files • Hidden files • Practical covert channels Covering Tracks and Hiding 2
Intro • Attacks happen • See zone-h.com • Some attackers want attention • Recently, more stealthy attacks • “Silent” attacks (botnets) • Attacker must hide tracks Covering Tracks and Hiding 3
Altering Event Logs • Even rootkits leave traces in log files • With admin privilege • Attacker could delete log files • Probably a bad idea… • A better idea: selectively edit logs • How? Covering Tracks and Hiding 4
Logs in Windows • EventLog is logging service • Files ending with .LOG • E.g., SECURITY, SYSTEM, APPLICATION • This info moved to main event logs • SECEVENT.EVT, SYSEVENT.EVT, … • The .EVT files read by admin using Windows Event Viewer Covering Tracks and Hiding 5
Windows Event Viewer Covering Tracks and Hiding 6
Windows Logs • SECEVENT.EVT • Failed logins, policy changes, attempts to access files without permission, etc. • SYSEVENT.EVT • E.g., details of driver failure • APPEVENT.EVT • Application-related issues Covering Tracks and Hiding 7
Windows Logs • Altering event logs • At minimum, must change SECEVENTs • EVT files “locked” and binary format • Cannot open/edit with usual tools • With physical access… • …boot to Linux and edit logs • Not practical in most cases Covering Tracks and Hiding 8
Windows Logs • Event editing tools • None for XP (as of writing) • Do exist for NT/2000 • WinZapper • Attacker can selectively edit EVT files • But, must reboot machine to restart EventLog service Covering Tracks and Hiding 9
WinZapper Covering Tracks and Hiding 10
UNIX Logging • Log files usually in ASCII text • With privilege, easy to edit • Config file tells where log files located • Attacker can locate files, and edit • Also “accounting files” • utmp, wtmp, lastlog • Binary files, so harder to edit Covering Tracks and Hiding 11
UNIX Logging • Tools to edit accounting files • Many at www.packetstormsecurity.org • Simple Nomad effect on many versions • Others similar tools: wtemped, marry, cloak, logwedit, wzap, zapper • Accounting file editing tool is standard part of most rootkits Covering Tracks and Hiding 12
Shell History Files • List of command line commands issued • Attacker would like to edit this • Files are in ASCII, easy to edit • Can insert lines too • Why might this be useful? • Edit to shell file written to shell history • When shell is exited gracefully • How to get around this? Covering Tracks and Hiding 13
Defenses • Activate logging • Log according to some specified policy • Periodically audit logging • Allow plenty of space for logs • Restrictive permissions on log files • Use separate server for logging • Logs redirected to logging server • Not everything can be redirected Covering Tracks and Hiding 14
Defenses • Encrypt log files • Make log files append-only • Little more than a “speed bump” • Store logs on unalterable media • E.g., non-rewritable CD/DVD Covering Tracks and Hiding 15
Hidden Files • Why would attacker use hidden files? • Store attack tools • Save sniffed passwords, etc. • What does “hidden” mean? • Maybe just hard to find • Or easily overlooked Covering Tracks and Hiding 16
Hidden Files • In UNIX, prepend “.” to filename • Use “.” followed by space(s) • What the … ? • Other ideas? Covering Tracks and Hiding 17
Hidden Files in Windows • Use “hidden” attribute • Very lame Covering Tracks and Hiding 18
Hidden Files in Windows Covering Tracks and Hiding 19
Hidden Files in Windows • Alternate Data Streams (ADS) • Available in NTFS • Multiple streams of data can be associated with a single file • These streams can store any info • “Usual” view is just one such stream • Fairly effective means of hiding files Covering Tracks and Hiding 20
Defenses • File integrity checking • Host-based IDS • In Windows, use ADS-aware tools • CrucialADS, LADS, for example Covering Tracks and Hiding 21
Covert Channels • Suppose attacker has… • Gotten access • Installed evil code/tools • Covered their tracks, etc. • Attacker still needs to communicate • How to do this without detection? • Covert channel • “communication path not intended as such by system’s designers” Covering Tracks and Hiding 22
Covert Channels Covering Tracks and Hiding 23
Covert Channels • In networked systems… • Covert channels are everywhere! • When does a covert channel exist? • Sender and receiver have a shared resource • Sender able to vary property of resource that receiver can observe • Communication between sender and receiver can be synchronized Covering Tracks and Hiding 24
Covert Channels • Examples of covert channels? • How to eliminate covert channels? • Easy: eliminate all communication and shared resources • DoD gave up on eliminating covert channels • Instead, try to reduce the capacity • Does this solve the problem? • Does it help? Covering Tracks and Hiding 25
Tunneling • Q: What is tunneling? • A: One protocol carries another • E.g., SSH used to carry Telnet • E.g., TCP/CP (RFC 1149 and RFC 2549) • Tunneling used for covert channel • We look at Loki, Reverse WWW Shell Covering Tracks and Hiding 26
Loki • Suppose • Attacker 0wns server • Server network allows incoming ICMP (ping/traceroute) • Loki pronounced “low key” • Provides shell access over ICMP • “Better” than TCP/UDP backdoors Covering Tracks and Hiding 27
Loki • Trudy installs Loki server on server • Lokid (“low key dee”) • Must run as root • Grabs incoming ICMP packets from kernel • Trudy installs Loki client on her machine • Data sent to Lokid using ICMP • Under radar of most backdoor detection (Why?) • ICMP has no concept of a port Covering Tracks and Hiding 28
Loki Covering Tracks and Hiding 29
Loki • Optionally, uses UDP port 53 • Switch between ICMP/UDP on the fly • Supports encryption • Using Blowfish encryption • Diffie-Hellman key exchange • Other similar tools • CCTT and MSNShell Covering Tracks and Hiding 30
Reverse WWW Shell • Covert channel using HTTP • Reverse WWW Shell installed on machine on network • Every 60 seconds, it “phones home” • I.e,. contacts external master server • The “reverse” part: it pulls in commands • Looks like normal Web traffic Covering Tracks and Hiding 31
Reverse WWW Shell Covering Tracks and Hiding 32
Reverse WWW Shell • Sometimes username/pwd required to access Web • If known, Reverse WWW Shell can automate • Note that other protocols could be used • Reverse WWW Shell idea used by some legitimate software • E.g., remote GUI access to machine • See GoToMyPC.com Covering Tracks and Hiding 33
Covert Channels and Malware • Consider spyware to steal passwords • How to exfiltrate passwords? • Piggyback on legitimate outbound traffic • In Windows, IE is a natural choice • HTTP/HTTPS • Malware often designed as a Browser Helper Object (BHO) for IE Covering Tracks and Hiding 34
Headers as Covert Channels • Lots of room for covert channels • E.g., unused bits • But possible to be more clever • Tools • Covert_TCP • Nushu Covering Tracks and Hiding 35
IP & TCP Headers Covering Tracks and Hiding 36
Covert_TCP • Covert_TCP can make use of • IP identification • TCP sequence number • TCP ACK number • Lots of other possible covert channels • Only 3 above used by Covert_TCP • NAT or proxy will cause problems • But IP ID may still work thru NAT Covering Tracks and Hiding 37
Covert_TCP • IP identification • Insert one ASCII character • Read it at other end • TCP sequence number • Send SYN with ASCII character as initial sequence number • Reply with RESET • Ironically, RESET acts as ACK Covering Tracks and Hiding 38
Covert_TCP • TCP ACK number • Most sophisticated option • Involves server (sender), client (receiver), and unwitting “bounce server” • Data “bounces” off bounce server Covering Tracks and Hiding 39
Covert_TCP • TCP ACK number • Client send SYN packet to bounce server • Source address spoofed to client’s address • ISN is one less than desired ASCII character • Bounce server responds to client • Either SYN ACK or RESET • Either way, ISN incremented by 1 • Server recovers ASCII character (ISN) Covering Tracks and Hiding 40
Covert_TCP Covering Tracks and Hiding 41
Nushu • Uses a “passive” covert channel • Data sent from host to gateway • Embeds info in other (real) packets • Alters ISN to contain data • Assumes attacker also controls gateway • At gateway, read data from ISN and forward it • How much data can be transferred? Covering Tracks and Hiding 42
Nushu Covering Tracks and Hiding 43
Nushu Covering Tracks and Hiding 44
Nushu Covering Tracks and Hiding 45
Nushu • Implemented as Linux kernel module • Creates “issue” with seq numbers • Spse the good guys • …sniff packets on host • …and same packets elsewhere on LAN • What anomaly will they see? Covering Tracks and Hiding 46
Defenses • No effective defense against covert channels once attacker has access • So, keep attackers out • Secure configuration • Apply patches • Antivirus • Monitor for BHOs in IE Covering Tracks and Hiding 47
Defenses • Know what is normal • Good luck! • Network-based IDS • Commercial: Sourcefire Intrusion Sensors, ISS RealSecure, Cisco Secure IDS, Network Flight Recorder • Freeware: Snort Covering Tracks and Hiding 48
Conclusions Covering Tracks and Hiding 49
Summary Covering Tracks and Hiding 50