BlackHat Windows Security 2004 Data Hiding on a Live System by Harlan Carvey

Purpose  Present/discuss different techniques for hiding data on LIVE systems (NTFS)  Address methods of preventing and detecting this activity  What is NOT covered?  Maintenance tracks, boot sector, file slack, etc.

What is being hidden?  Data  Text  Output of commands (samdump, etc.)  Executables  Programs  Games  Rootkits

Who are we hiding it from?  Other users  Administrators  Investigators/forensics analysts

Altering files  File Changes  Name  Extension  Information regarding extensions and associations is maintained in the Registry  ‘assoc’ command  File Signature (this is NOT a hash)

Altering Names/Extensions Samdump.log -> C:\winnt\system32 \MSODBC32.DLL

Altering file signatures  First 20 bytes of the file  Change JFIF/GIF89a in graphics file to something else  Executables (.exe,.dll,.sys,.ocx,.scr) begin w/ “MZ”  Sigs.pl performs signature analysis

DOS Attributes  'Attrib' command  Explorer settings  'dir' switch (dir /a[:h])  Perl ignores (opendir/readdir, glob)  hfind.exe (FoundStone)

File Splitting  File Splitting  Almost as old as DOS  Many programs available  Malicious uses

File Splitting Original File Arbitrarily sized segments

“touching” files  Alter the creation, last access, last modification dates  'touch' in Unix  Microsoft SetFileTime() API  Used to hide from search tools  dir /t[:a]  afind.exe (FoundStone)  macmatch.exe (NTSecurity.nu)

File Binding  Elite Wrap  Saran Wrap, Silk Rope

OLE/COM  MS OLE/COM API  “Structured Storage”, “Compound files”  “File system within a file”  MergeStreams Demo  May discover using “strings” or “grep”  wd.exe

NTFS Alternate Data Streams  NTFS4 (NT) and NTFS5 (2K)  Creating  Using  Running executables hidden in ADSs  NTFS4 vs. NTFS5

Creating ADSs  Type command  Type notepad.exe > myfile.txt:np.exe  Cp.exe from Resource Kit  Bind to file or directory listing  Notepad myfile.txt:hidden.txt  Notepad :hidden.txt

Executing ADSs  Running executables hidden in ADSs  Native methods  NTFS4 - ‘start’ (FoundStone)  NTFS5 - several methods

Detecting ADSs  lads.exe, by Frank Heyne (heysoft.de)  sfind.exe (FoundStone)  streams.exe (SysInternals)  ads.pl (Perl)

Encryption  PGP  Fcrypt (ntsecurity.nu)  Perl (Crypt::TripleDES)

Steganography  The art of hiding information  S-Tools4 

Registry  Licensing information  Software installation dates and information  Contains binary and string data types

"Hidden" Functionality  Registry keys  Used by various malware  The ubiquitous "Run" key  Services  ClearPagefileAtShutdown Registry key  StartUp directories

Rootkits  Kernel-mode vs. user-mode  API Hooking/DLL Injection  NTRootkit  HackerDefender (DLL Injection)  AFX Rootkit 2003 (DLL Injection)  Vanquish (DLL Injection)  FU (DKOM)

How to prevent/detect  Configuration Policies/Management  Monitoring  Event Logs  Additional monitoring applications  Scans

Questions?