Hiding files


NTFS Data Stream

NTFS is the file system that stores every file, together with its attributes, using two data streams called NTFS data streams. The first data stream stores the security descriptor for the file, such as its permissions, and the second stores the data within the file. Alternate data streams are a further type of named data stream that can be present within each file.

FIGURE 6.56: NTFS Data Stream

An Alternate Data Stream (ADS) is any kind of data attached to a file on an NTFS system, but not held in the file itself. The Master File Table of the partition contains a list of all the data streams that a file contains and their physical locations on the disk. Alternate data streams are therefore not present in the file, but attached to it through the file table. An NTFS Alternate Data Stream (ADS) is a hidden Windows stream that contains metadata for the file such as attributes, word count, author name, and access and modification times. ADS is the ability to fork data into existing files without changing their functionality, size, or display in file browsing utilities. ADS allows an attacker to inject malicious code into files on an accessible system and execute it without being detected by the user. ADSs provide attackers with a method of hiding rootkits or hacker tools on a breached system and allow them to execute these tools while hiding from the system's administrator. Files with an ADS are impossible to detect using native file browsing techniques such as the command line or Windows Explorer. After attaching an ADS to the original file, the file size shown remains the original size regardless of the size of the attached stream. The only indication that the file was changed is the modification timestamp, which can be relatively innocuous.

Steps to create NTFS Streams:

1. Launch c:\>notepad myfile.txt:lion.txt and click 'Yes' to create the new file, enter some data, and save the file.
2. Launch c:\>notepad myfile.txt:tiger.txt and click 'Yes' to create the new file, enter some data, and save the file.
3. View the file size of myfile.txt (it should be zero).
4. To view or modify the stream data hidden in steps 1 and 2, use the following commands respectively:
   notepad myfile.txt:lion.txt
   notepad myfile.txt:tiger.txt

Note: Notepad is a stream-compliant application. You should not use alternate streams for storing any critical information.

Application Level Rootkit:

An application level rootkit operates inside the victim's computer by replacing the standard application files (application binaries) with rootkits, or by modifying the behavior of existing applications with patches, injected malicious code, and so on.

Hypervisor Level Rootkit:

Attackers create hypervisor level rootkits by exploiting hardware virtualization features such as Intel VT and AMD-V. These rootkits run in Ring -1, host the operating system of the target machine as a virtual machine, and intercept all hardware calls made by the target operating system. This kind of rootkit works by modifying the system's boot sequence so that it gets loaded instead of the original virtual machine monitor.

Boot Loader Level Rootkit:

Boot loader level rootkits (bootkits) function by either replacing or modifying the legitimate bootloader with another one. A bootkit can activate even before the operating system starts. Boot-loader-level rootkits are therefore serious threats to security, because they can help in hacking encryption keys and passwords.

Cross View-Based Detection

Cross view-based detection techniques function by assuming that the operating system has been subverted in some way. The detector enumerates the system files, processes, and registry keys by calling common APIs. The tools then compare the gathered information with a data set obtained by an algorithm that traverses the same data through low-level mechanisms. This detection technique relies upon the fact that API hooking or manipulation of kernel data structures taints the data returned by the operating system APIs, whereas the low-level mechanisms used to output the same information are free from DKOM or hook manipulation.

Integrity-Based Detection

Integrity-based detection can be regarded as a substitute for both signature- and heuristics-based detection. Initially, the user runs tools such as Tripwire, AIDE, etc. on a clean system. These tools create a baseline of clean system files and store it in a database. Integrity-based detection functions by comparing a current file system, boot records, or memory snapshot with that trusted baseline. The tools report evidence of malicious activity based on the dissimilarities between the current and baseline snapshots.

Library Level Rootkits:

Library level rootkits work higher up in the OS; they usually patch, hook, or supplant system calls with backdoor versions to conceal the attacker. They replace original system calls with fake ones to hide information about the attacker.

A few techniques adopted to defend against rootkits are:

o Reinstall the OS and applications from a trusted source after backing up the critical data
o Keep well-documented automated installation procedures
o Perform kernel memory dump analysis to determine the presence of rootkits
o Harden the workstation or server against attack
o Educate staff not to download any files or programs from untrusted sources
o Install network- and host-based firewalls and check for frequent updates
o Ensure the availability of trusted restoration media
o Update and patch operating systems and applications
o Verify the integrity of system files regularly using cryptographically strong digital fingerprint technologies
o Update antivirus and anti-spyware software regularly
o Keep anti-malware signatures up to date
o Avoid logging into an account with administrative privileges
o Adhere to the least privilege principle
o Ensure that the chosen antivirus software possesses rootkit protection
o Do not install unnecessary applications, and disable features and services not in use
o Refrain from engaging in dangerous activities on the internet
o Close any unused ports
o Periodically scan the local system using host-based security scanners
o Harden the security of the system, for example by using strong passwords, so that an attacker will not get root access to the system to install rootkits

You should do the following to defend against malicious NTFS streams:

o To delete hidden NTFS streams, move the suspected files to a FAT partition
o Use a third-party file integrity checker such as Tripwire File Integrity Monitoring to maintain the integrity of NTFS partition files against unauthorized ADSs
o Use third-party utilities that show and manipulate hidden streams, such as EventSentry or adslist.exe
o Avoid writing important or critical data to alternate data streams
o Use up-to-date antivirus software on your system
o Enable real-time antivirus scanning to protect against execution of malicious streams on your system
o Use file-monitoring software such as Stream Detector (http://www.novirusthanks.org) and ADS Detector (https://sourceforge.net/projects/adsdetector/?source=directory) to help detect the creation of additional or new data streams

You should use the LADS (https://www.aldeid.com/wiki/LADS) software as a countermeasure for NTFS streams. The latest version of lads.exe is GUI-based and reports the existence of Alternate Data Streams. It searches for either single or multiple streams, reports the presence of ADSs, and provides the full path and length of each ADS found. Other means include copying the cover file to a FAT partition and then moving it back to the NTFS partition. Because FAT file systems do not support Alternate Data Streams, this effectively removes them from the original file. LNS (http://ntsecurity.nu/toolbox/lns) and Forensic Toolkit (https://www.mcafee.com) are other tools used to detect NTFS streams. These tools are useful in forensic investigation.

Objectives of rootkit:

o To root the host system and gain remote backdoor access
o To mask the attacker's tracks and the presence of malicious applications or processes
o To gather sensitive data, network traffic, etc. from a system to which attackers might be restricted or possess no access
o To store other malicious programs on the system and act as a server resource for bot updates

Steps to detect rootkits by examining file system

1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
3. Run a clean version of WinDiff on the two sets of results to detect file-hiding ghostware (i.e., invisible from inside, but visible from outside).

Steps to detect rootkits by examining the registry

1. Run regedit.exe from inside the potentially infected operating system.
2. Export the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM hives in text file format.
3. Boot into a clean CD (such as WinPE).
4. Run regedit.exe.
5. Create a new key such as HKEY_LOCAL_MACHINE\Temp.
6. Load the Registry hives named Software and System from the suspect operating system. The default locations are c:\windows\system32\config\software and c:\windows\system32\config\system.
7. Export these Registry hives in text file format. (The Registry hives are stored in binary format, and steps 6 and 7 convert the files to text.)
8. Launch WinDiff from the CD and compare the two sets of results to detect file-hiding malware (i.e., invisible from inside, but visible from outside).

Hardware/Firmware Rootkit:

Hardware/firmware rootkits use device or platform firmware to create a persistent malware image in hardware, such as a hard drive, the system BIOS, or a network card. The rootkit hides in firmware because users do not inspect it for code integrity. A firmware rootkit therefore gives the rootkit malware a permanent, hard-to-detect foothold.

Heuristic/Behavior-Based Detection

Heuristic detection works by identifying deviations from normal operating system patterns or behaviors. This kind of detection is also known as behavioral detection. Heuristic detection is capable of identifying new, previously unidentified rootkits; this ability lies in recognizing deviations from "normal" system patterns or behaviors. Execution path hooking is one such deviation that causes heuristic-based detectors to identify rootkits.

Signature-Based Detection

Signature-based detection methods work like a rootkit fingerprint. They compare the characteristics of all system processes and executable files with a database of known rootkit fingerprints: the sequence of bytes in a file is compared with sequences of bytes that belong to known malicious programs. The method mostly scans the system files. It can also detect invisible rootkits by scanning kernel memory. Signature-based detection is less successful because rootkits tend to hide files by interrupting the execution path of the detection software.

GrayFish Rootkit

Source: http://artemonsecurity.blogspot.in

GrayFish is a Windows kernel rootkit that runs inside the Windows operating system and provides an effective mechanism for hidden storage and malicious command execution while remaining invisible. It injects its malicious code into the boot record, which handles the launching of Windows at each step. It implements its own Virtual File System (VFS) to store the stolen data and its own auxiliary information. If the rootkit driver is run on a machine and the machine is then scanned with various anti-rootkit tools, no suspicious activity is seen. This is because, by default, the rootkit sets no hooks on Windows kernel functions, unlike other rootkits. The rootkit also does not register any callback functions, for example on process creation or module loading. GrayFish does not use Windows kernel mode to monitor the system's activity or to hide files on disk. At the same time, it contains code for patching Windows kernel functions, which can be activated later.

Stream Armor

Source: http://securityxploded.com

Stream Armor is a tool used to discover hidden Alternate Data Streams (ADS) and clean them completely from your system. Its advanced auto analysis, coupled with an online threat verification mechanism, helps you eradicate any ADSs. It has a multi-threaded ADS scanner that recursively scans the entire system to quickly uncover all hidden streams. The "System" view displays all discovered streams using a specific color pattern according to threat level, which makes it easy to distinguish suspicious from normal streams. "Forensic Analysis" uncovers documents, images, audio, video, database, and archive files in the ADSs.

Snow

Source: http://www.darkside.com.au

Snow is a program for concealing messages in text files by appending tabs and spaces to the ends of lines, and for extracting messages from files containing hidden messages. Tabs and spaces are invisible to most text viewers, hence the steganographic nature of this encoding scheme. The user hides the data in the text file by appending sequences of up to seven spaces, interspersed with tabs. This usually allows three bits to be stored every eight columns. There is an alternative encoding scheme, using alternating spaces and tabs to represent zeros and ones, but it was rejected because, although it uses fewer bytes, it requires more columns per bit (4.5 vs. 2.67). An appended tab character indicates the start of the data, which allows the insertion of mail and news headers without corrupting the data.

Horse Pill

Source: http://www.pill.horse

Horse Pill is a PoC of a ramdisk-based containerizing rootkit. It resides inside the initrd and, prior to the actual init running, it puts the real init into a mount and PID namespace, which allows the rootkit to run covert processes and covert storage. This also allows it to run covert networking systems, such as DNS tunnels. It has three important moving parts:

o klibc-horsepill.patch: This is a patch to klibc, which provides run-init, which on modern Ubuntu systems runs the real init, systemd. This patches in the rootkit functionality, making a malicious run-init. This binary has a new section called DNSCMDLINE, which provides the command line options to dnscat, which is bundled within the patch.
o horsepill_setopt: This script takes in command-line arguments and puts them into the section referred to above.
o horsepill_infect: This takes the file to splat over run-init while assembling ramdisks as a command line argument. It then calls update-initramfs and splats over run-init as the ramdisk is being assembled.

StegoStick

Source: https://sourceforge.net

StegoStick is a steganographic tool that lets you hide any file in any file. It is based on image, audio, or video steganography, which hides any file or message in an image (BMP, JPG, GIF, etc.), audio/video (MPG, WAV, etc.), or any other file format (PDF, EXE, CHM, etc.).

Necurs

Source: https://www.f-secure.com

Necurs is a kernel-mode driver component that can be used by an attacker (or added as a component to another malicious program) to perform unauthorized actions and take control of an operating system without alerting the system's security mechanisms. Necurs contains backdoor functionality, allowing remote access and control of the infected computer. It monitors and filters network activity and has been observed to send spam and install rogue security software. It enables further compromise by providing the functionality to:

o Download additional malware
o Hide its components
o Stop security applications from functioning

Sirefef

Source: https://www.lifewire.com

The Sirefef malware (aka ZeroAccess) can take on many forms. It is considered a multi-component family of malware, which means that it can be implemented in a variety of different ways, such as a rootkit, virus, or Trojan horse. It gives attackers full access to your system while using stealth techniques to hide its presence from the affected device. It hides itself by altering the internal processes of the operating system so that your antivirus and anti-spyware cannot detect it. It includes a sophisticated self-defense mechanism that terminates any security-related processes that attempt to access it. Sirefef is a severe malware that can damage your computer in a variety of ways. Once installed, Sirefef can make lasting modifications to your computer's security settings and can be difficult to remove. After installation on the system, it has the capability to do the following:

o Stop Windows Firewall
o Stop the Windows Defender service
o Contact remote hosts
o Change Internet browser settings
o Create a folder to store other malware

Stinger

Source: https://www.mcafee.com

McAfee Stinger is a standalone utility used to detect and remove specific viruses. It helps administrators and users when dealing with an infected system. Stinger performs rootkit scanning and includes scan performance optimizations. It detects and removes the threats listed under the "Threat List" option in the advanced menu of the Stinger application.

Gargoyle Investigator™ Forensic Pro

Source: https://www.wetstonetech.com

Gargoyle Investigator™ Forensic Pro is a tool that conducts quick searches on a given computer for known contraband and malicious programs. The tool can find remnants of a removed program, as it searches for the individual files associated with a particular program. Its signature set contains over 20 categories, including botnets, Trojans, steganography, encryption, and keyloggers, and helps detect stego files created with BlindSide, WeavWav, S-Tools, and others. It can scan a stand-alone computer or network resources for known malicious programs, scan within archive files, and so on.

Features:

o The program can scan for known contraband and hostile programs on a stand-alone system or network resource
o It is interoperable with popular forensic tools such as EnCase™
o The program provides detailed, customizable, XML-based forensic evidence reports with secure source time stamping

How Rootkit Works

System hooking is the process of changing and replacing an original function pointer with a pointer provided by the rootkit, in stealth mode. Inline function hooking is a technique in which a rootkit changes some of the bytes of a function inside the core system DLLs (kernel32.dll and ntdll.dll), placing an instruction so that any process call hits the rootkit first.

FIGURE 6.45: Working of rootkit

Direct Kernel Object Manipulation (DKOM) rootkits are able to locate and manipulate the "system" process in kernel memory structures and patch it. This can also hide processes and ports, change privileges, and mislead the Windows Event Viewer by manipulating the operating system's list of active processes and altering data inside the PROCESS IDENTIFIERS structures. It has the ability to obtain read/write access to the \Device\PhysicalMemory object. It hides a process by unlinking it from the process list.

Runtime Execution Path Profiling

The Runtime Execution Path Profiling technique compares the runtime execution path profiles of all system processes and executable files. A rootkit adds new code near a routine's execution path, which destabilizes it. The method counts the instructions executed before and after a certain routine, since this count can differ significantly when a rootkit has hooked the routine.

Kernel Level Rootkit:

The kernel is the core of the operating system. A kernel level rootkit runs in Ring 0 with the highest operating system privileges. These rootkits install backdoors on the computer and are created by writing additional code or by substituting portions of kernel code with modified code, via device drivers in Windows or loadable kernel modules in Linux. If the kit's code contains mistakes or bugs, kernel-level rootkits affect the stability of the system. Because they have the same privileges as the operating system, they are difficult to detect, and they can intercept or subvert the operations of the operating system.

Least Significant Bit Insertion

The least-significant-bit insertion technique is the most commonly used technique of image steganography, in which the least significant bit (LSB) of each pixel holds the secret data. The LSB is the rightmost bit of each pixel of an image. In the least significant bit insertion method, the binary data of the message is broken up and inserted into the LSB of each pixel in the image file in a deterministic sequence. Modifying the LSB does not result in a noticeable difference, because the net change is minimal and can be indiscernible to the human eye. Since the LSB has very little effect on the image, detection of the change is difficult. To hide the message, first "break" it into bits, then insert each bit in place of each pixel's LSB, so that the recipient can retrieve the message easily.

NTFS Stream Manipulation

You can manipulate NTFS streams to hide a malicious file in other files, such as text files, by doing the following:

Hiding Trojan.exe (malicious program) into Readme.txt (stream): Use the following command to move the contents of Trojan.exe into a stream of Readme.txt:
c:\>type c:\Trojan.exe >c:\Readme.txt:Trojan.exe
The "type" command hides the file in an Alternate Data Stream (ADS) behind an existing file. The colon (:) operator tells the command to create or use an ADS.

Creating a link to the Trojan.exe stream inside the Readme.txt file: After hiding the file Trojan.exe behind the Readme.txt file, you need to create a link to launch Trojan.exe from the stream. This creates a shortcut for Trojan.exe in the stream.
C:\>mklink backdoor.exe Readme.txt:Trojan.exe

Executing the Trojan: Type C:\>backdoor to run the Trojan that you have hidden behind Readme.txt. Here, backdoor is the shortcut created in the previous step, which on execution installs the Trojan.

Note: Use Notepad to read the hidden file. For example, the command C:\>notepad sample.txt:secret.txt creates the secret.txt stream behind the sample.txt file.
