5.4 Hiding Files
- Rootkits are programs that hide their own presence as well as the attacker's malicious activities, granting the attacker full access to the server or host both at that time and in the future.
- Rootkits replace certain operating system calls and utilities with their own modified versions of those routines, which in turn undermine the security of the target system and cause malicious functions to be executed.
- A typical rootkit comprises backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.
- An attacker places a rootkit by:
  - Scanning for vulnerable computers and servers on the web.
  - Wrapping it in a special package such as a game.
  - Installing it on public or corporate computers through social engineering.
  - Launching a zero-day attack (privilege escalation, buffer overflow, Windows kernel exploitation, etc.)
- Objectives of a rootkit:
  - To root the host system and gain remote backdoor access.
  - To mask the attacker's tracks and the presence of malicious applications or processes.
  - To gather sensitive data, network traffic, etc. from the system to which the attacker might otherwise be restricted or have no access.
  - To store other malicious programs on the system and act as a server resource for bot updates.
Types of Rootkits
- Hypervisor Level Rootkit: Acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a virtual machine.
  - Exploits CPU virtualization extensions such as Intel VT and AMD-V.
  - Example: Blue Pill Rootkit
- Hardware/Firmware Rootkit: Hides in hardware devices or platform firmware which is not inspected for code integrity.
- Kernel Level Rootkit: Adds malicious code or replaces original OS kernel and device driver codes.
- Boot Loader Level Rootkit: Replaces the original boot loader with one controlled by a remote attacker.
- Application Level Rootkit: Replaces regular application binaries with fake Trojans, or modifies the behavior of existing applications by injecting malicious code.
- Library Level Rootkit: Replaces original system calls with fake ones to hide information about the attacker.
How Rootkit Works
Example for XP: hxdef. It is not visible while the system is powered on; it can only be seen by powering off and using memory forensics.
- Avatar rootkit runs in the background and gives remote attackers access to an infected PC.
  - It uses a driver infection technique twice: first in the dropper, to bypass detection by HIPS, and second in the rootkit driver, to survive a system reboot.
  - The infection technique is restricted in its capability (by the code signing policy for kernel-mode modules) and works only on x86 systems.
- Necurs contains backdoor functionality, allowing remote access to and control of the infected computer.
  - It monitors and filters network activity and has been observed to send spam and install rogue security software.
  - It enables further compromise by providing the functionality to:
    - Download additional malware
    - Hide its components
    - Stop security applications from functioning
- Azazel is a userland rootkit written in C, based on the original LD_PRELOAD technique from the Jynx rootkit.
- ZeroAccess is a kernel-mode rootkit which uses advanced techniques to hide its presence.
  - It is capable of functioning on both 32- and 64-bit flavors of Windows from a single installer and acts as a sophisticated delivery platform for other malware.
  - If running under 32-bit Windows, it will employ its kernel-mode rootkit. The rootkit's purpose is to:
    - Hide the infected driver on the disk
    - Enable read and write access to the encrypted files
    - Deploy self defense
  - The payload of ZeroAccess is to connect to a peer-to-peer botnet and download further files.
- Integrity-Based Detection: Compares a snapshot of the file system, boot records, or memory with a known trusted baseline.
- Signature-Based Detection: Compares the characteristics of all system processes and executable files with a database of known rootkit fingerprints.
- Heuristic/Behavior-Based Detection: Any deviation from the system's normal activity or behavior may indicate the presence of a rootkit.
- Runtime Execution Path Profiling: Compares the runtime execution paths of all system processes and executable files before and after the rootkit infection.
- Cross View-Based Detection: Enumerates key elements of the computer system such as system files, processes, and registry keys, and compares them with a second data set generated by an algorithm that does not rely on the common APIs. Any discrepancy between the two data sets indicates the presence of a rootkit.
Steps for Detecting Rootkits
- Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
- Boot from a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive and save the results.
- Run a clean version of WinDiff on the two sets of results to detect file-hiding ghostware (i.e., files invisible from inside the OS but visible from outside).
Note: There will be some false positives. Also, this does not detect stealth software that hides in the BIOS, video card EEPROM, bad disk sectors, Alternate Data Streams, etc.
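The comparison in the steps above can be automated. The following Python script is an added example, not from the original notes: it parses two constructed "dir /s /b" captures (assumed to come from inside the running OS and from a clean boot medium against the same drive), reports paths visible only from outside (the hidden-file signal), and filters out inside-only differences that are expected false positives, such as per-session temp files. The file names are made up for the example.

```python
import re

# Constructed sample captures (not output from a real system); the two
# listings stand in for "dir /s /b" run inside the live OS and from a
# clean boot medium against the same drive.
INSIDE_LISTING = r"""
C:\Windows\System32\drivers\ntfs.sys
C:\Windows\System32\kernel32.dll
C:\Users\alice\Documents\report.docx
C:\Users\alice\AppData\Local\Temp\tmpA1B2.tmp
"""

OUTSIDE_LISTING = r"""
C:\Windows\System32\drivers\ntfs.sys
C:\Windows\System32\drivers\hiddenrk.sys
C:\Windows\System32\kernel32.dll
C:\Users\alice\Documents\report.docx
C:\ProgramData\.svc\loader.exe
"""

# Paths that legitimately differ between a live view and an offline view:
# per-session temporary files and paging/hibernation files. Trimming them
# is how the "some false positives" caveat is handled in practice.
VOLATILE_PATTERNS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\"),
    re.compile(r"^c:\\(pagefile|hiberfil|swapfile)\.sys$"),
]


def parse_listing(text):
    """Turn raw 'dir /s /b' output into a set of case-folded paths."""
    return {line.strip().casefold() for line in text.splitlines() if line.strip()}


def is_volatile(path):
    return any(p.match(path) for p in VOLATILE_PATTERNS)


def cross_view(inside_text, outside_text):
    """Return (hidden, inside_only).

    hidden: paths the clean boot sees but the live OS does not; a file that
            exists on disk yet is filtered out of the live view is the
            classic file-hiding rootkit signature.
    inside_only: paths the live OS reports that the offline view lacks,
            after dropping expected volatile paths; usually files created
            between the two captures, worth a look but rarely the rootkit.
    """
    inside = parse_listing(inside_text)
    outside = parse_listing(outside_text)
    hidden = sorted(outside - inside)
    inside_only = sorted(p for p in inside - outside if not is_volatile(p))
    return hidden, inside_only


if __name__ == "__main__":
    hidden, inside_only = cross_view(INSIDE_LISTING, OUTSIDE_LISTING)
    for path in hidden:
        print("HIDDEN FROM LIVE OS:", path)
    for path in inside_only:
        print("live-only (check):", path)
```

In real use, capture both listings to removable media so the live OS cannot alter the saved inside view, and extend VOLATILE_PATTERNS with whatever your build legitimately creates at boot.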
How to Defend against Rootkits
- Reinstall OS/applications from a trusted source after backing up the critical data.
- Well-documented automated installation procedures need to be kept.
- Perform kernel memory dump analysis to determine the presence of rootkits.
- Harden the workstation or server against the attack.
- Educate staff not to download any files/programs from untrusted sources.
- Install network and host-based firewalls.
- Ensure the availability of trusted restoration media.
- Update and patch operating systems and applications.
- Verify the integrity of system files regularly using cryptographically strong digital fingerprint technologies.
- Update antivirus and anti-spyware software regularly.
- Avoid logging in to an account with administrative privileges.
- Adhere to the least privilege principle.
- Ensure the chosen antivirus software possesses rootkit protection.
- Do not install unnecessary applications and also disable the features and services not in use.
- Stinger: Stinger scans for rootkits in running processes, loaded modules, and the registry and directory locations known to be used by malware on the machine.
- UnHackMe: UnHackMe detects and removes malicious programs (rootkits/malware/adware/spyware/Trojans).
- GMER: GMER is an application that detects and removes rootkits. (A very strong anti-rootkit tool.)
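The integrity-based detection method listed earlier and the advice above to verify system files with cryptographically strong fingerprints come down to the same mechanism: a trusted hash snapshot and a diff against it. The following Python is an added example, not from the original notes or any of the tools named above. It hashes a directory tree with SHA-256, stores the snapshot with an HMAC (under an assumed key that would be kept on offline media) so the baseline itself cannot be quietly edited, and reports added, removed and modified files against a constructed scenario in a temporary directory.

```python
import hashlib
import hmac
import json
import os
import tempfile

KEY = b"constructed-demo-key-keep-offline"  # placeholder, not a real secret


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, streamed so large binaries never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative, '/'-separated) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def sign_baseline(baseline, key):
    """Serialize the snapshot and attach an HMAC, so a rootkit that edits the
    stored baseline to match its own changes is caught. The key must stay
    off the monitored host, otherwise the HMAC adds nothing."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"baseline": baseline, "hmac": tag}


def load_signed_baseline(signed, key):
    """Verify the HMAC before trusting a stored snapshot."""
    payload = json.dumps(signed["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        raise ValueError("baseline HMAC mismatch: stored snapshot was altered")
    return signed["baseline"]


def compare(baseline, current):
    """Diff two snapshots into added / removed / modified path lists."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario in a temp directory: take a trusted snapshot, then
    simulate a replaced binary, a dropped file and a deleted log."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls binary")
        _write(root, "bin/ps", b"original ps binary")
        _write(root, "var/log/auth.log", b"login ok\n")
        signed = sign_baseline(build_baseline(root), KEY)

        _write(root, "bin/ls", b"replaced ls that filters names")  # modified
        _write(root, "bin/.helper", b"dropped file")               # added
        os.remove(os.path.join(root, "var", "log", "auth.log"))    # removed

        trusted = load_signed_baseline(signed, KEY)
        return compare(trusted, build_baseline(root))


def tampered_baseline_is_rejected():
    """Show that editing the stored snapshot without the key is detected."""
    signed = sign_baseline({"bin/ls": "00" * 32}, KEY)
    signed["baseline"]["bin/ls"] = "ff" * 32
    try:
        load_signed_baseline(signed, KEY)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("tampered baseline rejected:", tampered_baseline_is_rejected())
```

A kernel-level rootkit that hooks file reads can feed this script clean bytes for a modified binary, which is why the page's advice to run the check from trusted media (or to dump and analyze kernel memory) still applies; the hash diff is reliable only from a vantage point the rootkit does not control.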
Q1) A rootkit is a collection of tools (programs) that enable administrator-level access to a computer. This program hides itself deep into an operating system for malicious activity and is extremely difficult to detect. The malicious software operates in a stealth fashion by hiding its files, processes and registry keys and may be used to create a hidden directory or folder designed to keep out of view from a user's operating system and security software.
- User level privileges
- Ring 3 Privileges
- System level privileges
- Kernel level privileges
Q2) Which of the following are valid types of rootkits? (Choose three.)
- Hypervisor level
- Network level
- Kernel level
- Application level
- Physical level
- Data access level
Q3) How can a rootkit bypass the Windows 7 operating system's kernel-mode code signing policy?
- Defeating the scanner from detecting any code change at the kernel
- Replacing patch system calls with its own version that hides the rootkit (attacker's) actions
- Performing common services for the application process and replacing real applications with fake ones
- Attaching itself to the master boot record in a hard drive and changing the machine's boot sequence/options
Q4) Which of the following is the primary objective of a rootkit?
- It opens a port to provide an unauthorized service
- It creates a buffer overflow
- It replaces legitimate programs
- It provides an undocumented opening in a program
A4) Actually the objective of the rootkit is more to hide the fact that a system has been compromised and the normal way to do this is by exchanging, for example, ls to a version that doesn’t show the files and process implanted by the attacker.
Q5) _ is a tool that can hide processes from the process list, can hide files, registry entries, and intercept keystrokes.
- DoS tool
A5) Rootkits are tools that can hide processes from the process list, can hide files and registry entries, and intercept keystrokes.
Q6) What is the BEST alternative if you discover that a rootkit has been installed on one of your computers?
- Copy the system files from a known good system
- Perform a trap and trace
- Delete the files and try to determine the source
- Reload from a previous backup
- Reload from known good media
A6) If a rootkit is discovered, you will need to reload from known good media. This typically means performing a complete reinstall.
Q7) What is a rootkit?
- A simple tool to gain access to the root of the Windows system
- A Trojan that sends information to an SMB relay
- An invasive program that affects the system files, including the kernel and libraries
- A tool to perform a buffer overflow
A7) A rootkit is a program that modifies the core of the operating system: the kernel and libraries.
Q8) What type of attack can be disguised as an LKM?
- Spam virus
A8) A rootkit can be disguised as an LKM.
Q9) What type of rootkit will patch, hook, or replace the version of system call in order to hide information?
- Library level rootkits
- Kernel level rootkits
- System level rootkits
- Application level rootkits
A9) Library level rootkits is the correct answer. Kernel level focuses on replacing specific code, while application level will concentrate on modifying the behavior of the application or replacing application binaries. The type, system level, does not exist for rootkits.
Q10) What is the most dangerous type of rootkit?
- Kernel level
- Library level
- System level
- Application level
A10) A kernel-level rootkit is the most dangerous because it infects the core of the system.
NTFS Data Stream
- An NTFS Alternate Data Stream (ADS) is a hidden Windows stream which contains metadata for the file such as attributes, word count, author name, and the access and modification times of the file.
- ADS is the ability to fork data into existing files without changing or altering their functionality, size, or display to file browsing utilities.
- ADS allows an attacker to inject malicious code into files on an accessible system and execute it without being detected by the user.
How to Create NTFS Streams
c:\>notepad myfile.txt:lion.txt, click 'Yes' to create the new file, enter some data and save the file.
c:\>notepad myfile.txt:tiger.txt, click 'Yes' to create the new file, enter some data and save the file.
- View the file size of myfile.txt (it should be zero).
- To view or modify the stream data hidden in steps 1 and 2, use the following commands respectively:
- Multiple Stream File System:
  - File, Record:
    - ADS, ..., ..., ... (multiple entries)
- Check for NTFS hidden files:
NTFS Stream Manipulation
- To move the contents of Trojan.ext into a stream of Readme.txt:
C:\>type c:\Trojan.ext > c:\Readme.txt:Trojan.ext
- To create a link to the Trojan.exe stream inside the Readme.txt file:
C:\>mklink backdoor.exe Readme.txt:Trojan.exe
- To execute the Trojan.exe inside the Readme.txt (stream), type:
How to Defend against NTFS Streams
- To delete NTFS streams, move the suspected files to a FAT partition.
- Use a third-party file integrity checker such as Tripwire to maintain the integrity of files on an NTFS partition.
- Use programs such as LADS and ADSSpy to detect streams.
NTFS Stream Detector: StreamArmor
- Stream Armor discovers hidden Alternate Data Streams (ADS) and cleans them completely from the system.
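The stream detectors above enumerate ADS for you; the built-in "dir /r" switch (Windows Vista and later) lists streams as well, and its output can be triaged with a short script. The following Python is an added example, not part of the original notes or any of the tools named here: it parses a constructed "dir /r" capture, records each file:stream:$DATA entry, skips the benign Zone.Identifier stream that browsers attach to downloads, and flags streams with executable names or larger than their host file (which covers the myfile.txt and Readme.txt cases from the steps above). The sizes and the directory name are made up for the example.

```python
import re

# Constructed sample of "dir /r" output (Windows Vista and later list each
# alternate stream as <file>:<stream>:$DATA under its host file). Not
# captured from a real system; sizes and names are illustrative.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\drop

05/01/2024  10:00 AM    <DIR>          .
05/01/2024  10:00 AM    <DIR>          ..
05/01/2024  10:01 AM                 0 myfile.txt
                                    11 myfile.txt:lion.txt:$DATA
                                    12 myfile.txt:tiger.txt:$DATA
05/01/2024  10:02 AM                42 Readme.txt
                                73,728 Readme.txt:Trojan.exe:$DATA
05/01/2024  10:03 AM             1,024 notes.txt
                                    26 notes.txt:Zone.Identifier:$DATA
               3 File(s)          1,066 bytes
"""

# Zone.Identifier is the Mark-of-the-Web stream browsers attach to
# downloads; it is expected and must not drown out the real findings.
BENIGN_STREAMS = {"zone.identifier"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")

DIR_LINE = re.compile(r"^ Directory of (.+)$")
FILE_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(<DIR>|[\d,]+)\s+(.+)$")
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):(.+):\$DATA$")


def _size(text):
    return int(text.replace(",", ""))


def find_streams(dir_output):
    """Parse 'dir /r' text into alternate data streams, each with the list of
    reasons it looks suspicious (an empty list means nothing stood out)."""
    current_dir, host_sizes, findings = "", {}, []
    for line in dir_output.splitlines():
        m = DIR_LINE.match(line)
        if m:
            current_dir = m.group(1).rstrip("\\")
            continue
        m = FILE_LINE.match(line)
        if m:
            if m.group(1) != "<DIR>":
                host_sizes[m.group(2)] = _size(m.group(1))
            continue
        m = STREAM_LINE.match(line)
        if not m:
            continue
        size, host, stream = _size(m.group(1)), m.group(2), m.group(3)
        reasons = []
        if stream.casefold() not in BENIGN_STREAMS:
            if stream.casefold().endswith(EXECUTABLE_EXT):
                reasons.append("executable stream name")
            if size > host_sizes.get(host, 0):
                reasons.append("stream larger than its host file")
        findings.append({"path": f"{current_dir}\\{host}:{stream}",
                         "size": size, "reasons": reasons})
    return findings


def suspicious(findings):
    """Only the streams that triggered at least one rule."""
    return [f for f in findings if f["reasons"]]


if __name__ == "__main__":
    for f in suspicious(find_streams(SAMPLE_DIR_R)):
        print(f["path"], f["size"], "bytes:", ", ".join(f["reasons"]))
```

The "larger than host" rule is what catches the zero-byte myfile.txt trick from the steps above: Explorer and a plain "dir" show the file as empty while the real content lives in the streams.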
NTFS Stream Detectors
What is Steganography?
- Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain the confidentiality of data.
- Using a graphic image as the cover is the most popular method of concealing data in files.
- An attacker can use steganography to hide messages such as a list of compromised servers, the source code of a hacking tool, plans for future attacks, etc.
Classification of Steganography
- Technical Steganography
- Linguistic Steganography:
- Visual Semagram
- Text Semagrams
- Open Codes:
- Covered Ciphers:
- Null Cipher
- Grille Cipher
- Jargon Code
- Covered Ciphers:
Types of Steganography based on Cover Medium
- Image Steganography
- Document Steganography
- Folder Steganography
- Video Steganography
- Audio Steganography
- White Space Steganography: In white space steganography, the user hides the message in ASCII text by adding white spaces to the ends of lines.
- Web Steganography
- Spam/Email Steganography
- DVDROM Steganography
- Natural Text Steganography: Natural text steganography converts the sensitive information into user-definable free speech such as a play.
- Hidden OS Steganography: Hidden OS steganography is the process of hiding one operating system inside another.
- C++ Source Code Steganography: In C++ source code steganography, the user hides a set of tools in the source files.
Whitespace Steganography Tool: SNOW
- The program snow is used to conceal messages in ASCII text by appending whitespace to the end of lines.
- Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers.
- If the built-in encryption is used, the message cannot be read even if it is detected.
- In image steganography, the information is hidden in image files of different formats such as .PNG, .JPG, .BMP, etc.
- Image steganography tools replace redundant bits of image data with the message in such a way that the effect cannot be detected by the human eye.
- Image file steganography techniques:
  - Least Significant Bit Insertion
  - Masking and Filtering
  - Algorithms and Transformation
Least Significant Bit Insertion
- The rightmost bit of a pixel is called the Least Significant Bit (LSB).
- In the least significant bit insertion method, the binary data of the message is broken up and inserted into the LSB of each pixel in the image file in a deterministic sequence.
- Modifying the LSB does not result in a noticeable difference because the net change is minimal and can be indiscernible to the human eye.
- Example: Given a string of bytes
  - (00100111 11101001 11001000) (00100111 11001000 11101001) (11001000 00100111 11101001)
  - The letter "H" is represented by the binary digits 01001000. To hide this "H", the stream above can be changed to:
  - (00100110 11101001 11001000) (00100110 11001001 11101000) (11001000 00100110 11101001)
  - To retrieve the "H", combine all the LSBs: 01001000
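The worked example above, carried through in code. This Python is an added example, not from the original notes: it embeds the letter "H" into the nine cover bytes quoted above and reproduces the modified stream, extracts it again, and goes one step beyond the text by adding a length prefix so a receiver can recover a message of unknown length. The embed_message/extract_message names and the 4-byte prefix are this example's own convention, not part of any tool.

```python
def embed_lsb(cover, payload):
    """Write each payload bit (most significant first) into the least
    significant bit of successive cover bytes, in order."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d" % (len(bits), len(cover)))
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit  # clear the LSB, then set it
    return bytes(stego)


def extract_lsb(stego, n_bytes):
    """Read n_bytes back by collecting the LSB of each of the first 8*n_bytes bytes."""
    out = bytearray()
    for k in range(n_bytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[8 * k + i] & 1)
        out.append(value)
    return bytes(out)


# Beyond the single-letter example in the text: a 4-byte big-endian length
# prefix tells the receiver how many bytes to pull out.
def embed_message(cover, message):
    return embed_lsb(cover, len(message).to_bytes(4, "big") + message)


def extract_message(stego):
    length = int.from_bytes(extract_lsb(stego, 4), "big")
    return extract_lsb(stego, 4 + length)[4:]


def fmt(data):
    """Render bytes as space-separated 8-bit groups, like the worked example."""
    return " ".join(f"{b:08b}" for b in data)


def changed_bytes(a, b):
    """How many cover bytes actually changed; about half on average."""
    return sum(x != y for x, y in zip(a, b))


# The nine cover bytes from the text; "H" = 01001000 needs only eight of them.
COVER = bytes(int(b, 2) for b in (
    "00100111 11101001 11001000 00100111 11001000 11101001 "
    "11001000 00100111 11101001").split())
STEGO_FROM_TEXT = bytes(int(b, 2) for b in (
    "00100110 11101001 11001000 00100110 11001001 11101000 "
    "11001000 00100110 11101001").split())


if __name__ == "__main__":
    stego = embed_lsb(COVER, b"H")
    print(fmt(stego))
    print(extract_lsb(stego, 1), changed_bytes(COVER, stego), "of 8 bytes changed")
```

Five of the eight used bytes change here; over a long random message the expected fraction is one half, and it is exactly this equalizing of the LSB that the statistical steganalysis described later in the section picks up.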
Masking and Filtering
- Masking and filtering techniques are generally used on 24-bit and grayscale images.
- The masking technique hides data using a method similar to watermarks on actual paper, and it can be done by modifying the luminance of parts of the image.
- Masking techniques can be detected with simple statistical analysis but are resistant to lossy compression and image cropping.
- The information is not hidden in the noise but in the significant areas of the image.
Algorithms and Transformation
- Another steganography technique is to hide data in the mathematical functions used by compression algorithms.
- The data is embedded in the cover image by changing the coefficients of a transform of the image.
- For example, JPEG images use the Discrete Cosine Transform (DCT) to achieve image compression.
- Types of transformation techniques:
  - Fast Fourier transform
  - Discrete cosine transform
  - Wavelet transform
Image Steganography: QuickStego
- QuickStego hides text in pictures so that only other users of QuickStego can retrieve and read the hidden secret messages.
Image Steganography Tools
Document Steganography: wbStego
Document Steganography Tools
- Video steganography refers to hiding secret information in a carrier video file.
- In video steganography, the information is hidden in video files of different formats such as .AVI, .MPG4, .WMV, etc.
- Discrete Cosine Transform (DCT) manipulation is used to add secret data during the transformation process of the video.
- The techniques used in audio and image files are used in video files, as video consists of audio and images.
- A large number of secret messages can be hidden in video files, as every frame consists of images and sound.
Video Steganography Tools
- OmniHide PRO: OmniHide Pro hides a file within another file. Any file can be hidden within common image/music/video/document formats. The output file works just like the original source file.
- Masker: Masker is a program that encrypts your files so that a password is needed to open them, and then it hides files and folders inside of carrier files, such as image files, videos, program or sound files.
- Audio steganography refers to hiding secret information in audio files such as .MP3, .RM, .WAV, etc.
- Information can be hidden in an audio file by using LSB or by using frequencies that are inaudible to the human ear (>20,000 Hz)
- Some of the audio steganography methods are echo data hiding, spread spectrum method, LSB coding, tone insertion, phase encoding, etc.
Audio Steganography: DeepSound
- DeepSound hides secret data into audio files - wave and flac.
- It enables extracting secret files directly from audio CD tracks.
- DeepSound might be used as a copyright marking software for wave, flac, and audio CD.
- It also supports encrypting secret files using AES-256 to improve data protection.
Audio Steganography Tools
Folder Steganography: Invisible Secrets 4
- Folder steganography refers to hiding secret information in folders.
Folder Steganography Tools
Spam/Email Steganography: Spam Mimic
- Spam steganography refers to hiding information in spam messages.
Steganography Tools for Mobile Phones
- Steganography Master
- SPY PIX
- Steganalysis is the art of discovering and rendering covert messages hidden using steganography.
- Challenges of steganalysis:
  - A suspect information stream may or may not contain encoded hidden data.
  - Efficient and accurate detection of hidden content within digital images is difficult.
  - The message might have been encrypted before being inserted into a file or signal.
  - Some suspect signals or files may have irrelevant data or noise encoded into them.
  - Cracking is hard -> find the source:
Steganalysis Methods/Attacks on Steganography
- Stego-only: Only the stego-object is available for analysis.
- Known-stego: The attacker has access to the stego algorithm, the cover medium, and the stego-object.
- Known-message: The attacker has access to the hidden message and the stego-object.
- Known-cover: The attacker compares the stego-object and the cover medium to identify the hidden message.
- Chosen-message: This attack generates stego-objects from a known message using specific steganography tools in order to identify the steganography algorithm.
- Chosen-stego: The attacker has access to the stego-object and the stego algorithm.
Detecting Text and Image Steganography
- Text File:
  - For text files, alterations are made to the character positions to hide the data.
  - The alterations are detected by looking for text patterns or disturbances, the language used, and an unusual amount of blank space.
- Image File:
  - Hidden data in an image can be detected by looking for changes in size, file format, the last-modified timestamp, and the color palette that point to the existence of hidden data.
  - Statistical analysis is the method used for image scanning.
Detecting Audio and Video Steganography
- Audio File:
  - Statistical analysis can be used for detecting audio steganography, as it involves LSB modifications.
  - The inaudible frequencies can be scanned for hidden information.
  - Odd distortions and patterns show the existence of secret data.
- Video File:
  - Detection of secret data in video files combines the methods used for image and audio files.
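The text and image checks described above can be put into code. The following Python is an added example, not from the original notes: a trailing-whitespace scan for text (the trace that whitespace tools such as SNOW leave at line ends) and the chi-square "pairs of values" test on 8-bit sample values, which is the statistical analysis the notes refer to for images and for LSB audio. The cover data is constructed with a deliberately skewed histogram standing in for a natural image; the small embedding helper only exists to produce a stego sample, and the text samples are made up.

```python
import random

# ---- Text: whitespace steganography pads line ends with spaces/tabs -----
# Constructed samples: the same short note with and without trailing runs.
CLEAN_TEXT = "Quarterly numbers attached.\nPlease review before Friday.\nThanks,\nAlice\n"
STEGO_TEXT = ("Quarterly numbers attached.  \t \n"
              "Please review before Friday.\t  \t\n"
              "Thanks,\n"
              "Alice \t\t \n")


def trailing_whitespace_report(text):
    """Return (lines_with_trailing_ws, total_trailing_chars). Editors strip
    trailing whitespace and mail clients rarely add mixed space/tab runs,
    so a high count across several lines is the cue to look closer."""
    lines_hit = total = 0
    for line in text.split("\n"):
        stripped = line.rstrip(" \t")
        if len(stripped) != len(line):
            lines_hit += 1
            total += len(line) - len(stripped)
    return lines_hit, total


# ---- Image/audio: chi-square test on pairs of values (2k, 2k+1) ----------
def chi_square_pov(samples):
    """Westfeld-Pfitzmann 'pairs of values' statistic over 8-bit samples.
    In untouched data the counts of 2k and 2k+1 differ; LSB embedding of
    random-looking bits drives each pair towards equality, so the statistic
    collapses to roughly the number of pairs present."""
    counts = [0] * 256
    for value in samples:
        counts[value] += 1
    chi = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        mean = (even + odd) / 2
        if mean > 0:
            chi += (even - mean) ** 2 / mean
    return chi


def make_cover(n, rng):
    """Constructed stand-in for a natural image: 40 value pairs in which even
    values are three times as likely as odd, i.e. a skewed histogram."""
    return [2 * rng.randrange(40) + (1 if rng.random() < 0.25 else 0)
            for _ in range(n)]


def embed_random_bits(samples, rng):
    """Minimal LSB embedding of a random bit stream (an encrypted payload
    looks like this); only needed here to produce a stego sample."""
    return [(v & 0xFE) | rng.getrandbits(1) for v in samples]


def demo(n=20000, seed=7):
    """Return (chi_cover, chi_stego); the drop is the detection signal."""
    rng = random.Random(seed)
    cover = make_cover(n, rng)
    stego = embed_random_bits(cover, rng)
    return chi_square_pov(cover), chi_square_pov(stego)


if __name__ == "__main__":
    print("clean text:", trailing_whitespace_report(CLEAN_TEXT))
    print("stego text:", trailing_whitespace_report(STEGO_TEXT))
    chi_cover, chi_stego = demo()
    print(f"chi-square cover={chi_cover:.1f} stego={chi_stego:.1f}")
```

With the constructed cover the statistic is in the low thousands before embedding and in the tens afterwards; on real images the test is run over successive slices of the file so that a message occupying only the first part of the image still shows up, and a p-value rather than a raw threshold is used.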
Steganography Detection Tool: Gargoyle Investigator Forensic Pro
- Gargoyle Investigator Forensic Pro provides inspectors with the ability to conduct a quick search on a given computer or machine for known contraband and hostile programs.
- Its signature set contains over 20 categories, including Botnets, Trojans, Steganography, Encryption, Keyloggers, etc. and helps in detecting stego files created by using BlindSide, WeavWav, S-Tools, etc. steganography tools.
Steganography Detection Tools
Q1) Lori is a Certified Ethical Hacker as well as a Certified Hacking Forensics Investigator working as an IT security consultant. Lori has been hired on by Kiley Innovators, a large marketing firm that recently underwent a string of thefts and corporate espionage incidents. Lori is told that a rival marketing company came out with an exact duplicate product right before Kiley Innovators was about to release it. The executive team believes that an employee is leaking information to the rival company. Lori questions all employees, reviews server logs, and firewall logs; after which she finds nothing. Lori is then given permission to search through the corporate email system. She searches by email being sent to and sent from the rival marketing company.
She finds one employee that appears to be sending very large email to this other marketing company, even though they should have no reason to be communicating with them. Lori tracks down the actual emails sent and upon opening them, only finds picture files attached to them. These files seem perfectly harmless, usually containing some kind of joke. Lori decides to use some special software to further examine the pictures and finds that each one had hidden text that was stored in each picture.
What technique was used by the Kiley Innovators employee to send information to the rival marketing company?
- The Kiley Innovators employee used cryptography to hide the information in the emails sent
- The method used by the employee to hide the information was logical watermarking
- The employee used steganography to hide information in the picture attachments
- By using the pictures to hide information,the employee utilized picture fuzzing
Q2) Jason works in the sales and marketing department for a very large advertising agency located in Atlanta. Jason is working on a very important marketing campaign for his company's largest client. Before the project could be completed and implemented, a competing advertising company comes out with the exact same marketing materials and advertising, thus rendering all the work done for Jason's client unusable. Jason is questioned about this and says he has no idea how all the material ended up in the hands of a competitor.
Without any proof, Jason's company cannot do anything except move on. After working on another high profile client for about a month, all the marketing and sales material again ends up in the hands of another competitor and is released to the public before Jason's company can finish the project. Once again, Jason says that he had nothing to do with it and does not know how this could have happened. Jason is given leave with pay until they can figure out what is going on.
Jason's supervisor decides to go through his email and finds a number of emails that were sent to the competitors that ended up with the marketing material. The only items in the emails were attached jpg files, but nothing else. Jason's supervisor opens the picture files, but cannot find anything out of the ordinary with them. What technique has Jason most likely used?
- Stealth Rootkit Technique
- ADS Streams Technique
- Snow Hiding Technique
- Image Steganography Technique
Q3) Which Steganography technique uses Whitespace to hide secret messages?
Q4) Which of the following steganography utilities exploits the nature of white space and allows the user to conceal information in these white spaces?
- Image Hide
Q5) You work for Acme Corporation as Sales Manager. The company has tight network security restrictions. You are trying to steal data from the company's Sales database (Sales.xls) and transfer them to your home computer. Your company filters and monitors traffic that leaves from the internal network to the Internet. How will you achieve this without raising suspicion?
- Encrypt the Sales.xls using PGP and e-mail it to your personal gmail account
- Package the Sales.xls using Trojan wrappers and telnet them back your home computer
- You can conceal the Sales.xls database in another file like photo.jpg or other files and send it out in an innocent looking email or file transfer using Steganography techniques
- Change the extension of Sales.xls to sales.txt and upload them as attachment to your hotmail account
Q6) In which step Steganography fits in CEH System Hacking Cycle (SHC)
- Step 2: Crack the password
- Step 1: Enumerate users
- Step 3: Escalate privileges
- Step 4: Execute applications
- Step 5: Hide files
- Step 6: Cover your tracks
Q7) __ is found in all versions of NTFS and is described as the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer
- Alternate Data Streams
- Merge Streams
- NetBIOS vulnerability
Q8) Ricardo wants to send secret messages to a competitor company. To secure these messages, he uses a technique of hiding a secret message within an ordinary message, the technique provides 'security through obscurity'. What technique is Ricardo using?
- RSA algorithm
- Public-key cryptography
Q9) What is the process of hiding text within an image called?
- Keystroke logging
Q10) What are two methods used to hide files? (Choose all that apply.)
- NTFS file streaming
- Attrib command
- Steganography??? (This should count too.)
- Encrypted File System
Q11) To hide information inside a picture, what technology is used?
- Image Rendering
A11) Steganography is the right answer and can be used to hide information in pictures, music, or videos.
Q12) What encryption process uses one piece of information as a carrier for another?
A12) Steganography is used to conceal information inside of other information, thus making it difficult to detect.