Monday, September 5, 2011

ALTERNATE DATA STREAMS

When dealing with network security, administrators often don't truly appreciate the lengths a sophisticated hacker will go to in order to hide his tracks. Simple defacements and script kiddies aside, a sophisticated hacker with more focused goals treats a perimeter system breach as an opportunity to progress further inside the network, or to establish a new anonymous base from which other targets can be attacked.

In order to achieve this, a sophisticated hacker needs time and resources to install what is known as a rootkit, or hacker tools with which he can execute further attacks. With this comes the need to hide the tools of his trade and to prevent the systems administrator from detecting the various hacking applications he might be running on the breached system.

One popular method used on Windows systems is the use of Alternate Data Streams (ADS).

In summary, think of an ADS as a hidden file that is attached to a visible one. The main reasons they are so dangerous are that they are not well known, they are generally hidden from the user, and few security programs can recognize them.


EXAMPLE OF AN ADS:


1) The following figure shows the executable file for the standard Windows calculator program, calc.exe, with its original size of 112KB and a date-modified time stamp of 8/4/2004 5:30 PM:



2) We then append an alternate data stream to calc.exe containing another standard Windows program, notepad.exe, as shown below:
               c:\ads>type c:\ads\notepad.exe > c:\ads\calc.exe:notepad.exe
 -NOTE: I have copied "notepad.exe" and "calc.exe" to the "ads" directory.



The figure above also shows that while notepad.exe is 68KB, the file size of calc.exe has not changed from the original 112KB. We do see, however, that the date-modified time stamp has changed.

3) Now we execute the new ADS notepad.exe using the standard start command:
                                 c:\ads>start c:\ads\calc.exe:notepad.exe

On our desktop, Notepad is launched; however, an examination of the Windows Task Manager shows only the original file name, calc.exe (see the figure above).
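The three steps above show the attacker's side; what an administrator wants is a way to find streams like this one. The PowerShell script below is an added example, not part of the original post: it attaches a harmless text stream to a sample file the same way step 2 attaches notepad.exe, confirms that the visible size does not change, and then lists every non-default stream under a directory so the hidden one stands out. It assumes PowerShell 3.0 or later (which introduced the -Stream parameter), an NTFS volume, and the directory name C:\ads taken from the post; the file name host.txt and the stream name hidden.txt are constructed for the demonstration. Note also that launching a stream with start as in step 3 worked on Windows XP; Windows Vista and later refuse it, but the stream still sits on disk, so detection remains the useful skill.

```powershell
# Added example (not from the original post): enumerate alternate data streams
# under a directory, report any stream other than the default data stream,
# and show how a stream is read and removed without executing it.
# Assumes PowerShell 3.0+ on NTFS. $Root is taken from the post's c:\ads.

param(
    [string]$Root = 'C:\ads'
)

function Get-AdsReport {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * lists every named stream of the file. ':$DATA' is the
            # ordinary content whose size Explorer and 'dir' report; anything else is
            # an alternate data stream that those tools do not show.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File        = $file.FullName
                        VisibleSize = $file.Length   # the size the post's screenshots show
                        Stream      = $_.Stream
                        StreamSize  = $_.Length      # bytes hidden in the stream
                        # Zone.Identifier is written by browsers on downloaded files and
                        # is expected; any other stream, especially one holding an
                        # executable-sized payload, deserves a closer look.
                        Suspicious  = ($_.Stream -ne 'Zone.Identifier')
                    }
                }
        }
}

# --- Constructed demonstration ------------------------------------------------
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$sample = Join-Path $Root 'host.txt'          # constructed sample host file
Set-Content -LiteralPath $sample -Value 'visible content'

# Attach a text stream, the PowerShell equivalent of the post's
# "type payload > host:stream" redirection in cmd.exe.
Set-Content -LiteralPath $sample -Stream 'hidden.txt' -Value ('x' * 4096)

# Visible size is unchanged; only LastWriteTime moves, as the post observes.
Get-Item -LiteralPath $sample | Select-Object Name, Length, LastWriteTime

# Detection: the hidden stream and its real size appear here.
Get-AdsReport -Path $Root | Format-Table -AutoSize

# Inspect the stream's bytes without running anything.
Get-Content -LiteralPath $sample -Stream 'hidden.txt' | Measure-Object -Character

# Cleanup: remove only the alternate stream; the host file's content is untouched.
Remove-Item -LiteralPath $sample -Stream 'hidden.txt'
Get-AdsReport -Path $Root    # now reports nothing for host.txt
```

From a plain cmd.exe prompt on Windows Vista and later, `dir /R` in the directory gives the same listing (each stream appears as an extra line with its own size under the host file), which is the quickest check after a suspected breach; the PowerShell version is preferable when the whole volume has to be swept and the results filtered.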
