Crouching Admin, Hidden Hacker: Techniques for Hiding and Detecting Traces
Paula Januszkiewicz, Penetration Tester, MVP: Enterprise Security, MCT, iDesign - CQURE: paula@idesign.net


TRANSCRIPT

Page 1: Title slide (title and speaker as above)

Page 2: Agenda
- Accountability
- Idea
- Delivery & Launch
- Hiding & Detecting
- Summary
(listed in the order the deck covers them; the agenda slide is repeated as a divider before each section)

Page 3: Operating System Accountability
Windows 7 is designed to be used securely:
- achieved Common Criteria Evaluation Assurance Level (EAL) 4+ certification
- its cryptographic modules are validated against Federal Information Processing Standard (FIPS) 140-2
- C2 certification (Trusted Computer System Evaluation Criteria) was held by the Windows NT line; TCSEC has since been superseded by the Common Criteria
- passed the Common Criteria certification process
All of these schemes require accountability (auditing), which is the point of the slide: every step leaves some trace!

Page 4: Agenda (repeated section divider)

Page 5: Operating System Logging Mechanisms
http://www.clearci.com
- Event Log: extendable, supported by an API
- Plain text files (.log)
- Kernel traces (Event Tracing for Windows)
- Notifications
- SQL (ODBC)
- Application related

Page 6: demo - tools: http://stderr.pl/cqure/tools.zip

Page 7: demo - Logs, Less & More Advanced
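The following is an added worked example for pages 5 to 7, not code from the deck or from its tools.zip demo. It shows the Event Log as the extensible, API-backed channel the slide describes (register a source, write an event, read it back), a plain text log beside it, and a first triage of the two records an investigator wants first: a new service installation (System log, event 7045) and process creation (Security log, event 4688). The source name CQURE-Demo, the choice of events and the property positions used are my own; the script assumes an elevated Windows PowerShell 3 or later session on Windows 7 or later.

```powershell
# Added example, not from the deck. Run elevated: registering an event source and
# reading the Security log both need administrator rights.
$source = 'CQURE-Demo'   # hypothetical source name for this demo

# 1) The Event Log is extensible: register our own source and write through the API.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType Information `
    -Message "Baseline marker written by $env:USERNAME on $env:COMPUTERNAME"

# 2) ...and read it back through the same API (Get-WinEvent talks to the Event Log service).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $source } -MaxEvents 1 |
    Format-List TimeCreated, Id, Message

# 3) Triage: a new service (System/7045) is one of the commonest persistence traces.
#    The EventData fields are taken from the event XML so the output is a proper object.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Service = $d['ServiceName']
            Image   = $d['ImagePath']
            Start   = $d['StartType']
            Account = $d['AccountName']
        }
    } | Format-Table -AutoSize

# 4) Process creation (Security/4688) exists only when the audit subcategory is enabled:
#      auditpol /set /subcategory:"Process Creation" /success:enable
#    Properties[1] is SubjectUserName and Properties[5] is NewProcessName in the 4688 layout.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Image';   e = { $_.Properties[5].Value } },
        @{ n = 'Subject'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize

# 5) Plain text logs still matter: PnP driver installations are written to setupapi.dev.log.
Select-String -Path "$env:SystemRoot\inf\setupapi.dev.log" -Pattern 'Device Install' -ErrorAction SilentlyContinue |
    Select-Object -Last 5 | ForEach-Object { $_.Line }
```

Event 4688 is empty until the Process Creation audit subcategory is switched on, which is why the auditpol line sits in the comment; the Application log write in step 1 is the kind of marker a baseline run can leave so that later investigation has a known-good timestamp to anchor on.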

Page 8: Hacker's Delivery
http://www.batwinas.com
Binaries are delivered:
- with files from the Internet
- on removable media
- through the LAN
- through offline access (the disk is modified while the operating system is not running)
- by manipulating legitimate files
- using vulnerabilities, e.g. buffer overflows

Page 9: demo - Replacing Files
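An added example for pages 8 and 9, not code from the deck's demo: one pass over a folder that reports files carrying the Internet mark (a Zone.Identifier stream with ZoneId 3 or 4, which Windows attaches to downloads, mail attachments and files extracted from such archives) and executables whose Authenticode signature no longer verifies, which is what a replaced legitimate file looks like on disk. The default folder, the extension list and the output columns are my choices; the script assumes an NTFS volume and Windows PowerShell 3 or later, which added the -Stream parameter.

```powershell
# Added example, not from the deck. Reports two delivery/replacement traces in one pass:
#  - a Zone.Identifier alternate data stream with ZoneId 3 (Internet) or 4 (Restricted)
#    means the file came in through a Mark-of-the-Web-aware path (browser, mail, archive);
#  - an executable whose Authenticode signature does not verify (NotSigned, HashMismatch, ...)
#    is a candidate "legitimate file that was replaced".
# Assumptions: NTFS, Windows PowerShell 3+; $Path is this script's own parameter.
param([string]$Path = "$env:USERPROFILE\Downloads")

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '^\.(exe|dll|sys|scr|ps1|vbs|js|jar|msi)$' } |
    ForEach-Object {
        $zone = $null
        try {
            # The stream is an INI fragment: "[ZoneTransfer]" followed by "ZoneId=3".
            $line = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop |
                    Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
            if ($line) { $zone = [int]$line.Substring(7) }
        } catch { }   # no stream: the file did not arrive through a MOTW-aware path
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            ZoneId    = $zone
            Signature = [string]$sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            LastWrite = $_.LastWriteTimeUtc
        }
    } |
    Where-Object { $_.ZoneId -ge 3 -or $_.Signature -ne 'Valid' } |
    Sort-Object LastWrite -Descending |
    Format-Table -AutoSize
```

Point $Path at $env:SystemRoot\System32 to hunt for replaced system files, with one caveat: most Windows binaries are catalog-signed rather than embedded-signed, and older Windows PowerShell releases report those as NotSigned because they only check embedded signatures, so on Windows 7 pair this with sigcheck or sfc /verifyonly rather than treating every NotSigned hit as a replacement.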

Page 10: demo - "Vulnerabilities"

Page 11: demo - Services & ACLs

Page 12: Launching Evil Code
- Cheating the administrator
- Using automated ways: Explorer, Services, Drivers, DLLs
- Replacing files
- Path manipulation
- Injecting code
- Hooking calls

Page 13: demo - Services (In)Security
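An added example for pages 11 and 13 (and the path manipulation bullet on page 12), not code from the deck's demo: an enumeration of services whose binary, directory or registry key is writable by ordinary users, plus the unquoted-path case, where the Service Control Manager tries C:\Program.exe, C:\Program Files\My.exe and so on before reaching the real binary. The list of "any user" SIDs and the rights mask are my own choices; the script only reads, so it runs as a standard user on Windows PowerShell 3 or later.

```powershell
# Added example, not from the deck. Finds services an attacker can hijack without needing to
# change the service configuration: (a) the binary, its directory or its registry key is writable
# by ordinary users, (b) the ImagePath is unquoted and contains spaces.
# Assumptions: Windows PowerShell 3+; read-only, so a standard user can run it.

# Identities that mean "any user": Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE.
$weakSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')
# File and registry rights share these bit positions: WriteData/SetValue (0x2),
# DeleteSubdirectoriesAndFiles (0x40), Delete (0x10000), WriteDAC (0x40000), WriteOwner (0x80000),
# GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000). AppendData (0x4, "create folders") is
# deliberately left out: it is what users hold on C:\ and does not let them drop a file there.
$writeMask = 0x2 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Test-WritableByUsers([string]$path) {
    try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries do not apply to this object itself, only to children.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        $sid = $ace.IdentityReference.Value
        if ($ace.IdentityReference -is [System.Security.Principal.NTAccount]) {
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
        }
        if ($weakSids -notcontains $sid) { continue }
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) { [int]$ace.FileSystemRights } else { [int]$ace.RegistryRights }
        if (($rights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-HijackPaths([string]$exe) {
    # Every space in an unquoted path is a point where CreateProcess tries a shorter name first.
    $parts = $exe -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
}

Get-CimInstance Win32_Service | ForEach-Object {
    $raw = $_.PathName
    if (-not $raw) { return }
    if ($raw.StartsWith('"')) {
        $end = $raw.IndexOf('"', 1); if ($end -lt 0) { $end = $raw.Length }
        $exe = $raw.Substring(1, $end - 1); $unquoted = $false
    } else {
        $i = $raw.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
        $exe = if ($i -ge 0) { $raw.Substring(0, $i + 4) } else { $raw }   # strip "-k netsvcs" style arguments
        $unquoted = $exe.Contains(' ')
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
    $dir = Split-Path -Parent $exe
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
    $hijack = @()
    if ($unquoted) {
        $hijack = @(Get-HijackPaths $exe | Where-Object { Test-WritableByUsers (Split-Path -Parent $_) })
    }
    [pscustomobject]@{
        Service        = $_.Name
        RunsAs         = $_.StartName
        Binary         = $exe
        BinaryWritable = Test-WritableByUsers $exe
        DirWritable    = Test-WritableByUsers $dir
        KeyWritable    = Test-WritableByUsers $key
        Unquoted       = $unquoted
        HijackPaths    = ($hijack -join '; ')
    }
} | Where-Object { $_.BinaryWritable -or $_.DirWritable -or $_.KeyWritable -or $_.HijackPaths } |
    Format-Table -AutoSize
```

A hit in KeyWritable means the ImagePath itself can be rewritten; BinaryWritable or DirWritable means the file the SCM starts can be swapped; HijackPaths lists the short names an attacker could plant for an unquoted path. The ACL test skips inherit-only entries so C:\ (where users may create folders but not files) does not appear as a false positive, and it does not expand group membership beyond the listed well-known SIDs, so a custom group that happens to contain every user will be missed.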

Page 14: demo - From A to Z: DLLs

Page 15: demo - Stuxnet Drivers

Page 16: Areas of Focus
Problem: too much information to control.
Solution: select the areas with the highest probability of infection:
- DLLs
- Services
- Executables
- Drivers
This approach works as a first step.

Page 17: Agenda (repeated section divider)

Page 18: Dirty Games: Protection Mechanisms
Protected processes were introduced in Windows Vista as part of Digital Rights Management (protected media playback).
Protection is provided in two ways:
- an extension to the EPROCESS structure: the ProtectedProcess bit
- a signing policy: only images signed for that purpose may run as protected processes
Other processes, even ones running as administrator with SeDebugPrivilege, are denied the access rights needed to read a protected process's memory or inject code into it.

Page 19: demo - Protected Processes

Page 20: Dirty Games: Hiding Mechanisms
Bypassing the neighbouring process objects: "pointing the pointer", i.e. manipulating the nt!_EPROCESS ActiveProcessLinks entries so that the list skips the hidden process (direct kernel object manipulation).
- Does not affect software operation: the scheduler works from thread lists, not from ActiveProcessLinks
- Threads are still visible

Page 21: demo - Hidden Processes
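An added example for pages 20 and 21, not the deck's demo: the cross-view check that follows from "threads are still visible". A process unlinked from ActiveProcessLinks disappears from every enumeration that walks the list, but its threads keep their entries in the kernel's client-ID table, so OpenThread by thread ID still succeeds and GetProcessIdOfThread names the owner. The upper bound $MaxId, the access right used and the output format are my choices; the script assumes Windows Vista or later and an elevated session.

```powershell
# Added example, not from the deck. Unlinking an _EPROCESS from ActiveProcessLinks hides it from
# everything that walks that list (Task Manager, tasklist, Get-Process, NtQuerySystemInformation).
# Its threads, however, are still reachable by ID through the CID table, so brute-forcing
# OpenThread() and mapping each thread back to its owner gives a second, independent process view.
# Assumptions: Windows Vista+ (GetProcessIdOfThread), run elevated so SYSTEM-owned threads open;
# $MaxId is my bound, not a documented limit (IDs are allocated in steps of 4 and can exceed it).
param([int]$MaxId = 0x20000)

Add-Type -Namespace Win32 -Name Thread -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
[DllImport("kernel32.dll")]
public static extern uint GetProcessIdOfThread(IntPtr hThread);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr hObject);
'@
$THREAD_QUERY_LIMITED_INFORMATION = 0x0800   # enough to ask for the owning PID

# The "official" view: what the process-enumeration API reports.
$visible = @{}
foreach ($p in Get-Process) { $visible[[int]$p.Id] = $p.ProcessName }

# The cross view: every thread we can open, counted per owning PID.
$threadsByPid = @{}
for ($tid = 4; $tid -lt $MaxId; $tid += 4) {
    $h = [Win32.Thread]::OpenThread($THREAD_QUERY_LIMITED_INFORMATION, $false, [uint32]$tid)
    if ($h -eq [IntPtr]::Zero) { continue }          # no such thread, or access denied
    $owner = [int][Win32.Thread]::GetProcessIdOfThread($h)
    [void][Win32.Thread]::CloseHandle($h)
    if ($owner -ne 0) { $threadsByPid[$owner] = 1 + [int]$threadsByPid[$owner] }
}

$report = foreach ($owner in ($threadsByPid.Keys | Sort-Object)) {
    [pscustomobject]@{
        PID     = $owner
        Threads = $threadsByPid[$owner]
        Listed  = $visible.ContainsKey($owner)
        Name    = if ($visible.ContainsKey($owner)) { $visible[$owner] } else { '<not in process list>' }
    }
}
"Threads opened: $(($threadsByPid.Values | Measure-Object -Sum).Sum) across $($threadsByPid.Count) PIDs; " +
"$($visible.Count) PIDs in the official list."
$report | Where-Object { -not $_.Listed } | Format-Table -AutoSize
```

A PID that shows up only in the brute-force view and owns several live threads is the signature of a DKOM-hidden process. The check has blind spots of its own: a rootkit that also hooks NtOpenThread (page 22) or scrubs the CID table hides from it, threads of a process that exited during the scan may be miscounted, and IDs above $MaxId are never probed, so treat it as one view among several rather than proof of absence.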

Page 22: Dirty Games: Hooks
http://www.lukechueh.com/
- Allow running our code instead of the system code
- Work on running code
- Allow intercepting API calls
- Do not require special privileges (true for user-mode hooks inside a process the attacker can already write to; kernel hooks still need a loadable driver)
- Useful for developers... and for the 'bad guys & girls'

Page 23: demo - Hooking
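An added example for pages 22 and 23, not the deck's hooking demo: a check for inline hooks on the ntdll system-call stubs mapped into the current process. On x64 the stubs are uniform (mov r10,rcx ; mov eax,<syscall number> ; syscall), so anything else at the entry point is a patch, and a jump there is the usual footprint of a user-mode hook placed by an injected DLL. The set of functions inspected is mine; the script assumes 64-bit Windows PowerShell on an x64 system.

```powershell
# Added example, not from the deck. A user-mode hook normally overwrites the first bytes of an
# exported function with a jump into the hook. Every x64 ntdll Nt*/Zw* stub begins with
#   4C 8B D1        mov r10, rcx
#   B8 nn nn 00 00  mov eax, <syscall number>
# so an entry point that starts with E9 (jmp rel32), FF 25 (jmp [rip+disp32]) or 48 B8 .. FF E0
# (mov rax, imm64 ; jmp rax) has been patched. This reads the copy of ntdll in our own process.
# Assumptions: 64-bit Windows PowerShell on x64; the function list below is my choice.
Add-Type -Namespace Win32 -Name Module -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@
if (-not [Environment]::Is64BitProcess) { throw 'Run from 64-bit PowerShell; the prologue check is x64-specific.' }

$ntdll = [Win32.Module]::GetModuleHandle('ntdll.dll')
# Functions a rootkit hooks to hide processes, files, registry keys, or to watch injection APIs.
$watch = 'NtOpenProcess', 'NtOpenThread', 'NtQuerySystemInformation', 'NtQueryDirectoryFile',
         'NtEnumerateValueKey', 'NtCreateFile', 'NtWriteVirtualMemory', 'NtProtectVirtualMemory',
         'NtCreateThreadEx', 'NtReadVirtualMemory'

$results = foreach ($fn in $watch) {
    $addr = [Win32.Module]::GetProcAddress($ntdll, $fn)
    if ($addr -eq [IntPtr]::Zero) { continue }
    $b = New-Object byte[] 12
    [Runtime.InteropServices.Marshal]::Copy($addr, $b, 0, $b.Length)   # our own address space, no ReadProcessMemory needed
    $verdict = 'unexpected prologue, inspect'
    if ($b[0] -eq 0xE9) { $verdict = 'HOOKED (jmp rel32)' }
    if ($b[0] -eq 0xFF -and $b[1] -eq 0x25) { $verdict = 'HOOKED (jmp [rip+disp32])' }
    if ($b[0] -eq 0x48 -and $b[1] -eq 0xB8) { $verdict = 'HOOKED (mov rax,imm64)' }
    if ($b[0] -eq 0x4C -and $b[1] -eq 0x8B -and $b[2] -eq 0xD1 -and $b[3] -eq 0xB8) { $verdict = 'clean' }
    $sysno = if ($verdict -eq 'clean') { [BitConverter]::ToUInt16($b, 4) } else { $null }
    [pscustomobject]@{
        Function = $fn
        Syscall  = $sysno
        Verdict  = $verdict
        Bytes    = ($b | ForEach-Object { $_.ToString('X2') }) -join ' '
    }
}
$results | Format-Table -AutoSize
```

A hooked NtQuerySystemInformation or NtQueryDirectoryFile is how a user-mode rootkit hides processes or files from whatever tool calls them, which is why detection tools compare the in-memory stub against the on-disk ntdll. This check sees only hooks in its own process; inspecting another process means reading the same bytes with ReadProcessMemory, and a kernel-mode hook (SSDT or inline in ntoskrnl) is invisible to it entirely.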

Page 24: 3 of the 10 Immutable Laws of Security

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Page 25: demo - Passwords in the Operating System

Page 26: Agenda (repeated section divider)

Page 27: Summary
- Learn how to detect malicious situations
- Know your system when it is safe: you need a baseline
- If you detect a successful attack, do not try to fight
- Report the issue
- Format your drive (once a disk image has been preserved for analysis; by Law #2 an altered operating system cannot be trusted to clean itself)
- Estimate the range of the attack
- Know how to recover your data when necessary
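An added example serving page 16 (areas of focus) and the summary above, not code from the deck: a baseline of the four focus areas, stored as JSON and compared on later runs. Services and drivers come from the Service Control Manager's view, executables and DLLs from what is actually mapped in running processes; each unique file is recorded with its SHA-256 and Authenticode status, and a later run reports what is new, modified or gone. The file name, field names and comparison rules are my own; the script assumes an elevated 64-bit Windows PowerShell 4 or later session (Get-FileHash).

```powershell
# Added example, not from the deck. Inventories DLLs, services, executables and drivers
# (path, SHA-256, Authenticode status), saves the result as a baseline, and on later runs diffs
# the current inventory against it.
# Assumptions: Windows PowerShell 4+, 64-bit, elevated (so every process's module list is readable);
# $BaselinePath and the record layout are mine.
param(
    [string]$BaselinePath = "$env:ProgramData\focus-baseline.json",
    [switch]$Update
)

function Resolve-ImagePath([string]$raw) {
    # ImagePath values come quoted, with arguments, with %vars%, or as \SystemRoot\ / \??\ paths.
    if (-not $raw) { return $null }
    if ($raw.StartsWith('"')) {
        $end = $raw.IndexOf('"', 1); if ($end -lt 0) { $end = $raw.Length }
        $p = $raw.Substring(1, $end - 1)
    } else {
        $i = $raw.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
        $p = if ($i -ge 0) { $raw.Substring(0, $i + 4) } else { $raw }
    }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    if (Test-Path -LiteralPath $p) { return $p }
    return $null
}

function Get-FocusInventory {
    $items = New-Object 'System.Collections.Generic.List[object]'
    foreach ($s in (Get-CimInstance Win32_Service)) {
        $p = Resolve-ImagePath $s.PathName
        if ($p) { $items.Add([pscustomobject]@{ Area = 'Service'; Name = $s.Name; Path = $p }) }
    }
    foreach ($d in (Get-CimInstance Win32_SystemDriver)) {
        $p = Resolve-ImagePath $d.PathName
        if ($p) { $items.Add([pscustomobject]@{ Area = 'Driver'; Name = $d.Name; Path = $p }) }
    }
    foreach ($proc in (Get-Process)) {
        try { $mods = @($proc.Modules) } catch { continue }   # protected process or access denied: skip
        foreach ($m in $mods) {
            $area = if ($m.ModuleName -match '\.exe$') { 'Executable' } else { 'DLL' }
            $items.Add([pscustomobject]@{ Area = $area; Name = $m.ModuleName; Path = $m.FileName })
        }
    }
    # One record per file on disk, with hash and signature status.
    foreach ($it in ($items | Sort-Object Path -Unique)) {
        try { $hash = (Get-FileHash -LiteralPath $it.Path -Algorithm SHA256 -ErrorAction Stop).Hash }
        catch { $hash = 'unreadable' }
        $sig = Get-AuthenticodeSignature -LiteralPath $it.Path -ErrorAction SilentlyContinue
        [pscustomobject]@{ Area = $it.Area; Name = $it.Name; Path = $it.Path; Sha256 = $hash; Signature = [string]$sig.Status }
    }
}

$current = @(Get-FocusInventory)
if ($Update -or -not (Test-Path -LiteralPath $BaselinePath)) {
    ConvertTo-Json -InputObject $current -Depth 2 | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    "Baseline written: $($current.Count) files -> $BaselinePath"
    return
}

$base = @{}; foreach ($b in @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) { $base[$b.Path] = $b }
$now  = @{}; foreach ($c in $current) { $now[$c.Path] = $c }

$findings = @(foreach ($c in $current) {
    $b = $base[$c.Path]
    if (-not $b) { [pscustomobject]@{ Change = 'NEW'; Area = $c.Area; Path = $c.Path; Signature = $c.Signature } }
    elseif ($b.Sha256 -ne $c.Sha256) { [pscustomobject]@{ Change = 'MODIFIED'; Area = $c.Area; Path = $c.Path; Signature = $c.Signature } }
})
$findings += @(foreach ($p in $base.Keys) {
    if (-not $now.ContainsKey($p)) { [pscustomobject]@{ Change = 'GONE'; Area = $base[$p].Area; Path = $p; Signature = $base[$p].Signature } }
})
if ($findings.Count -eq 0) { 'No change against baseline.' } else { $findings | Sort-Object Change, Area, Path | Format-Table -AutoSize }
```

Take the baseline while the machine is known-good and keep the JSON off the box, since by Law #2 a compromised system can rewrite its own baseline as easily as anything else. A Valid signature is not a clean bill of health on its own: the Stuxnet drivers of page 15 carried valid signatures made with certificates stolen from legitimate hardware vendors, so compare signers as well as hashes when a MODIFIED or NEW driver turns up.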

Page 28: Related Content
Breakout Sessions: SIA203, SIA311, SIA304, SIA307
Find me later at the TLC

Page 29: Resources
- Connect. Share. Discuss.: http://europe.msteched.com
- Learning, Microsoft Certification & Training Resources: www.microsoft.com/learning
- TechNet, Resources for IT Professionals: http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn

Page 30: Evaluations
Submit your evals online: http://europe.msteched.com/sessions

Page 31: © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.