Windows Systems and Signs of Compromise

Prepared By: Rami Al_Khatib and Omar Al_Zyadat
Supervised By: Dr. Lo’ai Tawlabeh
New York Institute of Technology (NYIT), Jordan campus, 2006



Introduction

Note that none of the following is valid if you intend to use the results in a law enforcement action: the steps below are carried out on the live system and change it, so they do not preserve evidence.

There are many ways of compromising any computer system, such as:

- The machine was unpatched against a certain vulnerability.
- The user is using weak passwords (particularly on Windows shares).
- The user 'clicked on the wrong thing'.

Introduction (cont.)

It is important to analyze the system to work out how the intruders got in, as this will give you the means to prevent entry in the future.

What to do?

Before you begin, one piece of advice: DON'T PANIC!

Remove any physical network connection by unplugging the network cable. This stops the intruder using the machine (and the machine attacking others) while you work, at the cost of dropping any live connections you might have wanted to observe.

Contact your network administrators, because they may have faced the same problem.

What to do?

Take a notebook (a paper one, not electronic) and use it to record notes such as:

- Time and date.
- Your IP address and machine name.
- The time zone the machine's clock is set to.
- Installed patches.
- The authorized user accounts.
- How the problem was detected.

What to do?

One of the best ways to regain control is to reboot the system into Safe Mode. Windows does not normally process the Run keys in Safe Mode, so a large number of Run-key-based malware is prevented from loading when the machine starts. Bear in mind that rebooting discards volatile evidence (running processes, open network connections, memory contents), so record those first if you can.

This gives the user enough control over the machine to perform clean-up tasks.

Checking File System

There are well-known tricks for hiding malware on Windows systems; these include manipulation of the file system.

Checking File System

The Recycled folder carries the system and hidden attributes, so it will not show up by default and is not searched by default.

Which leads us on to system and hidden folders. These are attributes that intruders can set very easily (attrib +s +h), so in Folder Options you should turn off "Hide protected operating system files" and turn on "Show hidden files and folders".

Checking File System

Running cmd.exe can often be the most powerful way of looking at a Windows file system.

Changing directory to c:\winnt\system32 (c:\windows\system32 on XP) and running "dir /o:d" sorts the listing by date, so one can quickly see when the majority of the OS was installed. "dir /t:c /o:d" does the same on creation time rather than last-write time, which is usually what you want when looking for new arrivals.

Now you can find out when the OS was installed and when the majority of the applications were installed; anything dated outside those clusters deserves a look.

Checking File System

The other useful tool that comes with Windows is the search function. This can be used if you have an idea of the date and time the intrusion took place.

Use the advanced options to include hidden folders and system files in the search.

This of course assumes that the search feature itself has not been tampered with.

Checking File System

Intruders have a high propensity to give files and folders legitimate-looking names.

Do not be surprised to see nvsvc32.exe or serv1ces.exe in the system32 folder (a digit 1 standing in for the letter l in services.exe).

The aim is obfuscation, and it goes hand in hand with hiding their automatic startup services.
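As an added example (my code, not material from the original slides), the following PowerShell script does the checks described above from a script rather than by eye: it derives the OS install baseline from the creation dates in System32, lists recently created executables, lists executables carrying the Hidden or System attribute, and looks for lookalike names where a digit stands in for a letter. The $SystemDir and $RecentDays parameters and the digit-to-letter mapping are my assumptions; point $SystemDir at a mounted copy of the drive if you do not want to run it on the suspect box.

```powershell
# Added example, not from the original slides. Assumes the live System32
# directory unless -SystemDir points elsewhere (e.g. a mounted image).
function Get-System32Triage {
    param(
        [string]$SystemDir = (Join-Path $env:SystemRoot 'System32'),
        [int]$RecentDays = 30
    )
    $files = @(Get-ChildItem -LiteralPath $SystemDir -File -Force -ErrorAction SilentlyContinue)
    $exts  = '.exe', '.dll', '.sys', '.bat', '.cmd', '.vbs', '.scr'
    $bins  = @($files | Where-Object { $exts -contains $_.Extension.ToLower() })

    # 1. Install baseline: the day on which most files were created is the OS
    #    install date, which is what "dir /t:c /o:d" shows you by eye.
    $busiest = $files | Group-Object { $_.CreationTime.Date } |
               Sort-Object Count -Descending | Select-Object -First 1
    $installDate = if ($busiest) { $busiest.Group[0].CreationTime.Date } else { [datetime]::MinValue }

    # 2. Executables created recently, i.e. well after the install baseline.
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    $recent = @($bins | Where-Object { $_.CreationTime -ge $cutoff })

    # 3. Executables with Hidden or System set: attributes an installer rarely
    #    puts on a program file but an intruder sets with "attrib +s +h".
    $hidden = @($bins | Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -or
        (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
    })

    # 4. Lookalike names (serv1ces.exe): map common digit-for-letter swaps back
    #    and see whether the result names a *different* file in the directory.
    $present = @{}
    foreach ($f in $files) { $present[$f.Name.ToLower()] = $true }
    $lookalike = @($bins | Where-Object {
        $n = $_.Name.ToLower()
        $canon = $n -replace '1', 'l' -replace '0', 'o' -replace '3', 'e' -replace '5', 's'
        ($canon -ne $n) -and $present.ContainsKey($canon)
    })

    [pscustomobject]@{
        InstallDate = $installDate
        Recent      = $recent
        Hidden      = $hidden
        Lookalike   = $lookalike
    }
}

$t = Get-System32Triage -RecentDays 30
"Install baseline (most common creation date): {0:yyyy-MM-dd}" -f $t.InstallDate
"--- executables created in the last 30 days ---"
$t.Recent    | Select-Object Name, CreationTime, LastWriteTime, Length | Format-Table -AutoSize
"--- hidden/system attribute set ---"
$t.Hidden    | Select-Object Name, Attributes, CreationTime | Format-Table -AutoSize
"--- lookalike names ---"
$t.Lookalike | Select-Object Name, CreationTime | Format-Table -AutoSize
```

Creation timestamps are trivially forged by an intruder who bothers, so treat the baseline and the "recent" list as a quick first cut rather than proof; the attribute and lookalike checks do not depend on timestamps and hold up better.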

Checking File System

Other places to look for things starting up are in the registry, specifically any of the keys below under HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER or HKEY_USERS\.DEFAULT:

\Software\Microsoft\Windows\CurrentVersion\Run
\Software\Microsoft\Windows\CurrentVersion\RunOnce
\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
\Software\Microsoft\Windows\CurrentVersion\RunServices
\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Note that RunServices and RunServicesOnce are only processed by Windows 95/98/Me; on NT-based systems (2000/XP) look at the Services key under HKLM\SYSTEM\CurrentControlSet\Services instead. In the Winlogon key the values to check are Shell (normally explorer.exe) and Userinit (normally c:\windows\system32\userinit.exe, with a trailing comma), which intruders overwrite to get their code started at logon.
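As an added example (not the slides' own material), here is a PowerShell script that walks the autostart locations just listed for HKLM, HKCU and HKU\.DEFAULT, including the numbered subkeys that RunOnceEx uses and the Shell, Userinit and Taskman values under Winlogon, and flags entries whose executable cannot be found on disk or lives outside the Windows and Program Files directories. The flagging rule is a heuristic of my own, not something the slides define.

```powershell
# Added example, not part of the original slides. Enumerates the Run-family
# keys and Winlogon values for HKLM, HKCU and HKU\.DEFAULT.
function Get-AutostartEntries {
    $runKeys = 'Run', 'RunOnce', 'RunOnceEx', 'RunServices', 'RunServicesOnce' |
        ForEach-Object { "Software\Microsoft\Windows\CurrentVersion\$_" }

    # PowerShell has no HKU: drive by default; HKU\.DEFAULT is the profile
    # used before anyone logs on (and by some services).
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    foreach ($hive in 'HKLM:', 'HKCU:', 'HKU:\.DEFAULT') {
        foreach ($sub in $runKeys) {
            $path = "$hive\$sub"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            # RunOnceEx keeps its commands in numbered subkeys, so walk the
            # key itself plus everything beneath it.
            $keys = @(Get-Item -LiteralPath $path) +
                    @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)
            foreach ($k in $keys) {
                foreach ($name in $k.GetValueNames()) {
                    [pscustomobject]@{
                        Location = $k.Name
                        Name     = $name
                        Command  = [string]$k.GetValue($name)
                    }
                }
            }
        }
    }

    # Winlogon values that malware commonly rewrites to get started at logon.
    $wlKey = Get-Item -LiteralPath 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in 'Shell', 'Userinit', 'Taskman') {
        $v = [string]$wlKey.GetValue($name, '')
        if ($v) { [pscustomobject]@{ Location = $wlKey.Name; Name = $name; Command = $v } }
    }
}

function Test-AutostartCommand {
    param([string]$Command)
    # First token is the executable: a quoted path, or everything up to the
    # first space. Commands like "rundll32 foo.dll,Entry" resolve through
    # PATH, so they come out as not-found and deserve a manual look anyway.
    $exe = ''
    if ($Command -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($Command -match '^\s*(\S+)')  { $exe = $Matches[1] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # Assumed "expected" locations; anything else is worth a second look.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
               Where-Object { $_ } | ForEach-Object { $_.ToLower().TrimEnd('\') + '\' }
    $inTrusted = $false
    foreach ($dir in $trusted) { if ($exe.ToLower().StartsWith($dir)) { $inTrusted = $true } }

    $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
    [pscustomobject]@{ Executable = $exe; Exists = $exists; InTrustedDir = $inTrusted }
}

Get-AutostartEntries | ForEach-Object {
    $check = Test-AutostartCommand $_.Command
    $_ | Add-Member -NotePropertyName Exists -NotePropertyValue $check.Exists -PassThru |
         Add-Member -NotePropertyName InTrustedDir -NotePropertyValue $check.InTrustedDir -PassThru
} | Sort-Object InTrustedDir, Exists |
    Format-Table Location, Name, Command, Exists, InTrustedDir -AutoSize -Wrap
```

Entries with Exists = False and InTrustedDir = False sort to the top. A kernel rootkit that hides registry keys hides them from this script as well, since it reads the live registry through the same API; comparing against the hive files read offline is the way round that.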

Checking File System

Do not rely on anti-virus products alone to detect malware, for a number of reasons:

- Malware continually evolves, and you may have something on the machine which has yet to be included in your anti-virus product's database.
- A number of infections have ways of turning off virus protection.
- A number of the programs used in a compromise are legitimate but used in an illegitimate way.

Batch Files

The current trend is for compromises very rarely to be against single boxes; they are more often against dozens of machines (within your campus) and hundreds or thousands across the Internet.

For this reason the act of compromising a machine is automated as far as possible.

Batch Files

These batch files can be called anything; all the intruder needs to do is run them.

The .bat files can be very simple (adding registry entries) or quite complex scripts which change the very setup of Windows and its security.

Batch Files

If you have the date and time of the compromise, you can search for .bat files created within that timescale.

The next few lines of one such batch file read:

    dtreg -AddKey \HKLM\SYSTEM\RAdmin
    dtreg -AddKey \HKLM\SYSTEM\RAdmin\v2.0
    dtreg -AddKey \HKLM\SYSTEM\RAdmin\v2.0\Server
    dtreg -AddKey \HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters

This is a manipulation of the registry: they are adding keys for the radmin (Remote Administrator) program, so that when they actually install it there are no problems with registry errors.

If you don't use radmin, you may want to delete these keys. The next lines populate the keys:

    dtreg -Set REG_BINARY \HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters\DisableTrayIcon=01000000
    dtreg -Set REG_BINARY \HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters\Port=e5080000

Both values are little-endian 32-bit numbers written as REG_BINARY: DisableTrayIcon=01000000 is 1 (hide the tray icon so the user does not notice the server), and Port=e5080000 is 0x08E5 = 2277, a non-default listening port (radmin's default is 4899), chosen so that a scan for the usual port does not reveal it.

The batch file might be more complex than this, or be split into separate files.

So you may find a "securing" batch file which has entries such as:

    net share /delete C$ /y >>del.log
    net share /delete D$ /y >>del.log

which deletes the hidden administrative shares (and appends the output to del.log; ">>" is redirection, not a pipe).

Once in the machine, they don't want anyone else breaking in and taking it away from them!
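As an added example (my code, not from the slides), the following PowerShell script does the search just described and goes one step further: it finds .bat and .cmd files created inside the suspected window and greps them for the kind of commands quoted above (dtreg registry edits, net share /delete) plus a few common companions such as net user /add. The indicator list, the date window and the roots to search are assumptions to adjust; the sample batch text at the end is constructed, not a real capture.

```powershell
# Added example, not from the original slides. The indicator patterns are my
# own starting list; the first two match the batch file quoted above.
$BatchIndicatorPattern = @(
    'net\s+share\s+.*/delete',              # net share /delete C$ /y
    'dtreg\s+-(AddKey|Set)',                # dtreg registry manipulation
    'reg(\.exe)?\s+add\s',                  # built-in reg.exe equivalent
    'net\s+user\s+\S+\s+\S+\s+/add',        # create a local account
    'net\s+localgroup\s+administrators',    # ... and promote it
    'sc\s+(create|config)\s',               # register/alter a service
    'netsh\s+firewall',                     # open the firewall
    'RAdmin|r_server'                       # radmin server binary/keys
) -join '|'

function Find-SuspectBatchFiles {
    param(
        [Parameter(Mandatory = $true)][datetime]$Start,
        [datetime]$End = (Get-Date),
        [string[]]$Roots = @("$env:SystemDrive\")
    )
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object {
                (@('.bat', '.cmd') -contains $_.Extension.ToLower()) -and
                ($_.CreationTime -ge $Start) -and ($_.CreationTime -le $End)
            } |
            ForEach-Object {
                # Select-String treats the pattern as a case-insensitive regex.
                $hits = @(Select-String -LiteralPath $_.FullName -Pattern $BatchIndicatorPattern)
                $sample = @($hits | Select-Object -First 3 | ForEach-Object { $_.Line.Trim() }) -join ' | '
                [pscustomobject]@{
                    File    = $_.FullName
                    Created = $_.CreationTime
                    Hits    = $hits.Count
                    Sample  = $sample
                }
            }
    }
}

# Constructed sample (not a real capture) to show what the pattern catches
# before you run it over a disk: two of the four lines should match.
$sample = @'
@echo off
dtreg -AddKey \HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters
net share /delete C$ /y >>del.log
echo finished
'@ -split "`r?`n"
$sample | Select-String -Pattern $BatchIndicatorPattern | ForEach-Object { "matched: " + $_.Line }

# Live run over the system drive for a window around the suspected intrusion.
$window = (Get-Date).AddDays(-7)
Find-SuspectBatchFiles -Start $window | Sort-Object Hits -Descending | Format-Table -AutoSize -Wrap
```

Files with zero hits still appear in the output, because a batch file that arrived in the window is interesting on its own; the Hits column just orders the reading list. Widen the window generously, since the creation time you have for the compromise may be the moment it was noticed rather than the moment it happened.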

Using Built-in Tools

Many of the built-in tools on Windows machines are also quite useful.

For instance, running a command prompt (Start -> Run -> cmd.exe) on XP and running the command netstat -ano lists every TCP and UDP endpoint together with the PID (process identifier) that owns it. The PID can then be mapped to a process name with tasklist (for example tasklist /fi "PID eq 884") or in Task Manager once its PID column is enabled, which tells you which program is listening on, or talking to, a suspicious port.
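As an added example (not from the slides), here is a PowerShell script that parses the output of netstat -ano and joins each socket to the owning process name and image path, so the PID-to-program mapping described above is done in one pass instead of per PID. The netstat lines at the end are constructed to show the parser's output format offline; the live run at the bottom needs a Windows box.

```powershell
# Added example, not from the original slides. Parses "netstat -ano" text and
# joins each row with the process that owns the PID.
function ConvertFrom-NetstatAno {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # TCP rows: Proto Local Foreign State PID.  UDP rows have no State.
        if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$') {
            $state = if ($Matches[4]) { $Matches[4] } else { '' }
            [pscustomobject]@{
                Proto    = $Matches[1]
                Local    = $Matches[2]
                Foreign  = $Matches[3]
                State    = $state
                OwnerPid = [int]$Matches[5]
            }
        }
    }
}

function Join-SocketProcess {
    param([object[]]$Sockets)
    $byId = @{}
    foreach ($p in Get-Process) { $byId[$p.Id] = $p }
    foreach ($s in $Sockets) {
        $p = $byId[$s.OwnerPid]
        # A PID that netstat reports but Get-Process cannot see is either a
        # process that just exited or one being hidden from the process list.
        $name = if ($p) { $p.ProcessName } else { '<no such process>' }
        $path = ''
        if ($p) { try { $path = [string]$p.Path } catch { $path = '<access denied>' } }
        $s | Add-Member -NotePropertyName Process -NotePropertyValue $name -PassThru |
             Add-Member -NotePropertyName Path -NotePropertyValue $path -PassThru
    }
}

# Constructed sample lines (not a real capture) showing the shapes the parser
# handles: the header, a TCP listener, an established connection, a UDP endpoint.
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    10.0.0.5:1234          203.0.113.7:6667       ESTABLISHED     1720
  UDP    0.0.0.0:500            *:*                                    700
'@ -split "`r?`n"
ConvertFrom-NetstatAno -Lines $sample | Format-Table -AutoSize

# Live run: every listener and every UDP endpoint, with the owning program.
$live = ConvertFrom-NetstatAno -Lines (netstat -ano)
Join-SocketProcess -Sockets $live |
    Where-Object { $_.State -eq 'LISTENING' -or $_.Proto -eq 'UDP' } |
    Sort-Object OwnerPid | Format-Table Proto, Local, State, OwnerPid, Process, Path -AutoSize
```

On Windows 8 and later Get-NetTCPConnection exposes the same PID in its OwningProcess property without text parsing, but netstat -ano is what you have on every version. Either way the listing comes from the same kernel a rootkit may have patched, so a socket it hides from netstat is hidden here too; the outbound ESTABLISHED row to an IRC-style port in the sample is the kind of entry that is worth checking from a second vantage point such as a network capture.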

Checking System Files

To run the File Signature Verification tool, click Start, click Run, type sigverif, and then click OK.

Click Advanced, select "Look for other files that are not digitally signed", and then select c:\Windows or c:\winnt depending on the version of Windows.

This tool checks the digital signatures on all the system files and will alert you to any that are not correct, or not signed. Treat the unsigned list as a starting point rather than a verdict: third-party software legitimately drops unsigned files, and a signed file is only as trustworthy as its signer.
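As an added example (not part of the slides), the following PowerShell script is a scripted equivalent of the sigverif pass above, using Get-AuthenticodeSignature over System32. It separates the three cases a practitioner treats differently: HashMismatch (a signed file modified in place), NotSigned, and Valid-but-not-Microsoft. The extension list is my assumption.

```powershell
# Added example, not from the original slides. Catalog-signed Windows files
# report SignatureType "Catalog" on Windows 8 / PowerShell 3.0 and later; on
# older systems they show as NotSigned here and sigverif is the better check.
function Get-SystemFileSignatures {
    param(
        [string]$Root = (Join-Path $env:SystemRoot 'System32'),
        [string[]]$Extensions = @('.exe', '.dll', '.sys', '.ocx', '.scr', '.cpl')
    )
    Get-ChildItem -LiteralPath $Root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            $status = if ($sig) { [string]$sig.Status } else { 'Error' }
            $type   = if ($sig) { [string]$sig.SignatureType } else { '' }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Status        = $status
                SignatureType = $type
                Signer        = $signer
                Created       = $_.CreationTime
                File          = $_.FullName
            }
        }
}

$all = @(Get-SystemFileSignatures)

# Anything not Valid is what sigverif would list. HashMismatch comes first:
# it means a file that was signed has been altered on disk.
"--- not valid (HashMismatch, NotSigned, NotTrusted, ...) ---"
$all | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, @{ Expression = 'Created'; Descending = $true } |
    Format-Table Status, SignatureType, Created, File -AutoSize

# Valid does not mean Microsoft: a smaller second review set.
"--- validly signed, but not by Microsoft ---"
$all | Where-Object { $_.Status -eq 'Valid' -and $_.Signer -notmatch 'Microsoft' } |
    Format-Table Signer, File -AutoSize
```

Signature checking only covers files that were meant to be signed; an intruder's own dropped tool simply shows up as NotSigned among the legitimate unsigned third-party files, so the creation date column is there to help you order that list.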

Useful Tools

- SQL Critical Update Kit
- TCPView
- TDIMon
- Filemon
- Deleted File Analysis Utility
- DumpSec
- DumpReg
- Fport
- MBSA
- Spybot Search & Destroy
- Autoruns
- Ad-aware

Investigating Kernel Rootkits

The use of kernel-level rootkits is becoming far more widespread. Once on a machine, the hacker will try everything they can to stay there. This document has already looked at obfuscation techniques and at batch files that "secure" the machine; the next step is to make the system lie to you.

Investigating Kernel Rootkits

A remote administration application such as VNC or radmin is exactly that, an application.

A rootkit, on the other hand, patches the already existing code paths within the target operating system (system call tables, kernel data structures, API entry points), so that the standard tools, which ask the operating system what is running, receive filtered answers.

There are currently only a small number of applications which can help discover the presence of rootkits.

RKDetect

RKDetect runs remotely, enumerating services in two different ways: through WMI and through the Service Control Manager (using sc.exe). Both are ordinary user-mode Windows APIs; the point is that a rootkit usually hooks one path and not the other.

The tool then compares the results and displays any differences.

This method allows you to find the hidden services that start the rootkit. Process Explorer and TCPView (both from Sysinternals) should also be used in conjunction with RKDetect.

It is recommended that you use the sc.exe from the Windows Resource Kit rather than the one supplied by the RKDetect authors.
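As an added example (my code, not the RKDetect tool or anything from the slides), the following PowerShell script performs the same cross-view comparison with built-in cmdlets: the service list is taken three ways (the SCM via Get-Service, WMI/CIM, and the raw Services registry key) and the process list two ways (Get-Process and WMI/CIM), and any name or PID that is missing from one of the views is reported. The Type-value filter used to pick Win32 services out of the registry is mine.

```powershell
# Added example, not from the original slides: RKDetect-style cross-view
# enumeration of services and processes using only built-in cmdlets.
function Compare-ServiceViews {
    $scm = @(Get-Service -ErrorAction SilentlyContinue | ForEach-Object { $_.Name.ToLower() })
    $wmi = @(Get-CimInstance -ClassName Win32_Service | ForEach-Object { $_.Name.ToLower() })
    # Registry view: subkeys whose Type marks a Win32 service (0x10 own
    # process, 0x20 shared process). Kernel drivers (Type 1/2) are left out so
    # that all three lists describe the same population.
    $reg = @(Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { $type = $_.GetValue('Type'); ($null -ne $type) -and (($type -band 0x30) -ne 0) } |
        ForEach-Object { $_.PSChildName.ToLower() })

    foreach ($name in (($scm + $wmi + $reg) | Sort-Object -Unique)) {
        $inScm = $scm -contains $name
        $inWmi = $wmi -contains $name
        $inReg = $reg -contains $name
        if (-not ($inScm -and $inWmi -and $inReg)) {
            [pscustomobject]@{ Service = $name; SCM = $inScm; WMI = $inWmi; Registry = $inReg }
        }
    }
}

function Compare-ProcessViews {
    $apiProcs = @(Get-Process)
    $wmiProcs = @(Get-CimInstance -ClassName Win32_Process)
    $api = @($apiProcs | ForEach-Object { [int]$_.Id })
    $wmi = @($wmiProcs | ForEach-Object { [int]$_.ProcessId })
    $names = @{}
    foreach ($p in $wmiProcs) { $names[[int]$p.ProcessId] = $p.Name }
    foreach ($p in $apiProcs) { if (-not $names.ContainsKey([int]$p.Id)) { $names[[int]$p.Id] = $p.ProcessName } }

    foreach ($id in (($api + $wmi) | Sort-Object -Unique)) {
        $inApi = $api -contains $id
        $inWmi = $wmi -contains $id
        if (-not ($inApi -and $inWmi)) {
            [pscustomobject]@{ ProcessId = $id; Name = $names[$id]; Api = $inApi; WMI = $inWmi }
        }
    }
}

"--- services present in some views but not others ---"
Compare-ServiceViews | Format-Table -AutoSize
# Processes start and stop between the two snapshots, so a one-off miss is
# only worth chasing if it repeats on a second run.
"--- processes present in one view but not the other (run twice) ---"
Compare-ProcessViews | Format-Table -AutoSize
```

Read the service output with the registry column in mind: a key present in the registry but absent from the SCM and WMI views is commonly just an uninstall leftover, whereas a service the SCM or WMI reports but whose registry key cannot be seen is the hidden-key pattern this check exists to catch. A rootkit that hooks every one of these user-mode paths consistently will not show a difference, which is why the offline registry and raw-disk tools described later in this deck are still needed.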

RKDetector

Runs on the local machine and attempts to provide information about hidden processes and services.

Once it identifies the hidden processes, RKDetector will try to kill those hidden tasks and then scan the service database in order to detect hidden services and hidden registry keys (Run, RunOnce).

RKDetector also contains a database of common rootkits against which it compares its output.

BlackLight, F-Secure

The rootkit detector BlackLight from F-Secure is currently in beta form, so it is likely to change at any time. It also doubles up as an eliminator, so if it finds a rootkit it may be able to remove it from the system. It is currently a free download, which requires administrator privileges to run.

Once past the licensing agreement, the window will ask to perform a scan of the machine; you also have an option to show all running processes.

Once the scan is complete, a summary will be presented showing whether it has found anything, and the software will allow you to move on to the cleaning process.

RootkitRevealer, Sysinternals

Again it is a free download, requiring administrator privileges to run (strictly speaking, the help file identifies the permissions it requires, and Administrator gets these permissions by default).

Once again it works from within Windows, and presents a small window which displays options and scan results.

RootkitRevealer will not clean the machine; it does, however, scan the hard drive and the registry for possibly problematic files and entries, by comparing what the Windows API reports with what it reads directly from the raw disk and hive structures and reporting the discrepancies.

These are then highlighted for the user to take action, if required.

Working from inside a possibly compromised Windows has its own benefits and problems. Using PsExec, RootkitRevealer can also be run against a remote system.

UnHackMe

UnHackMe can be downloaded for free as an evaluation version; the paid-for version comes with free support and updates.

Unlike other rootkit detectors, UnHackMe requires installation on the machine, which in turn requires administrator privileges. It does come with a 'monitor' which will check your machine every minute (the default setting).

Once in the application, it has a very simple interface which will allow you to scan the system, get help, etc. The software will also act as a rootkit cleaner.

As it requires installation, this may be of more use to people wanting to keep their system secure rather than to those responding to incidents.

RegdatXP

This isn't strictly a rootkit detector; it is actually a raw registry editor. This means it can be used to load the registry hive files from a machine (files like ntuser.dat and UsrClass.dat) without going through the live registry API.

It has good searching tools, so admins can look for autoruns, suspicious registry keys, etc. This has benefits over signature-based detection, although it requires a greater degree of time and effort.

It bypasses the problems when a rootkit prevents the built-in RegEdit from working correctly. The software is shareware.

Removing a Rootkit

1. Insert the Windows OS installation CD into the drive.
2. Boot from the CD.
3. Press 'R' to enter the Recovery Console.
4. Choose the Windows installation you want to clean from the list presented to you.
5. Enter the Administrator password.

Removing a Rootkit

Once in the Recovery Console, you have a few commands for this, including:

listsvc - lists the services and drivers that can be enabled or disabled.
enable <servicename> <start-type> - enables a service or driver with the given start type, one of:
    SERVICE_DISABLED
    SERVICE_BOOT_START
    SERVICE_SYSTEM_START
    SERVICE_AUTO_START
    SERVICE_DEMAND_START
disable <servicename> - disables a service or driver (it prints the previous start type; note it down so you can restore it if you picked the wrong one).

Setting the rootkit's service or driver to SERVICE_DISABLED stops it loading at the next boot, after which its files and registry keys can be removed from a Windows session the rootkit is no longer lying to.