Thứ Hai, 23 tháng 6, 2014

Ẩn file với streams mà windows không phát hiện ra

Windows has NTFS and FAT file systems, when NTFS is used, Alternative Data Streams can be created to hide malware within standard Windows Operating System files.  ADS cannot be detected using Explorer or Task Manager, both the executable and the processes are undetectable to the OS.  ADS was created to maintain compatibility with the MAC file system called HFS.

Step 1 – Create an ADS directory

Copy calc.exe and notepad.exe into this ADS directory – as you’ll be hiding the notepad.exe inside the calculator to prove how this works.



Step 2 – Check the filesize of both calc and notepad

Check the filesizes of both calc.exe and notepad.exe before you start, so that you can see the OS is unable to report the hidden or secret file inside calc.exe.



Step 3 – INJECTION SYNTAX (Inject notepad into calc)

type c:\windows\system32\notepad.exe > calc.exe: notepad.exe

or the safer option

type c:\ADS\notepad.exe > c:\ADS\calc.exe:notepad.exe



Step 4 – Recheck filesizes of calc

Notice how Windows can not detect the change in filesize.


Step 5 – Execute malware with “Start”

start c:\ads\calc.exe



Calc will run.

 Step 6 – Use taskmanager to check only calc.exe is shown

Step 7 – Download a special tool to enumerate Alternative NTFS data streams.



nstall streams.  Run a new cmd prompt, change to streams dir.

streams c:\ADS\calc.exe




Streams displays calc.exe:notepad.exe:$DATA 193546.
This is showing that calc.exe has notepad hidden inside it, but Windows can’t detect that.
The malware datasize is 193546.
$DATA is the name of the attribute or the PRIMARY DATA STREAM.
We are hiding programmes in the SECONDARY data stream – which uses the : as a separator.  Calc.exe:notepad.exe = the secret stream is notepad.exe.  The syntax to hide hacking malware is:

type c:\malware.exe > c:\windows\system32\calc.exe:malware.exe


Step 8 – How to hide Calc.exe inside a JPEG file

We will hide the calc program inside a JPEG.  ADS7.jpg was created for this article.

type c:\ads\calc.exe > ads7.jpg:calc.exe



Double Check our Injection has worked

Streams c:\ads\ads7.jpg




Streams reports that :calc.exe is hidden inside a secondary data stream.

We’ve INJECTED calc.exe into a very small JPEG file (65K).




So why is this important?

It’s important to realise that Windows 7 cannot detect secondary data streams – so rootkits and trojans can be hidden within windows system files or small photos.

So what?

You have created “malware” by hiding one program inside a windows system file or even a small photo.

Note how windows can’t detect the change in filesize or the running process.  This protects the hacker from discovery.

Only NTFS has ADS capabilities.

If you transfer a file from NTFS to FAT32 you’ll automatically destroy the Alternative Data Stream.

ADS CANNOT BE DISABLED IN WINDOWS.

The countermeasure is Tripwire – which runs a hash against the files – system file hashing will detect ADS.  That’s why hashes are so important as a safety net.

Không có nhận xét nào:

Đăng nhận xét