Windows security: File hiding

john_j · Jan 10, 2007

Hi guys!

New user/IT-noob here.

I was watching this video on window's security
on file hiding ( http://www.metacafe.com/watch/379519/windows_xp_security_hacking_hiding_files_ads/ )

Googling around for info on this area, all I could found is results on its threat, otherwise profound explaination
of its origins. Could anyone explain to me of its origin and purpose in simple? Is this feature necessary in the first place?

Cheers,
John

Ice_Czar · Jan 12, 2007

some of the search terms youd look for are
rootkit \ rootkits
ADS (Alternative Data Streams)
Hidden Files and Folders
Hidden Extensions

starting from the last

File Extentions Security, Hidden Files
This will keep most malware from disguising itself as something else
which then tricks you into executing it

Unless your in the habit of clicking any old file,
an .exe extension would likely give you pause,
especially if your not so sure of the source, but what if it was just a .txt file?
thats safe isnt it?
NO, well not till you do the following

Unhiding Part 1
Start > Programs > Accessories > Windows Explorer > Tools > Folder Options > View Tab
Check Show Hidden Files and Folders
Uncheck Hide file extensions for known file types
Uncheck Hide protected operating system files

while Im here I also
Check Display full path in the address bar
Check Display full path in title bar
(personal preference but a useful navigational aid)

HotTweaks.txt could actually be a dual extention HotTweaks.txt.exe
same goes for .mpg, .avi, ect, and could disguise .exe, .vbs or other real file extentions
that is till you do the above, however there are still some files that are hidden by default .shs, .shb, .pif files for instance and these are potentially dangerous

a few more
.cnf SpeedDial (Extension not visible)
.lnk Shortcut (Extension not visible)
.mad Microsoft Access Module Shortcut (Extension not visible)
.maf Microsoft Access Form Shortcut (Extension not visible)
.mag Microsoft Access Diagram Shortcut (Extension not visible)
.mam Microsoft Access Macro Shortcut (Extension not visible)
.maq Microsoft Access Query Shortcut (Extension not visible)
.mar Microsoft Access Report Shortcut (Extension not visible)
.mas Microsoft Access StoredProcedure shortcut (Extension not visible)
.mat Microsoft Access Table Shortcut (Extension not visible)
.mav Microsoft Access View Shortcut (Extension not visible)
.maw Microsoft Access Data Access Page Shortcut (Extension not visible)
.pif Shortcut to MS-DOS Program (Extension not visible)
.scf Windows Explorer Command (Extension not visible, generic icon)
.shb Shortcut into a document (Extension not visible)
.shs Scrap object (Extension not visible)
.uls Internet Location Service (generic icon)
.url Internet Shortcut (Extension not visible)
.xnk Exchange Shortcut (Extension not visible)

with the exception of .url all pretty strange extentions for most of us
simply that till now they have been hidden

so you can still end up with a worm that is for instance HotTwaeks.txt.pif
(which is similar to a bat file, and could exectute code in the file via DOS)
or an .shs file (Shell Scrap Object) which is a type of "wrapper" for embedded objects, including .exe files calls on shscrap.dll, OpenScrap_RunDLL

Unhiding Part 2
for this youll need to use the registry editor
Start > run > (type) regedit
in the tree to the left select > HKEY_CLASSES_ROOT
then on the toolbar at the top > Edit > Find > and type > NeverShowExt
select the Key in the right panel "NeverShowExt" (highlighted)
and on the top toolbar > Edit > Delete >
"Are you sure you want to delete this value?" > Yes
and repeat till you cant find any more > Edit > Find Next >
(should be highlighted) Delete > Repeat till done
(note this process actually turned up my search queries for that key under my google deskbar (HKEY_SOFTWARE) as entered into the registry, no real need to delete those )
Click to expand...

Hidden Files and Folders in an OS are generally to keep the curious out of directories where changes have the potential for damage. Hidden file extensions are more an aesthetic decision to avoid too much "clutter" on the part of a system designer.

both are potentially dangerous decisions

Ice_Czar · Jan 12, 2007

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

What is a Rootkit

The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

The Windows native API serves as the interface between user-mode clients and kernel-mode services and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.

Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
Click to expand...

there are several reasons rootkits have been employed by otherwise legitimate aps
to allow them to fool other software (daemon tools employed a rootkit to allow it to mount a virtual CD drive inorder to facilitate copying a game or disk) the most famous rootkit was the one SonyBMG placed on its CDs inorder to impose their DRM scheme

Ice_Czar · Jan 12, 2007

http://www.windowsecurity.com/articles/Alternate_Data_Streams.html

A relatively unknown compatibility feature of NTFS, Alternate Data Streams (ADS) provides hackers with a method of hiding root kits or hacker tools on a breached system and allows them to be executed without being detected by the systems administrator.

When dealing with network security, administrators often times don’t truly appreciate the lengths that a sophisticated hacker would go through to hide his tracks. Simple defacements and script kiddies aside, a sophisticated hacker with more focused goals looks to a perimeter system breach as an opportunity to progress further inside a network or to establish a new anonymous base from which other targets can be attacked.

In order to achieve this task, a sophisticated hacker would need time and resources to install what is known as a root kit or hacker tools with which he can execute further attacks. With this, comes the need to hide the tools of his trade, and prevent detection by the systems administrator of the various hacking applications that he might be executing on the breached system.

One popular method used in Windows Systems is the use of Alternate Data Streams (ADS). A relatively unknown compatibility feature of NTFS, ADS is the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer. Found in all version of NTFS, ADS capabilities where originally conceived to allow for compatibility with the Macintosh Hierarchical File System, HFS; where file information is sometimes forked into separate resources. Alternate Data Streams have come to be used legitimately by a variety of programs, including native Windows operating system to store file information such as attributes and temporary storage.

Amazingly enough, Alternate Data Streams are extremely easy to make and require little or no skill on the part o the hacker. Common DOS commands like “type” are used to create an ADS. These commands are used in conjunction with a redirect [>] and colon [:] to fork one file into another.

MORE>
Click to expand...

http://en.wikipedia.org/wiki/Fork_(filesystem)

In computer file systems, a fork is additional data associated with a file system object. A file system might support only one fork per file or might support multiple named forks. Unlike extended attributes, which are typically limited to be less than some small value in size, a fork can be large, perhaps as large as the file's data.

Filesystem forks are traditionally associated with Apple's Hierarchical File System (HFS)[1], however they are also available in Microsoft's NTFS filesystem, where they are known as Alternate Data Streams (ADS)[2].

In 1993, Microsoft released the first version of the Windows NT operating system which introduced the NTFS filesystem. This filesystem includes support for multiple named forks as alternate data streams for compatibility with pre-existing operating systems that support forks. With Windows 2000, Microsoft started using alternate data streams in NTFS to store things such as author or title file attributes[7] and image thumbnails.[8] With Service Pack 2 for Windows XP, Microsoft introduced the Attachment Execution Service that stores details on the origin of downloaded files in alternate data streams attached to files, in an effort to protect users from downloaded files that may present a risk.[9]
Click to expand...

ADS has been a potential concern for over 6 years (which is when I first started using LADS) but was largely unemployed by malware authors till recently. Some applications allowed you to scan ADS for hidden malware (TDS3 for instance) The rise in rootkits in general has been the largest development in the last few years with an ongoing war between creation and detection, but the latest twist has been this new generation of ADS rootkits specifically

Security researchers have discovered a new type of rootkit they believe will greatly increase the difficulty of detecting and removing malicious code. Rustock.A uses a mixture of old techniques and new ideas to make it "totally invisible on a compromised computer when installed."

Rustock’s use of NTFS’ Alternate Data Streams (ADS) as one significant example of its advanced behavior. "Saving your data into Alternate Data Streams is usually enough to hide from many tools."

"However, in this case, the stream is further hidden using rootkit techniques ... because Mailbot.AZ is hiding something that’s not readily visible; it’s very likely that many security products will have a tough time dealing with this one."

According to researchers, other factors that help make Rustock invisible are that it has no process, instead running inside the driver and in kernel threads. It doesn’t hook into any native API, and controls kernel functions via special IRP functions. It removes its entries from kernel structures, and the SYS driver is polymorphic, changing its code from sample to sample.

Rustock also scans for loaded rootkit scanners, then changes its behavior to avoid detection, according to Florio.
Click to expand...

very very nasty
which is why Im actually making fundamental changes in how I approach security with integrating virtualization to isolate the major attack vectors (browse view email and IM in a sandbox or virtual machine) and running any application from an untrusted source through a zoo first. And finally getting serious about setting up a packet sniffer IDS between me and the net in an attempt to spot subversion.

for the security neophyte virtualization would be my recommendation and give up on any applications with a shady pedigree or source......period.

(read: freeware from folks you dont know and trust or that hasnt been widely vetted by others and all applications from P2P sources) That doesnt even address data\media that might be able to be infected via exploits or by disguise. Keep informed, virtualize it where possible, and otherwise isolate it as much as possible.

Log in or Sign up

Windows security: File hiding

john_j Registered Member

Ice_Czar Registered Member

Ice_Czar Registered Member

Ice_Czar Registered Member

Log in or Sign up

Windows security: File hiding

john_j Registered Member

Ice_Czar Registered Member

Ice_Czar Registered Member

Ice_Czar Registered Member

Useful Searches