Tuesday, January 24, 2006

Hide, Go Seek

Where could I find hidden files?

  • There's the "hidden" attribute. The hidden attribute can be set on directories, not just files.
  • The "hide in plain sight" strategy is at least as old as Poe's "The Purloined Letter." Its longevity reflects its effectiveness. Finding the files that don't belong among the hundreds that do is a challenge. Using a utility to find unsigned executables, and to confirm that the signatures it does find are authentic, will produce a long list that includes many benign conditions. See sigcheck from Sysinternals. (sigcheck -s -v c:\ >result.csv)
  • Suspect recent files in C:\Winnt\System32 (or C:\Windows\System32); a dropped file's date stamp is rarely altered to make it blend in. Similarly, suspect recent files in C:\Winnt (or C:\Windows) and in the user's temporary files (C:\Documents and Settings\\Local Settings\Temp).
  • Hide in a system folder, such as "C:\Windows\Downloaded Program Files" (or "C:\Winnt\Downloaded Program Files"). There's a real folder of that name, but you won't see its contents when you're using Windows Explorer. Use a command window instead. Expect hidden and system files, and search subdirectories. (dir "C:\Winnt\Downloaded Program Files" /ah /s) (dir "C:\Winnt\Downloaded Program Files" /s)
  • Hide using the Directory and System attributes. Foundstone's hfind utility hunts for files with the hidden attribute, directories with the hidden attribute and directories with the system attribute. There are a lot of hidden files and folders, most of them benign conditions. (hfind \\remote\c$ >> remote.txt)
  • Hide behind other files, using Alternate Data Streams (ADS). Foundstone's sfind utility searches just for streams. (Windows Explorer caches thumbnails in ADS, and XP SP2 attaches a "Zone.Identifier" tag to downloaded files using ADS; both are benign uses.) There's also the LADS utility, which can search for ADS across the network. The Sysinternals streams utility can also be used to search for Alternate Data Streams (streams -s *.* to find ADS; streams -s -d *.jpg to delete the cached thumbnails).
  • Sysinternals' RootkitRevealer is time consuming and reports some benign conditions. When used in conjunction with psexec, it can scan remote systems. (psexec \\remote -c rootkitrevealer.exe -a c:\windows\system32\rootkit.log)
  • Stegdetect (stegdetect *.jpg) can be used to find steganographic content (hidden information) in JPEG images.
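The checks above, collected into one PowerShell triage script (an added example, not code from the original post; $Root, $RecentDays and the 30-day window are assumptions, and it needs PowerShell 3.0 or later for Get-Item -Stream and the -in operator):

```powershell
# Added example (not from the original post): triage one directory tree for the
# hiding spots described above. $Root and $RecentDays are assumed parameters.
param(
    [string]$Root = $env:SystemRoot,
    [int]$RecentDays = 30
)

$cutoff = (Get-Date).AddDays(-$RecentDays)

# -Force lists the hidden and system entries that Explorer and a plain 'dir' omit.
$items = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue
$files = $items | Where-Object { -not $_.PSIsContainer }

"== Hidden files, and hidden or system directories (what hfind reports) =="
$items | Where-Object {
    $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -or
    ($_.PSIsContainer -and $_.Attributes.HasFlag([IO.FileAttributes]::System))
} | Select-Object FullName, Attributes | Format-Table -AutoSize

"== Files written in the last $RecentDays days (dropped files are rarely back-dated) =="
$files | Where-Object { $_.LastWriteTime -gt $cutoff } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# Every file has a default :$DATA stream; Zone.Identifier is the benign download tag.
"== Alternate Data Streams other than :`$DATA and Zone.Identifier (what sfind/streams report) =="
$files | ForEach-Object {
    Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
} | Select-Object FileName, Stream, Length | Format-Table -AutoSize

"== Executables whose Authenticode signature is missing or invalid (what sigcheck reports) =="
$files | Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{ Path = $_.FullName; Status = $sig.Status }
    }
} | Format-Table -AutoSize
```

Expect long lists, for the reason the post gives: most hits are benign, so compare the output against a known-good machine of the same build rather than acting on any single entry.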


At 8:49 PM, Blogger pen said...

On February 1, SANS ISC reversed their block recommendation of InterCage.

