
DOCUMENT INFORMATION

Basic information

Title: Backups and Hidden Data
Author: Stephen Northcutt
School: Secure System Administration - SANS GIAC
Field: System Administration
Type: Report
Year published: 2001
Format:
Pages: 42
Size: 792.11 KB


Contents


Secure System Administration - SANS GIAC © 2000, 2001

Backups and Hidden Data

Hello, I am Stephen Northcutt again and welcome back for the second section of our course. Next, we will learn about fundamental threats that affect organizations and cause them loss. For all that you read about hackers, they are only one source of harm, and in well defended organizations, hackers are not able to cause much, if any, damage.


Forget Hackers!

(Major Loss Vectors)

• Backups, or the lack of
• Viruses and other malicious code
• Hiding data

Contrast this with the average home (and dare I say workplace as well) system. The anti-virus signatures are out of date. In fact, the only reason there is anti-virus code at all was that it came factory installed. The system hasn’t been backed up – ever. Perhaps three or four important files were copied off to a floppy, but that is it. Hard disks are generally rated with a Mean Time Between Failure (MTBF). The question isn’t if the disk will fail, but when. The newest viruses are fairly destructive and delete files, so the combination of out of date virus signatures and no backups is really getting scary. We will also discuss how systems might be very open to attack from networks and ways that people may be hiding data from you right on your own computer systems.


Failure to Backup

I want to be clear, MSBACKUP for Windows 95/98 is not the way I backup these operating systems. I prefer tools that use the Archive bit to manage backups, and MSBACKUP doesn’t. I used it once helping out in a Perl class (Perl is a most wonderful programming language) where the students were told to bring their laptops. Now you would think that if you were coming to take a class in Perl and they told you to bring your laptop, you would load Perl ahead of time. So we are faced with this class of students that don’t have Perl, and it is bigger than a floppy disk’s capacity even when zipped, and some of them don’t have CD-ROM drives. What to do? Well, I remembered that NT had a backup facility that could write the backup across multiple disks, even floppies, so I did a CTRL-F on my C:\ drive and typed in backup, and sure enough, my Windows 95 box had a backup utility and it worked. We were able to make a “backup” of Perl and write it to a couple floppies and restore it to the other systems. Very quickly we ran into a gotcha that I am sure is “fixed in the next release”. The Windows 98 and NT backup programs were not compatible, so we had to make 2 backups.


The Archive Bit (Windows)

• Used by backup programs to decide which files require safekeeping
• Files with “A” bit need to be saved!

Windows systems use a special tag called an archive bit to signal backup programs that the file has changed since the previous backup operation. The archive attribute exists in both FAT and NTFS file systems. We use the ATTRIB program to see the attributes files have. In this slide, seven files are shown; three have their archive bit set “on” and the others do not. A backup program will use these "bits" to capture files the next time we backup this computer and may reset (turn off) this bit depending on the type of backup performed.

In Windows NT and WIN2K you or the backup software you utilize must have at least the Backup Operator privilege to perform backups. If you do not have Backup Operator or Administrator privileges, you may not be able to backup system files or the system registry.

We are going to discuss three backup techniques: full, incremental, and differential. We will lightly touch on best practice, but I am far more concerned that you know how to do a backup, or why files might NOT get backed up, than the theory and practice of backups.


Full Backups

• Capture the entire system configuration
• Clear files’ archive bits
• Are expected to safely copy the system registry
• Require full permission to the system

Full backups are typically performed on a weekly basis, disregard the archive "bit", and capture all files. A full backup is needed to restore a system from a catastrophic failure but will not restore files that changed since the backup was performed. Differential and Incremental backups address this issue but do so in different ways.

Differential backups leave the archive bit after saving the changed file. When I perform a full backup on Sunday, and then a differential backup on Monday, Monday’s tape will contain only the information that changed between Sunday and Monday. A differential backup on Tuesday will store files that changed on Monday and Tuesday. If one assumes that at least one file changes each day of the week, then the size of the differential backup will grow each day of the week.

Incremental backups turn off the archive bit after they backup, so they only backup changed files. Assuming a full backup on Sunday, then on Mondays, incremental and differential backups will require the same quantity of space and time to complete. On Fridays, incremental backups will only be backing up the files that have changed since the last incremental backup and will be faster and require less space than differential backups.


Partial Backup Methods

• Incremental
  – Checks for the archive bits
  – Stores copies of files with bit set
  – Clears the archive bit
• Differential
  – Does not clear the archive bit

An incremental backup is a backup that scans the server for data changes that have occurred since the last full or incremental backup. This is done by scanning the file system and looking for files that have their archive bit turned on. When an incremental backup is completed, all the files examined will have their archive bits turned off. Combining full and incremental backup techniques allows administrators to save the system configuration using a full backup, then quickly capture the information that has changed since the last full backup. One big problem exists with incremental backups. If I perform a full backup on Sunday, then incremental backups Monday through Friday, restoring data is a major challenge. To properly restore a system from full loss, the system administrator must first restore from the full backup tape, then restore from every incremental backup that was made, in the order in which they were made. This means that if you don’t have good log notes and good labeling, you should stick with full backups.

WARNING: Do not mix Differential and Incremental backups between Full backups. An Incremental backup resets the archive "bit", thereby preventing a Differential backup from identifying files to capture.


NTBackup

Windows NT has a backup tool as well, called NTBackup. Click Start, select Programs, select “Administrative Tools (Common)” then “Backup” to run NTBackup. If you are not streaming your audio, please take a minute and run whichever backup program you have, Windows 9x or NT 4.0/Windows 2000. Get familiar with it now before you are under fire. You don’t have to do the whole disk. You can select a folder or even a file. Run the attrib command before and after. You can even experiment with the attrib command to foil the backup process. Below are best practices for backups:

• Full backups (all files) when possible. Why perform incremental or differential backups if we can obtain a full backup every day?
• When full backups cannot be performed on a daily basis, use differential backups, not incrementals, since differentials are easier if you need to recover. A full restore requires either the last full backup followed by the last differential backup, or the last full backup followed by each incremental backup in the correct order.
• Place legible, unique labels on all tapes.
• Create a log in which you record which tapes are used and on which servers. Note any errors or pertinent events every day.
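The archive-bit rules of the last three slides (full and incremental backups clear the bit, differential backups leave it, never mix the two between fulls) and the restore rule in the best-practice list above can be checked with a small simulation. The Python model below is an added example and not part of the course material; `ArchiveBitFileSystem`, `restore_chain`, `simulate_week` and the file names are constructed for illustration, and the "week" follows the Sunday-full, Monday-to-Friday schedule the notes use.

```python
class ArchiveBitFileSystem:
    """Toy model of a FAT/NTFS volume: every file carries data plus an 'A' (archive) bit.

    Constructed for this example; the bit rules follow the course notes: a write sets
    the bit, a full or incremental backup clears it, a differential backup leaves it.
    """

    def __init__(self):
        self.files = {}  # name -> (content, archive_bit)

    def write(self, name, content):
        self.files[name] = (content, True)  # any change turns the archive bit on

    def backup(self, kind, label):
        """Take a backup of the given kind ('full', 'incremental' or 'differential')."""
        if kind == "full":
            chosen = dict(self.files)  # disregards the bit and captures everything
        elif kind in ("incremental", "differential"):
            chosen = {n: f for n, f in self.files.items() if f[1]}  # files with 'A' set
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        if kind != "differential":
            for n in chosen:  # full and incremental reset the bit on what they saved
                self.files[n] = (self.files[n][0], False)
        return {"label": label, "kind": kind, "files": {n: f[0] for n, f in chosen.items()}}


def restore_chain(backups):
    """Return the backup sets needed for a full restore, in the order to apply them.

    Best-practice rule from the notes: the last full, then either the last differential
    taken after it, or every incremental taken after it in the order they were made.
    """
    last_full = max(i for i, b in enumerate(backups) if b["kind"] == "full")
    later = backups[last_full + 1:]
    diffs = [b for b in later if b["kind"] == "differential"]
    incs = [b for b in later if b["kind"] == "incremental"]
    if diffs and incs:
        raise ValueError("differential and incremental backups mixed between full backups")
    return [backups[last_full]] + (diffs[-1:] if diffs else incs)


def restore(chain):
    """Apply backup sets in order; a later set overwrites an earlier copy of a file."""
    result = {}
    for b in chain:
        result.update(b["files"])
    return result


def simulate_week(partial_kind):
    """Sunday full backup, then Mon..Fri: two writes per day and one partial backup.

    Returns the file count on each tape and whether the restore chain rebuilds the
    live volume exactly.
    """
    fs = ArchiveBitFileSystem()
    for i in range(3):
        fs.write(f"base{i}.txt", f"data {i}")
    tapes = [fs.backup("full", "Sun")]
    for day in ("Mon", "Tue", "Wed", "Thu", "Fri"):
        fs.write(f"{day}.log", f"written on {day}")  # a new file each day
        fs.write("base0.txt", f"edited {day}")        # the same file edited each day
        tapes.append(fs.backup(partial_kind, day))
    live = {n: f[0] for n, f in fs.files.items()}
    sizes = [len(t["files"]) for t in tapes]
    return sizes, restore(restore_chain(tapes)) == live


def mixed_week_loses_data():
    """The WARNING on the slide: an incremental on Monday clears the bits, so Tuesday's
    differential no longer carries Monday's change. Returns the version of report.doc
    that 'last full + last differential' would restore, and whether Tuesday's tape has it."""
    fs = ArchiveBitFileSystem()
    fs.write("report.doc", "v1")
    tapes = [fs.backup("full", "Sun")]
    fs.write("report.doc", "v2")
    tapes.append(fs.backup("incremental", "Mon"))
    fs.write("memo.doc", "new")
    tapes.append(fs.backup("differential", "Tue"))
    naive = restore([tapes[0], tapes[2]])
    return naive["report.doc"], "report.doc" in tapes[2]["files"]


if __name__ == "__main__":
    print("differential week:", simulate_week("differential"))
    print("incremental week:", simulate_week("incremental"))
    print("mixed week restores:", mixed_week_loses_data())
```

Running it reproduces the notes: the differential tapes grow (2, 3, 4, 5, 6 files) while the incremental tapes stay at 2 files, both chains restore the volume exactly, and the mixed week silently restores the Sunday version of report.doc because Monday's incremental cleared the bit before Tuesday's differential ran.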


TAR (Tape Archive – Unix)

• Create tar file
  tar cvf archive file
• Extract tar file
  tar xvf archive file
• List contents of tar archive
  tar tvf archive file
• Copy current directory to another
  tar cpf - . | ( cd newdir; tar xvpf - )
  – Where
    • “Archive” is a file or tape device
    • “File” is the file or directory to archive

Unix has three primary backup tools: tar, dump/restore and dd. Tar is ideal for backing up a particular directory tree. Tar’s primary functions:

- Create an archive, tar c. The slide shows tar cvf. The v means verbose mode. When this is set, tar tells what it is doing and that is helpful. f is always followed by the filename of the tarfile you are creating, extracting from, or creating a table of contents from. If you are having trouble with tar, odds are you didn’t follow the f with the filename of the tarfile.
- Extract files using tar, the TApe aRchive, tar -x.
- Table of contents, tar -t.

The fourth bullet is a bit advanced, but please notice the vertical bar “|” or pipe symbol. This says take the tarfile being created on the left, change directory “cd” to a new directory and extract the tarfile there. Unix allows you to pipe (|) information. Try ls /dev | wc to see how many files are in /dev (wc is useful for counting things - it gives lines, words, and bytes).
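As an added illustration of the four tar commands on the slide (not code from the course), the sequence below does the same create, list, extract and pipe-copy with Python's standard `tarfile` module against a constructed directory tree, and finishes with the digest comparison the course asks for when it says to test backups by restoring files. The helper names (`create_archive`, `copy_tree_via_tar_stream`, `digest_tree`, `demo`) and the sample files are this example's own.

```python
import hashlib
import io
import os
import tarfile
import tempfile


def build_sample_tree(root):
    """Constructed input: a small tree with one executable file and explicit modes."""
    os.makedirs(os.path.join(root, "etc"))
    motd = os.path.join(root, "etc", "motd")
    with open(motd, "w") as f:
        f.write("welcome\n")
    os.chmod(motd, 0o644)
    script = os.path.join(root, "backup.sh")
    with open(script, "w") as f:
        f.write("#!/bin/sh\ntar cvf /dev/nrst0 /home\n")
    os.chmod(script, 0o755)


def _safe_extract_kwargs():
    # Python 3.12 (and the security backports) offer extraction filters; 'data' refuses
    # members with absolute paths or '..' components, the classic tar path-traversal hazard.
    return {"filter": "data"} if hasattr(tarfile, "data_filter") else {}


def create_archive(src_dir, archive_path):
    """tar cvf archive dir: the whole tree, stored relative to its parent."""
    with tarfile.open(archive_path, "w") as tar:
        tar.add(src_dir, arcname=os.path.basename(src_dir))
    return archive_path


def list_archive(archive_path):
    """tar tvf archive: the table of contents."""
    with tarfile.open(archive_path, "r") as tar:
        return sorted(tar.getnames())


def extract_archive(archive_path, dest):
    """tar xvf archive, run from inside dest."""
    with tarfile.open(archive_path, "r") as tar:
        tar.extractall(dest, **_safe_extract_kwargs())


def copy_tree_via_tar_stream(src_dir, newdir):
    """tar cpf - . | ( cd newdir; tar xvpf - ), with the pipe replaced by an in-memory stream."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for entry in sorted(os.listdir(src_dir)):
            tar.add(os.path.join(src_dir, entry), arcname=entry)
    buf.seek(0)
    os.makedirs(newdir, exist_ok=True)
    with tarfile.open(fileobj=buf, mode="r") as tar:
        tar.extractall(newdir, **_safe_extract_kwargs())


def digest_tree(root):
    """SHA-256 and permission bits of every regular file, keyed by relative path."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                h = hashlib.sha256(f.read()).hexdigest()
            out[os.path.relpath(path, root)] = (h, os.stat(path).st_mode & 0o777)
    return out


def demo():
    """Create, list, restore and pipe-copy a constructed tree; verify both copies."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "home")
        build_sample_tree(src)
        archive = create_archive(src, os.path.join(tmp, "home.tar"))
        names = list_archive(archive)
        extract_archive(archive, os.path.join(tmp, "restore"))
        restored_ok = digest_tree(os.path.join(tmp, "restore", "home")) == digest_tree(src)
        copy_tree_via_tar_stream(src, os.path.join(tmp, "newdir"))
        copied_ok = digest_tree(os.path.join(tmp, "newdir")) == digest_tree(src)
        return names, restored_ok, copied_ok


if __name__ == "__main__":
    print(demo())
```

The digest step is the part worth copying into a real backup routine: comparing content hashes and mode bits of a restored sample against the live tree is how you learn that a tape is readable before you are under fire, and the `p` in `tar cpf` / `tar xvpf` is what keeps the mode bits (the `0o755` on the script) intact across the copy.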


dump and dd (Unix)

• Full dump of /usr:
  dump 0uf /dev/nrst0 /usr
• Image copy of a file system
  dd if=/dev/hd0a of=/dev/nrst0

dump and dd, if misused, can be dangerous. dump is the primary tool for whole system backup and works with restore. If your Unix system is in production, make sure a senior system admin guides you through these your first time.

The simplest form of the dump command is: dump, dump level, u (update dumpdates file), f (device name) and the file system to dump. The last parameter may be specified as a mount point like /usr or a disk device name - /dev/hd0a.

dd is a utility that reads input files block by block. If you specify a disk device, you can capture file system metadata, blocks of “data” marked deleted that could be useful for evidence gathering following a break in. This data would be missed if using tar or dump, which rely on the UNIX file system. dd then, is preferred for forensics.

Unix files do not have an archive bit, so the date of the file is used to determine whether it needs to be backed up. Unix backup scripts will often have some way of checking the date, or last backup time.
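To show how a Unix backup script decides what to save without an archive bit, here is an added Python example (not the course's code) that selects files by mtime against a dumpdates-style record of earlier dump times, following dump's level convention: level 0 takes everything, level N takes whatever changed since the most recent dump of a lower level, and the `u` behaviour records the new dump time. The one-line-per-dump record format, the `run_level_backup` helper and the epoch timestamps are this example's own assumptions.

```python
import os
import tempfile
import time


def read_dumpdates(path):
    """Parse a dumpdates-style record (constructed format): 'filesystem level epoch' per line."""
    dates = {}
    if os.path.exists(path):
        with open(path) as f:
            for line in f:
                fs, level, epoch = line.split()
                dates[(fs, int(level))] = float(epoch)
    return dates


def write_dumpdates(path, fs, level, epoch):
    """Record the time of this dump, as dump's u flag does."""
    dates = read_dumpdates(path)
    dates[(fs, level)] = epoch
    with open(path, "w") as f:
        for (name, lvl), ts in sorted(dates.items()):
            f.write(f"{name} {lvl} {ts:.0f}\n")


def files_changed_since(root, since):
    """No archive bit on Unix: select regular files whose mtime is newer than 'since'."""
    chosen = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mtime > since:
                chosen.append(os.path.relpath(path, root))
    return sorted(chosen)


def run_level_backup(root, level, dumpdates, now=None):
    """Level 0 takes everything; level N takes files changed since the newest dump of a
    lower level. Returns the relative paths selected and updates the dumpdates record."""
    now = time.time() if now is None else now
    since = 0.0
    if level > 0:
        lower = [ts for (fs, lvl), ts in read_dumpdates(dumpdates).items()
                 if fs == root and lvl < level]
        since = max(lower, default=0.0)
    chosen = files_changed_since(root, since)
    write_dumpdates(dumpdates, root, level, now)
    return chosen


def _touch(path, mtime):
    """Create the file if needed and set its mtime (constructed timestamps)."""
    open(path, "a").close()
    os.utime(path, (mtime, mtime))


def demo():
    """A short dump schedule with constructed epoch times; returns each dump's selection."""
    base = 1_000_000_000.0  # constructed epoch, well in the past
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "usr")
        os.makedirs(root)
        dumpdates = os.path.join(tmp, "dumpdates")
        _touch(os.path.join(root, "a.txt"), base)
        _touch(os.path.join(root, "b.txt"), base)
        level0 = run_level_backup(root, 0, dumpdates, now=base + 100)
        _touch(os.path.join(root, "b.txt"), base + 200)  # b.txt edited after the level 0
        level1 = run_level_backup(root, 1, dumpdates, now=base + 300)
        _touch(os.path.join(root, "c.txt"), base + 400)  # a new file
        level2 = run_level_backup(root, 2, dumpdates, now=base + 500)
        level1_again = run_level_backup(root, 1, dumpdates, now=base + 600)
        return level0, level1, level2, level1_again


if __name__ == "__main__":
    print(demo())
```

The second level-1 dump picks up both b.txt and c.txt because it measures from the level 0, not from the level 2 that ran in between; that is the dump-level analogue of the differential backup described for Windows. The caveat mirrors the attrib remark earlier in this section: mtime belongs to the file's owner, so a file whose timestamp has been set back before the last dump is skipped exactly as a file whose archive bit was cleared by hand, which is one more reason to take a periodic level 0 that ignores dates altogether.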


• Disks crash, or have sectors go bad
• Fires, floods, and smoke damage happen
• Make backups, label them well, keep a set offsite
• Test backups, randomly select files and restore

You know the philosophy of this course by now. We are hoping you will experiment with a Windows backup tool and at least tar on Unix. Remember, these are tools that you know will always be available. If you have used them before you are under fire, you will be one step ahead of the game. I would like to close this section with an exhortation to take backups seriously.

When I was writing the book Network Intrusion Detection, I was really paranoid. I backed up every day, and once a week I would carry a zip disk to my neighbor’s house in case I suffered a disk crash. When I teach for SANS, I carry a CDROM with a backup of all my course files as well as a zip disk. That way, if my laptop goes belly up, I can still teach using the CD and someone else’s computers. Your data is valuable; in some sense it is the embodiment of your time. Take care of it! One reason to be religious about your backups is the threat from the nasty new viruses and malicious code that destroy files. They are the subject of the next section in this course.


Virus

A computer virus is a self-replicating program containing code that explicitly copies itself and that can "infect" other programs by modifying them or their environment such that a call to an infected program implies a call to a possibly evolved copy of the virus.

The two basic types are:

• File Infectors
• Boot Record Infectors

http://www.faqs.org/faqs/computer-virus/faq/index.html

Many people use the term virus to cover any sort of program that tries to hide its malicious function and tries to spread onto as many computers as possible, though some of these programs may more correctly be called "worms" or "Trojan Horses.” We will cover these definitions, but the important thing is that we know how these things spread and how to kill them.

I am recording this section in October 2000. What a year it has been… massive DDOS attacks in February, now the ILOVEYOU and friends virus attacks, not to mention the crazy worms like KAK and QAZ. All we need now is the joining of the three! I imagine it won’t be all that long until we see a virus that does something really endearing like a massive denial of service attack; there are already hints of this on the internet. It requires a concerted effort from computer users to be "virus-aware," rather than continuing the ambivalence that has allowed computer viruses to become such a problem. Computer viruses are actually a special case of something known as “malicious logic” or “malware”. Malware accounts for a huge and growing reason for loss of data, time and resources.

A couple of interesting notes: Jerusalem (one of the 1st viruses) took over 9 years to propagate, Melissa took about 2 days, while ILOVEYOU took about 4 hours. Second, with a few rare exceptions, which we will cover, most malware requires some form of human intervention to start propagating, be it installing a program, clicking an email attachment, etc.

And, while we are on the subject, virus hoaxes are email intended to scare people about a non-existent threat and are often forwarded to fellow workers as an alert. Hoaxes represent a serious threat to email systems due to the traffic they generate.


Worm

A computer WORM is a self-reproducing program (or set of programs), that is able to spread functional copies of itself (or its segments) to other computer systems, usually via network connections. WORM is also being used to describe malware that propagates with no direct action by a user.

Viruses, unlike worms, require a host program; they are not self contained.

Worm is currently being used primarily to describe malware that propagates with no action from the user. The textbooks and FAQs may need a bit of time to catch up. The primary in-the-wild examples are KAK and now QAZ, which both rely on unprotected shares, but when you take this course, no doubt another variant will be running.

There are two types of worms: host computer worms and network worms. Host computer worms are entirely contained in the computer they run on and use network connections only to copy themselves to other computers. With host computer worms, the original terminates itself after launching a copy on another host (so there is only one copy of the worm running somewhere on the network at any given moment). These are sometimes called "rabbits." Network worms consist of multiple parts (called "segments"), each running on different machines (and possibly performing different actions). They use the network for several communication purposes. Propagating a segment from one machine to another is only one of those purposes.


Trojan Horse

A TROJAN HORSE is a program that does something undocumented that the programmer intended, but that some users or system owners almost certainly would not approve of if they knew about it.

We all know the story of Troy and the Trojan Horse; why is this relevant today? Trojan Horse code could exist in anything you download. One of the most well known examples is the RingZero Trojan. The reason for the early discovery was that a cable modem user named Roland Grefer noticed a TCP scan pattern of ports 80, 8080, 3128 and remarked that it was odd. When we asked around, the pattern was being seen all over the world. Over seven thousand infections were detected in less than a week. Users downloaded an attachment thinking, at least in some cases, they were getting some free software, but they were loading the Trojan. The famous Melissa virus is in some sense loosely related to Trojans. It originally spread from an alt.sex newsgroup. Users thought they were downloading pictures, but were either doing auto download or were not checking file extensions. I am sure this comment will offend some malware taxonomy purist, since Melissa is not, strictly speaking, a Trojan, but it does emphasize that deception of one form or another is a big part of how these attacks spread.


COM program infectors

[Figure: a COM program (START … END) beside an infected COMVIRUS layout, where a JUMP placed at the start of the program transfers control to the appended VIRUS code.]

How do program files become infected? We will consider com and exe files.

COM file viruses attach themselves to their target in one of three ways - by prepending to the beginning, by appending to the end, or by overwriting part of the file.

A prepending virus gains control when the first instruction of the infected COM file is executed. The virus runs and then passes control to the original program. Because of this, users may not notice anything different.

An appending virus writes an instruction to jump at the first instruction in the file. This jump will take execution to the virus, which later returns control to the COM program.

Overwriting viruses simply write their code to the beginning of the file. These viruses therefore destroy the original program. More sophisticated overwriting viruses will make a copy of the portion that they overwrite which can later be executed - all in an effort to remain covert.


EXE program infectors

[Figure: Original EXE Program (Header holding CS:IP and SIZE, then the Load Image) beside Infected EXE Program (Header holding VCS:VIP and VSIZE, then the Load Image followed by VIRUS START).]

.com files are small enough, 64k, to have a single part or code segment. The larger executables (.exe) consist of two parts - the header, and the load image. The header contains, among other things, a pointer that points to the first instruction to be executed in the load image. The pointer (CS:IP) consists of a pair of values - the code segment (CS), and instruction pointer (IP). A header entry named SIZE stores the size of the load image.

When the executable is infected, these header entries are altered. CS:IP becomes VCS:VIP and now points to the start of the appended viral code. SIZE increases to VSIZE and measures the size of the infected load image. Running the infected program will cause a jump to the virus load image. When completed, the viral code hands execution back to the original program.
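The header fields the slide names, CS:IP and SIZE, are real entries of the DOS MZ header, so a defender can record them for the programs on a known-good system and diff them later, which is the same baseline idea the course applies to CHKDSK and MEM. The Python below is an added example, not course code: `parse_mz` reads the entry pointer and the load-image size from the header, `compare_to_baseline` reports the changes described above (SIZE grown, CS:IP moved, entry point past the original image), and `build_sample` constructs synthetic files whose load image is all zero bytes, so there is no program, let alone a virus, in them.

```python
import struct

# DOS MZ header, first 28 bytes. The slide's CS:IP is e_cs:e_ip; its SIZE is derived
# from e_cp/e_cblp (file length) minus e_cparhdr (header length in 16-byte paragraphs).
_MZ = struct.Struct("<2s13H")
_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc", "e_maxalloc",
           "e_ss", "e_sp", "e_csum", "e_ip", "e_cs", "e_lfarlc", "e_ovno")


def parse_mz(data):
    """Return CS, IP, the load image SIZE and the entry offset within the image."""
    if len(data) < _MZ.size:
        raise ValueError("too short to hold an MZ header")
    hdr = dict(zip(_FIELDS, _MZ.unpack_from(data)))
    if hdr["e_magic"] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    file_size = hdr["e_cp"] * 512          # e_cp counts 512-byte pages ...
    if hdr["e_cblp"]:
        file_size -= 512 - hdr["e_cblp"]   # ... e_cblp is how much of the last page is used
    header_size = hdr["e_cparhdr"] * 16
    return {
        "cs": hdr["e_cs"],
        "ip": hdr["e_ip"],
        "size": file_size - header_size,         # SIZE on the slide
        "entry": hdr["e_cs"] * 16 + hdr["e_ip"],  # where CS:IP lands inside the image
    }


def compare_to_baseline(baseline, current):
    """List the header changes an appending EXE infector leaves: SIZE grows to VSIZE,
    CS:IP becomes VCS:VIP, and the entry point moves past the original image."""
    findings = []
    if current["size"] != baseline["size"]:
        findings.append(f"SIZE {baseline['size']} -> {current['size']}")
    if (current["cs"], current["ip"]) != (baseline["cs"], baseline["ip"]):
        findings.append(f"CS:IP {baseline['cs']:04X}:{baseline['ip']:04X} -> "
                        f"{current['cs']:04X}:{current['ip']:04X}")
    if current["entry"] >= baseline["size"]:
        findings.append("entry point lies beyond the original load image")
    return findings


def build_sample(image_len, cs=0, ip=0):
    """Construct a synthetic MZ file: a 32-byte header and a zero-filled load image.
    There is no real program in it; it only exercises the header arithmetic."""
    header_paras = 2                                  # 32-byte header
    total = header_paras * 16 + image_len
    e_cp, e_cblp = divmod(total, 512)
    if e_cblp:
        e_cp += 1                                     # a partial last page still counts
    hdr = _MZ.pack(b"MZ", e_cblp, e_cp, 0, header_paras, 0, 0xFFFF,
                   0, 0, 0, ip, cs, _MZ.size, 0)
    padding = b"\x00" * (header_paras * 16 - _MZ.size)
    return hdr + padding + b"\x00" * image_len


if __name__ == "__main__":
    clean = parse_mz(build_sample(100))
    # A record like 'clean' is what you keep for each program on a known-good system.
    grown = parse_mz(build_sample(140, cs=0, ip=100))  # image extended, entry moved to byte 100
    for line in compare_to_baseline(clean, grown):
        print(line)
```

A record of `(cs, ip, size)` per executable is cheap to keep next to the mem.txt the course recommends, and the third finding is the one that needs no baseline at all: an entry point that falls in the last few bytes of the image is worth a closer look even on a machine you have never seen before.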


Boot Sector Infector

• Floppy boot record (FBR)
• Master boot record (MBR)
• Dos boot sector (DBS or PBR)
• No network spreading potential

Memory resident boot sector viruses will attempt to intercept calls to Anti-Virus s/w.

The next virus we'll examine is the boot infector. Every disk has a boot sector (regardless of whether or not it is actually bootable). When a computer is powered up, it looks for boot information according to a list provided by the computer BIOS. If any of the media in the drives specified in the BIOS list has a boot sector virus, the infection will get transferred to the boot drive. Once the infection is complete, the virus will get loaded into memory at startup. From there the virus can be spread to every disk that is read after startup. Results of the infection can range from nuisance (if at all) to destruction of boot information, to need for a complete format of the hard disk. Floppy disks contain a floppy boot record (FBR) which can harbor a virus. If a system is booted from such a floppy, the virus will load and infect the hard disk. Viruses on hard disks infect either the master boot record (MBR) or the partition boot record (PBR). The MBR is the first place the BIOS looks when booting from a hard drive.

[Editor's note: since the boot sector code is executed before applications are loaded, this gives boot sector viruses an advantage over Anti-Virus software.]


• Monitors disk I/O, redirects attempts to read an infected disk area to a disk area where the original disk boot sector information is stored

If a boot sector virus is present, it can seize control of the hardware before the operating system even sees the light of day! PBRs are executed after the bootstrap program in the MBR passes on control to the active partition. Operating system files that are present on a partition are loaded according to instructions in the PBR. Like the MBR infection, if a virus is present it will be loaded before the operating system.

It will be beneficial to compare two early viruses, Brain and Stoned. Brain, the first virus, has all but died out, mostly because it only knows how to write on 360k floppies, which also have all but died out. It is NOT because people are running anti-virus software. It does no harm, and puts a volume label © Brain on diskettes.


• Triggered 1 in 8 times, writing 'Your computer is now stoned. Legalize marijuana.'
• Many variants over time
• To investigate, run CHKDSK or MEM on suspect floppy and also on clean floppy; these are good commands to know.

Brain is a great case in point for the danger of malicious code. The first virus was stealthed. If you saw the disk label and then tried to read your boot sector, it would transfer the read to a clean copy of the original information. This meant a user might compare a clean disk and an infected disk and not find a difference.

A year after Brain was created in 1987, the most common virus in the world in terms of total infections, the Stoned virus, was unleashed. It is still active today. Walk to any high school in the country and scan the disks the students have. You should find the Stoned virus. When we point out threats in this course, try to keep in mind this isn’t science fiction, this is history.

Now we are going to look at two tools that may help you discover what is going on if you have a virus, CHKDSK and MEM.


A:\>chkdsk
 Volume Serial Number is 1112-15D8

 1,457,664 bytes total disk space
    67,072 bytes in 1 user files
 1,390,592 bytes available on disk

       512 bytes in each allocation unit
     2,847 total allocation units on disk
     2,716 available allocation units on disk

   655,360 total bytes memory
   615,120 bytes free

The best way to find any virus will normally be by running anti-virus software, but when a virus is first released, signatures may not be available. We already introduced CHKDSK in the previous section, but as we look at these two specific tools, we want to establish a general principle for investigating security incidents.

If the system is infected with malware and an anti-virus signature is not available yet, then what we may need to do is use tools to investigate the system and compare this against a known good system or our records from earlier work. This is why using tools like Dr Watson or ScanDisk and creating a log for reference later is a wise idea.

As you have already seen from the examples of com and exe viruses, these will tend to change the size of the programs. Also, memory resident viruses will affect the amount of memory available.


Total Expanded (EMS)              63M   (66,469,888 bytes)
Free Expanded (EMS)               16M   (16,777,216 bytes)
Largest executable program size  600K      (614,832 bytes)
Largest free upper memory block    0K            (0 bytes)
MS-DOS is resident in the high memory area

This slide shows the use of mem to determine how memory is being used on this system. Now, unless you have two systems that are exactly alike, a very unlikely scenario, you will need a record before an infection occurs.

C:\>mem > mem.txt will put the contents of mem into the file mem.txt so that you have it for reference. If you want to make sure it worked you can enter:

C:\>type mem.txt
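The general principle of the last two slides, keep a record of a known-good system and compare against it when no signature exists yet, is easy to automate once the saved output is turned into numbers. The Python below is an added example and not part of the course: `parse_report` reads chkdsk-style lines (number first) and mem-style lines (byte count in parentheses) like those shown on the slides, and `compare_reports` lists every value that moved. The baseline strings are the slides' own figures; the "suspect" runs are constructed by altering a few of those values, since no infected output appears in the notes.

```python
import re

# Baseline records, the figures from the two slides (known-good system).
BASELINE_CHKDSK = """\
 Volume Serial Number is 1112-15D8
 1,457,664 bytes total disk space
    67,072 bytes in 1 user files
 1,390,592 bytes available on disk
       512 bytes in each allocation unit
     2,847 total allocation units on disk
     2,716 available allocation units on disk
   655,360 total bytes memory
   615,120 bytes free
"""

BASELINE_MEM = """\
Total Expanded (EMS)              63M   (66,469,888 bytes)
Free Expanded (EMS)               16M   (16,777,216 bytes)
Largest executable program size  600K      (614,832 bytes)
Largest free upper memory block    0K            (0 bytes)
MS-DOS is resident in the high memory area
"""

# Constructed "later" runs: two chkdsk values and one mem value have shifted.
SUSPECT_CHKDSK = BASELINE_CHKDSK.replace("615,120 bytes free", "613,072 bytes free")
SUSPECT_CHKDSK = SUSPECT_CHKDSK.replace("67,072 bytes in 1 user files",
                                        "69,120 bytes in 1 user files")
SUSPECT_MEM = BASELINE_MEM.replace("(614,832 bytes)", "(612,784 bytes)")

_LEADING = re.compile(r"^\s*([\d,]+)\s+(.+?)\s*$")                      # chkdsk layout
_TRAILING = re.compile(r"^\s*(.+?)\s+\d+[KM]?\s+\(([\d,]+) bytes\)\s*$")  # mem layout


def parse_report(text):
    """Turn chkdsk/mem output into {description: integer}, e.g. 'bytes free' -> 615120."""
    metrics = {}
    for line in text.splitlines():
        m = _TRAILING.match(line)
        if m:
            metrics[m.group(1)] = int(m.group(2).replace(",", ""))
            continue
        m = _LEADING.match(line)
        if m:
            metrics[m.group(2)] = int(m.group(1).replace(",", ""))
    return metrics


def compare_reports(baseline_text, current_text):
    """Return (description, before, after) for every value that differs from the baseline."""
    before, after = parse_report(baseline_text), parse_report(current_text)
    changes = []
    for key, value in before.items():
        if key in after and after[key] != value:
            changes.append((key, value, after[key]))
    for key, value in after.items():
        if key not in before:
            changes.append((key, None, value))
    return changes


if __name__ == "__main__":
    # In practice 'current' would be read from a fresh 'mem > mem.txt' or chkdsk run.
    for change in compare_reports(BASELINE_CHKDSK, SUSPECT_CHKDSK):
        print("chkdsk:", change)
    for change in compare_reports(BASELINE_MEM, SUSPECT_MEM):
        print("mem:", change)
```

Two of the three differences are exactly the symptoms the notes tell you to expect: a bigger user-file total (program files grew) and less free conventional memory (something is now resident). Keeping the parsed numbers rather than the raw text also makes the log the course recommends easy to compare across many machines.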

Multipartite viruses are hybrids of boot infectors and program viruses. When executed as a program, boot sectors become infected, and vice versa - if multipartite infected media are booted, program files get infected. Multipartite viruses provide a mechanism by which boot-sector viruses can get around on networks (they travel as program files). Boot-sector viruses can not, on their own, infect across networks. This is because the MS network protocols do not support direct write, sector level operations. Boot sector viruses travel by exchange of physical media such as floppy disks.


Macro Virus

• Macro viruses
  – Targets are data files, e.g. *.doc
  – Written in ‘macro languages’
  – e.g. Melissa, ILOVEYOU, Resume macro viruses – See commands using Visual Basic Editor
• High network spreading potential!

Macro viruses can spread when documents are shared or as email attachments. When a document or email is opened, the malicious virus is executed without the user's knowledge. Document macros infect templates and all future documents that are opened. Malicious email macros access the user's address book and forward email with the virus macro attached. For this reason, macro viruses have a huge potential to spread over networks. The W97M/Class or "Microsoft Word 97 Macro Class virus" is an example that is very common. This malicious macro travels in the ThisDocument module of Word 97, which is present in all documents.

It executes on any language version of Word, even if SR-1, which stops most other viruses, is installed. These macros use a temporary file to copy their code, turn off Word's virus protection, which is shown on the screen above, turn off prompts to save templates such as NORMAL.DOT, and other user alerts, all in an effort to hide from detection. It is not uncommon for the malicious code to exhibit polymorphism characteristics and insert semi-random comments between their lines of code. The game of the malware author is to exploit application characteristics to avoid detection.
