
Covering tracks — Hiding files on Windows/Linux/MacOS By Blackhat pakistan 2023

In this article we look at covering tracks, specifically at hiding files on Windows, Linux and macOS.

An introduction to file hiding (covering tracks)


After gaining access to a system, an attacker normally needs to cover their tracks to avoid detection. Many antivirus products work by enumerating the files stored on the file system and comparing them against signatures of known malware variants. If the attacker can hide the existence of their files from AV and other security tools, the likelihood of detection drops dramatically.

Hide files


There are a number of options for hiding files on a computer. In general, there is a trade-off between how effective a technique is and the level of privileges needed to use it. The methods that are hardest for users and tools to detect typically require elevated privileges on the system, while the more accessible methods are much easier to detect.


Different methods of hiding files may be specific to a particular operating system, but many apply generally. Some of the options for hiding files on a system include:

  • Hidden files and folders
  • Unexpected locations
  • Alternate data streams
  • Function modification
  • Function hooking


The sections below give a brief introduction to each of these techniques and an overview of their advantages and disadvantages.

Hidden files and folders


One of the simplest and best-known methods of hiding files is the hidden file attribute. This feature is built into most operating systems so that users do not accidentally interfere with files they should not touch.

On Windows, files can be marked hidden with the attrib.exe utility (attrib +h) or from the file's Properties dialog in File Explorer. On Linux, any file whose name begins with a dot is treated as hidden by default. macOS honors dot-prefixed names in the same way and additionally has a per-file hidden flag that can be set with chflags hidden, which Finder respects.

While this is probably the simplest way to hide a file, it is also the easiest to detect. The technique is well known, and it is trivial to configure Windows File Explorer to show hidden items or to run ls -a on *nix.
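The check a responder would actually run is a walk that applies each platform's own "hidden" rule rather than trusting the default listing. The following is an added example, not code from the original article: it reports every entry that Windows (FILE_ATTRIBUTE_HIDDEN), Linux (dot prefix) or macOS (dot prefix or the UF_HIDDEN flag) would hide. The directory contents in demo() are constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added example, not from the original article: report every entry that the
# OS would hide from a default listing, using the per-platform rules the
# article describes. Windows: the FILE_ATTRIBUTE_HIDDEN bit ("attrib +h").
# Linux and macOS: a name starting with ".". macOS only: the UF_HIDDEN file
# flag ("chflags hidden"). The directory contents in demo() are constructed.

FILE_ATTRIBUTE_HIDDEN = 0x2   # Win32 attribute bit; same value as stat.FILE_ATTRIBUTE_HIDDEN


def is_hidden(path):
    """True if a default directory listing on this OS would not show path."""
    p = Path(path)
    if os.name != "nt" and p.name.startswith("."):
        return True
    st = p.lstat()
    # st_file_attributes is only present in the Windows stat result.
    if getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN:
        return True
    # st_flags is only present on BSD-derived systems such as macOS.
    if getattr(st, "st_flags", 0) & getattr(stat, "UF_HIDDEN", 0):
        return True
    return False


def find_hidden(root):
    """Walk root and return the sorted relative paths of all hidden entries."""
    root = Path(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = Path(dirpath) / name
            if is_hidden(full):
                found.append(str(full.relative_to(root)))
    return sorted(found)


def demo():
    """Constructed sample: one visible file and one hidden file."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "report.txt").write_text("visible\n")
        hidden = Path(tmp) / ".cache.bin"
        hidden.write_bytes(b"\x00constructed payload")
        if os.name == "nt":
            # A leading dot means nothing to Windows; set the attribute instead.
            import ctypes
            ctypes.windll.kernel32.SetFileAttributesW(str(hidden), FILE_ATTRIBUTE_HIDDEN)
        return find_hidden(tmp)


if __name__ == "__main__":
    print(demo())   # ['.cache.bin']
```

Point find_hidden() at a user profile or a web root and compare the result with what the user expects to be there; a hidden executable in a location that normally holds only documents is worth a closer look. Note that this only catches the attribute-based technique; it says nothing about files hidden by a modified ls or a kernel hook.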

Unexpected locations


Another simple way to hide files from a user is to place them somewhere the user is unlikely to look. The files are plainly visible to anyone who searches for them, but few users ever do.

One example is placing a malicious file in the Windows Recycle Bin. Most users ignore the Recycle Bin and may assume that anything in it has already been dealt with by the antivirus. However, a file placed there is an ordinary file on disk and can still be executed and cause damage.

Another example of an unusual location is the System32 folder on Windows. Since this folder contains files vital to the operation of the operating system, most users will not browse it, let alone examine or delete a suspicious-looking file located there.

Alternate data streams


Alternate Data Streams (ADS) are a feature of the NTFS file system. They allow additional data, even entire files, to be attached to an existing file under a stream name. Standard tools such as dir and File Explorer only show the file's main data stream and its size, so the extra streams are not visible by default, which makes them a convenient place to stash malicious payloads or executables.

However, ADS are easy to detect if the user or tool knows to look for them. Sysinternals' Streams tool is one option, dir /r lists them, and PowerShell's Get-Item -Stream * shows them as well. Streams also do not survive a copy to a non-NTFS volume such as FAT or exFAT. Consequently, ADS are best suited to hiding files from casual inspection rather than from a deliberate search.
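To see both sides of the technique in one place, here is an added example (not code from the original article) that writes a named stream onto an ordinary text file using the file:stream path syntax, then enumerates every stream on that file through the Win32 FindFirstStreamW/FindNextStreamW API, which is the information dir /r and Get-Item -Stream * present. It is Windows-only; the file name and stream contents are constructed for the example.

```python
import ctypes
import os
import tempfile
from pathlib import Path

# Added example, not from the original article: create an NTFS alternate data
# stream with ordinary file I/O, then enumerate the streams on the file with
# the Win32 FindFirstStreamW/FindNextStreamW API (the same information that
# "dir /r" and PowerShell's Get-Item -Stream * display). Windows only; the
# file name and stream contents are constructed for the demo.

MAX_PATH = 260
ERROR_HANDLE_EOF = 38                         # "no more streams"
FIND_STREAM_INFO_STANDARD = 0                 # STREAM_INFO_LEVELS value
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def ads_supported():
    return os.name == "nt"


def list_streams(path):
    """Return [(stream_name, size_in_bytes), ...] for every stream of path.

    The unnamed main stream appears as '::$DATA'; a named stream 'x' appears
    as ':x:$DATA'. Raises OSError off Windows or when the volume (e.g. FAT,
    exFAT) has no stream support."""
    if not ads_supported():
        raise OSError("alternate data streams exist only on NTFS under Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    h = k32.FindFirstStreamW(str(path), FIND_STREAM_INFO_STANDARD,
                             ctypes.byref(data), 0)
    if h is None or h == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(h, ctypes.byref(data)):
                err = ctypes.get_last_error()
                if err == ERROR_HANDLE_EOF:
                    break
                raise ctypes.WinError(err)
    finally:
        k32.FindClose(h)
    return streams


def demo():
    """Constructed sample: an innocuous text file carrying a hidden stream."""
    with tempfile.TemporaryDirectory() as tmp:
        f = Path(tmp) / "notes.txt"
        f.write_text("nothing to see here\n")
        # "file:stream" is the NTFS syntax for a named stream.
        with open(str(f) + ":secret", "w") as s:
            s.write("constructed attacker payload\n")
        # f.stat().st_size still reports only the main stream's size.
        return [name for name, _ in list_streams(f)]


if __name__ == "__main__":
    print(demo())   # ['::$DATA', ':secret:$DATA']
```

Anything other than '::$DATA' in the output (ignoring the well-known Zone.Identifier stream that browsers add to downloads) deserves attention. A named stream can be removed with Remove-Item -Path notes.txt -Stream secret in PowerShell.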

Function modification


On both Windows and *nix, certain programs are responsible for listing the files on a file system. On Linux, for example, the ls command produces such a listing.

These programs can be modified to hide the presence of particular files. A trojaned version of ls can be built to silently omit files owned by the attacker.

This technique works only as long as the user does not notice that ls has been replaced. The modification is easily detected by comparing the binary's hash against a known-good value, and many security tools (file integrity monitors, and package verification such as rpm -V or debsums) perform exactly this comparison and alert on a discrepancy.
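The following added example (not code from the original article) shows the hash comparison in practice: a SHA-256 baseline is recorded while the system is trusted, a stand-in ls is then overwritten with a wrapper of the kind described above, and the check reports it as modified. The directory, file names and the wrapper contents are constructed for the example; nothing in it executes the wrapper.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Added example, not from the original article: a minimal file-integrity
# check. A baseline of SHA-256 hashes is taken while the host is trusted; a
# later run flags any binary whose hash no longer matches. The directory,
# file names and the "trojaned ls" text below are constructed for the demo.

# What a trojaned wrapper might look like: run the real binary, then filter
# the attacker's file names out of its output. Written to disk as sample
# content only; nothing here executes it.
TROJANED_LS = (
    "#!/bin/sh\n"
    "# wrapper left in place of the real ls: run it, then drop attacker names\n"
    "/usr/bin/.ls.real \"$@\" | grep -v -e '^\\.evil' -e 'loader\\.so'\n"
)


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths):
    """Hash every path; returns {path: hexdigest}. Run this while trusted."""
    return {str(p): sha256_file(p) for p in paths}


def verify(baseline):
    """Compare current state against a baseline.

    Returns {path: status} with status 'ok', 'modified' or 'missing'."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif sha256_file(path) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed scenario: baseline two stand-in binaries, trojan one."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "bin"
        bindir.mkdir()
        ls = bindir / "ls"
        cat = bindir / "cat"
        ls.write_bytes(b"\x7fELF stand-in for the real ls\n")    # constructed
        cat.write_bytes(b"\x7fELF stand-in for the real cat\n")  # constructed
        baseline = build_baseline([ls, cat])
        # In practice the baseline is stored off-host or on read-only media;
        # a baseline kept on the compromised machine can be edited too.
        saved = json.dumps(baseline)
        # Attacker swaps ls for a wrapper that hides its own files.
        ls.write_text(TROJANED_LS)
        ls.chmod(ls.stat().st_mode | stat.S_IXUSR)
        report = verify(json.loads(saved))
        return {os.path.basename(p): s for p, s in report.items()}


if __name__ == "__main__":
    print(demo())   # {'ls': 'modified', 'cat': 'ok'}
```

Two caveats apply when using this for real: the hashing tool itself must come from trusted media (a trojaned sha256sum can lie just as well as a trojaned ls), and a kernel-level hook can return the original bytes to any reader that opens the file, so hash checks from within a rooted system are not conclusive against the next technique.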

Function hooking


For those who want to hide their files from more than just regular users, function hooking is a better option. Function hooking is the technique rootkits use to hide malware on a system.

When an application asks for a list of the files on the computer, the running processes, and so on, it calls a low-level operating system function. That function runs, builds the list and returns it to the calling application.

With function hooking, the rootkit intercepts the calls and responses that pass between applications and these low-level functions. This lets it make sure that the file lists handed back never include the files it wants to keep hidden.

Function hooking is possible because many of these low-level functions run in the operating system kernel while the application runs in user mode, so every request has to cross a well-defined boundary. On Windows, applications enter the kernel through a system call: older versions used a software interrupt (int 2Eh), and modern ones use the SYSENTER or SYSCALL instruction, whose kernel-side entry address is held in a model-specific register (MSR). Both the interrupt handler and the MSR can be redirected by a rootkit, which then sees every call into the kernel.

Alternatively, the System Service Descriptor Table (SSDT) is a kernel table holding pointers to the kernel's system service routines. If a rootkit overwrites selected entries so that they point to code under its control, it can inspect and filter every attempt to enumerate files. Note that on 64-bit Windows, Kernel Patch Protection (PatchGuard) detects SSDT modification and crashes the system, so this classic technique is largely confined to 32-bit systems unless PatchGuard is defeated first.

Regardless of the specific method used, function hooking is one of the most effective means of hiding files on a system. However, it also requires a high level of access, typically administrator or root privileges and, on modern Windows, the ability to load a signed kernel driver, because kernel data structures must be modified.
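A kernel hook cannot be demonstrated safely in a few lines, but the interception pattern above can. The following added example (not code from the original article or any real rootkit) reproduces it in user space: os.listdir is replaced inside the interpreter so every caller receives a filtered listing, exactly as a hooked SSDT entry would filter what the kernel returns. It also shows the cross-view check that rootkit detectors rely on: compare the answer from the hooked API with one obtained by an independent route. The HIDDEN_PREFIX and the directory contents are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Added example, not from the original article: the interception pattern the
# article describes, reproduced in user space. A kernel rootkit hooks SSDT
# entries or the syscall entry point; here the "hook" replaces os.listdir
# inside the interpreter so that every caller gets a filtered answer. The
# cross-view check compares the hooked API with an independent route to the
# same data, which is how cross-view rootkit detectors work.

HIDDEN_PREFIX = "rk_"          # constructed: names the "rootkit" wants hidden
_real_listdir = os.listdir     # saved pointer to the original, as a rootkit keeps


def hooked_listdir(path="."):
    """Call the real function, then strip the rootkit's own entries."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def install_hook():
    os.listdir = hooked_listdir


def remove_hook():
    os.listdir = _real_listdir


def cross_view(path):
    """Names present in an independent view but missing from the API view.

    A non-empty result means something between the caller and the data is
    filtering the listing."""
    api_view = set(os.listdir(path))
    # os.scandir is a separate implementation that our hook does not touch.
    # A real kernel hook would filter both, which is why serious detectors
    # build the second view by parsing the raw file system instead.
    raw_view = {entry.name for entry in os.scandir(path)}
    return sorted(raw_view - api_view)


def demo():
    """Constructed directory: one innocent file and two the hook hides."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("notes.txt", "rk_loader.so", "rk_config"):
            (Path(tmp) / name).write_text("constructed\n")
        before = sorted(os.listdir(tmp))
        install_hook()
        try:
            hooked = sorted(os.listdir(tmp))
            leaked = cross_view(tmp)
        finally:
            remove_hook()
        return {"before": before, "hooked": hooked, "cross_view": leaked}


if __name__ == "__main__":
    print(demo())
    # {'before': ['notes.txt', 'rk_config', 'rk_loader.so'],
    #  'hooked': ['notes.txt'],
    #  'cross_view': ['rk_config', 'rk_loader.so']}
```

The lesson carries over directly to the kernel case: a hooked system does not merely hide files, it lies consistently to everything that asks through the hooked path, so detection has to come from a path the hook does not control, such as parsing the disk offline or booting from trusted media.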

Conclusion: Covering your tracks


Hiding files on a compromised machine is a common step in covering tracks after gaining access. Each of the methods described here has its pros and cons, but between them they can hide an attacker's files from anyone, from a clueless user to a sophisticated antivirus.

