Someone stopped me in the hall this morning to ask about the talk Tim Tomes and I gave recently at Hackercon called “Lurking in the Shadows”. In that talk Tim and I discuss hiding Malware in Volume Shadow Copies and executing directly from the Volume Shadow Copies.
http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows
In our talk we also discuss Matt Graeber’s awesome discovery of embedded ADS streams in reserved names.
http://www.exploit-monday.com/2011/09/stealth-alternate-data-streams-and.html
A bit of history: Last year after watching Dan Crowly’s talk about bypassing IDS signatures using Kernel Device Object names I discovered that I could use those device names to create file object with reserved device names such as “CON”, “AUX”, “LPT1”, etc. Since these names have special meaning, Windows will not normally allow you to create files with those names. But by prepending our path with “?” we can bypass that restriction. Old school UnIx hackers can even create a “.. ” (dot dot space) directory using the syntax mkdir ?c:temp”.. “. Once these files are created, they are very difficult for someone to delete who doesn’t know about the “?” syntax. Then Matt discovered that if you add an alternate data stream to the reserved names that they are hidden from a “dir /r”
C:temp>mkdir ?c:temp".. "
C:temp>echo "dodge this" > ?c:tempCON
C:temp>echo "Matt's Stealth stream" > ?c:tempCON:stream1.txt
C:temp>type toolsputty.exe > ?c:tempCON:putty.exe
C:temp>dir /r c:temp
Volume in drive C has no label.
Volume Serial Number is 2CE0-6D68
Directory of c:temp
12/05/2011 09:41 AM <DIR> .
12/05/2011 09:41 AM <DIR> ..
12/05/2011 09:41 AM <DIR> ..
11/10/2011 03:08 PM <SYMLINKD> AUX [...]
11/20/2011 09:44 PM 13 CON
10/28/2011 01:10 PM 9 file.txt
483,328 file.txt:putty.exe:$DATA
11/21/2011 08:57 AM <SYMLINKD> tofile [c:tempfile.txt]
2 File(s) 22 bytes
4 Dir(s) 21,102,100,480 bytes free
In this directory there is a file called “CON” that has some alternate data streams attached to it. Even though “dir /r” shows you the ADS attached to “file.txt” it doesn’t show you the ADS attached to CON. There is also a file called “AUX” in this folder that is a symbolic link to somewhere, but it doesn’t tell us where. These “reserve device name” files are difficult to use if you don’t know to prepend your commands with “?”. But with the correct syntax you can access data stored in these files or execute programs stored in the streams.
NOTE: Although it is not the focus of this post, the reserved name of “.. ” (dot dot space) has some interesting attribute. You can’t change into that directory from the command prompt (ie cd ?c:temp”.. ” doesn’t work). But you can put files in to the directory and execute files from the directory! If you try to browse the directory with Explorer it behaves oddly and doesn’t change to that directory the FIRST time you click it, but it does the SECOND time. When you drill down and see the files in that directory, you will only have a very limited ability to interact with them.
Back to our story.. This morning someone asked if there was any way to detect the use of Stealth ADS Streams using built in tools. The answer is, “of course!” If you provide “dir /r” with the full path to a directory and you prepend the directory with “?” you will be able to see the otherwise hidden Alternate Data Stream.
C:temp>dir /r ?c:temp
Volume in drive ?c: has no label.
Volume Serial Number is 2CE0-6D68
Directory of ?c:temp
12/05/2011 09:41 AM <DIR> .
12/05/2011 09:41 AM <DIR> ..
12/05/2011 09:41 AM <DIR> ..
11/10/2011 03:08 PM <SYMLINKD> AUX [?GLOBALROOTDeviceHarddiskVolumeShadowCopy15]
11/20/2011 09:44 PM 13 CON
483,328 CON:putty.exe:$DATA
13 CON:stream1.txt:$DATA
10/28/2011 01:10 PM 9 file.txt
483,328 file.txt:putty.exe:$DATA
11/21/2011 08:57 AM <SYMLINKD> tofile [c:tempfile.txt]
2 File(s) 22 bytes
4 Dir(s) 21,102,100,480 bytes free
C:temp>
Notice that this time we see the streams attached to the CON file. We can also see that the AUX file points to a device name for a volume shadow copy. I wonder what that is all about. :)
Follow me on Twitter @MarkBaggett
Join me and Ed Skoudis for SANS 560 Network Penetration Testing and Ethical Hacking vLive ! Starting January 10, 2012 CLICK HERE for more information.
