Anti-Forensic Rootkits – Darren Bilby

March 7, 2008

Anti-Forensic Rootkits – Darren Bilby

 

Incident response and digital forensics are fast moving fields which have made significant progress over the last couple of years. This means new techniques and tools, one of these is live forensic capture. Live forensics capture means taking an image of a machine while the machine is still running, this is brilliant for the investigators and is becoming common practice.Unfortunately the rootkit premise of “whoever hooks lowest wins” kicks in. So, despite assurances from major forensics software vendors it is possible to give an investigator seemingly valid but completely spurious data.

To prove this isn’t just theoretical (as has been claimed) I created an implementation called “ddefy” which is a kernel mode anti-forensic rootkit for Windows systems. This talk will be relatively low level, covering NTFS internals, NT storage architecture, Windows kernel rootkit methods, forensic techniques and their corresponding anti-forensic counterpart. Check out the Powerpoint presentation here. Note neither source nor binaries have been made available for this.

Bio:

Darren Bilby is a principal consultant at Security-Assessment.com and is currently based in Auckland, New Zealand. Darren has worked in a variety of places from Linux development houses to banks. When he isn’t performing intrusion testing for clients, he is regularly involved in incident response in both UNIX and Windows environments and is technical lead for the Security-Assessment.com CSIRT team. This means bit wrangling with all forms of custom and targeted malware, and gathering evidence for presentation in court.
BR> He is an active researcher and codesmith and his current projects include new forensic and anti-forensic techniques as well as VoIP hacking tools.

ID Cards will be unha-ha-ha-ckable…

March 7, 2008

From TheRegister

By John Leyden, Friday March 7 2008.

” Security experts have rubbished claims by the Home Secretary that databases for the controversial National ID Cards will be “unhackable” because they are being kept off the public internet.

In an interview with BBC Radio 4’s Today programme on Thursday, Jacqui Smith said “none of the [ID card] databases will be online, so it won’t be possible to hack into them”. Experts, such as GCHQ accredited penetration testing firm SecureTest, said the Home Secretary’s claims demonstrate complete lack of understanding of the security issues affecting databases.

“There are numerous routes to compromise a database that is not available on the public internet,” SecureTest managing director Ken Munro told El Reg.

Internal attacks, where a database could be compromised by an employee or visitor from the inside, and attacks via email are both possible vectors. If an external hacker was able to deliver an exploit to an unsuspecting internal user via email he might be able to get access to a machine that in turn allowed him access to the database.

“The Government Secure Intranet (GSI) mail filtering systems are not sufficient to prevent an unknown [zero day] vulnerability being delivered by email. Using this, the exploited machine would connect outbound to a third party, giving a degree of remote address, and potentially access to the database,” Munro explained.

The UK’s National Infrastructure Security Co-ordination Centre (NISCC), and other government agencies, have periodically warned of the active use of this kind of targeted attack since at least June 2005. The GSI’s mail filtering system is well designed and blocks many of these attacks, but it would be foolish to think it provides complete protection against such assaults.

Munro describes Smith’s faith in the inherent security of databases kept off the internet as “misguided” and symptomatic of wider government IT security shortcomings. “The minister’s lack of appreciation gives us great concern that government ministers have no significant understanding of security, as evidenced by the recent data losses on CD,” he said. “What hope have we got that the National ID card database will be any more secure?”

The Home Secretary’s interview with Today can be found here. Smith’s interview starts about the 12:00 minute mark and her comment on database security for the National ID Cards project can be found after the 18:20 mark.

In the course of her interview, Smith goes on to explain a revised rollout of ID cards, initially targeting non-EU foreign nationals and young adults. El Reg’s take on this “boil a frog” plan can be found here. “