Control of File and Folder Integrity

Previous page
Table of content
Next page

To conceal their presence in the affected system, intruders often change or substitute various programs in such a way that the replacement programs perform the same functions, except those that would reveal the intruder's presence. After such changes, some programs can perform other specific actions than those ones designed by the developer.

Quite often, intruders modify log files in order to delete the records containing information on unauthorized activity.

Furthermore, intruders can write new files to your disk - executable files, for example - that allow them to bypass existing access-control mechanisms. Besides programs, user files also often become the targets of attack targets. Unauthorized access to user files can result in the exposure of confidential information or, for example, the alteration of recipient data in a user-generated invoice.

Sometimes intruders are also interested in public information, such as Internet servers. The example illustrated in Fig. 5.2 is rather interesting. Take a look at the banner in the upper part of the window, which is the evidence that the site has been hacked. But wait it was not the SecurityFocus site that was hacked, but rather the site of the Thruport company that places its advertising materials on the SecurityFocus site.

click to expand
Fig. 5.2. The hacked www.securityfocus.com server

Of course, you can go further than simply controlling changes to files and directories. Sometimes it is useful to control specific fields within a file, such as database fields or system-registry keys. Most unauthorized programs (especially "Trojan horses") use various components of the system registry to start automatically during booting of the operating system. These keys include:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

  • HKEY_USERS\DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

For example, the Donald Dick Trojan can be identified by the presence of the HKLM\System\CurrentControlSet\Service\VxD\VMLDR registry key (for Windows 9x), or the HKLM\SYSTEM\CurrentControlSet\Control\SessionManager registry key (for Windows NT). The BackOrifice Trojan can leave traces of its activity in HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices. This registry key, along with other keys, such as Run, RunOnce, RunServicesOnce, and RunOnceEx, is frequently used by various Trojans that need to load automatically at the system startup. For example, the NetBus Trojan can be detected by the presence of a key named after the Patch.exe file (Fig. 5.3).

click to expand
Fig. 5.3. Control over the Windows registry

The list of registry keys used by Trojans is constantly growing. For example, the Internet Scanner system, besides the keys that were already mentioned above, checks the following registry branches:

  • HKLM\Software\Microsoft\Windows\currentVersion\App Paths

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Controls Folder

  • HKLM\Software\Microsoft\Windows\CurrentVersion\DeleteFiles

  • HKIM\Software\Microsoft\Windows\CurrentVersion\Explorer

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Extensions

  • HKIM\Software\Microsoft\Windows\CurrentVersion\ExtShellViews

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings

  • HKTM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage

  • HKLM\Software\Microsoft\Windows\CurrentVersion\RenameFiles

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Setup

  • HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\drivers.desc

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\0

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Embedding

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\MCI

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Ports

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\WOW

To minimize the possibility of "Trojan horses," just do not allow them to register themselves in the Windows registry. This can be done by means of editing the default access rights to the above-listed registry keys. In Windows NT/2000, this task is performed using the built-in Regedt32.exe utility, while, in Windows XP, the same task is performed using Regedit.exe (Fig. 5.4).

click to expand
Fig. 5.4. Changing access rights to the system-registry keys


Previous page
Table of content
Next page
Protect Your Information with Intrusion Detection
Protect Your Information with Intrusion Detection (Power)
ISBN: 1931769117
EAN: 2147483647
Year: 2001
Pages: 152
Authors: A. Lukatsky, Alex Lukatsky
BUY ON AMAZON
The .NET Developers Guide to Directory Services Programming
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
C++ GUI Programming with Qt 3
Logistics and Retail Management: Emerging Issues and New Challenges in the Retail Supply Chain
Web Systems Design and Online Consumer Behavior
802.11 Wireless Networks: The Definitive Guide, Second Edition
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy