You might suspect that malicious code exists on a machine because …
- It accessed a web site or IP address known to have hosted malicious code.
- Anti-virus software detected malicious code. That’s a good reason to suspect additional malicious code escaped the anti-virus software. Anti-virus software could be making a false report, of course. Before you remediate (which usually means “reimage”), you should learn if there is any additional malicious code that has gone undetected.
What steps can you take to confirm (or partially deny) your suspicions? Start by looking at running processes; if, after that, you still think something malicious is present, look for files that someone has made an effort to hide. “Hidden” is not synonymous with “invisible”: merely going unnoticed will do.
Where could I find hidden files?
- The “hide in plain sight” strategy is at least as old as Poe’s “The Purloined Letter.” Its longevity reflects its effectiveness. Finding the files that don’t belong among the hundreds of files that do is a challenge. Having a table of known good files and their hash codes helps eliminate suspects. Using a utility to find unsigned executables, and confirming that the signatures that are found are authentic, will produce a long list that includes many benign conditions. See, for example, sigcheck from Sysinternals.
sigcheck -s -v c:\ >result.csv
- Suspect recently created files in C:\Winnt\System32 (or C:\Windows\System32). The date stamp is often left unmodified. Similarly, suspect recently created files in C:\Winnt (or C:\Windows) and in the user’s temporary files (C:\Documents and Settings\Local Settings\Temp). These files often have names like svchost.exe, spoolsv.exe, symwsc.exe, swupdtmr.exe or winservices.exe: names which resemble Windows components but are not.
- Suspect files that do not sort “correctly”. In an attempt to “hide in plain sight,” malware may use look-alike non-Latin Unicode characters to create innocent-looking filenames. Use the Character Map application to review the available characters, such as U+0441: it is a Cyrillic small letter Es, but it strongly resembles a Latin small letter c. Using such characters, a file named “C:\Program Files\Common Files\Οracle\wіnlogon.exe” can be created, but the “i” in winlogon.exe is not a Latin “i” and the “O” in Oracle is not a Latin “O”. These characters do not sort as their Latin counterparts do, which is what gives them away in a directory listing.
- The non-breaking space character (decimal 160, hexadecimal A0) can be used as a file name or folder name character. (Alt+160 on the numeric keypad types a non-breaking space character.) A file or folder has an icon as well, but the Properties dialog’s Customize tab, Change Icon button, reveals many blank icons. The result is an easily missed file or folder name.
- Hide in a system folder, such as “C:\Windows\Downloaded Program Files” (or “C:\Winnt\Downloaded Program Files”) or “C:\$RECYCLE.BIN”. There is a real “Downloaded Program Files” folder, but you won’t see its contents using Windows Explorer. Use a command window instead. Expect hidden and system files, and search subdirectories.
dir "C:\Windows\Downloaded Program Files" /ah /s
dir "C:\Windows\Downloaded Program Files" /s
- Hide using the Directory and System attributes. Foundstone’s hfind utility hunts for files with the hidden attribute, directories with the hidden attribute and directories with the system attribute. There are a lot of hidden files and folders, and so a lot of benign conditions to ignore.
hfind C: >> local.txt
hfind \\remote\c$ >> remote.txt
- Hide behind other files, using Alternate Data Streams (ADS). Foundstone’s sfind utility searches for just the streams. (Windows Explorer caches thumbnails using ADS. XP SP2 attaches a “Zone.Identifier” tag to downloaded files using ADS. These are benign uses.) The Heysoft LADS (List Alternate Data Streams) utility can search for ADS across the network. The Sysinternals streams utility can also be used to search for Alternate Data Streams.
streams -s *.*
- Rootkit technologies employ techniques to hide files from standard file system utilities. There are many utilities to find these technologies and what they are hiding. Sysinternals’ Rootkit Revealer reports some benign conditions. When used in conjunction with psexec (also a Sysinternals utility), it can scan remote systems.
psexec \\remote -c rootkitrevealer.exe -a c:\windows\system32\rootkit.log
See Invoke-PsExec when invoking psexec on multiple targets.
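As an added example (not from the original article), here is a Python scanner that applies the name-based heuristics from the items above to a list of files: look-alike Cyrillic or Greek letters, non-breaking-space names, Windows component names found outside System32, and recent creation under the Windows directory. The (path, creation time) records and the seven-day window are constructed assumptions; on a real system the records would come from a directory walk, and every hit is a suspect to triage, not a verdict.

```python
import unicodedata
from datetime import timedelta, datetime

# Genuine System32 components whose names malware borrows (the article's list).
IMPERSONATED = {"svchost.exe", "spoolsv.exe", "winlogon.exe", "lsass.exe", "csrss.exe"}
SYSTEM32 = ("c:\\windows\\system32\\", "c:\\winnt\\system32\\")
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\winnt\\")

def flag_name(path):
    """Reasons a path looks like a 'hide in plain sight' attempt (may be empty)."""
    reasons = []
    name = path.rsplit("\\", 1)[-1]
    # 1. A Cyrillic or Greek letter (e.g. U+0441, U+0456, U+039F) standing in for a Latin one.
    for ch in path:
        if ord(ch) > 127 and unicodedata.name(ch, "").startswith(("CYRILLIC", "GREEK")):
            reasons.append(f"non-Latin letter U+{ord(ch):04X} in path")
            break
    # 2. A component containing a non-breaking space (0xA0) or ending in whitespace.
    if any("\u00a0" in c or c != c.rstrip() for c in path.split("\\") if c):
        reasons.append("non-breaking or trailing whitespace in a path component")
    # 3. A System32 component name found outside System32.
    if name.lower() in IMPERSONATED and not path.lower().startswith(SYSTEM32):
        reasons.append(f"{name} outside System32")
    return reasons

def flag_recent(path, created, now, days=7):
    """Flag a file created within `days` days under the Windows directory."""
    if path.lower().startswith(SYSTEM_ROOTS) and now - created <= timedelta(days=days):
        return [f"created within {days} days in a system directory"]
    return []

def scan(records, now):
    """Map each suspect path to its reasons; clean paths are omitted."""
    hits = {}
    for path, created in records:
        reasons = flag_name(path) + flag_recent(path, created, now)
        if reasons:
            hits[path] = reasons
    return hits

# Constructed (path, creation time) records standing in for a real directory walk.
NOW = datetime(2024, 1, 15)
SAMPLE = [
    ("C:\\Windows\\System32\\svchost.exe", datetime(2020, 6, 1)),  # genuine, stays clean
    ("C:\\Documents and Settings\\bob\\Local Settings\\Temp\\svchost.exe", datetime(2024, 1, 14)),
    ("C:\\Program Files\\Common Files\\\u039fracle\\w\u0456nlogon.exe", datetime(2024, 1, 14)),
    ("C:\\Windows\\\u00a0\\update.exe", datetime(2023, 1, 1)),
    ("C:\\Windows\\System32\\drivers\\newdrv.sys", datetime(2024, 1, 13)),
]
```

The look-alike check reports the first non-Latin letter it meets; a legitimately localized path will trigger it too, which is exactly the kind of benign condition the article says to expect and rule out.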
Note that the above are aggressive but not exhaustive measures. To search rigorously for rootkits, for example, boot from an alternate drive and search the suspect drive from there. The measures given show how you can search for undetected malware at little cost.
Hidden data is a larger subject. There are many more places to hide data, within files, within slack space and within space no file is using (including sectors that have been marked as “bad”). If malware was hidden using these approaches, then non-standard file system drivers would be required to execute it. Find those files, the driver files, in order to find the additional hidden malware.