by Tan Chew Keong
Release Date: 15 June 2004
Sebek is a data capture tool designed to capture an attacker's activities on a honeypot without the attacker (hopefully) knowing it. It has two components. The first is a client that runs on the honeypots; its purpose is to capture all of the attacker's activities (keystrokes, file uploads, passwords) and then covertly send the data to the server. The second component is the server, which collects the data from the honeypots. The server normally runs on the Honeywall gateway.
This advisory shows that it is possible for an attacker to detect the presence of Sebek on a Win32 honeypot using various techniques.
Win32 Sebek 2.1.5 on Win2K SP4
The techniques that can be used to detect Sebek depend on the type of access that the attacker has on the
compromised honeypot.
Administrator or LOCAL SYSTEM Access
If the attacker manages to get Administrator or LOCAL SYSTEM access to the honeypot, he may use a kernel rootkit
detection tool to detect the presence of Sebek. The kernel rootkit detection tool that we used in this test is
KProcCheck 0.1. This detection tool is able to detect
loaded modules by direct traversal of the PsLoadedModuleList. It is also able to detect Native APIs that are hooked
by various modules. This tool works by loading a kernel driver, and thus must be run by a user with the SeLoadDriver
privilege (i.e. Administrator or LOCAL SYSTEM).
The following screen dump shows the modules that are enumerated by traversing PsLoadedModuleList.
C:\>kproccheck -d
KProcCheck Version 0.1 Proof-of-Concept by SIG^2 (www.security.org.sg)
80400000 - \WINNT\System32\ntoskrnl.exe
80062000 - \WINNT\System32\hal.dll
F7410000 - \WINNT\System32\BOOTVID.DLL
F7000000 - pci.sys
F7010000 - isapnp.sys
F7500000 - intelide.sys
F7280000 - \WINNT\System32\DRIVERS\PCIIDEX.SYS
F7288000 - MountMgr.sys
BFFE3000 - ftdisk.sys
F7502000 - Diskperf.sys
F75C8000 - \WINNT\System32\Drivers\WMILIB.SYS
F7504000 - dmload.sys
BFFC1000 - dmio.sys
F7414000 - PartMgr.sys
BFFAB000 - atapi.sys
F7290000 - disk.sys
F7020000 - \WINNT\System32\DRIVERS\CLASSPNP.SYS
BFF99000 - KSecDD.sys
BFF16000 - Ntfs.sys
BFEEC000 - NDIS.sys
F7298000 - SEBEK.sys
F7418000 - \WINNT\system32\drivers\TDI.SYS
BFED6000 - Mup.sys
The following screen dump shows the Native APIs that are hooked by SEBEK.sys.
C:\>kproccheck -t
KProcCheck Version 0.1 Proof-of-Concept by SIG^2 (www.security.org.sg)
Checks SDT for Hooked Native APIs
ZwClose 18 SEBEK.sys [F729A092]
ZwCreateFile 20 SEBEK.sys [F729A98C]
ZwCreateKey 23 SEBEK.sys [F729AD10]
ZwEnumerateKey 3C SEBEK.sys [F729AE02]
ZwEnumerateValueKey 3D SEBEK.sys [F729AA50]
ZwOpenFile 64 SEBEK.sys [F729A8E6]
ZwOpenKey 67 SEBEK.sys [F729AD88]
ZwQueryDirectoryFile 7D SEBEK.sys [F729A4CC]
ZwQuerySystemInformation 97 SEBEK.sys [F729A5F0]
ZwReadFile A1 SEBEK.sys [F7299CF0]
ZwRequestWaitReplyPort B0 SEBEK.sys [F7299F14]
ZwSecureConnectPort B8 SEBEK.sys [F7299FE6]
ZwWriteFile ED SEBEK.sys [F7299D48]
Number of Service Table entries hooked = 13
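A honeypot operator who wants to check what the two dumps above reveal about a deployment can cross-reference them. The following is an added Python example, not part of this advisory or of KProcCheck: it parses the -d and -t output, groups hooked services by the module KProcCheck attributes them to, reports any hooking module that is absent from the PsLoadedModuleList dump (which is what the unlinking counter-measure in the recommendations would produce), and, as a heuristic because the dump carries no module sizes, checks that each hook address lies in the named module. The sample input is constructed from the abridged dumps above.

```python
import re

# Constructed sample input, copied (abridged) from the advisory's two KProcCheck dumps.
MODULE_DUMP = """80400000 - \\WINNT\\System32\\ntoskrnl.exe
F7290000 - disk.sys
F7298000 - SEBEK.sys
F7410000 - \\WINNT\\System32\\BOOTVID.DLL"""
HOOK_DUMP = """ZwClose 18 SEBEK.sys [F729A092]
ZwCreateFile 20 SEBEK.sys [F729A98C]
ZwReadFile A1 SEBEK.sys [F7299CF0]
Number of Service Table entries hooked = 3"""
MODULE_RE = re.compile(r"^([0-9A-F]{8}) - (.+)$", re.I)
HOOK_RE = re.compile(r"^(\w+) ([0-9A-F]+) (\S+) \[([0-9A-F]{8})\]$", re.I)

def parse_modules(text):
    """Base address -> driver basename, from the '-d' (PsLoadedModuleList) dump."""
    mods = {}
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            mods[int(m.group(1), 16)] = m.group(2).rsplit("\\", 1)[-1]
    return mods

def parse_hooks(text):
    """List of (api, module, hook address) from the '-t' (hooked SDT) dump."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append((m.group(1), m.group(3), int(m.group(4), 16)))
    return hooks

def owning_module(addr, mods):
    """Heuristic (the dump carries no sizes): module with the greatest base <= addr."""
    bases = [b for b in mods if b <= addr]
    return mods[max(bases)] if bases else None

def analyse(module_dump, hook_dump):
    """Cross-check the dumps: who hooks what, whether every hooking module is still
    linked in PsLoadedModuleList, and whether each hook address lies in that module."""
    mods, hooks = parse_modules(module_dump), parse_hooks(hook_dump)
    by_module = {}
    for api, module, _ in hooks:
        by_module.setdefault(module, []).append(api)
    return {
        "hooks_by_module": by_module,
        "unlinked": sorted(m for m in by_module if m not in mods.values()),
        "addr_mismatch": [api for api, module, addr in hooks
                          if owning_module(addr, mods) != module],
    }
```

Run against the full dumps, a non-empty "unlinked" list means a module is hooking the service table while hidden from the module list, which is exactly the condition a PsLoadedModuleList walk alone would miss.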
In addition, if the attacker is able to map to a shared drive on the honeypot, he will be able to obtain
a directory listing of c:\winnt\system32\drivers\ and see the Sebek driver being listed. This is
illustrated below.
D:\>net use z: \\10.0.0.12\c$ /u:Administrator
The password or user name is invalid for \\10.0.0.12\c$.
Type the password for \\10.0.0.12\c$:
The command completed successfully.
D:\>z:
Z:\>cd\winnt\system32\drivers
Z:\WINNT\system32\drivers>dir se*
Volume in drive Z has no label.
Volume Serial Number is BC03-1AEF
Directory of Z:\WINNT\system32\drivers
01/23/2004 11:29a 23,808 SEBEK.sys
06/19/2003 12:05p 14,160 serenum.sys
06/19/2003 12:05p 62,736 serial.sys
09/25/1999 10:34a 17,136 sermouse.sys
4 File(s) 117,840 bytes
0 Dir(s) 3,139,506,176 bytes free
Z:\WINNT\system32\drivers>
Normal User Access
If the attacker only manages to get normal user access to the system, he may perform the following simple tests to
determine whether Sebek is installed. These tests assume that Sebek is installed using the default filename
SEBEK.sys, and not following the recommended procedures to rename the driver.
Test One
C:\>echo 1 > sebek.sys
The system cannot find the file specified.
Normally, the above error should not occur. It happens when Sebek is loaded because Sebek's hook on ZwCreateFile
returns STATUS_NO_SUCH_FILE whenever the string "SEBEK.sys" is found in the filename. This is regardless of whether
the request is to open an existing file or to create a new one.
Test Two
Sebek does not hook ZwQueryAttributesFile, and hence, a program may be written to detect the presence of SEBEK.sys
using this API. Calling ZwQueryAttributesFile directly is not necessary since it is used internally by
the GetFileAttributes API, which is exported by kernel32.dll. The following code fragment demonstrates this.
/* SEBEK_FULLNAME is assumed here to be the driver's full path, e.g.
   "C:\\WINNT\\system32\\drivers\\SEBEK.sys"; printError() is a helper that
   prints GetLastError(). Older SDKs do not define INVALID_FILE_ATTRIBUTES;
   its value is ((DWORD)-1). */
DWORD ret = GetFileAttributes(SEBEK_FULLNAME);
if(ret == INVALID_FILE_ATTRIBUTES)
{
    /* Call failed: GetLastError() tells whether the file is absent or access was denied. */
    printf("[-] SEBEK Not Detected with GetFileAttributes().\n");
    printError();
}
else
{
    printf("[+] SEBEK Detected with GetFileAttributes.\n");
}
Test Three
It is also possible to check for the presence of SEBEK.sys using the SearchPath API as shown below.
/* SEBEK_PATH ("C:\\WINNT\\system32\\drivers") and SEBEK_NAME ("SEBEK.sys") are
   assumed definitions; SearchPath() looks the name up in the given directory
   and returns the length of the full path found, or 0 if it is not found. */
char buffer[MAX_PATH];
char *ptr;   /* receives a pointer to the filename part within buffer */
if(SearchPath(SEBEK_PATH, SEBEK_NAME, NULL, MAX_PATH, buffer, &ptr) != 0)
{
    printf("[+] SEBEK Detected with SearchPath().\n");
}
else
{
    printf("[-] SEBEK Not Detected with SearchPath().\n");
    printError();
}
- Strictly follow the recommended procedures of using Sebek by using a unique name for Sebek's driver on each
honeypot. Do not use the default filename (SEBEK.sys). If possible, install Sebek's driver to a different
directory.
- Antidetection code should unlink SEBEK's entry from PsLoadedModuleList.
- Antidetection code should also hook ZwQueryAttributesFile to prevent the attacker from obtaining
the file attributes of SEBEK.sys.
For further questions and enquiries, email the following.
Overall-in-charge: Tan Chew Keong
webmaster@security.org.sg