MD5 (was Re: Antivirus software will ignore FBI spyware: solutions)
Karsten Self writes:
on Mon, Nov 26, 2001 at 01:12:53PM -0800, Tim May (tcmay@got.net) wrote:
Some interesting tips (bottom of this message) for detecting FBI/SS snoopware that NAI/McAfee is now assisting the FBI in installing.
I especially like the idea of "type hundreds of random key strokes and see which files increase in size." (Or just look for any file size changes, as most of us type tens of thousands of keystrokes per day.)
Defeat: create a log buffer file of fixed size, logged activity changes its contents, but not the size of the file. E.g.: a filesystem image file under GNU/Linux. Techniques could be used to maintain a constant global MD5 checksum to defeat other detection attempts.
What techniques could be used to do this? MD5 has some weaknesses, but creating collisions still is not trivial. Unless you know something I don't.

- GH
Some interesting tips (bottom of this message) for detecting FBI/SS snoopware that NAI/McAfee is now assisting the FBI in installing. I especially like the idea of "type hundreds of random key strokes and see which files increase in size." (Or just look for any file size changes, as most of us type tens of thousands of keystrokes per day.)
Especially on Microsoft OSs, it's too easy to create logging that doesn't look like a regular file for which you can watch size or checksum changes. Hidden files are trivial to use, though many utilities ignore their hiddenness, but with more work any good virus-writer can do a better job of hiding a file. Or you can find things that are always changing for obscure Microsoftish reasons, or look like devices that can't be checksummed. Or you can store the data in the "unused" space at the end of the last block in a file - especially as disks get larger, disk blocks also get larger, so there's more space at the ends, and any utilities that are checksumming files won't notice, because it's not in the file. Or you can store the data in "unused" disk blocks, if you can keep the file system from reaping them, though diskwipe utilities will occasionally catch these. The unused block space _might_ sometimes be hidden or overwritten by encrypted file systems, if you're using them; YMMV.

At 12:45 PM 12/03/2001 +0000, Gil Hamilton wrote:
What techniques could be used to do this? MD5 has some weaknesses, but creating collisions still is not trivial. Unless you know something I don't.
Hans Dobbertin's work a couple of years ago makes MD5 sound pretty shaky, but you could also use SHA-1 for your checksums, or your favorite non-crypto fast checksum. But that's more work than the Fedz will bother with; much easier to hide stuff on Windows than to hack checksums.
size or checksum changes. Hidden files are trivial to use, though many utilities ignore their hiddenness,
Let's not forget the NT "alternate data streams" "feature". This is where almost anything can be held, and no known virus scanner can touch it.

--
Yours,
J.A. Terranson
sysadmin@mfn.org

If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics.

The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
Gil Hamilton wrote:
Karsten Self writes:
Defeat: create a log buffer file of fixed size, logged activity changes its contents, but not the size of the file. E.g.: a filesystem image file under GNU/Linux. Techniques could be used to maintain a constant global MD5 checksum to defeat other detection attempts.
What techniques could be used to do this? MD5 has some weaknesses, but creating collisions still is not trivial. Unless you know something I don't.
I interpreted that not as working around MD5, but as working around the procedure which would use MD5 to get a single number for an entire file system. Example: mark the logging software's keylog file as a device file, which wouldn't be processed by the file system checksum procedure. When the logger needs to write to its log, the file type is changed to "ordinary" and then back to "device" again.

--
Steve Furlong, Computer Condottiere
Have GNU, will travel
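Both evasion ideas discussed in this thread (Karsten's fixed-size log buffer, and the "flip the log file to a device node so the checksum pass skips it" trick above) assume the integrity check only looks at file sizes or only hashes regular files. The following is an added example, not code from any poster, of a baseline-and-compare check that records entry type, size and a SHA-256 content hash for every filesystem entry, so an in-place rewrite of a fixed-size file and a regular-to-special type change both show up as differences. The two `demo_*` scenarios use constructed temporary files; a FIFO stands in for a device node because creating one needs no privileges.

```python
import hashlib
import os
import stat
import tempfile


def fingerprint(path):
    """Describe one filesystem entry as (type, size, content digest).

    The type comes from lstat, so symlinks, FIFOs and device nodes are
    recorded as such rather than followed or skipped. Only regular files
    are opened and hashed; the digest is None for everything else.
    """
    st = os.lstat(path)
    kind = stat.S_IFMT(st.st_mode)
    digest = None
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    return (kind, st.st_size, digest)


def baseline(root):
    """Fingerprint every entry under root, keyed by path relative to root."""
    table = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            table[os.path.relpath(p, root)] = fingerprint(p)
    return table


def diff_baselines(old, new):
    """Return a sorted list of (relpath, reason) for entries that differ."""
    changes = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            changes.append((rel, "added"))
        elif rel not in new:
            changes.append((rel, "removed"))
        elif old[rel] != new[rel]:
            okind, osize, _ = old[rel]
            nkind, nsize, _ = new[rel]
            if okind != nkind:
                changes.append((rel, "type changed"))
            elif osize != nsize:
                changes.append((rel, "size changed"))
            else:
                # Same type and size, different digest: the fixed-size
                # buffer case that a size-only check would miss.
                changes.append((rel, "content changed, size unchanged"))
    return changes


def demo_fixed_size_buffer():
    """Constructed scenario: a 4 KiB file is overwritten in place, not grown."""
    with tempfile.TemporaryDirectory() as root:
        buf = os.path.join(root, "buffer.bin")
        with open(buf, "wb") as f:
            f.write(b"\x00" * 4096)
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"unchanged\n")
        before = baseline(root)
        with open(buf, "r+b") as f:      # write inside the existing extent
            f.seek(100)
            f.write(b"typed keystrokes go here")
        after = baseline(root)
        return diff_baselines(before, after)


def demo_type_flip():
    """Constructed scenario: a regular file is replaced by a non-regular entry."""
    with tempfile.TemporaryDirectory() as root:
        p = os.path.join(root, "log")
        with open(p, "wb") as f:
            f.write(b"x" * 16)
        before = baseline(root)
        os.remove(p)
        os.mkfifo(p)                     # FIFO stands in for a device node
        after = baseline(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    print(demo_fixed_size_buffer())
    print(demo_type_flip())
```

Recording the lstat type alongside the hash is what closes the device-file gap: an entry that is sometimes regular and sometimes special changes fingerprint either way, and the check never tries to open a special file (which, for a FIFO or a device, could block or read garbage). Hidden files are caught as well, since `os.walk` lists dotfiles and Windows hidden attributes alike; slack space and alternate data streams, as Bill and J.A. note, are outside what a per-file content hash can see.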
on Mon, Dec 03, 2001 at 12:45:49PM +0000, Gil Hamilton (gil_hamilton@hotmail.com) wrote:
Karsten Self writes:
on Mon, Nov 26, 2001 at 01:12:53PM -0800, Tim May (tcmay@got.net) wrote:
Some interesting tips (bottom of this message) for detecting FBI/SS snoopware that NAI/McAfee is now assisting the FBI in installing.
I especially like the idea of "type hundreds of random key strokes and see which files increase in size." (Or just look for any file size changes, as most of us type tens of thousands of keystrokes per day.)
Defeat: create a log buffer file of fixed size, logged activity changes its contents, but not the size of the file. E.g.: a filesystem image file under GNU/Linux. Techniques could be used to maintain a constant global MD5 checksum to defeat other detection attempts.
What techniques could be used to do this? MD5 has some weaknesses, but creating collisions still is not trivial. Unless you know something I don't.
My bad. I don't.

--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What part of "Gestalt" don't you understand? Home of the brave http://gestalt-system.sourceforge.net/ Land of the free
Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org
Geek for Hire http://kmself.home.netcom.com/resume.html
Participants (5): Bill Stewart, Gil Hamilton, Karsten M. Self, measl@mfn.org, Steven Furlong