Thursday, 8 December 2011

Hiding Your Goody Basket

All of the above menu methods, as well as many of the techniques explained earlier regarding simulating network login sequences and capturing keystrokes, result in a file being saved to disk. There are two things you have to worry about: That your file will be discovered, and that your file will be read. Let's look at how we can prevent both of these from occurring.

The thing is, since most of this takes place on public computers, anyone at all may locate your precious files. This includes the people who run the computer labs, those who fix the computers, other hackers, and the oh-so-curious general public. It also includes the computer itself.

Most public computers you encounter will have a self-cleaning routine installed. Weekly, monthly, or perhaps every night, the computers will have all their old data files erased, to keep room on the drives for new material.

Most public word processing computers have notes attached that beg people to bring their own disks on which to save their work, but there usually is a special USERS directory, or some other area where anyone can save files. The cleaning program is used to clear away old files from this directory. The program will often scan the rest of the drive, clearing away files that users have stored in other directories. Often on public computers you will see dozens of empty directories scattered about; usually these directories have human names to them. These are private directories that people made for themselves in the hopes that other users wouldn't read or delete their files - never realizing that their files would be deleted by the computer. Often the cleaning program is too dumb to recognize that the directory, too, should be deleted.

Before you put your altered menu program or whatever onto a public computer, you must do some experimenting to see what kind of cleaning system it has, if any. There's no sense in spending hours on a project only to have it erased soon after it's implemented.

If a cleaning program does exist on the computer, you should have it copied over, along with everything else, from your initial investigation of the computer. Take a look at the program; there will be plenty of ways to defeat it. The cleaner probably has a data file that holds information on which directories it should examine, what should be done with the outdated files it detects, what calendar date constitutes "oldness," and other pertinent variables. You may be able to use this file to your advantage by adjusting it so that your own special directory or program will be ignored by the cleaner.

If the computer activates the cleaning program automatically, your explorations might lead you to find the trigger that sets it off and causes it to delete certain files and not others. For example, the cleaning program could be connected with a logoff function, so that before the computers are shut down for the night, the drives are scanned and unwanted files are removed. The cleaner could also be activated as part of a start-up routine, or a regularly performed maintenance check. In any case, a careful exploration of the files on the system will reveal the pattern they follow. Once you find the program that sets the cleaner off, you will be able to make alterations to your own file so that it is ignored, rather than deleted.

Often the cleaning program is an all-or-nothing monster that wipes out everything in its path as it crosses the hard drive. However, there are considerate versions that only delete old files. You can get around these gentler kinds by writing a simple program. Here is an example of an MS-DOS batch file that changes the date of your hidden goody basket in the example (a text file called "filename") to one far in the future. Append this batch file to the end of the AUTOEXEC.BAT, or to the point in the system's maintenance routines directly before the cleaner is activated.

Your file will never be erased.

@echo off
ctty nul
date < command1 > temp
edlin temp < command2
date 12-31-1999
edlin filename < command3
edlin command1 < command3
edlin command2 < command3
edlin command3 < command3
date < temp
del *.bak
del temp.*
ctty con

For this to work, you need to make up three auxiliary files. Here we are calling them "command1," "command2," and "command3," but you would want to name them something more innocuous. "Command1" contains a single carriage return (Control-M). "Command3" is a file containing only the letter e. "Command2" is a bit longer:

2d
1rCurrent date is
1rSun
1rMon
1rTue
1rWed
1rThu
1rFri
1rSat
e

The batch file works by using the "date" command to change the date to December 31, 1999. EDLIN is invoked to save the password file (containing the goods), and the three auxiliary files, under this new date to protect them. Finally, the date is returned to normal. Note that MS-DOS can be set up to display the date under various formats. You might have to alter the batch file and "Command2" if your target computer is set up in an irregular way. Also, realize that "temp" is a common filename. You would do best to use something exotic in your own program.

AUTOEXEC.BAT files get changed often, and a batch file like this sample is bound to be noticed by the maintenance staff. To keep your coding discreet you may want to keep this and similar batches in a separate file far away on the hard drive from the AUTOEXEC.BAT. At the point in the AUTOEXEC where your Trojan batch would have been executed, you can use the DOS "call" command ("call BATCH.BAT" will execute your Trojan and, once it's done, return to the AUTOEXEC batch file). Your batch file can be suitably camouflaged as described below, and there is now only one imposter line in the AUTOEXEC batch for a maintenance worker to notice. Also remember that under certain operating systems, such as MS-DOS, the "ATTRIB" command can be used to make filenames invisible in the directory listing ("attrib FILENAME +h" turns on the hide factor). ATTRIBing a filename is not really secure, as there are many ways someone can either accidentally or purposely find out about invisible files on a hard drive. But eliminating the name from the directory certainly does much to halt casual discovery of your Trojan files.
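The other side of the coin, as an added example that is not part of the original text: the age-based cleaner described above trusts a file's modification date, and a future-dated file is never "old"; a hidden attribute keeps the name out of a casual directory listing; and the empty per-user directories are a trace the cleaner never removes. The Python audit below is what a lab administrator could run over the shared USERS area to surface all three. It reports and never deletes. The directory layout, file names, thresholds (`MAX_AGE_DAYS`, `CLOCK_SKEW`) and the fixed reference time `DEMO_NOW` are all constructed for this example.

```python
"""Audit a shared USERS area for the traces an age-based cleaner misses.

Added example, not code from the original article. It flags:
  * files whose modification time lies in the future (a timestamp pushed
    ahead of the clock so the cleaner never sees the file as "old"),
  * files carrying the hidden attribute (Windows) or a leading dot (Unix),
  * empty directories left behind when their contents were cleaned away,
and also lists genuinely stale files so the report can double as the
cleaner's candidate list. Nothing is deleted.
"""
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

DAY = 24 * 60 * 60
CLOCK_SKEW = 1 * DAY        # assumption: tolerate up to a day of clock drift
MAX_AGE_DAYS = 30           # assumption: the site's definition of "old"
DEMO_NOW = 1323302400.0     # constructed reference time: 2011-12-08 00:00 UTC


@dataclass(frozen=True)
class Finding:
    relpath: str   # relative to the audited root, '/' separators
    reason: str


def classify_mtime(mtime: float, now: float,
                   max_age_days: int = MAX_AGE_DAYS,
                   skew: float = CLOCK_SKEW) -> str:
    """A timestamp ahead of the clock is tampering or a broken clock; it is
    reported as 'future' rather than treated as a reason to keep the file."""
    if mtime > now + skew:
        return "future"
    if now - mtime > max_age_days * DAY:
        return "stale"
    return "current"


def is_hidden(name: str, st: os.stat_result) -> bool:
    """Hidden attribute (what ATTRIB +h sets) on Windows; dotfile elsewhere."""
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or name.startswith(".")


def audit_tree(root: str, now: Optional[float] = None) -> List[Finding]:
    """Walk root and collect findings; the tree is left untouched."""
    now = time.time() if now is None else now
    findings: List[Finding] = []

    def rel(path: str) -> str:
        return os.path.relpath(path, root).replace(os.sep, "/")

    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath != root and not dirnames and not filenames:
            findings.append(Finding(rel(dirpath), "empty directory"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue              # vanished or unreadable: skip, do not fail
            verdict = classify_mtime(st.st_mtime, now)
            if verdict != "current":
                findings.append(Finding(rel(path), verdict))
            if is_hidden(name, st):
                findings.append(Finding(rel(path), "hidden"))
    return sorted(findings, key=lambda f: (f.reason, f.relpath))


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group finding paths by reason, preserving the sorted order."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.reason, []).append(f.relpath)
    return out


def make_demo_tree(now: float = DEMO_NOW) -> str:
    """Build a constructed USERS area in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="users_audit_")
    users = os.path.join(root, "USERS")
    os.makedirs(os.path.join(users, "jim"))        # leftover empty private dir
    samples = {
        "report.txt": now - 60 * DAY,              # genuinely old
        "notes.txt": now - 2 * DAY,                # recent, legitimate
        "goodies.txt": now + 10 * 365 * DAY,       # dated far into the future
        ".stash": now - 1 * DAY,                   # hidden by name
    }
    for name, mtime in samples.items():
        path = os.path.join(users, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (mtime, mtime))             # set atime and mtime
    return root


if __name__ == "__main__":
    report = summarize(audit_tree(make_demo_tree(), now=DEMO_NOW))
    for reason, paths in report.items():
        print(f"{reason}: {', '.join(paths)}")
```

The ordering in `classify_mtime` is the point: a cleaner that only asks "is this older than N days?" answers "no" for a future-dated file and moves on, whereas checking "is this later than now plus tolerance?" first turns the evasion into the loudest line of the report. Run it against a real share with `audit_tree("/path/to/USERS")` and the current clock.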