1
1
Secure System Administration - SANS GIAC
© 2000, 2001
Backups and Hidden Data
Hello, I am Stephen Northcutt again and welcome back for the second section of our course. Next,
we will learn about fundamental threats that affect organizations and cause them loss. For all that
you read about hackers, they are only one source of harm and in well defended organizations,
hackers are not able to cause much, if any, damage.
2
2
Secure System Administration - SANS GIAC
© 2000, 2001
Forget Hackers!
( Major Loss Vectors )
•Backups, or the lack of
• Viruses and other malicious code
• Hiding data
Contrast this with the average home (and dare I say workplace as well) system. The anti-virus
signatures are out of date. In fact, the only reason there is anti-virus code at all was that it came
factory installed. The system hasn’t been backed up – ever. Perhaps three or four important files
were copied off to a floppy, but that is it. Hard disks are generally rated with a Mean Time Between
Failure (MTBF). The question isn’t if the disk will fail, but when. The newest viruses are fairly
destructive and delete files so the combination of out of date virus signatures and no backups is really
getting scary. We will also discuss how systems might be very open to attack from networks and
ways that people may be hiding data from you right on your own computer systems.
3
3
Secure System Administration - SANS GIAC
© 2000, 2001
Failure to Backup

I want to be clear, MSBACKUP for Windows 95/98 is not the way I backup these operating
systems. I prefer tools that use the Archive bit to manage backups and MSBACKUP doesn’t. I used
it once helping out in a Perl class (Perl is a most wonderful programming language) where the
students were told to bring their laptops. Now you would think that if you were coming to take a
class in Perl and they told you to bring your laptop, you would load Perl ahead of time. So we are
faced with this class of students that don’t have Perl and it is bigger than a floppy disk’s capacity
even when zipped and some of them don’t have CD-ROM drives. What to do? Well, I remembered
that NT had a backup facility that could write the backup across multiple disks, even floppies, so I
did a CTRL-F on my C:\ drive and typed in backup and sure enough, my Windows 95 box had a
backup utility and it worked. We were able to make a “backup” of Perl and write it to a couple
floppies and restore it to the other systems. Very quickly we ran into a gotcha that I am sure is
“fixed in the next release”. The Windows 98 and NT backup programs were not compatible so we
had to make 2 backups.
4
4
Secure System Administration - SANS GIAC
© 2000, 2001
The Archive Bit (Windows)
• Used by backup programs to decide
which files require safekeeping
• Files with “A” bit need to be saved!
C:\>attrib
SCANDISK.LOG C:\SCANDISK.LOG
A AUTOEXEC.BAT C:\AUTOEXEC.BAT
A CONFIG.SYS C:\CONFIG.SYS
A COMMAND.COM C:\COMMAND.COM
MYFILE.TXT C:\MYFILE.TXT
SHR IO.SYS C:\IO.SYS
SHR MSDOS.SYS C:\MSDOS.SYS
C:\>

Windows systems use a special tag called an archive bit to signal backup programs that the file has
changed since the previous backup operation. The archive attribute exists in both FAT and NTFS
file systems. We use the ATTRIB program to see the attributes files have. In this slide, seven files
are shown, three have their archive bit set “on” and the others do not. A backup program will use
these "bits" to capture files the next time we backup this computer and, may reset (turn off) this bit
depending on the type of backup performed.
In Windows NT and WIN2K you or the backup software you utilize must have at least the Backup
Operator privilege to perform backups. If you do not have Backup Operator or Administrator
privileges, you may not be able to backup system files or the system registry.
We are going to discuss three backup techniques: full, incremental, and differential. We will
lightly touch on best practice, but I am far more concerned that you know how to do a backup, or
why files might NOT get backed up, than the theory and practice of backups.
5
5
Secure System Administration - SANS GIAC
© 2000, 2001
Full Backups
• Capture the entire system configuration
• Clear files’ archive bits
• Are expected to safely copy the system
registry
• Require full permission to the system
Full Full backups are typically performed on a weekly basis, disregard the archive "bit", and capture
all files. A full backup is needed to restore a system from a catastrophic failure but will not restore
files that changed since the backup was performed. Differential and Incremental
backups address this issue but do so in different ways.
Differential backups leave the archive bit after saving the changed file. When I perform a full
backup on Sunday, and then a differential backup on Monday, Monday’s tape will contain only the
information that changed between Sunday and Monday. A differential backup on Tuesday will store
files that changed on Monday and Tuesday. If one assumes that at least one file changes each day

of the week, then the size of the differential backup will grow each day of the week..
Incremental backups turn off the archive bit after they backup, so they only backup changed files.
Assuming a full backup on Sunday, then on Mondays, incremental and differential backups will
require the same quantity of space and time to complete. On Fridays, incremental backups will only
be backing up the files that have changed since the last incremental backup and will be faster and
require less space than differential backups.
6
6
Secure System Administration - SANS GIAC
© 2000, 2001
Partial Backup Methods
• Incremental
– Checks for the archive bits
– Stores copies of files with bit set
– Clears the archive bit
• Differential
– Does not clear the archive bit
An incremental backup is a backup that scans the server for data changes that have occurred since
the last full or incremental backup. This is done by scanning the file system and looking for files that
have their archive bit turned on. When an incremental backup is completed, all the files examined
will have their archive bits turned off. Combining full and incremental backups techniques allow
administrators to save the system configuration using a full backup, then quickly capture the
information that has changed since the last full backup. One big problem exists with incremental
backups. If I perform a full backup on Sunday, then incremental backups Monday through Friday,
restoring data is a major challenge. To properly restore a system from full loss, the system
administrator must first restore from the full backup tape, then restore from every incremental
backup that was made in the order in which they were made. This means that if you don’t have good
log notes and good labeling, you should stick with full backups.
WARNING: Do not mix Differential and Incremental backups between Full backups. An
Incremental backup resets the archive "bit" thereby preventing a Differential backup from

identifying files to capture.
7
7
Secure System Administration - SANS GIAC
© 2000, 2001
NTBackup
Windows NT has a backup tool as well called NTBackup. Click Start, select programs, select
“Administative Tools (Common)” then “Backup” to run NTBackup. If you are not streaming your
audio, please take a minute and run whichever backup program you have, Windows 9x or NT
4.0/Windows 2000. Get familiar with it now before you are under fire. You don’t have to do the
whole disk. You can select a folder or even a file. Run the attrib command before and after. You
can even experiment with the attrib command to foil the backup process. Below are best practices
for backups:
• Full backups (all files) when possible. Why perform incremental or differential backups if we can
obtain a full backup every day?
• When full backups cannot be performed on a daily basis, use differential backups, not
incrementals since differentials are easier if you need to recover. A full restore requires either the
last full backup followed by the last differential backup or the last full backup followed by
each incremental backup in the correct order.
• Place legible, unique labels on all tapes.
• Create a log in which you record which tapes are used and on which servers. Note any errors or
pertinent events every day.
8
8
Secure System Administration - SANS GIAC
© 2000, 2001
TAR (Tape Archive –Unix)
• Create tar file
tar cvf archive file
• Extract tar file

tar xvf archive file
• List contents of tar archive
tar tvf archive file
• Copy current directory to another
tar cpf - . | ( cd newdir; tar
xvpf - )
–Where
• “Archive” is a file or tape device
• “File” is the file or directory to archive
Unix has three primary backup tools, tar, dump/restore and dd. Tar is ideal for backing up a
particular directory tree. Tar’s primary functions:
-Create an archive, tar c. The slide shows tar cvf. The v means verbose mode. When this is
set, tar tells what it is doing and that is helpful. f is always followed by the filename of the tarfile
you are creating, extracting from, or creating a table of contents from. If you are having trouble with
tar, odds are you didn’t follow the f with the filename of the tarfile.
-Extract files using tar, the TApe aRchive, tar –x
-Table of contents, tar -t
The fourth bullet is a bit advanced, but please notice the vertical bar “|” or pipe symbol. This says
take the tarfile being created on the left, change directory “cd” to a new directory and extract the
tarfile there. Unix allows you to pipe (|) information. Try ls /dev | wc to see how many files
are in /dev (wc is useful for counting things - it gives lines, words, and bytes).
9
9
Secure System Administration - SANS GIAC
© 2000, 2001
dump and dd (Unix)
• Full dump of /usr:
dump 0uf /dev/nrst0 /usr
• Image copy of a file system
dd if=/dev/hd0a of=/dev/nrst0

dump and dd, if misused, can be dangerous. dump is the primary tool for whole system backup and
works with restore. If your Unix system is in production, make sure a senior system admin
guides you through these your first time.
The simplest form of the dump command is: dump, dump level, u (update dumpdates file), f
(device name) and the file system to dump. The last parameter may be specified as a mount point
like /usr or a disk device name - /dev/hd0a.
dd is a utility that reads input files block by block. If you specify a disk device, you can capture file
system metadata, blocks of “data” marked deleted that could be useful for evidence gathering
following a break in. This data would be missed if using tar or dump which rely on the UNIX file
system. dd then, is preferred for forensics.
Unix files do not have an archive bit, so the date of the file is used to determine whether it needs to
be backed up. Unix backup scripts will often have some way of checking the date, or last backup
time.
10
10
Secure System Administration - SANS GIAC
© 2000, 2001
Backup Summary
• Files and file systems are accidentally deleted
everyday
• Disks crash, or have sectors go bad
• Fires, floods, and smoke damage happen
• Make backups, label them well, keep a set
offsite
• Test backups, randomly select files and
restore
You know the philosophy of this course by now. We are hoping you will experiment with a
Windows backup tool and at least tar on Unix. Remember, these are tools that you know will
always be available. If you have used them before you are under fire, you will be one step ahead of
the game. I would like to close this section with an exhortation to take backups seriously.

When I was writing the book Network Intrusion Detection
, I was really paranoid. I backed up every
day and once a week I would carry a zip disk to my neighbor’s house in case I suffered a disk crash.
When I teach for SANS, I carry a CDROM with a backup of all my course files as well as a zip disk.
That way, if my laptop goes belly up, I can still teach using the CD and someone else’s computers.
Your data is valuable, in some sense it is the embodiment of your time. Take care of it! One reason
to be religious about your backups is the threat from the nasty new viruses and malicious code that
destroy files. They are the subject of the next section in this course.
11
11
Secure System Administration - SANS GIAC
© 2000, 2001
Virus
A computer virus is a self-replicating program
containing code that explicitly copies itself and that can
"infect" other programs by modifying them or their
environment such that a call to an infected program
implies a call to a possibly evolved copy of the virus.
The two basic types are:
• File Infectors
• Boot Record Infectors
/>Many people use the term virus to cover any sort of program that tries to hide its malicious function
and tries to spread onto as many computers as possible. Though some of these programs may more
correctly be called "worms" or "Trojan Horses.” We will cover these definitions, but the important
thing is that we know how these things spread and how to kill them.
I am recording this section in October 2000. What a year it has been… massive DDOS attacks in
February, now the ILOVEYOU and friends virus attacks not to mention the crazy worms like KAK
and QAZ.. All we need now is the joining of the three! I imagine it won’t be all that long until we
see a virus that does something really endearing like a massive denial of service attack, there are
already hints of this on the internet. It requires a concerted effort from computer users to be "virus-

aware," rather than continuing the ambivalence that has allowed computer viruses to become such a
problem. Computer viruses are actually a special case of something known as “malicious logic” or
“malware”. Malware accounts for a huge and growing reason for loss of data, time and resources.
A couple of interesting notes, Jerusalem (one of the 1st viruses) took over 9 years to propagate,
Melissa took about 2 days, while ILOVEYOU took about 4 hours. Second, with a few rare
exceptions, which we will cover, most malware require some form of human intervention to start
propagating be installing a program, clicking an email attachment, etc.
And, while we are on the subject, virus hoaxes are email intended to scare people about non-existent
threat and are often forwarded to fellow workers as an alert. Hoaxes represent a serious threat to
email systems due to the traffic they generate.
12
12
Secure System Administration - SANS GIAC
© 2000, 2001
Worm
A computer WORM is a self-reproducing program (or
set of programs), that is able to spread functional copies
of itself (or its segments) to other computer systems,
usually via network connections. WORM is also being
used to describe malware that propagates with no direct
action by a user.
Viruses, unlike worms, require a host program, they are
not self contained.
Worm is currently being used primarily to describe malware that propagates with no action from the
user. The textbooks and FAQs may need a bit of time to catch up. The primary in-the-wild
examples are KAK and now QAZ which both rely on unprotected shares, but when you take this
course, no doubt another variant will be running.
There are two types of worms -- host computer worms and network worms. Host computer worms
are entirely contained in the computer they run on and use network connections only to copy
themselves to other computers. With host computer worms, the original terminates itself after

launching a copy on another host (so there is only one copy of the worm running somewhere on the
network at any given moment). These are sometimes called "rabbits." Network worms consist of
multiple parts (called "segments"), each running on different machines (and possibly performing
different actions). They use the network for several communication purposes. Propagating a segment
from one machine to another is only one of those purposes.
13
13
Secure System Administration - SANS GIAC
© 2000, 2001
Trojan Horse
A TROJAN HORSE is a program that does something
undocumented that the programmer intended, but that
some users or system owners almost certainly would not
approve of if they knew about it.
We all know the story of Troy and the Trojan Horse; why is this relevant today? Trojan Horse code
could exist in anything you download. One of the most well known examples is the RingZero
Trojan. The reason for the early discovery was that a cable modem user named Roland Grefer
noticed a TCP scan pattern of ports 80, 8080, 3128 and remarked that it was odd. When we asked
around, the pattern was being seen all over the world. Over seven thousand infections were detected
in less than a week. Users downloaded an attachment thinking, at least in some cases, they were
getting some free software, but they were loading the Trojan. The famous Melissa virus is in some
sense loosely related to Trojans. It originally spread from an alt.sex newsgroup. Users thought they
were downloading pictures, but were either doing auto download or were not checking file
extensions. I am sure this comment will offend some malware taxonomy purist, since Melissa is not,
strictly speaking, a Trojan, but it does emphasize that deception of one form or another is a big part
of how these attacks spread.
14
14
Secure System Administration - SANS GIAC
© 2000, 2001

COM program infectors
Prepended virus Appended virusCOM program
START
END
COM
VIRUS
VIRUS
JUMP
COM
1
2
3
4
5
6
How do program files become infected? We will consider .com and .exe files.
COM file viruses attach themselves to their target in one of three ways - by prepending to the
beginning, by appending to the end, or by overwriting part of the file.
A prepending virus gains control when the first instruction of the infected COM file is executed.
The virus runs and then passes control to the original program. Because of this, users may not notice
anything different.
An appending virus writes an instruction to jump at the first instruction in the file. This jump will
take execution to the virus which later returns control to the COM program.
Overwriting viruses simply write their code to the beginning of the file. These viruses therefore
destroy the original program. More sophisticated overwriting viruses will make a copy of the
portion that they overwrite which can later be executed - all in an effort to remain covert.
15
15
Secure System Administration - SANS GIAC
© 2000, 2001

EXE program infectors
Original EXE Program Infected EXE Program
Header
Load
Image
VCS VIP
SIZE+V
VIRUS START
CS IP
SIZE
START
START
CS IP
.com files are small enough, 64k, to have a single part or code segment. The larger executables
(.exe) consist of two parts - the header, and the load image. The header contains, among other
things, a pointer that points to the first instruction to be executed in the load image. The pointer
(CS:IP) consists of a pair of values - the code segment (CS), and instruction pointer (IP). A header
entry named SIZE stores the size of the load image.
When the executable is infected, these header entries are altered. CS:IP becomes VCS:VIP and now
points to the start of the appended viral code. SIZE increases to VSIZE and measures the size of the
infected load image. Running the infected program will cause a jump to the virus load image. When
completed, the viral code hands execution back to the original program.
16
16
Secure System Administration - SANS GIAC
© 2000, 2001
Boot Sector Infector
• Floppy boot record (FBR)
• Master boot record (MBR)
• Dos boot sector (DBS or PBR)

• No network spreading potential
Memory resident boot sector viruses will attempt to intercept calls to Anti-Virus s/w.
The next virus we'll examine is the boot infector. Every disk has a boot sector (regardless of
whether or not it is actually bootable). When a computer is powered up, it looks for boot information
according to a list provided by the computer BIOS. If any of the media in the drives specified in the
BIOS list has a boot sector virus, the infection will get transferred to the boot drive. Once the
infection is complete, the virus will get loaded into memory at startup. From there the virus can be
spread to every disk that is read after startup. Results of the infection can range from nuisance (if at
all) to destruction of boot information, to need for a complete format of the hard disk. Floppy disks
contain a floppy boot record (FBR) which can harbor a virus. If a system is booted from such a
floppy, the virus will load and infect the hard disk. Viruses on hard disks infect either the master
boot record (MBR) or the partition boot record (PBR). The MBR is the first place the BIOS
looks when booting from a hard drive.
[Editors note: since the boot sector code is executed before applications are loaded this gives boot
sector viruses an advantage over Anti-Virus software.]