The concept of misinformation can present itself in many ways. Let’s go back to
the military scenario. Suppose that guards are posted at various observation points
in the field, and one of them observes the enemy’s reconnaissance team. The
guard alerts superiors, who send out their own reconnaissance team to find out
exactly who is spying on them.
Now, you can guess that the enemy general has already thought about this
scenario. Equally likely, he has also considered his options. He could hide all of
his troops and make it appear as if nobody is there. “But what if somebody saw
my forces entering the area?” would be his next thought. And if the other side
were to send a “recon” team to scope out his position and strength, discovering
that his army is greater than theirs, they would likely either fortify their position,
move to a different position where they would be more difficult to attack, or
move to one where they could not be found.
Therefore, he wants to make his forces seem like less of a threat than they
really are. He hides his heavy weapons and the greater part of his infantry, while
allowing visibility of only a small portion of his force. This is the same idea
behind misinformation.
Standard Intrusion Procedure
The same concept of misinformation applies to systems. When an attacker has
compromised a system, much effort is made to hide her presence and leave as
much misinformation as possible. Attackers do this in any number of ways.
One vulnerability in Sun Solaris could be taken advantage of by an attacker to
send various types of misinformation. The problem is due to the handling of
ACLs on pseudo-terminals allocated by the system. Upon accessing a terminal,
the attacker could set an access control entry, then exit the terminal. When
another user accessed the system using the same terminal, the previous owner of
the terminal would retain write access to it, allowing the previous owner to
write custom-crafted information to the new owner’s terminal. The following
sections look at some of the methods used.
Log Editing
One method used by an attacker to send misinformation is log editing. When an
attacker compromises a system, the desire is to stay unnoticed and untraceable for
as long as possible. Even better is if the attacker can generate enough noise to make
the intrusion unnoticeable or to implicate somebody else in the attack.
Let’s go back to the previous discussion about DoS. We talked about generating
events to create log entries. An attacker could make an attempt to fill the
log files, but a well-designed system will have plenty of space and a log rotation
facility to prevent this. Instead, the attacker could resort to generating a large
number of events in an attempt to cloak her activity. Under the right circumstances,
an attacker could create a high volume of various log events, among them one
or more events that look similar to the entry made when an exploit is initiated.
If the attacker gains administrative access on the system, any hopes of log
integrity are lost. With administrative access, the attacker can edit the logs to
remove any event that may indicate intrusion, or even change the logs to implicate
another user in the attack. In the event of this happening, only outside systems
that may be collecting system log data from the compromised machine, or
network intrusion detection systems, may offer data with any integrity.
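As an added example (not code from the book), here is how an administrator can put that outside copy to use: a Python script that compares the log a remote syslog collector received with the copy now on the compromised host and reports every line that was removed or rewritten. Both logs are constructed sample data; the collector's copy is treated as the trusted reference because it left the host before the intruder could edit the local file.

```python
"""Compare a host's local log with the copy a remote collector received.
The collector's copy is the reference; both logs below are constructed
sample data, not real captures."""
from collections import Counter

# Constructed: what the remote syslog collector received from the host.
COLLECTOR_COPY = """\
Jan 10 03:12:01 host sshd[2201]: Accepted password for alice from 192.0.2.7 port 51022 ssh2
Jan 10 03:12:09 host sshd[2214]: Accepted publickey for bob from 198.51.100.4 port 40211 ssh2
Jan 10 03:12:40 host sudo: alice : TTY=pts/1 ; COMMAND=/usr/bin/vi /var/log/auth.log
Jan 10 03:13:02 host sshd[2250]: Failed password for root from 203.0.113.9 port 3309 ssh2
"""

# Constructed: the same log as it now reads on the host.  The intruder
# removed the sudo entry and rewrote the first login to implicate bob.
LOCAL_COPY = """\
Jan 10 03:12:01 host sshd[2201]: Accepted password for bob from 192.0.2.7 port 51022 ssh2
Jan 10 03:12:09 host sshd[2214]: Accepted publickey for bob from 198.51.100.4 port 40211 ssh2
Jan 10 03:13:02 host sshd[2250]: Failed password for root from 203.0.113.9 port 3309 ssh2
"""


def compare_logs(collector_text: str, local_text: str) -> dict:
    """Return the lines the collector has but the host no longer shows
    ('missing') and the lines that exist only on the host ('unexpected').
    Counters rather than sets are used so that one copy deleted out of
    several identical entries is still reported."""
    collector = Counter(collector_text.splitlines())
    local = Counter(local_text.splitlines())
    return {
        "missing": sorted((collector - local).elements()),
        "unexpected": sorted((local - collector).elements()),
    }


def tampered(collector_text: str, local_text: str) -> bool:
    """True if the two copies differ in any line, i.e. the local log was edited."""
    diff = compare_logs(collector_text, local_text)
    return bool(diff["missing"] or diff["unexpected"])


if __name__ == "__main__":
    report = compare_logs(COLLECTOR_COPY, LOCAL_COPY)
    for line in report["missing"]:
        print("MISSING on host:", line)
    for line in report["unexpected"]:
        print("ONLY on host:   ", line)
```

The same comparison applies to a network IDS's own record of the sessions; any line the host lacks or adds is the intruder's edit, and the rewritten login shows how a deleted entry and a substituted username are told apart.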
Some tools include options to generate random data and traffic. This random
data and traffic is called noise, and is usually used as either a diversionary tactic or
an obfuscation technique. Noise can be used to fool an administrator into
watching a different system, or into believing that a user other than the attacker,
or several attackers, are launching attacks against the system.
The goal of the attacker editing the logs is to produce one of a few effects. One
effect would be the appearance of system well-being, as though nothing has happened.
Another effect would be general and total confusion, such as conflicting log entries
or logs fabricated to look as though a system process has gone wild—as said earlier,
noise. Some tools, such as Nmap, include decoy features. The decoy feature can
create this effect by making a scan look as though it is coming from several different
Another means of misinformation is the rootkit. A rootkit is a ready-made program
designed to hide an attacker’s activities inside a system. Several different
types of rootkits exist, all with their own features and flaws. Rootkits are an
attacker’s first choice for keeping access to a system on a long-term basis.
A rootkit works by replacing key programs on the system, such as ls, df, du, ps,
sshd, and netstat on UNIX systems, or drivers and Registry entries on Windows
systems. The rootkit replaces these programs, and possibly others, with the programs
it contains, which are customized not to give administrative staff reliable
details. Rootkits are used specifically to cloak the activity of the attacker and hide
his presence inside the system.
These packages are specifically designed to create misinformation. They create
an appearance of all being well on the system. In the meantime, the attacker controls
the system and launches attacks against new hosts, or he conducts other
nefarious activities.
Kernel Modules
Kernel modules are pieces of code that may be loaded and unloaded by a running
kernel. A kernel module is designed to provide additional functionality to a
kernel when needed, allowing the kernel to unload the module when it is no
longer needed to lighten the memory load. Kernel modules can be loaded to
provide functionality such as support of a non-native file system or device control.
Kernel modules may also have facinorous purposes.
Malicious kernel modules are similar in purpose to rootkits. They are
designed to create misinformation, leading administrators of a system to believe
that all is well on the host. The module provides a means to cloak the attacker,
allowing the attacker to carry out any desired deeds on the host.
The kernel module functions in a different way from the standard rootkit.
The programs of the rootkit act as a filter to prevent any data that may be
incriminating from reaching administrators. The kernel module works at a much
lower level, intercepting information queries at the system call level and filtering
out any data that may alert administrative staff to the presence of unauthorized
guests. This allows an attacker to compromise and backdoor a system without the
danger of modifying system utilities, which could lead to detection.
Kernel modules are becoming the standard in concealing intrusion. Upon
intrusion, the attacker must simply load the module, and ensure that the module
is loaded in the future by the system to maintain a degree of stealth that is difficult
to discover. From that point on, the module may never be discovered unless
the drive is taken offline and mounted under a different instance of the operating