File Integrity Checkers
Recently I discussed my experience regarding web application testing, how to ease report writing, mitigation of common low-impact vulnerabilities, etc. This article is based on the scenario in which the host or application has already been compromised and the admin, owner or user is not aware of the incident. Attackers sometimes compromise and backdoor targets in such a sophisticated manner that the admin does not suspect any malicious activity. Sometimes even an IDS or anti-virus product is unable to spot the malicious activity in network applications, and in such a case the attacker continues with his activities without the admin realizing that the system or application has been hacked.
Let's assume that one day the admin realizes that a system or application has been compromised. Obviously the next step will be to remove all possible backdoors from the system and to restore the system or application to its previous safe state. The question is, how will the admin ensure that no backdoors are left on the system or application? How can the admin be sure that the remaining files and settings are legitimate? These are valid questions that require much thought and foresight to tackle.
If the admin is not using proper strategies for such scenarios, the risk of a lingering backdoor infection is both extremely high and likely. However, a prudent admin will have some kind of setup on the system to keep track of files that are modified, added or deleted, as well as any change in system settings (including installation of new software, running services, firewall configuration changes, etc.). Just by analyzing the list of changed files and settings, an admin can figure out the location of the attacker's backdoor.
File Integrity Checker:
A file integrity checker is software that maintains a database of system files and their properties, such as inode, permissions, modification time and file contents. When the admin first runs the file integrity checker, it builds its database from the files present on the system; afterwards it keeps recomputing those values and comparing them with the values saved in its database. Any discrepancy found by the file integrity checker must be reported immediately.
Some file integrity checkers also check for changed registry settings to detect intrusions on operating systems that rely on the registry (Windows is one such OS).
When an attacker breaks into a system or application, he will place a backdoor or edit existing files to maintain his access, and these changes can be detected by a file integrity checking tool. Even if the attacker escalates privileges, adds a new user or places a new binary that he starts with the power of the admin/root user, the file integrity checker will notify the administrator of these changes.
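As an added illustration of the baseline-then-compare loop described above (example code written for this article, not any particular product's implementation), the following minimal Python checker records inode, permissions, mtime, size and a SHA-256 content hash for every file under a directory, then reports what was added, deleted or modified. The sample tree and the simulated tampering are constructed inside `demo()`.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Properties the article lists: inode, permissions, mtime, plus a content hash."""
    st = path.lstat()
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):  # hash regular files only, not symlinks/devices
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    return {"inode": st.st_ino, "mode": stat.S_IMODE(st.st_mode),
            "mtime": st.st_mtime, "size": st.st_size, "sha256": digest.hexdigest()}

def build_baseline(root: Path) -> dict:
    """Walk root and record every file; this is the checker's database."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Report files added, deleted or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diff:
            modified[rel] = diff  # which tracked properties changed
    return {"added": added, "deleted": deleted, "modified": modified}

def demo() -> dict:
    """Constructed sample tree: baseline it, then simulate post-compromise changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "app.conf").write_text("keep=me\n")
        (root / "old.log").write_text("rotate me\n")
        baseline = build_baseline(root)
        # Simulated tampering: trojaned binary, planted file, deleted log.
        (root / "bin" / "login").write_bytes(b"original login binary + extra")
        (root / "bin" / ".hidden").write_bytes(b"planted")
        (root / "old.log").unlink()
        return compare(baseline, build_baseline(root))
```

In practice the baseline database must be stored where the attacker cannot rewrite it (read-only media or a separate host), otherwise the comparison proves nothing.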
Both open source and commercial file integrity checkers are available on the market. Ultimately it is up to the system admin and the organization which tool they want to use.
Take home message: File integrity checkers are an essential tool in combating cyber security breaches. Administrators must use all available tools to check for changes in registry settings on a daily basis.