January 31, 2004

Despite your best efforts to secure your system from attacks, chances are that some intruder might be successful in breaking in. The attacker may even change system logs so as to avoid detection of the extent of damage caused to the system. He may install Trojans or create backdoors into the system by changing important system files. You need to worry not just about these attackers, but also Internet worms that manipulate important system files to spread further. Manual detection and replacement of important files being changed or deleted or unwanted files being added is a lengthy, painful and, in some cases, unfeasible process.

How W32.Welchia works
The notorious W32.Welchia worm infects the system by copying itself to the file %System%\Wins\Dllhost.exe and by making a copy of the file %System%\Dllcache\Tftpd.exe as %System%\Wins\svchost.exe. Then it changes a few registry keys and adds the two changed files as system services. It uses these two services to further spread itself to other machines.
Likewise, an attacker who has broken into your system may replace the original telnet.exe on Windows or telnetd on Linux with a different file that permits backdoor entry into the system.

To quickly detect and repair undesired changes to your clients and/or servers, you need an integrity checker. An integrity-checking program computes a cryptographic checksum of every important file on your computer and stores it in a database. Then the program scans the list of monitored files, computes the checksum again for each file and compares the current value against the value stored in the database. If there is a difference between the two, it generates an error report indicating a change in the particular file. This can be done manually or automatically at scheduled intervals. 

In this article, we’ll look at two such free programs, one for Windows and the other for Linux.

GFI LANguard works by checking whether files have been changed, added or deleted on a Win 2000 system and informs the administrator by e-mail. It uses the MD5 message-digest algorithm to create the cryptographic checksum of monitored files. The MD5 algorithm takes data of any length and creates a 128-bit fingerprint, or message digest, of it. LANguard logs file changes in the Windows Security Event Log, giving an undeletable log of changes to system files. You can download GFI LANguard from the vendor or take it from this month's PCQ Essential CD.

The configuration console lets you create new scan jobs and alter existing jobs

Installation and configuration
To install GFI LANguard just run the setup file, which will prompt you for an e-mail address and mail server name so that it can send notifications. Next it asks you whether to enable the default scan job and what its scan interval should be. You can set 2, 4 or 24 hours as the scan interval. The default scan job will monitor key Windows system files and will notify you of changes. After installation the configuration console opens up. From here you can modify the properties of the default scan job and create new scan jobs. With different scan jobs, you can monitor different types of files at different intervals. The properties that you can set for a scan job are e-mail settings such as from, to and subject, the schedule and the files/folders that the scan job will monitor. A new scan job requires the same settings. The general settings let you define file extensions that will not be scanned by the program. This way you can exclude, say, BMP files from being monitored, or for that matter any other file extension.

After you have defined which files to monitor, on what schedule and under which scan jobs, it is time to analyze the output generated by the program. LANguard notifies you of any changes detected in monitored files in two ways: first, by creating an entry in the GFI LANguard System Integrity Monitor event log and second, by sending an e-mail notification. You can see these events using the Microsoft Event Viewer. A file change can be legitimate, caused by, say, a service-pack installation, or it can be due to an attack. The administrator then has to act, either by accepting the change or by undoing it, restoring the original files or deleting undesirable ones.

The Linux version of Tripwire is free, while commercial versions for Windows and Solaris are available from the vendor. Tripwire uses 1024-bit ElGamal asymmetric cryptography to create the checksum for files that are to be verified.

The e-mail notification consists of details of the changed files compared to the last known details

Installation and configuration
Install Tripwire by running the command # rpm -ivh tripwire*.rpm. After installation a new directory, /etc/tripwire, is created, which contains the configuration files. Now run the configuration script # /etc/tripwire/, which will prompt you to set a site passphrase and a local passphrase. Passphrases are special passwords used to digitally sign files. Choose a good passphrase containing letters, digits and punctuation marks. Next the configuration file is created and digitally signed, so you will be required to enter the site passphrase. After that the policy file is created and signed, so you are again prompted for your site passphrase. Tripwire is now installed and ready to run.

Creating the Tripwire database
The Tripwire database contains the cryptographic checksums of your system files. To create the database, run the command # tripwire --init. It will ask you for your local passphrase. Enter the passphrase and the database will be built. The database file is stored as /var/lib/tripwire/host.twd, where host is replaced by the computer's host name. Tripwire selects the files and directories to checksum by examining its policy file. The default policy file is appropriate for most Linux distributions, but chances are that it looks for files that are not present on your system. In that case you will see an error message saying that the particular file is missing. Though these errors do not stop the database creation, they can make it difficult to recognize real error messages.

Configuring the policy file
A text version of the policy file is kept as /etc/tripwire/twpol.txt. Open the file in a text editor and comment out the lines that refer to files not present on your system. Now you have to digitally sign the policy file, so run the command # tripwire --update-policy /etc/tripwire/twpol.txt. You will be asked to enter your site passphrase again. Rebuild the database using the # tripwire --init command. Now you should not get any error messages. To add new files to the checksum database, add references to those files in the policy file and rebuild the

Checking the integrity of files
To check the integrity of files on your system, run the command # tripwire --check. Ideally you should not get any error message, but if any files/folders have been changed, deleted or added, you will get an error message indicating the type of change. You should then take appropriate action to add, replace or delete files.

Updating the database
If the file change is expected, as it would be when installing a new program, then you should update the database to reflect the change. For that run the command # tripwire --update. This command updates the database to reflect the changes and is faster than rebuilding the entire database using # tripwire --init

Which files and folders to monitor
You should monitor all important system files and folders, such as the "windows" or "winnt" and "program files" folders on Windows and important directories on Linux such as /etc, /bin, /sbin, /usr/bin and /usr/sbin. You may not want to monitor user directories, as users are expected to add and remove files in their own directories. Also do not monitor directories that contain log files, as these files change continuously and you will get too many error messages. Decide which other files and folders you need to monitor depending on your setup.
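The checksum-database approach described earlier (baseline, rescan, compare) together with the monitoring advice above, as an added example that is not part of the article or of either product. It walks a set of monitored roots, prunes excluded directories such as log directories, skips excluded extensions (the article's BMP example), and reports added, deleted and changed files; the directory names, extension list and sample files are constructed for the demonstration, and SHA-256 is used where the article's tools use MD5.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical exclusion policy, per the article: skip log dirs and noisy types.
EXCLUDED_DIRS = {"log", "logs"}
EXCLUDED_EXTS = {".bmp", ".log"}

def file_digest(path, algorithm="sha256"):
    h = hashlib.new(algorithm)  # the article's tools use MD5; SHA-256 here
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream large binaries
            h.update(chunk)
    return h.hexdigest()

def build_baseline(roots, algorithm="sha256"):
    baseline = {}  # path -> digest, the "database" of the article
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune excluded directories in place so os.walk never enters them.
            dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
            for name in filenames:
                p = Path(dirpath) / name
                if p.suffix.lower() in EXCLUDED_EXTS or not p.is_file():
                    continue
                baseline[str(p)] = file_digest(p, algorithm)
    return baseline

def check_integrity(baseline, roots, algorithm="sha256"):
    # Rescan and report what was added, deleted or changed since the baseline.
    current = build_baseline(roots, algorithm)
    return {"added": sorted(set(current) - set(baseline)),
            "deleted": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline
                              if p in current and baseline[p] != current[p])}

def demo():
    # Constructed scenario: baseline a temporary tree, tamper with it, rescan.
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "log").mkdir()
    (root / "bin" / "telnetd").write_bytes(b"original daemon")
    (root / "bin" / "ls").write_bytes(b"original ls")
    baseline = build_baseline([root])
    (root / "bin" / "telnetd").write_bytes(b"replaced daemon")  # changed
    (root / "bin" / "ls").unlink()                               # deleted
    (root / "bin" / "svchost.exe").write_bytes(b"unexpected")    # added
    (root / "log" / "messages").write_bytes(b"noise\n")          # excluded dir
    report = check_integrity(baseline, [root])
    return {k: [Path(p).name for p in v] for k, v in report.items()}
```

In a real deployment the baseline dictionary is written to disk after the first run and reloaded before each scheduled check, exactly as the two products do with their databases.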

The two file-integrity programs discussed above alert you whenever a change is made to your system files, but what happens when an attacker or a worm changes the integrity program itself? It may modify the checksum database or the log settings so that a file change is not detected. GFI System Integrity Monitor stores file changes in the Windows event log, which is read-only and cannot be modified. Apart from that, it stores the checksum database in the folder 'c:\program files\GFI\System Integrity Monitor 3'.

You can copy the database to read-only media such as CDs or floppy disks; then, when you need to check the files on your system, copy the database from the CD back to its original location. The same can be done for Tripwire: its database, and even the program's executable binaries and settings, can be copied to read-only media. For checking the files, the program can be run from the read-only media itself and configured to use the database that is also stored there.
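The article's concern above is that an attacker who can write to the checksum database can rewrite a stored digest to match a replaced file. Tripwire addresses this by signing its database with a key unlocked by the local passphrase; the following added example (not code from either product) shows a simplified stand-in for that idea, sealing a baseline with an HMAC keyed from a passphrase so that a modified database is rejected before it is trusted. The sample digests, paths and passphrase are constructed.

```python
import hashlib
import hmac
import json
import os

# Constructed baseline of the kind an integrity checker stores: path -> digest.
SAMPLE_BASELINE = {"/bin/login": "3b2f1c9a", "/sbin/init": "77e0d4a1"}

def derive_key(passphrase, salt):
    # Stretch the passphrase so an attacker holding a copy of the sealed file
    # cannot cheaply guess the key; the salt is stored with the sealed file.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def seal_baseline(baseline, passphrase):
    # Layout: 16-byte salt | 32-byte HMAC-SHA256 tag | JSON body.
    salt = os.urandom(16)
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(derive_key(passphrase, salt), body, "sha256").digest()
    return salt + tag + body

def open_baseline(sealed, passphrase):
    # Refuse to use the database unless the tag still matches the body.
    salt, tag, body = sealed[:16], sealed[16:48], sealed[48:]
    expected = hmac.new(derive_key(passphrase, salt), body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline database altered or wrong passphrase")
    return json.loads(body)

def tamper_demo(passphrase="correct horse battery"):
    sealed = seal_baseline(SAMPLE_BASELINE, passphrase)
    intact_ok = open_baseline(sealed, passphrase) == SAMPLE_BASELINE
    # Constructed tampering: the stored digest of /bin/login is rewritten,
    # while the salt and tag (which the attacker cannot recompute) are kept.
    forged = dict(SAMPLE_BASELINE, **{"/bin/login": "deadbeef"})
    forged_file = sealed[:48] + json.dumps(forged, sort_keys=True).encode()
    try:
        open_baseline(forged_file, passphrase)
        forgery_detected = False
    except ValueError:
        forgery_detected = True
    return intact_ok, forgery_detected
```

This complements rather than replaces the read-only media the article recommends: the seal proves the database was not altered, but the checker binary that verifies it must itself come from a trusted copy.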

Coming to the frequency of checking files for changes, it depends largely on the system in question. For critical systems you may want to check files every few hours, and if the system is not very important the files can be checked once a week. But it is a good idea to do a check at least once a day.

Anoop Mangla
