Secure System Administration - SANS GIAC
© 2000, 2001
Backups and Hidden Data
Hello, I am Stephen Northcutt again and welcome back for the second section of our course. Next,
we will learn about fundamental threats that affect organizations and cause them loss. For all that
you read about hackers, they are only one source of harm and in well defended organizations,
hackers are not able to cause much, if any, damage.
Forget Hackers!
( Major Loss Vectors )
•Backups, or the lack of
• Viruses and other malicious code
• Hiding data
Contrast this with the average home system (and, dare I say, the average workplace system as well). The anti-virus
signatures are out of date; in fact, the only reason there is anti-virus software at all is that it came
factory installed. The system has never been backed up. Perhaps three or four important files
were copied off to a floppy, but that is it. Hard disks are rated with a Mean Time Between
Failures (MTBF): the question is not whether the disk will fail, but when. The newest viruses are fairly
destructive and delete files, so the combination of out-of-date virus signatures and no backups is really
getting scary. We will also discuss how systems might be wide open to attack from the network and
ways that people may be hiding data from you right on your own computer systems.
Failure to Backup
Windows marks each file with an archive bit, an attribute that tells backup programs the file has
changed since it was last captured. The archive attribute exists in both the FAT and NTFS
file systems, and any write to a file sets it. The ATTRIB command shows the attributes files carry. In this slide, seven files
are shown: three have their archive bit set (on) and the others do not. A backup program uses
these bits to decide which files to capture the next time the computer is backed up, and it may clear (turn off) the bit
afterwards, depending on the type of backup performed.
In Windows NT and Windows 2000, you or the backup software you use must hold at least the Backup
Operators right to perform backups. Without Backup Operator or Administrator
privileges, you may not be able to back up system files or the registry, and a backup that silently skips them cannot restore the system.
We are going to discuss three backup techniques: full, incremental, and differential. We will
touch lightly on best practice, but I am far more concerned that you know how to do a backup, and
why files might NOT get backed up, than with the theory and practice of backups.
Full Backups
• Capture the entire system configuration
• Clear files’ archive bits
• Are expected to safely copy the system
registry
• Require full permission to the system
Full backups are typically performed on a weekly basis; they disregard the archive bit and capture
all files. A full backup is needed to restore a system from a catastrophic failure, but it will not restore
files that changed after the backup was performed. Differential and incremental
backups address this issue, but they do so in different ways.
Differential backups leave the archive bit set after saving a changed file. When I perform a full
backup on Sunday and then a differential backup on Monday, Monday's tape contains only the
information that changed between Sunday and Monday. A differential backup on Tuesday stores the
files that changed on Monday and Tuesday, because Monday's changes still have their archive bits set. If at least one file changes each day,
each day's differential is larger than the one before. Incremental backups, by contrast, clear the archive bit after saving each file,
so each incremental captures only what changed since the previous backup of any kind; that is why every incremental taken since the last full backup is needed to restore.
NTBackup
Windows NT has a backup tool as well, called NTBackup. Click Start, select Programs, select
"Administrative Tools (Common)" and then "Backup" to run NTBackup. If you are not streaming your
audio, please take a minute and run whichever backup program you have, on Windows 9x or on NT
4.0/Windows 2000. Get familiar with it now, before you are under fire. You don't have to do the
whole disk; you can select a folder or even a single file. Run the attrib command before and after. You
can even experiment with the attrib command to foil the backup process: clear a changed file's archive bit by hand
(attrib -A filename) and watch a differential or incremental backup skip it. Below are best practices
for backups:
• Full backups (all files) whenever possible. Why perform incremental or differential backups if we can
obtain a full backup every day?
• When full backups cannot be performed daily, use differential backups rather than
incrementals, since differentials are easier to recover from. A full restore requires either the
last full backup followed by the last differential backup, or the last full backup followed by
each incremental backup in the correct order.
• Place legible, unique labels on all tapes.
• Create a log in which you record which tapes are used and on which servers. Note any errors or
pertinent events every day.
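The archive-bit behaviour described above (full and incremental backups clear the bit, differential backups leave it set) and the restore rule in the best-practice list can be checked with a small simulation. This is an added example, not code from the SANS course: file names, version counters and the Monday-to-Wednesday change schedule are constructed, and the "tapes" are plain dictionaries.

```python
"""Archive-bit model of full, differential and incremental backups.

Added example, not taken from the SANS course notes.  It simulates how a
Windows backup program uses the archive bit (the "A" attribute that ATTRIB
shows) to choose files, and which tapes a restore needs afterwards.  The
file names and the Monday-to-Wednesday change schedule are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Volume:
    """Files on disk (name -> version counter) plus their archive bits."""
    files: dict = field(default_factory=dict)
    archive: dict = field(default_factory=dict)

    def write(self, name):
        """Modify a file: bump its version and set the archive bit, as FAT/NTFS do."""
        self.files[name] = self.files.get(name, -1) + 1
        self.archive[name] = True


def backup(vol, kind):
    """Capture files onto a 'tape' (dict name -> version) and return it.

    full:         every file, then clear every archive bit
    differential: files with the bit set, bits left alone
    incremental:  files with the bit set, then clear those bits
    """
    if kind == "full":
        names = set(vol.files)
    elif kind in ("differential", "incremental"):
        names = {n for n in vol.files if vol.archive[n]}
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    tape = {n: vol.files[n] for n in names}
    if kind != "differential":
        for n in names:
            vol.archive[n] = False
    return tape


def tapes_for_restore(history):
    """history is a list of (label, kind, tape). Return the tapes a full restore needs.

    Either the last full plus the last differential, or the last full plus every
    incremental taken since it, in order.
    """
    last_full = max(i for i, (_, kind, _) in enumerate(history) if kind == "full")
    later = history[last_full + 1:]
    incrementals = [h for h in later if h[1] == "incremental"]
    if incrementals:
        return [history[last_full]] + incrementals
    differentials = [h for h in later if h[1] == "differential"]
    return [history[last_full]] + differentials[-1:]


def restore(tapes):
    """Replay tapes in the given order; later tapes overwrite earlier versions."""
    disk = {}
    for _, _, tape in tapes:
        disk.update(tape)
    return disk


def simulate(kind):
    """Sunday full backup, then one backup of the given kind on Mon/Tue/Wed."""
    vol = Volume()
    for name in ("boot.ini", "ntuser.dat", "report.doc"):
        vol.write(name)  # version 0 of each file, archive bit set
    history = [("Sun", "full", backup(vol, "full"))]
    daily_changes = {"Mon": ["report.doc"], "Tue": ["ntuser.dat"], "Wed": ["report.doc"]}
    for day, names in daily_changes.items():
        for n in names:
            vol.write(n)
        history.append((day, kind, backup(vol, kind)))
    return vol, history


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        vol, history = simulate(kind)
        for day, _, tape in history[1:]:
            print(f"{kind:12} {day}: {sorted(tape)}")
        needed = tapes_for_restore(history)
        print(f"{kind:12} restore needs {len(needed)} tapes; "
              f"result matches disk: {restore(needed) == vol.files}")
```

Running it shows Wednesday's differential carrying both report.doc and ntuser.dat while Wednesday's incremental carries only report.doc, and that replaying incrementals out of order leaves an older version of report.doc on the restored disk, which is exactly why the differential strategy is easier to recover from.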
TAR (Tape Archive - Unix)
• Create tar file
tar cvf archive file
• Extract tar file
tar xvf archive
dump and dd, if misused, can be dangerous. dump is the primary tool for whole file system backup and
works with restore. If your Unix system is in production, make sure a senior system administrator
guides you through these the first time.
The simplest form of the dump command is: dump, the dump level, u (update the /etc/dumpdates file), f
(the device or file name), and the file system to dump, for example dump 0uf /dev/st0 /usr. The last parameter may be given as a mount point
such as /usr or as a disk device name such as /dev/hd0a. Level 0 is a full dump; a higher level dumps only what changed since the
most recent dump of a lower level, as recorded in dumpdates.
dd is a utility that reads its input block by block and writes it out unchanged. If you point it at a disk device rather than a
mounted file system, you capture everything on the device: file system metadata and blocks marked deleted, which could be useful
evidence following a break-in. That data is missed by tar and dump, which understand the file
system and copy only allocated files. dd, then, is preferred for forensics, but remember that a bare dd of a device is an exact image of the disk, not a file-level backup you can restore selectively from.
Unix files do not have an archive bit, so a file's modification time is used to determine whether it needs to
be backed up. Unix backup scripts usually record when the last backup ran, often by touching a marker file, and capture
anything modified since.
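The timestamp-driven selection just described can be written in a few dozen lines around the standard tar format. The script below is an added example, not part of the SANS course material: a marker file records when the last run started, anything modified after it goes into a new gzip tar (the same rule as find -newer marker), and the directory tree it backs up is constructed in a temporary directory so the script runs anywhere.

```python
"""Timestamp-driven backup on Unix, where there is no archive bit.

Added example, not part of the SANS course material.  A marker file records
when the last backup started; anything modified after the marker goes into a
new tar archive (the same selection rule as 'find -newer marker').  The
directory tree below is constructed in a temporary directory so the script
runs anywhere.
"""
import os
import tarfile
import tempfile
import time
from pathlib import Path


def files_newer_than(root, marker):
    """Return paths under root whose mtime is later than the marker's mtime."""
    since = marker.stat().st_mtime if marker.exists() else 0.0  # no marker: take everything
    changed = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            if path.stat().st_mtime > since:
                changed.append(path)
    return sorted(changed)


def incremental_backup(root, marker, archive):
    """Write changed files under root into a gzip tar, then advance the marker.

    Returns the archive member names that were captured.
    """
    root = Path(root)
    start = time.time()
    changed = files_newer_than(root, marker)
    with tarfile.open(str(archive), "w:gz") as tar:
        for path in changed:
            tar.add(str(path), arcname=str(path.relative_to(root)))
    # Stamp the marker with the *start* time, and only after the archive is
    # closed.  A file modified while the tar was being written is then picked
    # up by the next run instead of being lost, and a failed run leaves the
    # old marker in place so nothing is skipped.
    marker.touch()
    os.utime(marker, (start, start))
    return [str(path.relative_to(root)) for path in changed]


def demo():
    """Constructed tree: the first run takes everything, the second only the edit."""
    base = Path(tempfile.mkdtemp(prefix="bkdemo-"))
    root = base / "home"
    (root / "alice").mkdir(parents=True)
    (root / "alice" / "notes.txt").write_text("first draft\n")
    (root / "alice" / ".profile").write_text("export EDITOR=vi\n")
    marker = base / "last-backup"

    first = incremental_backup(root, marker, base / "backup-1.tgz")

    # Edit one file and push its mtime well past the marker so the demo does
    # not depend on the file system's timestamp granularity.
    notes = root / "alice" / "notes.txt"
    notes.write_text("second draft\n")
    later = marker.stat().st_mtime + 60
    os.utime(notes, (later, later))

    second = incremental_backup(root, marker, base / "backup-2.tgz")
    with tarfile.open(str(base / "backup-2.tgz")) as tar:
        members = tar.getnames()
    return first, second, members


if __name__ == "__main__":
    first, second, members = demo()
    print("run 1 captured:", first)
    print("run 2 captured:", second)
    print("backup-2.tgz contains:", members)
```

Note the two design choices a quick script usually gets wrong: the marker is stamped with the time the run started rather than the time it finished, and it is only updated once the archive has been closed, so a crash part-way through does not make the next run skip the files this one failed to save.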
Backup Summary
• Files and file systems are accidentally deleted every day
• Disks crash, or have sectors go bad
• Fires, floods, and smoke damage happen
• Make backups, label them well, keep a set offsite
• Test backups: randomly select files and restore them
You know the philosophy of this course by now. We are hoping you will experiment with a
Windows backup tool and at least tar on Unix. Remember, these are tools that you know will
always be available. If you have used them before you are under fire, you will be one step ahead of
the game. I would like to close this section with an exhortation to take backups seriously.
already hints of this on the internet. It requires a concerted effort from computer users to be "virus-
aware," rather than continuing the ambivalence that has allowed computer viruses to become such a
problem. Computer viruses are actually a special case of something known as “malicious logic” or
“malware”. Malware accounts for a huge and growing reason for loss of data, time and resources.
A couple of interesting notes. First, Jerusalem (one of the first viruses) took over 9 years to propagate widely,
Melissa took about 2 days, and ILOVEYOU took about 4 hours. Second, with a few rare
exceptions, which we will cover, most malware requires some form of human intervention to start
propagating: installing a program, clicking an email attachment, and so on.
And, while we are on the subject, virus hoaxes are email messages intended to scare people about non-existent
threats and are often forwarded to fellow workers as an alert. Hoaxes represent a serious threat to
email systems due to the traffic they generate.
Worm
A computer WORM is a self-reproducing program (or
set of programs), that is able to spread functional copies
of itself (or its segments) to other computer systems,
usually via network connections. WORM is also being
used to describe malware that propagates with no direct
action by a user.
Viruses, unlike worms, require a host program, they are
not self contained.
Worm is currently being used primarily to describe malware that propagates with no action from the
user. The textbooks and FAQs may need a bit of time to catch up. The primary in-the-wild
examples are KAK and now QAZ, which both rely on unprotected shares, but by the time you take this
course, no doubt another variant will be running.
There are two types of worms -- host computer worms and network worms. Host computer worms
are entirely contained in the computer they run on and use network connections only to copy
[Figure: COM program infectors. Two panels, "Prepended virus" and "Appended virus": in the first the VIRUS sits before the COM program; in the second the COM program's first instruction is a JUMP to the VIRUS placed after it. Numbered steps 1 to 6 trace execution from START to END.]
How do program files become infected? We will consider .com and .exe files.
COM file viruses attach themselves to their target in one of three ways: by prepending to the
beginning, by appending to the end, or by overwriting part of the file.
A prepending virus gains control when the first instruction of the infected COM file is executed,
because its code now occupies the start of the file. The virus runs and then passes control to the original program, so users may not notice
anything different, other than the file having grown.
An appending virus places its code after the end of the program and overwrites the first instruction of the file with a jump to that code. The jump
takes execution to the virus, which later restores or re-executes the bytes it replaced and returns control to the COM program.
Overwriting viruses simply write their code over the beginning of the file. The file size does not change, but these viruses
destroy the original program, which no longer works. More sophisticated overwriting viruses save a copy of the
portion they overwrite so that it can later be executed, all in an effort to remain covert.
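The three layouts have different fingerprints when a file is compared against a known-good baseline, which is how an integrity checker rather than a signature scanner would catch them. The following is an added example, not from the SANS course: the "host" is a constructed 21-byte COM program (a DOS print-string call followed by its message), the "virus" is a block of placeholder bytes, and the infect_* functions only model the file layouts described above so that classify() can be exercised against a (size, SHA-256) baseline of the clean file.

```python
"""Layouts of COM-file infectors and a baseline check that tells them apart.

Added example, not from the SANS course.  The "host" is a constructed 21-byte
COM program (DOS print-string call followed by its message) and the "virus" is
a block of placeholder bytes; neither is real malware.  The three infect_*
functions only model the file layouts described in the text so that
classify() can be exercised against a (size, SHA-256) baseline of the clean
file.
"""
import hashlib
import struct

# A COM file is loaded at offset 0100h and execution starts at its first byte.
HOST = b"\xB4\x09\xBA\x08\x01\xCD\x21\xC3" + b"Hello, world$"   # constructed host program
VIRUS = b"\x90" * 16                                            # placeholder "virus" body


def infect_prepend(host, virus):
    """Virus body first, then the untouched program: the virus runs, then the host."""
    return virus + host


def infect_append(host, virus):
    """Virus body last; the entry point becomes JMP rel16 (opcode E9) to it.

    The three displaced host bytes are stored after the body so control can
    later be returned to the original program.
    """
    rel = len(host) - 3                       # target is the old end of file, relative to the IP after the JMP
    jump = b"\xE9" + struct.pack("<H", rel)
    return jump + host[3:] + virus + host[:3]


def infect_overwrite(host, virus):
    """Virus body written over the start of the file; size unchanged, host destroyed."""
    return virus + host[len(virus):]


def baseline(clean):
    """What an integrity checker stores for a known-good file."""
    return {"size": len(clean), "sha256": hashlib.sha256(clean).hexdigest()}


def classify(suspect, base):
    """Compare a file with its baseline and name the layout of any change."""
    if len(suspect) == base["size"] and hashlib.sha256(suspect).hexdigest() == base["sha256"]:
        return "clean"
    grown = len(suspect) - base["size"]
    # Prepended: the original file survives intact as the tail of the new one.
    if grown > 0 and hashlib.sha256(suspect[grown:]).hexdigest() == base["sha256"]:
        return "prepended"
    # Appended: the entry point is a JMP whose target lies beyond the original end.
    if grown > 0 and len(suspect) >= 3 and suspect[:1] == b"\xE9":
        (rel,) = struct.unpack("<H", suspect[1:3])
        if 3 + rel >= base["size"]:
            return "appended"
    # Same size but different contents: the start of the file was overwritten.
    if grown == 0:
        return "overwritten"
    return "modified"


if __name__ == "__main__":
    base = baseline(HOST)
    for label, sample in (("clean", HOST),
                          ("prepend", infect_prepend(HOST, VIRUS)),
                          ("append", infect_append(HOST, VIRUS)),
                          ("overwrite", infect_overwrite(HOST, VIRUS))):
        print(f"{label:10} {len(sample):3} bytes -> {classify(sample, base)}")
```

The overwriting case is the one a size check alone cannot catch, which is why the baseline stores a hash as well as the length; and the prepended case is tested before the E9 heuristic because a prepended body may itself begin with a jump.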
• DOS boot sector (DBS or PBR)
• No network spreading potential
Memory-resident boot sector viruses will attempt to intercept the disk reads made by anti-virus software, so that the scanner is shown a clean sector.
The next virus we'll examine is the boot infector. Every disk has a boot sector, whether or not
it is actually bootable. When a computer is powered up, it looks for boot code in the drives listed
in the BIOS boot order. If the first medium it finds carries a boot sector virus, that code runs before the
operating system and copies itself to the hard disk's boot code. Once the
infection is complete, the virus is loaded into memory at every startup, and from there it can be
spread to every disk that is read afterwards. Results of the infection range from a nuisance (if
anything) to destruction of boot information to the need for a complete format of the hard disk. Floppy disks
contain a floppy boot record (FBR) which can harbor a virus. If a system is booted from such a
floppy, even accidentally because it was left in the drive, the virus loads and infects the hard disk. Viruses on hard disks infect either the master
boot record (MBR) or the partition boot record (PBR). The MBR is the first sector of the disk and the first place the BIOS
looks when booting from a hard drive.
[Editors note: since the boot sector code is executed before applications are loaded this gives boot
sector viruses an advantage over Anti-Virus software.]
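Because boot sector code runs before any anti-virus software, the practical check is an offline one: keep a hash of the known-good boot code and the partition table, and compare a freshly read sector against it. The following parser and checker are an added example, not from the SANS course. The sectors are constructed (the boot code bytes are a stand-in, not a real boot loader); on a Unix host the real first sector can be read with the dd command introduced earlier, for instance dd if=/dev/sda bs=512 count=1 of=mbr.bin, and fed to the same functions.

```python
"""Parse a master boot record and check it against a stored baseline.

Added example, not from the SANS course.  Because boot sector code runs before
any anti-virus software, the practical check is offline: keep a hash of the
known-good boot code and the partition table, and compare a freshly read
sector against it.  The sectors below are constructed; the boot code bytes are
stand-ins, not a real boot loader.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_SIZE = 446                 # boot code occupies bytes 0..445
TABLE_OFFSET = 446              # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"    # bytes 510..511 of every valid boot sector


def partition_entry(bootable, ptype, lba_start, sectors):
    """Build one 16-byte entry; CHS fields are zeroed, as modern BIOSes use LBA."""
    flag = 0x80 if bootable else 0x00
    return struct.pack("<B3sB3sII", flag, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def make_sector(code, entries):
    """Assemble a 512-byte MBR from boot code and up to four partition entries."""
    code = code.ljust(CODE_SIZE, b"\x00")[:CODE_SIZE]
    table = b"".join(entries).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector):
    """Split a sector into (boot code, partition list); reject malformed input."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        flag, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:                      # type 0 means the slot is unused
            partitions.append({"bootable": flag == 0x80, "type": ptype,
                               "start": lba_start, "sectors": sectors})
    return sector[:CODE_SIZE], partitions


def baseline(sector):
    """Record what future reads of the sector are compared against."""
    code, partitions = parse_mbr(sector)
    return {"code_sha256": hashlib.sha256(code).hexdigest(), "partitions": partitions}


def check(sector, base):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    code, partitions = parse_mbr(sector)
    findings = []
    if hashlib.sha256(code).hexdigest() != base["code_sha256"]:
        findings.append("boot code changed")
    if partitions != base["partitions"]:
        findings.append("partition table changed")
    return findings


# Constructed known-good sector: stand-in boot code bytes and one bootable NTFS partition.
GOOD_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB"
GOOD_MBR = make_sector(GOOD_CODE, [partition_entry(True, 0x07, 63, 2097152)])
# Constructed altered sector: the first instruction now jumps elsewhere in the boot code.
INFECTED_MBR = make_sector(b"\xE9\x00\x01" + GOOD_CODE[3:],
                           [partition_entry(True, 0x07, 63, 2097152)])


if __name__ == "__main__":
    base = baseline(GOOD_MBR)
    print("known good :", check(GOOD_MBR, base) or "OK")
    print("altered    :", check(INFECTED_MBR, base))
```

Keep the baseline somewhere the running system cannot rewrite, such as the offsite backup set, and compare against it from a clean boot medium; a sector read through a memory-resident virus may be the clean-looking copy the virus wants you to see.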