An attacker needs to destroy evidence of his presence and activities for several reasons like being able to maintain access and evade detection (and the resulting punishment). Erasing evidence of a compromise is a requirement for any attacker who wants to remain obscure and evade trace back. This usually starts with erasing the contaminated logins and any possible error messages that may have been generated from the attack process. For instance, a buffer overflow attack usually leaves a message in the system logs. Next, attention is turned to affecting changes so that future logins are not logged. By manipulating and tweaking the event logs, the system administrator can be convinced that the output of her system is correct and no intrusion or compromise actually took place.
Since, the first thing a system administrator does to monitor unusual activity is check the system log files, it is common for intruders to use a utility to modify the system logs. In some extreme cases, rootkits can disable logging altogether and discard all existing logs. This happens if the intruders intend to use the system for a longer period of time as a launch base for future intrusions. They remove only those portions of logs that can reveal their presence.
It is imperative for attackers to make the system look like it did before they gained access and established backdoors for their use. Any files that were modified need to be changed back to their original attributes.
Trojans such as ps or netcat come in handy for any attacker who wants to destroy the evidence from the log files or replace the system binaries with the same. Once the Trojans are in place, the attacker can be assumed to have gained total control of the system. Rootkits are automated tools designed to hide the presence of the attacker. By executing the script, a variety of critical files are replaced with trojanned versions, hiding the attacker with ease.
Other techniques include Steganography and tunneling. Steganography is the process of hiding the data, for instance in images and sound files. Tunneling takes advantage of the transmission protocol by carrying one protocol over another. Even the extra space (e.g. unused bits) in the TCP and IP headers can be used for hiding information. An attacker can use the system as a cover to launch fresh attacks against other systems or use it as a means of reaching another system on the network without being detected. Thus, this phase of attack can turn into a new cycle of attack by using reconnaissance techniques all over again.
Excerpted from Leonard Chin's white paper, 5 Phases Every Hacker Must Follow which has been reprinted with permission from http://iclass.eccouncil.org
Certified Ethical Hacker v7