Yes, attackers can hide their network activity from tools like netstat using various techniques and tools.
In order to hide network activity from netstat, an attacker can either:
1. Use a Kernel Rootkit that modifies the kernel's behavior, allowing the attacker to hide processes and network connections from system monitoring tools, including netstat.
2. A rootkit like Adore-ng can be used to completely hide the attacker's connection from any monitoring commands like netstat, ps, or lsof.
3. Another way is to replace the netstat binary on the target machine with a compromised version. Here, the attacker modifies the original netstat code to exclude their own connections.
4. So, if an attacker is able to gain access to the target system, they can copy the netstat binary, edit the code to exclude connections associated with their malicious activities, and replace the original binary with the modified one.
5. Now, this new netstat will exclude any connections from the attacker's IP address.
For example, this is what netstat without a backdoor looks like:

```
netstat -tulnp
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.10:5555 attacker_ip:12345 ESTABLISHED 1234/python
```

And this is what a backdoored netstat looks like:

```
netstat -tulnp
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.10:8080 192.168.1.11:443 ESTABLISHED 6789/apache2
```

Here, the attacker's connection (on port 5555) is removed from the output, which makes it undetectable to the system user.
Now, talking about the defence mechanisms:
1. We can use tools like Tripwire to monitor system files, including binaries like netstat, for unauthorized changes.
2. Tools like Wireshark or tcpdump can be used to monitor network traffic at a lower level, bypassing any local manipulations to system tools.
This will allow us to detect and prevent attackers from hiding their activity on the system.
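As an added example (not part of the original answer), here is a small defender-side check for the "replaced netstat binary" case described above: it compares the kernel's own socket table in /proc/net/tcp against what the netstat binary prints, so a connection that the binary filters out still shows up. The sample /proc and netstat text is constructed here, and the attacker address 203.0.113.5 is a made-up placeholder.

```python
# A trojaned netstat can filter its own output, but it cannot change what the
# kernel exposes in /proc/net/tcp, so any ESTABLISHED socket in /proc that is
# missing from netstat's output is a red flag. (A kernel rootkit can hide from
# /proc as well; that case needs off-host capture such as tcpdump/Wireshark.)
import subprocess
from pathlib import Path

STATE_ESTABLISHED = "01"  # value of the 'st' column in /proc/net/tcp

def hex_to_addr(h):
    """'0A01A8C0:15B3' -> '192.168.1.10:5555' (IPv4 is little-endian in /proc)."""
    ip_hex, port_hex = h.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return f"{'.'.join(octets)}:{int(port_hex, 16)}"

def parse_proc_net_tcp(text):
    """Return {(local, remote)} for every ESTABLISHED IPv4 TCP socket."""
    conns = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) >= 4 and f[3] == STATE_ESTABLISHED:
            conns.add((hex_to_addr(f[1]), hex_to_addr(f[2])))
    return conns

def parse_netstat(text):
    """Return {(local, remote)} for ESTABLISHED rows of 'netstat -tn' output."""
    conns = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "ESTABLISHED":
            conns.add((f[3], f[4]))
    return conns

def find_hidden(proc_text, netstat_text):
    """Sockets the kernel knows about that netstat did not print."""
    return sorted(parse_proc_net_tcp(proc_text) - parse_netstat(netstat_text))

# Constructed sample: the kernel sees two sockets, the trojaned netstat shows one.
SAMPLE_PROC = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:15B3 057100CB:3039 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1
   1: 0A01A8C0:1F90 0B01A8C0:01BB 01 00000000:00000000 00:00000000 00000000    33        0 12346 1
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:8080       192.168.1.11:443        ESTABLISHED 6789/apache2
"""

def check_live_host():
    """Same comparison on the current Linux host (assumes netstat is installed)."""
    out = subprocess.run(["netstat", "-tn"], capture_output=True, text=True, check=True).stdout
    return find_hidden(Path("/proc/net/tcp").read_text(), out)

if __name__ == "__main__":
    for local, remote in find_hidden(SAMPLE_PROC, SAMPLE_NETSTAT):
        print(f"hidden from netstat: {local} -> {remote}")
```

Running check_live_host() on a real system needs root only if you want to see every process's sockets; the comparison itself works on the socket tuples alone.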