
Page 1: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov

© 2012 JurInnov Ltd. All Rights Reserved.

Detecting Intrusions and Malware

August, 2012

Eric Vanderburg, MBA, CISSP
JurInnov, Ltd.

Page 2

Malware

• Malware – Software that enters a computer system without the owner's knowledge or consent
  – Performs unwanted and usually harmful actions
• Malware objectives
  – Rapidly spread its infection
  – Conceal its purpose
  – Make a profit for its creators

Page 3

Malware – Virus

• Viruses – Malicious computer code that reproduces on a single computer
  – An FBI survey revealed that despite protection programs, 82% of organizations have been infected by a virus.


Page 4

Malware - Virus

• Methods of spreading a virus
  – Appender: the virus appends itself to a file
  – The virus changes the beginning of the file
    • Adds a jump instruction pointing to the virus code
  – Swiss cheese infection
    • Injects portions of its code throughout the program's executable code


Page 5

Malware – Virus

• Virus actions
  – Causing the computer to crash repeatedly
  – Displaying an annoying message
  – Erasing files from the hard drive
  – Making copies of itself to consume all space on the hard drive
  – Turning off security settings
  – Reformatting the hard drive


Page 6

Malware – Virus

• A virus can only replicate on its host computer
  – Cannot spread between computers without user action (copying or opening the infected file)
• Types of viruses
  – Program virus
    • Infects program executable files
  – Macro virus
    • Stored within a user document


Page 7

Malware - Worm

• Worms – Malicious program designed to take advantage of a vulnerability in an application or operating system
  – Searches for other computers with the same vulnerability
  – Sends copies of itself over the network, without any user action


Page 8

Malware - Worm

• Worm actions
  – Consume network resources
  – Allow the computer to be controlled remotely
  – Delete files


Page 9

Malware - Trojan

• Trojan horses – install malicious software under the guise of doing something else
  – Executable program containing hidden malware code
  – Program advertised as performing one activity but actually does something else


Page 10

Malware - Trojan

• A Trojan is installed on the user's system with the user's approval, because the user runs it deliberately
• Trojans typically do not replicate, either on the same computer or to another computer


Page 11

Malware – Spyware / Adware / Scareware

• Spyware
  – Prolific malicious code that logs a user's activity and collects personal information, which it then sends to a third party
• Adware
  – A relative of spyware. Typically bundled with free software; displays advertisements while the program is running. May also contain spyware.
• Scareware
  – Software meant to prompt a user to action or incite panic


Page 12

Malware – Spyware / Adware / Scareware

• Spyware's negative effects on an infected computer
  – Slow system performance
  – Create system instability
  – Add browser toolbars or menus
  – Add shortcuts
  – Hijack the home page
  – Increase pop-ups


Page 13

Malware – Spyware / Adware / Scareware

• Adware – Software program that delivers advertising content in an unexpected and unwanted manner
• Adware actions
  – Display pop-up ads and banners
  – Open Web browsers at random intervals
  – May display objectionable content
  – May interfere with user productivity
  – May track and monitor user actions


Page 14

Malware – Spyware / Adware / Scareware

• Scareware
  – Software that displays a fictitious warning
  – Tries to impel the user to take action
  – Uses legitimate trademarks or icons
  – Pretends to perform a security scan and find serious problems
  – Offers purchase of the full version of the software to fix the problems
  – Victim provides a credit card number to the attacker
    • Attacker uses the number to make fraudulent purchases


Page 15

Malware - Rootkit

• Rootkit
  – Set of software tools used by an attacker
  – Conceals the presence of other malicious software
  – Actions
    • Deleting logs
    • Changing the operating system so that it ignores malicious activity


Page 16

Malware - Keylogger

• Keylogger
  – Hardware or software that captures keystrokes
  – Captured information can be retrieved by the attacker
• Hardware keylogger
  – Installed between the keyboard and the computer's USB port
• Software keylogger
  – Hides itself from detection by the user


Page 17

Malware - Bots

• Bots
  – Malware that lets an attacker gain control over the infected computer (a "zombie") and use a company's network to send spam, launch attacks and infect other computers.


Page 18

Threat defined – What is done with botnets?

• DDoS
• Spam
• Distribute copyrighted material
  – Torrents
• Data mining
• Hacking
• Spread itself

Page 19

History


1999 Pretty Park
• Used IRC for C&C and updates
• ICQ and email harvesting
• DoS

1999 SubSeven
• Used IRC for C&C
• Keylogger
• Admin shell access

2000 GTBot
• Bounce (relay) IRC traffic
• Port scan
• DDoS
• Delivery: email

2002 SDBot
• Keylogger
• Delivery: WebDAV and MSSQL vulnerabilities, DameWare remote management software, password guessing on common MS ports, and common backdoors

2002 AgoBot
• Modular design
• DDoS
• Hides with rootkit techniques
• Turns off antivirus
• Modifies the hosts file
• Delivery: P2P (Kazaa, Grokster, BearShare, Limewire)

2003 SpyBot
• Builds on SDBot
• Customizable to avoid detection
• DDoS, keylogger, web form collection, clipboard logging, webcam capture
• Delivery: SDBot + P2P

2003 RBot
• Encrypts itself
• Admin shell access

2004 PolyBot
• Builds on AgoBot
• Polymorphs through encrypted encapsulation

2005 MyTob
• DDoS, keylogger, web form collection, webcam capture
• Delivery: email spam using MyDoom with its own SMTP server


Page 20

History

2006 Rustock
• Spam, DDoS
• Uses a rootkit to hide
• Encrypts spam in TLS
• Robust C&C network (over 2,500 domains)
• Delivery: email

2007 Cutwail
• Spam, DDoS
• Harvests email addresses
• Rootkit
• Delivery: email

2007 Storm
• Spam
• Dynamic fast-flux C&C DNS
• Malware re-encoded twice per hour
• Defends itself with DDoS
• Sold and "licensed"
• Delivery: email enticement for free music

2007 Zeus
• Phishing with customizable data collection methods
• Web-based C&C
• Stealthy and difficult to detect
• Sold and "licensed" to hackers for data theft
• Delivery: phishing, social networking

2008 TDSS
• Sets up a proxy that is rented to others for anonymous web access
• Delivery: Trojan embedded in software

2008 Mariposa (Butterfly)
• Rented botnet space for spam, DDoS, and theft of personal information
• Delivery: MSN, P2P, USB

Page 21

History

2009 Koobface
• Installs pay-per-install malware
• Delivery: social networking

Page 22

Life Cycle

• Exploit
  – Malicious code
  – Unpatched vulnerabilities
  – Trojan
  – Password guessing
  – Phish
• Rally – Reporting in
  – Log into a designated IRC channel and PM the master
  – Make a connection to an HTTP server
  – Post data to an FTP server or HTTP form

Life cycle stages: Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up

Page 23

Life Cycle

• Preserve
  – Alter A/V DLLs
  – Modify the hosts file to prevent A/V updates
  – Remove default shares (IPC$, ADMIN$, C$)
  – Rootkit
  – Encrypt
  – Polymorph
  – Retrieve anti-A/V module
  – Turn off A/V or firewall services
  – Kill A/V, firewall or debugging processes


Agobot host control commands (the preserve section of its configuration, killing antivirus processes):

  <preserve>
    <pctrl.kill "Mcdetect.exe"/>
    <pctrl.kill "avgupsvc.exe"/>
    <pctrl.kill "avgamsvr.exe"/>
    <pctrl.kill "ccapp.exe"/>
  </preserve>
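The hosts-file tampering in the Preserve list is one of the cheapest checks to automate on an endpoint. The script below is an added example, not code from the original slides and not Agobot's own: it parses a hosts file and reports any entry that maps a security-vendor update name to a loopback or unspecified address (sinkholed) or to some other address (redirected). The vendor suffix list and the sample hosts file are constructed for illustration.

```python
"""Check a hosts file for entries that sinkhole or redirect security-vendor
update domains, the tampering described in the bot life cycle's Preserve stage.

Added example; not code from the original slides. The vendor-domain list and the
sample hosts file are constructed for illustration.
"""
import ipaddress

# Assumption: update domains an operator wants to watch; extend for the vendors in use.
PROTECTED_SUFFIXES = ("symantec.com", "mcafee.com", "avg.com", "avgupdate.com",
                      "windowsupdate.com", "update.microsoft.com")

# Mapping a name to one of these makes it unreachable.
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/32", "::1/128")]


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed first field: not a mapping
        for name in parts[1:]:
            yield ip, name.lower().rstrip("."), no


def is_protected(name):
    """True when the name is one of the watched domains or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def find_tampering(text):
    """Return (line_no, name, ip, kind) for each protected name present in the file."""
    findings = []
    for ip, name, no in parse_hosts(text):
        if not is_protected(name):
            continue
        kind = "sinkholed" if any(ip in n for n in SINKHOLE_NETS) else "redirected"
        findings.append((no, name, str(ip), kind))
    return findings


# Constructed sample: a clean file would contain only the two localhost lines.
SAMPLE_HOSTS = """\
# hosts file after a bot's Preserve stage ran
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.symantec.com
127.0.0.1       liveupdate.symantec.com
0.0.0.0         avgupdate.com
198.51.100.7    download.mcafee.com      # redirect to an attacker-controlled host
10.0.0.5        intranet.example         # unrelated internal entry, not reported
"""

if __name__ == "__main__":
    for no, name, ip, kind in find_tampering(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {ip} ({kind})")
```

Any protected name appearing in hosts at all is worth a finding: a legitimate build has no reason to pin vendor update servers, and a redirect to a routable address is the more dangerous case because updates still appear to succeed.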

Page 24

Life Cycle

• Inventory
  – Determine capabilities such as RAM, HDD, processor, bandwidth, and pre-installed tools
• Await instructions from the C&C server
• Update
  – Download payload/exploit
  – Update C&C lists


Page 25

Life Cycle

• Execute commands
  – DDoS
  – Spam
  – Harvest emails
  – Keylog
  – Screen capture
  – Webcam stream
  – Steal data
• Report back to the C&C server
• Clean up – Erase evidence


Page 26

Propagation

• Scan for Windows shares and guess passwords (PRINT$, C$, D$, E$, ADMIN$, IPC$)
  – Enumerate usernames, then guess passwords from a list
  – Defense: use strong passwords

(Figure: Agobot propagation functions)

Page 27

Propagation

• Use backdoors left by common Trojans
• P2P – makes files available under enticing names, hoping they will be downloaded. File names consist of celebrity or model names, games, and popular applications
• Social networking – Facebook posts or messages that provide a link (Koobface worm)

Page 28

Propagation

• SPIM (instant-messaging spam)
  – Message the contact list
  – Send friend requests to contacts taken from email lists or IM contacts harvested from the Internet
• Email
  – Harvests email addresses from text files such as html, php, asp, txt and csv
  – Uses its own SMTP engine and guesses the mail server by putting mx, mail, smtp, mx1, mail1, relay or ns in front of the domain name

Page 29

Command and Control

• C&C or C2
• Networked with redundancy
• Dynamic DNS with a short TTL for the C&C IP address (the weak point is the DNS name, not the C&C server)
• Daily rotating encrypted C&C hostnames
• Alternate control channels (e.g. researchers in 2004 redirected a botnet's C&C to a monitoring server)
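The short-TTL, rotating-address pattern above is what fast-flux C&C looks like in resolver logs, and it is detectable from the DNS side rather than from the C&C server. The following is an added example, not from the original slides: it summarises answers per name and flags names whose TTL is short and whose addresses are both numerous and spread across unrelated networks, which separates flux from a CDN that also uses short TTLs. The answers are constructed, and the three thresholds are assumptions to tune per environment.

```python
"""Flag DNS names whose answers look like fast-flux C&C: short TTLs combined
with a large, churning set of addresses spread across unrelated networks.

Added example; not code from the original slides. The resolver-log answers are
constructed, and the three thresholds are assumptions to tune per environment.
"""
import ipaddress
from collections import defaultdict

MAX_TTL = 300    # seconds; what this page calls a "short TTL"
MIN_ADDRS = 5    # distinct A records observed for one name
MIN_NETS = 3     # distinct /16 prefixes those addresses fall in


def summarize(answers):
    """answers: iterable of (qname, ip, ttl). Returns per-name address and TTL stats."""
    stats = defaultdict(lambda: {"addrs": set(), "nets": set(), "min_ttl": None})
    for qname, ip, ttl in answers:
        s = stats[qname.lower().rstrip(".")]
        s["addrs"].add(ipaddress.ip_address(ip))
        # /16 is a rough stand-in for "different network"; production code maps to ASN.
        s["nets"].add(ipaddress.ip_network(f"{ip}/16", strict=False))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats


def flux_candidates(answers):
    """Return (name, distinct addrs, distinct nets, min ttl) for names meeting all criteria."""
    out = []
    for name, s in summarize(answers).items():
        if (s["min_ttl"] <= MAX_TTL and len(s["addrs"]) >= MIN_ADDRS
                and len(s["nets"]) >= MIN_NETS):
            out.append((name, len(s["addrs"]), len(s["nets"]), s["min_ttl"]))
    return sorted(out)


# Constructed resolver log: (qname, A record, TTL) over a few minutes.
SAMPLE = [
    # suspicious: TTL 60 s, eight addresses across three unrelated prefixes
    *[("upd.ctrl-example.net", ip, 60) for ip in (
        "203.0.113.5", "198.51.100.77", "192.0.2.200", "203.0.113.99",
        "198.51.100.3", "192.0.2.17", "203.0.113.140", "198.51.100.150")],
    # CDN-like: short TTL and several addresses, but all in one prefix, so not flagged
    *[("cdn.example.com", ip, 30) for ip in (
        "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14")],
    # ordinary site: long TTL, one address
    ("www.example.org", "198.51.100.1", 86400),
]

if __name__ == "__main__":
    for name, n_addr, n_net, ttl in flux_candidates(SAMPLE):
        print(f"{name}: {n_addr} addresses over {n_net} /16s, min TTL {ttl}s")
```

Run it against passive-DNS or resolver query logs accumulated over hours, not single lookups: flux only shows as churn over time, and the network-diversity criterion is what keeps load-balanced legitimate services out of the result.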

Page 30

Detecting bots

• Monitor port statistics on network equipment and alert when machines use more than average
  – Gather with SNMP, NetFlow, or first-stage probes (sniffers) attached to mirrored ports on switches
• Wireshark
• Real-time NetFlow analyzer – SolarWinds free NetFlow tool
• Small Operation Center or MRTG – free SNMP/syslog server with dashboard
• SNARE – event log monitoring (Linux and Windows agents)
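The "more than average" test above is easy to state and easy to get wrong, because the infected host's own traffic drags the average up. The script below is an added example, not code from the original slides or from any of the tools listed: it works from NetFlow-style records, compares each internal host's outbound volume with the median of its peers using the median absolute deviation (which the outlier cannot inflate), and also flags hosts that speak SMTP directly to many Internet destinations, the own-SMTP-engine behaviour from the propagation slides. The flow records, the internal range, the mail-server list and both thresholds are constructed assumptions.

```python
"""Rank internal hosts by outbound volume against their peers and flag hosts
that talk SMTP directly to many Internet destinations, from NetFlow-style
records.

Added example; not code from the original slides. The flow records, the
internal range, the mail-server list and both thresholds are constructed
assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("192.168.1.0/24")
MAIL_SERVERS = {"192.168.1.10"}  # assumption: the only host allowed to send mail outbound
VOLUME_MADS = 3.0                 # flag hosts more than 3 MADs above the median
SMTP_PEERS = 5                    # distinct external port-25 peers before flagging


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def aggregate(flows):
    """flows: iterable of (src, dst, dport, bytes). Per-source stats for internal -> external only."""
    out = defaultdict(lambda: {"bytes": 0, "smtp_peers": set()})
    for src, dst, dport, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue
        out[src]["bytes"] += nbytes
        if dport == 25:
            out[src]["smtp_peers"].add(dst)
    return out


def volume_outliers(stats):
    """Hosts whose outbound bytes sit far above the median; MAD is robust to the outlier itself."""
    totals = [s["bytes"] for s in stats.values()]
    if len(totals) < 3:
        return []
    med = statistics.median(totals)
    mad = statistics.median(abs(t - med) for t in totals) or 1.0
    return sorted(h for h, s in stats.items() if (s["bytes"] - med) / mad > VOLUME_MADS)


def spam_suspects(stats):
    """Non-mail hosts fanning out to many SMTP servers: a bot running its own SMTP engine."""
    return sorted(h for h, s in stats.items()
                  if h not in MAIL_SERVERS and len(s["smtp_peers"]) >= SMTP_PEERS)


def analyze(flows):
    stats = aggregate(flows)
    return {"volume": volume_outliers(stats), "smtp": spam_suspects(stats)}


def _flows(src, dsts, dport, nbytes):
    return [(src, d, dport, nbytes) for d in dsts]


EXT = [f"203.0.113.{i}" for i in range(1, 20)]  # constructed external hosts

SAMPLE_FLOWS = (
    _flows("192.168.1.20", EXT[:4], 443, 300_000)       # 1.2 MB, normal browsing
    + _flows("192.168.1.21", EXT[:4], 443, 500_000)     # 2.0 MB
    + _flows("192.168.1.22", EXT[:3], 80, 500_000)      # 1.5 MB
    + _flows("192.168.1.23", EXT[:5], 443, 500_000)     # 2.5 MB
    + _flows("192.168.1.24", EXT[:3], 80, 600_000)      # 1.8 MB
    + _flows("192.168.1.10", EXT[:8], 25, 375_000)      # 3.0 MB, the real mail server
    + _flows("192.168.1.30", EXT[:3], 80, 300_000_000)  # 900 MB: flood or bulk upload
    + _flows("192.168.1.31", EXT[5:11], 25, 50_000)     # 300 kB to six SMTP peers
    + [("203.0.113.9", "192.168.1.20", 443, 10_000)]    # inbound flow, ignored
)

if __name__ == "__main__":
    print(analyze(SAMPLE_FLOWS))
```

Note that the spam bot (192.168.1.31) moves almost no data and would never trip a volume alert; the two checks find different stages of the life cycle and belong together.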

Page 31

Who Are the Attackers?

• Cybercriminals
• Script kiddies
• Spies
• Insiders
• Cyberterrorists
• Hacktivists
• Government agencies

(Figure: attacker types ranked by skills required)

Page 32

Cybercriminals / Organized Crime

• Generic definition
  – People who launch attacks against other users and their computers
• Specific definition
  – Loose network of highly motivated attackers
  – Many belong to organized gangs of attackers
• Targets
  – Individuals and businesses
  – Businesses and governments

Page 33

Cybercriminals / Organized Crime

• Lee Klein compromised the Lexis-Nexis system and may have stolen personal data of up to 13,000 users and sold the data to the Bonanno crime family.

• Groups based in the former Soviet Union have been repeatedly implicated in significant computer breaches.

Page 34

Cybercriminals / Organized Crime

• In 2005, federal agents conducted a sting operation to arrest members of a group known as "ShadowCrew". This gang was a group of hackers working together to conduct a variety of computer crimes, including identity theft.
• This phenomenon is international in scope. Korean authorities have also arrested gangs of online criminals.
• The most common crime for these groups is identity theft.

Page 35

Script Kiddies

• Attackers who lack the knowledge necessary to perform an attack on their own
• Use automated attack software
• Can purchase an "exploit kit" for a fee from other attackers
• Over 40 percent of attacks require low or no skills

Page 36

Spies

• People hired to break into a computer and steal information
• Do not randomly search for unsecured computers
  – Hired to attack a specific computer or system
• Goal
  – Break into the computer or system
  – Take information without drawing attention to their actions
• Generally possess excellent computer skills

Page 37

Spies

• It is generally believed by security experts that many companies have purchased information from freelance individuals without asking where that information came from.
• In 2008, the SANS Institute ranked cyber espionage as the third greatest threat on the Internet.
• In 1993, General Motors (GM) and one of its partners began to investigate a former executive, Inaki Lopez. GM alleged that Lopez and seven other former GM employees had transferred GM proprietary information to Volkswagen (VW) in Germany via GM's own network.

Page 38

Spies

• CIO Magazine examined the issue of government-based cyber espionage in a 2009 article. The article discusses the possibility that the Chinese government was behind a widespread infiltration of over 1,200 computers owned by over 100 countries, with the express purpose of spying on the activities of those countries.
• One week before Christmas 2009, the story broke that hackers had stolen secret defense plans of the United States and South Korea.

Page 39

Insiders

• An organization’s own employees, contractors, and business partners

• One study showed 48 percent of data breaches are caused by insiders accessing information

• Most insider attacks: sabotage or theft of intellectual property

• Most sabotage comes from employees who have recently been demoted, reprimanded, or left the company

Page 40

Cyberterrorists

• Goals of a cyberattack
  – Deface electronic information
    • Spread misinformation and propaganda
  – Deny service to legitimate computer users
  – Cause critical infrastructure outages and corrupt vital data
• Attacks may be ideologically motivated

Page 41

Cyberterrorists

• According to the FBI, "cyber terrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by sub-national groups or clandestine agents."
• In 2008 and 2009 there were growing reports of attacks on various systems tracing back to South Korea or China.

Page 42

Hacktivists

• Motivated by ideology
• Direct attacks at specific Web sites
• May promote a political agenda
  – Or retaliate for a specific prior event

Page 43

Governments

• May instigate attacks against their own citizens or against foreign governments
• Examples of attacks by government agencies
  – Flame malware, targeted at computers in the Middle East (primarily Iran)
  – Stuxnet malware, which targeted the industrial controllers of Iran's uranium-enrichment centrifuges
  – Iranian government reads the e-mail messages of 30,000 citizens
    • Attempt to track down dissidents

Page 44

Governments

• Attacks are
  – Premeditated, politically-motivated attacks against computer systems
  – Intended to cause panic, provoke violence, or cause financial catastrophe
• Possible targets
  – Banking industry
  – Air traffic control centers
  – Water systems

Page 45

Governments

• Information warfare can mean spreading disinformation to mislead an adversary, or propaganda to undermine the adversary's morale.
• The first way in which the Internet is used in information warfare is in the realm of propaganda. Every stakeholder in any situation has their own interpretation of events and news.
• Law enforcement agencies have successfully used fake websites, fake Craigslist ads, and other techniques to help capture criminals. It is also possible to use the Internet to feed misinformation to criminals and terrorists.

Page 46

Networking Concepts

• TCP/IP
• IP addressing
• Packet fragmentation
• ICMP
• Wireless
• Other protocols
  – DNS
  – DHCP
  – PPTP, SSTP, L2TP

Page 47

OSI Reference Model

Each layer on the sending host communicates with its peer layer on the receiving host:

  Sender          Receiver
  Application     Application
  Presentation    Presentation
  Session         Session
  Transport       Transport
  Network         Network
  Datalink        Datalink
  Physical        Physical
        \__ Medium __/

Only the two physical layers are joined by the transmission medium; every other layer exchanges data with its peer through the layers below it.

Page 48

Encapsulation

• Enclosing one layer's data unit inside another so that the enclosed data is opaque to the enclosing layer: each layer wraps what the layer above hands down in its own header (and, at the data link layer, a trailer), and the receiving peer strips that header again (de-encapsulation).

Page 49

Application – Layer 7

• Where programs access network services
• FTP, HTTP, client software
• Problems at this layer:
  – Misconfigured settings
  – Incompatible commands

Page 50

Presentation – Layer 6

• Formats data
• Protocol conversion
• Encryption
• Compression
• Character set (ASCII, Unicode, EBCDIC)
• Problems at this layer:
  – Cannot decrypt
  – Wrong conversion

Page 51

Redirector

• Sends requests for services to the appropriate network device.
• RDR can sometimes stand for redirector
  – Rdr.sys
  – Windows redirector registry entries are stored in
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters and
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr

Page 52

Session – Layer 5

• Manages communication
• Identification
• Window size
• Keep-alive messages
• ACK, NAK
• Name resolution
  – DNS
  – NetBIOS
• Logon
• Problems at this level:
  – Incorrect or no name resolution

Page 53

Transport – Layer 4

• Segmenting
• Sequencing
• Error checking
• Flow control – send only as much data as the receiver can handle
• TCP and SPX
• Problems at this layer:
  – Overly large segments

Page 54

Network – Layer 3

• Logical addressing
• Routing
• QoS
• Deals with packets
• IP and IPX
• Problems at this layer:
  – Incorrect routing (bad config)
  – Incorrect routing table
  – Incorrect routing protocol
  – Incorrect IP configuration

Page 55

Datalink – Layer 2

• Physical addressing
• Deals with frames
• Discards bad frames
• Converts to bits
• Problems at this layer:
  – Collisions
  – Bad frames
  – Faulty NIC
  – Incorrect bridging tables

Page 56

Datalink Sublayers

• MAC
  – Manages multiple NICs
  – Creates the frame and sends it to the physical layer
  – Senses carrier
  – Passes tokens
• LLC
  – Error recovery
  – Integrity checking

Page 57

Physical – Layer 1

• Encoding – convert bits to signals
  – 101001011001
• Problems at this level:
  – Interference
  – Noise
  – Cable not connected

Page 58

OSI & TCP/IP

  OSI Model        TCP/IP Model
  Application      Application
  Presentation     Application
  Session          Application
  Transport        Transport
  Network          Internet
  Datalink         Network (link)
  Physical         Network (link)

Page 59

IP Addresses

• Class A – 0nnnnnnn hhhhhhhh hhhhhhhh hhhhhhhh
  – First bit 0; 7 network bits; 24 host bits
  – Initial byte: 0 - 127
  – 126 Class A networks exist (0 and 127 are reserved)
  – 16,777,214 hosts per network
• Class B – 10nnnnnn nnnnnnnn hhhhhhhh hhhhhhhh
  – First two bits 10; 14 network bits; 16 host bits
  – Initial byte: 128 - 191
  – 16,384 Class B networks exist
  – 65,534 hosts per network (2^16 minus the network and broadcast addresses)
• Class C – 110nnnnn nnnnnnnn nnnnnnnn hhhhhhhh
  – First three bits 110; 21 network bits; 8 host bits
  – Initial byte: 192 - 223
  – 2,097,152 Class C networks exist
  – 254 hosts per network

Page 60

Packet Fragmentation

• Data larger than the path MTU is split into several packets (fragments)
• Encapsulation headers and padding add overhead that can push a packet over the MTU and cause additional fragmentation
• IP fragments are reassembled using the Identification field and each fragment's offset; TCP segments are ordered by sequence number

Page 61

ICMP – To Ping or not to Ping

• Internet Control Message Protocol
  – Checks host alive status
  – Susceptible to attacks
    • Smurf – broadcast pings with a spoofed source address, so every host on the segment replies to the victim
    • PoD (Ping of Death) – fragments that reassemble to an ICMP packet larger than 65,535 bytes, overflowing the reassembly buffer
  – Can be used to footprint a network
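The Ping of Death condition can be judged from the IP header alone, before any reassembly buffer is allocated: a fragment's offset plus its payload length is the highest byte it would write, and no fragment may push that past 65,535. The script below is an added example, not from the original slides: it parses raw IPv4 fragments, tracks the projected reassembled size per datagram, and reports any that overflow. The fragments are constructed in memory with struct.pack; nothing is sent or captured.

```python
"""Parse raw IPv4 fragments and flag any datagram whose reassembled length would
exceed 65,535 bytes (the Ping of Death condition), judged from fragment offset
and length alone, before any reassembly buffer is touched.

Added example; not code from the original slides. The fragments are constructed
in memory with struct.pack; nothing is sent or captured.
"""
import struct
from collections import defaultdict

IPV4_MAX = 65535
MF = 0x2000  # More Fragments flag in the flags/fragment-offset field
HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, network byte order


def parse_ipv4(packet):
    """Return (src, dst, ident, proto, more_fragments, offset_bytes, payload_len)."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack(HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return (src, dst, ident, proto, bool(flags_off & MF),
            (flags_off & 0x1FFF) * 8, total_len - ihl)


def oversized_datagrams(packets):
    """Map (src, dst, id, proto) -> projected reassembled size, for datagrams over IPV4_MAX."""
    ends = defaultdict(int)
    for pkt in packets:
        src, dst, ident, proto, _mf, off, plen = parse_ipv4(pkt)
        key = (src, dst, ident, proto)
        ends[key] = max(ends[key], off + plen)  # highest byte this fragment would write
    return {k: e for k, e in ends.items() if e > IPV4_MAX}


def build_fragment(ident, offset_bytes, payload_len, more,
                   src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Construct a minimal IPv4 fragment carrying ICMP (proto 1) with a zeroed payload."""
    flags_off = (MF if more else 0) | (offset_bytes // 8)
    header = struct.pack(HDR, 0x45, 0, 20 + payload_len, ident, flags_off, 64, 1, 0, src, dst)
    return header + b"\x00" * payload_len


# Constructed capture: a normal 3,160-byte ping split in three, then a Ping of Death
# whose last fragment sits at the maximum offset (8191 * 8 = 65,528) and adds 1,480 bytes.
SAMPLE_FRAGMENTS = [
    build_fragment(1, 0, 1480, True),
    build_fragment(1, 1480, 1480, True),
    build_fragment(1, 2960, 200, False),
    build_fragment(2, 0, 1480, True),
    build_fragment(2, 65528, 1480, False),
]

if __name__ == "__main__":
    for (src, dst, ident, proto), size in oversized_datagrams(SAMPLE_FRAGMENTS).items():
        print(f"id {ident} proto {proto}: would reassemble to {size} bytes (> {IPV4_MAX})")
```

The check is per-fragment and stateless apart from the running maximum, which is why a sensor can apply it without reassembling anything; the same bookkeeping extended with a per-datagram interval list also catches overlapping fragments.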

Page 62

Wireless - Overview

• How does it work?
• What are the risks?
• What security controls are available?

Page 63

Wireless – How it works

• Spread spectrum technologies
  – Use multiple frequencies
    • Less interference
    • Redundancy
  – Frequency range: 902-928 MHz, 2.4 GHz
  – Frequency hopping
    • Changes frequency at regular intervals
    • Lower bandwidth; harder to intercept or jam
  – Direct-sequence modulation
    • Sends different data chunks along multiple frequencies
    • Low power per frequency (just above the noise floor)

Page 64

Wireless – How it works

• 802.11a – 54 Mbps – 5 GHz
• 802.11b – 11 Mbps – 2.4 GHz
• 802.11g – 54 Mbps – 2.4 GHz – WPA support
• 802.11n – up to 300 Mbps – 2.4 GHz and 5 GHz

Page 65

Wireless – How it works

• BSA (Basic Service Area)
  – Coverage area of the WAP
  – Depends on:
    • Power of the transmitter
    • Environment
• BSS (Basic Service Set)
  – Stations belonging to an AP

Page 66

Attacks Through Wireless Networks

• Popular types of wireless networks
  – Wi-Fi
  – Bluetooth
• Wi-Fi networks
  – Wireless local area network (WLAN)
  – Use radio frequency (RF) transmissions
  – Devices in range of a connection device can send and receive information
• Estimate: 1.4 billion wireless devices to ship in 2014

Page 67

Attacks Through Wireless Networks

• Wi-Fi equipment
  – Mobile device needs a wireless client interface card adapter (wireless adapter)
  – Special software (a driver) to translate between the device and the adapter
  – Wireless broadband router or access point
    • Base station for sending and receiving signals
    • Gateway to the Internet

Page 68

Attacks Through Wireless Networks

• Attacks on home Wi-Fi networks are relatively easy
  – Signal not confined within home walls
  – Many users do not understand how to configure router security
  – Some users consider security an inconvenience
• Types of attacks
  – Stealing data
  – Reading wireless transmissions
  – Injecting malware
  – Downloading harmful content

Page 69

Attacks Through Wireless Networks

• Free or fee-based wireless networks are rarely protected
• Evil twin
  – Attacker's wireless device
  – Mimics an authorized Wi-Fi access point (same SSID)
  – Attacker can use it to intercept traffic or send malware directly to the victim's computer

Page 70

Wireless – Detecting networks

• NetStumbler
• inSSIDer
• Commercial enterprise tools

Page 71

Bluetooth

• Bluetooth
  – Common wireless technology
  – Short-range
    • Up to 33 feet; 1 Mbps transmission rate – See Figure 5-5
• Bluetooth attacks
  – Bluejacking
    • Sending unsolicited text messages
  – Bluesnarfing
    • Accessing unauthorized information

Page 72

Other Protocols

• DNS
• DHCP
• PPTP, SSTP, L2TP

Page 73

Firewalls

• Packet filters – allow or deny based on:
  – Source or destination IP address
  – Source or destination port
  – Blocked IP lists, blacklists and whitelists
• Session-layer proxies – stateful allow or deny decisions
  – Middle-man between source and destination
  – Decrypted content inspection
• Application proxies – examine one or more layer 7 traffic types such as email, SQL or HTTP

Page 74

Firewall features

• NAT
• DHCP
• VPN tunneling
• Load balancing
• Failover
• Stateful packet inspection
• Performance monitoring
• Centralized management
• SNMP
• Application proxy

Page 75

Common interfaces

• Console – serial (DB9) or USB
• Secure Shell (SSH)
• Secure Copy (SCP) and SSH FTP (SFTP)
• Telnet (cleartext; disable it wherever SSH is available)
• Simple Network Management Protocol (SNMP) (v1 and v2c send community strings in cleartext)
• Trivial File Transfer Protocol (TFTP) (no authentication)
• Web interfaces

Page 76

Auditing

• Policy
• Logs

Page 77

Intrusion Detection and Prevention Systems

• IDS – audit only
• IPS – audit and respond
• Problem with tuning down and exceptions
• Types
  – Port mirrored
  – Inline
  – Integrated

Page 78

IPS functionality

• Detection
  – Signature
  – Behavior
  – Malformed data/protocols
• Analysis
  – Protocol reassembly
  – Normalization
• Rules

Page 79

IPS functionality

• Alerts
  – Email
  – Syslog
  – SNMP
  – Database
• Tracing
  – Summary information
  – Packet captures

Page 80

IPS Limitations

• Verify scope – sensors may be configured differently

Page 81

IPS Brands

• Check Point IPS-1
• Cisco IPS
• Corero Network Security
• Enterasys IPS
• HP TippingPoint IPS
• IBM Security Network IPS
• Sourcefire 3D System
• Custom built (Snort or Bro)

Page 82

Snort

• Open source IDS
• Extensible
• Most widely used

Page 83

Snort Architecture

Processing pipeline:

• Capture packets on bound interface(s)
• Reassemble and analyze protocol
• Anomaly detection
  – protocol
  – frame
  – packet
• Passed to rule engine
• Determine actions
  – Drop and log (pcap)
  – Drop, no log
  – Accept
  – Accept and log (pcap)
  – Notify

Page 84

Rule Matching

• Directionality: -> <- <>
• Protocol
• Source IP, network or port
– log tcp !192.168.1.0/24 any -> 192.168.1.0/24
– Matches data coming from outside the network (192.168.1.0)
• Destination IP, network or port
– log udp any any -> 192.168.1.0/24 1:1024
– Logs UDP traffic coming from any port to destination ports ranging from 1 to 1024
• Content
– alert tcp !192.168.1.0/24 any -> 192.168.1.19/24 80 (content: "web.config"; msg: "outside request for web.config";)
– Finds requests for web.config from the outside and sends an alert

Page 85: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Rule matching – additional options

• Minfrag – minimum size for packet fragments
• Dsize – packet payload size
– Dsize: >100 and <1000 (in Snort syntax: dsize:100<>1000;)
• Depth – how far into the packet to search
• Offset – start searching after this point
• Example
– alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF attack";)

Page 86: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Rule matching – additional options

• TTL – match on a specific TTL
• ID – match on a specific fragment ID – some known hacking tools use specific IDs
• Logto – create a separate output file
• Session – records what is typed in telnet, rlogin, ftp, etc.
– log tcp any any <> 192.168.1.0/24 23 (session: printable; logto: ".\telnet\telnet-records.log";)
– Records telnet sessions

Page 87: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Rule matching - Flags

• F – FIN
• S – SYN – synchronize (request connection)
• R – RST
• P – PSH – push data up the stack before waiting for additional data
• A – ACK
• U – URG – urgent
• 2 – Reserved bit (used in fingerprinting)
• alert tcp any any -> 192.168.1.0/24 any (flags: SF; msg: "Possible SYN FIN scan";)
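Added example, not code from the slides: a minimal Python matcher for the rule syntax shown on the rule-matching slides (header fields, "!" negation, port ranges, content with offset/depth, and TCP flags), run over two constructed packets. It assumes "->" rules only and exact flag-set matching, and the protocol "tcp" has been added to the flags rule, which the slide omits; real Snort supports far more.

```python
import ipaddress

# Added example, not code from the slides: a minimal matcher for the Snort-style rules
# on the "Rule Matching" slides. Real Snort does far more; this only shows the mechanics.
def parse_rule(text):
    head, _, body = text.strip().partition("(")          # "header (options)"
    action, proto, src, sport, _, dst, dport = head.split()   # "->" direction assumed
    opts = {}
    for opt in filter(str.strip, body.rstrip(")").split(";")):   # each is "key: value"
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, opts=opts)

def addr_matches(spec, ip):                      # "any", a CIDR, or "!" + CIDR
    if spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")

def port_matches(spec, port):                    # "any", "80" or "1:1024"
    if spec == "any":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport, flags (str) and payload (bytes)."""
    o, start = rule["opts"], int(rule["opts"].get("offset", 0))
    end = start + int(o["depth"]) if "depth" in o else None   # content search window
    return (rule["proto"] == pkt["proto"]
            and addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])
            and ("flags" not in o or set(o["flags"]) == set(pkt["flags"]))   # exact flag set
            and ("content" not in o or o["content"].encode() in pkt["payload"][start:end]))

# Constructed packets: an outside host fetching web.config, and a SYN/FIN probe.
PACKETS = [
    dict(proto="tcp", src="10.0.0.5", sport=40000, dst="192.168.1.19", dport=80, flags="A",
         payload=b"GET /web.config HTTP/1.1\r\n"),
    dict(proto="tcp", src="10.0.0.5", sport=40001, dst="192.168.1.7", dport=22, flags="SF", payload=b""),
]
RULES = [  # the two alert rules from the slides (protocol added to the flags rule)
    'alert tcp !192.168.1.0/24 any -> 192.168.1.19/24 80 (content: "web.config"; msg: "outside request for web.config";)',
    'alert tcp any any -> 192.168.1.0/24 any (flags: SF; msg: "Possible SYN FIN scan";)',
]

def alerts(packets=PACKETS, rules=RULES):        # msg of every rule that fires, in packet order
    parsed = [parse_rule(r) for r in rules]
    return [r["opts"]["msg"] for p in packets for r in parsed if rule_matches(r, p)]
```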

Page 88: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Event Collection – Windows logs

Windows NT – 2003
• Application
• Security
• System
• Special
– Directory Service
– DNS Server
– File Replication Service
– PowerShell

Server 2008 / 2008 R2
• Includes 2003 logs plus:
– Administrative events
– Setup
– Server roles
• Organized by installed roles with custom filters

Page 89: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Event Collection – Mac Logs

• Stored in Library/Logs
• Over 100 logs including:
– System.log
– Mail.log
– Appfirewall.log
• Aug 27 11:10:54 Iceberg Firewall[113]: Stealth Mode connection attempt to UDP 192.168.0.25:49747 from 192.168.0.1:53
• Unexpected UDP connection attempt
– Install.log

Page 90: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Event Collection – Linux Logs

• Logs based on syslog
• Organized by facility such as mail or web
• Syslog-ng – supports TLS encryption for shipped logs
• Rsyslogd – supports IPv6, RELP (Reliable Event Logging Protocol), TLS, timestamping and zone logging

Page 91: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Event Collection – Linux Logs

• /var/log/faillog : This log file contains failed user logins. This can be very important when tracking attempts to crack into the system.

• /var/log/kern.log : This log file is used for messages from the operating system’s kernel. This is not likely to be pertinent to most computer crime investigations.

• /var/log/lpr.log : This is the printer log and can give you a record of any items that have been printed from this machine. It can be useful in corporate espionage cases.

• /var/log/mail.* : This is the mail server log and can be very useful in any computer crime investigation. Emails can be a component in any computer crime, and even in some non-computer crimes such as fraud.

• /var/log/mysql.* : This log records activities related to the MySQL database server and will usually be of less interest to a computer crime investigation.

Page 92: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Event Collection – Linux Logs

• /var/log/apache2/* : If a machine is running the Apache web server, then this log will show related activity. This can be very useful in tracking attempts to hack into the web server.

• /var/log/lighttpd/* : If a machine is running the Lighttpd web server, then this log will show related activity. This can be very useful in tracking attempts to hack into the web server.

• /var/log/apport.log : This records application crashes. Sometimes these can reveal attempts to compromise the system, or the presence of a virus or spyware.

• /var/log/user.log : These contain user activity logs and can be very important to a criminal investigation.

Page 93: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Event Collection – Linux Logs

• There are several shell commands one can enter to view system logs in Linux. For example, to view the printer log any of the following would work, though some won’t be supported by every Linux shell:
– # tail -f /var/log/lpr.log
– # less /var/log/lpr.log
– # more -f /var/log/lpr.log
– # vi /var/log/lpr.log

Page 94: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Chat Room Logs

• Most chat software keeps at least a temporary log of conversations. This is true for MSN Messenger, Yahoo Messenger and many others.

• The exact path for viewing those logs will vary from product to product.

Page 95: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


How Logs Get Cleared

• Clearing the log. Any user with administrative privileges can simply wipe out a log. However, this will be obvious when you see an empty event log.

• Using auditpol.exe. This is an administrative utility that exists in Windows systems. It won’t show on the desktop or in the programs—you have to know it’s there and go find it. But using auditpol \\ipaddress /disable turns off logging. Then when the criminal exits, they can use auditpol \\ipaddress /enable to turn it back on.

• There are a number of utilities on the web that will assist an attacker in this process. For example WinZapper allows one to selectively remove certain items from event logs in Windows.

Page 96: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Event Collection - Tools

• WinRM – Microsoft tool that runs on Server 2008 R2
• Argus
• Softflowd
• Cisco MARS (Monitoring, Analysis and Response System)

Page 97: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Event Collection - Tools

• SNARE (System iNtrusion Analysis and Reporting Environment) – open source
• Splunk (only free for 500MB/day)
• SCOM (System Center Operations Manager)
• DAD (Distributed log Aggregation for Data analysis)

Page 98: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


SIEM

• Security Information and Event Management
– Log aggregation
– Correlation
– Normalization
– Alerting
– Dashboards
– Views
– Compliance reports
– Retention

Page 99: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Automated responses

• Throttle
• Drop
• Shun
• Island

Page 100: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Packet Filtering

• Sensor – monitors traffic flow, extracts flow records and sends to collectors

• Collector – receives flow records and stores them

• Aggregator – central collection point when multiple collectors are used

• Analysis – tool that organizes and makes sense of the collected data

Page 101: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Network Analysis

• Network schematic
• Server roles
• Baselining – normal profile
– Destination IP addresses
– Ports
– Protocols
– Volume of data and directionality

Page 102: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Analysis

• Activity pattern matching
• Packet analysis
– Libpcap and WinPcap
– Wireshark
• Traffic analysis
– Networkminer
• Persistent packet sniffing
– Data available when needed
– High disk and CPU requirement
– Must be highly secure

Page 103: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Wireshark - Interface

• Packet list
• Packet details
• Packet bytes

Page 104: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Wireshark

• Filtering
– Frame contains "search term"
• Flow – sequence of packets comprising a single communication segment
– EX: Connection, Negotiation, File Request, File delivery, checksum, acknowledgment, termination
– Flow record – subset of information from a flow such as source and destination IP, protocol, date or time

Page 105: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Wireshark – Encrypted content

• TLS/SSL
– Obtain server or workstation private key
– Decrypt session keys with private key
– Decrypt message stream with session keys
– Record session key changes and continue decrypting message stream
– Go to Preferences > Protocols > SSL > Edit RSA keys list > New, point to the private key and enter IP address, port, protocol and password

Page 106: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Networkminer

• Traffic analysis tool
• Graphical breakdown of…
– Hosts
– Images
– Files
– Email
– DNS
– Sessions

Page 107: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Wireshark / Networkminer demo

• Capture data
– Send email
• [email protected]
• IknowIT2!
– Visit web site
– Run lansearch and copy files
• End capture
• Export to pcap
• View in Networkminer

Page 108: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Vulnerability scanning

• Vulnerability scanning – scan and fix vulnerabilities found. Identify and protect machines that could be potential bots.
– Nexpose
• Free for up to 32 IPs
– OpenVAS (Vulnerability Assessment System)
• Linux
• VM available (resource intensive)
– Greenbone Desktop Suite (uses OpenVAS)
• Windows XP/Vista/7
– MBSA (Microsoft Baseline Security Analyzer)
– Secunia PSI (local Windows machine scanning only)

Page 109: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Architecting a Solution

– How does it fit in the security strategy?
– Scope
– Scalability
– Regulations and Standards
– Structure
• Distributed
• Centralized
– Platforms
• Black box
• Open Source
• Commercial Application

Page 110: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


IDS/IPS

• Active or Passive
• Host, Network or Both
• Centralized or decentralized

Page 111: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Event Logging

• Placement
– Perimeter
– VLAN or Workgroup
– Wireless
– Choke points – maximize collection capacity within budget and ability to process and analyze
– Minimize duplication
– Sync time
– Normalize
– Secure collector transmission pathways

Page 112: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Event Logging

• Local
• Remote
– Centralized
– Decentralized
– Concerns
• Time stamping
• Network reliability
• Confidentiality and integrity

Page 113: Detecting Intrusions and Malware - Eric Vanderburg - JurInnov


Quick and Fast Rules

• Compromised hosts generally send out more information

• Patterns (sending perspective)
– Many-to-one – DDoS, Syslog, data repository, email server
– One-to-many – web server, email server, SPAM bot, warez, port scanning
– Many-to-many – P2P, virus infection
– One-to-one – normal communication, targeted attack
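Added example, not from the slides: the sending patterns above and the "sends out more" rule computed in Python over constructed flow records of the kind the sensor/collector chain on the Packet Filtering slide stores. The "many" threshold and the flow data are assumptions; a real baseline comes from the network profile.

```python
from collections import defaultdict

# Added example, not from the slides: classify each sending host by the patterns on the
# "Quick and Fast Rules" slide, from flow records of the kind a collector stores.
# The "many" threshold is an assumption; real baselines come from the network profile.
MANY = 3   # assumed: three or more distinct peers counts as "many"

# Constructed flow records: (source IP, destination IP, bytes from source to destination)
FLOWS = [
    ("10.0.0.11", "10.0.0.1", 8000),     # three hosts shipping logs to one syslog server
    ("10.0.0.12", "10.0.0.1", 6000),
    ("10.0.0.13", "10.0.0.1", 7000),
    ("10.0.0.20", "203.0.113.5", 900),   # one host fanning out to many external addresses
    ("10.0.0.20", "203.0.113.6", 900),
    ("10.0.0.20", "203.0.113.7", 900),
    ("10.0.0.30", "10.0.0.31", 1200),    # ordinary one-to-one exchange
    ("10.0.0.31", "10.0.0.30", 300),
]

def peer_sets(flows):
    """Distinct destinations per source and distinct sources per destination."""
    out, inn = defaultdict(set), defaultdict(set)
    for src, dst, _ in flows:
        out[src].add(dst)
        inn[dst].add(src)
    return out, inn

def classify(flows, many=MANY):
    """Pattern name per sending host, judged from the sender's perspective."""
    out, inn = peer_sets(flows)
    result = {}
    for src, dsts in out.items():
        many_dst = len(dsts) >= many                          # fans out to many peers
        many_src = any(len(inn[d]) >= many for d in dsts)     # shares a busy destination
        if many_dst and many_src:
            result[src] = "many-to-many"
        elif many_dst:
            result[src] = "one-to-many"
        elif many_src:
            result[src] = "many-to-one"
        else:
            result[src] = "one-to-one"
    return result

def egress_ratio(flows):
    """Bytes sent divided by bytes received per host; compromised hosts tend to send more."""
    sent, recv = defaultdict(int), defaultdict(int)
    for src, dst, nbytes in flows:
        sent[src] += nbytes
        recv[dst] += nbytes
    return {h: sent[h] / recv[h] if recv[h] else float("inf") for h in set(sent) | set(recv)}
```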