Detecting Intrusions and Malware 
August, 2012 
Eric Vanderburg, MBA, CISSP 
JurInnov, Ltd. 
© 2012 JurInnov Ltd. All Rights Reserved.
Malware 
• Malware 
– Software that enters a computer system without the 
owner’s knowledge or consent 
– Performs unwanted and usually harmful action 
• Malware objectives 
– Rapidly spread its infection 
– Conceal its purpose 
– Make profit for its creators
Malware – Virus 
• Viruses 
– Malicious computer code that 
reproduces on a single 
computer 
– An FBI survey revealed that 
despite protection programs, 
82% of organizations have been 
infected by a virus. 
Malware - Virus 
• Methods of infecting a file 
– Virus appends itself to a file 
– Virus changes the beginning of the file 
• Adds a jump instruction pointing to the virus code 
– Swiss cheese infection 
• Injects portions of code throughout the program’s executable code 
Malware – Virus 
• Virus actions 
– Causing computer to crash repeatedly 
– Displaying an annoying message 
– Erasing files from hard drive 
– Making copies of itself to consume all space on the hard drive 
– Turning off security settings 
– Reformatting the hard drive 
Malware – Virus 
• Virus can only replicate on host 
computer 
– Cannot spread between computers without 
user action 
• Types of viruses 
– Program virus 
• Infects program executable files 
– Macro virus 
• Stored within a user document 
Malware - Worm 
• Worms 
– Malicious program designed to 
take advantage of a 
vulnerability in an application 
or operating system 
– Searches for another computer 
with same vulnerability 
– Sends copies of itself over the 
network 
Malware - Worm 
• Worm actions 
– Consume network resources 
– Allow computer to be controlled remotely 
– Delete files 
Malware - Trojan 
• Trojan horses 
– Install malicious software under the guise of doing something else 
– Executable program containing hidden malware code 
– Program advertised as performing one activity but actually does something else 
Malware - Trojan 
• Trojan may be installed on user’s system with user’s approval 
• Trojans typically do not replicate to same computer or another computer 
Malware – Spyware / Adware / 
Scareware 
• Spyware 
– Dangerous, prolific code that logs a user’s activity and collects personal information, which it then sends to a third party. 
• Adware 
– A relative of spyware. Typically bundled with free software; displays advertisements while the program is running and may also contain spyware. 
• Scareware 
– Software meant to prompt a user to action or incite panic 
Malware – Spyware / Adware / 
Scareware 
• Spyware’s negative effects on an infected 
computer 
– Slow system performance 
– Create system instability 
– Add browser toolbars or menus 
– Add shortcuts 
– Hijack a home page 
– Increase pop-ups 
Malware – Spyware / Adware / 
Scareware 
• Adware 
– Software program that delivers advertising content in an unexpected and unwanted manner 
• Adware actions 
– Display pop-up ads and banners 
– Open Web browsers at random intervals 
– May display objectionable content 
– May interfere with user productivity 
– May track and monitor user actions 
Malware – Spyware / Adware / 
Scareware 
• Scareware 
– Software that displays a fictitious warning 
– Tries to impel user to take action 
– Uses legitimate trademarks or icons 
– Pretends to perform a security scan and find serious problems 
– Offers purchase of full version of software to fix problems 
– Victim provides credit card number to attacker 
• Attacker uses number to make fraudulent purchases 
Malware - Rootkit 
• Rootkit 
– Set of software tools used by an attacker 
– Conceals presence of other malicious software 
– Actions 
• Deleting logs 
• Hooking the operating system (system calls, APIs, drivers) so that the malware’s files, processes and network connections are not reported 
Malware - Keylogger 
• Keylogger 
– Hardware or software that captures keystrokes 
– Information can be retrieved by an attacker 
• Hardware keylogger 
– Small device installed inline between the keyboard cable and the computer’s USB (or PS/2) port 
• Software keylogger 
– Hides itself from detection by the user 
Malware - Bots 
• Bots 
– A type of malware that gives an attacker control over the infected computer (a “zombie”) and lets them use a company’s network to send spam, launch attacks and infect other computers. 
Threat defined – What is done with botnets? 
• DDoS 
• Spam 
• Distribute copyrighted material 
– Torrents 
• Data mining 
• Hacking 
• Spread itself
History 
1999 Pretty Park 
• Used IRC for C&C & updates 
• ICQ & email harvesting 
• DoS 
1999 SubSeven 
• Used IRC for C&C 
• Keylogger 
• Admin shell access 
2000 GTBot 
• Bounce (relay) IRC traffic 
• Port scan 
• DDoS 
• Delivery: email 
2002 SDBot 
• Keylogger 
• Delivery: WebDAV and MSSQL vulnerabilities, DameWare remote mgmt software, password guessing on common MS ports & common backdoors 
2002 AgoBot 
• Modular design 
• DDoS 
• Hides with rootkit tech 
• Turns off antivirus 
• Modifies hosts file 
• Delivery: P2P (Kazaa, Grokster, BearShare, Limewire) 
2003 SpyBot 
• Builds on SDBot 
• Customizable to avoid detection 
• DDoS, keylogger, web form collection, clipboard logging, webcam capture 
• Delivery: SDBot + P2P 
2003 RBot 
• Encrypts itself 
• Admin shell access 
2004 PolyBot 
• Builds on AgoBot 
• Polymorphs through encrypted encapsulation 
2005 MyTob 
• DDoS, keylogger, web form collection, webcam capture 
• Delivery: email spam using MyDoom w/ own SMTP server 
History 
2006 Rustock 
• Spam, DDoS 
• Uses rootkit to hide 
• Encrypts spam in TLS 
• Robust C&C network (over 2500 domains) 
• Delivery: email 
2007 Cutwail 
• Spam, DDoS 
• Harvests email addresses 
• Rootkit 
• Delivery: email 
2007 Storm 
• Spam 
• Dynamic fast flux C&C DNS 
• Malware re-encoded twice/hr 
• Defends itself with DDoS 
• Sold and “licensed” 
• Delivery: email enticement for free music 
2007 Zeus 
• Phishing w/ customizable data collection methods 
• Web based C&C 
• Stealthy and difficult to detect 
• Sold and “licensed” to hackers for data theft 
• Delivery: phishing, social networking 
2008 TDSS 
• Sets up a proxy that is rented to others for anonymous web access 
• Delivery: Trojan embedded in software 
2008 Mariposa (Butterfly) 
• Rented botnet space for spam, DDoS, and theft of personal information 
• Delivery: MSN, P2P, USB 
History 
2009 Koobface 
• Installs pay-per-install 
malware 
• Delivery: Social Networking
Life Cycle 
Stages: Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up 
• Exploit 
– Malicious code 
– Unpatched vulnerabilities 
– Trojan 
– Password guessing 
– Phish 
• Rally - Reporting in 
– Log into designated IRC channel and PM master 
– Make connection to http server 
– Post data to FTP or http form 
Life Cycle 
• Preserve 
– Alter A/V dll’s 
– Modify hosts file to prevent A/V updates 
– Remove default shares (IPC$, ADMIN$, C$) 
– Rootkit 
– Encrypt 
– Polymorph 
– Retrieve anti-A/V module 
– Turn off A/V or firewall services 
– Kill A/V, firewall or debugging processes 
Agobot host control commands (preserve stage): kill well-known A/V processes by name 
<preserve> 
<pctrl.kill "Mcdetect.exe"/> 
<pctrl.kill "avgupsvc.exe"/> 
<pctrl.kill "avgamsvr.exe"/> 
<pctrl.kill "ccapp.exe"/> 
</preserve>
Life Cycle 
• Inventory 
– Determine capabilities such as RAM, HDD, processor, bandwidth, and pre-installed tools 
• Await instructions from C&C server 
• Update 
– Download payload/exploit 
– Update C&C lists 
Life Cycle 
• Execute commands 
– DDoS 
– Spam 
– Harvest emails 
– Keylog 
– Screen capture 
– Webcam stream 
– Steal data 
• Report back to C&C server 
• Clean up - Erase evidence 
Propagation 
• Scan for Windows shares and guess passwords (PRINT$, C$, D$, E$, ADMIN$, IPC$) – enumerate usernames, then guess passwords from a list 
– Remember to use strong passwords 
(Figure: Agobot propagation functions) 
Propagation 
• Use backdoors from common trojans 
• P2P – makes files available with enticing names 
hoping to be downloaded. File names consist of 
celebrity or model names, games, and popular 
applications 
• Social networking – Facebook posts or messages that provide a link (Koobface worm) 
Propagation 
• SPIM (spam over instant messaging) 
– Message contact list 
– Send friend requests to contacts from email lists or harvested IM contacts from the Internet 
• Email 
– Harvests email addresses from ASCII files such as html, php, asp, txt and csv 
– Uses own SMTP engine and guesses the mail server by putting mx, mail, smtp, mx1, mail1, relay or ns in front of the domain name 
Command and Control 
• C&C or C2 
• Networked with redundancy 
• Dynamic DNS with short TTL for C&C IP 
(weakness is the DNS, not the C&C server) 
• Daily rotating encrypted C&C hostnames 
• Alternate control channels (Ex: Researchers in 
2004 redirected C&C to monitoring server)
Detecting bots 
• Monitor port statistics on network equipment and alert when machines utilize more than average 
– Gather with SNMP, NetFlow, or first-stage probes (sniffers) attached to mirrored (SPAN) ports on switches 
• Wireshark 
• Real-time NetFlow analyzer – SolarWinds free NetFlow tool 
• Small Operation Center or MRTG – free SNMP/syslog server with dashboard 
• SNARE – event log monitoring (Linux & Windows agents) 
Who Are the Attackers? 
• Cybercriminals 
• Script kiddies 
• Spies 
• Insiders 
• Cyberterrorists 
• Hacktivists 
• Government agencies 
Cybercriminals / Organized Crime 
• Generic definition 
– People who launch attacks against other users and 
their computers 
• Specific definition 
– Loose network of highly motivated attackers 
– Many belong to organized gangs of attackers 
• Targets 
– Individuals, businesses and governments 
Cybercriminals / Organized Crime 
• Lee Klein compromised the Lexis-Nexis system 
and may have stolen personal data of up to 
13,000 users and sold the data to the Bonanno 
crime family. 
• Groups based in the former Soviet Union have 
been repeatedly implicated in significant 
computer breaches.
Cybercriminals / Organized Crime 
• In 2005, federal agents conducted a sting operation 
in order to arrest members of a group known as 
‘ShadowCrew’. This gang was a group of hackers 
working together to conduct a variety of computer 
crimes including identity theft. 
• This phenomenon is international in scope. Korean authorities have also arrested gangs of online criminals. 
• The most common crime for these groups is identity theft. 
Script Kiddies 
• Attackers who lack knowledge necessary to 
perform attack on their own 
• Use automated attack software 
• Can purchase “exploit kit” for a fee from other 
attackers 
• Over 40 percent of attacks require low or no 
skills
Spies 
• People hired to break into a computer and steal 
information 
• Do not randomly search for unsecured 
computers 
– Hired to attack a specific computer or system 
• Goal 
– Break into computer or system 
– Take information without drawing attention to their 
actions 
• Generally possess excellent computer skills
Spies 
• It is generally believed by security experts that many 
companies have purchased information from freelance 
individuals without asking where that information came 
from. 
• In 2008, the SANS institute ranked cyber espionage as 
the third greatest threat on the internet. 
• In 1993, General Motors (GM) and one of its partners began to investigate a former executive, Inaki Lopez. GM alleged that Lopez and seven other former GM employees had transferred GM proprietary information to Volkswagen (VW) in Germany via GM's own network. 
Spies 
• CIO Magazine examined the issue of government 
based cyber espionage in a 2009 article. Their article 
discusses the possibility that the Chinese 
government was behind a widespread infiltration of 
over 1200 computers owned by over 100 countries, 
with the express purpose of spying on the activities 
of those countries. 
• One week before Christmas 2009, the story broke 
that hackers had stolen secret defense plans of the 
United States and South Korea.
Insiders 
• An organization’s own employees, contractors, 
and business partners 
• One study showed 48 percent of data breaches 
are caused by insiders accessing information 
• Most insider attacks: sabotage or theft of 
intellectual property 
• Most sabotage comes from employees who have 
recently been demoted, reprimanded, or left the 
company
Cyberterrorists 
• Goals of a cyberattack 
– Deface electronic information 
• Spread misinformation and propaganda 
– Deny service to legitimate computer users 
– Cause critical infrastructure outages and corrupt vital 
data 
• Attacks may be ideologically motivated
Cyberterrorists 
• According to the FBI “cyber terrorism is the 
premeditated, politically motivated attack against 
information, computer systems, computer 
programs, and data which result in violence against 
noncombatant targets by sub national groups or 
clandestine agents.” 
• In 2008 and 2009 there have been growing reports 
of attacks on various systems tracing back to South 
Korea or China.
Hacktivists 
• Motivated by ideology 
• Direct attacks at specific Web sites 
• May promote a political agenda 
– Or retaliate for a specific prior event
Governments 
• May instigate attacks against own citizens or 
foreign governments 
• Examples of attacks by government agencies 
– Flame malware targeted computers in the Middle East, above all in Iran 
– Stuxnet targeted the centrifuge controllers at Iran’s Natanz uranium enrichment facility 
– Iranian government reads e-mail messages of 30,000 citizens 
• Attempt to track down dissidents 
Governments 
• Attacks are 
– Premeditated, politically-motivated attacks against 
computer systems 
– Intended to cause panic, provoke violence, or cause 
financial catastrophe 
• Possible targets 
– Banking industry 
– Air traffic control centers 
– Water systems
Governments 
• This can mean attempting to spread disinformation in an 
attempt to mislead the enemy or propaganda in order to 
undermine the enemy’s morale. 
• The first way in which the internet is used in information 
warfare is in the realm of propaganda. Every stakeholder 
in any situation has their own interpretation of events 
and news. 
• Law enforcement agencies have successfully used fake 
websites, fake craigslist ads, and other techniques to help 
capture criminals. It is also possible to utilize the 
internet to feed misinformation to criminals and 
terrorists.
Networking Concepts 
• TCP/IP 
• IP Addressing 
• Packet Fragmentation 
• ICMP 
• Wireless 
• Other Protocols 
– DNS 
– DHCP 
– PPTP, SSTP, L2TP
OSI Reference Model 
Two hosts, each with the full stack; every layer exchanges data with its peer layer on the other host, and only the physical layers share the medium: 
Application 
Presentation 
Session 
Transport 
Network 
Datalink 
Physical (medium) 
Encapsulation 
• Each layer wraps the data handed down from the layer above with its own header (and sometimes a trailer); the receiver strips them off in reverse order, and the enclosed data is opaque to the layers below it. 
Application – Layer 7 
• Where programs access network services 
• FTP, HTTP, Client Software 
• Problems at this layer: 
– Misconfigured settings 
– Incompatible commands
Presentation – Layer 6 
• Formats data 
• Protocol conversion 
• Encryption 
• Compression 
• Character set (ASCII, Unicode, EBCDIC) 
• Problems at this layer: 
– Cannot decrypt 
– Wrong conversion
Redirector 
• Sends requests for services to the appropriate 
network device. 
• RDR can sometimes stand for redirector 
– Rdr.sys 
– Windows redirector registry entries stored in 
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters and 
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr
Session – Layer 5 
• Manages communication 
• Identification 
• Window size 
• Keep alive messages 
• ACK, NAK 
• Name resolution 
– DNS 
– NetBIOS 
• Logon 
• Problems at this level: 
– Incorrect or no name resolution
Transport – Layer 4 
• Segmenting 
• Sequencing 
• Error checking 
• Flow control – as much data as can handle 
• TCP & SPX 
• Problems at this layer: 
– Overly large segments
Network – Layer 3 
• Logical addressing 
• Routing 
• QOS 
• Deals with packets 
• IP & IPX 
• Problems at this layer: 
– Incorrect routing (bad config) 
– Incorrect routing table 
– Incorrect routing protocol 
– Incorrect IP configuration
Datalink – Layer 2 
• Physical Addressing 
• Deals with frames 
• Discards bad frames 
• Convert to bits 
• Problems at this layer: 
– Collisions 
– Bad frames 
– Faulty NIC 
– Incorrect bridging tables
Datalink Sublayers 
• MAC 
– Manages multiple NICs 
– Creates frame and sends to physical 
– Sense carrier 
– Pass tokens 
• LLC 
– Error recovery 
– Integrity checking
Physical – Layer 1 
• Encoding - Convert bits to signals 
– 101001011001 
• Problems at this level: 
– Interference 
– Noise 
– Cable not connected
OSI & TCP/IP 
OSI Model → TCP/IP layer 
Application, Presentation, Session → Application 
Transport → Transport 
Network → Internet 
Datalink, Physical → Network (link) 
IP Addresses 
• Class A - 0nnnnnnn hhhhhhhh hhhhhhhh hhhhhhhh 
– First bit 0; 7 network bits; 24 host bits 
– Initial byte: 0 - 127 
– 126 Class As exist (0 and 127 are reserved) 
– 16,777,214 hosts 
• Class B - 10nnnnnn nnnnnnnn hhhhhhhh hhhhhhhh 
– First two bits 10; 14 network bits; 16 host bits 
– Initial byte: 128 - 191 
– 16,384 Class Bs exist 
– 65,534 hosts 
• Class C - 110nnnnn nnnnnnnn nnnnnnnn hhhhhhhh 
– First three bits 110; 21 network bits; 8 host bits 
– Initial byte: 192 - 223 
– 2,097,152 Class Cs exist 
– 254 hosts
Packet Fragmentation 
• A datagram larger than the MTU of a link is split into fragments by IP 
• Encapsulation adds headers at every layer, so a payload that fits at one layer may exceed the MTU once wrapped; tunnels and VPNs add fragmentation the same way 
• Reassembled at the destination from the IP identification field and fragment offset (TCP sequence numbers order segments, not fragments) 
ICMP – To Ping or not to Ping 
• Internet Control Message Protocol 
– Checks host alive status 
– Susceptible to attacks 
• Smurf – echo requests sent to a broadcast address with the victim’s address spoofed as the source, so every host on the segment replies to the victim 
• PoD (Ping of Death) – fragments that reassemble to an ICMP packet larger than 65,535 bytes – overflows the reassembly buffer on vulnerable stacks 
– Can be used to footprint (ping sweeps identify live hosts) 
Wireless - Overview 
• How does it work? 
• What are the risks? 
• What security controls are available?
Wireless – How it works 
• Spread Spectrum Technologies 
– Uses multiple frequencies 
• Less interference 
• Redundancy 
– Frequency ranges: 902–928 MHz, 2.4 GHz 
– Frequency hopping (FHSS) 
• Carrier changes at regular intervals 
• Lower bandwidth; harder to intercept or jam 
– Direct-sequence spread spectrum (DSSS) 
• Spreads each bit across a wide band of frequencies 
• Low power density (just above the noise floor) 
Wireless – How it works 
• 802.11a 
– 54Mbps 
– 5GHz 
• 802.11b 
– 11Mbps 
– 2.4GHz 
• 802.11g 
– 54Mbps 
– 2.4GHz 
– WPA Support 
• 802.11n 
– 300Mbps typical (up to 600Mbps with four spatial streams) 
– 2.4GHz and/or 5GHz 
Wireless – How it works 
• BSA (Basic Service Area) 
– Coverage area of the access point 
– Depends on: 
• Power of the transmitter 
• Environment 
• BSS (Basic Service Set) 
– Stations belonging to an AP 
Attacks Through Wireless Networks 
• Popular types of wireless networks 
– Wi-Fi 
– Bluetooth 
• Wi-Fi networks 
– Wireless local area network (WLAN) 
– Use radio frequency (RF) transmissions 
– Devices in range of a connection device can send and 
receive information 
• Estimate: 1.4 billion wireless devices shipped in 
2014
Attacks Through Wireless Networks 
• Wi-Fi equipment 
– Mobile device needs a wireless client interface card 
adapter (wireless adapter) 
– Special software to translate between device and 
adapter 
– Wireless broadband router or access point 
• Base station for sending and receiving signals 
• Gateway to the Internet
Attacks Through Wireless Networks 
• Attacks on home Wi-Fi networks relatively easy 
– Signal not confined within home walls 
– Many users do not understand how to configure 
router security 
– Some users consider security an inconvenience 
• Types of attacks 
– Stealing data 
– Reading wireless transmissions 
– Injecting malware 
– Downloading harmful content
Attacks Through Wireless Networks 
• Free or fee-based wireless network rarely 
protected 
• Evil twin 
– Attacker’s wireless device 
– Mimics an authorized Wi-Fi device 
– Attacker can use to send malware directly to victim’s 
computer
Wireless – Detecting networks 
• Netstumbler 
• inSSIDer 
• Commercial enterprise tools
Bluetooth 
• Bluetooth 
– Common wireless technology 
– Short-range 
• Up to 33 feet; 1Mbps transmission rate 
– See Figure 5-5 
• Bluetooth attacks 
– Bluejacking 
• Sending unsolicited messages to a nearby device 
– Bluesnarfing 
• Accessing data on the device without authorization 
Other Protocols 
• DNS 
• DHCP 
• PPTP, SSTP, L2TP
Firewalls 
• Packet filters – allow or deny based on… 
– Source or destination IP address 
– Source or destination port 
– Blocked IP lists, blacklists and whitelists 
• Session-layer proxies – stateful allow or deny 
decisions 
– Middle-man between source and destination 
– Decrypted content inspection 
• Application proxies – examine one or more layer 
7 traffic types such as email, SQL or HTTP.
Firewall features 
• NAT 
• DHCP 
• VPN tunneling 
• Load balancing 
• Failover 
• Stateful packet inspection 
• Performance monitoring 
• Centralized management 
• SNMP 
• Application proxy
Common interfaces 
• Console – serial (DB9) or USB 
• Secure Shell (SSH) 
• Secure Copy (SCP) and SSH FTP (SFTP) 
• Telnet (cleartext; prefer SSH) 
• Simple Network Management Protocol (SNMP) (v1/v2c community strings travel in cleartext; use v3 where possible) 
• Trivial File Transfer Protocol (TFTP) (no authentication or encryption) 
• Web interfaces 
Auditing 
• Policy 
• Logs
Intrusion Detection and Prevention Systems 
• IDS – audit only 
• IPS – audit and respond 
• Tuning rules down and adding exceptions to silence false positives also creates blind spots; review them periodically 
• Types 
– Port mirrored 
– Inline 
– Integrated
IPS functionality 
• Detection 
– Signature 
– Behavior 
– Malformed data/protocols 
• Analysis 
– Protocol reassembly 
– Normalization 
• Rules
IPS functionality 
• Alerts 
– Email 
– Syslog 
– SNMP 
– Database 
• Tracing 
– Summary information 
– Packet captures
IPS Limitations 
• Verify scope – sensors may be configured 
differently
IPS Brands 
• CheckPoint IPS-1 
• Cisco IPS 
• Corero Network Security 
• Enterasys IPS 
• HP TippingPoint IPS 
• IBM Security Network IPS 
• Sourcefire 3D System 
• Custom built (Snort or Bro)
Snort 
• Open Source IDS 
• Extensible 
• Most widely used
Snort Architecture 
Capture packets on bound interface(s) → Reassemble and analyze protocol → Anomaly detection (protocol, frame, packet) → Passed to rule engine → Determine actions 
• Drop and log (pcap) 
• Drop, no log 
• Accept 
• Accept and log (pcap) 
• Notify
Rule Matching 
Rule header: action, protocol, source address and port, direction, destination address and port; options follow in parentheses 
Directionality: -> (source to destination) or <> (either direction); Snort has no <- operator 
Protocol 
Source IP, network or port 
• log tcp !192.168.1.0/24 any -> 192.168.1.0/24 any 
• Logs TCP traffic from any host outside 192.168.1.0/24 (! negates the address) to any host inside it 
Destination IP, network or port 
• log udp any any -> 192.168.1.0/24 1:1024 
• Logs UDP traffic from any source port to destination ports 1 through 1024 on 192.168.1.0/24 
Content 
• alert tcp !192.168.1.0/24 any -> 192.168.1.19 80 (content: "web.config"; msg: "outside request for web.config";) 
• Alerts on requests for web.config arriving on port 80 of 192.168.1.19 from outside the network
Rule matching – additional options 
Minfrag – minimum size for packet fragments (a legacy option; tiny fragments are a classic IDS evasion) 
Dsize – packet payload size 
• dsize: 100<>1000; (payload between 100 and 1000 bytes; dsize: >100; and dsize: <1000; are also valid) 
Depth – how many bytes of the payload to search, counted from the offset 
Offset – skip this many bytes before searching 
Example 
• alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF attack";) 
• Looks for "cgi-bin/phf" only within payload bytes 3 through 24 of requests to web servers on 192.168.1.0/24
Rule matching – additional options 
• TTL – match on specific TTL 
• ID – match on a specific IP identification field value – some known hacking tools use specific IDs 
• Logto – create separate output file 
• Session – records what is typed in telnet, rlogin, ftp, etc. 
– log tcp any any <> 192.168.1.0/24 23 (session: printable; logto: ".\telnet\telnet-records.log";) 
– Records the printable characters of telnet sessions in both directions (<>) to a separate file
Rule matching - Flags 
• F - FIN 
• S – SYN – synchronize (request connection) 
• R - RST 
• P – PSH – push data up stack before waiting for 
additional data 
• A - ACK 
• U – URG - urgent 
• 2 - Reserved bit (used in fingerprinting) 
• alert tcp any any -> 192.168.1.0/24 any (flags: SF; msg: "Possible SYN FIN scan";) 
• SYN and FIN never appear together in a legitimate handshake, so this rule is cheap and has few false positives
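The rules on these slides can be exercised without a Snort install. The following is an added example, not code from the slides or from the Snort project: a small Python matcher for the subset of the rule language used above (action, protocol, negated CIDR addresses, port ranges, -> and <> direction, and the content/offset/depth, dsize and flags options). The rules are the slides' own; the packets are constructed for illustration, with 203.0.113.0/24 standing in for the outside world.

```python
import ipaddress
import re

# Constructed sample rules (the slides' own examples); only the subset of Snort's
# rule language that they use is implemented below.
SAMPLE_RULES = [
    'log tcp !192.168.1.0/24 any -> 192.168.1.0/24 any',
    'log udp any any -> 192.168.1.0/24 1:1024',
    'alert tcp !192.168.1.0/24 any -> 192.168.1.19 80 '
    '(content: "web.config"; msg: "outside request for web.config";)',
    'alert tcp any any -> 192.168.1.0/24 80 '
    '(content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF attack";)',
    'alert tcp any any -> 192.168.1.0/24 any (flags: SF; msg: "Possible SYN FIN scan";)',
]

_HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$')

def parse_rule(text):  # header fields plus a dict of option keyword -> value
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError('unparseable rule: %r' % text)
    rule = m.groupdict()
    opts = {}
    for item in (rule.pop('opts') or '').split(';'):
        if item.strip():
            key, _, val = item.partition(':')
            opts[key.strip().lower()] = val.strip().strip('"')
    rule['opts'] = opts
    return rule

def _addr_ok(spec, ip):  # 'any', a host or CIDR block, optionally negated with '!'
    if spec == 'any':
        return True
    net = ipaddress.ip_network(spec.lstrip('!'), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith('!')

def _port_ok(spec, port):  # 'any', a single port or lo:hi range, optionally negated
    if spec == 'any':
        return True
    body = spec.lstrip('!')
    if ':' in body:
        lo, hi = body.split(':')
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(body)
    return hit != spec.startswith('!')

def _header_ok(rule, pkt):  # protocol, addresses and ports; <> also accepts the reverse
    if rule['proto'] != pkt['proto']:
        return False
    fwd = (_addr_ok(rule['src'], pkt['src']) and _port_ok(rule['sport'], pkt['sport'])
           and _addr_ok(rule['dst'], pkt['dst']) and _port_ok(rule['dport'], pkt['dport']))
    rev = (_addr_ok(rule['src'], pkt['dst']) and _port_ok(rule['sport'], pkt['dport'])
           and _addr_ok(rule['dst'], pkt['src']) and _port_ok(rule['dport'], pkt['sport']))
    return fwd or (rule['dir'] == '<>' and rev)

def _dsize_ok(spec, size):  # dsize:>n, dsize:<n, dsize:n or dsize:lo<>hi (inclusive)
    if '<>' in spec:
        lo, hi = spec.split('<>')
        return int(lo) <= size <= int(hi)
    if spec[0] in '<>':
        return size > int(spec[1:]) if spec[0] == '>' else size < int(spec[1:])
    return size == int(spec)

def _content_ok(opts, payload):  # offset = where to start, depth = bytes searched from there
    start = int(opts.get('offset', 0))
    end = start + int(opts['depth']) if 'depth' in opts else len(payload)
    return opts['content'].encode() in payload[start:end]

def match_packet(rules, pkt):
    """Return (action, msg) for every parsed rule the packet satisfies, in rule order."""
    hits = []
    for rule in rules:
        o = rule['opts']
        ok = (_header_ok(rule, pkt)
              and ('dsize' not in o or _dsize_ok(o['dsize'], len(pkt['payload'])))
              # a bare flags:SF in Snort means exactly SYN+FIN set and nothing else
              and ('flags' not in o or set(o['flags']) == set(pkt['flags']))
              and ('content' not in o or _content_ok(o, pkt['payload'])))
        if ok:
            hits.append((rule['action'], o.get('msg', '')))
    return hits

def _pkt(proto, src, sport, dst, dport, flags, payload):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, flags=flags, payload=payload)

SAMPLE_PACKETS = {  # constructed, not captured; 203.0.113.0/24 stands in for "outside"
    'outside_webconfig': _pkt('tcp', '203.0.113.7', 51000, '192.168.1.19', 80, 'PA', b'GET /web.config HTTP/1.1\r\n'),
    'synfin_scan': _pkt('tcp', '203.0.113.9', 40000, '192.168.1.7', 22, 'SF', b''),
    'inside_dns': _pkt('udp', '192.168.1.4', 5353, '192.168.1.1', 53, '', b'\x12\x34'),
    'inside_phf': _pkt('tcp', '192.168.1.50', 33000, '192.168.1.19', 80, 'PA', b'GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n'),
}

def run_samples():  # every sample packet against every sample rule
    rules = [parse_rule(r) for r in SAMPLE_RULES]
    return {name: match_packet(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}
```

Two things the matcher makes concrete: a bare flags:SF matches only when exactly SYN and FIN are set, and depth is counted from offset, so the CGI-PHF rule inspects payload bytes 3 through 24 and nothing else. Real Snort runs its preprocessors (stream reassembly, HTTP normalization) before the rule engine; this toy matches raw payload bytes and is meant only to show what the headers and options select.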
Event Collection – Windows logs 
Windows NT – 2003 
• Application 
• Security 
• System 
• Special 
– Directory Service 
– DNS Server 
– File Replication Service 
– Powershell 
Server 2008 /2008 R2 
• Includes 2003 logs plus: 
– Administrative events 
– Setup 
– Server roles 
• Organized by installed roles 
with custom filters
Event Collection – Mac Logs 
• Stored under /Library/Logs and ~/Library/Logs (application and user logs) and /var/log (system logs) 
• Over 100 logs including: 
– system.log 
– mail.log 
– appfirewall.log 
• Aug 27 11:10:54 Iceberg Firewall[113]: Stealth Mode connection attempt to UDP 192.168.0.25:49747 from 192.168.0.1:53 
• Unexpected UDP connection attempt: source port 53 on the gateway and a high destination port suggest a late DNS reply to a socket the client had already closed; correlate with DNS activity before treating it as hostile 
– install.log 
Event Collection – Linux Logs 
• Logs based on syslog 
• Organized by facility such as mail or web 
• Syslog-ng – supports TLS encryption for shipped 
logs 
• Rsyslogd – Supports IPv6, RELP (Reliable Event 
Logging Protocol), TLS, timestamping and zone 
logging
Event Collection – Linux Logs 
• /var/log/faillog : This log file contains failed user logins. This can be 
very important when tracking attempts to crack into the system. 
• /var/log/kern.log : This log file is used for messages from the 
operating system’s kernel. This is not likely to be pertinent to most 
computer crime investigations. 
• /var/log/lpr.log : This is the printer log and can give you a record of 
any items that have been printed from this machine. It can be useful 
in corporate espionage cases. 
• /var/log/mail.* : This is the mail server log and can be very useful in 
any computer crime investigation. Emails can be a component in 
any computer crime, and even in some non-computer crimes such as 
fraud. 
• /var/log/mysql.* : This log records activities related to the MySQL 
database server and will usually be of less interest to a computer 
crime investigation.
Event Collection – Linux Logs 
• /var/log/apache2/* : If a machine is running the Apache web server, then this log will show related activity. This can be very useful in tracking attempts to hack into the web server. 
• /var/log/lighttpd/* : If a machine is running the Lighttpd web server, then this log will show related activity. This can be very useful in tracking attempts to hack into the web server. 
• /var/log/apport.log : This records application crashes. Sometimes these can reveal attempts to compromise the system, or the presence of a virus or spyware. 
• /var/log/user.log : These contain user activity logs and can be very important to a criminal investigation.
Event Collection – Linux Logs 
• There are several shell commands one can enter to view system logs in Linux. For example, to view the printer log any of the following would work, though not every utility is installed on every distribution: 
• # tail -f /var/log/lpr.log 
• # less /var/log/lpr.log 
• # more -f /var/log/lpr.log 
• # vi /var/log/lpr.log
Chat Room Logs 
• Most chat software keeps at least a temporary 
log of conversations. This is true for MSN 
Messenger, Yahoo Messenger and many others. 
• The exact path for viewing those logs will vary 
from product to product.
How Logs Get Cleared 
• Clearing the log. Any user with administrative privileges can 
simply wipe out a log. However, this will be obvious when you 
see an empty event log. 
• Using auditpol.exe. This is an administrative utility that exists in 
Windows systems. It won’t show on the desktop or in the 
programs—you have to know it’s there and go find it. But using 
auditpol ipaddress /disable turns off logging. Then when 
the criminal exits, they can use auditpol ipaddress /enable 
to turn it back on. 
• There are a number of utilities on the web that will assist an 
attacker in this process. For example WinZapper allows one to 
selectively remove certain items from event logs in Windows.
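Each of the three techniques on this slide leaves a trace that a reviewer can look for. The following added example (not part of the original presentation) runs over simplified Windows event records and reports explicit log-cleared events, silent periods bracketed by an audit-policy change, and holes in the record-number sequence; the event IDs 1102, 104 and 4719 are the real Windows IDs, while the records themselves are constructed.

```python
"""Spot the three log-tampering patterns the slide describes.

Added example, not from the original presentation: it runs over a list of
simplified Windows event records (record number, time, event ID, log
channel), as you might export from Event Viewer or collect over WinRM,
and reports (1) explicit "log cleared" events, (2) long silent periods
edged by an audit-policy change, which is what switching auditing off and
back on leaves behind, and (3) holes in the record-number sequence, which
selective deletion can leave.  Event IDs 1102, 104 and 4719 are the real
Windows IDs; the records are constructed.
"""
from datetime import datetime, timedelta
from typing import NamedTuple


class Event(NamedTuple):
    record_id: int
    time: datetime
    event_id: int
    channel: str


# Security 1102 "The audit log was cleared"; System 104 "The System log file was cleared".
LOG_CLEARED = {("Security", 1102), ("System", 104)}
# Security 4719 "System audit policy was changed" (written when audit settings change).
AUDIT_POLICY_CHANGED = ("Security", 4719)


def at(hhmm):
    """Timestamp helper on a fixed (constructed) day."""
    return datetime(2012, 8, 14, int(hhmm[:2]), int(hhmm[3:]))


# Constructed records: normal logons, then auditing switched off for the
# best part of three hours and back on, three records missing, then a clear.
SAMPLE = [
    Event(1001, at("09:00"), 4624, "Security"),  # logon
    Event(1002, at("09:02"), 4672, "Security"),  # special privileges assigned
    Event(1003, at("09:03"), 4719, "Security"),  # audit policy changed
    Event(1004, at("11:58"), 4719, "Security"),  # audit policy changed again
    Event(1005, at("12:00"), 4624, "Security"),
    Event(1009, at("12:01"), 4634, "Security"),  # records 1006-1008 absent
    Event(1010, at("12:05"), 1102, "Security"),  # audit log cleared
]


def cleared_log_events(events):
    """The direct evidence: someone cleared the log."""
    return [e for e in events if (e.channel, e.event_id) in LOG_CLEARED]


def silent_windows(events, max_gap=timedelta(minutes=30)):
    """(start, end, policy_change_at_edge) for every pause between
    consecutive events longer than max_gap.  A pause edged by a 4719 is
    the signature of auditing being turned off and on; choose max_gap
    from the host's normal event rate."""
    ordered = sorted(events, key=lambda e: e.time)
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.time - prev.time > max_gap:
            edged = ((prev.channel, prev.event_id) == AUDIT_POLICY_CHANGED
                     or (cur.channel, cur.event_id) == AUDIT_POLICY_CHANGED)
            findings.append((prev.time, cur.time, edged))
    return findings


def record_id_gaps(events):
    """(channel, last_seen, next_seen) wherever record numbers jump by
    more than one.  Each log channel numbers its own records, so the
    check is per channel; in an exported slice a gap can also be ordinary
    overwrite of old records, so treat it as a lead, not proof."""
    by_channel = {}
    for e in sorted(events, key=lambda e: (e.channel, e.record_id)):
        by_channel.setdefault(e.channel, []).append(e.record_id)
    return [(ch, a, b) for ch, ids in by_channel.items()
            for a, b in zip(ids, ids[1:]) if b - a > 1]


if __name__ == "__main__":
    for e in cleared_log_events(SAMPLE):
        print(f"{e.time:%H:%M} {e.channel} log cleared (event {e.event_id}, record {e.record_id})")
    for start, end, edged in silent_windows(SAMPLE):
        note = " - edged by an audit policy change" if edged else ""
        print(f"no events between {start:%H:%M} and {end:%H:%M}{note}")
    for ch, a, b in record_id_gaps(SAMPLE):
        print(f"{ch}: records {a + 1}-{b - 1} missing")
```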
Event Collection - Tools 
• WinRM – Microsoft tool that runs on Server 2008 R2 
• Argus 
• Softflowd 
• Cisco MARS (Monitoring, Analysis and Response System)
Event Collection - Tools 
• SNARE (System iNtrusion Analysis and Reporting Environment) – open source 
• Splunk (only free for 500MB/day) 
• SCOM (System Center Operations Manager) 
• DAD (Distributed log Aggregation for Data analysis)
SIEM 
• Security Information and Event Management 
– Log aggregation 
– Correlation 
– Normalization 
– Alerting 
– Dashboards 
– Views 
– Compliance reports 
– Retention
Automated responses 
• Throttle 
• Drop 
• Shun 
• Island
Packet Filtering 
• Sensor – monitors traffic flow, extracts flow records and sends to collectors 
• Collector – receives flow records and stores them 
• Aggregator – central collection point when multiple collectors are used 
• Analysis – tool that organizes and makes sense of the collected data
Network Analysis 
• Network schematic 
• Server roles 
• Baselining – normal profile 
– Destination IP addresses 
– Ports 
– Protocols 
– Volume of data and directionality
Analysis 
• Activity pattern matching 
• Packet analysis 
– Libpcap and WinPcap 
– Wireshark 
• Traffic analysis 
– Networkminer 
• Persistent packet sniffing 
– Data available when needed 
– High disk and CPU requirement 
– Must be highly secure
Wireshark - Interface 
Screenshot of the Wireshark window with its three panes: Packet list, Packet details, Packet bytes 
Wireshark 
• Filtering 
– frame contains "search term" 
• Flow – sequence of packets comprising a single communication segment. 
– EX: Connection, Negotiation, File Request, File delivery, checksum, acknowledgment, termination 
– Flow record – subset of information from a flow such as source and destination IP, protocol, date or time
Wireshark – Encrypted content 
• TLS/SSL 
– Obtain server or workstation private key 
– Decrypt session keys with private key 
– Decrypt message stream with session keys 
– Record session key changes and continue decrypting message stream 
– Go to Preferences → Protocols → SSL → Edit RSA keys list → New → point to private key and enter IP address, port, protocol and password
Networkminer 
• Traffic analysis tool 
• Graphical breakdown of… 
– Hosts 
– Images 
– Files 
– Email 
– DNS 
– Sessions
Wireshark / Networkminer demo 
• Capture data 
– Send email 
• Msmith-jur2012@hotmail.com 
• IknowIT2! 
– Visit web site 
– Run lansearch and copy files 
• End capture 
• Export to pcap 
• View in Networkminer
Vulnerability scanning 
• Vulnerability scanning – scan and fix vulnerabilities found. Identify and protect machines that could be potential bots. 
– Nexpose 
• Free for up to 32 IPs 
– OpenVAS (Open Vulnerability Assessment System) 
• Linux 
• VM available (resource intensive) 
– Greenbone Desktop Suite (uses OpenVAS) 
• Windows XP/Vista/7 
– MBSA (Microsoft Baseline Security Analyzer) 
– Secunia PSI (local Windows machine scanning only)
Architecting a Solution 
– How does it fit in the security strategy? 
– Scope 
– Scalability 
– Regulations and Standards 
– Structure 
• Distributed 
• Centralized 
– Platforms 
• Black box 
• Open Source 
• Commercial Application
IDS/IPS 
• Active or Passive 
• Host, Network or Both 
• Centralized or decentralized
Event Logging 
• Placement 
– Perimeter 
– VLAN or Workgroup 
– Wireless 
– Choke points – maximize collection capacity within budget and ability to process and analyze 
– Minimize duplication 
– Sync time 
– Normalize 
– Secure collector transmission pathways
Event Logging 
• Local 
• Remote 
– Centralized 
– Decentralized 
– Concerns 
• Time stamping 
• Network reliability 
• Confidentiality and integrity
Quick and Fast Rules 
• Compromised hosts generally send out more information 
• Patterns (sending perspective) 
– Many-to-one – DDoS, Syslog, data repository, email server 
– One-to-many – web server, email server, SPAM bot, warez, port scanning 
– Many-to-many – P2P, virus infection 
– One-to-one – normal communication, targeted attack
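The following added example (not part of the original slides) turns the four sending patterns above, together with the baseline items from the Network Analysis slide (server roles, ports, volume and directionality), into a check over flow records of the kind a sensor exports to a collector: it computes each host's fan-out and fan-in, names the pattern, and flags non-server hosts that are one-to-many and send far more than they receive. The flow records, server roles and thresholds are constructed for the example.

```python
"""Classify sending patterns in flow records and flag the odd sender.

Added example, not part of the original slides: it takes flow records of
the kind a sensor exports to a collector (source, destination,
destination port, protocol, bytes in each direction), computes each
host's fan-out (distinct destinations) and fan-in (distinct sources),
maps the pair onto the one-to-one / one-to-many / many-to-one /
many-to-many patterns from the slide, and flags non-server hosts that
send far more than they receive.  Flow records, server roles and
thresholds are constructed for the example.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int  # src -> dst
    bytes_in: int   # dst -> src


# Constructed sample: a browsing workstation, three clients using the
# internal mail server, and one workstation talking SMTP to four outside hosts.
FLOWS = [
    Flow("10.0.0.21", "203.0.113.5", 80, "tcp", 4_000, 120_000),
    Flow("10.0.0.21", "203.0.113.9", 443, "tcp", 6_000, 300_000),
    Flow("10.0.0.22", "10.0.0.5", 25, "tcp", 18_000, 2_000),
    Flow("10.0.0.23", "10.0.0.5", 25, "tcp", 22_000, 2_000),
    Flow("10.0.0.24", "10.0.0.5", 25, "tcp", 20_000, 2_000),
    Flow("10.0.0.40", "198.51.100.1", 25, "tcp", 900_000, 9_000),
    Flow("10.0.0.40", "198.51.100.2", 25, "tcp", 850_000, 8_000),
    Flow("10.0.0.40", "198.51.100.3", 25, "tcp", 910_000, 9_500),
    Flow("10.0.0.40", "198.51.100.4", 25, "tcp", 870_000, 9_000),
]

# From the network schematic: hosts expected to show server-like patterns.
SERVER_ROLES = {"10.0.0.5": "mail server"}

FAN_THRESHOLD = 3  # distinct peers before a side counts as "many" (constructed)


def peer_counts(flows):
    """Distinct destinations per source and distinct sources per destination."""
    out_peers, in_peers = defaultdict(set), defaultdict(set)
    for f in flows:
        out_peers[f.src].add(f.dst)
        in_peers[f.dst].add(f.src)
    return out_peers, in_peers


def classify_host(host, out_peers, in_peers, threshold=FAN_THRESHOLD):
    """Map a host's fan-out/fan-in onto the slide's four sending patterns."""
    many_out = len(out_peers.get(host, ())) >= threshold
    many_in = len(in_peers.get(host, ())) >= threshold
    if many_out and many_in:
        return "many-to-many"   # P2P, spreading infection
    if many_out:
        return "one-to-many"    # web/mail server, spam bot, port scan
    if many_in:
        return "many-to-one"    # DDoS target, syslog, repository, mail server
    return "one-to-one"         # normal traffic, or a targeted attack


def outbound_ratio(flows):
    """Bytes a host sent divided by bytes it received, counting both the
    flows it opened and the flows opened to it (None if it received nothing)."""
    sent, recv = defaultdict(int), defaultdict(int)
    for f in flows:
        sent[f.src] += f.bytes_out
        recv[f.src] += f.bytes_in
        sent[f.dst] += f.bytes_in
        recv[f.dst] += f.bytes_out
    return {h: (sent[h] / recv[h] if recv[h] else None) for h in sent}


def suspicious_senders(flows, server_roles, baseline_ratio=1.0):
    """(host, pattern, ratio) for hosts with no server role whose pattern
    is one-to-many and who send more than `baseline_ratio` times what they
    receive: the 'compromised hosts send out more' rule combined with the
    pattern, so that a chatty but one-to-one client is not flagged."""
    out_peers, in_peers = peer_counts(flows)
    ratios = outbound_ratio(flows)
    findings = []
    for host in sorted(out_peers):
        if host in server_roles:
            continue
        pattern = classify_host(host, out_peers, in_peers)
        ratio = ratios[host]
        if pattern == "one-to-many" and (ratio is None or ratio > baseline_ratio):
            findings.append((host, pattern, ratio))
    return findings


if __name__ == "__main__":
    for host, pattern, ratio in suspicious_senders(FLOWS, SERVER_ROLES):
        shown = "only sends" if ratio is None else f"sends {ratio:.0f}x what it receives"
        print(f"{host}: {pattern}, {shown} - investigate")
```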

Más contenido relacionado

La actualidad más candente

BAIT1003 Chapter 11
BAIT1003 Chapter 11BAIT1003 Chapter 11
BAIT1003 Chapter 11
limsh
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
Aditya K Sood
 

La actualidad más candente (20)

File000149
File000149File000149
File000149
 
Ce hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devicesCe hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devices
 
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoorsCeh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoors
 
BAIT1003 Chapter 11
BAIT1003 Chapter 11BAIT1003 Chapter 11
BAIT1003 Chapter 11
 
Ce hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warezCe hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warez
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 
Ce hv6 module 55 preventing data loss
Ce hv6 module 55 preventing data lossCe hv6 module 55 preventing data loss
Ce hv6 module 55 preventing data loss
 
Ceh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hackingCeh v5 module 01 introduction to ethical hacking
Ceh v5 module 01 introduction to ethical hacking
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Ceh v5 module 14 sql injection
Ceh v5 module 14 sql injectionCeh v5 module 14 sql injection
Ceh v5 module 14 sql injection
 
File000143
File000143File000143
File000143
 
File000138
File000138File000138
File000138
 
Ceh v5 module 17 physical security
Ceh v5 module 17 physical securityCeh v5 module 17 physical security
Ceh v5 module 17 physical security
 
Network troubleshooting
Network troubleshootingNetwork troubleshooting
Network troubleshooting
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
 
File000139
File000139File000139
File000139
 
News Bytes - May 2015
News Bytes - May 2015News Bytes - May 2015
News Bytes - May 2015
 
CNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer AttacksCNIT 123: Ch 3: Network and Computer Attacks
CNIT 123: Ch 3: Network and Computer Attacks
 
Ce hv6 module 66 security convergence
Ce hv6 module 66 security convergenceCe hv6 module 66 security convergence
Ce hv6 module 66 security convergence
 

Similar a Detecting Intrusions and Malware - Eric Vanderburg - JurInnov

I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
Harsimran Walia
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Lastline, Inc.
 
Cyber security:Tools used in cyber crime
Cyber security:Tools used in cyber crimeCyber security:Tools used in cyber crime
Cyber security:Tools used in cyber crime
nidhidgowda185
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
Andrew Morris
 

Similar a Detecting Intrusions and Malware - Eric Vanderburg - JurInnov (20)

The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
 
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
Information about malwares and Attacks.pptx
Information about malwares and Attacks.pptxInformation about malwares and Attacks.pptx
Information about malwares and Attacks.pptx
 
Advanced Threats In The Enterprise
Advanced Threats In The EnterpriseAdvanced Threats In The Enterprise
Advanced Threats In The Enterprise
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablow
 
Chapter 2 Presentation
Chapter 2 PresentationChapter 2 Presentation
Chapter 2 Presentation
 
Malicious
MaliciousMalicious
Malicious
 
Malware program by mohsin ali dahar khairpur
Malware program by mohsin ali dahar khairpurMalware program by mohsin ali dahar khairpur
Malware program by mohsin ali dahar khairpur
 
lecture-11-30052022-103626am.pptx
lecture-11-30052022-103626am.pptxlecture-11-30052022-103626am.pptx
lecture-11-30052022-103626am.pptx
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
Fundamentals of Computing Chapter 9
Fundamentals of Computing Chapter 9Fundamentals of Computing Chapter 9
Fundamentals of Computing Chapter 9
 
Ransomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your DataRansomware- What you need to know to Safeguard your Data
Ransomware- What you need to know to Safeguard your Data
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
Virus and its CounterMeasures -- Pruthvi Monarch
Virus and its CounterMeasures                         -- Pruthvi Monarch Virus and its CounterMeasures                         -- Pruthvi Monarch
Virus and its CounterMeasures -- Pruthvi Monarch
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomware
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
Malware ppt final.pptx
Malware ppt final.pptxMalware ppt final.pptx
Malware ppt final.pptx
 
Cyber security:Tools used in cyber crime
Cyber security:Tools used in cyber crimeCyber security:Tools used in cyber crime
Cyber security:Tools used in cyber crime
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 

Más de Eric Vanderburg

Correct the most common web development security mistakes - Eric Vanderburg
Correct the most common web development security mistakes - Eric VanderburgCorrect the most common web development security mistakes - Eric Vanderburg
Correct the most common web development security mistakes - Eric Vanderburg
Eric Vanderburg
 

Más de Eric Vanderburg (20)

GDPR, Data Privacy and Cybersecurity - MIT Symposium
GDPR, Data Privacy and Cybersecurity - MIT SymposiumGDPR, Data Privacy and Cybersecurity - MIT Symposium
GDPR, Data Privacy and Cybersecurity - MIT Symposium
 
Modern Security the way Equifax Should Have
Modern Security the way Equifax Should HaveModern Security the way Equifax Should Have
Modern Security the way Equifax Should Have
 
Cybercrime and Cyber Threats - CBLA - Eric Vanderburg
Cybercrime and Cyber Threats - CBLA - Eric VanderburgCybercrime and Cyber Threats - CBLA - Eric Vanderburg
Cybercrime and Cyber Threats - CBLA - Eric Vanderburg
 
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
 
Mobile Forensics and Cybersecurity
Mobile Forensics and CybersecurityMobile Forensics and Cybersecurity
Mobile Forensics and Cybersecurity
 
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
 
Ransomware: 2016's Greatest Malware Threat
Ransomware: 2016's Greatest Malware ThreatRansomware: 2016's Greatest Malware Threat
Ransomware: 2016's Greatest Malware Threat
 
Emerging Technologies: Japan’s Position
Emerging Technologies: Japan’s PositionEmerging Technologies: Japan’s Position
Emerging Technologies: Japan’s Position
 
Principles of technology management
Principles of technology managementPrinciples of technology management
Principles of technology management
 
Japanese railway technology
Japanese railway technologyJapanese railway technology
Japanese railway technology
 
Evaluating japanese technological competitiveness
Evaluating japanese technological competitivenessEvaluating japanese technological competitiveness
Evaluating japanese technological competitiveness
 
Japanese current and future technology management challenges
Japanese current and future technology management challengesJapanese current and future technology management challenges
Japanese current and future technology management challenges
 
Technology management in Japan: Robotics
Technology management in Japan: RoboticsTechnology management in Japan: Robotics
Technology management in Japan: Robotics
 
Incident response table top exercises
Incident response table top exercisesIncident response table top exercises
Incident response table top exercises
 
The Prescription for Protection - Avoid Treatment Errors To The Malware Problem
The Prescription for Protection - Avoid Treatment Errors To The Malware ProblemThe Prescription for Protection - Avoid Treatment Errors To The Malware Problem
The Prescription for Protection - Avoid Treatment Errors To The Malware Problem
 
Cloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance ChallengesCloud Storage and Security: Solving Compliance Challenges
Cloud Storage and Security: Solving Compliance Challenges
 
Hacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and ThreatsHacktivism: Motivations, Tactics and Threats
Hacktivism: Motivations, Tactics and Threats
 
Correct the most common web development security mistakes - Eric Vanderburg
Correct the most common web development security mistakes - Eric VanderburgCorrect the most common web development security mistakes - Eric Vanderburg
Correct the most common web development security mistakes - Eric Vanderburg
 
Deconstructing website attacks - Eric Vanderburg
Deconstructing website attacks - Eric VanderburgDeconstructing website attacks - Eric Vanderburg
Deconstructing website attacks - Eric Vanderburg
 
Countering malware threats - Eric Vanderburg
Countering malware threats - Eric VanderburgCountering malware threats - Eric Vanderburg
Countering malware threats - Eric Vanderburg
 

Último

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Último (20)

ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 

Detecting Intrusions and Malware - Eric Vanderburg - JurInnov

  • 1. Detecting Intrusions and Malware August, 2012 Eric Vanderburg, MBA, CISSP JurInnov, Ltd. © 2012 JurInnov Ltd. All Rights Reserved.
  • 2. © 2012 JurInnov Ltd. All Rights Reserved. 1 Malware • Malware – Software that enters a computer system without the owner’s knowledge or consent – Performs unwanted and usually harmful action • Malware objectives – Rapidly spread its infection – Conceal its purpose – Make profit for its creators
  • 3. © 2012 JurInnov Ltd. All Rights Reserved. 2 Malware – Virus • Viruses – Malicious computer code that reproduces on a single computer – An FBI survey revealed that despite protection programs, 82% of organizations have been infected by a virus. Virus Worm Bot Trojan
  • 4. © 2012 JurInnov Ltd. All Rights Reserved. 3 Malware - Virus • Methods of spreading virus – Virus appends itself to a file – Virus changes the beginning of the file • Adds jump instruction pointing to the virus – Swiss cheese infection Virus Bot • Injects portions of code throughout program’s executable code Worm Trojan
  • 5. © 2012 JurInnov Ltd. All Rights Reserved. 4 Malware – Virus • Virus actions Virus Bot – Causing computer to crash repeatedly – Displaying an annoying message – Erasing files from hard drive – Making copies of itself to consume all space on the hard drive – Turning off security settings – Reformatting the hard drive Worm Trojan
  • 6. © 2012 JurInnov Ltd. All Rights Reserved. 5 Malware – Virus • Virus can only replicate on host computer – Cannot spread between computers without user action • Types of viruses – Program virus • Infects program executable files – Macro virus • Stored within a user document Virus Worm Bot Trojan
  • 7. © 2012 JurInnov Ltd. All Rights Reserved. 6 Malware - Worm • Worms – Malicious program designed to take advantage of a vulnerability in an application or operating system – Searches for another computer with same vulnerability – Sends copies of itself over the network Virus Worm Bot Trojan
  • 8. © 2012 JurInnov Ltd. All Rights Reserved. 7 Malware - Worm • Worm actions – Consume network resources – Allow computer to be controlled remotely – Delete files Virus Worm Bot Trojan
  • 9. © 2012 JurInnov Ltd. All Rights Reserved. 8 Malware - Trojan • Trojan horses – install malicious software under the guise of doing something else – Executable program containing hidden malware code – Program advertised as performing one activity but actually does something else Virus Worm Bot Trojan
  • 10. © 2012 JurInnov Ltd. All Rights Reserved. 9 Malware - Trojan Virus Bot • Trojan may be installed on user’s system with user’s approval • Trojans typically do not replicate to same computer or another computer Worm Trojan
  • 11. © 2012 JurInnov Ltd. All Rights Reserved. 10 Malware – Spyware / Adware / Scareware • Spyware – A dangerous, prolific code that logs a users activity and collects personnel information, which it then sends to a third party. • Adware – A relative of spyware. Typically found with free software, they display advertisements when the program is running. They may also contain spyware. • Scareware – Software that is meant to prompt a user to action or incite panic Virus Worm Bot Trojan
  • 12. © 2012 JurInnov Ltd. All Rights Reserved. 11 Malware – Spyware / Adware / Scareware • Spyware’s negative effects on an infected computer – Slow system performance – Create system instability – Add browser toolbars or menus – Add shortcuts – Hijack a home page – Increase pop-ups Virus Worm Bot Trojan
  • 13. © 2012 JurInnov Ltd. All Rights Reserved. 12 Malware – Spyware / Adware / Scareware • Adware Bot – Software program that delivers advertising content: • In an unexpected and unwanted manner • Adware actions – Display pop-up ads and banners – Open Web browsers at random intervals – May display objectionable content – May interfere with user productivity – May track and monitor user actions Virus Worm Trojan
  • 14. © 2012 JurInnov Ltd. All Rights Reserved. 13 Malware – Spyware / Adware / Scareware • Scareware Virus Bot – Software that displays a fictitious warning – Tries to impel user to take action – Uses legitimate trademarks or icons – Pretends to perform a security scan and find serious problems – Offers purchase of full version of software to fix problems – Victim provides credit card number to attacker • Attacker uses number to make fraudulent purchases Worm Trojan
  • 15. © 2012 JurInnov Ltd. All Rights Reserved. 14 Malware - Rootkit • Rootkit Virus Bot – Set of software tools used by an attacker – Conceals presence of other malicious software – Actions • Deleting logs • Changing operating system to ignore malicious activity Worm Trojan
  • 16. © 2012 JurInnov Ltd. All Rights Reserved. 15 Malware - Keylogger • Keylogger Bot – Hardware or software that captures keystrokes – Information can be retrieved by an attacker • Hardware keylogger – Installed between computer keyboard and USB port • Software keylogger – Hides itself from detection by the user Virus Worm Trojan
  • 17. © 2012 JurInnov Ltd. All Rights Reserved. 16 Malware - Bots • Bots – A type of malware that allows an attacker to gain control over the infected computer (also called “zombie computers”) and allow them to use a company’s network to send spam, launch attacks and infect other computers. Virus Worm Bot Trojan
  • 18. Threat defined – What is done with botnets? © 2012 JurInnov Ltd. All Rights Reserved. 17 • DDoS • Spam • Distribute copyrighted material – Torrents • Data mining • Hacking • Spread itself
  • 19. 2002 AgoBot • Modular design • DDoS • Hides with rootkit tech • Turns off antivirus • Modifies host file • Delivery: P2P (Kazaa, Grokster, © 2012 JurInnov Ltd. All Rights Reserved. 18 History 18 1999 Pretty Park • Used IRC for C&C & updates • ICQ & email harvesting • DoS 1999 SubSeven • Used IRC for C&C • Keylogger • Admin shell access 2000 GTBot • Bounce (relay) IRC traffic • Port scan • DDoS • Delivery: email 2002 SDBot • Keylogger • Delivery: WebDav and MSSQL vulnerabilities, DameWare remote mgmt software, password guessing on common MS ports & common backdoors BearShare, Limewire) 2003 SpyBot • Builds on SDBot • Customizable to avoid detection • DDoS, Keylogger, web form collection, clipboard logging, webcam capture • Delivery: SDBot + P2P 2003 RBot • Encrypts itself • Admin shell access 2004 PolyBot • Builds on AgoBot • Polymorphs through encrypted encapsulation 2005 MyTob • DDoS, Keylogger, web form collection, webcam capture • Delivery: email spam using MyDoom w/ own SMTP server 1999 2000 2002 2003 2004 2005 2006
  • 20. 2006 2007 2008 © 2012 JurInnov Ltd. All Rights Reserved. 19 History 2007 Cutwail • Spam, DDoS • Harvests email addresses • Rootkit • Delivery: Email 2006 Rustock • Spam, DDoS • Uses rootkit to hide • Encrypts spam in TLS • Robust C&C network (over 2500 domains) • Delivery: email 2008 TDSS • Sets up a proxy that is rented to other for anonymous web access • Delivery: Trojan embedded in software 2007 Storm • Spam • Dynamic fast flux C&C DNS • Malware re-encoded twice/hr • Defends itself with DDoS • Sold and “licensed” • Delivery: Email enticement for free music 2007 Zeus • Phishing w/ customizable data collection methods • Web based C&C • Stealthy and difficult to detect • Sold and “licensed” to hackers for data theft • Delivery: Phishing, Social Networking 2008 Mariposa (Butterfly) • Rented botnet space for spam, DDoS, and theft of personal information • Delivery: MSN, P2P, USB
  • 21. 2006 2007 2008 2009 © 2012 JurInnov Ltd. All Rights Reserved. 20 History 2009 Koobface • Installs pay-per-install malware • Delivery: Social Networking
  • 22. Exploit Rally Preserve Inventory Await instructions Update Execute Report © 2012 JurInnov Ltd. All Rights Reserved. 21 Life Cycle • Exploit – Malicious code – Unpatched vulnerabilities – Trojan – Password guessing – Phish • Rally - Reporting in – Log into designated IRC channel and PM master – Make connection to http server – Post data to FTP or http form Clean up
  • 23. Exploit Rally Preserve Inventory Await instructions Update Execute Report Agobot host control commands © 2012 JurInnov Ltd. All Rights Reserved. 22 Life Cycle • Preserve – Alter A/V dll’s – Modify Hosts file to prevent A/V updates – Remove default shares (IPC$, ADMIN$, C$) – Rootkit – Encrypt – Polymorph – Retrieve Anti-A/V module – Turn off A/V or firewall services – Kill A/V, firewall or debugging processes Clean up <preserve> <pctrl.kill “Mcdetect.exe”/> < pctrl.kill “avgupsvc.exe”/> < pctrl.kill “avgamsvr.exe”/> < pctrl.kill “ccapp.exe”/> </preserve>
  • 24. Exploit Rally Preserve Inventory Await instructions © 2012 JurInnov Ltd. All Rights Reserved. 23 Life Cycle • Inventory – determine capabilities such as RAM, HDD, Processor, Bandwidth, and pre-installed tools • Await instructions from C&C server • Update – Download payload/exploit – Update C&C lists Update Execute Report Clean up
  • 25. Exploit Rally Preserve Inventory Await instructions © 2012 JurInnov Ltd. All Rights Reserved. 24 Life Cycle • Execute commands – DDoS – Spam – Harvest emails – Keylog – Screen capture – Webcam stream – Steal data • Report back to C&C server • Clean up - Erase evidence Update Execute Report Clean up
• 26. 25 Propagation • Scan for Windows shares and guess passwords (PRINT$, C$, D$, E$, ADMIN$, IPC$) – find usernames, guess passwords from a list – Remember to use strong passwords (figure: Agobot propagation functions)
  • 27. © 2012 JurInnov Ltd. All Rights Reserved. 26 Propagation • Use backdoors from common trojans • P2P – makes files available with enticing names hoping to be downloaded. File names consist of celebrity or model names, games, and popular applications • Social networking – Facebook posts or messages that provides a link (Koobface worm)
• 28. 27 Propagation • SPIM – Message the contact list – Send friend requests to contacts from email lists or IM contacts harvested from the Internet • Email – Harvests email addresses from ASCII files such as html, php, asp, txt and csv – Uses its own SMTP engine and guesses the mail server by putting mx, mail, smtp, mx1, mail1, relay or ns in front of the domain name.
  • 29. © 2012 JurInnov Ltd. All Rights Reserved. 28 Command and Control • C&C or C2 • Networked with redundancy • Dynamic DNS with short TTL for C&C IP (weakness is the DNS, not the C&C server) • Daily rotating encrypted C&C hostnames • Alternate control channels (Ex: Researchers in 2004 redirected C&C to monitoring server)
• 30. 29 Detecting bots • Monitor port statistics on network equipment and alert when a machine's traffic rises well above its own baseline (a plain "more than average" threshold flags half the network) – Gather with SNMP, NetFlow, or first-stage probes (sniffers) attached to mirrored ports on switches. • Wireshark • Real-time NetFlow analyzer – SolarWinds free NetFlow tool • Small Operation Center or MRTG – free SNMP/syslog server with dashboard • SNARE – event log monitoring (Linux & Windows agents)
  • 31. © 2012 JurInnov Ltd. All Rights Reserved. 30 Who Are the Attackers? • Cybercriminals • Script kiddies • Spies • Insiders • Cyberterrorists • Hacktivists • Government agencies Skills required
  • 32. © 2012 JurInnov Ltd. All Rights Reserved. 31 Cybercriminals / Organized Crime • Generic definition – People who launch attacks against other users and their computers • Specific definition – Loose network of highly motivated attackers – Many belong to organized gangs of attackers • Targets – Individuals and businesses – Businesses and governments
  • 33. © 2012 JurInnov Ltd. All Rights Reserved. 32 Cybercriminals / Organized Crime • Lee Klein compromised the Lexis-Nexis system and may have stolen personal data of up to 13,000 users and sold the data to the Bonanno crime family. • Groups based in the former Soviet Union have been repeatedly implicated in significant computer breaches.
  • 34. © 2012 JurInnov Ltd. All Rights Reserved. 33 Cybercriminals / Organized Crime • In 2005, federal agents conducted a sting operation in order to arrest members of a group known as ‘ShadowCrew’. This gang was a group of hackers working together to conduct a variety of computer crimes including identity theft. • This phenomenon is international in scope. Korean authorities have also arrested gangs of online criminals • The most common crime for these groups is identity theft.
  • 35. © 2012 JurInnov Ltd. All Rights Reserved. 34 Script Kiddies • Attackers who lack knowledge necessary to perform attack on their own • Use automated attack software • Can purchase “exploit kit” for a fee from other attackers • Over 40 percent of attacks require low or no skills
  • 36. © 2012 JurInnov Ltd. All Rights Reserved. 35 Spies • People hired to break into a computer and steal information • Do not randomly search for unsecured computers – Hired to attack a specific computer or system • Goal – Break into computer or system – Take information without drawing attention to their actions • Generally possess excellent computer skills
• 37. 36 Spies • It is generally believed by security experts that many companies have purchased information from freelance individuals without asking where that information came from. • In 2008, the SANS Institute ranked cyber espionage as the third greatest threat on the Internet. • In 1993, General Motors (GM) and one of its partners began to investigate a former executive, Inaki Lopez. GM alleged that Lopez and seven other former GM employees had transferred GM proprietary information to Volkswagen (VW) in Germany via GM's own network.
  • 38. © 2012 JurInnov Ltd. All Rights Reserved. 37 Spies • CIO Magazine examined the issue of government based cyber espionage in a 2009 article. Their article discusses the possibility that the Chinese government was behind a widespread infiltration of over 1200 computers owned by over 100 countries, with the express purpose of spying on the activities of those countries. • One week before Christmas 2009, the story broke that hackers had stolen secret defense plans of the United States and South Korea.
  • 39. © 2012 JurInnov Ltd. All Rights Reserved. 38 Insiders • An organization’s own employees, contractors, and business partners • One study showed 48 percent of data breaches are caused by insiders accessing information • Most insider attacks: sabotage or theft of intellectual property • Most sabotage comes from employees who have recently been demoted, reprimanded, or left the company
  • 40. © 2012 JurInnov Ltd. All Rights Reserved. 39 Cyberterrorists • Goals of a cyberattack – Deface electronic information • Spread misinformation and propaganda – Deny service to legitimate computer users – Cause critical infrastructure outages and corrupt vital data • Attacks may be ideologically motivated
  • 41. © 2012 JurInnov Ltd. All Rights Reserved. 40 Cyberterrorists • According to the FBI “cyber terrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by sub national groups or clandestine agents.” • In 2008 and 2009 there have been growing reports of attacks on various systems tracing back to South Korea or China.
  • 42. © 2012 JurInnov Ltd. All Rights Reserved. 41 Hacktivists • Motivated by ideology • Direct attacks at specific Web sites • May promote a political agenda – Or retaliate for a specific prior event
• 43. 42 Governments • May instigate attacks against own citizens or foreign governments • Examples of attacks by government agencies – Malware Flame targeted at computers in the Middle East, primarily Iran – Malware Stuxnet targeted the centrifuge controllers of Iran's uranium enrichment facility at Natanz – Iranian government reads e-mail messages of 30,000 citizens • Attempt to track down dissidents
  • 44. © 2012 JurInnov Ltd. All Rights Reserved. 43 Governments • Attacks are – Premeditated, politically-motivated attacks against computer systems – Intended to cause panic, provoke violence, or cause financial catastrophe • Possible targets – Banking industry – Air traffic control centers – Water systems
  • 45. © 2012 JurInnov Ltd. All Rights Reserved. 44 Governments • This can mean attempting to spread disinformation in an attempt to mislead the enemy or propaganda in order to undermine the enemy’s morale. • The first way in which the internet is used in information warfare is in the realm of propaganda. Every stakeholder in any situation has their own interpretation of events and news. • Law enforcement agencies have successfully used fake websites, fake craigslist ads, and other techniques to help capture criminals. It is also possible to utilize the internet to feed misinformation to criminals and terrorists.
  • 46. © 2012 JurInnov Ltd. All Rights Reserved. 45 Networking Concepts • TCP/IP • IP Addressing • Packet Fragmentation • ICMP • Wireless • Other Protocols – DNS – DHCP – PPTP, SSTP, L2TP
• 47. OSI Reference Model • Seven layers on each host: Application, Presentation, Session, Transport, Network, Datalink, Physical • Each layer communicates with its peer layer on the other host; only the Physical layers are joined by the physical medium
  • 48. © 2012 JurInnov Ltd. All Rights Reserved. 47 Encapsulation • Enclosing some data within another thing so that the included data is not apparent.
  • 49. © 2012 JurInnov Ltd. All Rights Reserved. 48 Application – Layer 7 • Where programs access network services • FTP, HTTP, Client Software • Problems at this layer: – Misconfigured settings – Incompatible commands
  • 50. © 2012 JurInnov Ltd. All Rights Reserved. 49 Presentation – Layer 6 • Formats data • Protocol conversion • Encryption • Compression • Character set (ASCII, Unicode, EBCDIC) • Problems at this layer: – Cannot decrypt – Wrong conversion
• 51. 50 Redirector • Sends requests for services to the appropriate network device. • RDR can sometimes stand for redirector – Rdr.sys – Windows redirector registry entries stored in • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters and • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr
  • 52. © 2012 JurInnov Ltd. All Rights Reserved. 51 Session – Layer 5 • Manages communication • Identification • Window size • Keep alive messages • ACK, NAK • Name resolution – DNS – NetBIOS • Logon • Problems at this level: – Incorrect or no name resolution
  • 53. © 2012 JurInnov Ltd. All Rights Reserved. 52 Transport – Layer 4 • Segmenting • Sequencing • Error checking • Flow control – as much data as can handle • TCP & SPX • Problems at this layer: – Overly large segments
  • 54. © 2012 JurInnov Ltd. All Rights Reserved. 53 Network – Layer 3 • Logical addressing • Routing • QOS • Deals with packets • IP & IPX • Problems at this layer: – Incorrect routing (bad config) – Incorrect routing table – Incorrect routing protocol – Incorrect IP configuration
  • 55. © 2012 JurInnov Ltd. All Rights Reserved. 54 Datalink – Layer 2 • Physical Addressing • Deals with frames • Discards bad frames • Convert to bits • Problems at this layer: – Collisions – Bad frames – Faulty NIC – Incorrect bridging tables
  • 56. © 2012 JurInnov Ltd. All Rights Reserved. 55 Datalink Sublayers • MAC – Manages multiple NICs – Creates frame and sends to physical – Sense carrier – Pass tokens • LLC – Error recovery – Integrity checking
  • 57. © 2012 JurInnov Ltd. All Rights Reserved. 56 Physical – Layer 1 • Encoding - Convert bits to signals – 101001011001 • Problems at this level: – Interference – Noise – Cable not connected
• 58. OSI & TCP/IP • OSI Application, Presentation and Session map to the TCP/IP Application layer • OSI Transport maps to TCP/IP Transport • OSI Network maps to TCP/IP Internet • OSI Datalink and Physical map to the TCP/IP Network (link) layer
• 59. 58 IP Addresses • Class A – 0nnnnnnn hhhhhhhh hhhhhhhh hhhhhhhh – First bit 0; 7 network bits; 24 host bits – Initial byte: 0 - 127 – 126 Class As exist (0 and 127 are reserved) – 16,777,214 hosts • Class B – 10nnnnnn nnnnnnnn hhhhhhhh hhhhhhhh – First two bits 10; 14 network bits; 16 host bits – Initial byte: 128 - 191 – 16,384 Class Bs exist – 65,534 hosts • Class C – 110nnnnn nnnnnnnn nnnnnnnn hhhhhhhh – First three bits 110; 21 network bits; 8 host bits – Initial byte: 192 - 223 – 2,097,152 Class Cs exist – 254 hosts
• 60. 59 Packet Fragmentation • Data is split into many packets • Encapsulation, de-encapsulation and padding add overhead and cause additional fragmentation when the MTU is exceeded • Fragments are reassembled using the IP identification and fragment offset fields; TCP segments are then ordered by sequence number
  • 61. © 2012 JurInnov Ltd. All Rights Reserved. 60 ICMP – To Ping or not to Ping • Internet Control Message Protocol – Checks host alive status – Susceptible to attacks • Smurf- broadcast pings with spoofed address • PoD (Ping of Death) – ICMP packet larger than 65,535 bytes – causes buffer overflow upon reassembly – Can be used to footprint
  • 62. © 2012 JurInnov Ltd. All Rights Reserved. 61 Wireless - Overview • How does it work? • What are the risks? • What security controls are available?
  • 63. © 2012 JurInnov Ltd. All Rights Reserved. 62 Wireless – How it works • Spread Spectrum Technologies – Uses multiple frequencies • Less interference • Redundancy – Frequency Range: 902-928MHz,2.4GHz – Frequency Hopping • Changes at regular intervals • Lower bandwidth, more secure – Direct-sequence Modulation • Send different data chunks along multiple frequencies • Low frequencies (just above noise)
• 64. 63 Wireless – How it works • 802.11a – 54Mbps – 5GHz • 802.11b – 11Mbps – 2.4GHz • 802.11g – 54Mbps – 2.4GHz – WPA support • 802.11n – up to 300Mbps – 2.4GHz or 5GHz
  • 65. © 2012 JurInnov Ltd. All Rights Reserved. 64 Wireless – How it works • BSA (Basic Service Area) – Influence of the WAPs – Depends on: • Power of the transmitter • Environment • BSS (Basic Service Set) – Stations belonging to an AP
• 66. 65 Attacks Through Wireless Networks • Popular types of wireless networks – Wi-Fi – Bluetooth • Wi-Fi networks – Wireless local area network (WLAN) – Use radio frequency (RF) transmissions – Devices in range of a connection device can send and receive information • Estimate: 1.4 billion wireless devices shipped in 2014
  • 67. © 2012 JurInnov Ltd. All Rights Reserved. 66 Attacks Through Wireless Networks • Wi-Fi equipment – Mobile device needs a wireless client interface card adapter (wireless adapter) – Special software to translate between device and adapter – Wireless broadband router or access point • Base station for sending and receiving signals • Gateway to the Internet
  • 68. © 2012 JurInnov Ltd. All Rights Reserved. 67 Attacks Through Wireless Networks • Attacks on home Wi-Fi networks relatively easy – Signal not confined within home walls – Many users do not understand how to configure router security – Some users consider security an inconvenience • Types of attacks – Stealing data – Reading wireless transmissions – Injecting malware – Downloading harmful content
  • 69. © 2012 JurInnov Ltd. All Rights Reserved. 68 Attacks Through Wireless Networks • Free or fee-based wireless network rarely protected • Evil twin – Attacker’s wireless device – Mimics an authorized Wi-Fi device – Attacker can use to send malware directly to victim’s computer
  • 70. © 2012 JurInnov Ltd. All Rights Reserved. 69 Wireless – Detecting networks • Netstumbler • inSSIDer • Commercial enterprise tools
• 71. 70 Bluetooth • Bluetooth – Common wireless technology – Short-range • Up to 33 feet; 1Mbps transmission rate • Bluetooth attacks – Bluejacking • Sending unsolicited messages – Bluesnarfing • Accessing unauthorized information
  • 72. © 2012 JurInnov Ltd. All Rights Reserved. 71 Other Protocols • DNS • DHCP • PPTP, SSTP, L2TP
  • 73. © 2012 JurInnov Ltd. All Rights Reserved. 72 Firewalls • Packet filters – allow or deny based on… – Source or destination IP address – Source or destination port – Blocked IP lists, blacklists and whitelists • Session-layer proxies – stateful allow or deny decisions – Middle-man between source and destination – Decrypted content inspection • Application proxies – examine one or more layer 7 traffic types such as email, SQL or HTTP.
  • 74. © 2012 JurInnov Ltd. All Rights Reserved. 73 Firewall features • NAT • DHCP • VPN tunneling • Load balancing • Failover • Stateful packet inspection • Performance monitoring • Centralized management • SNMP • Application proxy
  • 75. © 2012 JurInnov Ltd. All Rights Reserved. 74 Common interfaces • Console – serial (DB9) or USB • Secure Shell (SSH) • Secure Copy (SCP) and SSH FTP (SFTP) • Telnet • Simple Network Management Protocol (SNMP) • Trivial File Transfer Protocol (TFTP) • Web interfaces
  • 76. © 2012 JurInnov Ltd. All Rights Reserved. 75 Auditing • Policy • Logs
  • 77. Intrusion Detection and Prevention Systems © 2012 JurInnov Ltd. All Rights Reserved. 76 • IDS – audit only • IPS – audit and respond • Problem with tuning down and exceptions • Types – Port mirrored – Inline – Integrated
  • 78. © 2012 JurInnov Ltd. All Rights Reserved. 77 IPS functionality • Detection – Signature – Behavior – Malformed data/protocols • Analysis – Protocol reassembly – Normalization • Rules
  • 79. © 2012 JurInnov Ltd. All Rights Reserved. 78 IPS functionality • Alerts – Email – Syslog – SNMP – Database • Tracing – Summary information – Packet captures
  • 80. © 2012 JurInnov Ltd. All Rights Reserved. 79 IPS Limitations • Verify scope – sensors may be configured differently
• 81. 80 IPS Brands • Check Point IPS-1 • Cisco IPS • Corero Network Security • Enterasys IPS • HP TippingPoint IPS • IBM Security NIPS • Sourcefire 3D System • Custom built (Snort or Bro)
  • 82. © 2012 JurInnov Ltd. All Rights Reserved. 81 Snort • Open Source IDS • Extensible • Most widely used
• 83. 82 Snort Architecture • Capture packets on bound interface(s) • Reassemble and analyze protocol • Anomaly detection – protocol – frame – packet • Passed to rule engine • Determine actions – Drop and log (pcap) – Drop, no log – Accept – Accept and log (pcap) – Notify
• 84. 83 Rule Matching • Rule header: action, protocol, source IP/network and port, direction (-> or <>), destination IP/network and port, then options in parentheses • Source IP, network or port – log tcp !192.168.1.0/24 any -> 192.168.1.0/24 any – Logs TCP traffic entering 192.168.1.0/24 from any address outside that network (! negates the match) • Destination IP, network or port – log udp any any -> 192.168.1.0/24 1:1024 – Logs UDP traffic from any port to destination ports 1 through 1024 • Content – alert tcp !192.168.1.0/24 any -> 192.168.1.19 80 (content:"web.config"; msg:"outside request for web.config";) – Alerts on outside requests for web.config reaching the web server at 192.168.1.19
• 85. 84 Rule matching – additional options • minfrag – min size for packet fragments • dsize – packet payload size, e.g. dsize:>100; or dsize:100<>1000; (payload between 100 and 1000 bytes) • depth – how many bytes to search from the starting point • offset – start searching after this many bytes • Example – alert tcp any any -> 192.168.1.0/24 80 (content:"cgi-bin/phf"; offset:3; depth:22; msg:"CGI-PHF attack";)
  • 86. © 2012 JurInnov Ltd. All Rights Reserved. 85 Rule matching – additional options • TTL – match on specific TTL • ID – match on specific fragment ID – some known hacking tools use specific IDs • Logto – create separate output file • Session – records what is typed in telnet, rlogin, ftp, etc. – log tcp any any <> 192.168.1.0/24 23 (session: printable; logto: “.telnettelnet-records.log”;) – Records telnet sessions
• 87. 86 Rule matching – Flags • F – FIN • S – SYN – synchronize (request connection) • R – RST • P – PSH – push data up the stack before waiting for additional data • A – ACK • U – URG – urgent • 2 – Reserved bit (used in fingerprinting) • alert tcp any any -> 192.168.1.0/24 any (flags:SF; msg:"Possible SYN FIN scan";) – SYN and FIN set together is never legitimate, so it indicates a scanner
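To make the header and option semantics on the last four slides concrete, here is a small rule evaluator written for this page. It is illustrative code, not Snort's engine: it parses rule headers (any, CIDR, ! negation, lo:hi port ranges, -> and <>) and the content/offset/depth, dsize, flags and msg options, then runs the slides' own rules (with the missing ports and protocol filled in) over a handful of constructed packets. The flags check is simplified to an exact match; Snort's +, * and ! modifiers are not implemented.

```python
"""Added example: minimal evaluator for Snort-style rules (not Snort's code)."""
import ipaddress
import re

# action proto src_ip src_port (->|<>) dst_ip dst_port [(options)]
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?\s*$"
)


def parse_rule(text):
    """Split a rule into header fields and an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, sip, sport, direction, dip, dport, opts = m.groups()
    options = {}
    for item in (opts or "").split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            options[key.strip()] = value.strip().strip('"')
    return {"action": action, "proto": proto, "src": (sip, sport),
            "dir": direction, "dst": (dip, dport), "opts": options}


def _ip_matches(spec, ip):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _port_matches(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:                      # 'lo:hi', ':hi' or 'lo:'
        lo, hi = spec.split(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def _dsize_ok(spec, size):
    """Snort dsize syntax: N, >N, <N or lo<>hi (exclusive range)."""
    if "<>" in spec:
        lo, hi = spec.split("<>")
        return int(lo) < size < int(hi)
    if spec.startswith(">"):
        return size > int(spec[1:])
    if spec.startswith("<"):
        return size < int(spec[1:])
    return size == int(spec)


def _endpoints_match(rule, pkt):
    def one_way(src, dst):
        return (_ip_matches(src[0], pkt["src"]) and _port_matches(src[1], pkt["sport"])
                and _ip_matches(dst[0], pkt["dst"]) and _port_matches(dst[1], pkt["dport"]))
    if one_way(rule["src"], rule["dst"]):
        return True
    return rule["dir"] == "<>" and one_way(rule["dst"], rule["src"])


def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not _endpoints_match(rule, pkt):
        return False
    opts, payload = rule["opts"], pkt.get("payload", b"")
    if "dsize" in opts and not _dsize_ok(opts["dsize"], len(payload)):
        return False
    if "flags" in opts and set(opts["flags"]) != set(pkt.get("flags", "")):
        return False                     # simplified: exact flag set only
    if "content" in opts:
        start = int(opts.get("offset", 0))
        end = start + int(opts["depth"]) if "depth" in opts else len(payload)
        if payload.find(opts["content"].encode(), start, end) < 0:
            return False
    return True


def evaluate(rules, pkt):
    """Return (action, msg) for every rule the packet matches, in rule order."""
    return [(r["action"], r["opts"].get("msg", "")) for r in rules if rule_matches(r, pkt)]


# The rules from the slides above.
RULES = [
    'log tcp !192.168.1.0/24 any -> 192.168.1.0/24 any',
    'log udp any any -> 192.168.1.0/24 1:1024',
    'alert tcp any any -> 192.168.1.0/24 80 (content:"cgi-bin/phf"; offset:3; depth:22; msg:"CGI-PHF attack";)',
    'alert tcp any any -> 192.168.1.0/24 any (flags:SF; msg:"Possible SYN FIN scan";)',
]

# Constructed packets for the demo, not captured traffic.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.19", "dport": 80,
     "flags": "PA", "payload": b"GET /cgi-bin/phf HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.168.1.19", "dport": 445,
     "flags": "SF", "payload": b""},
    {"proto": "udp", "src": "192.168.1.2", "sport": 5353, "dst": "192.168.1.19", "dport": 53,
     "payload": b"\x00\x01"},
    {"proto": "tcp", "src": "192.168.1.7", "sport": 1234, "dst": "192.168.1.19", "dport": 80,
     "flags": "PA", "payload": b"x" * 28 + b"cgi-bin/phf"},   # content lies past offset+depth
]


def run_demo():
    rules = [parse_rule(r) for r in RULES]
    return [evaluate(rules, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, hits in zip(SAMPLE_PACKETS, run_demo()):
        print(pkt["src"], "->", pkt["dst"], pkt["dport"], hits)
```

The fourth packet is the instructive one: the string cgi-bin/phf is present, but it starts at byte 28, outside the 22-byte window that begins at offset 3, so the content rule correctly stays silent. That is exactly the behaviour offset and depth buy you in a real sensor: less CPU per packet, at the price of missing a pattern that an attacker shifts past the window.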
  • 88. © 2012 JurInnov Ltd. All Rights Reserved. 87 Event Collection – Windows logs Windows NT – 2003 • Application • Security • System • Special – Directory Service – DNS Server – File Replication Service – Powershell Server 2008 /2008 R2 • Includes 2003 logs plus: – Administrative events – Setup – Server roles • Organized by installed roles with custom filters
• 89. 88 Event Collection – Mac Logs • Stored in /Library/Logs, ~/Library/Logs and /var/log • Over 100 logs including: – system.log – mail.log – appfirewall.log • Aug 27 11:10:54 Iceberg Firewall[113]: Stealth Mode connection attempt to UDP 192.168.0.25:49747 from 192.168.0.1:53 • Unexpected UDP connection attempt – install.log
  • 90. © 2012 JurInnov Ltd. All Rights Reserved. 89 Event Collection – Linux Logs • Logs based on syslog • Organized by facility such as mail or web • Syslog-ng – supports TLS encryption for shipped logs • Rsyslogd – Supports IPv6, RELP (Reliable Event Logging Protocol), TLS, timestamping and zone logging
  • 91. © 2012 JurInnov Ltd. All Rights Reserved. 90 Event Collection – Linux Logs • /var/log/faillog : This log file contains failed user logins. This can be very important when tracking attempts to crack into the system. • /var/log/kern.log : This log file is used for messages from the operating system’s kernel. This is not likely to be pertinent to most computer crime investigations. • /var/log/lpr.log : This is the printer log and can give you a record of any items that have been printed from this machine. It can be useful in corporate espionage cases. • /var/log/mail.* : This is the mail server log and can be very useful in any computer crime investigation. Emails can be a component in any computer crime, and even in some non-computer crimes such as fraud. • /var/log/mysql.* : This log records activities related to the MySQL database server and will usually be of less interest to a computer crime investigation.
  • 92. Event Collection – Linux Logs • /var/log/apache2/* : If a machine is running the Apache web server, © 2012 JurInnov Ltd. All Rights Reserved. 91 then this log will show related activity. This can be very useful in tracking attempts to hack into the web server. • /var/log/lighttpd/* : If a machine is running the Lighttpd web server, then this log will show related activity. This can be very useful in tracking attempts to hack into the web server. • /var/log/apport.log : This records application crashes. Sometimes these can reveal attempts to compromise the system, or the presence of a virus or spyware. • /var/log/user.log : These contain user activity logs and can be very important to a criminal investigation.
• 93. Event Collection – Linux Logs 92 • There are several shell commands one can enter to view system logs in Linux. For example, to view the printer log any of the following would work, though some won’t be available on every system: • # tail -f /var/log/lpr.log • # less /var/log/lpr.log • # more -f /var/log/lpr.log • # vi /var/log/lpr.log
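Viewing a log with tail or less is the first step; the next is turning the failed-login entries the slides describe into an alert. The following is an added example for this page (not from the presentation or from any vendor tool) that parses syslog-format OpenSSH lines of the kind written to /var/log/auth.log or /var/log/secure, counts failures per source address in a sliding window, and raises a second, higher-priority alert when a source that was already flagged then logs in successfully. The log lines, the 5-failures-in-60-seconds threshold and the year supplied for the timestamps are all constructed assumptions for the demo.

```python
"""Added example: brute-force detection over constructed sshd auth log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, not from a real host. Addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Aug 27 11:10:01 host1 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 50211 ssh2
Aug 27 11:10:03 host1 sshd[2233]: Failed password for root from 203.0.113.5 port 50212 ssh2
Aug 27 11:10:04 host1 sshd[2235]: Failed password for root from 203.0.113.5 port 50213 ssh2
Aug 27 11:10:06 host1 sshd[2237]: Failed password for invalid user oracle from 203.0.113.5 port 50214 ssh2
Aug 27 11:10:07 host1 sshd[2239]: Failed password for root from 203.0.113.5 port 50215 ssh2
Aug 27 11:10:09 host1 sshd[2241]: Accepted password for root from 203.0.113.5 port 50216 ssh2
Aug 27 11:12:30 host1 sshd[2250]: Failed password for alice from 192.0.2.10 port 41000 ssh2
Aug 27 11:12:41 host1 sshd[2252]: Accepted publickey for alice from 192.0.2.10 port 41001 ssh2
Aug 27 11:20:00 host1 sshd[2260]: Failed password for bob from 198.51.100.7 port 39000 ssh2
Aug 27 11:25:00 host1 sshd[2261]: Failed password for bob from 198.51.100.7 port 39001 ssh2
"""

# Syslog prefix, then the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_lines(text, year=2012):
    """Return (timestamp, result, user, ip) tuples; syslog omits the year, so it is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # PAM and disconnect lines are ignored here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window failure count per source IP, plus success-after-failures."""
    alerts = []
    recent = defaultdict(deque)          # ip -> timestamps of failures inside the window
    flagged = set()
    for ts, result, user, ip in events:
        q = recent[ip]
        if result == "Failed":
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, f"{len(q)} failures in {window_seconds}s"))
        else:
            if ip in flagged:            # the guessing worked: this is the one to act on first
                alerts.append(("success_after_bruteforce", ip, f"login as {user}"))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_lines(SAMPLE_AUTH_LOG)):
        print(*alert)
```

Note what the window does with bob's two failures five minutes apart: they never accumulate, which is the intended trade-off between catching a fast dictionary attack and not paging on a user who mistypes a password twice. A slow, distributed guesser needs a different detector (many sources against one account), which is the many-to-one pattern discussed later in these slides.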
  • 94. © 2012 JurInnov Ltd. All Rights Reserved. 93 Chat Room Logs • Most chat software keeps at least a temporary log of conversations. This is true for MSN Messenger, Yahoo Messenger and many others. • The exact path for viewing those logs will vary from product to product.
  • 95. © 2012 JurInnov Ltd. All Rights Reserved. 94 How Logs Get Cleared • Clearing the log. Any user with administrative privileges can simply wipe out a log. However, this will be obvious when you see an empty event log. • Using auditpol.exe. This is an administrative utility that exists in Windows systems. It won’t show on the desktop or in the programs—you have to know it’s there and go find it. But using auditpol ipaddress /disable turns off logging. Then when the criminal exits, they can use auditpol ipaddress /enable to turn it back on. • There are a number of utilities on the web that will assist an attacker in this process. For example WinZapper allows one to selectively remove certain items from event logs in Windows.
  • 96. © 2012 JurInnov Ltd. All Rights Reserved. 95 Event Collection - Tools • WinRM – Microsoft tool that runs on Server 2008 R2 • Argus • Softflowd • Cisco MARS (Monitoring, Analysis and Response System)
  • 97. © 2012 JurInnov Ltd. All Rights Reserved. 96 Event Collection - Tools • SNARE (System iNtrusion Analysis and Reporting Environment) – open source • Splunk (only free for 500MB/day) • SCOM (System Center Operations Manager) • DAD (Distributed log Aggregation for Data analysis)
  • 98. © 2012 JurInnov Ltd. All Rights Reserved. 97 SIEM • Security Information and Event Management – Log aggregation – Correlation – Normalization – Alerting – Dashboards – Views – Compliance reports – Retention
  • 99. © 2012 JurInnov Ltd. All Rights Reserved. 98 Automated responses • Throttle • Drop • Shun • Island
• 100. 99 Flow Collection Components • Sensor – monitors traffic flow, extracts flow records and sends them to collectors • Collector – receives flow records and stores them • Aggregator – central collection point when multiple collectors are used • Analysis – tool that organizes and makes sense of the collected data
  • 101. © 2012 JurInnov Ltd. All Rights Reserved. 100 Network Analysis • Network schematic • Server roles • Baselining – normal profile – Destination IP addresses – Ports – Protocols – Volume of data and directionality
  • 102. © 2012 JurInnov Ltd. All Rights Reserved. 101 Analysis • Activity pattern matching • Packet analysis – Libpcap and WinPcap – Wireshark • Traffic analysis – Networkminer • Persistent packet sniffing – Data available when needed – High disk and CPU requirement – Must be highly secure
  • 103. © 2012 JurInnov Ltd. All Rights Reserved. 102 Wireshark - Interface Packet list  Packet details  Packet bytes 
• 104. 103 Wireshark • Filtering – frame contains "search term" • Flow – sequence of packets comprising a single communication segment – Ex: connection, negotiation, file request, file delivery, checksum, acknowledgment, termination – Flow record – subset of information from a flow such as source and destination IP, protocol, date or time
• 105. 104 Wireshark – Encrypted content • TLS/SSL – Obtain the server's (or workstation's) private key – Wireshark decrypts the session keys with the private key, decrypts the message stream with the session keys, and follows session key changes as it continues decrypting – Go to Preferences → Protocols → SSL → Edit RSA keys list → New → point to the private key and enter IP address, port, protocol and password – Caveat: this only works when the session negotiated RSA key exchange; with (EC)DHE cipher suites (forward secrecy) the server's private key does not recover the session keys, and the keys have to come from one of the endpoints instead
  • 106. © 2012 JurInnov Ltd. All Rights Reserved. 105 Networkminer • Traffic analysis tool • Graphical breakdown of… – Hosts – Images – Files – Email – DNS – Sessions
  • 107. © 2012 JurInnov Ltd. All Rights Reserved. 106 Wireshark / Networkminer demo • Capture data – Send email • Msmith-jur2012@hotmail.com • IknowIT2! – Visit web site – Run lansearch and copy files • End capture • Export to pcap • View in Networkminer
  • 108. © 2012 JurInnov Ltd. All Rights Reserved. 107 Vulnerability scanning • Vulnerability scanning – scan and fix vulnerabilities found. Identify and protect machines that could be potential bots. – Nexpose • Free for up to 32 IP – OpenVAS (Vulnerability Assessment System) • Linux • VM available (resource intensive) – Greenbone Desktop Suite (uses OpenVAS) • Windows XP/Vista/7 – MBSA (Microsoft Baseline Security Analyzer) – Secunia PSI (local Windows machine scanning only)
  • 109. © 2012 JurInnov Ltd. All Rights Reserved. 108 Architecting a Solution – How does it fit in the security strategy? – Scope – Scalability – Regulations and Standards – Structure • Distributed • Centralized – Platforms • Black box • Open Source • Commercial Application
  • 110. © 2012 JurInnov Ltd. All Rights Reserved. 109 IDS/IPS • Active or Passive • Host, Network or Both • Centralized or decentralized
  • 111. © 2012 JurInnov Ltd. All Rights Reserved. 110 Event Logging • Placement – Perimeter – VLAN or Workgroup – Wireless – Choke points – maximize collection capacity within budget and ability to process and analyze – Minimize duplication – Sync time – Normalize – Secure collector transmission pathways
  • 112. © 2012 JurInnov Ltd. All Rights Reserved. 111 Event Logging • Local • Remote – Centralized – Decentralized – Concerns • Time stamping • Network reliability • Confidentiality and integrity
  • 113. © 2012 JurInnov Ltd. All Rights Reserved. 112 Quick and Fast Rules • Compromised hosts generally send out more information • Patterns (sending perspective) – Many-to-one – DDoS, Syslog, data repository, email server – One-to-many – web server, email server, SPAM bot, warez, port scanning – Many-to-many – P2P, virus infection – One-to-one – normal communication, targeted attack
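The "Detecting bots" slide earlier (alert when a machine's port statistics climb well above its baseline) and the sending-perspective patterns on this slide are two views of the same flow data. The following added example for this page (not from the presentation or from any NetFlow product) takes (src, dst, dst_port, bytes) records as a collector would export them, flags hosts whose outbound volume is far outside the population baseline, and labels each host as many-to-one, one-to-many, many-to-many or one-to-one. The flow records, the fan-out threshold of 10 peers and the outlier factor of 5 are constructed assumptions for the demo.

```python
"""Added example: bot triage from flow records, using the patterns on this slide."""
import statistics
from collections import Counter, defaultdict

# Assumed thresholds; tune against your own baseline.
FAN_THRESHOLD = 10     # distinct peers before a host counts as one-to-many / many-to-one
OUTLIER_K = 5.0        # robust score above which outbound volume is suspicious


def build_sample_flows():
    """Constructed traffic: 12 normal workstations plus one spam bot (not real data)."""
    flows = []
    for i in range(12):
        ws = f"192.168.1.{21 + i}"
        flows.append((ws, "192.168.1.10", 80, 40_000 + i * 1_000))   # intranet web
        flows.append((ws, "192.168.1.11", 25, 5_000))               # corporate mail
        flows.append((ws, "192.168.1.12", 514, 2_000))              # syslog
    for n in range(40):   # infected host running its own SMTP engine (see Propagation slides)
        flows.append(("192.168.1.20", f"203.0.113.{n + 1}", 25, 30_000))
    return flows


def outbound_bytes(flows):
    totals = Counter()
    for src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return totals


def flag_outliers(totals, k=OUTLIER_K):
    """Hosts whose outbound bytes exceed median + k * MAD.

    Mean and standard deviation are deliberately avoided: a single bot sending a
    thousand times the normal volume drags the mean and sigma up so far that a
    classic z-score threshold never fires on a small population.
    """
    values = list(totals.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1.0
    return sorted(h for h, v in totals.items() if (v - med) / mad > k)


def classify_patterns(flows, fan_threshold=FAN_THRESHOLD):
    """Per host: (host, pattern, distinct destinations, distinct sources, top dst port)."""
    peers_out, peers_in, ports = defaultdict(set), defaultdict(set), defaultdict(Counter)
    for src, dst, port, _ in flows:
        peers_out[src].add(dst)
        peers_in[dst].add(src)
        ports[src][port] += 1
    findings = []
    for host in sorted(set(peers_out) | set(peers_in)):
        out_n, in_n = len(peers_out[host]), len(peers_in[host])
        if out_n >= fan_threshold and in_n >= fan_threshold:
            pattern = "many-to-many"
        elif out_n >= fan_threshold:
            pattern = "one-to-many"
        elif in_n >= fan_threshold:
            pattern = "many-to-one"
        else:
            pattern = "one-to-one"
        top_port = ports[host].most_common(1)[0][0] if ports[host] else None
        findings.append((host, pattern, out_n, in_n, top_port))
    return findings


def suspects(flows):
    """Hosts that are both volume outliers and fan out to many peers: the bot shortlist."""
    heavy = set(flag_outliers(outbound_bytes(flows)))
    return [(h, p, top) for h, p, _o, _i, top in classify_patterns(flows)
            if h in heavy and p in ("one-to-many", "many-to-many")]


if __name__ == "__main__":
    sample = build_sample_flows()
    for finding in classify_patterns(sample):
        print(*finding)
    print("suspects:", suspects(sample))
```

The mail and syslog servers come out as many-to-one, which is the expected shape for those roles, so a pattern alone is not an alert; the combination is what matters. A workstation that is simultaneously a volume outlier and one-to-many on port 25 is a spam bot until proven otherwise, and the same logic with port 445 in place of 25 gives you the share-scanning propagation described earlier.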