Types of Malicious Code Attacks: Even Kevlar Will Not Stop All Attacks




As a matter of course, investigators are tasked to address rogue code attacks. Handling such an attack presents challenges in terms of priorities. For example, certain types of attacks spread very quickly affecting computers on networks in large numbers. The Morris Internet Worm was one such attack.

There are many demands placed on the responders once they are aware of a potential critical incident. The clear first priority is isolating the attack. Infected computers must be isolated from the surrounding system to prevent the infecting code from spreading to other systems. With this done, responders should ask themselves if it is important to determine the origins of the infection, or not. If the network and its connecting systems are cleansed of the rogue code, the evidence of its origin may be erased; however, if the systems containing the code are isolated, they remain inoperable until the investigation is completed, negatively affecting productivity.

Viruses

In a virus attack, it is very likely the virus has infected many systems. The responder's likely priority is isolating the infected machines, cleaning them, and returning them to their users. In these cases, analyzing the virus and its origins is secondary. Tracing the virus is difficult, if not impossible, in a large system, but there are some considerations that can be made:

  • Make a forensically sound copy of one of the infected hard drives.

  • Treat the hard drive as if it were evidence and a crime scene in its own right.

  • Make a second forensic copy of the drive and use it as a work copy for future analysis.

  • If the first infected computer in the system can be identified by timestamp analysis, it may be possible to identify the origin of the infestation.

Experience Note 

It is extremely difficult to identify the person who introduced a virus into a network. Anti-virus software must be constantly updated and users trained not to open e-mail attachments. Usually the best that can be done is to isolate the systems, cleanse them, return the systems to the production environment, and train users.

Trojan Horses and Logic Bombs

In many regards, these forms of malicious code are easier to handle than viruses because they are usually confined to one machine. The problem is that they might remain dormant or unused on that machine until a triggering event takes place. Triggering events include calendar dates, keystrokes made in a specific order, or the execution of program code. Once the triggering event takes place, the user discovers the malicious code and administrators take appropriate restoration steps. With the malicious code running, it is going to be fairly obvious where it is located. For example, if a logic bomb is planted in a billing program, users will likely discover it when they try to execute the application and it does its damage.

With the execution of a logic bomb, the damage is done. Depending on the extent of possible legal action, the best solution is to cleanse the victim system and reinstall the software with clean backed-up data. It is possible that evidence could be collected, timestamps compared, and an attacker identified. Conducting such an investigation can be very time-consuming and resource intensive; consequently, it must be determined if it is worth the effort or not.

In the event of a suspected logic bomb hidden in an application, there are some specific steps that can be taken to prevent it from executing and doing its damage. It is important that a forensically sound copy of the suspected drive is made and preserved as evidence. Copy the evidence drive for performing all analyses and return a clean drive to the original system. The best way to locate the malicious code is to compare the victim system, where the malicious code is resident, with a clean backup copy. Investigators should review the date of the last change in the target media and compare it to the date of the last change for the same file in the backup copy. Continue to compare backups as far as is practical and compare dates. If there is a timestamp date change that cannot be explained or is not documented, the altered file is probably the guilty one.

If the investigators can gain visibility into the programmer's source code (this may or may not be possible), there are editors that will automate the line-by-line comparison, revealing any changes.
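The backup comparison described above, as an added example that is not part of the book: it walks a mounted working copy of the victim drive, hashes each file against the same path in a clean backup, and reports files whose content or modification time differs, labelling any change the organization has documented so the unexplained ones stand out. The directory layout, file names and timestamps in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_of(path):
    """Hash a file in chunks so large drive images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_trees(victim_root, backup_root, documented_changes=frozenset()):
    """Return sorted (relative_path, reason, victim_mtime_utc) tuples for every
    file on the victim image that is absent from, or differs from, the backup.
    Paths in documented_changes are approved updates and are labelled as such,
    so the unexplained changes stand out."""
    findings = []
    for dirpath, _dirs, files in os.walk(victim_root):
        for name in files:
            vpath = os.path.join(dirpath, name)
            rel = os.path.relpath(vpath, victim_root)
            bpath = os.path.join(backup_root, rel)
            vmtime = datetime.fromtimestamp(os.stat(vpath).st_mtime, timezone.utc)
            if not os.path.exists(bpath):
                reason = "new file, absent from backup"
            elif sha256_of(vpath) != sha256_of(bpath):
                reason = "content differs from backup"
            elif os.stat(vpath).st_mtime != os.stat(bpath).st_mtime:
                reason = "same content, modification time differs"
            else:
                continue  # identical content and timestamp: not suspicious
            if rel in documented_changes:
                reason = "documented change: " + reason
            findings.append((rel, reason, vmtime))
    return sorted(findings)

def _write(path, text, mtime):
    with open(path, "w") as f:
        f.write(text)
    os.utime(path, (mtime, mtime))

def demo():
    """Constructed victim/backup pair: a billing module altered on the victim
    and a file that exists only there; everything else is identical."""
    base = tempfile.mkdtemp()
    victim, backup = os.path.join(base, "victim"), os.path.join(base, "backup")
    for root in (victim, backup):
        os.makedirs(os.path.join(root, "billing"))
        _write(os.path.join(root, "billing", "rates.cfg"), "rate=0.05\n", 1_000_000_000)
    _write(os.path.join(backup, "billing", "invoice.py"),
           "def total(x): return x\n", 1_000_000_000)
    _write(os.path.join(victim, "billing", "invoice.py"),
           "def total(x): return x  # altered\n", 1_000_500_000)
    _write(os.path.join(victim, "billing", "trigger.dat"), "\x00", 1_000_500_100)
    return compare_trees(victim, backup)
```

Run `compare_trees` against successive backups, as the text suggests, to narrow the change to the backup interval in which it first appears.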

In the event of suspected malicious code, here are a few types of event logging that will help:

  • Login and logoff

  • File deletion

  • Privilege changes

  • All root access

  • Failed login attempts

  • Unused or dormant account access

  • SU (Switch User) activity in UNIX-based systems

  • System reboots

  • Remote access of target system

  • New user accounts
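As an added example (not from the book), the following classifies syslog-style authentication lines into several of the event types listed above and raises the alerts an investigator would look at first: repeated failed logins from one source, a login by a dormant account, su to root, a new account and a reboot. The log lines, host name and account names are constructed.

```python
import re
from collections import Counter

# Constructed syslog-style lines from a host named "billing".
SAMPLE_LOG = """\
Mar  3 02:14:07 billing sshd[4011]: Failed password for root from 10.0.0.77 port 51022 ssh2
Mar  3 02:14:09 billing sshd[4011]: Failed password for root from 10.0.0.77 port 51022 ssh2
Mar  3 02:14:12 billing sshd[4011]: Failed password for root from 10.0.0.77 port 51022 ssh2
Mar  3 02:15:01 billing sshd[4020]: Accepted password for oldtemp from 10.0.0.77 port 51030 ssh2
Mar  3 02:15:30 billing su[4033]: (to root) oldtemp on pts/1
Mar  3 02:16:02 billing useradd[4040]: new user: name=svc_bkp, UID=1005, GID=1005, home=/home/svc_bkp, shell=/bin/bash
Mar  3 02:20:45 billing shutdown[4099]: shutting down for system reboot
Mar  3 08:01:15 billing sshd[5120]: Accepted publickey for alice from 10.0.0.12 port 40110 ssh2
""".splitlines()

# One regex per event type from the list above (file deletion needs audit
# logging rather than syslog and is omitted here).
PATTERNS = {
    "failed_login": re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)"),
    "login":        re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"),
    "su":           re.compile(r"su\[\d+\]: \(to (?P<target>\S+)\) (?P<user>\S+) on"),
    "new_account":  re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)"),
    "reboot":       re.compile(r"shutting down for system reboot"),
}

def classify(lines):
    """Tag each line with the first event type whose pattern matches it."""
    events = []
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                events.append((kind, m.groupdict(), line))
                break
    return events

def alerts(lines, dormant_accounts=frozenset(), failed_threshold=3):
    """Turn classified events into the findings an investigator reviews first:
    repeated failures from one source, dormant-account logins, su to root,
    new accounts and reboots.  Normal logins (alice) produce no alert."""
    events = classify(lines)
    out = []
    failures = Counter(f["src"] for kind, f, _ in events if kind == "failed_login")
    for src, n in failures.items():
        if n >= failed_threshold:
            out.append(f"{n} failed logins from {src}")
    for kind, f, _line in events:
        if kind == "login" and f["user"] in dormant_accounts:
            out.append(f"dormant account {f['user']} logged in from {f['src']}")
        elif kind == "su" and f["target"] == "root":
            out.append(f"{f['user']} switched user to root")
        elif kind == "new_account":
            out.append(f"new account created: {f['user']}")
        elif kind == "reboot":
            out.append("system reboot")
    return out
```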

Things to Do after a Malicious Code Attack

If a system has been the victim of a malicious code attack or denial-of-service attack, either as a result of outside or inside activity, here are a few suggested measures:

  • Contain the potential problem. The most efficient way to accomplish this is to simply remove the Ethernet cable from the network interface card (NIC), or isolate the affected systems from the rest of the network by some other means. If this cannot be accomplished, disable the power to the target machine. If you do not disconnect the target machine from the network, infections or attackers will cause havoc because they will continue to have access to the system.

    Experience Note 

    Managers should not be lulled into the idea that attackers having penetrated a system will not return. Once in, they will continuously attempt to intrude or deny service.

  • Preserve the target media as evidence. This probably will mean making a forensic copy of the target drive and preserving it for evidence.

  • Cleanse the original drive and return it to service. Make forensic copies of media containing the malicious code and preserve them as evidence. This will preserve the timestamp dates of infection. Cleansing media may consist of media degaussing, reformatting the drive, or launching a forensic erasing tool where the entire drive is overwritten several times destroying the offending code.

  • A completely clean reinstallation is more time-consuming than running anti-virus software to delete or quarantine the offender, but it ensures correct functionality.

Digital Bloodhounds

For matters that are going to be pursued to levels of litigation, it is important for investigators to discover the identities of those responsible for causing system damage. In many cases, civil and criminal legal processes can be, and should be, pursued on parallel tracks. It is not unusual for an individual to be criminally charged while the damaged parties file lawsuits to recover their losses. Considering all the different technologies that can be employed to conceal the attacker's identity such as anonymous e-mail re-mailers and compromised server accounts, it would seem attackers have a definite advantage over investigators.

Experience Note 

The Director of Risk Management for a credit card company noted that there were chat rooms dedicated to trading and verifying credit card information. After engaging several of the chat room operators in conversations over the course of many weeks, it was discovered many of them resided in countries that had few, if any, laws making credit card fraud a criminal act. Further, it was discovered the subjects knew they were acting criminally and fully acknowledged they could not be extradited due to a lack of international treaties. Consequently, they knew they could steal credit card information, sell it, commit fraud with it, and not suffer any punishment.

IP Addresses

When investigators begin looking for evidence in an attacked system, the most logical place to begin searching is the IP address. IP addresses, however, present several difficulties when locating the offender:

It is possible, and indeed quite likely, that the source IP address is spoofed and not correctly resolved to the attacker.

It is possible, and indeed likely, that the source IP address used for an attack is many hops away from the actual origin of the attack. Experienced attackers will pass through multiple systems before actually launching an attack. It is very common for investigators to have to obtain information from the administrators of multiple systems in the attack-chain before arriving at the attacker's origin.

Experience Note 

Much of IP tracing depends on the investigator's skill and luck. This is not to say it is not successful, but realistically it can be difficult and discouraging.

The IP address is assigned to an individual machine. It may be difficult to determine who was using a particular machine at a particular time in a shared environment like a school or library.

Resolving IP Addresses

By way of review, IP addresses consist of four sets of numbers, such as 166.70.6.40. The ARIN whois resolution of this IP address is as follows:

  • OrgName: XMission

  • OrgID: XMIS

  • NetRange: 166.70.0.0 - 166.70.255.255

  • CIDR: 166.70.0.0/16

  • NetName: XMISSION-166-70-0-0

  • NetHandle: NET-166-70-0-0-1

  • Parent: NET-166-0-0-0-0

  • NetType: Direct Assignment

  • NameServer: NS.XMISSION.COM

  • NameServer: NS1.XMISSION.COM

  • NameServer: NS2.XMISSION.COM

  • Comment: Please use the <abuse@xmission.com> e-mail address for all complaints regarding UCE (spam), copyright violations, security intrusions, and other suspected network abuse sourcing from XMission networks. DO NOT COPY your complaint to any other ARIN XMission POCs or e-mail addresses on the XMission network. Failure to comply with this statement will result in your complaint being ignored.

  • RegDate: 1997-02-19

  • Updated: 2002-09-19

  • AbuseHandle: NETAB-ARIN

  • AbuseName: Netabuse Manager

  • AbusePhone: 801-539-0852

  • AbuseEmail: <abuse@xmission.com>

  • NOCHandle: NETWO22-ARIN

  • NOCName: Network Manager

  • NOCPhone: 801-539-0852

  • NOCEmail: <net-manager@xmission.com>

  • TechHandle: TECHN5-ARIN

  • TechName: Technical Support

  • TechPhone: 801-539-0852

  • TechEmail: <support@xmission.com>

  • OrgAbuseHandle: NETAB-ARIN

  • OrgAbuseName: Netabuse Manager

  • OrgAbusePhone: 801-539-0852

  • OrgAbuseEmail: <abuse@xmission.com>

  • OrgNOCHandle: NETWO22-ARIN

  • OrgNOCName: Network Manager

  • OrgNOCPhone: 801-539-0852

  • OrgNOCEmail: <net-manager@xmission.com>

  • OrgTechHandle: TECHN5-ARIN

  • OrgTechName: Technical Support

  • OrgTechPhone: 801-539-0852

  • OrgTechEmail: <support@xmission.com>

  • # ARIN Whois database, last updated 2002-11-09 19:05

  • # Enter ? for additional hints on searching ARIN's Whois database.

As can be seen, the IP address fell within the block of IP addresses assigned to xmission.com. The Domain Name Servers connect the IP address to the Fully Qualified Domain Name, FQDN, which is xmission.com in this case. Using the SamSpade tool to resolve the IP address revealed the screen shown in Exhibit 12.

Exhibit 12: IP Resolution in SamSpade


Of course, using a tool like SamSpade or nslookup to resolve the IP address related to suspicious activities or attacks provides one of the first steps in the investigation. The resolution may lead to the address of a compromised system in a long chain of systems that are being used to launch more attacks. It is important to remember that the DNS system merely maps IP addresses to FQDNs.
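As an added example (not from the book), the following parses the ARIN record shown above, confirms that 166.70.6.40 falls inside the allocation it describes, and pulls out the organisation, abuse contact and name servers an investigator would use for the next step. The record text is the page's record abridged to the fields used here; the parsing is a generic "Key: value" walk, not an ARIN tool.

```python
import ipaddress

# The ARIN record shown above, abridged (same values as on the page).
WHOIS_RECORD = """\
OrgName:    XMission
OrgID:      XMIS
NetRange:   166.70.0.0 - 166.70.255.255
CIDR:       166.70.0.0/16
NetName:    XMISSION-166-70-0-0
NetType:    Direct Assignment
NameServer: NS.XMISSION.COM
NameServer: NS1.XMISSION.COM
NameServer: NS2.XMISSION.COM
OrgAbuseEmail: abuse@xmission.com
OrgTechEmail:  support@xmission.com

# ARIN Whois database, last updated 2002-11-09 19:05
"""

def parse_whois(text):
    """Parse 'Key: value' lines into a dict of lists; keys such as NameServer
    repeat, and '#' lines are server commentary, not data."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            record.setdefault(key.strip(), []).append(value.strip())
    return record

def networks_of(record):
    """Networks covered by the record, from CIDR if present, else NetRange."""
    nets = [ipaddress.ip_network(c.strip(), strict=False)
            for field in record.get("CIDR", []) for c in field.split(",")]
    if not nets:
        for rng in record.get("NetRange", []):
            lo, _, hi = rng.partition("-")
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))
    return nets

def lookup(record, ip):
    """Return the organisation, abuse contact and name servers responsible for
    `ip`, or None when the address is outside the record's allocation."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in networks_of(record)):
        return None
    abuse = record.get("OrgAbuseEmail") or record.get("AbuseEmail") or [None]
    return {"org": record["OrgName"][0],
            "abuse": abuse[0],
            "nameservers": record.get("NameServer", [])}
```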

Trace Route

There are two very useful tools that determine the route a packet follows getting from the origin to the destination. Trace route uses the IP header's Time To Live (TTL) field to obtain an Internet Control Message Protocol (ICMP) response from each router along the packet's path. Trace route is another of the tools available in the SamSpade application. Investigators can use trace route to determine the approximate geographical location of a system of interest. It is possible that the registered information for the domain owner may reveal her location to be in Maryland, yet the system of interest may be physically located in New York. Tracing the packet's routing may be helpful in revealing the real physical location of a system when considering legal jurisdiction.

Experience Note 

There are trace route tools that display their data in visual form available at www.visualware.com. This tool combines IP resolution, geographical information, and trace route information in one tool.

Of course, there is a built-in tool in Windows operating systems called Tracert. It can be launched from the DOS prompt by entering tracert followed by the domain name; for example, C:\windows> tracert www.fbi.gov. This utility will count and display the hops, times, and connections.

Dynamic Host Configuration Protocol (DHCP) Tracing

DHCP provides dynamically assigned IP addresses to hosts accessing the network. This is the usual way users dialing up their ISP for Internet access are assigned IP addresses. The process of assigning an IP address to a user is known as "leasing." DHCP leases are normally logged regardless of whether the server platform is UNIX or Windows-based. By reviewing the DHCP server logs, investigators should be able to determine which leased IP addresses identified which connected machines.

On UNIX platforms, the DHCP service is handled by the dhcpd program, which logs IP address leases through syslogd. On Windows platforms, the DHCP service is logged in the DhcpSrvLog file. Once the DHCP address has been tied to a specific network card and matched to the timestamp, it should be a simple matter of reviewing the organization's latest equipment inventory and matching the machine's identification with the assigned owner.
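The lease-to-owner chain just described, as an added example that is not from the book: given dhcpd messages as syslogd records them, find the MAC address that held an IP address at the moment of interest (honouring a release that came in between), then look that MAC up in the equipment inventory. The log lines, MAC addresses and inventory are constructed; syslog timestamps carry no year, so the year is taken from the investigator's query time.

```python
import re
from datetime import datetime

# Constructed ISC dhcpd messages as syslogd would record them (oldest first).
LEASE_LOG = """\
Mar  3 01:50:12 dhcp1 dhcpd: DHCPACK on 10.0.0.77 to 00:1a:2b:3c:4d:5e (LAB-PC-17) via eth0
Mar  3 02:02:40 dhcp1 dhcpd: DHCPRELEASE of 10.0.0.77 from 00:1a:2b:3c:4d:5e (LAB-PC-17) via eth0 (found)
Mar  3 02:05:03 dhcp1 dhcpd: DHCPACK on 10.0.0.77 to 08:00:27:9f:11:aa (unknown) via eth0
Mar  3 02:30:00 dhcp1 dhcpd: DHCPACK on 10.0.0.78 to 00:50:56:ab:cd:ef (FIN-LAPTOP-3) via eth0
""".splitlines()

# Constructed equipment inventory: MAC address -> (asset tag, assigned owner).
INVENTORY = {
    "00:1a:2b:3c:4d:5e": ("LAB-PC-17", "Chemistry lab, shared workstation"),
    "08:00:27:9f:11:aa": ("VM-CONTRACTOR-02", "J. Doe (contractor)"),
    "00:50:56:ab:cd:ef": ("FIN-LAPTOP-3", "Finance, A. Smith"),
}

TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: "
ACK = re.compile(TS + r"DHCPACK on (?P<ip>\S+) to (?P<mac>\S+)")
REL = re.compile(TS + r"DHCPRELEASE of (?P<ip>\S+) from (?P<mac>\S+)")

def parse_ts(ts, year):
    # syslog timestamps carry no year; the investigator supplies it.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def lease_holder(lines, ip, at, year):
    """MAC that held `ip` at datetime `at`: the most recent DHCPACK for that
    address at or before `at`, unless a DHCPRELEASE came after it.  Lines
    must be in chronological order."""
    holder = None
    for line in lines:
        m = ACK.match(line) or REL.match(line)
        if not m or m.group("ip") != ip:
            continue
        if parse_ts(m.group("ts"), year) > at:
            break
        holder = m.group("mac") if m.re is ACK else None
    return holder

def identify(lines, ip, at):
    """Chain lease -> MAC -> inventory for an ISO-format query time such as
    '2004-03-03 02:14:07'; None when nobody held the address at that moment."""
    at_dt = datetime.fromisoformat(at)
    mac = lease_holder(lines, ip, at_dt, at_dt.year)
    if mac is None:
        return None
    tag, owner = INVENTORY.get(mac, ("not in inventory", "unknown"))
    return {"mac": mac, "asset": tag, "owner": owner}
```

The query time should be taken from the victim's log in the same time zone as the DHCP server's clock; a clock skew between the two hosts can point at the previous lease holder.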

Investigating the Identity of the Attacker

It is sometimes worth the time, effort, and expense of discovering who is attacking the system and there are times that it is not. Investigators are advised to consult with their legal counsel before wasting resources in chasing a bandit down a blind alley. However, if investigators are inclined to discover their attacker's identity, here are some areas that may be fruitful. Use the SamSpade suite or similar tools to discover the domain registration of the attacker's IP address (Exhibit 13).

Exhibit 13: SamSpade Tools


  • Ping will discover if the target IP is online. Many administrators disable this service, so it should not be considered reliable.

  • Nslookup will resolve the attacker's IP address and will provide relevant domain registration information. This information should provide a name, address, and telephone number of a responsible party with whom contact may be made to extend the investigation one more step backwards. It is often found the administrator of the previous system was unaware that her system was a launching pad for an attack on another system.

  • Trace route will provide the route of information packets traveling from router to router.

Investigators may find situations where the attacker's trail passes through a system where activity logs do not exist or are insufficient to make the next hop toward the attacker. On these occasions, talking to senior administrators may reveal that they have relevant information identifying the next system back.

Experience Note 

Investigators are advised that just because the administrator does not have complete logs does not mean she does not have other helpful information.

In this same vein, just because an investigator finds an IP address going back many hops does not necessarily mean this is the attacker's address. It is very possible that the attacker was using a compromised account, and the administrator of that system will have to review logs and timestamps to determine the extent of the attacker's activity.

Convincing an administrator that this is an effort worthy of his time can be somewhat of a challenge in itself.

Experience Note 

Information collected by administrators and non-law enforcement investigators may be provided to law enforcement authorities. In some cases, law enforcement authorities are going to need international treaty enforcement or other processes to obtain this information depending on the location of the attacker.

This is a potential problem in that the administrator along the attacker-trail might be the attacker herself. So, it is important for non-law enforcement investigators to coordinate their efforts with law enforcement authorities and their respective legal counsel before proceeding. Failing to do so may have serious consequences. For example, suppose a corporate investigator alerted an attacker that she was under investigation by law enforcement authorities and, as a result of this warning, the attacker destroyed evidence of her activities. In this case, the corporate investigator could possibly be charged with obstructing an investigation and evidence tampering.

Domain Registration Payments

There are times when investigators seem to hit a wall in their pursuit of their attacker's identity. Domain registration information is an extremely valuable resource. Registrations often provide some degree of information even if most of the registration information is false. Most domain registration entities require their clients to use credit cards or cashier's checks. Contacting the domain registration agency may provide the credit card number and other identifying information for the attacker's domain. It is possible the credit card was stolen, so law enforcement authorities may start a trail on the credit card number that might lead to the identity of the attacker and to charges of mail or interstate fraud.

Nicks and Monikers

Attackers frequently use monikers, also known as "Nicks," when boasting of their misdeeds in chat rooms. Sometimes these Nicks are registered with chat room services such as DALnet or Undernet with valid e-mail addresses or other information. Do not forget that chat room servers may maintain user activity logs that will reveal the IP address of someone identified with an attack.

Experience Note 

Inexperienced attackers enjoy boasting of their destructive activities and often post their deeds in chat rooms or in Newsgroups. Monitoring relevant chat rooms immediately after an attack and logging the conversations will sometimes reveal the bragging-attacker and provide essentially a detailed confession. More than one investigator has maintained membership in such chat rooms specifically for this purpose.

Sometimes Nick-owners use anonymous Web-based mail thinking this will conceal their identities when they are logged on as chat room users. Such services as Yahoo and Hotmail provide Web-based e-mail services that may be used to thinly shield the user's identity. It is important to note that Web-based mail services carry the sender's IP address within the header content. If the sender were using a dynamically assigned IP address, this address would be contained in the header content. Web-based e-mail services usually maintain user logging.

If an attacker is using DHCP to connect to the network, this will not conceal her identity, as most ISPs maintain user-logging records that will reveal the leased IP address to a specific computer logged on to their system. If the attacker is located inside an organization's network, viewing the NAT (Network Address Translation) and firewall logs will generally reveal which user was using a particular IP address and was logged on the system at a particular time.
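The header check described above, as an added example that is not from the book: it reads the sender's address out of a Web-mail message, preferring the X-Originating-IP header that Web-mail services commonly add and falling back to the earliest Received hop, which is the IP address the investigator then takes to the ISP's DHCP or the organization's NAT logs. The message, addresses and host names are constructed.

```python
import email
import ipaddress
import re

# Constructed message: an attacker's boast sent through a Web-mail service.
# Web-mail providers commonly record the browser's address in an
# X-Originating-IP header; the Received chain records each relay hop.
RAW_MESSAGE = """\
Received: from mail.example.net (mail.example.net [203.0.113.9])
    by mx.victim.example (Postfix) with ESMTP id 4F2A1
    for <ops@victim.example>; Wed, 3 Mar 2004 02:40:11 -0500
Received: from webmail12.example.net ([192.0.2.45])
    by mail.example.net with HTTP; Wed, 3 Mar 2004 02:39:58 -0500
X-Originating-IP: [198.51.100.77]
From: "Zer0Byte" <zer0byte@example.net>
To: ops@victim.example
Subject: about last night
Date: Wed, 3 Mar 2004 02:39:58 -0500

nice billing system you had
"""

IP_RX = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def received_chain(msg):
    """Received headers oldest-first (each relay prepends its own, so the last
    one in the message is the first hop), each with the IPs it names."""
    chain = []
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())   # unfold continuation lines
        chain.append((flat, [ip for ip in IP_RX.findall(flat) if valid_ip(ip)]))
    return chain

def originating_ip(raw):
    """Return (ip, where_it_came_from): X-Originating-IP when the Web-mail
    service set one, otherwise the first IP in the earliest Received hop."""
    msg = email.message_from_string(raw)
    xoip = msg.get("X-Originating-IP")
    if xoip:
        m = IP_RX.search(xoip)
        if m and valid_ip(m.group(1)):
            return m.group(1), "X-Originating-IP set by the Web-mail service"
    for flat, ips in received_chain(msg):
        if ips:
            return ips[0], "earliest Received hop: " + flat
    return None, "no usable IP address in headers"
```

Only the Received header added by your own mail server is under your control; the earlier ones were written by systems along the path and can be forged, which is why the chain is walked hop by hop with each administrator, as the text describes.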

Searching the Newsgroups for an attacker's Nick or IP address or domain is another way of ascertaining an attacker's identity. Many attackers frequent Newsgroups looking for information or to engage in "flame-wars." They use their Nicks as identifiers and provide information about their interests and activities. Doing a bit of homework can reveal significant amounts of information about an attacker's interests and background. Newsgroups may be easily searched for information through search engines like www.google.com providing exact word or term searches.

Anonymous Re-Mailers

Questions frequently arise about anonymous re-mailers and the degree of success investigators have in obtaining logs and other relevant information from them. The purpose of anonymous re-mailers is to conceal the user's true identity. Their philosophy is that privacy is assured by anonymity. People use re-mailers for the following reasons:

  • Whistle blowing

  • Discussion of personal or taboo issues

  • Journalistic correspondence

  • Spam protection

  • Future anonymity

  • Political speech

  • Censorship avoidance

Corporations and other organizations tend to use anonymous re-mailers for these reasons:

    • Research of competitors

    • Out-of-band communications

    • Avoidance of information leakage

    • Thwarting industrial espionage

    • Employee feedback

Anonymous re-mailers do not usually maintain user logs, citing disk space and resource limitations; often the real reason is that these entities are interested in user privacy concerns.

Experience Note 

Depending on the re-mailer owner's concerns for legal matters, they may be persuaded to be helpful in locating and identifying their users either through log analysis or active system monitoring.

It is possible for law enforcement officers to obtain relevant information from re-mailers. First, with legal authority such as search warrants, court orders, or subpoenas, re-mailers can be compelled to save specific incoming and outgoing messages. Second, it may be possible for officers to obtain a copy of a message from the sender, such as during the execution of a search warrant. With these message copies, officers may be able to obtain evidence from the ISP in the way of the time and date the sender logged on and sent the e-mail of interest.

To successfully obtain evidence from anonymous re-mailers, investigators must be prepared to obtain search warrants, court orders, and court ordered wiretaps. It is not impossible to obtain information from re-mailers; it depends on their degree of cooperation and the legal resources available to the investigators and prosecutors.






Critical Incident Management
ISBN: 084930010X
Year: 2004
Pages: 144