Tuesday, April 21, 2009

How to Track Peer 2 Peer networks.

The most technically difficult crime to conduct online is to create a “bot-net”, (Leyden et all)[i]. “Bot Net’s” are networks of infected machines that utilize a Trojan and or “Root kit” to do the bidding of their respective masters.

These include distributed denial of service attacks, online extortion, distribution of child pornography and or hosting of child porn sites, and the most common is the relaying of bulk email (spam distribution). The setup of the various famous bot net’s includes the following; as defined by Stewart[ii].

Created

Name

Estimated Count

Spam Capacity

Aliases

?

Conficker

10,000,000

10 billion / day

DownUp, DownAndUp, DownAdUp, Kido

?

Kraken

495,000

9 billion / day

Kracken

31-Mar-07

Srizbi

450,000

60 billion / day

Cbeplay, Exchanger

?

Bobax

185,000

9 billion / day

Bobic, Oderoor, Cotmonger, Hacktool.Spammer,

Full details of this list are taken directly from the Wikipedia article on bot-nets available here:

http://en.wikipedia.org/wiki/Bot_net

This list is not complete but offers a sample of the top bot-nets in operation online today.

To examine and explore the appropriate forensic investigation techniques; I will focus on the most recent and the largest bot-net “Confiker”.

Conficker was initially spread as a “Worm” exploiting a vulnerability within the Windows Server RPC service which was patched by MS08-067.(Microsoft)[iii], the date of the initial Conficker Infection is Was reported on November 22nd 2008, only one month after the patch was released; October 23rd 2008.(Ma et al.)[iv]

Methods used to track any virus and vulnerability are those involving network monitoring and active network heuristics on global scales; These include “Honey Netting”, “Intrusion Detection Analysis” and general Anti Virus reporting. For the purposes of brevity we will define “Honey Netting” as placing monitored versions of unpatched operating systems online to determine attack vectors and methods.(Honey Net)[v] The monitors of these systems are placed around them within the same network behind far more secure firewalls and these monitoring systems utilize remote logging, Intrusion detection and network traffic analysis in real time to determine whether or not a compromise has occurred.

A good metaphor of the above is to attract bears to a trap using Honey. In this case the bears are malicious “Black Hat’s”, “Viri” and “Worms”.

Once a system is compromised it is removed from the network and then forensic analysis is conducted using all the tools we have used in this course (FTK, Autopsy, IDS Logs) on said box to determine the method of attack, it’s vector; i.e. which applications or server services were compromised and allowed the intruder, worm, virus to gain access to the box.

Peer to Peer networking is one of the many foundations of the internet, as the WWW is a peer to peer network where the Domain Name system and servers may be considered indexes to reach other peers distributed globally. A much more detailed definition and over view is available here:

http://en.wikipedia.org/wiki/Peer-to-peer_networking

Now how does Conficker utilize Peer to peer networking? How do we know that Confikcker uses peer to peer networking to download payloads? And how can we track Confickers activity?

The honeynet project conducted some reverse engineering on the conficker virus to determine it’s behaviour and control mechanisms, it’s a very complex worm; within their white paper Leder and Werner discuss how conficker utilizes encryption to send signed control messages to it’s peers and servers, thus preventing code injection from unauthorized servers or nodes.

Conficker initially infects a system by exploiting the MS08-067 vulnerability in the Server RPC service on Microsoft Windows Based operating sytems, once isnstalled it uses randomly generated URL’s via a predefined algorithm to search for control servers from which to download and update itself. As part of it’s infection it also modifies the MS08-067 vulnerability to prevent others from utilizing this attack vector thus “Secureing” the infected host. (Leder et al)[vi] Conficker’s goal is to send spam and generate profit by allowing businesses to use conficker to send their spam, however conficker did not download it’s instructions until sometime after April 2nd 2009. Conficker also prevents others form installing their bots on the affected machines and will reject any unsigned messages that are attempted to be sent to an infected machine because it utilizes RSA encrypted control messages. Thus it is both peer aware and control server aware.

The primary tool used to track and view conficker is Snort, snort is an “Intrusion Detection System” that utilized real-time live wire packet capture from a Unix program called TCPDUMP in promiscuous mode to capture network information and store it in a database to determine if it matches any known attack signatures. This is the same method used by “Anti-Virus” Software only that it track’s packets on the wire as opposed to executables and hex-code on a hard drive or file system.(Snort)[vii]

Once a host becomes infected with conficker it first begins scanning all other hosts on it’s subnet to locate any other vulnerable hosts to infect, at the same time it also patches it’s own infection method, thus as a “Worm” conficker was able to spread incredibly rapidly. The CAIDA project maps the topology of the entire internet and has created an amazing time lapsed view of the conficker epidemic. A post-mortem view of the epidemic is available here:

http://www.caida.org/research/security/ms08-067/telescope.tcp445.nov21.linear.animated.gif

This GIF utilizes data imported by Intrusion detection systems at various telescopes around the world in conjunction with geo-lcation to show a global view of the epidemics spread, by co-realiating port scans for the MS08-067 vulnerability and geo-location by ip assignment.

The methods and techniques used to track, detect and prevent worm’s and various infections like conficker involve first using “Honeypotting”, then conducting post mortem and network intrusion analysis and if possible reverse engineering the binary code of the virus itself.

The tools available for each of these are any network and remote silent log monitoring systems such as Snort, SyslogD, Firewalls and what not. (Spitzner)[viii] Once a honey pot has been compromised a post mortem is conducted utilizing FTK and autopsy, and then cross referencing system & intrusion detection logs to determine the method used to infect the machine. This includes pouring over gigabytes of data generated by Snort in a database and co-relating the time stamped information to develop a “Timeline”.

Once a timeline has been developed the virus and or root kit disassembly begins, the favourite tool for binary level disassembly is IDA (the Interactive Disassembler) and the sole purpose of IDA is to reverse engineer software by analyzing the binary code and it’s instructions. (Guilfanov)[ix]

One of the major issues with modern worms and viri is Polymorphism and widespread use of encryption.

Usually various Security research firms will conduct this research, these include Symantec, McAfee, The Honeynet Project, Kaspersky et cetera ad nosium. Any business with a vested interest in computer security will often setup honeypot’s and honeynet’s to capture and anaylize data to improve their own product offerings; whereas the Honeynet project’s goal is far more altruistic.


References


[i] Leyden, John (The Register, September 9th 2004) Telenor takes down 'massive' botnet [Online] World Wide Web, Available from: http://www.theregister.co.uk/2004/09/09/telenor_botnet_dismantled/ (Accessed on April 20th 2009)

[ii] Stewart, Joe (Secure Works, April 8th 2008) Top spam botnets exposed [Online] World Wide Web, available from: http://www.secureworks.com/research/threats/topbotnets/?threat=topbotnets (Accessed on April 20th 2009)

[iii] N.a. (Microsoft, October 23rd 2008) Vulnerability in Server Service Could Allow Remote Code Execution (958644) [Online] World Wide Web, Available from: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx (Accessed on April 20th 2009)

[iv] Ma Alex; Kantor, Brian; Savage, Stephan; Wesson, Rick; Enright, Brandon; Phorras, Phil; Yegneswaran, Vinod; John, Wolfgang; Castro, Sebastian (CAIDA, Tuesday April 7th 2009) Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope [Online] World Wide Web, Available from: http://www.caida.org/research/security/ms08-067/conficker.xml (Accessed on April 20th 2009)

[v] N.a. (Honey Net Project, n.d.) About the Honey Net Project [Online] World Wide Web, Available from: http://www.honeynet.org/about (Accessed on April 20th 2009)

[vi] Leder, Felix; Werner, Tillmann (The Honeynet Project, 7th April 2009) Know your Enemy: Containing Conficker, to Tame Malware [Online] PDF Document, Available from: http://www.honeynet.org/files/KYE-Conficker.pdf (Accessed on April 20th 2009)

[vii] N.a. (The Snort Project, 2009) Snort Project Information Page [Online] World Wide Web, Available from: http://www.snort.org/ (Accessed on April 20th 2009)

[viii] Spitzner, Lance (RootPrompt.org, March 20th 2000) Building A honey Pot [Online] World Wide Web, Available from: http://www.rootprompt.org/article.php3?article=210 (Accessed on April 20th 2009)

[ix] Guilfanov, Ilfak (Hex-Rays, 2009) IDA Pro Information Page [Online] World Wide Web, Available from: http://www.hex-rays.com/idapro/ (Accessed on April 20th 2009)

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)