Internet Vulnerabilities & Criminal Activity


Presentation Transcript


  1. Internet Vulnerabilities & Criminal Activity
  Internet Forensics 12.1
  April 26, 2010

  2. Internet Forensics & Computer Forensics
  • Computer Forensics
    • Computer off / power it off
    • Hard drive is imaged
    • Examination made of hard drive copy
    • No live capture of memory
  • Internet Forensics
    • Done while computer is on
    • May or may not examine memory
    • Network activity is captured and analyzed

  3. Malware Analysis
  • Goal: provide insight into attackers
  • Malware has two purposes
    • Steal information from victim computers
    • Commandeer the victim computer's resources for the attacker's use
  • Malware secondary features
    • Propagation
    • Locate & terminate security programs & competing malware
    • Hide itself from system administrators

  4. Malware Programs
  • Most derived from a small, stable base of existing code
    • Small changes to obfuscation scheme
    • Command & control credentials change
    • No need to change what works
  • Custom programmed malware unlikely to be identified by security software

  5. Extracting Information
  • Author vs. attacker
    • More interested in the attacker
  • Information that can lead to the attacker's identity
  • How malware interacts with the Internet
  • What type of information is being targeted
  • Commonalities with previously analyzed software

  6. Malware Network Interactions
  • Receiving commands
    • Command & control site
  • Exfiltrate data
    • Drop site
  • Unique identifier (advertising fraud)

  7. Identifying Advertising Revenue
  • Advertising fraud
    • Pay-per-view, pay-per-click, pay-per-install
    • To receive revenue, the web site operator must be identified
  • Tracking number
    • May be found in malware
    • May be found in the URL for the advertisement
    • Extracted tracking number is the starting point for identifying the recipient

  8. Identifying Drop Sites
  • Malware that steals data will upload it to a specific site for later retrieval
    • Passwords, keystrokes, network traffic, documents
  • Data may be uploaded to the drop site using:
    • HTTP
    • FTP
    • E-mail

  9. Identifying Drop Sites cont.
  • Drop site location
    • May be hard coded into malware
    • May be found by a query to a web site or IRC channel
  • Possible actions once the drop site is located
    • Analyze traffic to the site to help find the attacker
    • Analyze data at the drop site & inform victims and financial institutions
    • Shut down the drop site
      • Will only work with a hard coded site
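Slides 8 and 9 say a drop site is the place stolen data is uploaded to over HTTP, FTP or e-mail. The script below is an added example (not part of the presentation) of the traffic-side check an investigator can run on a captured connection log: it ranks destinations by how much data flowed *out* to them via upload verbs and keeps only hosts that see almost nothing but uploads. The log format, every host name and address, the `UPLOAD_VERBS` set and the thresholds are constructed for illustration.

```python
"""Rank outbound upload destinations in a constructed connection log to find
candidate drop sites (HTTP POST/PUT, FTP STOR, SMTP delivery).
Added example; the log format, hosts, addresses and thresholds are constructed."""
from collections import defaultdict

# Constructed log: timestamp, source, destination host, protocol, verb, bytes sent
LOG = """\
2010-04-26T09:00:01 10.0.0.5 www.example-news.test HTTP GET 812
2010-04-26T09:00:03 10.0.0.5 www.example-news.test HTTP GET 1204
2010-04-26T09:05:10 10.0.0.5 upload.drop-example.test HTTP POST 524288
2010-04-26T09:20:12 10.0.0.5 upload.drop-example.test HTTP POST 498112
2010-04-26T09:35:09 10.0.0.5 upload.drop-example.test HTTP POST 530001
2010-04-26T09:36:00 10.0.0.5 ftp.drop-example.test FTP STOR 2097152
2010-04-26T09:40:00 10.0.0.7 mail.corp.test SMTP DATA 4096
2010-04-26T09:41:00 10.0.0.7 mail.relay-example.test SMTP DATA 1048576
2010-04-26T09:42:00 10.0.0.5 cdn.example-news.test HTTP GET 65536
"""

# Protocol/verb pairs that move data from the victim to the remote side (assumed set).
UPLOAD_VERBS = {("HTTP", "POST"), ("HTTP", "PUT"), ("FTP", "STOR"), ("SMTP", "DATA")}


def parse_log(text):
    """Yield one record per log line; the field order is the constructed format above."""
    for line in text.splitlines():
        ts, src, dst, proto, verb, nbytes = line.split()
        yield {"ts": ts, "src": src, "dst": dst, "proto": proto,
               "verb": verb, "bytes": int(nbytes)}


def summarize_destinations(records):
    """Per destination: bytes uploaded, bytes in any direction, verbs and sources seen."""
    stats = defaultdict(lambda: {"upload_bytes": 0, "total_bytes": 0,
                                 "uploads": 0, "verbs": set(), "sources": set()})
    for r in records:
        s = stats[r["dst"]]
        s["total_bytes"] += r["bytes"]
        s["verbs"].add((r["proto"], r["verb"]))
        s["sources"].add(r["src"])
        if (r["proto"], r["verb"]) in UPLOAD_VERBS:
            s["upload_bytes"] += r["bytes"]
            s["uploads"] += 1
    return stats


def candidate_drop_sites(text, min_upload_bytes=256 * 1024, min_upload_ratio=0.9,
                         known_good=()):
    """Destinations ranked by uploaded bytes, keeping only hosts that
    (a) received at least min_upload_bytes,
    (b) saw almost nothing but uploads (upload bytes / all bytes >= min_upload_ratio), and
    (c) are not on the allow-list of legitimate upload targets.
    Each entry: (host, upload_bytes, upload_count, verbs, sources)."""
    stats = summarize_destinations(parse_log(text))
    out = []
    for dst, s in stats.items():
        if dst in known_good or s["upload_bytes"] < min_upload_bytes:
            continue
        if s["upload_bytes"] / s["total_bytes"] < min_upload_ratio:
            continue
        out.append((dst, s["upload_bytes"], s["uploads"],
                    sorted(f"{p}/{v}" for p, v in s["verbs"]), sorted(s["sources"])))
    return sorted(out, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for dst, nbytes, n, verbs, srcs in candidate_drop_sites(LOG, known_good={"mail.corp.test"}):
        print(f"{dst:28} {nbytes:>9} bytes in {n} upload(s) via {','.join(verbs)} "
              f"from {','.join(srcs)}")
```

On the constructed log the FTP and HTTP drop hosts and the external mail relay come out on top while the corporate mail server is excluded by the allow-list. The ratio test is what separates a drop site from an ordinary web site that also accepts form posts; the thresholds are starting points to tune against the organisation's normal traffic, and a site located only by query (slide 9) will show up here as several short-lived hosts rather than one.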

  10. Forensic Examination
  • Computer is off
    • Image the hard drive on site
    • Transport computer to lab and image the hard drive
    • Examine image in a lab environment
  • Computer is on
    • Observe & document the following before shutting the machine down
      • Running processes
      • Open ports
      • Memory
      • Use of encryption

  11. Examination of Malware
  • Malware files should be:
    • Located, recovered, neutralized to prevent accidental execution, analyzed
  • Antivirus testing
    • Can identify known malware
    • Information can be obtained from the antivirus vendor's web site
    • Cannot identify network contact sites
    • Antivirus sites not detailed or accurate enough for court

  12. Examination of Malware cont.
  • Study strings in the binary
    • Locates embedded text
    • Text may be packed to further obfuscate it
    • Indicates malware has specific targets
  • Runtime analysis
    • Run malware in an isolated environment
    • Use a simulation of the Internet & targeted sites
    • Use network tools to observe the malware's behavior
    • Look for:
      • Method used to transfer data
      • Address where data is sent

  13. Examination of Malware cont.
  • Reverse engineering
    • Converts file back to source code
    • Needs some understanding of programming
  • Identify sites used for Command & Control (C&C)
    • Central point of communication between malware & attacker
    • C&C sites usually illegally hosted on compromised servers
    • Look for host name / IP number of C&C site
    • Attacker will normally connect to the C&C site using a proxy or other compromised host

  14. Examination of Malware cont.
  • Identify C&C site (continued)
    • Malware identifies C&C site using an IP address or a DNS resource record
      • IP address more vulnerable, as an IP address can be shut down
      • DNS resource record can simply be resolved to a new IP number
    • Nature of the DNS record can provide leads
      • Contact & payment details
      • Other DNS records with the same contact information
      • Other IP addresses associated with the DNS record
    • Attacker's choice of type of host or network can provide information on the attacker's activities

  15. Extracting Incidental Artifacts
  • Can find other information stored in malware with investigative value
    • Use the "strings" command
    • Messages or comments from the author or attacker
    • Metadata about the development environment
      • May be placed in malware to intentionally mislead investigators
      • May lead to the author, not the attacker
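Slides 12 and 15 both lean on the `strings` command: embedded text, text that has been packed to obfuscate it, tracking numbers in advertisement URLs (slide 7), and incidental artifacts such as comments and build metadata. The script below is an added example, not code from the presentation, that implements that workflow on a constructed blob: a minimal `strings`, a brute-force pass over single-byte XOR keys for packed URLs (one common packing scheme, assumed here), and a sort of the results into URLs with tracking-style parameters, e-mail addresses and a PDB path. The blob, the key `0x5A`, every host name and the `TRACKING_PARAMS` list are constructed.

```python
"""Pull investigative strings out of a constructed malware-like blob: plain
`strings`-style runs, text packed under a single-byte XOR key, and a sort of the
results into URLs (with tracking-style query parameters), e-mail addresses and
build metadata such as a PDB path.  Added example; the blob, the XOR key, every
host name and the TRACKING_PARAMS list are constructed for illustration."""
import re
from urllib.parse import parse_qs, urlsplit

PRINTABLE = set(range(0x20, 0x7F))   # the byte range `strings` treats as text
MIN_LEN = 6
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PDB_RE = re.compile(r'[A-Za-z]:\\[^:*?"<>|]+\.pdb')
# Query parameter names affiliate networks commonly use for a publisher id
# (assumed list; extend it from the advertisement URLs seen in a real case).
TRACKING_PARAMS = {"aff", "affid", "aid", "ref", "refid", "pid", "sub", "subid", "campaign"}


def extract_strings(blob, min_len=MIN_LEN):
    """Runs of at least min_len printable bytes, i.e. what the `strings` command prints."""
    out, run = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def xor(data, key):
    return bytes(b ^ key for b in data)


def unpack_xor(blob, marker=b"http"):
    """Try the 255 non-zero single-byte XOR keys and keep those under which a known
    marker (by default the scheme prefix of a URL) appears.
    Returns {key: [decoded strings containing the marker]}."""
    found = {}
    for key in range(1, 256):
        decoded = xor(blob, key)
        if marker in decoded:
            hits = [s for s in extract_strings(decoded) if marker.decode() in s]
            if hits:
                found[key] = hits
    return found


def classify(strings_):
    """Sort extracted text into the artifact types the investigator cares about."""
    arts = {"urls": [], "tracking": [], "emails": [], "pdb": []}
    for s in strings_:
        for url in URL_RE.findall(s):
            arts["urls"].append(url)
            for name, values in parse_qs(urlsplit(url).query).items():
                if name.lower() in TRACKING_PARAMS:
                    arts["tracking"].append((url, name, values[0]))
        arts["emails"].extend(EMAIL_RE.findall(s))
        arts["pdb"].extend(PDB_RE.findall(s))
    return arts


def analyze(blob):
    """Plain strings classified, plus whatever the XOR pass recovers."""
    arts = classify(extract_strings(blob))
    arts["packed"] = unpack_xor(blob)
    return arts


# Constructed sample: a few plain artifacts, then a C&C URL packed with XOR key 0x5A.
PLAIN = (b"MZ\x90\x00" + b"\x00" * 8
         + b"C:\\Users\\dev\\Projects\\stealer\\Release\\stealer.pdb\x00"
         + b"greetz to nobody, catch me if you can\x00"
         + b"http://ads.example-affiliate.test/click?affid=77421&sub=banner3\x00"
         + b"report@example-drop.test\x00")
PACKED = xor(b"http://cc.example-c2.test/gate.php?id=", 0x5A) + b"\x5a"  # 0x5a ^ 0x5a = NUL terminator
BLOB = PLAIN + b"\xff" * 4 + PACKED + b"\x00" * 4

if __name__ == "__main__":
    for kind, items in analyze(BLOB).items():
        print(kind, items)
```

The plain pass yields the PDB path (development-environment metadata that, as slide 15 warns, may point at the author or be planted to mislead), the author's message, the advertisement URL with its `affid` value, and the drop e-mail address; the packed C&C URL only appears after the XOR pass. Real samples use many other packing schemes, so a clean `strings` run with nothing of interest is a reason to move on to runtime analysis, not a conclusion.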

  16. More to Learn from Malware
  • Two different malware samples using the same C&C site may belong to the same attacker
  • Why not go after the author?
    • Prosecution requires:
      • Knowledge
      • Intent
      • Damages & monetary loss
  • Techniques used by malware authors point out weaknesses in network security
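Slide 14 lists the leads a C&C domain's DNS record gives (other IPs it has used, other domains registered with the same contact) and slide 16 says samples sharing a C&C site may belong to one attacker. Both are the same operation on a graph of indicators, and the script below is an added example (not from the presentation) of it: samples, hosts, resolved IPs and registrant contacts become nodes, shared indicators become edges, and connected components are the candidate "same attacker" groups. The data set is constructed; every sample name, host, address and contact is made up.

```python
"""Pivot across C&C indicators: domains sharing a registrant contact, IP addresses a
domain has resolved to, and samples that talk to the same C&C site.  Connected
components of the resulting graph are candidate 'same attacker' groups.
Added example; every sample name, host, address and contact below is constructed."""
from collections import defaultdict, deque

# Constructed results of malware analysis: sample -> C&C hosts it contacts.
SAMPLE_C2 = {
    "sample-A.bin": ["c2-one.example.test"],
    "sample-B.bin": ["c2-one.example.test", "203.0.113.10"],
    "sample-C.bin": ["c2-two.example.test"],
    "sample-D.bin": ["198.51.100.77"],
}
# Constructed DNS / registration leads for the C&C domains (resolution history
# and registrant contact, as an investigator would collect them).
DNS_RECORDS = {
    "c2-one.example.test": {"contact": "reg1@mail.example.test",
                            "ips": ["203.0.113.10", "203.0.113.11"]},
    "c2-two.example.test": {"contact": "reg1@mail.example.test",
                            "ips": ["198.51.100.5"]},
    "shop-three.example.test": {"contact": "reg2@mail.example.test",
                                "ips": ["198.51.100.77"]},
}


def build_graph(sample_c2, dns_records):
    """Undirected graph over typed nodes ("sample"|"host"|"contact", value)."""
    g = defaultdict(set)

    def link(a, b):
        g[a].add(b)
        g[b].add(a)

    for sample, hosts in sample_c2.items():
        for h in hosts:
            link(("sample", sample), ("host", h))
    for domain, rec in dns_records.items():
        link(("host", domain), ("contact", rec["contact"]))
        for ip in rec["ips"]:
            link(("host", domain), ("host", ip))
    return g


def components(g):
    """Connected components by breadth-first search."""
    seen, comps = set(), []
    for start in g:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            if node in seen:
                continue
            seen.add(node)
            comp.add(node)
            queue.extend(g[node] - seen)
        comps.append(comp)
    return comps


def attacker_clusters(sample_c2, dns_records):
    """Samples grouped by connectivity through shared C&C hosts, resolved IPs
    and registrant contact; returns a sorted list of sorted sample-name lists."""
    clusters = []
    for comp in components(build_graph(sample_c2, dns_records)):
        samples = sorted(n[1] for n in comp if n[0] == "sample")
        if samples:
            clusters.append(samples)
    return sorted(clusters)


def pivot(domain, dns_records):
    """Slide 14's leads from one C&C domain: the IPs it has used and the other
    domains registered with the same contact, with their IPs."""
    rec = dns_records[domain]
    same_contact = {d: list(r["ips"]) for d, r in dns_records.items()
                    if d != domain and r["contact"] == rec["contact"]}
    return {"contact": rec["contact"], "ips": list(rec["ips"]),
            "same_contact_domains": same_contact}


if __name__ == "__main__":
    print(attacker_clusters(SAMPLE_C2, DNS_RECORDS))
    print(pivot("c2-one.example.test", DNS_RECORDS))
```

On the constructed data samples A and B share a C&C host, C is pulled in because its C&C domain was registered with the same contact, and D stays alone: the IP it contacts is also used by a domain with a different registrant. A shared contact is a lead, not proof; a registrar privacy service or a deliberately misleading registration (slide 15) would merge unrelated samples, so each edge type should be weighed before a cluster is attributed to one attacker.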

  17. Attackers
  • Will balance cost, risk & potential profit
    • Sophistication is expensive
    • Will only employ sophisticated techniques when there is sufficient profit
    • Will use whatever techniques work
  • Understand social behavior
    • Security professionals have limited time / resources and work fixed hours
    • Infrastructure used for an attack will eventually be shut down
    • Schedule attacks to maximize the time until the attack is noticed

  18. Attackers cont.
  • Understand the culture of the victims being targeted
    • E-mail, application icons, programs named to be as enticing as possible
  • Exploit jurisdictions & geography
    • Know the law enforcement difficulties of working internationally
    • Use several proxies in different countries to route connections
    • Know which countries are weak on cyber enforcement

  19. Attackers cont.
  • Monetary thresholds & other crimes
    • Know that most countries have monetary limits on the crimes pursued
    • Internet provides "protection" for attackers
    • Rules for juveniles are different; attackers exploit this
  • Study & evade network defenses
    • Understand how firewalls & antivirus software work
    • Have learned how to circumvent security measures
    • Outbound connections to C&C and drop sites
      • Use the ubiquitous HTTP protocol
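Slide 19 ends on the point that C&C and drop-site traffic rides on ordinary outbound HTTP, which is exactly why a firewall allows it. One property that still distinguishes a C&C check-in from browsing is timing: the malware asks for commands on a near-fixed schedule, while a person's requests come in bursts. The script below is an added example, not part of the presentation, of that check over a proxy log: it groups requests by source and host, computes the gaps between successive contacts, and flags pairs whose gaps are nearly constant. The log format, hosts and timestamps are constructed.

```python
"""Flag outbound HTTP connections that recur on a near-fixed schedule, the
pattern of a C&C check-in hiding in ordinary web traffic.
Added example; the proxy log format, hosts and timestamps are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: date time source method url.  One host is contacted
# every ~5 minutes; the other is an ordinary news site browsed in bursts.
LOG = """\
2010-04-26 09:00:00 10.0.0.5 GET http://cc-example.test/gate.php
2010-04-26 09:00:04 10.0.0.5 GET http://www.example-news.test/
2010-04-26 09:00:05 10.0.0.5 GET http://www.example-news.test/style.css
2010-04-26 09:00:05 10.0.0.5 GET http://www.example-news.test/logo.png
2010-04-26 09:05:01 10.0.0.5 GET http://cc-example.test/gate.php
2010-04-26 09:09:59 10.0.0.5 GET http://cc-example.test/gate.php
2010-04-26 09:12:30 10.0.0.5 GET http://www.example-news.test/story/42
2010-04-26 09:15:00 10.0.0.5 GET http://cc-example.test/gate.php
2010-04-26 09:20:02 10.0.0.5 GET http://cc-example.test/gate.php
2010-04-26 09:25:00 10.0.0.5 GET http://cc-example.test/gate.php
2010-04-26 09:41:10 10.0.0.5 GET http://www.example-news.test/story/43
"""


def parse(text):
    """Yield (timestamp, source, host) per line of the constructed format."""
    for line in text.splitlines():
        date, time, src, _method, url = line.split(maxsplit=4)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        host = url.split("/")[2]          # scheme://host/... -> host
        yield ts, src, host


def find_beacons(text, min_hits=5, max_jitter=0.1):
    """Per (source, host): sort the contact times, take the gaps between them and
    report pairs with at least min_hits contacts whose gap spread
    (population stdev / mean) is at most max_jitter.  Thresholds are assumed
    starting points, to be tuned against a site's normal traffic."""
    times = defaultdict(list)
    for ts, src, host in parse(text):
        times[(src, host)].append(ts)

    beacons = []
    for (src, host), ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        period = mean(gaps)
        if period == 0:
            continue                        # all hits in the same second: a burst, not a beacon
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            beacons.append({"src": src, "host": host, "hits": len(ts_list),
                            "period_s": round(period, 1), "jitter": round(jitter, 3)})
    return sorted(beacons, key=lambda b: b["jitter"])


if __name__ == "__main__":
    for b in find_beacons(LOG):
        print(f"{b['src']} -> {b['host']}: {b['hits']} hits every ~{b['period_s']}s "
              f"(jitter {b['jitter']})")
```

On the constructed log only the 5-minute check-in is reported; the news site has as many requests but its gaps range from one second to half an hour. Software update checks and mail polling also beacon regularly, so the output is a triage list to compare against known-good hosts, and malware that randomises its sleep interval will need a looser `max_jitter` or a different feature (such as constant request size) to stand out.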

  20. Supporting Other Investigations
  • Malware code analysis may assist in other computer forensic investigations
  • Combating the "Malware on the Machine" defense
    • Defendants claim illegal materials on the computer are due to malware
    • Examine malware on the machine
    • Examine network traffic records
    • Could the malware have committed the crime?
    • Is functionality present in the malware to commit the attack?
