The purpose of this article is to show some different techniques for attack and
infection detection. While there is no one method to show all, the methods
outline here will help you to identify and detect the majority of attacks and
infections on your computer(s).
Three Components of Security
There are three components to system security and while ‘Prevention’ might get
all the headlines, the other two components are just as important.
Preventing infection is a universal goal for everyone who owns a computer, and
likely represents the bulk of their investment in security as everyone who is
connected to the internet should be running a current Anti-Virus and Firewall
and keeping up on their OS and software patches. These are examples of
preventative measures are they are meant to prevent attacks against your systems
from being successful.
Detection answers the age old question are my preventative defenses keeping me
safe. There are two forms of detection, monitoring of existing defensives and
detection of defense failures. In this article we will show samples of both.
As a wise saying goes ‘a failure to plan, is a plan for failure’ remediation is
your plan on how to return to a secure state if you find that your system has
been infected or has otherwise rendered unusable or unreliable. Examples of this
would include backups, system restore plans etc. While I’m not going to cover
any of these in this article you should have current backups and remediation
plans in hand.
System and Network Configuration
Our goal was to allow a computer to become exploited while monitoring the
network traffic and behavior of the system during and after the attack so we
could capture some of the key indicators that the average user could see and
understand. While these methods are targeted at the average user, security
professionals can also benefit from methods shown in this article.
Our victim computer was a XP system running SP1 and with no further patches,
which while not recommended, unfortunately does represent far too many systems
connected to the internet. The system was setup in the default configuration and
no other software was installed on it as the idea was to have an ‘out of the box
Once the system was built then we would expose it directly to the internet by
placing it in the ‘DMZ’ of the consumer level hardware firewall. It should be
mentioned that use of the DMZ in consumer grade routers and firewalls is highly
dangerous and could lead to compromise of every system on your network (see our
article on DMZ Dangers). A second computer was attached to the WAN Firewall, but
behind its own firewall to collect the firewall logs.
The ISP used for these experiments was Shaw in Calgary, which is a high speed
residential cable provider and hence representative of most home users. Shaw
does not filter any ports or traffic. The system was not used for surfing,
email, or anything else. It was simply turned on and connected to the internet
such that it would be exploited by network based attacks.
This test was repeated several times at different times of the day and night and
after each test the system was nuked paved (meaning rebuilt from the hard drive
partitions up to ensure a clean install each time). Each time the system was
exposed directly to the internet it was attacked and infected within minutes (no
system lasted longer then five minutes before being compromised).
Messenger SpamMessenger spam takes advantage of Windows built in Alert Messenger service to
display advertisements. The Alert Messenger service was originally intended to
display messages from things like network printers or as a way for network
administrators to send out notices. These messages can be very annoying as they
pop to the front of your screen and interrupt what you are doing. They appear as
a text message with an OK button at the bottom. Given the dubious nature of this
marketing scheme, these web sites and products should be viewed with a large
degree of suspicion if not avoided entirely.
Messenger Spam attempt in Link Logger. The spammer uses multiple ports
(typically 1025 – 1029) as the Messenger Service typically runs on one of these
Typically the messages themselves are harmless (but usually very bogus), but
their presence tends to indicate two very important facts, first you are
connected directly to the internet otherwise the firewall would have blocked
them, and second you are not running the latest set of OS patches which
typically disabled this service.
In Link Logger we try to indicate which attacks were blocked by your firewall
and which ones were not. Typically most network based worms have a two part
attack. The first part is where they try to exploit some vulnerability in your
operating system or some application. The second part is where they download the
rest of the worm, or otherwise contact a bot command and control center. The
idea behind patching is if you deny the attacker the exploit then the attack is
foiled. There has yet to be a mass worm attack where it has exploited a zero day
exploit, meaning that every worm thus far as taken advantage of exploits for
which there were patches already available for, or other terms if people patched
their systems quickly enough, no worm thus far would have been successful in
making headline news.
Sample of Link Logger showing blocked scan and attack attempts. Notice the
‘banned’ icon which indicates the attack was blocked by the firewall.
Link Logger chart showing the Inbound attacks during our tests. It should be
noted that this number of attacks is common for most systems connected to the
Download of Infection
There are many mechanism for downloading the rest of the worm, but typically
there are four principle methods, tftp, ftp, http, and remote command shells.
In this sample Link Logger tracks an ICMP scan and attack on TCP port 135 which
resulted in a successful attack and the victim system then contacted the
attacker via TFTP (UDP port 69) to download and execute the rest of the worm.
In this attack the attacker tries to exploit a vulnerability on TCP Port 135 and
part of the attack includes creating a remote command shell on TCP port 4460 to
which the attacker sends instructions to the victim to download the worm from
TCP port 18394 and then execute it. You can see more detailed captures of this
type of attack and command shell commands that I posted at:
IRC bots are particularly dangerous as once the system is infected with a bot,
it can control and modified remotely to suit whatever purpose the bot master has
in mind. Any outbound traffic to TCP port 6667 should be investigated
immediately, but note that IRC channels can be configured to use other ports
Sample of an attack which then communicates to an IRC server for further
instructions. The attack from 18.104.22.168 exploit a vulnerability on port 135
which caused the victim to communicate back to the attacker to download and
execute the rest of the worm via TCP port 6122 which then contacts an IRC server
for further instructions.
Typically exploits which use buffer overflows tend to crash the service or
application they exploited, and sometimes Windows might display an Alert Windows
to advise you of a problem. These should be taken seriously as more often then
not they indicate that someone has successfully hacked the service and your
system is now suspect for infection.
The unexpected appearance of popups on your screen advertising products and
services is frequently an indication that something has infected your system as
this is a common revenue generation scheme for the hacker. Some software does
use adware as a form of compensation for the author of software, but reputable
software should indicate this upon installation, so it is best to read the user
agreements when installing software on your system.
Sample adware popup, note the adware knows we are located in Alberta (and likely
in Calgary from looking up who our ISP is from our IP Address). This is an
example of a browser popup.
Example of MacroMedia based adware popup appearing on top of MSPaint.
The sudden appearance of repeated error messages on a system which previously
ran cleanly would also tend to be an indicator that something has infected your
system. Approximately 80% of Doc Watson dumps (shown below) that Microsoft
receives are the caused by infections or poorly written malware.
Microsoft Error Report
Some times you will receive a response from Microsoft; in this case the problem
was caused by the Sasser worm.
An example of a crash caused by poorly written malware.
As with Adware, browser modifications are another way for hackers to generate
revenue from your infected system or as a possible social engineering attack to
get you to go a site and exposure you to further infection via a browser based
attack or to subject you to a phishing attempt (obtain personal information
pertaining to your identity or financial information for example). If your
browser unrepentantly changes its appearance or your search or error pages
change unexpectedly then it is likely your system has become infected.
After, note the addition of toolbar and other features which were installed by
Often systems which have been exploited are used to find and exploit other
systems. We have seen many cases where an infected system was scanning well over
a hundred thousand scans/attacks per hour. Typically most worms use a weighted
algorithm focusing on local IP Addresses to scan and attack. This means once a
system is infected other systems on the same network or in the same netblock
will typically be scanned or attacked.
Link Logger Outbound Traffic for ports 135 and 445 which were the ports that
infected systems scanned out and attacked on. Every infection except one went
into a scan/attack mode.
Link Logger showing outbound attacks at over 50,000 IP Addresses per hour from
the infected system.
Link Logger Outbound Port usage showing that ports used for scans/attacks easily
dominate the usage chart (Port 445 - 86%, Port 135 – 13%).
Link Logger Alerts for Outbound attacks and scans.
Link Logger showing the infected system in attack mode.
Link Logger chart showing that most of the scans and attacks targeted the local
netblock of 192.168.x.x. This is significant in that placing a vulnerable system
in the DMZ would result in a scan/attack on every other system behind our
firewall from the infected system.
One infection used ICMP pings to locate system on the local netblock.
Link Logger showing a spike in Outbound ICMP traffic.
Link Logger showing the infected system in ICMP scan mode.
The DOS 'netstat –A' command is way to see what network connections are open on
your system. On a typical system you don’t have a lot of active network
connections, but on an infected system which is scanning and attacking other
computers on the internet the netstat results are likely to be several pages
Typical 'netstat –A' results on a clean system
Results of a 'netstat –A' command on a system which is infected and scanning
Another way to check for unauthorized network activity is to check the
Networking performance in the Windows Task Manager. There were no browser open
or any other desktop applications which would use network traffic yet the worm
was active on the network.
Hopefully this article has shown you what some indicators are of an infected or
otherwise unhealthy system. Of course the indicators can vary in different cases
and even be totally absent in the case of a system infected with a root kit. In
the case of a root kit infection you can no longer trust the system to reliable
report its status to you as the very purpose of a root kit is to hide files,
processes, etc from the user. In the case of a root kit infection traffic logs
from your firewall can make all the difference in detection.
Pillars of Security
How do you keep a system free of infection? Simple question, difficult goal as
hackers tend to be rather creative and the attack surface is huge, in that it
includes both technical and social attack surfaces, but there are some simple
steps you can take which can greatly increase your security.
Keep all systems and software fully patched. With Windows this is easy and can
even be set to automatically download and install patches. Patching applications
that you use can be a little more difficult, but remember as your OS vendor
increases the security of your OS, then hackers will be forced to look at
applications as their next door to install their malware on your system.
Run a current Anti-Virus, which means your Anti-Virus has the latest virus
signatures. Most Anti-Viruses can be configured to automatically check for and
download updates. Remember an out of data Anti-Virus is only marginally better
then no Anti-Virus at all.
Firewalls are designed to protect you from unsolicited inbound traffic, which
simply means any network based attacks will be safely blocked at the firewall
before they can reach and infect the systems behind the firewall.
Monitoring your system’s behavior and your defenses is essential. If you notice
strange behaviors from your system, or alerts from your defenses like your
AntiVirus, Firewall, etc, then you should investigate to ensure your systems are
not infected and hopefully this article has given you idea as to what behaviors
or indicators you can monitor.
Knowledge is always the most powerful tool, and by practicing such measures as
not executing unsolicited email attachments, refraining from surfing to unknown
or otherwise untrusted sites, and being careful not to give out personal
information, etc, then you will have taken huge steps to ensuring your security
Page last updated on
November 26, 2006