Link Logger for Windows

Detection
Introduction


The purpose of this article is to show some different techniques for attack and infection detection. While no single method will catch everything, the methods outlined here will help you identify and detect the majority of attacks and infections on your computer(s).

Three Components of Security

There are three components to system security, and while ‘Prevention’ might get all the headlines, the other two components are just as important.

Prevention

Preventing infection is a universal goal for everyone who owns a computer, and likely represents the bulk of their investment in security, as everyone who is connected to the internet should be running a current Anti-Virus and Firewall and keeping up on their OS and software patches. These are examples of preventative measures, as they are meant to prevent attacks against your systems from being successful.
 

Detection

Detection answers the age-old question: are my preventative defenses keeping me safe? There are two forms of detection, monitoring of existing defenses and detection of defense failures. In this article we will show samples of both.
 

Remediation

As a wise saying goes, ‘a failure to plan is a plan for failure’. Remediation is your plan for how to return to a secure state if you find that your system has been infected or has otherwise been rendered unusable or unreliable. Examples of this would include backups, system restore plans, etc. While I’m not going to cover any of these in this article, you should have current backups and remediation plans in hand.

 

System and Network Configuration

Our goal was to allow a computer to become exploited while monitoring the network traffic and behavior of the system during and after the attack, so that we could capture some of the key indicators that the average user could see and understand. While these methods are targeted at the average user, security professionals can also benefit from the methods shown in this article.

Our victim computer was an XP system running SP1 with no further patches, which, while not recommended, unfortunately does represent far too many systems connected to the internet. The system was set up in the default configuration and no other software was installed on it, as the idea was to have an ‘out of the box’ system.

Once the system was built, we exposed it directly to the internet by placing it in the ‘DMZ’ of a consumer-level hardware firewall. It should be mentioned that use of the DMZ in consumer-grade routers and firewalls is highly dangerous and could lead to compromise of every system on your network (see our article on DMZ Dangers). A second computer was attached to the WAN firewall, but behind its own firewall, to collect the firewall logs.

The ISP used for these experiments was Shaw in Calgary, which is a high speed residential cable provider and hence representative of most home users. Shaw does not filter any ports or traffic. The system was not used for surfing, email, or anything else. It was simply turned on and connected to the internet such that it would be exploited by network based attacks.

This test was repeated several times at different times of the day and night, and after each test the system was nuked and paved (meaning rebuilt from the hard drive partitions up to ensure a clean install each time). Each time the system was exposed directly to the internet it was attacked and infected within minutes (no system lasted longer than five minutes before being compromised).

 

Attack Detection

Messenger Spam

Messenger spam takes advantage of Windows’ built-in Alert Messenger service to display advertisements. The Alert Messenger service was originally intended to display messages from things like network printers, or as a way for network administrators to send out notices. These messages can be very annoying as they pop to the front of your screen and interrupt what you are doing. They appear as a text message with an OK button at the bottom. Given the dubious nature of this marketing scheme, these web sites and products should be viewed with a large degree of suspicion, if not avoided entirely.
 


 

Messenger Spam attempt in Link Logger. The spammer uses multiple ports (typically 1025 – 1029) as the Messenger Service typically runs on one of these ports.

Typically the messages themselves are harmless (but usually very bogus), but their presence tends to indicate two very important facts: first, you are connected directly to the internet, otherwise the firewall would have blocked them, and second, you are not running the latest set of OS patches, which typically disable this service.

Attack

In Link Logger we try to indicate which attacks were blocked by your firewall and which ones were not. Typically most network based worms have a two part attack. The first part is where they try to exploit some vulnerability in your operating system or some application. The second part is where they download the rest of the worm, or otherwise contact a bot command and control center. The idea behind patching is that if you deny the attacker the exploit then the attack is foiled. There has yet to be a mass worm attack which exploited a zero day vulnerability, meaning that every worm thus far has taken advantage of exploits for which patches were already available; in other terms, if people had patched their systems quickly enough, no worm thus far would have been successful in making headline news.

Sample of Link Logger showing blocked scan and attack attempts. Notice the ‘banned’ icon which indicates the attack was blocked by the firewall.



Link Logger chart showing the Inbound attacks during our tests. It should be noted that this number of attacks is common for most systems connected to the internet.

Download of Infection

There are many mechanisms for downloading the rest of the worm, but typically there are four principal methods: tftp, ftp, http, and remote command shells.

In this sample Link Logger tracks an ICMP scan and an attack on TCP port 135 which resulted in a successful exploit; the victim system then contacted the attacker via TFTP (UDP port 69) to download and execute the rest of the worm.
 

In this attack the attacker tries to exploit a vulnerability on TCP port 135, and part of the attack includes creating a remote command shell on TCP port 4460, through which the attacker sends instructions to the victim to download the worm from TCP port 18394 and then execute it. You can see more detailed captures of this type of attack and the command shell commands that I posted at:
http://www.dslreports.com/forum/remark,14144036?hilite=70

IRC

IRC bots are particularly dangerous as once the system is infected with a bot, it can be controlled and modified remotely to suit whatever purpose the bot master has in mind. Any outbound traffic to TCP port 6667 should be investigated immediately, but note that IRC channels can be configured to use ports other than 6667.

Sample of an attack which then communicates with an IRC server for further instructions. The attack from 70.71.13.43 exploited a vulnerability on port 135, which caused the victim to communicate back to the attacker to download and execute the rest of the worm via TCP port 6122, which then contacted an IRC server for further instructions.

Warnings

Typically exploits which use buffer overflows tend to crash the service or application they exploited, and sometimes Windows might display an alert window to advise you of a problem. These should be taken seriously, as more often than not they indicate that someone has successfully hacked the service and your system is now suspect for infection.


 

Infection Detection

Adware

The unexpected appearance of popups on your screen advertising products and services is frequently an indication that something has infected your system, as this is a common revenue generation scheme for the hacker. Some software does use adware as a form of compensation for the author of the software, but reputable software should indicate this upon installation, so it is best to read the user agreements when installing software on your system.

Sample adware popup; note the adware knows we are located in Alberta (and likely in Calgary, from looking up who our ISP is from our IP address). This is an example of a browser popup.


Example of MacroMedia based adware popup appearing on top of MSPaint.

Warnings

The sudden appearance of repeated error messages on a system which previously ran cleanly would also tend to be an indicator that something has infected your system. Approximately 80% of the Dr. Watson dumps (shown below) that Microsoft receives are caused by infections or poorly written malware.

Microsoft Error Report

Sometimes you will receive a response from Microsoft; in this case the problem was caused by the Sasser worm.

An example of a crash caused by poorly written malware.

 

Browser Modifications

As with Adware, browser modifications are another way for hackers to generate revenue from your infected system, or a possible social engineering attack to get you to go to a site that exposes you to further infection via a browser based attack, or to subject you to a phishing attempt (to obtain personal information pertaining to your identity or financial information, for example). If your browser unexpectedly changes its appearance, or your search or error pages change unexpectedly, then it is likely your system has become infected.


Before



After, note the addition of toolbar and other features which were installed by the infection.

Outbound Scans

Often systems which have been exploited are used to find and exploit other systems. We have seen many cases where an infected system was generating well over a hundred thousand scans/attacks per hour. Typically most worms use a weighted algorithm focusing on local IP addresses to scan and attack. This means that once a system is infected, other systems on the same network or in the same netblock will typically be scanned or attacked.

Link Logger Outbound Traffic for ports 135 and 445 which were the ports that infected systems scanned out and attacked on. Every infection except one went into a scan/attack mode.

Link Logger showing outbound attacks at over 50,000 IP Addresses per hour from the infected system.

Link Logger Outbound Port usage showing that ports used for scans/attacks easily dominate the usage chart (Port 445 - 86%, Port 135 – 13%).

Link Logger Alerts for Outbound attacks and scans.

Link Logger showing the infected system in attack mode.

Link Logger chart showing that most of the scans and attacks targeted the local netblock of 192.168.x.x. This is significant in that placing a vulnerable system in the DMZ would result in a scan/attack on every other system behind our firewall from the infected system.

One infection used ICMP pings to locate systems on the local netblock.

Link Logger showing a spike in Outbound ICMP traffic.

Link Logger showing the infected system in ICMP scan mode.

The DOS 'netstat -A' command is a way to see what network connections are open on your system. On a typical system you don’t have a lot of active network connections, but on an infected system which is scanning and attacking other computers on the internet the netstat results are likely to be several pages long.

Typical 'netstat -A' results on a clean system
 

Results of a 'netstat -A' command on a system which is infected and scanning out.

Another way to check for unauthorized network activity is to check the Networking performance tab in the Windows Task Manager. There was no browser open, nor any other desktop application which would generate network traffic, yet the worm was active on the network.
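The indicators described in the ‘Download of Infection’, ‘IRC’ and ‘Outbound Scans’ sections can be checked mechanically against a firewall log. The following is an added example, not Link Logger’s own code: it reads a constructed, simplified log format (one line per connection, assumed here, not Link Logger’s real export) and flags a victim calling back the host that just hit it on port 135/445, TFTP downloads, outbound IRC on 6667, Messenger-spam datagrams on UDP 1025–1029, and a host probing many distinct addresses on 135/445 within one clock hour. The scan threshold is an assumed value, set low for the sample.

```python
from collections import defaultdict
from datetime import datetime

SCAN_PORTS = {135, 445}          # ports the infected systems scanned out and attacked on
IRC_PORT, TFTP_PORT = 6667, 69   # bot command-and-control and worm download channels

# Constructed sample log, not real Link Logger output: "date time dir proto src:port dst:port".
# An inbound hit on 135, the victim calling the attacker back over TFTP, an IRC connection,
# a Messenger-spam datagram, then a burst of outbound port 445 probes across the local netblock.
SAMPLE_LOG = "\n".join(
    ["2006-11-26 10:00:01 IN  TCP 70.71.13.43:2031 192.168.1.10:135",
     "2006-11-26 10:00:03 OUT UDP 192.168.1.10:1045 70.71.13.43:69",
     "2006-11-26 10:00:09 OUT TCP 192.168.1.10:1046 10.9.8.7:6667",
     "2006-11-26 10:00:15 IN  UDP 203.0.113.5:32000 192.168.1.10:1026"]
    + [f"2006-11-26 10:01:{i:02d} OUT TCP 192.168.1.10:{1100 + i} 192.168.1.{i + 2}:445"
       for i in range(20)])

def analyse(log_text, scan_threshold=50):
    """Return alert tuples for the indicators found in log_text.  scan_threshold is the
    number of distinct hosts one source must probe on a scan port in one clock hour."""
    alerts, attackers = [], set()
    per_hour = defaultdict(set)      # (src, dport, hour) -> distinct destinations probed
    for line in log_text.splitlines():
        date, clock, direction, proto, src, dst = line.split()
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        hour = when.replace(minute=0, second=0)
        sip = src.rsplit(":", 1)[0]
        dip, dport = dst.rsplit(":", 1)
        dport = int(dport)
        if direction == "IN":
            if proto == "TCP" and dport in SCAN_PORTS:
                attackers.add(sip)       # remember who tried to exploit us
            elif proto == "UDP" and 1025 <= dport <= 1029:
                alerts.append(("messenger-spam", sip, dip))
            continue
        if dip in attackers:             # victim contacting its attacker back: the exploit worked
            alerts.append(("callback-to-attacker", sip, dip, proto, dport))
        if proto == "UDP" and dport == TFTP_PORT:
            alerts.append(("tftp-download", sip, dip))
        elif proto == "TCP" and dport == IRC_PORT:
            alerts.append(("irc-c2", sip, dip))
        elif proto == "TCP" and dport in SCAN_PORTS:
            per_hour[(sip, dport, hour)].add(dip)
    for (sip, dport, hour), targets in per_hour.items():
        if len(targets) >= scan_threshold:
            alerts.append(("outbound-scan", sip, dport, len(targets)))
    return alerts

if __name__ == "__main__":
    print(*analyse(SAMPLE_LOG, scan_threshold=10), sep="\n")
```

On a real log the threshold should sit far above what a desktop generates in an hour; the infected systems in these tests were probing tens of thousands of addresses per hour, so even a conservative value separates them cleanly.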

 

Conclusion

Hopefully this article has shown you some of the indicators of an infected or otherwise unhealthy system. Of course the indicators can vary from case to case, and can even be totally absent in the case of a system infected with a rootkit. In the case of a rootkit infection you can no longer trust the system to reliably report its status to you, as the very purpose of a rootkit is to hide files, processes, etc. from the user. In the case of a rootkit infection, traffic logs from your firewall can make all the difference in detection.

Pillars of Security

How do you keep a system free of infection? Simple question, difficult goal, as hackers tend to be rather creative and the attack surface is huge, in that it includes both technical and social attack surfaces, but there are some simple steps you can take which can greatly increase your security.

Patch

Keep all systems and software fully patched. With Windows this is easy and can even be set to automatically download and install patches. Patching the applications that you use can be a little more difficult, but remember that as your OS vendor increases the security of your OS, hackers will be forced to look at applications as their next door to install their malware on your system.

Anti Virus

Run a current Anti-Virus, which means your Anti-Virus has the latest virus signatures. Most Anti-Viruses can be configured to automatically check for and download updates. Remember that an out of date Anti-Virus is only marginally better than no Anti-Virus at all.

Firewall

Firewalls are designed to protect you from unsolicited inbound traffic, which simply means any network based attacks will be safely blocked at the firewall before they can reach and infect the systems behind the firewall.

Monitor

Monitoring your system’s behavior and your defenses is essential. If you notice strange behaviors from your system, or alerts from your defenses like your AntiVirus, Firewall, etc., then you should investigate to ensure your systems are not infected. Hopefully this article has given you an idea of what behaviors or indicators you can monitor.

Safe Hex

Knowledge is always the most powerful tool, and by practicing such measures as not executing unsolicited email attachments, refraining from surfing to unknown or otherwise untrusted sites, and being careful not to give out personal information, you will have taken huge steps towards ensuring your security online.
 

Page last updated on November 26, 2006