Internet Vulnerabilities & Criminal Activity
Internet Forensics 12.1
April 26, 2010

Internet Forensics & Computer Forensics
- Computer forensics
  - Computer is off / power it off
  - Hard drive is imaged
  - Examination is made of the hard drive copy
  - No live capture of memory
- Internet forensics
  - Done while the computer is on
  - May or may not examine memory
  - Network activity is captured and analyzed

Malware Analysis
- Goal: provide insight into attackers
- Malware has two purposes
  - Steal information from victim computers
  - Commandeer victim computers' resources for the attacker's use
- Malware secondary features
  - Propagation
  - Locate & terminate security programs & competing malware
  - Hide itself from system administrators

Malware Programs
- Most are derived from a small, stable base of existing code
  - Small changes to the obfuscation scheme
  - Command & control credentials change
  - No need to change what works
- Custom-programmed malware is unlikely to be identified by security software

Extracting Information
- Author vs attacker: more interested in the attacker
- Information that can lead to the attacker's identity
  - How the malware interacts with the Internet
  - What type of information is being targeted
  - Commonalities with previously analyzed software

Malware Network Interactions
- Receiving commands: command & control site
- Exfiltrating data: drop site
- Unique identifier (advertising fraud)

Identifying Advertising Revenue
- Advertising fraud: pay-per-view, pay-per-click, pay-per-install
- To receive revenue, the web site operator must be identified
- Tracking number
  - May be found in the malware
  - May be found in the URL for the advertisement
- The extracted tracking number is the starting point for identifying the recipient

Identifying Drop Sites
- Malware that steals data will upload it to a specific site for later retrieval
  - Passwords, keystrokes, network traffic, documents
- Data may be uploaded to the drop site using HTTP, FTP or e-mail

Identifying Drop Sites (cont.)
- Drop site location
  - May be hard coded into the malware
  - May be found by a query to a web site or IRC channel
- Possible actions once the drop site is located
  - Analyze traffic to the site to help find the attacker
  - Analyze data at the drop site & inform victims and financial institutions
  - Shut down the drop site (will only work with a hard-coded site)

Forensic Examination
- Computer is off
  - Image the hard drive on site
  - Transport the computer to the lab and image the hard drive
  - Examine the image in a lab environment
- Computer is on
  - Observe & document the following before shutting the machine down: running processes, open ports, memory, use of encryption

Examination of Malware
- Malware files should be located, recovered, neutralized to prevent accidental execution, and analyzed
- Antivirus testing
  - Can identify known malware
  - Information can be obtained from the antivirus vendor's web site
  - Cannot identify network contact sites
  - Antivirus sites are not detailed or accurate enough for court

Examination of Malware (cont.)
- Study strings in the binary
  - Locates embedded text
  - Text may be packed to further obfuscate it
  - Indicates the malware has specific targets
- Runtime analysis
  - Run the malware in an isolated environment
  - Use a simulation of the Internet & the targeted sites
  - Use network tools to observe the malware's behavior
  - Look for the method used to transfer data and the address where data is sent

Examination of Malware (cont.)
- Reverse engineering
  - Converts the file back to source code
  - Needs some understanding of programming
- Identify sites used for command & control (C&C)
  - Central point of communication between malware & attacker
  - C&C sites are usually illegally hosted on compromised servers
  - Look for the host name / IP number of the C&C site
  - The attacker will normally connect to the C&C site using a proxy or other compromised host

Examination of Malware (cont.)
- Identify C&C site (continued)
  - Malware identifies the C&C site using an IP address or a DNS resource record
  - An IP address is more vulnerable, as it can be shut down
  - A DNS resource record can simply be resolved to a new IP number
  - The nature of the DNS record can provide leads
    - Contact & payment details
    - Other DNS records with the same contact information
    - Other IP addresses associated with the DNS record
  - The attacker's choice of host or network type can provide information on the attacker's activities

Extracting Incidental Artifacts
- Other information stored in the malware can have investigative value
  - Use the "strings" command
  - Messages or comments from the author or attacker
  - Metadata about the development environment
- May be placed in the malware to intentionally mislead investigators
- May lead to the author, not the attacker

More to Learn from Malware
- Two different malwares using the same C&C site may belong to the same attacker
- Why not go after the author? Prosecution requires knowledge, intent, and damages & monetary loss
- Techniques used by malware authors point out weaknesses in network security

Attackers
- Will balance cost, risk & potential profit
  - Sophistication is expensive
  - Will only employ sophisticated techniques when there is sufficient profit
  - Will use whatever techniques work
- Understand social behavior
  - Security professionals have limited time / resources and work fixed hours
  - Infrastructure used for an attack will eventually be shut down
  - Schedule attacks to maximize the time until the attack is noticed

Attackers (cont.)
- Understand the culture of the victims being targeted
  - E-mail, application icons and programs are named to be as enticing as possible
- Exploit jurisdictions & geography
  - Know the difficulties law enforcement has working internationally
  - Use several proxies in different countries to route connections
  - Know which countries are weak on cyber enforcement

Attackers (cont.)
- Monetary thresholds & other crimes
  - Know that most countries have monetary limits on the crimes they pursue
  - The Internet provides "protection" for attackers
  - Rules for juveniles are different; attackers exploit this
- Study & evade network defenses
  - Understand how firewalls & antivirus software work
  - Have learned how to circumvent security measures
  - Outbound connections to C&C and drop sites use the ubiquitous HTTP protocol

Supporting Other Investigations
- Malware code analysis may assist in other computer forensic investigations
- Combating the "malware on the machine" defense
  - Defendants claim illegal material on the computer is due to malware
  - Examine the malware on the machine
  - Examine network traffic records
  - Could the malware have committed the crime?
  - Is the functionality to commit the attack present in the malware?
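As an added example (not part of the original slides), the Python script below carries out the "strings" step from the Examination of Malware and Extracting Incidental Artifacts slides on a constructed byte string: it pulls out embedded strings, sorts the network-related ones into candidate drop-site / C&C / tracking-number leads, and flags high-entropy regions that suggest packing, where strings only become visible at runtime. The sample bytes, domain names, IP address and e-mail address are all made up for the example.

```python
# Triage pass over a suspect binary: extract strings, sort network leads, flag packed regions.
# All sample data is constructed for this example (not real malware).
import math
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Packed-looking filler: non-printable bytes with a flat histogram (constructed).
PACKED = (bytes(range(0x80, 0x100)) + bytes(range(0x00, 0x20))) * 3
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 24                     # fake header
    + b"POST /upload.php HTTP/1.1\x00"                         # transfer method
    + b"http://drop.example.invalid/upload.php?aff=48213\x00"  # drop site + tracking id
    + b"198.51.100.23\x00"                                     # documentation-range IP
    + b"collector@mail.example.invalid\x00"                    # e-mail exfil address
    + b"built by xyz 2010-04\x00"                              # incidental artifact
    + PACKED
)
PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def extract_strings(data, min_len=6):
    """Like the `strings` command: runs of printable ASCII of at least min_len."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def find_indicators(strings):
    """Sort strings into leads; URL query parameters are listed separately
    because affiliate/tracking numbers often travel there."""
    leads = {kind: sorted({v for s in strings for v in pat.findall(s)})
             for kind, pat in PATTERNS.items()}
    tracking = {}
    for url in leads["url"]:
        for key, vals in parse_qs(urlsplit(url).query).items():
            tracking.setdefault(key, []).extend(vals)
    leads["tracking"] = tracking
    return leads

def shannon_entropy(chunk):
    """Bits per byte; near 8.0 means uniformly random, typical of packed/encrypted data."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def high_entropy_windows(data, size=256, step=128, threshold=7.0):
    """Offsets of windows that look packed: their strings only appear at runtime."""
    return [off for off in range(0, max(len(data) - size, 0) + 1, step)
            if shannon_entropy(data[off:off + size]) >= threshold]
```

Calling find_indicators(extract_strings(SAMPLE)) returns the URL, IP and e-mail leads plus the tracking parameter from the URL query string, and high_entropy_windows(SAMPLE) reports only the offsets inside the packed-looking tail.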