
Internet Vulnerabilities & Criminal Activity
Internet Forensics 12.1, April 26, 2010





2 Internet Forensics & Computer Forensics
 Computer Forensics
    Computer is off, or is powered off by the examiner
    Hard drive is imaged
    Examination is made of the hard-drive copy
    No live capture of memory
 Internet Forensics
    Done while the computer is on
    May or may not examine memory
    Network activity is captured and analyzed

3 Malware Analysis
 Goal: provide insight into the attackers
 Malware has two purposes
    Steal information from victim computers
    Commandeer the victim computer's resources for the attacker's use
 Malware secondary features
    Propagation
    Locate and terminate security programs and competing malware
    Hide itself from system administrators

4 Malware Programs
 Most are derived from a small, stable base of existing code
    Small changes to the obfuscation scheme
    Command & control credentials change
    No need to change what works
 Custom-programmed malware is unlikely to be identified by security software (no signature exists for it yet)

5 Extracting Information
 Author vs attacker: the investigation is more interested in the attacker
 Information that can lead to the attacker's identity
    How the malware interacts with the Internet
    What type of information is being targeted
    Commonalities with previously analyzed software

6 Malware Network Interactions
 Receiving commands: command & control site
 Exfiltrating data: drop site
 Reporting a unique identifier (advertising fraud)

7 Identifying Advertising Revenue
 Advertising fraud
    Pay-per-view, pay-per-click, pay-per-install
    To receive revenue, the web site operator must be identified to the ad network
 Tracking number
    May be found in the malware
    May be found in the URL for the advertisement
 The extracted tracking number is the starting point for identifying the recipient of the revenue

8 Identifying Drop Sites
 Malware that steals data will upload it to a specific site for later retrieval
    Passwords, keystrokes, network traffic, documents
 Data may be uploaded to the drop site using:
    HTTP
    FTP
    E-mail

9 Identifying Drop Sites cont.
 Drop site location
    May be hard coded into the malware
    May be found by a query to a web site or IRC channel
 Possible actions once the drop site is located
    Analyze traffic to the site to help find the attacker
    Analyze data at the drop site and inform victims and financial institutions
    Shut down the drop site (only effective when the location is hard coded; malware that looks the site up can simply be pointed at a new one)

10 Forensic Examination
 Computer is off
    Image the hard drive on site, or
    Transport the computer to the lab and image the hard drive there
    Examine the image in a lab environment
 Computer is on
    Observe and document the following before shutting the machine down
       Running processes
       Open ports
       Memory
       Use of encryption (mounted encrypted volumes become inaccessible once powered off)

11 Examination of Malware
 Malware files should be:
    Located, recovered, neutralized to prevent accidental execution, analyzed
 Antivirus testing
    Can identify known malware
    Information can be obtained from the antivirus vendor's web site
    Cannot identify the network contact sites
    Antivirus write-ups are not detailed or accurate enough for court

12 Examination of Malware cont.
 Study strings in the binary
    Locates embedded text
    Text may be packed or encoded to hide it until runtime
    Embedded site or application names indicate the malware has specific targets
 Runtime Analysis
    Run the malware in an isolated environment
    Use a simulation of the Internet and of the targeted sites
    Use network tools to observe the malware's behavior
    Look for:
       Method used to transfer data
       Address where data is sent
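The drop-site and runtime-analysis points above (slides 6, 8, 9 and 12) come down to one question: by which protocol, and to which address, did data leave the sandbox? The following is an added example, not code from the presentation, that classifies the opening bytes of each outbound connection captured during a run against a simulated Internet. The captures, addresses and names are constructed (RFC 5737 ranges and example.* domains); the fake services that accepted these connections are assumed, not shown.

```python
"""Sort the connections a sample made during a sandbox run by exfiltration
method and destination.  Added example with constructed captures."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Stream:
    dst_ip: str
    dst_port: int
    payload: bytes      # first bytes the sample sent on the connection


@dataclass
class Finding:
    method: str         # HTTP, FTP, SMTP, IRC or UNKNOWN
    destination: str    # "host:port", using the hostname when the protocol names one
    detail: str         # path, file name, recipients, channel ...
    exfil: bool         # True when data actually left (POST body, STOR, RCPT TO)


HTTP_RE = re.compile(rb"^(GET|POST|PUT) (\S+) HTTP/1\.[01]\r\n(.*)", re.S)


def classify(s: Stream) -> Finding:
    p = s.payload
    m = HTTP_RE.match(p)
    if m:
        verb, path, rest = m.groups()
        host_m = re.search(rb"(?im)^Host:[ \t]*([^\r\n]+)", rest)
        host = host_m.group(1).decode() if host_m else s.dst_ip   # Host header beats the IP
        body = rest.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in rest else b""
        has_body = verb == b"POST" and len(body) > 0             # a POST with a body is the upload shape
        kind = "upload" if has_body else "beacon"
        return Finding("HTTP", f"{host}:{s.dst_port}",
                       f"{verb.decode()} {path.decode()} ({kind})", has_body)
    if re.search(rb"(?im)^(NICK|JOIN) ", p):                     # IRC before FTP: both send USER
        chan = re.search(rb"(?im)^JOIN (\S+)", p)
        detail = ("JOIN " + chan.group(1).decode()) if chan else "no channel joined"
        return Finding("IRC", f"{s.dst_ip}:{s.dst_port}", detail, False)
    if re.search(rb"(?im)^(USER|PASS|STOR|CWD) ", p):
        stor = re.search(rb"(?im)^STOR (\S+)", p)
        detail = ("STOR " + stor.group(1).decode()) if stor else "login only"
        return Finding("FTP", f"{s.dst_ip}:{s.dst_port}", detail, stor is not None)
    if re.match(rb"(?i)^(EHLO|HELO|MAIL FROM:)", p):
        rcpt = [r.decode() for r in re.findall(rb"(?im)^RCPT TO:\s*<?([^>\r\n]+)>?", p)]
        return Finding("SMTP", f"{s.dst_ip}:{s.dst_port}", "to " + ", ".join(rcpt), bool(rcpt))
    return Finding("UNKNOWN", f"{s.dst_ip}:{s.dst_port}",
                   "no cleartext banner (TLS or custom encoding); inspect in the debugger", False)


def analyze(streams: List[Stream]) -> List[Finding]:
    return [classify(s) for s in streams]


def exfil_destinations(findings: List[Finding]) -> List[str]:
    """Drop sites: the destinations that actually received victim data."""
    return sorted({f.destination for f in findings if f.exfil})


# Constructed captures (RFC 5737 addresses, example.* names); not from a real sample.
SAMPLE_STREAMS = [
    Stream("198.51.100.7", 80,
           b"POST /gate.php HTTP/1.1\r\nHost: drop.example.net\r\nContent-Length: 25\r\n\r\n"
           b"id=7a3f&data=cGFzc3dvcmRz"),
    Stream("203.0.113.5", 21, b"USER upload\r\nPASS s3cret\r\nSTOR keys_20100426.txt\r\n"),
    Stream("192.0.2.25", 25, b"EHLO victim\r\nMAIL FROM:<bot@victim.example>\r\n"
                             b"RCPT TO:<collector@example.org>\r\nDATA\r\n"),
    Stream("192.0.2.66", 6667, b"NICK bot1234\r\nUSER bot 0 * :bot\r\nJOIN #cmd\r\n"),
    Stream("192.0.2.99", 4444, b"\x17\x03\x01\x00\x40\x9c\x12\xaa"),
]

if __name__ == "__main__":
    findings = analyze(SAMPLE_STREAMS)
    for f in findings:
        print(f"{f.method:8} {f.destination:24} {f.detail}")
    print("drop sites:", exfil_destinations(findings))
```

The UNKNOWN bucket is the one to chase in the debugger: an encrypted or custom channel carries no banner, so the method and address come from the code (the function that wraps the socket) rather than from the wire.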

13 Examination of Malware cont.
 Reverse Engineering
    Recovers the program's logic from the binary (disassembly or decompilation); the original source code itself is not recovered
    Needs some understanding of programming
 Identify sites used for Command & Control (C&C)
    Central point of communication between the malware and the attacker
    C&C sites are usually hosted illegally on compromised servers
    Look for the host name or IP address of the C&C site
    The attacker will normally connect to the C&C site through a proxy or another compromised host

14 Examination of Malware cont.
 Identify the C&C site, continued
    Malware locates the C&C site by IP address or by DNS name
    A hard-coded IP address is fragile for the attacker: once that address is taken down, the malware loses contact
    A DNS name can simply be re-pointed to a new IP address
 The domain's registration and resolution records can provide leads
    Registrant contact and payment details
    Other domains registered with the same contact information
    Other IP addresses the name has resolved to
 The attacker's choice of host or network can reveal something about the attacker's activities

15 Extracting Incidental Artifacts
 Other information stored in the malware can have investigative value
    Use the "strings" command
    Messages or comments from the author or attacker
    Metadata about the development environment
 Caveats
    May have been placed in the malware intentionally to mislead investigators
    May lead to the author, not the attacker

16 More to Learn from Malware
 Two different malware samples using the same C&C site may belong to the same attacker
 Why not go after the author?
    Prosecution requires:
       Knowledge
       Intent
       Damages and monetary loss
 Techniques used by malware authors point out weaknesses in network security
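Added example for slides 13, 14 and 16, not code from the presentation: given the C&C indicator recovered from each sample, it pivots through a resolution history and registration contacts and clusters samples that share infrastructure. All records are constructed; `registrable_domain` is a deliberate simplification, and linking by registrant contact is optional because a privacy-proxy or reseller contact shared by thousands of unrelated domains would merge everything into one cluster.

```python
"""Pivot from the C&C indicator found in a sample to related infrastructure
and cluster samples that share it.  Added example with constructed data; the
resolution and registration records are illustrative, not real passive-DNS
or WHOIS output."""
import ipaddress
from collections import defaultdict

# Constructed: the C&C indicator recovered from each analysed sample.
SAMPLE_C2 = {
    "sample_a.exe": "cnc.example.net",
    "sample_b.exe": "198.51.100.7",
    "sample_c.exe": "update.example.org",
    "sample_d.exe": "203.0.113.9",
}
# Constructed passive-DNS history: (hostname, ip, first_seen).
RESOLUTIONS = [
    ("cnc.example.net", "198.51.100.7", "2010-03-01"),
    ("stats.example.info", "198.51.100.7", "2010-03-15"),   # co-hosted; may just be a shared server
    ("cnc.example.net", "203.0.113.40", "2010-04-10"),      # re-pointed after the first IP went down
    ("update.example.org", "203.0.113.41", "2010-04-12"),
]
# Constructed registration contact per registrable domain.
REGISTRANT = {
    "example.net": "ops@mailbox.example",
    "example.org": "ops@mailbox.example",
    "example.info": "other@mailbox.example",
}


def is_ip(indicator):
    try:
        ipaddress.ip_address(indicator)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    # Assumption: last two labels; a real tool would consult the public-suffix list.
    return ".".join(host.split(".")[-2:])


def pivot(host, resolutions=RESOLUTIONS, registrant=REGISTRANT):
    """Leads from one C&C hostname: its IP history, co-hosted names, and the
    other domains registered with the same contact."""
    history = sorted(resolutions, key=lambda r: r[2])
    ips = [ip for h, ip, _ in history if h == host]
    co_hosted = sorted({h for h, ip, _ in history if ip in ips and h != host})
    contact = registrant.get(registrable_domain(host))
    same_contact = sorted(d for d, e in registrant.items()
                          if contact and e == contact and d != registrable_domain(host))
    return {"ips": ips, "co_hosted": co_hosted, "registrant": contact,
            "same_registrant": same_contact, "repointed": len(set(ips)) > 1}


class DisjointSet:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_samples(sample_c2=SAMPLE_C2, resolutions=RESOLUTIONS,
                    registrant=REGISTRANT, link_registrant=True):
    """Group samples whose C&C infrastructure is connected through shared
    hosts, IPs or (optionally) registrant contacts."""
    ds = DisjointSet()
    hosts = {h for h, _, _ in resolutions} | {i for i in sample_c2.values() if not is_ip(i)}
    for h, ip, _ in resolutions:
        ds.union("host:" + h, "ip:" + ip)
    if link_registrant:
        for h in hosts:
            contact = registrant.get(registrable_domain(h))
            if contact:
                ds.union("host:" + h, "reg:" + contact)
    for sample, ind in sample_c2.items():
        ds.union("sample:" + sample, ("ip:" if is_ip(ind) else "host:") + ind)
    groups = defaultdict(list)
    for sample in sample_c2:
        groups[ds.find("sample:" + sample)].append(sample)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    print(pivot("cnc.example.net"))
    print("by DNS only:    ", cluster_samples(link_registrant=False))
    print("with registrant:", cluster_samples())
```

In the constructed data, sample_c joins the cluster only through the shared registrant contact, which is exactly the kind of link that needs corroboration before it is treated as evidence of one attacker.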

17 Attackers
 Balance cost, risk and potential profit
    Sophistication is expensive
    Sophisticated techniques are employed only when there is sufficient profit
    Will use whatever techniques work
 Understand social behavior
    Security professionals have limited time and resources, and work fixed hours
    Infrastructure used for an attack will eventually be shut down
    Schedule attacks (for example outside business hours) to maximize the time until the attack is noticed

18 Attackers cont.
 Understand the culture of the victims being targeted
    E-mails, application icons and programs are named to be as enticing as possible
 Exploit jurisdictions and geography
    Know the difficulties law enforcement has working internationally
    Use several proxies in different countries to route connections
    Know which countries are weak on cyber enforcement

19 Attackers cont.
 Monetary thresholds and other crimes
    Know that most countries have monetary limits below which crimes are not pursued
    The Internet provides "protection" for attackers
    Rules for juveniles are different, and attackers exploit this
 Study and evade network defenses
    Understand how firewalls and antivirus software work
    Have learned how to circumvent security measures
    Outbound connections to C&C and drop sites use the ubiquitous HTTP protocol, which firewalls allow out

20 Supporting Other Investigations
 Malware code analysis may assist in other computer forensic investigations
 Combating the "malware on the machine" defense
    Defendants claim the illegal material on the computer is due to malware
    Examine the malware on the machine
    Examine the network traffic records
    Could the malware have committed the crime?
    Is the functionality needed to commit the act present in the malware?




