Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC. Host based Analysis. {Himanshu Pareek,

Transcription

1 Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC Host based Analysis {Himanshu Pareek, {C-DAC Hyderabad, 1

2 Reference to previous lecture Bots use ICMP for passing commands Covert channel hacking SYN flooding attacks Key logger attacks Current Patch Process Autorun.INF Runs as a DLL attached to svchost.exe 2

3 Outline Introduction Network monitoring tools Analysis for malicious activities Application level analysis Developer s Call Implementing software packet capture 3

4 Prerequisites What is a socket Socket is the interface between the application layer and transport layer within a host Three way TCP handshake ARP HTTP Headers for Request and Response TCP Segment and UDP Datagram 4

5 HTTP : Request 5

6 HTTP : Response 6

7 Three way TCP Handshake 7

8 States for a TCP Client CLOSED Send SYN Receive FIN, send ACK TIME_WAIT SYN_SENT Receive SYN & ACK, Send SYN FIN_WAIT_2 ESTABLISHED Receive ACK, send nothing FIN_WAIT_1 Send FIN 8

9 States for a TCP Server Receive ACK, Send nothing CLOSED LAST_ACK LISTENING Send FIN Receive SYN, Send SYN and ACK CLOSE_WAIT SYN_RECVD Receive FIN, Send ACK ESTABLISHED Receive ACK, Send nothing 9

10 TCP Segment SRC PORT DST PORT SEQUENCE NUMBER ACKNOWLEDGEMENT NUMBER FLAGS RECV WINDOW CHECKSUM URGENT DATA PTR OPTIONS DATA 10

11 IPv4 Datagram Version Header Length Identification Type of Service FLAGS Total Length Fragment Offset TTL Protocol Header Checksum 32 BIT SOURCE IP ADDRESS 32 BIT DST IP ADDRESS OPTIONS DATA 11

12 Ethernet Frame Preamble SRC MAC Address DST MAC Address Type Data ARP IP IPv6 IPX 0x806 0x800 0x86DD 0x8137 Trailer/CRC 12

13 Analysis of mal-activities Automated Analysis for detecting attacks Using HIDS / HIPS / Network Security Solution OSSEC, OSIRIS, EnSAFE, Sana, Server IPS Manual analysis Why it is important A simple case Cost of ownership should be compared. Ability to handle encryption Useful in reversing the malware No single point of failure as in case of NIDS/NIPS 13

14 LAN Antivirus updated IDS Infected node 1. makes a silent scan of network 2. Detects a Vista system 3. Trying to connect at

15 Do it regular Checked ARP entries with command arp a Found a suspicious entry x.x.x.12 Started WIRESHARK It was sending ARPs to all the hosts in a small intervals of time Allowed to scan my system Sent SYNs to 137 Use TCP View to check concerned process (to ports) on both the victim system You can carry out the manual malware cleaning then. 15

16 Continued Network packet monitoring WIRESHARK (wireshark.org) Network Miner (networkminer.wiki.sourceforge.net) MS Network Monitor (Microsoft) Application level Want to monitor application behavior Anomaly detection at system call level System call interception Is it feasible with growing security requirements? 16

17 Traffic analysis of mal-activities IP Scanner 17

18 Traffic analysis of mal-activities A scan of a particular system 18

19 Traffic analysis of mal-activities Ms vulnerability getting exploited through a system Stack overflow in LSASS service Bulletin/MS mspx 19

20 20

21

22 Other Tools For Analysis PacketMon IP Sniffer Network Probe Sniff_hit UfaSoft Sniff for capturing packets at Wi-Fi links CaptureBAT (Honeynet Project) 22

23 Tip: help in reversing malware binary Run malware binary using virtualized OS MS Virtual PC Sun xvm VirtualBox Use any tool to monitor its network activity Use snort to monitor the activity http request packet analysis 23

24 Windows networking architecture Microsoft Windows sockets application (32 bit) Winsock 2.0 API Winsock 2.0 SPI Ws2_32.dll Layered Service Provider Mswsock.dll Msafd.dll User Mode 24

25 Contd. TDI Layer Afd.sys TDI Clients Kernel Mode NDIS exported Interface TCPIP.SYS Network protocol drivers NDIS Intermediate Driver Miniport Driver NDIS.SYS 25

26 Application level analysis System call interception Not supported Rootkits Documented interfaces LSP WSP APIs in the SDKs, direct mapping for network related calls. WFP Provides APIs in user mode to filter the packets Doesn t support MAC based filtering Callout Drivers Write kernel mode drivers to develop firewalls, IDS, application based filtering 26

27 Application level analysis Windows application (32 bit) 1. Uses IOCTL to talk TDI Client 2. Bypasses Winsock TDI Layer TDI Clients Kernel Mode 1. Use TDIMON Network stack 27

28 Modeling approaches Behavior based approaches Knowing the bad behavior and protecting against them Knowing the good behavior of the application FSM Artificial Neural Networks N-gram Probability Suffix Trees Anomaly Detection Issues with system call hooking Discouraged by OS vendors Used by rootkits not supported on 64 bit windows (carry patch guard) 28

29 Implementing packet capture NDIS IM Filter Driver Miniport Driver Protocol Driver 29

30 Relationships Between NDIS, Miniport Drivers, and Protocol Drivers TCP / IP Other Protocols NDIS Miniport Driver NDIS.SYS NIC Device 30

31 Intermediate Driver in the NDIS Driver Stack. TCP / IP Other Protocols NDIS Intermediate Driver Miniport Driver NDIS.SYS NIC Device 31

32 Intermediate Driver Layered Between Miniport Driver and Transport Driver Transport Driver Protocol Xxx Media X Miniport Xxx Media X Intermediate Driver Protocol Xxx Media Y Miniport Xxx Media Y Miniport Driver NDIS.SYS NIC Device 32

33 Simple NDIS_PACKET Illustration NDIS_PACKET ( Descriptor (Packet Private.Head NDIS Buffer ( Descriptor (Buffer Next StartVa NULL ( Bytes Packet Data ( 74 33

34 A More Complex NDIS_PACKET Representation NDIS_PACKET ( Descriptor (Packet Private.Head NDIS Buffer ( Descriptor (Buffer Next StartVa NDIS Buffer ( Descriptor (Buffer Next StartVa NULL ( Bytes Packet Data ( 0-13 ( Bytes Packet Data (

35 Research opportunities Secure development practices. Apple Mac, Windows Azure. Malware with Virtualization. Type 3 Malware. 35

36 References Further Reading Wireshark documentation Computer Networking: A Top Down Approach (Kurose/Ross) MS-Windows Platform SDK Microsoft Windows Driver Kit Fighting malicious code (James, Malin) 36

37 References Further Reading NPF. html Windows, WFP, Callouts are trademarks and products of Microsoft, US. Reference is given to these. Information presented in the presentation is taken from freely available resources. Microsoft holds the copyright. Procexp, procmon, tcpview are freely downloadable tools from technet. NDIS was jointly developed by 3com and Microsoft. More on NDIS: DDK Documentation, and 37

38 Thank you && Discussions queries 38