Posted by: realsecurity | November 26, 2008

Finding the unknown on your network

One of the things I constantly keep in mind is “how do I find what I don’t know about?”. An unknown threat is what will hurt you and your organization. So how does one find something they don’t know about?

From an intrusion detection perspective, this can be quite easy. Everyone knows (or should know) that many attacks evade both IDS and AV detection. This is unfortunate, but there is one aspect of these attacks that is very easy to detect: the transfer of an executable file.

Once a web-based malware attack, an IM worm, or a spammed email with a link to a malicious exe is successful, a payload must be downloaded. This payload is almost always an executable file, or perhaps a compressed file like a zip/rar/cab, etc. The file extension may be renamed to .gif or .php, but the content of the file doesn’t lie.

Simply write a Snort signature to look for the presence of the MZ/PE header inside the files traversing your network.

We have had great success with this technique. In the last 4 days alone, here are some exes seen traversing the network, with my observation beside each one:

– non exe extension
– non exe extension
– non meaningful name from an IP
– non exe extension
– no extension at all
– non exe extension
– probable fake AV
– probable fake AV
– probable fake AV
– non exe extension
– suspicious domain using a dynamic DNS service
– non exe extension
– suspicious domain (must be an amateur to put ddos in their domain name), suspicious exe to be downloading from a website

Finding those took about 5 minutes of checking at the start of each work day.

The problem with this technique is volume. Thousands of executables traverse a large network every day, so how does one sort through them all? This is another fairly simple question to answer. The majority of exes being transferred should be from known good sources such as Microsoft, Adobe, Sun, Google, Apple, etc. Simply whitelist or filter out these domains or IPs. Once these have been eliminated, the pile shrinks drastically.

For example, in 4 days we saw 3,318 exes transferred; approximately 2,300 of these came from the known good vendors above. Whitelisting will cut out 69% of those. Once that is done, simply scroll through the list and ask yourself the following questions:

Do any exes transferred end in a different file extension?
Ex: exe.php

Are we seeing any bizarre looking domain names?

Are binaries being transferred from IPs with no domain associated with them?

Do the exe file names make sense with the domain they are coming from?
Ex: (Why would someone download a flash update from a site called youtube?)
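The two steps above, detecting an executable by its content rather than its name and then triaging the non-whitelisted leftovers with the checklist questions, can be expressed as a small script. The following is an added example, not code from the original post: it reproduces in Python the same byte checks a Snort content match would perform (the MZ magic at offset 0 and the "PE\0\0" signature at the offset stored in e_lfanew), then applies a whitelist and flags each remaining transfer. The vendor whitelist, the vendor-name hints, the host names and the byte strings are all constructed for this example.

```python
import struct
import ipaddress
from urllib.parse import urlparse

# Hypothetical whitelist built from the vendors the post names as known good sources.
KNOWN_GOOD_DOMAINS = {"microsoft.com", "adobe.com", "sun.com", "google.com", "apple.com"}
# Extensions under which a PE file is expected to travel.
EXE_EXTENSIONS = {".exe", ".dll", ".scr", ".cab", ".msi"}
# Product names that only make sense coming from a particular vendor (assumed mapping).
VENDOR_HINTS = {"flash": "adobe.com", "java": "sun.com", "windows": "microsoft.com"}


def is_pe(data: bytes) -> bool:
    """Content check: 'MZ' at offset 0 and 'PE\\0\\0' at the offset held in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_pe_stub() -> bytes:
    """Constructed byte string with a valid MZ/PE layout; it is not a runnable program."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def host_is_whitelisted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD_DOMAINS)


def host_is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(transfers):
    """transfers: iterable of (url, leading_bytes). Returns [(url, flags)] for every PE
    file that did not come from a whitelisted host; flags answer the checklist questions."""
    findings = []
    for url, data in transfers:
        if not is_pe(data):
            continue  # the extension may lie, the content does not
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host_is_whitelisted(host):
            continue  # known good vendor, filtered out of the pile
        name = parsed.path.rsplit("/", 1)[-1]
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        flags = []
        if not ext:
            flags.append("no extension at all")
        elif ext not in EXE_EXTENSIONS:
            flags.append("non exe extension")
        if host_is_ip(host):
            flags.append("bare IP, no domain")
        for hint, vendor in VENDOR_HINTS.items():
            if hint in name.lower() and not host.endswith(vendor):
                flags.append("vendor name on unrelated domain")
                break
        findings.append((url, flags))
    return findings


# Constructed sample of observed transfers: (URL, first bytes of the response body).
SAMPLE_TRANSFERS = [
    ("http://download.microsoft.com/update.exe", build_pe_stub()),    # known good, filtered
    ("http://img.example.net/photo.gif", build_pe_stub()),            # PE disguised as a GIF
    ("http://192.0.2.10/x", build_pe_stub()),                         # bare IP, no extension
    ("http://videos.example.org/flash_update.exe", build_pe_stub()),  # vendor name, wrong domain
    ("http://cdn.example.com/logo.gif", b"GIF89a" + b"\x00" * 60),   # a real image, ignored
]

if __name__ == "__main__":
    for url, flags in triage(SAMPLE_TRANSFERS):
        print(url, "-", ", ".join(flags) if flags else "exe from unknown source")
```

Run against a real feed, the input would be the URL and the first few dozen bytes of each HTTP response body that the IDS logged; the content check needs only 0x44 bytes, so a `depth`-limited capture is enough, which is also why the Snort approach scales.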

With all your newfound knowledge of hostile files being sent around your network, new questions arise, such as:

Is that network segment supposed to have internet access?
Did a user knowingly download it?
Were they compromised by a malicious website?
Did they click a link in an email?
Did our AV/IDS not catch the exploit attempt?
Was the file detected by AV?

Thankfully all these questions are yours to answer 🙂
