13Computer Intrusions

Dr. John P. AbrahamProfessor

UTPA

Why computer intrusions?

• Businesses and individuals are very dependent on computers today

• They place financial data on it• Private data also is kept on computers• Criminals benefit financially• Extortion

Illegal activities

• Steal valuable information• Eavesdrop on communication• Harassing those who have control over the

systems• Launching attacks against other systems• Storing toolkits and stolen or illegal data• Defacing websites

Computer intrusions can be deadly

• Gaining access to electric grid• Pharmacy database – change drugs• Tempering with emergency civil service

systems

Who are the criminals

• Do not fit the stereotype - teenagers with behavior problems

• Rather committed by organized criminal organizations

• State-sponsored groups

Exploits

• All operating systems and application programs have weaknesses.

• Manufacturers continually modify code to protect systems

• These vulnerabilities are taken advantage by criminals and called exploits.

• Vulnerabilities are published on the internet, even programs are available to launch attack.

How computer intruders operate• Reconnaissance – process of gathering

information about the target computer. Probe the computer for vulnerabilities and attempt to exploit them.

• Attack – gain unauthorized access or start a denial of service attack. Escalate from an unprivileged account to privileged.

• Entrenchment: Ensuring continued access. Hide tracks and instantiate a persistent re-entry. Allow others access the system.

• Abuse: conducting illegal activities such as stealing information.

Intrusion techniques• Reconnaissance: Nslookup of a domain name to determine the

IP address. Scan target computer for open ports (use a port scanner), service or applications with vulnerabilities.

• Attack: Launch exploit against a specific application.• Entrenchment: A backdoor is uploaded through the remote

shell. Registry entries are altered to start backdoor at boot. A rootkit is uploaded to hide all malicious processes, network connections and files. Clean and delete log entries related to attack.

• Abuse: Sensitive documents are placed into password protected archives and moved off the compromised system to the attacker’s computer.

Social Engineering

• When intruders can’t access through known security holes, they us social engineering. May even dig through garbage cans.

• Social engineering refers to any attempt to contact legitimate users of the target system and tricking them to give passwords (such as I am a new employee, or I am the tech).

• Reverse social engineering. Ticking the user to contact the intruder. Send an email about support desk, etc.

Current intrusion tactics• Direct attacks are becoming difficult due to security

measures.• Attack though email or web browsers that visit a

compromised webserver.• Phishing. Sending mass e-mails that appear to have

come from your friend or family. Replying these emails and giving requested info can lead to fraud. Some emails promise large sums of money.

• Spear phishing. More targeted phishing. Email is personalized.

• Downloads – appear as useful free downloads that contain cross site scripting (XSS).

• SQL injection. Placement of sql control characters.

Investigating intrusions

• Act of uncovering the facts with regard to a potential intrusion. Was there an actual intrusion?

• Containment, eradication and remediation steps

• Determine what harm was done (stolen or destroyed)

• Apprehend the intruders• Where there is one, there is often more.

Investigative Methodologies

• Analysis of memory can reveal ports and IP addresses associated with malicious activities.

• System logs may contain info about user accounts and IP addresses.

• Investigate network log files.• System forensics, memory foresnsics, network

forensics and malware forensics.

Leaving compromised systems vulnerable

• It is a challenge. If you protect the system immediately, you may not catch the culprit.

• Should the system be shutdown immediately?• It may be important to observe intruder

progress

Volatile data

• Information in the CPU cache, CPU registers, video RAM, other RAM or buffer. Will disappear as state change or shut down.

• Network packets• Check for unusual processes running• Acquire full memory dumps

Volatile data preservation• Initially check for any windows that are open• Use a clean forensic tool kit (DVD) and launch the shell

executable from the CD (not computer’s) and change default directory to the CD.

• Insert a clean (new) thumb drive to save volatile data.• Send date and time to the thumb drive and execute a script

that will collect a memory dump, list of running processes, list of loaded drivers or modules and libraries, list of open sockets and active network connections, current users logged in and authorized users, and finally create hash values for the files.

• Remote acquisition of volatile data: for this you need to use enCase or Access Data or other such programs.

• Collect network traffic by using a sniffer.

Post-Mortem investigation• File system analysis• Collect file date-time metadata sorted and or

filtered.• Collect file names sorted and or filtered• Collect configuration files and startup

locations from the registry.• Collect system and security logs and

application logs.• Do keyword searching for malicious

executables, and IP addresses

Malicious code examination

• What is purpose of the code?• Does it create, delete or alter any specific

files?• Does it create new processes or inject itself to

running processes?• Does it accept remote network connections,

or initiate new connections? How the hosts are identified?