In this blog post you will first learn what file carving is and, with a simplified example, why it’s useful. Next you will learn how this powerful technique has been applied to the network and how its utility has been expanded beyond just forensics. We will talk about several tools in this article, but specific attention will be paid to the NFEX network file carving tool.
This week brought us a wide variety of news about the ZeuS malware platform and its criminal users. While the platform has been very successful at stealing banking credentials and money from its victims, it may be showing some promising signs of weakness to the security community. While it has long been recognized as a modular and adaptable platform, the rising complexity in the system may be exposing it to security concerns found in traditional enterprise software. Identifying and exploiting these weaknesses may be an essential factor in disrupting its botnets and tracking down its controllers.
One of those features, highlighted in this week’s Cyber Risk Report, was a jump into mobile malware. One particular ZeuS adaptation has appeared as a combined threat between desktops and smartphones, with the ultimate goal of intercepting not only keyboard-entered user credentials, but also SMS messages from banks used for out-of-band user authentication.
At Cisco, we are fortunate to be at the vanguard of many exciting developments in networking and IT technology. Borderless Networks — where we connect anyone, anywhere, any device, and enable voice, video, and data — is a prime example. Enabling secure access to the cloud, powering SaaS for the enterprise, and helping IT successfully cope with the consumerization of enterprise IT are core elements of this effort.
Trends can sometimes run in surprising directions. While the white hat side of the house is enabling services and applications (Salesforce.com), and even core IT functions such as email and office productivity (Google Docs) are available in hosted or web delivered forms, the black hat side of the house is also not letting technology pass them by. For instance, take IMDDOS, a Chinese company with a name that should perhaps be read “I’m DDoS.”
Before we begin part 3 in this series, let’s review what we’ve covered so far. In the first post we learned how this bot was discovered and some basics about botnets. In the second post we covered botnet fundamentals like command and control (C&C) and various other capabilities. In this post we will examine some of the offensive features incorporated into a botnet designed to launch attacks and maintain control of hosts (aka victims). First we will discuss how botnets spread and then we will look at flooding and how it’s implemented in this bot.
There are two main ways malware spreads. It’s important to note that these two methods are not mutually exclusive. The first method, made famous by the Morris worm, involves targeting a network-based vulnerability; the author designs an exploit to spread his malware. Once the malware takes over a machine it then infects other machines. Every time the binary moves from one machine to another the botnet has the potential to see exponential growth. Most vulnerabilities only affect a specific operating system at a specific range of patch levels. Malware of this nature often hits big and then its growth rate takes a steep dive as patches become available and as malware is removed. Once the vulnerability is patched, the malware must adapt or accept a shrinking attack surface. Two recent examples of this method are Conficker and Slammer. It is important to note the distinction between the growth rate slowing down and the number of compromised machines. There are still countless machines connected to the Internet running both worms. Even as the growth rate approaches zero, many, many computers have already been infected and continue to run the malware. In two days time on a single Intrusion Prevention System (IPS) we saw over 178,000 slammer attacks.
An attacker simply needs to trick an unsuspecting user into running a binary that is under the control of the attacker. This attack vector is known as a trojan horse. A malware author would package his wares as a link from a friend, a new game of interest, or even a program to create keys for pirated software, etc.