25 Mar 2013

From Indicators of Compromise to Smoking Guns

In a previous post I used the intuitive visualization in Packetloop to zero in on a particular attacker that had targeted at least two systems, with indicators suggesting Warez-related FTP and the delivery of shellcode. The analysis at that time was interesting but hardly a smoking gun. The security analyst was presented with indicators of compromise but could not conclusively prove a breach.

Packetloop's "Threat Analysis" feature started out as a functionality story called "play by play". I wanted to be able to peer inside an attack and step through it play by play. To do this we needed to take every indicator and warning and then perform deep packet inspection on every packet from every conversation and link it into our User Interface. Packetloop's Advanced Filter experience is powerful and fast and Threat Analysis had to be able to respond in the same way. So you could zoom in and out, pan left and right through time and filter on Attacker, Victim, Attack, Port or Industry Reference (e.g. CVE). It was a pretty bold concept and initially difficult enough that we pushed the functionality back - but we didn't give up ;)

Remember this is the canonical DARPA98 data set that I am analysing here. So the attacks have that old school retro feel.

Threat Analysis

In the previous post the source of the attack, 152.169.215.104, was located because of a large number of New Attacks in a very small period of time (12 new attacks in 1 minute). These attacks were related to information discovery (Finger and RPC Mapping) against 172.16.112.50. On closer inspection there was suspected FTP warez activity triggering a number of indicators. Filtering by 152.169.215.104 as the source and then zooming out to a 3 month time window, we were able to view the entire attack timeline and find a second host, 172.16.114.50, that was also the destination of attacks (x86 NOOP Shellcode). Despite these indicators it was difficult to conclusively prove and analyse the breach.

The attack timeline shows Finger and RPC requests being used by the Attacker to enumerate the target

An open FTP server is used to store and access Warez and Tools including the Linux Root Kit.

A vulnerability in BIND is exploited to gain root access

Threat Analysis enables you to move from indicators and warnings to the proverbial smoking gun. The initial series of attacks is mostly information discovery, with finger attempts and rpcmaps to enumerate users and interfaces. The second set of attacks is linked to FTP and Warez, and this is where Threat Analysis really shows its power. If we focus on those purple bars in the centre of the main visualization and switch to the Analysis view in the Data Panel, we can immediately see exactly what this attacker is doing.


The attacker logs in to the FTP server as 'ftp', idents, and then changes into the "caliberX" directory and then the "Win98.Final-PWA" directory. At a glance we have gone from thinking that this might be suspicious activity on our network to knowing that it is. Scrolling down we can view the individual files that the attacker is accessing, including the zip files and nfo files.


Later in the attack timeline the evidence becomes clearer and more damning. Looking into more FTP sessions between 152.169.215.104 and 172.16.112.50 we see the attacker download tools for exploiting Linux systems.


Again the attacker logs in as 'ftp', changes directory into 'lr2k-1.1' and then, in the final row of output, downloads 'lrootk.tgz'. This is a version of the Linux Rootkit.
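The session reading described above can be reproduced from any FTP control-channel capture. The following is an added example, not Packetloop code or output: it replays a constructed transcript and only lets a command change state once the server's final reply accepts it. The transcript's PASS value, reply texts and the failed `CWD tools` are invented for illustration.

```python
import posixpath

# Constructed transcript ("C:" client, "S:" server) modelled on the session
# described above. The PASS value, reply texts and the failed CWD are invented.
TRANSCRIPT = """\
S: 220 FTP server ready
C: USER ftp
S: 331 Guest login ok, send ident as password
C: PASS guest@example.invalid
S: 230 Guest login ok
C: CWD tools
S: 550 tools: No such file or directory
C: CWD lr2k-1.1
S: 250 CWD command successful
C: RETR lrootk.tgz
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
"""

def replay(transcript, root="/"):
    """Rebuild login, working directory and completed transfers from an FTP control channel."""
    state = {"user": None, "anonymous": False, "cwd": root, "transfers": []}
    pending = None  # last client command still waiting for its final reply
    for raw in transcript.splitlines():
        side, _, text = raw.partition(": ")
        if side == "C":
            verb, _, arg = text.partition(" ")
            pending = (verb.upper(), arg)
        elif side == "S" and pending and text[:3].isdigit():
            code, (verb, arg) = int(text[:3]), pending
            if code < 200 or text[3:4] == "-":
                continue  # preliminary or multi-line reply; the final one follows
            pending = None
            # USER is normally answered with 331 (password required), not 2xx.
            if not (200 <= code < 300 or (verb == "USER" and code == 331)):
                continue  # refused command: it changed nothing on the server
            if verb == "USER":
                state["user"] = arg
                state["anonymous"] = arg.lower() in ("ftp", "anonymous")
            elif verb == "CWD":
                state["cwd"] = posixpath.normpath(posixpath.join(state["cwd"], arg))
            elif verb == "CDUP":
                state["cwd"] = posixpath.dirname(state["cwd"]) or root
            elif verb in ("RETR", "STOR"):
                state["transfers"].append((verb, posixpath.join(state["cwd"], arg)))
    return state
```

Tracking replies matters for evidence: a refused `CWD` or an aborted `RETR` should not appear in the reconstructed path or the list of files the client actually obtained.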

The Shellcode attacks between 152.169.215.104 and 172.16.114.50 establish a shell that is used to initiate an X11 Window session between the attacker and the target. Using the advanced filter we can limit the search and zoom into the attack timeline. Shellcode is delivered over DNS (UDP/53) in a series of attacks at 12:33AM and then another flurry of attacks at 12:39AM.



The Shellcode targets a vulnerability in BIND 4.9 and BIND 8.0. This can be determined by highlighting the CVE in the Advanced Filter.




The timeline is important as an X11 session is established in the reverse direction (172.16.114.50 to 152.169.215.104) soon after the initial attacks with the first back channel created at 12:39AM. This is shown in the screenshot below.
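The timing relationship described above (inbound exploit alerts followed shortly by a connection in the reverse direction) can also be checked mechanically over alert and flow records. This is an added example, not Packetloop code: the record layout, the 10-minute window, the date, the seconds and the unrelated flows are assumptions, and tcp/6000 is assumed as the X11 port because the post does not state one.

```python
from datetime import datetime, timedelta

# Constructed records modelled on the timeline in the post. The date, seconds,
# the tcp/25 flow and the 03:00 flow are placeholders, not data-set values.
ALERTS = [  # (time, source, destination, service, signature)
    ("1998-01-01 00:33:10", "152.169.215.104", "172.16.114.50", "udp/53", "x86 NOOP shellcode"),
    ("1998-01-01 00:39:02", "152.169.215.104", "172.16.114.50", "udp/53", "x86 NOOP shellcode"),
]
FLOWS = [  # (start time, source, destination, service); tcp/6000 assumed for X11
    ("1998-01-01 00:20:00", "172.16.114.50", "192.0.2.8", "tcp/25"),
    ("1998-01-01 00:39:40", "172.16.114.50", "152.169.215.104", "tcp/6000"),
    ("1998-01-01 03:00:00", "172.16.114.50", "152.169.215.104", "tcp/6000"),
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def find_back_channels(alerts, flows, window=timedelta(minutes=10)):
    """Flows that run victim -> attacker within `window` after an inbound alert."""
    hits = []
    for f_time, f_src, f_dst, f_svc in flows:
        # Alerts whose direction is the exact reverse of this flow and that
        # fired no more than `window` before the flow started.
        prior = [a for a in alerts
                 if (a[1], a[2]) == (f_dst, f_src)
                 and timedelta(0) <= _ts(f_time) - _ts(a[0]) <= window]
        if prior:
            last = max(prior, key=lambda a: _ts(a[0]))  # closest preceding alert
            hits.append({
                "victim": f_src, "attacker": f_dst, "service": f_svc,
                "alert": last[4], "alerts_in_window": len(prior),
                "delay_s": int((_ts(f_time) - _ts(last[0])).total_seconds()),
            })
    return hits

if __name__ == "__main__":
    for hit in find_back_channels(ALERTS, FLOWS):
        print(hit)
```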


Packetloop's Threat Analysis provides a full breakdown of the X11 session.


We can tell that the attacker used the DNS exploit to gain root access because they issue an 'id' command that returns 'root'.


Again we can access a detailed breakdown of the X11 sessions where the id command is executed.


Conclusion

This is a canonical example of an attacker performing reconnaissance and targeting, exploiting a vulnerability and establishing full root access. Packetloop allows you to find and analyse these incidents in minutes with full data fidelity. Every attack and attacker can be isolated, every packet in the attack can be stepped through and analysed.

With Packetloop's Threat Analysis there is no guesswork. The entire attack timeline can be examined from months to minutes.

Sign Up for a Free account today and explore the 50GB of Public Datasets available on the Packetloop platform using Packetloop Threat Analysis.


