Monday 18 August 2014

How to detect a hacker attack

Most computer vulnerabilities can be exploited in a variety of ways. Hacker attacks may use a single specific exploit, several exploits at the same time, a misconfiguration in one of the system components or even a backdoor from an earlier attack.
Due to this, detecting hacker attacks is not an easy task, especially for an inexperienced user. This article gives a few basic guidelines to help you figure out either if your machine is under attack or if the security of your system has been compromised. Keep in mind just like with viruses, there is no 100% guarantee you will detect a hacker attack this way. However, there's a good chance that if your system has been hacked, it will display one or more of the following behaviours.

Windows machines:

  • Suspiciously high outgoing network traffic. If you are on a dial-up account or using ADSL and notice an unusually high volume of outgoing network (traffic especially when you computer is idle or not necessarily uploading data), then it is possible that your computer has been compromised. Your computer may be being used either to send spam or by a network worm which is replicating and sending copies of itself. For cable connections, this is less relevant - it is quite common to have the same amount of outgoing traffic as incoming traffic even if you are doing nothing more than browsing sites or downloading data from the Internet.
  • Increased disk activity or suspicious looking files in the root directories of any drives. After hacking into a system, many hackers run a massive scan for any interesting documents or files containing passwords or logins for bank or epayment accounts such as PayPal. Similarly, some worms search the disk for files containing email addresses to use for propagation. If you notice major disk activity even when the system is idle in conjunction with suspiciously named files in common folders, this may be an indication of a system hack or malware infection.
  • Large number of packets which come from a single address being stopped by a personal firewall. After locating a target (eg. a company's IP range or a pool of home cable users) hackers usually run automated probing tools which try to use various exploits to break into the system. If you run a personal firewall (a fundamental element in protecting against hacker attacks) and notice an unusually high number of stopped packets coming from the same address then this is a good indication that your machine is under attack. The good news is that if your personal firewall is reporting these attacks, you are probably safe. However, depending on how many services you expose to the Internet, the personal firewall may fail to protect you against an attack directed at a specific FTP service running on your system which has been made accessible to all. In this case, the solution is to block the offending IP temporarily until the connection attempts stop. Many personal firewalls and IDSs have such a feature built in.
  • Your resident antivirus suddenly starts reporting that backdoors or trojans have been detected, even if you have not done anything out of the ordinary. Although hacker attacks can be complex and innovative, many rely on known trojans or backdoors to gain full access to a compromised system. If the resident component of your antivirus is detecting and reporting such malware, this may be an indication that your system can be accessed from outside.

Unix machines:

  • Suspiciously named files in the /tmp folder. Many exploits in the Unix world rely on creating temporary files in the /tmp standard folder which are not always deleted after the system hack. The same is true for some worms known to infect Unix systems; they recompile themselves in the /tmp folder and use it as 'home'.
  • Modified system binaries such as 'login', 'telnet', 'ftp', 'finger' or more complex daemons, 'sshd', 'ftpd' and the like. After breaking into a system, a hacker usually attempts to secure access by planting a backdoor in one of the daemons with direct access from the Internet, or by modifying standard system utilities which are used to connect to other systems. The modified binaries are usually part of a rootkit and generally, are 'stealthed' against direct simple inspection. In all cases, it is a good idea to maintain a database of checksums for every system utility and periodically verify them with the system offline, in single user mode.
  • Modified /etc/passwd, /etc/shadow, or other system files in the /etc folder. Sometimes hacker attacks may add a new user in /etc/passwd which can be remotely logged in a later date. Look for any suspicious usernames in the password file and monitor all additions, especially on a multi-user system.
  • Suspicious services added to /etc/services. Opening a backdoor in a Unix system is sometimes a matter of adding two text lines. This is accomplished by modifying /etc/services as well as /etc/ined.conf. Closely monitor these two files for any additions which may indicate a backdoor bound to an unused or suspicious port.

What if my computer is infected?

Unfortunately, it may happen occasionally that the antivirus installed in your computer with its latest updates is incapable of detecting a new virus, worm or a Trojan. Sadly but true: no antivirus protection software gives you a 100% guarantee of complete security. If your computer does get infected, you need to determine the fact of infection, identify the infected file and send it to the vendor whose product missed the malicious program and failed to protect your computer.
However, users on their own are typically unable to detect that their computer got infected unless aided by antivirus solutions. Many worms and Trojans typically do not reveal their presence in any way. By way of exception, some Trojans do inform the user directly that their computer has been infected - they may encrypt the user's personal files so as to demand a ransom for the decryption utility. However, a Trojan typically installs itself secretly in the system, often employs special disguising methods and also covertly does its activity. So, the fact of infection can be detected by indirect evidence only.

Symptoms of infection

An increase in the outgoing web traffic is the general indication of an infection; this applies to both individual computers and corporate networks. If no users are working in the Internet in a specific time period (e.g. at night), but the web traffic continues, this could mean that somebody or someone else is active on the system, and most probably that is a malicious activity. In a firewall is configured in the system, attempts by unknown applications to establish Internet connections may be indicative of an infection. Numerous advertisement windows popping up while visiting web-sites may signal that an adware in present in the system. If a computer freezes or crashes frequently, this may be also related to a malware activity. Such malfunctions are more often accounted for by hardware or software malfunctions rather than a virus activity. However, if similar symptoms simultaneously occur on multiple or numerous computers on the network, accompanied by a dramatic increase in the internal traffic, this is very likely caused by a network worm or a backdoor Trojan spreading across the network.
An infection may be also indirectly evidenced by non-computer related symptoms, such as bills for telephone calls that nobody made or SMS messages that nobody sent. Such facts may indicate that a phone Trojan is active in the computer or the cell phone. If unauthorized access has been gained to your personal bank account or your credit card has bee used without your authorization, this may signal that a spyware has intruded into your system.

What to do

The first thing to do is make sure that the antivirus database is up-to-date and scan your computer. If this does not help, antivirus solutions from other vendors may do the job. Many manufacturers of anti-virus solutions offer free versions of their products for trial or one-time scanning - we recommend you to run one of these products on your machine. If it detects a virus or a Trojan, make sure you send a copy of the infected file to the manufacturer of the antivirus solution that failed to detect it. This will help this vendor faster develop protection against this threat and protect other users running this antivirus from getting infected.
If an alternative antivirus does not detect any malware, it is recommended that you disconnect your computer from the Internet or a local network, disable Wi-Fi connection and the modem, if any, before you start looking for the infected file(s). Do not use the network unless critically needed. Do not use web payment systems or internet banking services under any circumstances. Avoid referring to any personal or confidential data; do not use any web-based services that require your screen name and password.

How do I find an infected file?

Detecting a virus or Trojan in your computer in some cases may be a complex problem requiring a technical qualification; however, in other cases that may be a pretty straightforward task - this all depends on the degree of the malware complexity and the methods used to hide the malicious code embedded into the system. In the difficult cases when special methods (e.g. rootkit technologies) are employed to disguise and conceal the malicious code in the system, a non-professional may be unable to track down the infected file. This problem may require special utilities or actions, like connecting the hard disk to another computer or booting the system from a CD. However, if a regular worm or simple Trojan is around, you may be able to track it down using fairly simple methods.
The vast majority of worms and Trojan need to take control when the system starts. There are two basic ways for that:
  • A link to the infected file is written to the autorun keys of the Windows registry;
  • The infected file is copied to an autorun folder in Windows.
The most common autorun folders in Windows 2000 and XP are as follows:
%Documents and Settings%\%user name%\Start Menu\Programs\Startup\
%Documents and Settings%\All Users\Start Menu\Programs\Startup\
There are quite a number of autorun keys in the system register, the most popular keys include Run, RunService, RunOnce и RunServiceOnce, located in the following register folders:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\]
Most probably, a search at the above locations will yield several keys with names that don't reveal much information, and paths to the executable files. Special attention should be paid to the files located in the Windows system catalog or root directory. Remember names of these files, you will need them in the further analysis.
Writing to the following key is also common:
[HKEY_CLASSES_ROOT\exefile\shell\open\command\]
The default value of this key is "%1" %*".
Windows' system (and system 32) catalog and root directory are the most convenient place to set worms and Trojans. This is due to 2 facts: the contents of these catalogs are not shown in the Explorer by default, and these catalogs host a great number of different system files, functions of which are completely unknown to a lay user. Even an experienced user will probably find it difficult to tell if a file called winkrnl386.exe is part of the operating system or foreign to it.
It is recommended to use any file manager that can sort file by creation/modification date, and sort the files located within the above catalogs. This will display all recently created and modified files at the top of the catalog - these very files will be of interest to the researcher. If any of these files are identical to those occurring in the autorun keys, this is the first wake-up call.
Advanced users can also check the open network ports using netstat, the standard utility. It is recommended to set up a firewall and scan the processes engaged in network activities. It is also recommended to check the list of active processes using dedicated utilities with advanced functionalities rather than the standard Windows utilities - many Trojans successfully avoid being detected by standard Windows utilities.
However, no universal advice can be given for all occasions. Advanced worms and Trojans occur every now then that are quite difficult to track down. In this case, it is best to consult the support service of the IT security vendor that released your antivirus client, a company offering IT assistance services, or ask for help at specialized web forums. Such web resources include www.virusinfo.info and anti-malware.ru (Russian language), and www.rootkit.com and www.gmer.net (English). Similar forums designed to assist users are also run by many antivirus companies.

ZeuS GameOver, Brazilian Trojans and Boletos: an explosive combination

I'm sure you've read or heard about the malware attacking boletos – the popular Brazilian payment system – and how lots of malicious code is able to modify it, redirecting the amount paid to an account owned by criminals. Despite the fact that some numbers were overestimated by some companies and media outlets, these attacks are of particular interest and the Brazilian bad guys are quickly developing and adopting new techniques. Trust me: everything you read about boleto malware was only the tip of the iceberg; our complete research into this topic will be presented at the next Virus Bulletin conference.
The boleto malware campaigns combine several new tricks to infect and steal from more users. One of the most recent is the use of non-executable and encrypted malware payloads XORed with a 32-bit key and compressed by ZLIB. It's no coincidence that a very similar technique was used by ZeuS GameOver some months ago, but this time the files are using extensions such as .BCK and .JMP, instead of .ENC.
We have evidence of Brazilian criminals cooperating with western European gangs involved with ZeuS and its variants; it's not unusual to find them on underground forums looking for samples, buying new crimeware and ATM/PoS malware. The first results of this cooperation can be seen in the development of new attacks such the one affecting boletos payments in Brazil.
Zeus_GameOver_1
A typical Brazilian boleto: using web-injection to change the numbers in the ID field is enough to redirect the payment
In February, security expert Gary Warner wrote about a new version of ZeuS campaign that downloads some strange and non-executable .ENC files to the infected machine. Our colleagues at CrySys did a very detailed analysis showing how this is an effective technique for passing through your firewall, webfilters, network intrusion detection systems and many other defenses you may have in place, as a tiny Trojan downloads these encrypted (.ENC) files and decrypts them to complete the infection.
Brazilian cybercriminals decided to use the .JMP extension in files encrypted in the same way, and downloaded by several small Trojans used in boletos and Trojan banker campaigns. This is what an encrypted file looks in the beginning:
image2_new
After removing the encryption we can see it as a normal PE executable:
image3_new
The criminals tend to encrypt the big payload files using this technique, as well as some removal tools such as Partizan and big Delphi Trojan bankers that include images of Internet banking pages. The aim is always to encrypt the payload and make it undetectable, so that it's not recognized as a normal portable executable.
Other files of interest are those with .BCK extensions – they are packed with an as yet unknown application that appears to be a commercial backup app. Just checking the head of the encrypted file is enough to see what's inside - in this case it is a malicious CPL file used in the boletos campaigns:
image4_new
"refazboleto" is Portuguese for "rebuild boleto". It points to a CPL file
Our antivirus engines are prepared to unpack and detect .JMP and .BCK files like these. These facts show how Brazilian cybercriminals are adopting new techniques as a result of the collaboration with their European counterparts.