April 2006

Laying a Malware Trap

When simple detection isn't enough, capture that virus for examination
Sidebar: Taking It to the Worm

A client of mine had a network that was constantly under malicious attack. When the client was connected to the Internet, the corporate network routers and switches lit up like a Christmas tree. When the Internet connection was unplugged, network utilization hovered around its normal 2 to 3 percent. Hackers were sending millions of packets across the network, but the client didn't know how. The client had plugged a network sniffer into the network to capture malicious packets, but within a few minutes it was overwhelmed by hundreds of thousands of packets, most of them unauthorized traffic. How could we find out how the hackers were breaking into the network and what they were doing? Enter the virus trap.

Sometimes preventing viruses, worms, and Trojan horses from attacking your computers isn't enough—you want to capture the malicious program and learn everything you can from it. Studying the mechanics of what the bug is attempting to do will help you provide a better defense. Even for network administrators without advanced diagnostic skills, a virus trap can provide early detection of network intrusions. Here are some methods you can use to trap malware and examples of how they've been used in the past.

What Is a Virus Trap?
In lay terms, a virus trap is a program, often a honeypot program, designed to detect, slow down, or capture a specific piece or type of malware for further study. A honeypot is a nonproduction computer asset created to track unauthorized exploitation. A virus trap honeypot is a special-function honeypot built specifically to detect and capture automated malware. Unlike a regular honeypot, it isn't much concerned with attacks originating from dedicated human attackers, which are a small percentage of overall attacks anyway. Tracking manual hackers requires a more functional and complicated honeypot.

When malware is attacking, we're concerned about two things:

  • What vulnerability is the malware looking for to be successful?
  • What will the malware do once it has gained the initial access by using the found vulnerability?

The first question seeks to find out how the pest is planning to attack network computers; the answer will reveal the steps the administrator needs to take to make sure the malware won't be successful (or at least to minimize the damage). The second question speaks to the malware's true motive. Is the malware just breaking in to break in, or does it want to damage data, steal files, send spam, or locate free hard drive space for storing malicious files and unlicensed digital media? A virus trap can help answer these questions.

Here are some situations in which you might want to set a virus trap:

  • A new worldwide worm has been announced on the antivirus lists. You think your network infrastructure is secured against the attack, but you want an early-warning system if something gets inside your perimeter. Or a worldwide worm has been announced, and computers on your network are showing signs similar to reported infection symptoms.
  • Something malicious keeps banging against your perimeter firewall, and you want to capture it to find out what's trying to break in or out.
  • Hackers or malware are successfully breaking into your network and servers, and you want to find out how.

Virus Trap Types and Uses
There are four major types of virus traps: port listeners, tarpits, honeypots, and virtual machines.

Port listeners. A port listener is any program capable of opening an IP port and capturing information entering that port. Port listeners are the simplest of programs. They don't have to emulate a service, pretend to be a server, or respond in any way. They only capture what's sent to them. The downside of port listeners is that you can't use them to monitor stateful TCP traffic, which always requires a reply to establish a successful communication session. However, sometimes listening is all you want to do.

For example, the SQL Slammer worm used a single 376-byte UDP packet to carry out its malicious deeds. To capture it, all you needed was a simple port listener listening on UDP port 1434. The most common port listener in use today is Netcat, a free utility that you can download from http://www.vulnwatch.org/netcat. You can use Netcat for all sorts of things, including establishing one or more listening ports. To capture the Slammer worm, you could execute the following Netcat command:

nc -u -vv -l -p 1434 > port1434.log 

The -u switch tells Netcat to use UDP rather than its default of TCP (Slammer travels in a UDP datagram, so without -u nothing would be captured), -vv tells Netcat to be verbose and report connection attempts to the screen, -l tells Netcat to listen for inbound connections on the port indicated by the -p switch, and the redirection saves the collected data to a text file called port1434.log. (If you try this command, press Ctrl+C to end the Netcat session, or type

nc -h 

for the Netcat Help screen.)

Figure 1 shows an example of the SQL Slammer worm captured in a Netcat port listener. It isn't pretty or even understandable unless you're a programmer, because it's captured executable code that's part of a buffer overflow. Still, the text that follows the command

type port1434.log 

is the SQL Slammer worm. If you didn't recognize the worm and you searched on the Internet for the few text strings you see, the results would indicate that the executable code you captured belongs to SQL Slammer. You could then test and verify that all your SQL Server systems are patched against the worm. To see the full source code details of SQL Slammer, visit http://www.eeye.com/html/research/flash/sapphire.txt. If the attacks continue from the same source IP address, you can even attempt to contact the host or implement other computer defenses.

Tarpits. Tarpits aren't used to capture and display malicious code as much as to slow down quickly spreading malware. Developed by Michael Robinton, LaBrea (http://labrea.sourceforge.net) was the first and is still the most popular tarpit. It responds to any request for a nonexistent IP address. After allowing time for any legitimate host to answer, LaBrea answers connection attempts in such a way as to waste as much of the malware's time as possible, by maximizing TCP/IP retransmits and wait periods. LaBrea slows down malware and hackers and identifies their origination IP address, as Figure 2 shows. Although LaBrea's functionality is intentionally limited, it's a huge success at what it does. Many real-life worms and lab tests have corroborated its ability to slow down Internet worms, just as its author hoped.

Windows IT Pro is a Division of Penton Media Inc. Copyright © 2008 Penton Media, Inc., All rights reserved.