August 18th, 2014 - by Walker Rowe
The problem with antivirus software is that it can only detect what it already knows. It cannot detect zero day attacks (meaning something that is new and for which the vendor has not made a patch). To combat this, many modern antimalware solutions also include firewalls, heuristic analysis and IPS functionality to catch previously unrecognized malware and stop hacker intrusions. And still this is not enough. Think about it: if such tools worked, then why do so many companies get hacked?
The best security is knowledge: learn what the signs of an attack are and what you should be doing to detect those, since antivirus software in not in itself sufficient. Here we give your some ideas of how to police your environment and to look for signs of malware.
Study the hacker threat
In order to determine whether your servers or desktops have been hacked, you should study some hacking techniques and learn what the attack vectors are. Sign up for security bulletins from Microsoft and study those. I also recommend that you read Krebs on Security; he is not a security expert as in a programmer, but as a former Washington Post reporter, people often give him the scoop and he has lots of contacts in the security and hacker communities.
You may be surprised to find that most hacker attacks are made via the browser and software that is launched inside a browser, like Adobe Flash. These mainly exploit buffer overflow issues in these programs. This allows a virus to read and write to memory that is outside the bounds assigned to a program when it initializes variables.
The hacker uses that memory to write assembly language instructions telling the program to execute a specific instruction, thus exiting the logic it is already executing. Then it launches methods .dlls that are known to have security issues. Then it gains command line access to the DOS prompt. From there it can download more malware and communicate with its command and control center to receive instructions and send out data. In the most sophisticated attacks this malware also will disable whatever antivirus software you have running.
When it comes to less sophisticated attacks, users are usually at fault. Someone sends them a file whose icon looks like a PDF file, but the file extension is actually .exe. The user clicks on it and installs the malware. The best defense against this is to train users not to do that. These viruses are distributed via phishing attacks.
The best defense against hackers is to assume that you have been hacked. You should reinstall your operating system at certain intervals since antivirus software cannot remove all the problems from the machine. I know this is difficult for virtual machines running mission critical applications. But you can certainly wipe the desktops of employees working in your company as these are one of the main attack vectors that hackers use to gain access to the company in the first place. Erasing the hard disks of your employees’ customers should not be an issue in any event, as they should be storing all their data in the cloud (Microsoft Skydrive or Google Drive).
Types of attacks by importance
There are three categories of hacker attacks that should concern you. We list them below in reverse order of the damage they can cause:
- Low risk. Non-sophisticated attacks, like adware, that do no financial damage to your business and do not steal data;
- Higher risk. Having your PC added to a botnet thus making your computer part of a criminal network; and
- Critical risk. Installing software to steal data or money from your company.
Low Risk Attacks
Low risk attacks do no financial harm to your business and do not steal data. Here are some examples. The best way to handle these is to train your employees to look for these signs:
- The antivirus software is disabled. Maybe it is marked with a red color or the Windows security system pops up a warning.
- Fake antivirus messages pop up on the desktop.
- New toolbars appear in the browser.
- The browser search engine is changed.
- People start receiving emails from you that you did not write yourselves.
- There are programs you do not recognize listed in list of install programs in the control panel.
Here are some signs of higher risk attacks.
- Your computer has been added to a botnet.
- You cannot access certain websites because your password has been changed.
Finding out whether your computer is a part of a botnet can be difficult. For the average person it is impossible. The reason botnets work so well is many people do not know much about computers. So they will know nearly nothing about computer security. That is why there are millions of computers on the internet that are in botnets.
These botnets are rented to criminal enterprises and political activists for denial of service attacks. They are also used to steal money and data and to hide the location and IP address of the command and control center by using the botnet to send data along a difficult-to-follow path.
My advice is to use TCPView or firewall logs and sort the data destination IP address to see if any addresses show up more frequently than others. The other way to defeat this attack is to reinstall the Windows operating systems on all your desktops perhaps twice a year. This should not be too difficult, as you can boot newer PCs from the solid state recovery drive and do not have to use installation CDs.
Critical risk attacks are when hackers have targeted your company for data theft. They have hacked your computers and are sending out data to their command and control centers using botnets. They communicate with the command and control center to receive instructions. They are reading data from your computer by recording keystrokes or exploiting weaknesses in peripheral devices like a cash register or credit card reader, or downloading the contents of a database. They have gained elevated access to log into your database, export files, and then use ftp to send this data to the command and control center. They are able to logon to any computer in your network using remote desktop, because they have an Active Directory account with those privileges.
First of all, to detect this, you should be using Snare or nxlog to send Windows logs to a Linux server using syslog. Linux has easier-to-use text parsing tools than Windows. It would be best if you had some kind of SIEM (security monitoring system) but if not you can write your own scripts with regular expressions to look for the following events.
- Ftp is running on a PC. This is how a hacker sends out the data they have stolen.
- Someone has logged into a service account, like Oracle or BMC patrol.
- Someone has obtained elevated privileges in Active Directory or created a local account on a machine.
- DNS settings have been changed. This will direct all your web traffic to a hacker DNS server which is actually a proxy server where the traffic can be read in clear text.
- Someone has stolen money from your bank account.
So, these are the items you should be looking for to make sure that no one has attacked your network and machines. You could also read data going out at the firewall and use regular expressions to look for certain patterns. Some firewall devices can use a man-in-the-middle attack to decrypt encrypted data and then read that, looking for financial or other company information. Assume that your desktops have been hacked and erase them frequently. Finally, train all your employees on the dangers of the internet.