To Catch a (Hacking) Intruder
Jimmy Ray Purser
Courtesy of Cisco Systems
Securing your smaller business's data is critical to its survival. But how do you secure your network if it's been hacked? More important, how can you tell if you've been hacked? Jimmy Ray has all the answers.
It is almost fishing season here in the tundra. I was out renewing my fishing license the other day. The clerk wished me luck this year, but she said it kinda like when Linus would wish Charlie Brown good luck kicking the football this time. Just then out of the corner of my eye, the radiance of the new Rapala X-Rap fishing lures caught my attention.
I was reading the back of the box for some magical tip on how to use this bait when I noticed this statement: "Looks like a real fish." I thought of the painting by Magritte of a pipe with the statement under it: "Ceci n'est pas une pipe." (This is not a pipe.) At least that is what my wife told me it said. She speaks fluent French and has a bunch of smart French-speaking friends.
Post-Hack Analysis
Looking back at some of the forensic post-hack analysis calls I have been on, the one thing I noticed in common with nearly all calls was the following statement: "I didn't know I was being hacked." Many times I have written about how to be vigilant and protect your data from attacks. Actually, this column started out being on wireless security, but then the phone rang, and I was asked, "How do I know if I have been hacked?" I reckon that is a good place to start before the security begins.
Certainly, securing your data is critical and job one in any business. Many people connect their networks to the Internet, then secure them later. In my testing here in the Code Cave, the average default install Windows machine has a lifespan of about 16 minutes before being scanned. It is possible that your network is already hacked and you don't even know it. Ironically, securing a hacked network protects the hacker from other hackers. Hackers fight each other for resources like two roosters in a henhouse.
How do we expose the hacks to daylight and clean them up? This looks like a great place for another four tips-kinda thingy. How about four tips to determine if you are hacked or not? I will focus on Windows-based machines, because those have the biggest target footprint on the Internet today.
Tip 00x01: Preserve the crime scene.
Do you know you've been hacked, or are you not sure? If you know you have been hacked, then this is a short read for you. Determining the value of the attack is a critical first step. Law enforcement will engage at normally around $3,000 to $5,000 in damage, copyrighted material, or child porn. I would recommend the following steps as a first response:
1. Isolate the machine from use by placing it in a separate quarantined VLAN all by itself. Do not disconnect the network cable; just partition the port off to a VLAN from the switch.
2. Don't use the machine. Hackers can place data land mines that can cover their tracks, plus system cycles can destroy valuable evidence.
3. Notify management to inform them of your findings. Recommend to them to bring in law enforcement/forensics.
4. Call your local law enforcement (with the endorsement of management) and inform them. Ask for the cybercrimes specialist.
5. Don't kill power to the machine unless directed by a forensic analyst. This is a common misconception.
Remember, if you find any child porn on a machine, you absolutely have to contact law enforcement immediately, or you are in direct violation of U.S. Federal Law Title 18 Chapter 110 Section 2251-2260. (I teach Internet safety on the side.)
Tip 00x02: Netstat.
OK, so if you've read down this far, then either you are not sure if your machine has been hacked or you're waiting for a mother-in-law reference. Get to know the tool Netstat like you know a neighbor with a pool table or a boat. This is a command-line tool that basically tells us the NETwork STATus of our machine. If you open the command-line window by going to Start > Run and typing cmd, a window should pop open. Now type the command netstat, and you will be presented with more cryptic options than a rental car agreement. Basically the important ones are:
* -a displays all connections and listening ports.
* -n displays addresses and port numbers.
* -o displays the process ID of the application that owns this connection. I can take this info and compare it to the process IDs listed in Task Manager.
* -p displays protocols currently being used: TCP, UDP, and so on.
* -s displays statistics broken down by protocol.
Netstat is one smokin' hot tool that can really cough up more information than a telescope on a clear night. Chances are that you will find open ports, connections to IP addresses, or connections opened by processes about which you had no idea. Record keeping is ultra mega super extra important when closing the door on a hacker. Never type a command without redirecting its output to a text file for your records. For example, when I'm surfing for hackers, I would type the following Netstat command:
C:\>netstat -ao > c:\hack.txt
I chained the -a and -o options together and output the results to a text file named hack.txt so I can have a record for trending and evidence if need be.
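The same idea carried a step further, as an added example that is not part of the column: it keeps the raw netstat -ano output as the record, then joins each connection's process ID to the process name and image path (the comparison against Task Manager done for you), and hashes the record so it can be shown later to be unaltered. It assumes Windows PowerShell 3.0 or later (Get-FileHash needs 4.0) and that C:\ is writable; the record file name and the "outside the Windows directory" filter are my choices, not the column's.

```powershell
# Added example, not from the column: run netstat -ano, keep the raw output as an
# evidence record, and map every connection's PID to its process name and image path.
# Assumes Windows PowerShell 3.0+ on the machine being examined and that C:\ is writable.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$record = "C:\hack-$stamp.txt"           # assumed record location; change to suit

# Keep the raw tool output first; everything below is derived from this file.
netstat -ano | Out-File -FilePath $record -Encoding ASCII

# PID -> process lookup built once. Path is empty for processes we lack rights to open.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

# netstat -ano rows look like (header lines are skipped because field 0 is not TCP/UDP):
#   TCP    0.0.0.0:135      0.0.0.0:0      LISTENING    876
#   UDP    0.0.0.0:500      *:*                         1204
$rows = Get-Content -LiteralPath $record | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
        [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $f[3]; PID = [int]$f[4] }
    }
    elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
        [pscustomobject]@{ Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = ''; PID = [int]$f[3] }
    }
}

$report = foreach ($r in $rows) {
    $p = $procs[$r.PID]
    [pscustomobject]@{
        Proto   = $r.Proto
        Local   = $r.Local
        Remote  = $r.Remote
        State   = $r.State
        PID     = $r.PID
        Process = if ($p) { $p.ProcessName } else { '<not running>' }
        Path    = if ($p -and $p.Path) { $p.Path } else { '' }
    }
}

# Full picture, sorted by owning process, plus a CSV beside the raw record.
$report | Sort-Object PID, Proto, Local | Format-Table -AutoSize
$report | Export-Csv -LiteralPath "$record.csv" -NoTypeInformation

# Starting point for review: listeners whose image lives outside the Windows directory.
# This is a heuristic to prioritise reading, not a verdict; a listener in Program Files
# is often legitimate, and one under %SystemRoot% is not automatically clean.
$report | Where-Object {
    $_.State -eq 'LISTENING' -and $_.Path -ne '' -and $_.Path -notlike "$env:SystemRoot\*"
} | Format-Table Proto, Local, PID, Process, Path -AutoSize

# Hash the raw record so a later reviewer can confirm it was not altered (PS 4.0+).
Get-FileHash -LiteralPath $record -Algorithm SHA256 | Format-List Path, Hash
```

Run it from an elevated prompt so Get-Process can read the image path of services; without elevation the Path column is blank for those rows, which is why the filter above skips empty paths rather than treating them as suspicious. The raw text file, not the derived table, is the evidence.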
Tip 00x03: Registry spelunking.
I'm glad the word spelunking was invented because it is fun to say in any situation that requires a deep dive into the unknown. Like bit spelunking or mother-in-law's meatloaf spelunking. In Windows, the registry is like the nickel beer bar in college; it's where all the action is. Microsoft really campaigned hard to scare people out of messing around in the registry, but the troubleshooting tools are just not as good as taking a quick dive in the registry to see for ourselves. A hacking program is no good if it doesn't start up at boot time. The Startup menu item is as worthless as fishing with an empty hook. If we want to see what is actually starting up on our own, then we need to go to the registry! The best way to access the registry is from the command line, so once again, go to the command line and type regedt32. Now the nice multicolor registry window pops open. Now our target is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
For example, the Startup menu item on my machine shows only four programs that fire at boot time. Looking at the registry, I can see it is more like 30 programs! They also show the full path on the right to the program they actually launch. This is very handy to see what is going on with your machine.
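The registry dive from the command line, as an added example and not code from the column: it reads the Run key the column names, plus the RunOnce and per-user (HKCU) siblings and the Wow6432Node copy on 64-bit hosts, resolves each value to the program it launches, and checks whether that file exists and whether it carries a valid Authenticode signature. It assumes Windows PowerShell 3.0 or later; the Get-LaunchedExe helper and its parsing rules are mine.

```powershell
# Added example, not from the column: walk the Run/RunOnce autostart keys for the
# machine and the current user, resolve each entry to the executable it launches,
# and report whether that file exists and whether it carries a valid Authenticode
# signature. Assumes Windows PowerShell 3.0+; keys that do not exist are skipped.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 64-bit hosts only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the program out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent     or     C:\tools\bar.exe -x
# Heuristic: a quoted path, else the first token ending in a common program extension,
# else the first whitespace-delimited token (hypothetical helper, not a Windows API).
function Get-LaunchedExe([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(\S+?\.(exe|com|dll|bat|cmd|vbs|js|scr))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $cmd    = [string]$regKey.GetValue($name)    # REG_EXPAND_SZ is expanded here
        $exe    = Get-LaunchedExe $cmd
        $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
        $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status.ToString() } else { 'n/a' }
        [pscustomobject]@{
            Key       = $key
            Name      = if ($name -eq '') { '(Default)' } else { $name }
            Command   = $cmd
            Exe       = $exe
            Exists    = $exists
            Signature = $sig       # Valid, NotSigned, HashMismatch, ...
        }
    }
}

# Everything that fires at logon, then the subset worth a closer look: missing
# binaries (stale or cleaned-up entries) and unsigned or tampered ones. Unsigned
# is not proof of anything; it is where to start reading, with the raw list kept.
$entries | Format-Table Name, Exe, Exists, Signature -AutoSize
$entries | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } | Format-List Key, Name, Command, Signature
```

Pipe the first table to Out-File as well, for the same reason the column redirects netstat: the list of what starts at boot on the day you looked is part of the record. Entries that launch rundll32.exe or a script host resolve to the host program, so read the Command column for those rather than the Exe column.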
Tip 00x04: Shaking hands with a ghost.
Alternate data streams are a perfect example of a good idea gone bad, kinda like asking your mother-in-law about her grandkids when Star Trek is on. Alternate data streams, or ADS, as we call it in the cool world of ... well ... ADS, were introduced for Windows NTFS volumes to support the Macintosh Hierarchical File System. The best documentation on ADS is actually on many hacker sites. Using ADS, a hacker can hide files, even executables, and make them almost invisible to the operating system and, of course, you. I did a demo on ADS (and many other common attacks) for the "Invisible Attackers" episode for TechWiseTV.
Basically, ADS allows me to hide one file behind another file so it is invisible. It's a feature in Windows and is always turned on. It is super simple to run. Let's say I'm a hacker and I want to hide my hacker tool or bot on your machine. I would execute the following command:
type c:\hacktoolz.exe > c:\winnt\system32\calc.exe:hacktoolz.exe
When the program is launched, it looks just like a calculator to the system process ID, and even the file size stays the same, so it slips right through many detection methods. This one is nearly impossible to detect without the use of a third-party tool. I have used LADS, STREAMS, and Crucial ADS with great success. I like LADS the best because of its speed, and I don't have to fill out any marketing information to access the tool.
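Newer versions of Windows PowerShell can do the stream listing the column reaches for LADS to do, without installing anything on the machine. As an added example, not from the column or from any of the tools it names, the function below walks a directory, lists every stream on every file except the primary ':$DATA' stream and the benign Zone.Identifier mark that downloads carry, and flags streams whose first two bytes are the "MZ" header of a Windows executable, which is the case the column describes. It assumes Windows PowerShell 5.1 (Get-Item -Stream needs 3.0; -Encoding Byte is not accepted by PowerShell 7); the scan root and the function name are my choices.

```powershell
# Added example, not from the column: find alternate data streams under a directory
# using Get-Item -Stream (Windows PowerShell 3.0+; 5.1 assumed for -Encoding Byte),
# skip the benign Zone.Identifier mark that downloads carry, and flag streams that
# start with the "MZ" header of a Windows executable. Scan root is an assumption.
function Find-AlternateStreams {
    param(
        [string]   $Root   = "$env:SystemRoot\System32",   # assumed scan root
        [string[]] $Ignore = @('Zone.Identifier')          # benign stream names to skip
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the file's own primary stream; every other name is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
                ForEach-Object {
                    # First two bytes of the stream; an executable image starts with 0x4D 0x5A ("MZ").
                    $head = @(Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $_.Stream
                        StreamBytes = $_.Length
                        FileBytes   = $file.Length          # unchanged by the ADS, as the column says
                        LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

# Full list first, then only the streams that carry an executable image.
$found = Find-AlternateStreams
$found | Format-Table File, Stream, StreamBytes, FileBytes, LooksLikePE -AutoSize
$found | Where-Object { $_.LooksLikePE } | Format-List
```

FileBytes is reported next to StreamBytes to make the column's point visible: Explorer and dir report only the primary stream, so a file carrying a large ADS shows its original size. The MZ check is a quick filter, not a verdict; a stream that fails it can still hold a script or data worth reading, so keep the full list in the record along with the flagged subset.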
There are also many good and free programs to find if a hacker is on your machine, but I am not a fan of installing software on a machine (with the exception of looking for ADS) and further contaminating the evidence. I do like using a tool such as NMAP and doing a full port scan on a machine from another machine, but you do risk infecting the clean machine by placing it in the infected VLAN.
Another tip would be knowing when to cut bait and reformat the machine. If a machine is compromised and it's not of interest to law enforcement, then save the data, reformat the machine, and move on. Chalk it up to lessons learned. As my wife's snooty French-speaking friends would say, "C'est la vie," but as a Tennessean, I say, "Time to open up a can and put the smackdown on hackertown!"