Event Log Managment

Logs .. Logs and More Logs

Tracking down ZeroAccess botnet

Normally I focus on the Windows Event Log, but today I’m going to stray into the world of firewall logs.  Over the last several months I’ve been helping customers with Proof of Concepts for LogRhythm and one the things that I have found with several of my customers has been the ZeroAccess botnet.  It’s actually very easy to track down.  One of the rules that the LogRhythm Labs has setup and comes out of the box is focused on finding any ZeroAccess bots, see fig 1.

ZeroAccess AIE Rule

Fig 1.

ZeroAccess is a peer-to-peer botnet operating over ports 16464, 16465, 16470, or 16471.  Each infected host maintains a list of 256 peers that it attempts to connect to over these ports.  Once communications are established payloads and instructions are transferred through the peers.

A simple Unique Values AIE rule was configured that looked for network connections on the appropriate ports, originating from a single host and trying to communicate with 100 or more unique hosts.  Since each infected host attempts to connect to 256 peers, 100 unique hosts was a good number, as it minimizes false positives that might be generated should a host attempt legitimate communications over any of those ports.

http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf

http://www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-New_CC_protocol_ZeroAccess-final2.pdf)

October 29, 2013 Posted by | Audting, Hacking, ZeroAccess | Leave a comment

Logging, Logging

Here lately we’ve been hearing a lot about Stuxnet and Duqu.  Well this week is no different, but there is some insight into how one of these could have been slowed down if not prevented.  In an article released on Nov 30, 2011 at eWeek.com, Duqu Attackers Wiped All Linux CandC Servers to Cover Tracks, there are some good insights even though it’s almost just a side note.  The article mainly discusses what the Duqu attackers did to help cover their tracks.  The part of the article that caught my eye was the last paragraph.

Even though there was a possibility of a zero-day, the researchers thought it was more likely that the servers’ root passwords were brute-forced, based on a log of a user attempting to log in as root multiple times over an 8-minute period from an IP address in Singapore before finally succeeding.

It all comes down to logging and then doing something with those logs.  Having a solution (www.logrhythm.com) that can help point out these types of items is critical.  Just to have logging turned on gets you nothing, you need to do something with these logs.  Having a solution in place and watching for anomalies like this could have helped to slow Duqu down.  Logs won’t stop the attackers but if we are being proactive and watching (with the correct solution) we would at least slow them down some.

As this also shows that attackers aren’t worried about people logging their activities because they know most organizations/admins aren’t doing anything with the logs until well after the fact.

One of the things that you need to be asking your SIEM/Log Management provider is how would they have picked up on something like this?  Can it be correlated/detected that it was coming from the same IP address and repeated attempts?  Most SIEM/Log Management vendors will tell you “sure we can do that”.  Well my next question would be: What if this was across multiple Operating Systems, could you detect it then?  Now for my shameless plug, with LogRhythm the answer is yes.  Some vendors expect you to be a subject matter expert across all Operating Systems, network devices and applications.  With LogRhythm you don’t need to be, our normalization handles that for you.  We can take being proactive to the next level with advanced correlation and SmartRemediation.

December 2, 2011 Posted by | Audting, Event Log, Hacking, Log Management, Uncategorized | , , , , , | Leave a comment

Inside and Outside Hack Attempts

Over the last several years I have conducted quite a few webinars with Randy F. Smith on a variety of topics that relate to Windows Audit Policies and Log Management.  Two of these truly drive home the point about why you need to be looking at your logs (not just Windows but all sources; *NIX and Network Devices as well).  The first of these was conducted on Jan 20, 2009 entitled “Anatomy of a Hack: Tracking an Intruder with Security Logs” and most recently on Feb 4, 2010 entitled “Insider Gone Bad: Tracking Their Steps and Building Your Case with the Security Log “.

March 3, 2010 Posted by | Audit Policy, Audting, Event Log, Hacking, Log Management | , , , , , , , | Leave a comment

Detecting Insider Threats

Over the last few weeks I have been putting together a whitepaper on detecting insider threats (on a Windows network).  The paper is finished and is available here.  In the next few days I will be setting up a webinar that will cover this topic watch  <<removed>> for a link to the webinar.

**Some how I missed the links in this post and found it because someone clicked on the whitepaper link.  So July 23, 2011;  Do to some unforseen issues at Prism I can no longer in good faith promote their product or services and I have removed all links to their website.

April 29, 2009 Posted by | Audting, Hacking, Log Management | , | Leave a comment

Tips on Tracking Down a Hack Attempt

On Tuesday March 17, 2009 I conducted a webinar for Prism Microsystems on how Log Management can help you track down a hack attempt.  Now I know there are multiple ways to hack a network, the purpose of this webinar was to show that if you are collecting the log data from ALL your sources, network equipment/Unix/Linux/Windows that you can track down these attempts very quickly.  Log Management can also help you become more proactive vs always being reactive. 

**Feb 14, 2011; Do to some unforseen issues at Prism I can no longer in good faith promote their product or services and I have removed all links to their website.

March 20, 2009 Posted by | Hacking, Log Management | , | Leave a comment