Forensics Based On Evidence Gathered With Peep Attacks - Essay Example

Running Head: COMPUTER FORENSICS Internet Forensics Based On Evidence Gathered With Peep Attacks The Peep attack is a variant application of a Botnet. This paper proposes a forensic procedure to analyze the attack behavior and explains how to carry out a computer crime investigation. We also discuss the well-known Botnets engaged in the execution of a Peep attack. In our paper, we describe a Peep attack on the Internet as the paradigm of how a cyber-investigator needs to act in the case of a Cybercrime. When cyber detectives prepare to investigate a break in cyber security, there are some issues they must keep in mind and face up to. It is crucial to swiftly preserve digital evidence and conduct forensic analysis that any useful evidence is seized soon after the cybercrime has been committed. Furthermore, there are two phases of digital forensic analysis to retrieve useful evidence when facing a cybercrime attack in our scheme. One phase observes the Internet attack action, and the other one introduces how to investigate each case in on-line analysis of sniffing packets and off-line examination of abnormal files. We believe that this analysis model is workable for any other form of Botnets presently being used. 1. Introduction Cybercrime has been cited as one of the most prevalent problems in society. The vast majority of investigators perceive this crime to be on the rise and of becoming an ever increasingly complex and multi-faceted problem. This paper attempts to clarify the complex investigation effort following a Peep attack. We describe evidence collection and problem-solving techniques in the application of computer forensic analyses. A Peep attack is one of the most notorious hacking tools, based on the Robot Network (Botnet) Structure. A Botnet is a term for a collection of zombie systems and autonomous software robots. The threat from Botnets is growing at an alarming rate and the attack techniques are becoming increasingly sophisticated. The majority of the literature describing Botnet attacks is focused on a varied level of IRC-based malware, the activity of Spam mail and the structure of Distributed Denial of Service (DDOS). However, some Botnets are used primarily for data collection, remote control or various other purposes (Microsoft Corporation, 2005). Botnets have gained a significant presence on the Internet as a remote control means for malicious purposes. A Botnet can run programs under the control of a managed network infrastructure. In practice, Botnet communities usually have one or several owners and rely on individual friend-to-friend relationships for their operation (Desmond, 2005) and (Microsoft Corporation, 2005). Because new attacks originating from a Botnet are difficult to identify by default fingerprinting, there is rarely a geographically identifiable pattern to the distribution of the infected computers. Firewalls cannot readily be configured to react to a Botnet attack by using information obtained from previous attacks. The Peep attack is still a developing technique. In this paper we introduce a digital forensic analysis applied to the investigation of a Peep attack, and discuss some of the resulting problems and concerns. Although differing somewhat from the original definition of IRC Botnets, a huge network of zombie computers is also built up in a Peep attack, by utilizing the Anti-port Control Technique, Peer-to-peer (P2P), and Social Engineering Attack. For example, criminals often create e-mail messages with malicious codes disguised to look like they come from trusted, well-known people or organizations, in an attempt to convince the victim to open an executable attachment containing malicious program (malware) (Clandos, 2003). Lots of zombie computers conjure up images of malicious programs freezing up information systems in a bloodless conquest (Microsoft Corporation, 2005). So many intrusions occur all over the world that it is difficult to know even a fraction of them. Some are deliberate; others are unintentional (Caloyannides, 2003). Digital forensic analysis is similar to Forensic Examination of Digital Technology [8], Computer Forensic Analysis (Nelson and Philips, 2004), or any other similar analyses. Digital forensic analysis is any presentation that is based on the principles and knowledge of various sciences applied to legal issues within the field of crime, or that applies to help identify criminal offenders. Digital forensic analysis is often multimedia in nature, and its leading goal is to define the causal relationship and any useful information of the event (Nelson and Philips, 2004). Those who carry out digital forensic analysis must accept the obligation to acquire the fundamental know-how and be prepared to face these challenges. The forensic analyses of cyber intrusion involve obtaining and analyzing digital information as evidence in criminal cases (Caloyannides, 2003), (Mandia, Prosise and Pepe, 2003) and (Meinel, 2004). If an unauthorized user is using the network illegally, or is performing other illegal acts, investigators can respond by locating the user information of these cyber attackers. In addition to finding valuable digital information and produce effective evidence, they also have to examine the computer used by the victim and the attacker (McCarty, 2004). The remainder of this paper is laid out as follows. In Section 2, we describe a Peep attack on the Internet. Section 3 discusses the digital forensic analysis of a Peep attack. In addition, two categories of event reconstruction and digital forensic analysis are discussed for this case. Finally, we draw our conclusions in Section 4. 2. Peep attack on the Internet 2.1. International Peep invasion on Botnets Over the past years, ordinary criminals have increasingly taken advantage of hacker techniques and malicious code (Levy and Arce, 2004). In 2004, police in Taiwan arrested a Taiwanese computer engineer after he admitted to authoring the Peep Trojan horse. At that time, Peep and other malicious programs had invaded hundreds of enterprise and government systems all over the world. The perpetrator had uploaded the Peep program onto popular hacker websites, and encouraged people to download it. He also released the source code of the Peep program into the public domain, sharing some clever and dangerous programming techniques as well as disclosing undocumented Windows functions. He regularly corresponded with hackers in other countries and shared ideas on how to evade detection by the victims of this attack and by anti-virus programs. This case illustrates the increasing prevalence of cyber intrusion. Peep can operate almost seamlessly across the boundaries of NATs and firewalls. It has a high rate of success in compromising the targeted system and has good propagation ability. As worldwide law-enforcement agencies are increasingly taking notice of these types of crimes, more and more intruders are getting caught. (Moore, 2003) However, this is just one example from many that demonstrates the broad range of tactics that are successfully being used by offenders against the information infrastructure. 2.2. Manipulation of Peep Trojan Peep and the companion program Peepbrowser are a form of P2P reverse Trojan. By making use of P2P networks, Peep allows attackers to steal and destroy data stored on infected computers. P2P networks are a growing technology with great potential for file distribution among a wide number of users. Although the P2P technology was designed to let people share new ideas and communicate more efficiently, creative individuals found ways to use the technology for other purposes. Peep transfers calls end-to-end, and stores user information of client nodes in a centralized manner. (Bradbury, 2006) Peep's use of a reversed client–server protocol also makes it practically invisible. In essence, it is similar to the Sub7 and Bo2k Trojan, as it has capabilities for obtaining confidential information, such as passwords. Attacks by Bo2k or Sub7 on targeted computers are launched by the fairly simple technique of scanning and probing for vulnerable systems, or Trojan ports for server nodes (Levy and Arce, 2004). However, the underlying techniques employed by Peep are quite different. Fig. 1 illustrates the difference on a compromised system. While Bo2k and Sub7 essentially wait to be found, Peep actively communicates back to a Peep server. Social Engineering has played an increasing role in the early stages of a Peep attack (Levy and Arce, 2004), (Meinel, 2004) and (Microsoft Corporation, 2005). Fig. 1. Difference between a client–server and a reverse client–server based attack. Peep is an overlay on the P2P network, and thus each Peep server maintains a table of reachable nodes, including public and private IP addresses, computer names, operating system and version, and so on. Fig. 2 shows the basic Botnet of a Peep attack and illustrates the relationship between the client, server, and attacker nodes. In this overlay network, a client node is a compromised computer accidentally executing a Peep program. The Peepbrowser program on the attacker node configures a server node. The server node for a particular client is that client node's end-point on the Peep network. Fig. 2. Basic Botnet of Peep attack. An attacker node is the computer that is operated by an intruder, accessing client nodes through the Peepbrowser program. Any node with a public IP address or Domain Name having a workable user account and remote access privilege is a candidate to become a server node. A server node is an important entity of the central control in a Peep network. (Schultz, 2001) Most of them are zombie computers and have had remote control programs installed. In this Peep network, any client node can automatically initiate and complete a transaction with any configured server node. Server nodes of a zombie computer may differ in local configuration, processing speed, network bandwidth, and available storage (Desmond, 2005). 3. Digital forensic analysis of probing Peep attack A Trojan horse is an IT term for a malicious piece of software that masquerades as a harmless program (Levy and Arce, 2004). Peep is a Win32 based Trojan program, and runs like a client system on the client node. Fig. 3 shows an advanced Peep attack incorporating Botnets. Digital forensic analysis of this Peep attack takes place in two principal phases. An event reconstruction phase is based on the offensive behavior, which launches an assault against a particular information resource. Another phase is the digital forensic analysis phase. Fig. 3. Digital forensic analysis of a Peep attack. 3.1. Event reconstruction phase Event reconstruction plays a crucial role in explaining why a piece of evidence has certain characteristics. The following discussion examines the digital event reconstruction of a Peep attack. Many malware exploitations rely on social engineering, or flaws in software in order to slip into computer systems. The existence of zombie networks is a growing threat that deserves more attention. (Schultz, 2004) System administrators need to understand how to keep these malicious programs out of their networks. Most commercial software, developed for convenience, speed and cost-effectiveness, is weak in the area of audit trails. This can make it difficult to trace an offender and make an arrest. To deter willful offenders, law enforcement must constantly develop new investigation techniques. The following reports describe three sequential steps issued by a malicious attacker (Desmond, 2005), (Levy and Arce, 2004) and (Microsoft Corporation, 2005) 3.1.1. Step 1. Initiate massive infections An offender plants a prepared malware with Peep. The malware is configured to pair with a server running Peepbrowser. When an infected computer connects to the Internet, Peep automatically reports the IP address and opens a backdoor channel to allow access from outside. With the Peepbrowser program, intruders can access that infected computer over P2P networks. The Trojan horse of Peep is delivered in various ways, such as email attachments or executable files from the Internet. One popular method is to attach the Peep program to a system or application program. This allows Peep to run unnoticed in the background waiting for attackers to connect. Peep malware has FQDNs (Fully-Qualified Domain Names) of the zombie servers compiled into the program itself. When this Peep program runs, it will automatically connect to one of the zombie servers by resolving the FQDN to an IP address. The offender is also taking time breaks between the attacks and setting the mentioned FQDN to a non-routable address such as 127.0.0.1 (Microsoft Corporation, 2005). Besides, the attacker who edits and alters these Peep clients can readily find a compromised computer, and issue commands through these second-tier Internet computers. Once the Peep is active, it listens on port 80 or some other well-known port for predefined commands from the Peepbrowser program. This action then gives him the IP address and related information to access any of these compromised computers. Peep often automatically notifies the attacker when the victim comes on-line and that it is ready for further instructions. 3.1.2. Step 2. Form a zombie network An attacker will organize compromised computers into a three-tier network. A centralized Peep network keeps catalog of victim computers and their information. The network keeps growing as new computers are infected and new client nodes added. This network can contain hundreds or even thousands of computers in three or more tiers all controlled by the Peep network. The Peep program runs on the compromised computers and a Peepbrowser program is executed on the zombie computers. The first tier is often a compromised client computer in a targeted government organization or private enterprise. The intruder uses various ways to plant a Peep program in the victim's computers. Once the Peep program is planted, a connection is usually gained automatically with a zombie computer over port 80 or, occasionally, other ports. The second tier typically includes zombie servers in private enterprise. The Peepbrowser program and remote control software are located in this tier. Generally speaking, a zombie computer is not considered a guilty party for its participation in a connection; this is often chosen by attackers to play the role of server node. Zombie systems are typically chosen because they are poorly protected systems with a continuous Internet connection. (Staniford, 2002) The third tier is the attacker's computer, often located in another country. The motivation of an attacker is typically data theft, as evidenced by the existence of stolen data found in the second tier. Fig. 3 illustrates some of the interactions between these different tiers, and shows two methods of Internet attack and consequent forensics. 3.1.3. Step 3. Launch a cyber attack Because a Peep infection allows complete access to a compromised computer by a remote third party, intruders can launch an attack from a third-tier machine. An intruder can remotely control the second tier of zombie computers from the third tier. This layered attack structure increases the difficulty and complexity for pinpointing intruders. The Peep Trojan is a very powerful tool—allowing intruders to take control of an infected computer from the Internet, capture screen shots, and transfer files. Compromised users may never notice anything. Information resources have value and are important to people. Intruders can silently collect information from compromised computers for months without detection. Once Peep is installed, an intruder has a wide range of options, from malicious behavior such as changing the contents of a file to more serious breaches such as sniffing data as it passes from one computer to another. Within the Peep robot network, a specific TCP port of infected computers is automatically opened as a communication channel for the Peep software. Firewalls or Intrusion Detection Systems do not protect this port. The intruder uses the specified message to connect the first tier of compromised computers. This zombie network is programmed to facilitate numerous types of malicious activities, and allows intruders to remotely command the network over an Internet connection. 3.2. Digital forensic analysis phase Every malicious program has unique features that form a signature. Therefore, we can discuss this Peep program in two parts (Ashcroft, 2004), (DFRW, 2001) and (Orebaugh, 2004): first, from the standpoint of off-line examination of abnormal files, with the aim of investigating and tracing the execution of that attack. Second, from an on-line analysis of sniffed packets, which means logging network traffic for forensics and evidence, converting the binary packets to human-readable format, and analyzing the operation and performance of networked applications. 3.2.1. Off-line examination of abnormal files phase Malicious computer programs are becoming more prevalent and virulent year after year. Investigating an Internet attack is like tracking a wild animal. This section gives step-by-step instructions for sorting through the mess, after a malicious attack has taken place. These instructions appear in system analysis. Fig. 4 shows the three essential steps in event discovery, and they are proposed and briefly discussed (Kao and Wang, 2004) in the following. Fig. 4. The flow chart of off-line analysis steps. 3.2.1.1. Step 1. Perform a basic examination Time is critical. When an intrusion event occurs, reactions should be swift and sure. The basic analysis procedure is as follows. (a) Check the system clock. It is critical to trace intruders to be able to correlate events in time. (b) Collect network settings. Determine the configuration environment, such as IP address, subnet Mask and default gateway. This helps you realize the relation between the IP address and the routing table around the examined computer. (c) Examine running processes. A process is a single program, which runs with all the Dynamic Linking Libraries (.DLL) and support files it uses. If malicious programs are running, we ought to find suspicious processes and programs. (d) Examine system directories for unusual files. Intruders often hide these files in system directories, such as c: windows, c: winnt system or c: winnt system32. These areas must be checked to detect any abnormal files. (e) Understand any special default settings. There is a great deal of local and remote system information on startup services, shared resources, etc. These should be examined to determine if a problem exists. 3.2.1.2. Step 2. Check the original settings Most malicious programs are set to switch on spontaneously; giving intruders control over the compromised victim computers. Therefore, we must examine the system startup contents (e.g., the Windows Registry) and the contents of related files. Any Windows program can register itself as a service, and be automatically loaded each time the computer is started. 3.2.1.3. Step 3. Look for suspicious malware Intruders also employ a variety of malicious programs to attack computers on the Internet. Although the individual behavior of malicious programs is unpredictable, it remains possible to detect the method of operation by scanning and searching for unusual executable files. Recently modified files are often a good starting point. If investigators understand the key to the mystery of malware, they will stand a better chance of making a thorough inquiry into mutual differences and features. Almost all zombie computers located in the second tier are compromised because they are not setup with a strict network security policy. It is difficult to determine which programs on the zombie computer received the victim's response messages during an attack. Most compromised computers are remotely controlled from IP addresses that originate from many multiple countries. Malware like Peep is designed to evade detection. Intruders often rename malicious programs to look like standard system files, such as “services.exe,” or “explorer.exe.” This increases the difficulty for discovering security problems from the start. However, investigators can use well-known computer forensic techniques such as Hash Analysis and CAM (Create-Access-Modify) times to analyze the digital evidence. Efforts to decode the malware and inspect it for hidden information can also prove valuable. Often useful information, including the original messages from the author of the program and the programs themselves can be retrieved. Another useful strategy is to search for clues on hacker's websites that help in analyzing the behavior of malicious programs on the network. 3.2.2. On-line analysis of sniffing packets phase Intruders can launch multiple cyber attacks from behind a Peep network without fear of detection. Since the attack originates from so many different points, investigators have great difficulty in examining such large volume of network traffic. To catch the attacker, it must be determined which traffic is relevant to the investigation, where he gets his connectivity, and what the network activity looks like. Then investigators trace that back to the upper tiers of the suspected computers. Analyzing the network packets may lead to upper-tier host(s) behind the Peep network. The aim of sniffing packets phase is to discover unknown data regarding further attack, and to apply computer-forensic techniques to the Cybercrime investigation. It is beneficial to form a task force, and to sniff packets on the live network. Packet sniffing is an effective way to analyze what data was stolen and where it was sent. A silent sniffer is one of the safest ways to put a listening interface into “stealth mode.” Numerous packet sniffing programs are available that allow investigators to observe data passing between computers. A typical goal is to monitor the target network traffic, and to observe the intrusion activity, which provides an increased understanding of the techniques employed by the attackers. And, most importantly it will determine whether or not important data was stolen from a victim's computer (McCarty, 2004) and (Orebaugh, 2004). Powerful packet capture utilities are at the heart of analyzing what is actually occurring on the Internet. Packet-sniffing tools can sniff the traffic across a network segment and identify the unusual communication. Network switches will need to be configured with listening ports. They can filter through the particular types of network traffic (Orebaugh, 2004). Many compromised computers are programmed to look for a particular host name and piggyback onto well-known communication services. By using ports for well-known services such as 25 (Mail), 53 (DNS), 80 (WWW), traffic can more easily bypass firewalls and evade detection. Investigators should examine abnormal traffic on these well-known ports. The latest generation of investigative techniques in computer forensics must always deploy. The purpose of any investigation is to look for evidence, complete the task of computer forensics, find the intruder, announce the new intrusion method, and minimize the damage. An investigator should keep in mind that any digital data needs to be examined and analyzed by a skilled computer forensics expert, especially for preserving evidence and determining the source of attack. In this case, the original source of the attack is confirmed by the utilization of Remote Administration Tools (RATs). These tools allow intruders to take control of zombie computers and hide themselves from detection. 4. Concluding remarks Our current approach has focused on the Peep Attack. We believe that the application of digital forensic analysis can help us accumulate information about the threats from Botnets such as the Peep attack. Other kinds of Botnets can also be observed, but these are rarely used in massive data theft. It is obvious that Peep programs pose a much more severe threat than most other malicious programs. Therefore, we need a variety of mechanisms to repel this type of attack. In this paper we have attempted to demonstrate a proposed digital forensic analysis to help us understand how the Peep attack works, and how intruders control them. As these attacks further develop, so too will digital forensics. This paper has explored a contemporary Peep attack and established a standard procedure to discover such an attack. However, this paper focuses on event reconstruction and on the forensic analysis of this attack. Further expert witness presentations on the discovery of the source attack are still being developed. Although intruders are continuing to adopt numerous attack methods to probe system vulnerabilities, due efforts must be made to remedy this problem without delay. This is a process without an end, and there are no shortcuts to fulfill its requirements. The only thing we can rely on is that the more efforts we expend, the more satisfactory the results will be. References J. Ashcroft, D.J. Daniels and S.V. Hart, Forensic Examination of Digital Evidence: a Guide for Law Enforcement, National Institute of Justice, USA (April 2004). M.A. Caloyannides, Digital evidence and reasonable doubt, IEEE Security and Privacy (December 2003), pp. 89–91. R. Clandos, Eye on cybercrime, IEEE Security and Privacy (Aug 2003), pp. 10–11. D.Y. Kao and S.J. Wang, Strategies to combat the invasion of cyberspace from within, 2004 Conference of Criminal Investigation and Forensics Science, Academy of Forensic Sciences, Taiwan (2004). M. Desmond, Attack of the PC zombieshttp://pcworld.about.com/news/Oct192004id118208.htm, (2005). Digital Forensics Research Workshop, A road map for digital forensics researchhttp://www.ijde.org/archives/02_fall_art2.html, (2001). R.A. Grimes, Malicious Mobile Code, O'Reilly (2001). International Organization on Computer Evidence, Guidelines for best practice in the forensic examination of digital technologyhttp://www.ioce.org/2002/ioce_bp_exam_digit_tech.html, (2002). E. Levy and I. Arce, Criminals become tech savvy, IEEE Security and Privacy (April 2004), pp. 65–68. K. Mandia, C. Prosise and M. Pepe, Incident Response and Computer Forensics (Second Edition), McGraw-Hill Companies Inc. (2003), pp. 291–334. B. McCarty, Honeypot forensics Part I. Analyzing the network, IEEE Security and Privacy (August 2004), pp. 72–78. C.P. Meinel, Cybercrime treaty could chill research, IEEE Security and Privacy (August 2004), pp. 28–32. Microsoft Corporation, International Botnet Task Force Training Conference Proceeding, Prague (April 2005). B. Nelson and A. Philips, Computer Forensics and Investigations, Thomson Course Technology (2004), pp. 1–22. A. Orebaugh, Etheral Packet Sniffing, Syngress Publishing Inc. (2004), pp. 2–14. D. Bradbury, The metamorphosis of malware writers, Computers and Security 25 (2006), pp. 89–90. D. Moore, V. Paxson, S. Savage, C. Shannon, St. Stanirod and N. Weaver, Inside the Slammer Worm, IEEE Security & Privacy (2003), pp. 33–39. E. Schultz and R. Shumway, Incident Response: A Strategic Guide for Handling Security Incidents, New Riders, Indianapolis (2001). Schultz, E., Denial of service attacks. In Bidgoli, H. (Ed.), Encyclopedia of Internet Security, Volume I, pp. 424-433, 2004. Staniford, S., Paxton, V., & Weaver, N. How to own the Internet in your spare time. Proceedings of the 11th Security Symposium, Usenix Association, pp. 149-167, 2002. Read More