
Investigation of Cryptolocker - Report Example

Summary
This report "Investigation of Cryptolocker" presents a detailed investigation conducted on the virtual image and the network traces of a particular host under suspicion. The report is unbiased, for it is based on the data gathered from the evidence tabled by the Company’s team…

Extract of sample "Investigation of Cryptolocker"

Incident Response: Investigation of Cryptolocker

Introduction

The intricacy of networks and intranets has been on the rise. The challenge has therefore landed squarely on network administrators and software developers to come up with the best solutions for keeping these networks safe from rampant attacks. A network administrator’s major task lies in dealing with the diverse types of traffic that traverse the network. Network administrators have to be constantly in charge of traffic monitoring and automated analysis. The two tasks are essential for troubleshooting and resolving outstanding issues effectively as they occur. Sluggish and untimely implementation of these two critical tasks can bring network services to a standstill for extended periods.

There are numerous tools on the market at the disposal of network administrators. These tools are all vital in helping these experts monitor and analyse network traffic. Using a tool like Wireshark, a network forensics investigator can unearth the activities of any given computer system. This paper presents a detailed report on the investigation conducted on the virtual image and the network traces of a particular host under suspicion. The report is unbiased, for it is based on the data gathered from the evidence tabled by the company’s incident response team. The paper deliberates the details of an investigation of a Cryptolocker malware attack using the network tool Wireshark and other techniques appropriate to an investigation of this nature. It examines Cryptolocker and its activities from a set of traffic captured from the network in question.
Wireshark is a network monitoring and analysis tool that is vital in a difficult and demanding task that requires finesse and hard evidence from real network data. Wireshark has over time stood out as the most applicable of the tools that are vital to the network administrator’s job. Network administrators who choose Wireshark have a one-stop tool that is able to capture data from the hub, from all the ports, from bridges, from ARP spoofs and from remote packet capture. These capture points are the crucial points at which fully-fledged network forensics is conducted (Brian, 2005). The tool gives administrators a constant ability to maintain the smooth operation of their networks. If a network were to be down even for a short period, productivity within a company would decline and, in the case of public service departments, the ability to provide essential services could be compromised. In order to be proactive rather than reactive, administrators need to monitor traffic movement and performance throughout the network and verify that security breaches do not occur within it.

The task focuses on the investigation conducted on a virtual image after the company’s incident response team unearthed malicious activity within the company that resembles Cryptolocker’s activities. Cryptolocker is one of the most devastating malware of the decade. It gets into the computer system as a Trojan. This means that the user of the host under suspicion is not necessarily aware of installing the malware. Trojans pose as legitimate programs and, after gaining their way into the system, run predetermined actions that affect the target machine and network.
The malware does not affect all computer systems, but Symantec (2014) showed that Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista and Windows XP have all registered adverse attacks from the malware. The company uses Windows 2003 Server, which raises the possibility that the attacks occurred in the company’s network.

Background of the Research

The descriptions from all the major antivirus software in use today define Cryptolocker as a Trojan type of threat. The attention given to the threat posed by the Trojan has called for a concerted effort by NCCIC, the U.S. Secret Service and The Cyber Intelligence Network (CIN). The teaming up of these major crime and software regulatory bodies was brought about by the realization that the threat in question has the potential to breach the data and privacy of any person or organization that uses the said operating systems. Cryptolocker falls under the category of Trojan ransomware. Ransomware threats are those used by attackers on a computer system with the ultimate requirement that money be paid to the creators of the malware so that the software is removed from the host’s machine (Luke, 2014). The Cryptolocker Trojan was in existence prior to the first major overhaul, but the attackers used it for other, less threatening purposes. The first major attack using this devastating malware was discovered on the 11th of September 2013. The malware is hard to follow up, for it goes by different aliases, though attacks from the Trojan follow the same pattern. For this reason, major software sellers register this malware under two different names, but both flavours are Trojans: Gpcoder.H and Trojan.Ransomcrypt.F. Norman registers it as CryptLocker.B, Trend Micro registers it as TROJ_CRILOCK.NS, Microsoft registers it as Trojan:Win32/Crilock.A, and Sophos Anti-Virus detects it by the name Troj/Ransom-ACP. Whilst the names may differ, all antivirus providers agree on its maliciousness (Gutierrez, 2014).

It spreads via email attachments and mainly targets companies, using phishing methods. The Trojan does not prevent the user from using the computer, as it does not affect the system files. Instead, once launched, the malware searches through the host’s file system for files with document extensions such as .xls, .doc, .pdf or .jpg and so on (Donohue, 2013). The main directive of the Cryptolocker Trojan once executed is to encrypt the files with an RSA 2048-bit public key. This public key is used to encrypt the host’s data and the private key is used for decrypting, each working as the inverse of the other (Bezroukov, 2013). The issue lies in decryption: unless the host has the private key stored on the same machine, decryption is near impossible. Cryptolocker had the private key stored on the cybercriminal’s server, ensuring that only the creators of the malware are able to decrypt the users’ data (Cannell, 2013). A good scenario might be that the user is able to decrypt the data after a payment of $300 is made to the cybercriminals within an allotted time frame. If the payment is made within this allotted time, the cybercriminal sends a unique private key so that the specific infected host is freed. The worst-case scenario is that, after the money is received, the private key is destroyed and any hope of retrieving the encrypted files is lost (Cannell, 2013). The reason this Trojan gained a notorious reputation is that using other hosts’ private keys sent by the cybercriminals would not work, as the private key is unique to the specific host in question.

Aim

This investigation aims to provide a detailed and thorough analysis of the virtual image and the network traces brought in by the company’s incident investigation team. This two-pronged evidence is the only evidence provided by the team. The challenge in forensics is always the need to work with whatever evidence is available, however limited. The virtual image provided has the network-specific information for the host under suspicion. In the data capture by the incident response team, emphasis was put on the structure of the tool and the theoretical approach: the efficiency of the tool relative to the expectations of the user, what makes it a good tool for packet analysis, and the features that make it a complete tool. According to Brian (2005), the tool supports very many protocols (more than 900), but the most common ones are IP (Internet Protocol) and DHCP (Dynamic Host Configuration Protocol). In addition, the tool supports some more proprietary protocols, which may include BitTorrent and AppleTalk. In the observation shown above, the output on the graphical user interface is presented in numbered lines. Each line represents the specific activity taking place in that numbered session. The illustration in figure 1.2 shows the three well laid out partitions: partition 1 has the packet list, partition 2 the packet details and partition 3 the packet bytes.

The critical incident response team has managed to get a virtual image of the host under suspicion (HUS), along with other traces of evidence applicable to the investigation. The evidence at hand includes both host activity on the system and network traces.
The project seeks an unbiased investigation of the network traces and the virtual image from the host under suspicion. The report below is an open-minded analysis of the data gathered from the incident response team about malicious activity within their company related to Cryptolocker-type activity. This sets the objective of this report. The investigation that follows bases its findings on the virtual image and the network traces of a particular host, in a bid to produce a fair and impartial report on the findings.

Expected Outcome

In this initial data capture, the goal is to explore the tool Wireshark and gather mostly qualitative, and in some cases quantitative, data to give a clearer understanding of the workings of the tool. Wireshark is a new version of Ethereal (its initial name). It is a tool applicable when network traffic information needs to be captured. In addition to general traffic information, the tool is very handy in identifying packet headers and the data they bear. Wireshark is one of the most dependable network analysers. This open source software is widely used by network specialists to capture the smallest details of each packet, among other network analysis procedures. The initial analysis of Wireshark by the development team described it as “a tool that can be used to scrutinize the activities that do take place in the network cable”. The tool is what a voltmeter is to an electrician: the voltmeter shows the electrician what is going on inside the electric cable (though not as literally). The tool was for a long time used by senior experts and large companies. Wireshark was not as readily available to a large section of people as it is today. It is portable across various operating systems, including Microsoft Windows, OS X, most Linux versions, and UNIX.
It comes with a user interface that makes it easier for the user to concentrate on the task and gives a better display of the activities of the software. Furthermore, Wireshark is aimed at troubleshooting, education, and the development of software and communication protocols. The data capture compares two tools used for the same purpose. The comparison is relevant to the student, for it aims to show the benefits of using Wireshark rather than a command line tool for the same purpose (Brian, 2005). The purpose of this data capture was to explore the networking tool Wireshark and to compare it with another common tool at the disposal of Computer Forensics students. The tool used and tested alongside Wireshark is Tcpdump. Using the tool, the initial data capture by the incident response team aimed at capturing traffic in a real-life active scenario on a network and comparing it with the corresponding tool. The captured traffic data was then used to identify active packet headers and their corresponding data, which are vital in incident analysis.

Investigation Procedure

This report aims to provide a clear and concise analysis of the investigation; it was therefore necessary to divide the investigation into two parts to aid the reconstruction of the host under suspicion’s activities. The first part consists of:

Analysing of Network Traces
The task of analysing the network traces captured from the HUS is vital and remains at the heart of the whole forensics task.

Analysing the HUS machine, which was exported as a virtual image.

Methodology

The methodology employed is meant to cross-correlate any information extracted from the network trace capture with activities conducted on the HUS machine. This is secondary in priority, as any activities conducted on the HUS machine are reflected in the network trace capture.
The main points of connection to Cryptolocker-type activity, among other such information, are:

1. The extraction of vital information from the virtual image depends on its specifications in the network. For instance, information such as the network card information and other machine information is extracted and correlated with that of the network trace capture.
2. Locating any files downloaded, using the information retrieved from the network trace capture, whether or not they exhibit Cryptolocker-type behaviour.
3. Extracting any necessary information from the HUS event viewer. This includes looking through the Application Logs, Security Logs and System Logs to determine the HUS activities in relation to the network trace capture.
4. If evidence supports Cryptolocker-type behaviour, a thorough analysis of the system will be required. This includes searching the Registry and Start-up of the virtual image as well as locating the Cryptolocker executable.

Examining the virtual image with information extracted from the network trace capture will allow for a better understanding of the HUS activities. The information retrieved from the network trace capture will form the bulk of this report; however, the virtual image will provide clear evidence of any software or files downloaded. The suspect content to look out for is any file that was downloaded and is present in the virtual image system, be it from an external or internal source, that exhibits Cryptolocker-type behaviour. Areas to look into would be attempting to open files, if Cryptolocker is in effect, and verifying whether encryption has taken place through the malware’s actions. It is important to note that analysing the captured network traces first will undoubtedly aid the analysis of the virtual image, as a timeline identified through the network traces helps identify the HUS activities on the virtual image.
In addition, highlighting any possible Cryptolocker activities requires a concerted effort in using Wireshark data and in encryption. This will aid in concentrating on key information retrieval rather than sifting through many system logs on the virtual image.

Capture_part01 (The test Results)

1) arp flag
   Wireshark shows that the capture uses nmap in scans and in verifying active hosts on the network. The process relates to Cryptolocker. The first five results, picked from an analysis in Wireshark, show that the host under suspicion was linked to five different machines during the window of interest. The five nodes are:
   38091 - 172.16.121.143
   38094 - 172.16.121.146
   38361 - 172.16.121.147
   38363 - 172.16.121.148
   38385 - 172.16.121.254
2) Attacker 172.16.121.145
3) ip.addr==172.16.121.145
   46305 - 46307 - Sends SYN, SYN/ACK, ACK confirmation to 172.16.121.145 (Attacker)
4) ip.src==172.16.121.143
   46305 - 46307 - Sends SYN, SYN/ACK, ACK confirmation from 172.16.121.143 (Victim)

In the above data capture conducted with Wireshark, the focus is on tracing the packets and identifying the preferences, settings and dynamics that the tool offers regarding name resolution and protocols. The victim on IP address 172.16.121.143 replies to the attacker and hence the Cryptolocker gets the chance of getting into the machine at address 172.16.121.143.
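The host-discovery finding in Capture_part01 can be reproduced from an ARP field export instead of by eye. The following is an added example, not part of the original report: the sample rows, frame numbers and timings are constructed, and the column layout and thresholds are assumptions.

```python
"""Flag ARP sweeps (host discovery) in a tshark field export."""
from collections import defaultdict

# Constructed sample rows in the column order produced by, for example:
#   tshark -r capture.pcap -Y arp -T fields -e frame.number \
#       -e frame.time_relative -e arp.opcode \
#       -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4
# Opcode 1 is an ARP request, opcode 2 an ARP reply.
SAMPLE = """
100  0.000 1 172.16.121.143 172.16.121.254
101  0.001 2 172.16.121.254 172.16.121.143
200 12.000 1 172.16.121.145 172.16.121.141
201 12.010 1 172.16.121.145 172.16.121.142
202 12.020 1 172.16.121.145 172.16.121.143
203 12.021 2 172.16.121.143 172.16.121.145
204 12.030 1 172.16.121.145 172.16.121.144
205 12.040 1 172.16.121.145 172.16.121.146
206 12.041 2 172.16.121.146 172.16.121.145
207 12.050 1 172.16.121.145 172.16.121.147
208 12.051 2 172.16.121.147 172.16.121.145
209 12.060 1 172.16.121.145 172.16.121.148
210 12.061 2 172.16.121.148 172.16.121.145
211 12.070 1 172.16.121.145 172.16.121.254
212 12.071 2 172.16.121.254 172.16.121.145
300 40.000 1 172.16.121.146 172.16.121.254
"""


def ip_key(ip):
    """Sort key that orders dotted-quad addresses numerically."""
    return tuple(int(part) for part in ip.split("."))


def parse_arp(text):
    """Turn whitespace- or tab-separated export rows into records."""
    records = []
    for line in text.strip().splitlines():
        frame, rel_time, opcode, src, dst = line.split()
        records.append({"frame": int(frame), "time": float(rel_time),
                        "opcode": int(opcode), "src": src, "dst": dst})
    return records


def detect_sweeps(records, window=2.0, min_targets=5):
    """Report senders that ARP for many distinct addresses in a short window."""
    by_sender = defaultdict(list)
    for rec in records:
        if rec["opcode"] == 1:
            by_sender[rec["src"]].append(rec)

    findings = {}
    for sender, requests in by_sender.items():
        requests.sort(key=lambda rec: rec["time"])
        start, best = 0, []
        for end in range(len(requests)):
            # Slide the window start forward until it spans <= `window` seconds.
            while requests[end]["time"] - requests[start]["time"] > window:
                start += 1
            span = requests[start:end + 1]
            if len({r["dst"] for r in span}) > len({r["dst"] for r in best}):
                best = span
        targets = sorted({r["dst"] for r in best}, key=ip_key)
        if len(targets) >= min_targets:
            findings[sender] = {"first_frame": best[0]["frame"],
                                "last_frame": best[-1]["frame"],
                                "targets": targets}
    return findings


def live_hosts(records, scanner):
    """Hosts that answered the scanner's ARP requests, i.e. what it learned."""
    hosts = {r["src"] for r in records if r["opcode"] == 2 and r["dst"] == scanner}
    return sorted(hosts, key=ip_key)


if __name__ == "__main__":
    recs = parse_arp(SAMPLE)
    for scanner, info in detect_sweeps(recs).items():
        print(scanner, "swept", len(info["targets"]), "addresses, frames",
              info["first_frame"], "to", info["last_frame"])
        print("  responders:", ", ".join(live_hosts(recs, scanner)))
```

A single gateway lookup, as made by 172.16.121.143 and 172.16.121.146 in the sample, stays below the threshold and is not reported.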
capture_part02 (The results)

1) ftp flag - Brute force password hack conducted on users root guest admin administrator
2) Password found for user administrator - 123456789
   933 - Successful login to ftp service for username administrator
3) ftp.response.code - 4737 - Browsed directory root
4) ftp.response.code - 5231 - Directory jan created
5) ftp.response.code - 5450 - Directory passwords created
6) ftp.request.command - 5289 - STOR work01.xls (Follow TCP STREAM)
7) ftp.request.command - 5382 - STOR lo
8) ftp.request.command - 5468 - STOR jan2014.rar
9) ftp.request.command - 5501 - STOR anty_jan2014
10) telnet flag to check the attacker's activities
    20255 - Length 901 (Follow TCP STREAM)

capture_part03

1) Diffie-Hellman key encryption ssh flag
2) Password found for user administrator - 123456789
   133360 - Successful login to ftp service for username administrator
3) ftp.response.code - 13384 - Browsed directory root
4) ftp.response.code - 14177 - Directory feb created
5) ftp.request.command - 15857 - STOR work02.pdf (Follow TCP STREAM)
6) ftp.request.command - 16633 - STOR feb2014.rar
7) ftp.request.command - 17161 - STOR details.zip
8) ftp.request.command - 18198 - STOR lo again, but file already exists
10) ftp flag - Last packet 18230 - Follow TCP STREAM

Cross Correlating

capture_part04

The second part consists of cross-correlating the activities from both the network traces and the virtual image and documenting a timeline and history of the HUS activities. The following are the steps taken by the attacker:

1) Diffie-Hellman key encryption ssh flag
2) Smtp flag used
3) 172.16.121.145 (Attacker)
   a. Two emails sent
   b. First email 20062 (from Alan) and 20069 (rcpt confirmation Greg)
   c. Follow the TCP STREAM
   d. Go to www.base64.com and decrypt the data content
   e. Second email 25374 (from Alan) and 25375 (rcpt confirmation Mark)
   f. Follow the TCP STREAM
   g. Content is ‘It’s a blow’ and a cipher UNKNOWN…attachment lo1.png
4) Second Attacker 172.16.121.148
   a. Tried to login as user unsuccessful – 58995
   b. Logged in as administrator with password Napier - 59495
   c. Go to /passwords directory – 59723
   d. Transfer jan2014.rar – 60845
   e. Transfer lo – 61366
   f. Transfer feb2014.rar – 61849
5) Third Attacker 172.16.121.200
   a. Telnet login unsuccessful and – 39753
   b. FTP service login as Administrator with “Napier” as password on the first try - 63627
   c. Go to /passwords directory – 63852
   d. Delete file lo – 64087 shac

The steps gathered above show that the Wireshark data capture is very important to the computer forensics task. The skill applied in making sense of the above gives an idea of the activities that the attacker and the user of the host under suspicion went through. The data is vital in analysis and in establishing the intent of the attacker. The information gathered from the packets and frames is then taken under scrutiny in search of traces of Cryptolocker activity. Packets are the basis of all the communications that take place, and hence having access to the packets is a foundation of computer networking. The ability to capture and analyse packets is well mastered using Wireshark as a network analysis tool. The tool is easy to use due to its simple graphical user interface. The interface is well organized, and most of what the forensics student is supposed to do is look at the data and then apply a theoretical understanding of computer networks to make deductions.

Network traces (crime)

The network activity traces capture network traffic information from the HUS machine over a selected period. The traces are in a zip file, and WinRAR has to be used to extract it. Wireshark is then used to analyse the traces. Another piece of software, called NetworkMiner, is also used to analyse the traces. These applications help the investigation by making it possible to open the traces.

Methodology

The methodology employed is to provide a timeline of the HUS network activity history.
Retracing the HUS activities through a systematic approach will provide a clear picture of the events that have taken place. This will aid in determining the validity of the HUS malicious activity. The malware will exhibit the behaviour identified. Analysis of the HUS network trace capture will be the main priority and the bulk of this report, as it will verify whether malicious activity is present. This includes identifying internal network activity such as network, server and file access, as well as external network activity in the form of websites visited and data downloaded, with emphasis on attachments downloaded from an email source, as that is how Cryptolocker is introduced to an unsuspecting system.

Before attempting to extract the necessary information from the network trace capture, a structured approach is required. This includes identifying and applying the necessary methods and tools before commencing analysis. Having the correct and compatible software to open and view the network capture is important. The software used during this investigation opens the files and should make it possible to search through the entire trace. Extracting information about the HUS machine from the network trace ensures that the network trace indeed originated from the HUS machine. Important information to extract was the IP address, MAC address, default gateway and domain information.

Information is retrieved from the network trace capture by searching through its content based on the protocols used. As the content of each network capture trace can be large, searching via specific protocols will aid in extracting information for analysis. The protocols to be searched for are TCP, UDP, HTTP, DNS, FTP, ARP, ICMP, SMTP, POP-3, IMAP, SSL and TLS. It is important to note that not all protocols may be in use, but searching for all of them ensures that a thorough analysis is conducted and leaves no stone unturned.
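The protocol-by-protocol search and timeline described here, applied to the kind of FTP findings listed for capture_part02 to capture_part04, can be automated over an export of the FTP control channel. This is an added example, not part of the original report: the rows, frame numbers and passwords are constructed, the '|'-separated column layout and the failure threshold are assumptions, and sessions are keyed by IP pair only.

```python
"""Build a per-client FTP timeline and flag password guessing."""
from collections import defaultdict

# Constructed rows: frame|ip.src|ip.dst|ftp.request.command|ftp.request.arg|
# ftp.response.code. Requests carry a command, replies carry a code.
A, T, V = "172.16.121.145", "172.16.121.200", "172.16.121.143"
SAMPLE = f"""\
10|{A}|{V}|USER|root|
11|{V}|{A}|||331
12|{A}|{V}|PASS|constructed-guess-1|
13|{V}|{A}|||530
14|{A}|{V}|USER|guest|
15|{V}|{A}|||331
16|{A}|{V}|PASS|constructed-guess-2|
17|{V}|{A}|||530
18|{A}|{V}|USER|admin|
19|{V}|{A}|||331
20|{A}|{V}|PASS|constructed-guess-3|
21|{V}|{A}|||530
22|{A}|{V}|USER|administrator|
23|{V}|{A}|||331
24|{A}|{V}|PASS|constructed-guess-4|
25|{V}|{A}|||530
26|{A}|{V}|USER|administrator|
27|{V}|{A}|||331
28|{A}|{V}|PASS|constructed-guess-5|
29|{V}|{A}|||230
30|{A}|{V}|CWD|/|
31|{V}|{A}|||250
32|{A}|{V}|MKD|jan|
33|{V}|{A}|||257
34|{A}|{V}|STOR|work01.xls|
35|{V}|{A}|||150
36|{V}|{A}|||226
37|{A}|{V}|STOR|lo|
38|{V}|{A}|||150
39|{V}|{A}|||226
40|{A}|{V}|STOR|lo|
41|{V}|{A}|||553
50|{T}|{V}|USER|Administrator|
51|{V}|{T}|||331
52|{T}|{V}|PASS|constructed-known|
53|{V}|{T}|||230
54|{T}|{V}|CWD|/passwords|
55|{V}|{T}|||250
56|{T}|{V}|DELE|lo|
57|{V}|{T}|||250
"""

TRACKED = {"CWD", "MKD", "STOR", "RETR", "DELE"}  # file-system activity


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        frame, src, dst, cmd, arg, code = line.split("|")
        rows.append({"frame": int(frame), "src": src, "dst": dst,
                     "cmd": cmd.upper(), "arg": arg,
                     "code": int(code) if code else None})
    return rows


def build_report(rows, fail_threshold=3):
    """Pair each final reply with its request and summarise per client."""
    clients = defaultdict(lambda: {"failed": 0, "users_tried": [],
                                   "login": None, "actions": [],
                                   "rejected": []})
    user, pending = {}, {}  # both keyed by (client, server)
    for row in rows:
        if row["cmd"]:                       # client -> server request
            key = (row["src"], row["dst"])
            if row["cmd"] == "USER":
                user[key] = row["arg"]
            pending[key] = row
            continue
        key = (row["dst"], row["src"])       # server -> client reply
        req = pending.get(key)
        if req is None or row["code"] is None or row["code"] < 200:
            continue                         # 1xx: wait for the final reply
        del pending[key]
        entry = clients[key[0]]
        if req["cmd"] == "PASS":
            name = user.get(key, "?")
            if row["code"] == 530:           # login rejected
                entry["failed"] += 1
                if name not in entry["users_tried"]:
                    entry["users_tried"].append(name)
            elif row["code"] == 230:         # login accepted
                entry["login"] = {"frame": row["frame"], "user": name,
                                  "after_failures": entry["failed"]}
        elif req["cmd"] in TRACKED:
            item = (req["frame"], req["cmd"], req["arg"])
            if row["code"] < 300:
                entry["actions"].append(item)
            else:
                entry["rejected"].append(item + (row["code"],))
    for entry in clients.values():
        entry["brute_force"] = entry["failed"] >= fail_threshold
    return dict(clients)


if __name__ == "__main__":
    for client, entry in build_report(parse_rows(SAMPLE)).items():
        print(client, "brute force:", entry["brute_force"],
              "login:", entry["login"])
        for frame, cmd, arg in entry["actions"]:
            print(f"  frame {frame}: {cmd} {arg}")
```

A first-try login, as in the constructed second client, is not flagged as guessing; it points instead to a credential that was already known, which is a separate line of enquiry.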
Identification of any irregular activities matching Cryptolocker behaviour, should it be present, will be carried out in parallel with protocol searching. Since Cryptolocker utilises certain protocols whilst executing its function, this should allow for better identification of its presence within the network capture trace. The suspect content to look out for is any file downloaded from an external source, with this information retrieved from the network activity traces. The timeline of this is documented while looking for Cryptolocker-type activities as outlined in the background research section of this report. For the key areas we looked into, and those we thought the malware was entangled in, we gathered sample data and applied encryption. The behaviour of interest is the process of encrypting all the data and then contacting different domains, subsequently attempting to communicate with these domains in order to reach its source origin and complete its final execution: encrypting all files on a HUS through the creation of private and public keys, which results in a complete lockout of these files.

Procedure

Complex procedures arose from the need to find the Cryptolocker malware, and hence data analysis and data sample tests became necessary. The complexity in testing the data above lies in ensuring that the data gathered is presented in a clear and concise manner within this report and that the verdict arrived at the end is accurate. Important information relating to the HUS activities will be presented in a tabulated format, together with screenshots from the network trace capture highlighting key information for this investigation. Each captured network trace will contain its own information, so the four network traces captured will each have their information extracted and presented. Once all captured network activities have been documented and tabulated individually, this information will be correlated and presented as a final component highlighting key information for this investigation. The software used for extracting the file crime.rar will be the WinRAR application. The software used to open and view the captured network traces was the Wireshark application, for it provides the ability to search a network trace using codes and flags. This will facilitate locating the necessary information by searching for the protocols mentioned in the Methodology, and aid in identifying whether Cryptolocker-type activity was present at the time of the network trace capture by determining its behaviour.

Virtual Image (Filename: Cryptolocker.ova)

The virtual image is that of the HUS machine. It has the file extension .ova and the name Cryptolocker.ova (Appendix - Image 01). This virtual image is an exact copy of the HUS machine. No alterations were made. It was exported as a virtual image so it may be investigated. The procedure to be followed is to ensure that the data gathered is presented in a clear and concise manner within this report. Important information relating to any Cryptolocker activity in the virtual image will be documented using screenshots. The software used for opening the virtual image Cryptolocker.ova will be the VMware Workstation application. The image will run on a standalone machine for testing purposes and will not be connected to any network. The VMware application will be able to convert the .ova extension into a format that is compatible with the application. Before the virtual image is turned on, the network adapter will be disabled to ensure no connectivity is present at all.

Findings

Network Capture Trace Analysis

There are four network trace captures; below are the findings and documentation for each trace.

Capture 1.pcap

The important information extracted from the network capture trace that is beneficial for this investigation is as follows. The network trace capture revealed a lot of HTTP requests and usage by various users within the network. A search using the [arp.hw.type==1] flag in the Wireshark software revealed an nmap scan executed by a particular IP address, 172.16.121.145. The purpose of this scan is to determine active host machines on the network (Figure 1 – NMAP Scan).

Based on the analysis of the traces and the HUS image, we have written an academic report by considering the following:
• Define a strict methodology that you would apply in actually undertaking the investigation.
• Take reasoned judgments as to the nature of the trace of network activity.
• Where faced with suspect content, try to uncover the root of the evidence, such as cracking cipher codes. The methods tried should be clearly defined in the report.
• Cross-corroborate the network traces with the system traces that appear on the host system (such as examining system logs, audit logs, and the file attributes), and report on any suspicious activities.

References

Brian C., (2005) File System Forensic Analysis, Addison-Wesley Publishers.
Cliff S., (2005) The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, Simon and Schuster.
Kevin P., (2012) Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground? Broadway Books.
Richard B., (2013) The Practice of Network Security Monitoring: Understanding Incident Detection and Response, No Starch Press.